log4shell: Error by Design

Photo by cottonbro from Pexels

What probably took 14 hours a day right in the preceding week to Christmas for many within the infosec realm  – guessing where and what versions of Log4J were present and what uses besides native ones were in and around the infra of every and one company big and small.

While the fun was really to have a succession of three patches over a few days and constantly having to rephase prioritities, now that most of the dust has been settled one has to think a bit about what actually happened.

What happened was part a consequence of our IT reality that all is to be logged, which is in itself a vulnerability as we already mentioned singlehandedly before. And also a not-so-friendly reminder of the long forgotten fact that computers were designed to communicate with each other, no matter what we would like to think.


For what it was a science fiction of its day, now became reality. For enjoyment, I recommend read these once more again to gain an insight of what computers actually are… (taken from the NCCF/longdawn framework)


MW1A8.2. Performance Optimization Procedures


The CPU has several routines that try to avoid unnecessary operations, thus accelerating its work and optimizing energy and data usage. Because of this, it is completely predictable how and in what order it will solve a given task.

MW1A8.2.1. Branch prediction

A branch predictor is a digital circuit that is usually part of the CPU that tries to guess which way a branch (e.g. an if–then–else structure) will go before this is known definitively. If another CPU is used to do the same guesswork and compile an unusual set of branches (e.g. where all predictions will be false), the resulting code could encumber a CPU so as to slow down or to cease functioning under the greatly heightened workload.

MW1A8.2.2. Speculative execution


The CPU loads everything into the operational memory that it may need. If a particular code was not needed, it does not take into account the presence of the code. At the end of each operation, all the codes will exit. If a large volume of smaller codes are sensed as a necessary code, the CPU’s performance will fall below the expected levels, and more and more organs and periphelrals will produce faults.

MW1A8.2.3. Pipelining

The CPU’s performance is maximized so that it can not be idle. This is done by instruction pipelining (~ sequencing, dataflow, paralellism). Pipelining tries to supply all parts of the processor with a specific command by converting incoming instructions into a series of sequential steps executed simultaneously by different processor units. Operations from the various parts will be processed as soon as the pipeline ends.

The disadvantage of pipelining is that 3 or more operations are interrupted when the CPU is interrupted, so there is a possibility of double-triple fault failures, which could cause an Operating System to freeze or restart the system it is installed on.

MW1A8.3. Interrupts


Program interruption is the sequence of operations when the running of a program by the CPU is interrupted and a higher priority (more important, more urgent) program execution is started by saving the status of the currently running program in a temporary storage so that it can be resumed later. After interruption, the original program will continue to run where it has stopped (the status of the original program has been restored).

System programming interrupts are important, because events that needs immediate attention may occur during the execution of programs, which can be solved only by the temporary suspension of the “normal” execution of the currently executed program(s).

These include:

  • Completing specified external operations that can be expected but can not be precisely scheduled (a periphery indicates that an input or output operation has been completed – for example a button is pressed down on the mouse or keyboard),
  • intentional, ie. program-driven events (system calls),
  • defined program defects (eg division with 0) and
  • compensation of random and unexpected events (like serious hardware failure or power outage).

Interruptions exist at a number of levels, the lowest level is the world of hardware / BIOS interrupt requests. Hardware interrupts are asynchronous and can occur in the middle of instruction execution, which could lead to instant freezes / faults (like inserting a hardly readable CD into the driver). The highest level is where the interrupt requests of softwares / user applications are handled (eg. message-signaled interrupt, push notification, doorbell, etc.).

Using purely interruption requests, it is  possible to suspend or divert CPU’s original activity unjustified.

MW1A8.4. Double fault

A double fault occurs when the processor detects an error while attempting to execute a pending interrupt or an exception. For example, a double error occurs when an interrupt request is received, but there is no such interrupt in the CPU interrupt handler. If the processor detects an error when calling a Double Fault Handler, a triple error is generated and the processor turns off / restarts. Because of this a number of pre-set conditions could be engineered, when the Operating System will restart – and consequently it is able to cold-boot it with a doctored version.

The error is x86-specific. On the Acorn RISC Machine (ARM) and other MOS Technology 6502 based systems, reset also has the highest priority and therefore it is possible to soft reset with vector interrupts.

MW1A8.5. Triple fault

In x86 computer architecture, triple fault is a CPU generated exception that occurs when the CPU attempts to call the exception handling after the double error, but encounters another failure. Processors with x86 specification cause a shutdown cycle when a triple fault occurs. This usually forces motherboard hardware to initiate CPU reset, which causes restart of the whole computer.

Triple errors indicate the operating system kernel or device drivers problem. In modern operating systems, the triple error is typically caused by a buffer overflow or under-operation in a device controller that is described through the Interrupt Descriptor Board (IDT). If the IDT is corrupted, at the next interruption, the processor will be unable to call the required interrupt manager or dual error handler because the IDT descriptors are defective, so the system stops / restarts. On the Acorn RISC Machine (ARM) and other MOS Technology 6502 based systems, reset also has the highest priority and therefore it is possible to soft reset with vector interrupts.

This phenomenon makes it possible to run low-level disruptive programs to restart the system on most systems (root, jailbreak, re-opping). As of now these kind of ‘vulnerabilities’ are the most sought after, with some of these are being legally bought for as much as 1.5 million USD.

WM1A8.6. Hypnosis (netborne system rigging)

If a central (datacenter) or network (server) machine, which is considered a reliable source of data, sends wrong or distorted data for some reason, the CPU will  execute erroneous operations or send erroneous commands to the output devices. In this way an infection of a central machine is enough to bring down a whole network if the trust system between the networked machines is one-way from the top down.

The relation between real and sensory data is thus: A ≠ A

WM1A8.7. Mass psychosis / data poisoning

All data scanned by the machine trough its sensors and / or its I / O devices will be interpreted in any case, even if the facts, decisions, emotions and the motives behind the data are unclear. A group case is “mass psychosis” where most of the data is meaningless, so the comprehensible data are statistically so small in the whole dataset that the data processed reflect a misunderstood system of conclusions.

WMA8.8. Autohypnosis (system self-suggestion, distorted experience of reality)


If the sensory data of the machine is distorted in a particular direction (~ is actually larger or smaller in a given spectrum or a number of spectrums), then the CPU sends higher or lower intensity control to output devices. This is because deliberately incorrect data will be provided with the sensors in question (eg. artificially elevated temperature, etc.).

The relation between real and sensory data is thus: A ≠ A

WM1A8.9. Psychotic Effect / Psychosis (reality border blurring)

Psychosis is an abnormal state of the mind when it is difficult to find out what reality is and what it is not. In the case of the machine, this analogy can be detected when the CPU is unable to read data from I / O devices or when a sensor continuously disseminates data that is different from the real values. Defective sensors lead to serious interpretation problems as they are analogous to delusions, misconceptions and / or delusions. This could be easily exploited to make a self-aware machine to quit a particular operation.

The relation between real and sensory data is thus: A = A ≠ A

WM1A8.10. Shock effect

The shock is a sudden impact from the outside environment or an abnormal state of internal operation that is not foreseeable. For computer systems, this is a simultaneous, sudden and uniform burden. Any part of your computer and network can be shocked and this will always cause a crash (eg DoS, DdoS).

WM1A8.11. Schizophrenia

The machine can not know about certain parts of itself that bypass the CPU and / or the Operating System. If their automation stops for any reason, this will lead to the collapse of the processes, the disintegration of the inputs, operations and output.

WM1A8.12. Compliance constraint

This is the case when user programs / applications running on the computer are demanding resources from  the operating system and CPU so much that each process / thread can only be processed very slowly. The CPU load is greatly increased, while overall, no user program can deliver outstanding performance at the same time. Replacing by analogy: the system takes up too many features that require too much resources, so it can only perform slow operations (with a fraction of the normal speed).

WMA8.13. Physiological overload

The needs of the internal system processes of the computer are not satisfied, but the operating system or the user programs can not or do not know about it because of lack of monitoring or inability to do so (because they do not have  a core monitoring subroutine). It could lead to overheating and consequently to double- and triple faults, which ends in a restart of the machine.

WM1A8.14. Understanding (unsupported belief / dataset disfiguration)


The computer gains sensory or I / O knowledge, incorrectly evaluates it, then stores this false (deceitful) data and compares and evaluates false data for the entire dataset as compared to all subsequent data.

WM1A8.15. Time factor / external time

The machine or program externally measures something that can be modified without knowing the system (for example, changing the CMOS clock and date to circumvent the time limit of a try-out software). This way it is not only possible to alter internal processes within a machine, but also to force a network to deny access for a machine because of its corrupted settings (like a ‘date not passed’ check).

WM1A8.16. Start and stop sequence (power on / off sequence)

Only when the machine is powered up and the startup sequence is successful create the conditions for a machine to operate. When the system is switched off, the shutdown sequence must ensure the system can be restarted. If the power off sequence is incorrect or an error occurs, the system can not turn on (restart) without error correction – or at all.

WM1A9. Kernel elements (analogous to brainstem – spinal cord)

WM1A9.1. BIOS (firmware interface)

Kernel-level program execution and device management for motherboard options are implemented through the BIOS. The BIOS is flashable in most cases and is vulnerable. In some versions of the BIOS, options are restricted to make a particular higher level program (eg. Operating System) exclusive (eg EFI / UEFI).

However, because of the legacy building principles, these firmware programs also include legacy support for BIOS services, so they remain vulnerable at the kernel level.

WM1A9.2. Low level DOS access (shell / terminal access)


The startup sequence of each computer and all I / O operations are performed with low level instructions that serve higher level programs. However, the computer is directly accessible and programmable with low level instructions (external bootstrap loader, reverse shell, etc.). If this low level relationship arises, all higher level programs are completely circumvented. Acquiring a reverse shell on a target machine is almost always the goal of the attackers, because it allows complete control over the targeted system.

WM1A10. Device managers

The device manager can operate all connected devices by installing standard drivers. These device managers can be exchanged and can be used to exploit any vulnerability of said peripherals / organs because they are could not scanned heuristically by softwares of any level. Drivers and .CAB and .INF files can be recognized, decoded and rebuilt to contain malicious code.

WM1A11. Operating System

The Operating System is able to communicate via a machine code, so trough any Operating System it is possible to perform I / O operations directly to the peripherals of the computers and to program the programmable elements. This means that by infecting an Operating System a complete control could be established over any machine.

WM1A11.1. Boot options / selector

Almost all motherboards can selectively boot operating systems, so BIOS decides which operating system to boot. This can not be controlled by the operating system before it is loaded, so it is possible to circumvent and / or replace the Operating System if a physical access or a Wake-on-LAN connection could be established to the said machine.

WM1A11.2. Resident programs

The Operating System includes for each type of operation (user task) a resident and several programs called / loaded only if needed. However, the resident program can not continue to work if it is unable to pass the workflowto a necessary external program. It means that if a necessary non-resident program could be damaged / altered / deleted the Operating System will fail.

WM1A11.3. Dynamic-link libraries

Those parts / subroutines that are used by several programs are stored in the external dynamic-link library files of the Operating System, which are always writable because they need to be changed continuously. Because they are writable, however, they are vulnerable too. (.DLL, .DRV, .OCX) The dynamic-link library is a MS Windows concept, but modular computing and coupling GUIs with APIs, etc. made the approach similar in all OS realms.

WM1A11.4. Registry

The registry contains all the settings of the Operating System programs that the Operating System needs to know. It contains two types of data: key and variable. Any value can be entered in the registry and everything can be changed. Thus those programs that are sensitive of the loss / alteration of their recorded settings becoming vulnerable.

WM1A11.5. Internal deviation

The Operating System updates and service packs only change some files, so more and more instances of different versions work together and their compatibility could not be tested because of the endless number of variations on particular machines. This leads to the occurrence of potential double / triple faults.

WM1A11.6. Three-level programming

The Operating Systems are written in at least three different levels of programming languages. These may include differences that may interfere with the resource management of the machine. Three levels require three different interpreter programs (assemblers), which are not necessarily fully compatible. An example of the three levels: Java SDK (.NET) ⇒ Common Intermediate Language v. C ⇒ Assembly.

WM1A12. Logical necessities

WM1A12.1. Routines and subroutines

Any program contains a number of routines and repetitive subroutines, each of which makes the whole program vulnerable if coded faulty.

WM1A12.2. Memory resident programs

Resident programs can change while running in the memory without any changes in their stored version – and could not be detected by other programs (such as an operating system, anti-virus). This makes memory resident malicious programs a prime vehicle to deliver payloads into the targeted systems.

WM1A12.3. User preferences

User programs are storing the settings made by the user in user initialization files (eg. preferences). Because user programs do not have the task of protecting the file system, they have never been encrypted. This means that it is very easy to change the settings in such a way to cause faults in a system (like changing memory usage limits, write permissions, etc.)

WM1A12.4. Session storage in files

User programs save the partial or end result of their use into files in a given format and then load them in the same session as soon as possible. By modifying the files, however, the user program’s behaviour can be modified.

WM1A12.5. Nonheuristic operation

While user programs are running in machine code,  they can not be restored to the original code neither by the Operating System, nor an anti-virus program, so they can be heuristically checked only in their pre-input, default versions. There is no way to control their malicious activity with data, without obtaining their specific input data separately.

WM1A12.6. I / O privileges

User programs can only work with full write / read privileges. If their access to the memory or a data storage device is limited or becomes non-operative, their operation crashes.

Be the first to comment on "log4shell: Error by Design"

Leave a comment

Your email address will not be published.