Taking a scalpel to QNX

Speech transcript (automated)
I'm an independent security researcher and I will mainly focus on embedded system security. I have previously worked as a security researcher at the University of London, where I focused on critical infrastructure protection, and most of this work was part of my master thesis at Eindhoven University of Technology. And I'm a PhD student and a visiting researcher at the system security group of Ruhr University Bochum in Germany; my work is mostly related to embedded binary security and programmable logic controller security. All right,
so we'll start this presentation with an introduction to QNX and discuss the general operating system security architecture, before moving on to the pseudorandom number generators and the exploit mitigations themselves, finishing off with some final remarks. So, what is QNX?
QNX is a Unix-like, POSIX-compliant embedded real-time operating system. It's closed-source and proprietary, it was initially released in 1982, so it's quite old, and it was later acquired by BlackBerry. Versions up to and including 6.6 are 32-bit operating systems, but as of QNX 7, which was released in March of this year, it's a 64-bit operating system. It's most famously known for its use in various mobile devices, because it underpins the BlackBerry 10 operating system as well as the BlackBerry Tablet OS, but really this is only the tip of the iceberg of QNX usage, because especially
these days it's far more prominent in automotive systems, especially in infotainment systems, where it holds more than 50% of the market share, and it is set to be used in various self-driving car initiatives; for example Delphi Automotive has partnered with BlackBerry to use QNX as the basis of its self-driving car initiative. So that's very interesting from a security point of view. A
second very famous use of QNX is in carrier-grade routers like the Cisco ASR series, the 12000 series and the CRS series, where QNX is used to underpin Cisco's IOS XR operating system, as you can see on the right of the slide. That again, for all the obvious reasons, makes for an interesting security target.
And it's used in many, many more critical systems; here are just two examples. You can find it in industrial control systems like Westinghouse's nuclear power plant systems, surface mining control and turbine controllers, and in various military systems such as military radios and anti-tank guidance systems, in medical systems, railway safety, you name it. So the security implications are obvious. In
the last year, as some people might remember, we also gave a talk which covered some of the same subject matter, called 'Wheel of Fortune', and there we focused on PRNG issues in VxWorks, a redacted OS which we can't name for NDA reasons, and QNX versions up to and including 6.6. In this talk we'll discuss a lot of different stuff: we'll discuss the new user-space and kernel-space PRNGs of QNX 7 and focus on the exploit mitigations of QNX 6 and 7.
So here I'll hand over for the introduction to the QNX operating system and its security architecture. Thank you. So, what is the QNX architecture?
QNX is a microkernel OS. What that means is that most of the components of the operating system reside outside the kernel: things we would expect to be in a kernel are not in it anymore, so stuff like file systems, device drivers and networking stacks are all actually located outside of the kernel, and what you have is this really tiny microkernel, which has some benefits. The biggest one is higher reliability for the operating system, because there's less chance that a bug in the implementation causes a crash in your kernel and brings down the operating system; but it also provides what we call less room for hackers to hang on to, because there will be a smaller surface for them to target in the microkernel. That's why microkernel operating systems generally get a higher EAL from the NSA or other certification bodies. So that's the microkernel, but
how then, when you are putting all of these components outside of the kernel, on a microkernel, are they actually going to communicate and work together? What we have here is message passing. QNX specifically provides this functionality, rather like a network protocol, for communication; it's very similar to network communication. So what you have is this: an application in user space wants to communicate with, say, the file system. How does it do that? It sends a message to the microkernel, the microkernel passes it to the target application, let's say the file system, the file system responds, and this reply is then passed back to the application. So that's message passing, and the task of the microkernel is basically to forward these messages to the other components. One interesting thing about QNX specifically is that this architecture is combined with something called Qnet, which provides the functionality to have multiple microkernels running and talking with each other; so two QNX microkernels can, say, talk over the network, which can provide greater functionality. Besides
that, QNX also supports syscalls, but not as many as, for example, Linux, which has more than 300 syscalls; QNX has about 90. It also uses kernel calls, meaning that you can have the usual C functions in which you write your code, but here you are using a specific QNX compiler, and this compiler converts these C functions to message passing.
Regarding the memory layout: you have kernel space and user space, but the only thing which remains in kernel space is the microkernel itself, and basically everything else lives in user space, with a kernel/user-space separation. That means there's no possibility for processes to read each other's memory or touch each other, for example, because that is sensitive. So basically QNX provides private memory support via the memory management unit, and QNX also provides Unix-like process access control. Coming back to
QNX's memory layout: if you look at the user-space part there's not that much significant stuff that differs from other operating systems. You have the program image, a mapping of the microkernel, and then your shared objects or dynamic libraries, which are loaded by the dynamic linker. However, in kernel space what is interesting is that all of the addresses, basically the base address of the microkernel, start at a static location, and per CPU you have a different stack. So now let's look at the process
management. Process management is different: there's a process called procnto, which is basically the process manager; parts of it are located in the microkernel and other parts in user space. So the process manager is running as a real process, with PID 1, and it basically invokes the microkernel the same way other processes do; the only difference is that it has a flag which grants it ring 0 privilege in the microkernel. As I said before, it supports the usual POSIX calls, so spawn, fork, exec, all of them are provided. Also, as I said before, the executable format is ELF, but the interesting thing here is that if the file system is block-oriented the code and data are actually loaded into main memory, while otherwise they are memory-mapped, which is called execute in place; so multiple instances of the same process share memory. Also, QNX
provides some sandboxing: it provides the ability manager, which is something like Linux capabilities, so that you can obtain the capabilities before dropping root, and also restrict certain actions even for the root user. So if you want to block something, like a memory range or whatever, you name it, all of them exist. But the point here is that it depends on the system integrator how it is implemented; it's not a problem of the operating system but depends on the system integrator if and how they are going to use this functionality. But
it also supports the usual stuff from the perspective of user management, so you have /etc/passwd, /etc/shadow and /etc/group, and also the usual utilities; it also supports access control lists. As for the password hashing mechanism, QNX 6 by default uses SHA-512, but it has backwards compatibility with the DES and MD5 schemes, which are weaker; so if someone can obtain the password hashes, let's say from a file or a device, they might be able to crack them, and once somebody has cracked them, these have a long shelf life for attackers to use. Most of this is much better in QNX 7, and of course in patched QNX 6.6, where they are basically using SHA-512 as before. So, looking at the history of the
security research on QNX: most of the research was actually done by BlackBerry themselves, from 2011 to 2014, and there was also a very, very interesting talk in 2016 by Alex about interprocess communication, QNX PPS and kernel calls, which I recommend you watch. There are also various individual vulnerabilities from 2002 to 2008. But the most interesting part is the leaks from the CIA, named Vault 7, which showed that the US Central Intelligence Agency's embedded development branch was interested in targeting QNX, which they hadn't done yet in 2014 but did after that. So basically there was no prior work on exploit mitigations at all; this will be the first time anyone talks about it. Also on the PRNG part: last year we talked about the PRNG of QNX 6.6, but here I will talk about the kernel PRNG implementation of QNX 7 for its exploit mitigations. So, the PRNG.
Why are we looking at the PRNG? Because it actually has broader implications: it's the foundation of the wider cryptographic ecosystem, so stuff like SSH, SSL, all of them rely on it. Besides that, the exploit mitigations themselves are also affected by the PRNG's quality, as you'll see later; for example, ASLR and stack canaries are affected by the PRNG and its API.
As a recap, we talked about QNX 6.6 and its random number implementation last year. Basically the PRNG which was implemented there was based on Yarrow, but not the regular Yarrow, rather an older version of Yarrow, and there were some sketchy design issues. The biggest ones we talked about were, for example, a completely broken reseed control, or basically not having any reseed control, low-quality time-based entropy, and an entropy source selection which was left to the system integrators; and this shows some examples of tangible scenes where system integrators don't care about that and the operating system itself doesn't provide a proper PRNG. However, things got much
better in QNX 7 after our assessment, and they incorporated some of our suggestions. So right now they are actually using a Fortuna implementation, directly using new entropy sources, which I'll talk about later, and a proper reseed control mechanism, which didn't exist before, and basically it's quite a bit better. Still, that doesn't mean that everything is fine: there are still some design or implementation decisions which the system integrator has to make, and there can still be attack surface, but from the operating system side things are much better. So let's look at the
things that changed. You only have to look at the green parts, because those show what changed. First and foremost, to fix the problem of the time-based entropy, QNX 7 provides a seed source at boot time, which means that at boot time you can provide a random file which contains some entropy to the operating system, and later that seed gets used and can get updated. But the point is that the firmware actually has to provide it; the firmware has to define, for example, the seed. Besides that, there are also user-supplied sources of entropy, of which two different kinds can be provided. But the other part is still the weak seed source, using for example getuid and getpid, which are not at all random but completely static, and gettimeofday, which is not random either; the properly random one is the one based on the random function. Now regarding the QNX
7 kernel PRNG, which they newly introduced: it's implemented as a function in the microkernel and is used as the source for ASLR and stack canaries. So basically what you see here is that you have different sources of entropy, for example clock cycles, the PID, the current time in nanoseconds, also for example the kernel CPU time, and also some random seed which you can pass to the PRNG. These get passed to a SHA hash function, and the key idea is that the output is divided into 8 blocks: the first block will be used as a salt and the second block as the data, that is, the random value you get. Then there is an iteration: whenever you actually need a new random value, the position moves each time, from location 0 to 1 to 2 to 3 and so on, so each time the location from which the bytes are chosen changes. That's QNX 7's
kernel PRNG. Now on to the next part, the exploit mitigations; thank you. So let's start and take a look at the exploit mitigations.
Why take a look at exploit mitigations? Well, because the mitigations that we're used to in the popular operating systems like Windows, Linux and BSD didn't come falling from the sky, especially not in their current incarnations: there's a long history of weaknesses, bypasses and subsequent improvements, as you can see for example for Windows at the bottom of the slide. And because there's nothing like that for QNX, it's very fruitful ground for finding interesting stuff, which is why we took a look at it. So as of
QNX 6.5, as you can see in the table, there is support for data execution prevention, address space layout randomization, stack canaries and relocation read-only. But don't get too excited, because these are not enabled by default. So you might encounter a firmware image with a QNX that is fully up to date, but if the system integrator hasn't explicitly enabled support for all these mitigations in their toolchain, then you might just be exploiting like it's the nineties. You also shouldn't expect any support for advanced mitigations like vtable protections, control-flow integrity or kernel code and data isolation. So with that, let's start off with
data execution prevention. For those of you unfamiliar with it, it seeks to prevent the execution of injected payloads in data memory. Roughly speaking, you have two main architectural styles for CPUs: one is the Harvard one, with physically separate code and data memory, and the other is the von Neumann one, with shared program and data memory. In order to prevent the execution of injected payloads in data memory you effectively seek to emulate a Harvard architecture on a von Neumann one, and typically this is done, as on x86 and x86-64 at the bottom of the slide, with hardware support in the memory management unit: in a page table entry you have a specific bit, like the NX bit, which regulates the executability of that particular page. Now QNX does have support for
several of these NX-like flags: it has support for it on x86 and x86-64, it has support for it on ARM, it does not however have support for this feature on MIPS, and it has varying support on PowerPC. But the big problem with QNX is the fact that its defaults are insecure. The problem is that even if you have hardware support and you have a QNX version that supports DEP, the stack will still be left executable even if it doesn't need to be. So this is something to really check for when you encounter a QNX firmware image. What's more, the typical PT_GNU_STACK program header is ignored by the program loader, so regardless of your linker settings the stack will be executable. Now it's possible to make the stack non-executable by explicitly specifying a particular flag in the microkernel startup options, but the problem is that this is a system-wide setting: if you have executables which require an executable stack for legacy or backwards-compatibility reasons, they can no longer be included in these new firmware images. So even though we reported this and said this is just enough rope for a system integrator to hang themselves with, this issue is still present in QNX 6 and QNX 7, and this really is something to check for if you encounter a QNX firmware image. So the second mitigation is address space layout
randomization. Again for those unfamiliar with it: ASLR seeks to complicate code-reuse attacks like return-oriented programming by randomizing memory object addresses. In a typical exploitation flow, which you can see on the right of the slide, you find existing code to reuse as gadgets and snippets and chain them together, a bit like the ransom note at the top of the slide. ASLR seeks to prevent this by using randomness as a means towards the goal of memory layout secrecy: if you don't know where the various code fragments are in memory you can't chain them together to form a ROP payload, or at least that's the idea behind it. ASLR
on QNX is enabled by starting the microkernel with, again, a dedicated flag, which is not enabled by default. Child processes inherit their parent's ASLR settings, but it can be enabled or disabled on a per-process basis; so it's an opt-out scheme rather than an opt-in scheme, and you should go and look for mistakes like that. Memory objects are randomized at the base address level, so it's not a very fine-grained form of ASLR, but that goes for most ASLR versions. Most memory objects are randomized, except for kernel code addresses, and how terrible that is depends on your opinion of the usefulness of KASLR in general, so that's not the real problem here. One problem that is a problem in practice is the fact that PIE is disabled by default in the toolchain. That means that unless you explicitly enable it, all the binaries you compile, including the system binaries, won't have randomization of code memory; and if you look at all the firmware images of QNX in the wild you will find that in fact code memory is never actually randomized, which greatly reduces the usefulness of ASLR. So in order to learn how QNX ASLR
works under the hood, we reverse-engineered the memory manager of QNX, which you can see mapped out here. I'll save you all the details, but basically it comes down to the fact that all of it is underpinned mostly by calls to mmap in the microkernel, and there are two functions that actually regulate the randomization, marked in blue: the stack_randomize function on the left and the map_find_va function on the right. Both rely on the same random number generator, which we'll discuss later in this talk. The first
of these functions, map_find_va, among other things randomizes the virtual addresses which are returned by the mmap call, and it does this, as you can see on the right of the slide, by subtracting or adding a random value to the found virtual address. This random value is obtained by taking the lower 32 bits of the random number generator result, left-shifting them by 12 and then extracting the lower 24 bits. The problem already here is the fact that the application of this bitmask contributes at most 12 bits of entropy to any address randomized in this fashion, regardless of the quality of the PRNG in general, which is worse, as we'll see in a minute. The second of these functions,
stack_randomize, as the name says, randomizes stack start addresses when a stack is allocated, either when the process is started or when a new thread is created. It does this in the same fashion as the previous function, by subtracting a random value from the original stack pointer: it takes the lower 32 bits of the random number generator result, as you can see on the right of the slide, left-shifts them by 4 and then extracts at most the lower 11 bits, depending on the size of the allocated stack. Due to the bitmask this contributes again at most 7 bits of entropy, which is also worse in practice. It is mitigated a little bit because it is combined with the result of the previous function, since under the hood the stack is of course also allocated using mmap, but in practice this doesn't make much difference. While I
take a sip of water: these upper bounds are actually quite optimistic, because QNX 6 ASLR uses a very weak PRNG. You can't really call it a PRNG, because they directly use a source of entropy called ClockCycles, and as you can probably guess, it maintains and retrieves a 64-bit free-running cycle counter. The implementation of this is architecture-specific: on the right of the slide you can see that on x86 it will simply use the read-timestamp-counter instruction, on PowerPC it will use the time base facility, and there are various other architecture-specific options. The first
thing that springs to mind is the fact that if you want to guarantee memory layout secrecy using ASLR, you will also need to keep the internal state of the PRNG secret, because otherwise that might allow people to reproduce the ASLR outputs at a given point in time. Because there's no PRNG here but just the raw entropy source, that means that in this scenario ClockCycles would have to be a secret value, which of course it is not: it can be requested with unprivileged access, it's incorporated in a lot of different drivers and in network packets broadcast all over the network. So in theory you could mount a reconstruction attack, but that's overkill and kind of involved considering the
fact that it doesn't contribute a lot of entropy, and another approach is much more feasible for breaking it. So we measured various kinds of processes across different boot sessions and harvested the memory object addresses, then used the NIST entropy source testing tool to obtain a min-entropy estimate for all of these memory object addresses in different classes. Here it is good to realize that 256 bits of uniformly random data should correspond to 256 bits of min-entropy. We found that the average min-entropy of an mmap address in QNX 6 was 4.47 bits, with the lowest min-entropy being 3 bits for shared libraries and the highest 6 bits for the stack. This is very, very weak if you compare it to other 32-bit operating systems, as you can see on the right of the slide: for example mainline Linux varies between 8 bits and 19 bits of entropy, or for example Linux with PaX, where you vary between 6 bits and even 27 bits. Why is this a problem, you
might ask? This is a problem because of the potential for brute-forcing. If you have a typical networking daemon with a forking architecture, and let's say that upon every incoming connection you spawn a new child to handle this client connection, then fork will be called, and because of memory layout inheritance the child process will have a copy of the parent process memory layout, because fork is applied after ASLR has been applied. That means that the ASLR randomization is also copied to the child, and is static every time this child is spawned. Now an attacker trying to guess a certain address, for example a code address, might try an address and measure the response in whatever way, such as whether the child crashes, and as we saw they can then try the next address. Since there's not enough entropy in the randomization of these addresses they might succeed, either locally or remotely or both, within a reasonable timeframe in discovering the addresses needed to build the ROP chain. Does this work in practice, you
ask? Well, you can see on this slide that in fact it does. On the left you have a vulnerable service which runs on port 1337 and has a trivial stack buffer overflow; it has ASLR enabled, and on the right you can see it being remotely exploited over the network, brute-forcing ASLR in 23 seconds to pop a root shell. So yes, that works in practice. Of course
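The shift-and-mask steps described for map_find_va and stack_randomize, and the fork-based brute force just discussed, as an added example in C that is not part of the talk or of QNX. The two delta functions are a reconstruction of the steps as described (not QNX source); the program counts how many distinct offsets each can produce, then simulates a forking daemon whose children all inherit one fixed offset, so that a crash oracle lets an attacker step through the 4096 candidates. The daemon, the oracle and the generator value fed in are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Reconstruction of the two shift-and-mask steps described in the talk
 * (illustrative model, not QNX source). Only the low 32 bits of the
 * generator output are used, shifted left and then masked. */
#define VA_SHIFT    12
#define VA_MASK     0xFFFFFFu  /* lower 24 bits survive: 24 - 12 = 12 usable bits */
#define STACK_SHIFT 4
#define STACK_MASK  0x7FFu     /* lower 11 bits at most: 11 - 4 = 7 usable bits  */

static uint32_t va_delta(uint64_t rng_out)
{
    return ((uint32_t)rng_out << VA_SHIFT) & VA_MASK;
}

static uint32_t stack_delta(uint64_t rng_out)
{
    return ((uint32_t)rng_out << STACK_SHIFT) & STACK_MASK;
}

/* Exhaustively count the distinct deltas a (shift, mask) pair can yield.
 * Generator bits above the mask are discarded by the mask, so walking
 * 0..mask covers every possible output whatever the generator does. */
static uint32_t count_distinct(uint32_t (*delta)(uint64_t), uint32_t mask)
{
    uint8_t *seen = calloc((size_t)mask + 1, 1);
    uint32_t n = 0;
    if (!seen) return 0;
    for (uint64_t r = 0; r <= mask; r++) {
        uint32_t d = delta(r);
        if (!seen[d]) { seen[d] = 1; n++; }
    }
    free(seen);
    return n;
}

static unsigned bits_of(uint32_t n)   /* floor(log2(n)) */
{
    unsigned b = 0;
    while (n > 1) { n >>= 1; b++; }
    return b;
}

/* Forking daemon model: the parent chooses its layout once at start-up;
 * fork() copies that layout into every child, so the randomized delta
 * is the same for every connection. */
struct daemon { uint32_t secret_delta; };

/* Crash oracle: a wrong guess kills only the child, the parent keeps
 * accepting connections, so the attacker simply tries again. */
static int child_survives(const struct daemon *d, uint32_t guessed_delta)
{
    return guessed_delta == d->secret_delta;
}

/* Walk the 2^12 candidate deltas in order; returns the number of
 * connections needed, or 0 if no candidate matched. */
static uint32_t bruteforce_va(const struct daemon *d)
{
    uint32_t attempts = 0;
    for (uint32_t g = 0; g <= VA_MASK; g += 1u << VA_SHIFT) {
        attempts++;
        if (child_survives(d, g)) return attempts;
    }
    return 0;
}

/* Constructed generator output standing in for the real one. */
#define DEMO_RNG_OUT 0xDEADBEEFCAFEBABEull

static uint32_t demo_attempts(void)
{
    struct daemon d = { va_delta(DEMO_RNG_OUT) };
    return bruteforce_va(&d);
}

int main(void)
{
    uint32_t va = count_distinct(va_delta, VA_MASK);
    uint32_t st = count_distinct(stack_delta, STACK_MASK);
    printf("mmap delta:  %u distinct values = %u bits\n", va, bits_of(va));
    printf("stack delta: %u distinct values = %u bits\n", st, bits_of(st));
    printf("child layout found after %u connections (worst case %u)\n",
           demo_attempts(), va);
    return 0;
}
```

Whatever the generator feeding these functions, the mask caps the mmap delta at 4096 values and the stack delta at 128; with fork inheritance the attacker never needs more than one connection per candidate.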
brute-forcing ASLR is interesting, but memory information leaks are even more interesting. Typically you find an information leak in the application you're targeting, or you craft one from a flexible enough vulnerability, but it's nicer, especially for local vulnerabilities, to have a system-wide information leak. In this case I will discuss two, but there are many, many more of this kind in QNX. The first information leak we discovered is the procfs information leak, and this basically works by relying on the fact that QNX, like many Unix-like operating systems, has a process file system with dedicated entries for each running process on the system, and by interacting with these entries using the devctl API we can request information like register values, stack addresses or the general memory-mapping layout, as you can see on the slide. Conveniently, these entries are world-readable regardless of privileges or whatever, so that makes it very easy to
write a very simple application which, across privilege boundaries, as a low-privileged user, discloses the memory layout of the microkernel. On the right you can see that this is made even more convenient by the fact that a lot of QNX releases include the pidin utility, which incorporates this functionality by default. So even if you can't write your own application and drop it on the system to exploit this information leak, you might just be in luck and find this utility there to do it for you. The second information leak we found
resides in the LD_DEBUG environment variable. This is an environment variable which allows you to specify various requests for debugging information; if you specify the 'all' option, it will give you a lot of debug information, among which the addresses of all shared libraries. The interesting thing is that on, for example, Linux or BSD this option has privilege checking: if you try to do this for a setuid binary and you're not the root user, it will not output that information. But on QNX no such checks are present, and it leaks this information across privilege boundaries, which makes exploiting setuid binaries that much easier.
So after we reported some of this stuff they made improvements in QNX 7. QNX 7 now still has ASLR disabled by default, there's no KASLR, but they do use the new kernel PRNG that was just discussed, and that's good. But it doesn't make QNX 7 ASLR much stronger, despite the new PRNG and despite the fact that they have a 64-bit address space, because they forgot to remove the bitmasks applied in the randomization functions. As a result you still have a theoretical upper bound of 7 bits of entropy for stack addresses and 12 bits for the various virtual memory addresses, or most of them, as they are allocated with mmap. Another interesting thing to note, which you can see on the right of the slide, is the fact that code memory is mostly loaded in the lower 32 bits of the address space, which also greatly reduces the potential effectiveness of ASLR on a 64-bit operating system. And
they did fix the LD_DEBUG information leak, but unfortunately for defenders and fortunately for attackers they did not completely fix the procfs one. As you can see, in QNX 7, while you can no longer use the pidin utility, if you just write your own application, compile it and interact directly with the procfs entries, you can still disclose this information across privilege boundaries. So this information leak is still there to use.
But the next mitigation I'd like to discuss is stack canaries, which protect against traditional linear stack buffer overflows, which are much more interesting on embedded systems than they should be. For people unfamiliar with it, it basically works as follows: you generate a master canary value using a random number generator, and you keep it secret, and you insert it between the local variables, like a local data buffer, and the saved return address on the stack, and ideally also other stack data like other variables. So when an attacker overwrites the saved return address, traditionally upon return of the function you'd hijack control flow; but here, first the saved canary is checked against the master canary, and if a mismatch is detected, instead of returning to the saved return address you invoke a violation handler and thus prevent control-flow hijacking. Now
QNX uses the GCC stack smashing protector implementation of stack canaries, so on the compiler side it's what we're used to on mainline Linux or BSD for example, and that's mostly OK. But on the operating system side of the implementation it's all custom, and that's where the problems start. The master canary is generated at program startup when libc is loaded; typically, in the GCC implementation, libc uses a __guard_setup function to regulate this. On various platforms they sometimes have differing implementations, but it's mostly the same on Linux, for example. QNX however uses a custom __init_cookies function, and that's where the problem lies, because
again it uses a weak random number generator: it draws entropy from three sources, as you can see at the bottom of the slide. It uses again ClockCycles, and combines this with a local stack variable address and the address of the function itself. Now these last two only contribute any entropy if ASLR is enabled, and again, even if ASLR is enabled, their entropy relies on ClockCycles as well. So we decided to
evaluate the can min-entropy across 3 configurations without any is a lot of with a Islamic but with our position independent executables and with a is along with position-dependent executables and found min-entropy on average of the calories to be 7 . 7 9 bits and a lot had no noticeable influence here this is less than ideal because using a a spear and g they should have had at least 24 bits of min entropy if like in this case the include 1 null bytes in the 32 bit cannery or if the use of a full generator should have 32 bits of entropy and again this is a problem because of brute-forcing attacks against countries improve space however the problems are even worse because the microkernel is neither loaded nor linked against which see so the master cannery in the kernel cannot be generated by the standard cookies function so they should have implemented a master gunnery generation function in a kernel but they forgot to do this so the microkernel protected across various functions using stack entries but the 2nd reason never actually initialize and so they're always 0 which kind of defeats the purpose of having 2nd reason the first one
now we reported these issues to uh to tube-like very and now enabled by by default they also generated should 64 bit canneries on 64 bit operating system and for user generates mixing and Alf auxiliary-vector value these are best practice suggestions by taking a 64 bit random number generator value from the girdle appearing G and transporting it to the user space process to mixing with the unit cookie stuff and the kernel space QNX now concatenates to 32 bit kernel Perón G values during very early boot and creates a country out of that so basically canneries at least fully fixed now that's good news for
offenders please and that brings us to the final litigation relocation really only or our 0 and the way this works you can see on the right of the slide is that dynamically linked binaries use relocation to do runtime lookup of symbols and shared libraries so if you have a function during runtime and you have it in a shared library when she had that function it will be looked up and the address will be stored in the global offset there now for obvious reasons this relocation data as a popular target for overriding to hide Contel mostly because these are the system to be static regardless of of a lot and and because of the fact obviously that once the contraflow hits that particular function then you can hide to control flow In order to mitigate this partial role was invented which works by reordering the ELV internal data sections and they can then proceed to the program data sections and then making them read only after relocations have been done so attackers during runtime can no longer override these entries now the problem here is because of something called lazy binding lazy binding means that most of these symbols will be looked up at program load time but during program run time and as a result the global offset table will remain writable during runtime now now you'll have to relocate and or have to relocate you have to make sure that this does not happen how did you do that they do it by disabling lines lazy binding in the making the built the got read-only at program start
they implement the different Unix 6 and that's that's very nice but the problem is that the implementation turned out to be broken so as you can see on the left is what it looks like and that and what it should look like there you have all the internal data sections precede program data sections and are covered by the CNO ro row segment and made read-only right on the right yeah the QNX 6 . 6 implementation for the same application we can see that only some of the internal data sections precede the program data section and a global offset table which is the most interesting of the overriding targets actually does not precede the program data section was a result it's not covered by the read-only segment and regardless of your settings in your linker you will be left vulnerable to visit back even if Romo has been enable the root cause of this is the fact that they did not do proper linker section reorder in
practice it looks like this on the left again you have deviance full row enabled and you can no longer right to global offset table entries on right of QNX full row row enabled and you can write to global off the table entries so that's a broken mitigation right there on top of
that we also found a local by fast for our own again the LD debug environment variable turns out to have an undocumented function called in Boston which allows us to disable row for whatever reason without any privilege checks whatsoever and this is very nice of course for exploiting vulnerable set UID binaries measures saw on 1 of the 1st flight there are a lot of these in the history of QNX so this is actually very nice in practice on both of these issues were reported to black bearing on fix would benches for Punic 6 . 6 and unique 7 so that's good news that brings us to the final remarks also
we disclosed all of the issues we discuss today to tube-like very most of these issues of fixing given 7 patches are available for of some of these issues and unique 6 . 6 she can see the on the link in the bottom of the table that's displayed a word of warning go to to both defenders and attackers most of these batches will take a long time to filter down to the original equipment manufacturers and the end users especially for deeply embedded systems which might be a couple of of minor release versions of Unix behind left up to grade all the way to QNX 6 . 6 and then applied batches of the firmware updates so these issues might be encountered for a long time in the wild concluding are most of the
medications turned out to be OK on the toolchain side but that's mostly because they relied in GCC where the problems were really found and this is not just a QNX thing but this is generally an embedded thing is on the operating systems why is this the case because cannot benefit directly from any work that's done in general purpose operating system security because it cannot be easily ported one-to-one from Y and X be is the your windows to QNX because of a very different architectural 1 lineage and result this home-brewed DIY mitigations which turn out to be not as good as you want them to be what's also really evident if you look at these issues and another vulnerabilities that you find here is the lack of prior attention by security researchers a lot of vulnerabilities feel like the from the early 2 thousands and the information leaks are really evident of this and again as a word of warning to many people and added random number generator design remains difficult and many of the entropy issues in the Embedded World of lack of proper entropy sources mean that the design burden is often placed on the system integrators regardless of the good intentions of operating system designers but on a more positive finishing nodes tunics at least attempts to keep up a general-purpose operating circuits security which is more than can be said of most embedded operating system vendors at which don't have any X 1 mitigations whatsoever as discussed in my talk at this year's hardware up I O conference and had a very quick and extensive offender response sometimes directly integrating or feedback into a and you go to and now as a finishing noted really like to call for more attention to embedded operating system security in general if we ever want to hold on to the standards will hold on laptops and desktops servers and smartphones to which we should for things that are deploying cars critical infrastructure military systems they could also look forward to more Punic stuff and 
the future from us and reckoned Brussels of fans of common black cat and infiltrated so with
that person questions of like taken them bit phone thank you highly above the upper body and if that the now we have some time for Q and a and you can just line up on the microphones here here here and back there and I got 1 and Mike 5 will start with you probably the very 1st to use and then come expectation work next I feel a bit left of the monitor slides order was not my intention what is your name or nickname the thanks and the any any other questions the I of ideas and for the machine where the stack Kerry wasn't and set properly for the kernel was an issue was set up at all or where something like it wasn't persisted or all reclaimed add like for local storage guassian actually placed in the spot for it on the stack this so the problem is that I do we implemented it is they had no initialization routine at all for the master Canada so all references to the gallery all across a microkernel but it was never actually initialize them because the microkernel and secondary was located in the users which was initialized all zeros in very early good that means that it was predictably 0 all the time you know they use they would never initialized it so it's very prudent for the yeah the anybody else with questions don't be shy 1 and long time if there aren't any questions left right what you very much for all of the the war what was it that
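The canary min-entropy evaluation described in the talk (7.79 bits measured against an expected 24 bits for a 32-bit canary with one null byte, and the never-initialised, always-zero kernel canary) can be reproduced offline on any set of observed canary values. The following is an added example in Python and is not code from the talk, from QNX or from BlackBerry; the three sample sets it builds are constructed to mirror those cases, not measurements from a real system, and the function names are my own.

```python
"""Estimate stack-canary min-entropy from observed canary values.

Added example; not code from the talk, QNX or BlackBerry. The canary
samples in constructed_samples() are constructed, not real measurements.
"""
import math
import random
from collections import Counter


def min_entropy_bits(samples):
    """Min-entropy H_inf = -log2(max_x Pr[x]), estimated from sample frequencies."""
    if not samples:
        raise ValueError("need at least one sample")
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def per_byte_min_entropy(samples, width):
    """Min-entropy of each byte position separately (little-endian byte order).

    A byte that never changes (e.g. the deliberate null terminator byte,
    or every byte of an uninitialised canary) shows up as 0 bits here.
    """
    return [min_entropy_bits([(v >> (8 * i)) & 0xFF for v in samples])
            for i in range(width)]


def assess_canaries(samples, width=4, null_bytes=1):
    """Compare observed min-entropy with what a CSPRNG-backed canary should give.

    The whole-value estimate can never exceed log2(len(samples)), so for a
    healthy 24-bit canary it is the per-byte estimates (close to 8 for each
    random byte, 0 for the null byte) that show whether the generator is sound.
    """
    observed = min_entropy_bits(samples)
    return {
        "observed_bits": observed,
        "sample_cap_bits": math.log2(len(samples)),   # hard ceiling of this estimate
        "expected_bits": 8 * (width - null_bytes),     # 24 for a 32-bit canary with one null byte
        "per_byte_bits": per_byte_min_entropy(samples, width),
        "constant": len(set(samples)) == 1,            # the never-initialised kernel canary case
    }


def constructed_samples():
    """Constructed canary sample sets (not real QNX measurements)."""
    # Weak generator: only the second byte varies, over 8 values -> 3 bits of min-entropy.
    weak = [0x7F3A1000 + ((i % 8) << 8) for i in range(4000)]
    # Kernel case from the talk: the canary is never initialised, so it is always zero.
    zero = [0] * 1000
    # Healthy: 24 random bits plus a fixed low null byte, deterministic seed for repeatability.
    rng = random.Random(1234)
    healthy = [rng.getrandbits(24) << 8 for _ in range(4096)]
    return {"weak": weak, "zero": zero, "healthy": healthy}


if __name__ == "__main__":
    for name, s in constructed_samples().items():
        print(name, assess_canaries(s))
```

Feed `assess_canaries` with canary values harvested from repeated runs of a test binary on the target; a whole-value estimate that stays far below `sample_cap_bits` as the sample grows, or per-byte estimates well under 8 bits for the non-null bytes, is the signature of a weak seed source such as the clock-cycle counter described in the talk.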
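The RELRO layout check the speaker describes (the GOT has to sit inside the GNU_RELRO segment, and lazy binding has to be disabled before "full RELRO" is really in effect) can be verified directly on a binary rather than trusted from the linker flags. The following is an added example in Python and is not code from the talk, from QNX or from BlackBerry: it parses ELF32/ELF64 program and section headers with the standard library only. The constants (PT_GNU_RELRO, DT_BIND_NOW, DF_BIND_NOW, DF_1_NOW, section names .got and .got.plt) are standard ELF/GNU values; the labels "none", "partial", "full" and "broken" are my own classification, where "broken" is the QNX 6.6 situation from the talk: BIND_NOW requested, RELRO segment present, GOT still outside it.

```python
"""Report whether an ELF binary's GOT is really protected by RELRO.

Added example; not code from the talk, QNX or BlackBerry. Standard-library only.
"""
import struct
import sys

PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8     # DT_FLAGS bit
DF_1_NOW = 0x1        # DT_FLAGS_1 bit


def parse_elf(data):
    """Return (program headers, sections, dynamic tags) from raw ELF bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    e = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little endian
    if is64:
        hdr = struct.unpack_from(e + "QQIHHHHHH", data, 0x20)
        ph_fmt, sh_fmt, dyn_fmt = "IIQQQQQQ", "IIQQQQIIQQ", "qQ"
    else:
        hdr = struct.unpack_from(e + "IIIHHHHHH", data, 0x1C)
        ph_fmt, sh_fmt, dyn_fmt = "IIIIIIII", "IIIIIIIIII", "iI"
    e_phoff, e_shoff, _, _, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx = hdr

    phdrs = []
    for i in range(e_phnum):
        f = struct.unpack_from(e + ph_fmt, data, e_phoff + i * e_phentsize)
        if is64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, _, p_off, p_vaddr, _, p_filesz, p_memsz, _ = f
        else:      # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, p_off, p_vaddr, _, p_filesz, p_memsz, _, _ = f
        phdrs.append({"type": p_type, "offset": p_off, "vaddr": p_vaddr,
                      "filesz": p_filesz, "memsz": p_memsz})

    # Section headers: sh_name=0, sh_addr=3, sh_offset=4, sh_size=5 in both layouts.
    raw = [struct.unpack_from(e + sh_fmt, data, e_shoff + i * e_shentsize)
           for i in range(e_shnum)]
    sections = []
    if raw:
        strtab_off = raw[e_shstrndx][4]
        for sh in raw:
            start = strtab_off + sh[0]
            name = data[start:data.index(b"\0", start)].decode("ascii", "replace")
            sections.append({"name": name, "addr": sh[3], "size": sh[5]})

    dyn_tags = {}
    for p in phdrs:
        if p["type"] == PT_DYNAMIC:
            entsize = struct.calcsize(e + dyn_fmt)
            for off in range(p["offset"], p["offset"] + p["filesz"], entsize):
                tag, val = struct.unpack_from(e + dyn_fmt, data, off)
                if tag == DT_NULL:
                    break
                dyn_tags[tag] = val
    return phdrs, sections, dyn_tags


def relro_report(phdrs, sections, dyn_tags):
    """Classify RELRO state from parsed headers (dicts as produced by parse_elf)."""
    relro = [p for p in phdrs if p["type"] == PT_GNU_RELRO]
    bind_now = bool(DT_BIND_NOW in dyn_tags
                    or dyn_tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn_tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    got = [s for s in sections if s["name"] in (".got", ".got.plt")]
    uncovered = [s["name"] for s in got]          # nothing is covered without a RELRO segment
    if relro:
        lo, hi = relro[0]["vaddr"], relro[0]["vaddr"] + relro[0]["memsz"]
        uncovered = [s["name"] for s in got
                     if not (lo <= s["addr"] and s["addr"] + s["size"] <= hi)]
    if not relro:
        level = "none"
    elif bind_now and not uncovered:
        level = "full"                            # the Debian picture from the talk
    elif not bind_now and ".got" not in uncovered:
        level = "partial"                         # lazy binding keeps .got.plt writable
    else:
        level = "broken"                          # RELRO requested, GOT still writable
    return {"has_relro_segment": bool(relro), "bind_now": bind_now,
            "got_covered": not uncovered, "uncovered": uncovered, "level": level}


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(relro_report(*parse_elf(fh.read())))
```

Run it against the same binary built with and without `-z relro -z now`; a result of `"broken"` with `".got"` listed under `uncovered` is exactly the section-ordering defect the talk shows for QNX 6.6, and is something a build pipeline can assert on for every shipped binary.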
Metadata

Formal metadata

Title: Taking a scalpel to QNX
Subtitle: Analyzing & Breaking Exploit Mitigations and Secure Random Number Generators on QNX 6.6 and 7.0
Series title: 34th Chaos Communication Congress
Authors: Wetzels, Jos; Abbasi, Ali
License: CC Attribution 4.0 International: You may use, modify, reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
DOI: 10.5446/34935
Publisher: Chaos Computer Club e.V.
Year of publication: 2017
Language: English

Content metadata

Subject area: Computer science
Abstract: In this talk we will present a deep-dive analysis of the anatomy of QNX: a proprietary, real-time operating system aimed at the embedded market used in many sensitive and critical systems, particularly within the automotive industry. We will present the first reverse-engineering and analysis of the exploit mitigations, secure random number generators and memory management internals of QNX versions up to and including 6.6 and the brand new 64-bit QNX 7.0 (released in March 2017) and uncover a variety of design issues and vulnerabilities.
Keywords: Security