I can't process this Supermicro story yet bloomberg.com/news/features/20

Queue "we told you so!" brigade.. been agonizing over supply-chain issues for years, but that doesn't make this easier for me to process

Timing of "apple kicking SM from their DCs over BMC security issues" rumours ages ago; nasdaq delisting... if this is BS, that's amazing propaganda effort that I also can't process

Stop saying RSS is dead people. I'm literally using it to read your shitty article about how it's dead

I meant to say multiple redundant digital+mechanical pathways to detect/trigger shutdowns...

That's not to say ICS security isn't terrible, or that explosions are impossible, but breathless reporting that ICS vulns = explosions probably need to be considered in context, and the context for regulated/dangerous industries is that it *SHOULD* take multiple problems to make explosions happen..

In the set of conditions that lead to explosion at a gas plant, I may be out of touch (only saw older stuff designed at a time perhaps less trusting of digital systems), but I'd be surprised if modern plants protected them with just "lol ok a single fieldbus sensor value + dumb threshold processed by a single PLC into a single solenoid is good enough here". On the few I saw, it was multiple redundant digital+electronic pathways to detect+trigger shutdowns for anything that could kill/explode.

I know some do, but how many self-proclaimed ICS security researchers have actually spoken to safety engineers that design safety-critical systems, have pitched scenarios at them and found holes in their designs that an ICS vulnerability might exploit? Or have seen control-systems schematics (different to electrical schematic!) of Eg. gas plants where things can explode?

@ed1conf @florian It's greatly reduced, but not completely eliminated on x86. I'm not an expert though. 😅

Todd Mortimer has made significant headway toward reducing the amount of useful ROP gadgets on x86 too. But made especially difficult by polymorphic instructions, x86 being a variable length ISA. ARM64, by comparison, being fixed-length.

I'd highly recommend reading his mailing list post, and commit messages. He's also giving a talk at #EuroBSDCon 2018!

2018.eurobsdcon.org/talks-spea

There's something about applying signal processing methods to offensive computing that deeply appeals to me, which is bizarre given that I hated my DSP subjects at university and my lack of engagement with them has always been one of my greatest regrets reflecting on my time as a student :)

Had an idea that might make an interesting PoC||GTFO submission but seems subject to export control. Luckily it's already written up in a 2009 paper. Related variants already out there but if code is published prior to submission that should satisfy public domain exceptions?

Anyway main point is to educate some netadmins who still seem to think they can skimp on endpoint hardening/monitoring because they've got NSMs etc. But I guess the world already has enough examples of why that's wrong.

"No Security Without Time Protection: We Need a New Hardware-Software Contract" - ts.data61.csiro.au/publication

"..requires that operating systems provide time protection, in addition to the established memory protection. We propose OS mechanisms. time protection, and define requirements on the hardware to enable them. We demonstrate that present.. processors do not meet these requirements, making them inherently insecure. We argue the need for a new security-oriented hardware-software contract.."

Listening to Orbital for a bit, re-arranging (personal) computing infra. It occurs to me I don't usually share musical interests: there was a long time where I effectively lived in my own world of random midi/chiptunes/modfiles I found lying around the internet for music, a collection nobody I knew could recognize. So I never really talked about music. Not on purpose; just didn't have a good enough PC for .mp3 for ages, which constrained my listening, and for a long time afterward too.

This is obviously reminiscent of ASLR and friends, but I just wish web folks would Just Turn on the Damn Taint Mode They Already Have Already. At least in perl/ruby. I wonder what the set of bugs that taint mode misses but this polyverse thing catches looks like. I also worry about making web folks feeling like they can keep safely doing eval, runtime reflection/"meta-programming" based on user input, etc.

"Introducing Polyscripting  the beginning of the end of code injection" - blog.polyverse.io/introducing-

"Polyscripting aims to dethrone code injection [..] by making the central component of code injection impossible
[..]
By taking a vulnerable server-side language [..] scrambling the interpreter’s source code as well as your program files, [..] generates a unique instance of that language. A language that behaves and acts just like php  but understands and looks like something completely different."

"ASLR PROTECTION FOR STATICALLY LINKED EXECUTABLES" - leviathansecurity.com/blog/asl

This paper provides insights into the more obscure security weaknesses of statically linked executables, including, but not limited to, the following:

- the glibc initialization code [..]
- what the attack surface looks like [..]
- why mitigations such as RELRO and ASLR are [..] important for statically linked executables
- [..] that static linking disables important security mitigations [..]

"The State of ASLR on Android Lollipop: Investigating the state of ASLR on Android, how Zygote breaks it, and how we fixed it in our ROM." copperhead.co/blog/2015/05/11/

.. consequence of zygote spawning model is .. shared ASLR bases across [apps] & most services.. defeats ASLR as a local security mechanism between processes of different privilege levels & severely weakens it against remote attackers. [infoleak] in one [app] gives away ASLR bases for others & bases remain constant across executions..

"Identifying & addressing challenges in embedded binary security" jbisa.nl/download/?id=17715564

"..IoT.. This thesis focuses on binary security, the exploitation and mitigation of memory corruption vulnerabilities. We look at the state of embedded.. quantitative and qualitative analysis and identify several gap areas and show embedded binary security to lag behind the general purpose world.. we designed, implemented and evaluated µArmor : an exploit mitigation baseline for deeply embedded systems."

"Push-Button Verification of File Systems via Crash Refinement" usenix.org/conference/osdi16/t

... Yggdrasil, a toolkit for writing file systems with push-button verification: Yggdrasil requires no manual annotations or proofs about the implementation code, and it produces a counterexample if there is a bug. Yggdrasil achieves this ... through ... crash refinement, which requires the set of possible disk states produced by an implementation ... to be a subset of those allowed by the specification.

Show more
Mastodon

Follow friends and discover new ones. Publish anything you want: links, pictures, text, video. This server is run by the main developers of the Mastodon project. Everyone is welcome as long as you follow our code of conduct!