I meant to say multiple redundant digital+mechanical pathways to detect/trigger shutdowns...

That's not to say ICS security isn't terrible, or that explosions are impossible, but breathless reporting that ICS vulns = explosions probably needs to be considered in context, and the context for regulated/dangerous industries is that it *SHOULD* take multiple problems to make explosions happen..

In the set of conditions that lead to explosion at a gas plant, I may be out of touch (only saw older stuff designed at a time perhaps less trusting of digital systems), but I'd be surprised if modern plants protected them with just "lol ok a single fieldbus sensor value + dumb threshold processed by a single PLC into a single solenoid is good enough here". On the few I saw, it was multiple redundant digital+electronic pathways to detect+trigger shutdowns for anything that could kill/explode.

I know some do, but how many self-proclaimed ICS security researchers have actually spoken to safety engineers that design safety-critical systems, have pitched scenarios at them and found holes in their designs that an ICS vulnerability might exploit? Or have seen control-systems schematics (different to electrical schematic!) of e.g. gas plants where things can explode?

@ed1conf @florian It's greatly reduced, but not completely eliminated on x86. I'm not an expert though. 😅

Todd Mortimer has made significant headway toward reducing the amount of useful ROP gadgets on x86 too. But made especially difficult by polymorphic instructions, x86 being a variable length ISA. ARM64, by comparison, being fixed-length.

I'd highly recommend reading his mailing list post, and commit messages. He's also giving a talk at #EuroBSDCon 2018!

There's something about applying signal processing methods to offensive computing that deeply appeals to me, which is bizarre given that I hated my DSP subjects at university and my lack of engagement with them has always been one of my greatest regrets reflecting on my time as a student :)

Had an idea that might make an interesting PoC||GTFO submission but seems subject to export control. Luckily it's already written up in a 2009 paper. Related variants already out there but if code is published prior to submission that should satisfy public domain exceptions?

Anyway main point is to educate some netadmins who still seem to think they can skimp on endpoint hardening/monitoring because they've got NSMs etc. But I guess the world already has enough examples of why that's wrong.

"No Security Without Time Protection: We Need a New Hardware-Software Contract" -

"..requires that operating systems provide time protection, in addition to the established memory protection. We propose OS mechanisms. time protection, and define requirements on the hardware to enable them. We demonstrate that present.. processors do not meet these requirements, making them inherently insecure. We argue the need for a new security-oriented hardware-software contract.."

Listening to Orbital for a bit, re-arranging (personal) computing infra. It occurs to me I don't usually share musical interests: there was a long time where I effectively lived in my own world of random midi/chiptunes/modfiles I found lying around the internet for music, a collection nobody I knew could recognize. So I never really talked about music. Not on purpose; just didn't have a good enough PC for .mp3 for ages, which constrained my listening, and for a long time afterward too.

This is obviously reminiscent of ASLR and friends, but I just wish web folks would Just Turn on the Damn Taint Mode They Already Have Already. At least in perl/ruby. I wonder what the set of bugs that taint mode misses but this polyverse thing catches looks like. I also worry about making web folks feel like they can keep safely doing eval, runtime reflection/"meta-programming" based on user input, etc.

"Introducing Polyscripting - the beginning of the end of code injection" -

"Polyscripting aims to dethrone code injection [..] by making the central component of code injection impossible
By taking a vulnerable server-side language [..] scrambling the interpreter’s source code as well as your program files, [..] generates a unique instance of that language. A language that behaves and acts just like php - but understands and looks like something completely different."


This paper provides insights into the more obscure security weaknesses of statically linked executables, including, but not limited to, the following:

- the glibc initialization code [..]
- what the attack surface looks like [..]
- why mitigations such as RELRO and ASLR are [..] important for statically linked executables
- [..] that static linking disables important security mitigations [..]

"The State of ASLR on Android Lollipop: Investigating the state of ASLR on Android, how Zygote breaks it, and how we fixed it in our ROM."

.. consequence of zygote spawning model is .. shared ASLR bases across [apps] & most services.. defeats ASLR as a local security mechanism between processes of different privilege levels & severely weakens it against remote attackers. [infoleak] in one [app] gives away ASLR bases for others & bases remain constant across executions..

"Identifying & addressing challenges in embedded binary security"

"..IoT.. This thesis focuses on binary security, the exploitation and mitigation of memory corruption vulnerabilities. We look at the state of embedded.. quantitative and qualitative analysis and identify several gap areas and show embedded binary security to lag behind the general purpose world.. we designed, implemented and evaluated µArmor : an exploit mitigation baseline for deeply embedded systems."

"Push-Button Verification of File Systems via Crash Refinement"

... Yggdrasil, a toolkit for writing file systems with push-button verification: Yggdrasil requires no manual annotations or proofs about the implementation code, and it produces a counterexample if there is a bug. Yggdrasil achieves this ... through ... crash refinement, which requires the set of possible disk states produced by an implementation ... to be a subset of those allowed by the specification.

"Instructions and tools to boot Xen in UEFI mode with TPM measurements of Xen and dom0" Tamas K Lengyel -

> This repository contains tools and instructions for installing Xen and dom0 with UEFI/SecureBoot + Intel TXT such that all critical components of Xen and the dom0 kernel get SecureBoot verified and measured into the TPM. The setup described here combines a full SRTM chain with DRTM measurements at the end.

My BSidesCBR 2018 talk slides + notes:


Due to a series of unfortunate events - each my own fault, amplifying the next due to escalating sleep deprivation - the actual talk I delivered wasn't what I had envisaged (even the slides I'm sharing here aren't what I had prepared).

I'll try to salvage it into an extended blog post of some kind.

On the bright side, the Hardware Hacking Village was a decent success - so not all was lost :)
