Twitter | Pretraživanje | |
Jeremy Boone
Embedded systems bug hunter @ NCC Group
1.872
Tweetovi
413
Pratim
612
Osobe koje vas prate
Tweetovi
Jeremy Boone 24 h
Yeah. Sorry for confusion. If the electronics are exposed on the outside of the door, it may be possible to tamper with them after opening the plastics. But it'd be time consuming and you're better off just kicking it in or picking the lock.
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 24 h
Yeah for a door lock the threat model is different than, say, a mobile device that has a fingerprint sensor. You don't "lose" your door lock.
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 4. velj
Odgovor korisniku/ci @colinoflynn @FauthNiklas
Match-on-host is possibly slightly better, assuming the host can authenticate the STM32 to prove it is legitimate, and that the bus is encrypted+MAC'd. Still, any cryptographic identities or secrets may be extracted with an RDP downgrade.
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 4. velj
Odgovor korisniku/ci @colinoflynn @FauthNiklas
STM32 is a bad choice for match-on-chip implementations. The RDP downgrade attacks make it possible to tamper with the enrolled fingerprint template, or replace the firmware with a variant that accepts all fingerprints.
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 29. sij
Odgovor korisniku/ci @ajmalton
It tried to use a default password in an http basic auth header in order to issue a request that executed a shell command that downloaded, and executed the above payload.
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 29. sij
Stood up a webserver for literally 30 seconds to mess around with something and got pinged by a bot trying to download this Mirai payload: http://82.223.101.182/.t/80/arm7
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 26. sij
Odgovor korisniku/ci @intoverflow @pedrib1337 i 2 ostali
if you assume all regs are potentially malicious, wouldn't that produce a large number of FPs?
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 26. sij
Odgovor korisniku/ci @intoverflow @pedrib1337 i 4 ostali
Hmmm... well thats like comparing apples and orange. SiFive has the advantage of having very little legacy complexity. I guess we can agree on that :)
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 26. sij
Odgovor korisniku/ci @intoverflow @pedrib1337 i 2 ostali
I guess my point is: ioread(0x<reg>); <-- how can a FM tool know whether the data read from any reg is attacker controlled?
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 26. sij
Odgovor korisniku/ci @intoverflow @pedrib1337 i 2 ostali
... and this only refers to input verification. There are other classes of bugs that many formal methods would struggle with. Ex: confused deputy problems require insight into the responsibilities of the deputy, which is something that may be encoded in hardware not software.
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 26. sij
Odgovor korisniku/ci @intoverflow @pedrib1337 i 2 ostali
The problem is that an FM tool can't divine the purpose of 10k's of peripheral regs, and how those regs are used to xfer data between sw and hw IPs, and whether any of that data can be trusted. This is where humans must train the tools.
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 26. sij
Odgovor korisniku/ci @_markel___ @pedrib1337 @XenoKovah
Also, i would be surprised if any large company did not already use SAST products that support custom modeling (coverity, klocwork, fortify). I think there's room for both. Use SAST for low hanging fruit, use skilled ppl to find new classes of vulns, then automate their detection
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 1. sij
Odgovor korisniku/ci @cybergibbons
What do you mean: other examples of bugs related to usb control transfers, or different bootrom vuln classes? There are many examples of both.
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 26. pro
Odgovor korisniku/ci @cybergibbons
Like most peripherals in an embedded system, the chipset vendor develops/signs the firmware. The OEM merely distributes the firmware update package. Many TPM vendors base their code on this reference implementation:
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 22. pro
Odgovor korisniku/ci @dyn___ @ericevenchick @0xcharlie
Too expensive to buy a car for research purposes. Therefore much of the security work is done by contract, e.g. consulting. There are lots of automotive security experts who own cars every day, but can't publish because it's paid work for a client.
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 22. pro
Odgovor korisniku/ci @cybergibbons
I would argue that if BL2 is not authenticated then the device doesn't truly implement secure boot.
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 7. pro
Odgovor korisniku/ci @0xda9e01
Nice. Its certainly non-trivial to interpose the bus. Any plans on releasing the tooling?
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone proslijedio/la je tweet
Ella Dawson 6. pro
Here's some of the best advice I got when I became a manager last year! It's simple, but considering most people receive no management training whatsoever these days, it's better than nothing. Thread!
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone 6. pro
Odgovor korisniku/ci @kkamagui1 @BlackHatEvents
Awesome vulnerability and research.
Reply Retweet Označi sa "sviđa mi se"
Jeremy Boone proslijedio/la je tweet
Yaah 🦀 ☕ 27. stu
GNU project code of conducts be like
Reply Retweet Označi sa "sviđa mi se"