Thursday, May 17, 2018

HTTP 502.5 When Deploying ASP.NET Core Site to AWS EBS

I recently had a fun time diagnosing a weird deployment error in the following environment:

  • ASP.NET Core 2.0 site hosted on AWS EBS
  • VS 2017
  • IIS 10.0 running on 64-bit Windows Server 2016/1.2.0
After deployment, the site fails to load with "HTTP Error 502.5 - Process Failure".  When retrieving logs from EBS, we see an error when starting the site:

Error 0:(0) IIS AspNetCore Module - Application 'MACHINE/WEBROOT/APPHOST/DEFAULT WEB SITE' with physical root 'C:\inetpub\AspNetCoreWebApps\app\' failed to start process with commandline 'dotnet .\MYAPP.dll', ErrorCode = '0x80004005 : 8000808c.

In the end, the fix was simple:  Downgrade the "Microsoft.AspNetCore.All" NuGet package to the previous version.

I believe what is happening here is AWS doesn't have the newest version of the .NET Core runtime and is failing because of it.  I believe you could also fix this by installing the correct version of the runtime on the EBS instance or specifying a runtime in the csproj.

In the past, a new deployment into a fresh EBS application has also fixed the issue, but did not in this instance.

Addendum: If you are having this issue on your local box, install the version of the SDK that the project requires.  You may need to install the 1.0 or 1.1 SDK for example.
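The root cause described above (the host's shared runtime does not match what the deployed app asks for) can be confirmed without guessing. The following PowerShell script is an added example, not part of the original post: it reads the framework version the app requests from its *.runtimeconfig.json and compares it with the shared runtimes installed under the default dotnet install location. The app path is taken from the error message quoted above; the dotnet root and the patch-only roll-forward rule for .NET Core 2.x are assumptions spelled out in the comments.

```powershell
# Added example (not from the original post): compare the .NET Core runtime an
# ASP.NET Core app asks for with the shared runtimes installed on the host.
# Assumptions: the app folder contains <app>.runtimeconfig.json (the SDK emits
# one for framework-dependent deployments) and the shared runtime lives under
# $env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App (the default install).

function Get-RequestedRuntime {
    param([Parameter(Mandatory)][string]$AppRoot)
    $cfg = Get-ChildItem -Path $AppRoot -Filter '*.runtimeconfig.json' | Select-Object -First 1
    if (-not $cfg) { throw "No *.runtimeconfig.json under $AppRoot (self-contained deployment?)" }
    $json = Get-Content -Raw -Path $cfg.FullName | ConvertFrom-Json
    $fw = $json.runtimeOptions.framework
    [pscustomobject]@{ Config = $cfg.Name; Name = $fw.name; Version = [version]$fw.version }
}

function Get-InstalledRuntimes {
    param([string]$DotnetRoot = (Join-Path $env:ProgramFiles 'dotnet'))
    $shared = Join-Path $DotnetRoot 'shared\Microsoft.NETCore.App'
    if (-not (Test-Path $shared)) { return @() }
    # Each subdirectory is named after an installed runtime version; skip
    # anything (e.g. a preview build) that does not parse as a plain version.
    Get-ChildItem -Path $shared -Directory |
        ForEach-Object { try { [version]$_.Name } catch { $null } } |
        Where-Object { $_ } | Sort-Object
}

function Test-RuntimeAvailable {
    param([version]$Requested, [version[]]$Installed)
    # Assumption: .NET Core 2.x rolls forward on the patch number only, so a
    # 2.0.x request is satisfied by any installed 2.0.y with y >= x, never by 2.1.z.
    $Installed | Where-Object {
        $_.Major -eq $Requested.Major -and $_.Minor -eq $Requested.Minor -and $_ -ge $Requested
    }
}

# Path from the ASP.NET Core Module error quoted in the post.
$req  = Get-RequestedRuntime -AppRoot 'C:\inetpub\AspNetCoreWebApps\app'
$inst = Get-InstalledRuntimes
"Requested by $($req.Config): $($req.Name) $($req.Version)"
"Installed shared runtimes: $($inst -join ', ')"
if (Test-RuntimeAvailable -Requested $req.Version -Installed $inst) {
    'OK: a compatible shared runtime is installed.'
} else {
    'MISMATCH: no installed runtime satisfies the request; expect HTTP 502.5 from the ASP.NET Core Module.'
    'Fix by downgrading Microsoft.AspNetCore.All, pinning <RuntimeFrameworkVersion> in the csproj, or installing that runtime on the host.'
}
```

Run it on the EBS instance (or on a local box showing the same error) in an elevated PowerShell. A MISMATCH result with a newer requested version than anything installed is exactly the situation the downgrade fixed; the same comparison also tells you which runtime to install if you would rather keep the newer package.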

Tuesday, May 15, 2018

Reflections on Microsoft BUILD 2018

I had the pleasure to attend Microsoft BUILD this year.  There's so much to see and do, it really is an assault on the senses.  Despite so much going on and all the huge announcements, I never feel like I was missing anything because the sessions are recorded and freely available on the web.  The greater value is the ability to share videos of sessions I found particularly interesting with those that didn't have the opportunity or time to attend the conference.

There was a lot of AI/ML on display, from Azure hosted, to things you could host on-box with Azure IoT Edge.  It will take a while to digest it all, but I overall love the idea that you can find a way to work with these new technologies on the platform, device and security/risk posture of your choosing.

Some things I ran across:
Friday, May 11, 2018

Adding drivers to Windows 10 IoT Core at Runtime Using Windows Device Portal
While I was compiling some Windows 10 IoT Core 1709 images, I made a small typo in an input file that resulted in one of the BSP drivers not being included in the image.  Instead of compiling the whole thing immediately, I stumbled upon an easy way to add a driver to a compiled image and make sure I had the correct one.

  1. Use inf2cab from the iot-adk-addonkit to create a CAB file: inf2cab c:\temp\driver\driver.inf Driver.MyDevice
  2. Navigate to Windows Device Portal | Windows Update
  3. Select "Choose Files", navigate to the CAB and click Install
  4. Reboot
Using this method, it was easy for me to see that I had messed up the input file versus having the incorrect device driver and incorporate a fix into my next set of builds.

Friday, January 5, 2018

Meltdown and Spectre - Considerations for Digital Signage/IoT/Embedded Devices

I've been following the Meltdown and Spectre news since last week, when it was just vague mentions on lkml and speculation on Twitter.  After receiving some questions, I thought I would provide my take on the impact and practical things to mitigate the issues and plan for the future.

Some information/background on the vulnerabilities:

Basically, these attacks allow someone running code on a system to access protected memory contents by using timing differences and speculative execution features in a lot of modern processors.


Digital Signage/IoT/Embedded solutions are somewhat unique in that the application set on the system is usually well-known and static by design.  These vulnerabilities require the attacker to be able to run code on your system.  This means the actual risk is low for systems running the majority of content.  The things that change on a solution are typically:

  • Frequent content changes
  • Monthly operating system patches
  • Rare player/CMS updates


Concrete Things To Do

  1. Turn on automatic patches.  The risk of not being patched is far more than the risk of a patch breaking a system.  Chaining remote execution vulnerabilities with local privilege escalation vulnerabilities is a lot harder if you actually patch things.  Do this first.
  2. Examine your systems for things that run untrusted code.  Thankfully most solutions don't let the user navigate to arbitrary web pages or install applications.
  3. Look into Application Binary Whitelisting and Write Filters.  These technologies can prevent untrusted code from being run on the system and allow you to revert back to a known good configuration with a reboot.
  4. Have a response plan.  Do you know who does what and how if you need to mitigate a piece of malware on one or more systems?

Some ruckus has been made about the performance impact of the recently released patches.  Although some workloads can be impacted, it is mostly I/O intensive workloads not typically seen in Digital Signage.  It is also very important to judge the performance impact on your actual workload rather than on synthetic benchmarks; synthetic benchmarks are going to give you an unrealistic picture.

Overall, the best thing to do right now is to communicate a plan to stakeholders and patch.  Ensuring systems are patching automatically now is the best protection against a "weaponized" version of any malware later.
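The four items in the list above can be turned into a read-only posture check that a fleet operator can run on a Windows player before and after rolling the patches out. The script below is an added example, not part of the original post: it reports whether automatic updates are switched off by policy, whether the Spectre/Meltdown kernel mitigations have been explicitly disabled through the documented registry overrides, whether the Unified Write Filter is present and active, and whether any AppLocker rule collection is enforced. The registry paths, feature name, WMI class and cmdlets are the documented ones; the pass/fail interpretation of each is my own, as noted in the comments.

```powershell
# Added example (not from the original post): read-only posture check for a
# Windows signage/IoT player covering the post's four action items.
# Run elevated; Get-WindowsOptionalFeature and Get-AppLockerPolicy need it.

function Get-AutoUpdatePosture {
    # Policy key: NoAutoUpdate=1 means a GPO/MDM policy turned automatic
    # updates off entirely; AUOptions=4 is "auto download and schedule install".
    $au  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $p   = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'Automatic patching'
        Detail = "NoAutoUpdate=$($p.NoAutoUpdate) AUOptions=$($p.AUOptions) wuauserv=$($svc.StartType)"
        Ok     = ($p.NoAutoUpdate -ne 1) -and ($null -ne $svc) -and ($svc.StartType -ne 'Disabled')
    }
}

function Get-SpeculationMitigationPosture {
    # Documented overrides for the Jan 2018 kernel mitigations (KB4072698):
    # Override=3 with Mask=3 disables them explicitly; Override=0 with Mask=3
    # enables them on Server SKUs, where they are off by default. Missing
    # values mean the OS default applies (on for client, off for Server).
    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $p  = Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue
    $explicitlyDisabled = ($p.FeatureSettingsOverride -eq 3) -and ($p.FeatureSettingsOverrideMask -eq 3)
    $explicitlyEnabled  = ($p.FeatureSettingsOverride -eq 0) -and ($p.FeatureSettingsOverrideMask -eq 3)
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = DC, 3 = server.
    $isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
    [pscustomobject]@{
        Check  = 'Speculation mitigations'
        Detail = "FeatureSettingsOverride=$($p.FeatureSettingsOverride) Mask=$($p.FeatureSettingsOverrideMask) Server=$isServer"
        Ok     = (-not $explicitlyDisabled) -and ((-not $isServer) -or $explicitlyEnabled)
    }
}

function Get-WriteFilterPosture {
    # Unified Write Filter: optional feature installed and filter active now.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName Client-UnifiedWriteFilter -ErrorAction SilentlyContinue
    $uwf  = Get-CimInstance -Namespace root\standardcimv2\embedded -ClassName UWF_Filter -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'Write filter'
        Detail = "Feature=$($feat.State) CurrentEnabled=$($uwf.CurrentEnabled) NextEnabled=$($uwf.NextEnabled)"
        Ok     = ($feat.State -eq 'Enabled') -and ($uwf.CurrentEnabled -eq $true)
    }
}

function Get-WhitelistPosture {
    # AppLocker: I treat any rule collection in Enabled (enforce) mode as
    # "whitelisting in place"; AuditOnly collections do not count.
    $policy   = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $enforced = @($policy.RuleCollections | Where-Object { $_.EnforcementMode -eq 'Enabled' })
    [pscustomobject]@{
        Check  = 'Application whitelisting'
        Detail = "Enforced AppLocker rule collections: $($enforced.Count)"
        Ok     = $enforced.Count -gt 0
    }
}

& {
    Get-AutoUpdatePosture
    Get-SpeculationMitigationPosture
    Get-WriteFilterPosture
    Get-WhitelistPosture
} | Format-Table -AutoSize
```

The speculation check only tells you whether the kernel mitigations have been switched off or, on Server, never switched on; it does not confirm that the January updates or the CPU microcode are actually installed, which is what Microsoft's SpeculationControl module reports. Pair this with the update history from your patch management tooling rather than treating a green row as proof of full mitigation.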

Wednesday, November 29, 2017

Braswell/Cherry Trail BSP for Windows 10 IoT Core

I finally found the BSP for Braswell and Cherry Trail based devices today.  It was released in October and builds against 1709 if you follow the instructions here:

https://docs.microsoft.com/en-us/windows/iot-core/build-your-image/createbsps

Listed under "Board Support Package for Intel Atom® Processor Windows* 10 IoT Core 32-bit and 64-bit Platforms" - https://www.intel.com/content/www/us/en/embedded/products/braswell/software-and-drivers.html

Friday, November 3, 2017

Simple Webserver for Windows 10 IoT Core

Recently, I needed a small web server for a project I was working on.  I needed to run it in a UWP background task on Windows 10 IoT Core, so my options were a bit limited.

The ms-iot/samples repository has quite a few gems.  In particular, the IoTBlocky Sample has a very basic web server called SimpleWebServer.  I ended up adding some support for parameters, but otherwise was very happy about how fast I got a web server hosted in my code.

The one deficiency is the lack of SSL support:

StreamSocket object can be configured to use SSL/TLS for communications between the client and the server. This support for SSL/TLS is limited to using the StreamSocket object as the client in the SSL/TLS negotiation. You cannot use SSL/TLS with the StreamSocket created by a StreamSocketListener when incoming communications are received, because SSL/TLS negotiation as a server is not implemented by the StreamSocket class.

I was hoping I was incorrect about this, but I haven't found any evidence to the contrary.  With .NET Standard 2.0, I hope to find something else I can include instead.

Wednesday, October 25, 2017

Things In My Lab - Raspberry Pi 3 and Windows 10 IoT Core For Digital Signage

Recently, I wrote a short post on using Windows 10 IoT Core on Raspberry Pi devices for Digital Signage.  I wanted to detail a little bit more about what hardware I use for testing in the lab.

I have a SmartiPi Touch and Raspberry Pi setup in the home lab, which is really neat for giving demos and quickly testing stuff, as long as I don't need smooth video playback.  It is small and also shows what the UI looks like at a lower resolution.

Otherwise, I use our Now Micro IoT Player 4k, since I can quickly PXE boot it and reimage for greenfield testing.  Prior to that product release, I used a variety of Intel BayTrail based devices, depending on what I was trying to accomplish at the time.

Overall, the IoT Player 4k is a lot faster and easier to work with when debugging UWP apps, but having a second monitor with me isn't always convenient.