In-garage delivery and alarms

January 22, 2024

So I've recently set up my alarm system to

Plan

Ratgdo wiring

Arduino programming

Assembling the synchronizer

Testing

Setting up DSC alarms without pain

January 14, 2024

It's time to set up my new alarm system, after moving everything to a location downstairs and wiring up everything using Ethernet (see structured wiring for DSC). I have a DSC PC-1864 alarm, and here are some notes about setting it up. And it turned out to be not at all scary, once I found the right software!

First, I needed to ensure that the alarm is back in the factory configuration, this is easily done by shorting the PGM1 output with Zone 1 input (while the alarm unpowered) and then connecting the board to power for 10 seconds. After the reset, you can check that everything is working by getting into the installer mode using the default password (5555): "*8 5555". Now it's ready for the zone setup.

There is a nice blog detailing the alarm setup for a home: https://chrisschuld.com/2019/02/programming-a-dsc-alarm-1832/ I did something similar before, but it's completely unintuitive and error-prone. But It turns out that DSC produces (a somewhat crappy) Windows-based software that can be used to set up their alarms using a visual UI.

It's called DLS-5, and it's a free download that is normally locked on the installer-only section of their website. Fortunately, it can be bought for $40 from https://www.credexalarmsystems.eu/en/dsc-software-dls5.html The panels are region-specific, so I made sure to get the North America (NA) version.

I also bought a PC-Link cable, CredexAlarmSystems sells them, but I found one much cheaper on eBay. I also bought one of the “PC-Link Adapter” cables from eBay for around $25, after failing to make the DLS work:

Ultimately, both cables worked fine, after I found (by accident) the correct way to connect them, see below for the details.

These cables are simple pass-through serial cables, so you should be able to just connect any other USB-serial adapter, but I had no luck connecting my RaspberryPi adapter with female ferrule-style pins.

Connecting the DLS

System setup

Setting up the zones

Setting up partitions

Envisalink

Structured wiring for the DSC alarm

January 13, 2024

DSC alarm panels are usually a veritable rats' nest of wires and strange connectors, so I decided to try and clean up my panel by using structured wiring. This makes a lot of sense, standard Ethernet wiring is good enough for 2 amps for a single pair, which provides more enough power for the DSC panel and alarms.

My house uses a Legrand On-Q enclosure, so I used an AC1015 Network Interface Module to terminate the wires from sensors in individual zones. At this point, I spent some time deciding on the way to map the wiring from the DSC standard to the T-568A Ethernet pinout.

DSC uses cables with 4 wires, usually: ${\color{white}\colorbox{black}{black}}$, ${\color{white}\colorbox{red}{red}}$, ${\color{white}\colorbox{green}{green}}$, and ${\color{black}\colorbox{yellow}{yellow}}$. Sometimes wires might use ${\color{white}\colorbox{blue}{blue}}$ instead of ${\color{white}\colorbox{green}{green}}$. This is what I came up with:

T-568A	4-wire	Meaning
WhiteGreen
Green
WhiteOrange	${\color{white}\colorbox{black}{Black}}$	12V(–)
${\color{white}\colorbox{blue}{Blue}}$	${\colorbox{red}{Red}}$	12V(+)
${\fbox{White}}{\color{white}\colorbox{blue}{Blue}}$	${\color{white}\colorbox{green}{Green}}$ (${\color{white}\colorbox{blue}{Blue}}$)	KEYBUS
Orange	${\color{black}\colorbox{yellow}{Yellow}}$	KEYBUS
${\fbox{White}}{\colorbox{brown}{Brown}}$
${\colorbox{brown}{Brown}}$

DSC uses the ${\color{white}\colorbox{black}{black}}$ and ${\colorbox{red}{red}}$ wires for 12V DC power supply, so it's important to make sure that they are not connected to the same Ethernet pair (for example, do NOT connect them to blue and white-blue). This way, if you accidentally plug in a regular Ethernet device into the DSC plug, there won't be any magic smoke emitted.

Additionally, I used RJ11 phone jacks with 4-wire cable instead of the regular CAT6 cable for the zone-to-alarm wiring. It saves a bit of space and makes sure they are visibly distinct from Ethernet jacks. RJ11 jacks are perfectly compatible with the regular CAT6 Ethernet sockets.

Using extender for zones

Another thing is that I wanted to move my alarm panel into the basement, out of my living room. This is mainly to get rid of an ugly metal cabinet in my food pantry, and because my wiring cabinet was getting congested.

I added several conduits leading from the basement up into my living room, so there was plenty of space to just run the wires to the panel downstairs. But then I had an idea, I could use a zone expander and just run one wire from it to the control panel!

It worked well, I was able to use just one Ethernet cable to connect the zone expander with the main panel downstairs. Here's how the living room panel looks, and it also holds an Envisalink 4 board that exposes the DSC alarm state for my HomeAssistant:

And here's the main alarm panel. Super-tidy!

For comparison, this was the initial look.

Expander wiring

Zone expanders for the DSC alarm systems use the same KEYBUS standard for 4-wire cables. But we need two more modifications: 1. I also need to send the bell (siren) signal up from the main alarm panel. 2. I'd like to have some headroom for power. I have 3 keypads and 1 security camera powered by 12V from the expander, and this is just a bit too close to the maximum rated amperage for the CAT5 cable pairs. So I used up the remaining twisted pair for an additional power line.

This is the updated mapping for the expander-main connection:

T-568A	Expander	Meaning
${\fbox{White}}{\color{white}\colorbox{green}{Green}}$	${\colorbox{red}{Additional Red}}$	MORE POWER
${\color{white}\colorbox{green}{Green}}$	Bell(–)	Siren
${\fbox{White}}{\color{black}\colorbox{orange}{Orange}}$	${\color{white}\colorbox{black}{Black}}$	12V(–)
${\color{white}\colorbox{blue}{Blue}}$	${\colorbox{red}{Red}}$	12V(+)
${\fbox{White}}{\color{white}\colorbox{blue}{Blue}}$	${\color{white}\colorbox{green}{Green}}$ (${\color{white}\colorbox{blue}{Blue}}$)	KEYBUS
${\color{black}\colorbox{orange}{Orange}}$	${\color{black}\colorbox{yellow}{Yellow}}$	KEYBUS
${\fbox{White}}{\colorbox{brown}{Brown}}$	${\color{white}\colorbox{black}{Additional Black}}$	MORE POWER
${\colorbox{brown}{Brown}}$	Bell(+)	Siren

As a note for myself, here's the zone mapping between locations and zones, they go in the descending order, from upstairs to downstairs:

Location	Expander Zone	Global Zone
4th floor door	8	16
3rd floor: balcony door and living room PIR	7	15
2nd floor balcony door	6	14
2nd floor bedroom PIR	5	13
2nd floor entry hallway PIR	4	12
2nd floor entry door	3	11
1st floor bedroom door and window	2	10
1st floor elevator door	1	9
garage PIR	Main Panel	8

PIR stands for Passive InfraRed, in other words, motion detectors.

#dsc #homesetup

January 12, 2024

Here's how I set up my blogging environment

Benchmarking Go and C# async performance

March 17, 2023

Benchmarking Go and C# async performance

One large problem with async/await-based coroutines is that they are not very fast when compared with properly implemented fibers (aka “lightweight threads” or “goroutines”).

This is easy to demonstrate with a simple program:

package main

import (
	"log"
	"time"
)

func Calculate(val int) int {
	if val == 0 {
		return 0
	}
	res := Calculate(val - 1)
	res += 1
	return res
}

func main() {
	start := time.Now()
	var num int
	for i := 0; i < 1000000; i++ {
		num += Calculate(20)
	}
	diff := time.Now().Sub(start)
	log.Printf("Val: %d, %d(ms)", num, diff.Milliseconds())
}

Its output:

cyberax@CybArm:~/simp/bench$ go run test.go
2023/03/16 17:14:47 Val: 20000000, 32(ms)

I'm going to use C# to implement the coroutine-based version:

using System;
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;

namespace ChannelsTest
{
    class Program
    {
        static async Task<int> Calculate(int val) {
                if (val == 0) {
                        return 0;
                }
                int res = await Calculate(val - 1);
                res += 1;
                return res;
        }


        static void Main(string[] args)
        {
                int num = 0;
                var sw = new Stopwatch();
                sw.Start();
                for (var i = 0; i < 1000000; i++) {
                        num += Calculate(20).Result;
                }
                sw.Stop();
                Console.WriteLine($"Result is: {num}, {sw.Elapsed.TotalMilliseconds:0.000}ms");
        }
    }
}

Its output:

cyberax@CybArm:~/simp/bench$ dotnet run -c Release
Result is: 20000000, 492,313ms

This is caused by the C# version having to allocate a heap object to store the stack frame for each level in the Calculate function. In contrast, Go simply uses a normal stack, that can be grown as needed.

Untangling the AWS SSM agent

January 24, 2023

Some years ago, AWS introduced the SSM (Simple Systems Manager) Agent. It's an agent that can be started on EC2 instances and perform multiple utility functions. Over the years, the SSM agent was added to all the major cloud-enabled Linux distribution AMIs, including Ubuntu, Amazon Linux, and RHEL. And AWS even added an option to automatically add SSM connectivity to all EC2 instances via Default Host Management!

SSM Agent supports a wide range of functionality. It can inventory running processes, apply patches, run shell commands, establish terminal sessions to EC2 instances, and even set up port forwarding.

The most significant advantage of the SSM Agent is its complete independence from the VPC settings. It uses an EC2 service, ssmmessages, and as a result, it can work just fine even in a VPC that doesn't have connectivity with the public Internet.

I was primarily interested in using this to set up port forwarding and, avoid using bastion hosts for SSH or PostgreSQL access.

Unfortunately, AWS's existing tooling around the SSM protocol is very clunky and can't be easily used in a composable standalone library. So I spent some time doing just that. The result of this work is Gimlet.

Looking at how SSM is supposed to be used normally

The normal way to use the SSM port forwarding is by using the AWS CLI with an optional Session Manager Plugin.

For example, to set up port forwarding to the instance i-0e3a964d49f28a5b8 and port 22 we need to run:

aws ssm start-session --target i-0e3a964d49f28a5b8 --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["22"], "localPortNumber":["56789"]}'

Starting session with SessionId: admin-0b6458385d2cffd35
Port 56789 opened for sessionId admin-0b6458385d2cffd35.
Waiting for connections...

The AWS CLI itself doesn't actually do anything but initiate the session, and the work of port forwarding is handled by spawning a background daemon:

cyberax@CybArm:~$ ps aux | grep session-manager-plugin
cyberax          43380   0,0  0,0 408636096   1488 s003  S+   10:01     0:00.00 grep session-manager-plugin
cyberax          43163   0,0  0,0 35315540  14816 s001  S+   10:00     0:00.27 session-manager-plugin {"SessionId": "admin-0b6458385d2cffd35", "TokenValue": "AAEAA......417bvh4OL", "StreamUrl": "wss://ssmmessages.us-east-1.amazonaws.com/v1/data-channel/admin-0b6458385d2cffd35?role=publish_subscribe&cell-number=AAEAAf2PldzWvh3EDdw8q7A0JB+nBIqkCvU+htAEPX0+D2QYAAAAAGPPc/9A2Ugc4EBbN5Qt9rCZMB9iBuYX6zUdShZndrZ5tvWh3g==", "ResponseMetadata": {"RequestId": "208ec786-7805-4965-91d7-8e6f7e95a603", "HTTPStatusCode": 200, "HTTPHeaders": {"server": "Server", "date": "Tue, 24 Jan 2023 06:00:31 GMT", "content-type": "application/x-amz-json-1.1", "content-length": "947", "connection": "keep-alive", "x-amzn-requestid": "208ec786-7805-4965-91d7-8e6f7e95a603"}, "RetryAttempts": 0}} us-east-1 StartSession pers {"Target": "i-0e3a964d49f28a5b8", "DocumentName": "AWS-StartPortForwardingSession", "Parameters": {"portNumber": ["22"], "localPortNumber": ["56789"]}} https://ssm.us-east-1.amazonaws.com

Yup. The parameters, including connection tokens and request metadata, are passed through the command line. Sigh.

The daemon is also quite a bit... hacky. It's just not written well, and can't really be used as a composable library inside your own application.

“Reverse engineering” the SSM port forwarding protocol

It's clear that the default implementation of session-manager-plugin leaves a lot to be desired. So we should just re-implement it! AWS is known for its pretty good documentation, so it should be simple, right?

The SSM port forwarding API calls are very eloquently documented by Amazon as special operations used by AWS Systems Manager. Which is about the total extent of the available documentation.

Fortunately, we do have the source code for both the server side and the client side. So we just need to read it and untangle its twisted web.

I documented the results of my investigation in Gimlet's README file.

In the next post, I'm going to demonstrate how Gimlet can be used to build a simple SSH proxy to allow passwordless access to EC2 instances.

Multitenancy in Postgres

August 14, 2022

What is Multitenancy

Even in the microservice world there's a common requirement to host data for many tenants. But first let's discuss what exactly is a tenant. When discussing multitenancy, various websites and some books give examples like this: a company that resells database access and needs to store data from multiple clients in one database. This is an extremely naïve example and it doesn't really reflect the actual reality.

For the purpose of this document, a tenant is a group of users that work within the same organization (or are somehow associated). For example, if we're making an enterprise chat application (a Slack clone, why not?) then a tenant would be an organization that subscribes for it. And the main goal would be to make sure that one tenant can't access the data from other tenants.

We likely still need to add some kind of access control within the tenant, but we absolutely need to make sure that data doesn't leak across the tenant boundary. Moreover, we should make it a goal to ensure that any bug in our code does not result in leaking data outside of the tenant. Basically, imagine how you can deal with the worst possible scenarios: arbitrary unlimited SQL injection, or a fully exploitable buffer overflow in server code.

PostgreSQL Row-Level Security

So with this in mind let's start designing the data access code. We're using PostgreSQL as our main data storage, so we'll be looking at securing it. We can't do database-per-tenant or schema-per-tenant partitioning as this will blow up the complexity of all the routine operations like database upgrade. Instead we'll be looking at row-level security.

Let's start with the schema and some sample data. I purposefully use human-readable names for tenants, in actual production code it's better to use something like uuid default uuid_generate_v4() instead (and probably for the orders table as well).

-- The application role
create role slack_app nosuperuser nocreatedb nocreaterole login password '123';

-- The tenants table
create table tenant (tenant_id varchar primary key, name varchar);
grant select on tenant to slack_app;

-- And a simple data table
create table orders (order_id int8 primary key, order_text varchar, 
    tenant_id varchar not null references tenant(tenant_id) on delete restrict);
grant select, insert, update, delete on orders to slack_app;

insert into tenant(tenant_id, name) values('HHL','Horns&Hooves Ltd.');
insert into tenant(tenant_id, name) values('CIA', 'Scary Government Agency');
insert into orders(order_id, order_text, tenant_id) values (1, 'Chairs', 'HHL');
insert into orders(order_id, order_text, tenant_id) values (2, 'Diamonds', 'HHL');
insert into orders(order_id, order_text, tenant_id) values (3, 'Killer Drones', 'CIA');

alter table tenant enable row level security;
alter table orders enable row level security;

So far so good. We can log into the database as slack_app and do the CRUD operations on tenants and orders.

Now we need to add some kind of security. This how-to guide has a nice tutorial, so we'll follow it.

create policy tenant_isolation_policy on tenant using (tenant_id = current_setting('app.current_tenant'));
create policy tenant_isolation_policy on orders using (tenant_id = current_setting('app.current_tenant'));

Now let's test it by logging in as slack_app and trying to do something:

cyberax@CybMac:/tmp$ psql --user slack_app slackapp
slackapp=> select * from orders;
ERROR:  unrecognized configuration parameter "app.current_tenant"

Good, we can't see all the data. Now let's try to change the tenant:

slackapp=> set app.current_tenant = 'HHL';
SET
slackapp=> select * from orders;
 order_id | order_text | tenant_id
----------+------------+-----------
        1 | Chairs     | HHL
        2 | Diamonds   | HHL
(2 rows)

Great! We can only see our own data. But there's one small problem, as nothing whatsoever stops an attacker that gained ability to do arbitrary SQL injection from doing this:

slackapp=> set app.current_tenant = 'CIA';
SET
slackapp=> select * from orders;
 order_id |  order_text   | tenant_id
----------+---------------+-----------
        3 | Killer Drones | CIA
(1 row)

There is no way to limit the SET operations in PostgreSQL to be one-time only. Also there are no ways to prohibit running SET commands altogether, or at least limit them to a set of whitelisted options.

Tokenizing Everything

One possible solution is to use unguessable tenant names (e.g. UUIDs), so this way the attacker likely won't know the other tenants' IDs right off the bat. But this is not a good solution, any tenant ID leak would give an attacker access to all the tenant's documents.

But this approach seems to be on the right track. What if instead of tenants we use one-time tokens? These tokens can be populated by a small highly-secure service and passed to the main application.

Let's try it! We need to create a table for the tokens and a stored procedure to check them:

create table token(token varchar primary key, tenant_id varchar not null references tenant(tenant_id) on delete restrict, valid_until timestamp);

create or replace function get_tenant()
returns varchar language plpgsql security definer
as $$ declare 
  tenant_res varchar;
begin
select tenant_id into tenant_res from token where token = current_setting('app.token', true) and now() < valid_until;
return tenant_res;
end $$;

Some explanations: security definer modifier means that the function is always invoked with the permissions of the user that defined it (the superuser in this case). This is necessary because we absolutely DO NOT want to give the slack_app user permissions to do select on our tokens table.

The rest is straightforward, we need to modify the row-level security policy on the tables and insert some test tokens.

drop policy tenant_isolation_policy on tenant;
drop policy tenant_isolation_policy on orders;

create policy tenant_isolation_policy on tenant using (tenant_id = get_tenant());
create policy tenant_isolation_policy on orders using (tenant_id = get_tenant());

-- Insert some test tokens (they MUST be unguessable cryptographically random strings in a real application)
insert into token (tenant_id, token, valid_until) values ('CIA', 'token-high', now() + interval '2 hours');
insert into token (tenant_id, token, valid_until) values ('HHL', 'token-low', now() + interval '2 hours');

And now let's test it!

cyberax@CybMac:/tmp$ psql --user slack_app slackapp
psql (13.3)
Type "help" for help.

slackapp=> select * from orders ;
 order_id | order_text | tenant_id
----------+------------+-----------
(0 rows)

slackapp=> set app.token = 'token-high';
slackapp=> select * from orders;
 order_id |  order_text   | tenant_id
----------+---------------+-----------
        3 | Killer Drones | CIA
(1 row)

slackapp=> set app.token = 'token-low';
slackapp=> select * from orders;
 order_id | order_text | tenant_id
----------+------------+-----------
        1 | Chairs     | HHL
        2 | Diamonds   | HHL
(2 rows)

And this is exactly what we want! The limited time tokens provide authorization to access the data for individual tenants. The tokens can be generated by a small service and communicated to the app over a secure channel. And there's nothing an attacker can do without knowing a token.

Performance

Row-level security is implemented as a hidden where clause, that is visible in the explain statement:

slackapp=> explain select * from orders;
                       QUERY PLAN
---------------------------------------------------------
 Seq Scan on orders  (cost=0.00..222.62 rows=4 width=72)
   Filter: ((tenant_id)::text = (get_tenant())::text)
(2 rows)

This hidden clause needs to be taken into account when designing queries and indexes.