SlideShare une entreprise Scribd logo

44CON London - Attacking VxWorks: from Stone Age to Interstellar

44CON
44CON

Attacking VxWorks: from Stone Age to Interstellar presented by Yannick Formaggio at 44CON London 2015.

Technologie
1  sur  75
Télécharger pour lire hors ligne
ATTACKING VXWORKS FROM STONE AGE TO INTERSTELLAR 44CON LONDON 9/10/2015YANNICK FORMAGGIO, RICHARD HSU & ERIC LIU
ABOUT ME Yannick Formaggio Security Researcher at Istuary Innovation Labs @TheLumberJhack || yannickformaggio on LinkedIn Look for vulns using fuzzing techniques, first time speaker, Lego fan… Help from Richard Hsu and Eric Liu (Lead security researcher) 2
AGENDA Introduction to VxWorks & previous researches Inside VxWorks: Memory management & protections From fuzzing to exploit: RPC Integer Overflow RCE Conclusion 3
INTRODUCTION 4
WHAT’S VXWORKS? #1 Embedded devices RTOS Claimed > 1.5 billions devices developed by Wind River supports lot of CPU architectures
SOME STATS 6
WHAT’S VXWORKS? 1987 • First release • 32 bits processing 1990’s • VxWorks 5 released • 1st RTOS w/ network stack 2000’s • VxWorks 6.x (12-2004) • Security improvements (RTPs, no more task shared memory) 2014 • VxWorks 7.x (02-2014) • 64bits, more security improvements
SOME CUSTOMERS 8
“ ” The Real-Time Operating System for the Internet of Things Powering billions of intelligent devices, VxWorks® delivers an industry-leading combination of scalability, safety, security, and virtualization capabilities to meet next-generation requirements. Windriver VxWorks product 9
VXWORKS & SECURITY Source: http://www.cvedetails.com/product/15063/Windriver-Vxworks.html?vendor_id=95 10
VXWORKS & SECURITY Wind River treatsVxWorks security seriously Partnership with McAffee in Feb 2011 Source: http://www.windriver.com/news/press/pr.html?ID=8801
VXWORKS & SECURITY Wind River treats VxWorks security seriously Partnership with McAffee in Feb 2011 6.x introduced some memory protections 7.x improved way further: Digitally signed modules (X.509) Encryption Centralized user database Password management (SHA-256 algorithm) Ability to create/delete users at run time Encrypted data storage
PREVIOUS RESEARCHES & INSPIRATIONS
PREVIOUS RESEARCH & INSPIRATIONS “Shiny Old VxWorks Vulnerabilities” HD Moore (2010) 4 Metasploit modules targeting WDB RPC Weak password hash entropy  rainbow table containing around 200k hashed passwords 14
PREVIOUS RESEARCH & INSPIRATIONS “Reverse Engineering VxWorks Firmware: WRT54Gv8” /dev/ttyS0 15
PREVIOUS RESEARCH & INSPIRATIONS “Digging Inside the VxWorks OS and Firmware The Holistic Security” Aditya K Sood (0kn0ck) – SecNiche Security Lab WDB debugging Interface (again) OS Security 16
INSIDE VXWORKS MEMORY LAYOUT & PROTECTIONS 17
X86 MEMORY LAYOUT: UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY 18
X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table 19
X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table ASCII string for fatal exception message 20
X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Decriptor/Vector Table ASCII string for fatal exception message VxWorks image entry point 21
X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table ASCII string for fatal exception message VxWorks image entry point WDB shared memory 22
MEMORY PROTECTIONS VxWorks provides MMU-based features in addition to the virtual memory support Non MMU based protections: Heap Error Detection 23
MEMORY PROTECTION: Task stack overrun and underrun detection Interrupt stack overrun and underrun detection Stack pages Stack Start Stop 24
MEMORY PROTECTION Non-executable task stacks & Non- writable Text Segment INCLUDE_TASK_STACK_NO_EXEC INCLUDE_PROTECT_TEXT Task stack size = MMU page size Program pages Read Only Raw Data r+w .TEXT.DATA 25
MEMORY PROTECTION -r-w-x Address Space 0x00000000 NULL Pointer usage detection 26
HEAP BLOCK OVERRUN DETECTION / USAGE TRACKING & LEAKAGE DETECTION 27
FROM FUZZING TO EXPLOIT 28
FUZZING TARGETS Network protocols: Portmap (RPC) FTP TFTP NTP … 29
FUZZING Used Sulley fuzzing framework Problem: no accurate crash detection available Solution: using WdbRPC 30
WHAT’S WDB RPC? Debugging Interface Service running on port UDP/17185 Based on SUN-RPC protocol Provides direct access to system memory 31
WDB PROTOCOL V2 Target Server Target Agent WDB Shell Debugger Browser Other tools HOST VxWorks WTX OS 32
WDB PROTOCOL V2 CALL: SENT BY TARGET SERVER IP HEADER (20 bytes) UDP HEADER (8 bytes) RPC Request Header (40 bytes) WDB Param Wrapper (12 bytes) XDR Encoded parameters XDR Encoded stream Checksum (4 bytes) Length (4 bytes) Sequence # (4 bytes) 33
WDB PROTOCOL V2 REPLY: SENT BY TARGET AGENT IP HEADER (20 bytes) UDP HEADER (8 bytes) RPC Reply Header (24 bytes) WDB Param Wrapper (12 bytes) XDR Encoded parameters XDR Encoded stream Checksum (4 bytes) Length (4 bytes) Error code (4 bytes) 34
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 35
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 36
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 37
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 38
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 39
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 40
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 41
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 42
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X HOST TARGET CALL REPLY … 43 Small interpreted language Two objects: pointer and tape Result of the eval stored in tape Tape content returned to the host More info on Gopher
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X CALL REPLY 44 HOST TARGET … Host reads the pointed memory addresses
CRASH DETECTION Target sends event notification 45 HOST TARGET
CRASH DETECTION Target sends event notification Host acknowledges 46 HOST TARGET
CRASH DETECTION Target sends event notification Host acknowledges Host ask more information (registers content, memory area, …) 47 HOST TARGET
WDBRPC FRAMEWORK Python 2.7 Supports VxWorks 5.x and 6.x Partially implements WDBRPC protocol Implements a basic remote debugger: WdbDbg 48
WDBRPC FRAMEWORK Python 2.7 Supports VxWorks 5.x and 6.x Partially implements WDBRPC protocol Implements a basic remote debugger: WdbDbg 49
WDBRPC FRAMEWORK Some externals dependencies: PyElfTools: reads the imports from the VxWorks Image Capstone Engine: disassemble code around crash area 50
INTERFACING WITH SULLEY Inspiration from the process_monitor.py script coming with Sulley Implementation: DebuggerThread instantiates WdbDbg and implements callback to call when crash occurs ProcessMonitorPedRPCServer interfaces with Sulley’s ped-rpc routines VxMon wraps everything 51
FUZZING 52 Sulley Fuzzer VxWorks Target Test cases VxWorks Process Monitor PED RPC WDB RPC WdbDbg
DEMO 53
CRASH ANALYSIS Portmap task crashed many times on the same RPC field: credential flavor When set to a negative value => PC is set to arbitrary memory value 54
CRASH ANALYSIS 55
CRASH ANALYSIS 56
CRASH ANALYSIS 57
CRASH ANALYSIS 58
CRASH ANALYSIS 59 O_o
CRASH ANALYSIS 60
CRASH ANALYSIS 61
RESPONSIBLE DISCLOSURE Vuln reported to Wind River on July 22nd and acknowledged on 23rd Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable Wind River is providing patches Every VxWorks customers should check the Knowledge Library for details On Sept 9th 2015 I’ve been authorised to disclose details 62
HOW TO EXPLOIT? Integer overflow leading to RCE Heap spray to place the shellcode Compute credential flavor value Jump into shellcode directly all memory protections bypassed/defeated backdoor account set up 63
EXPLOITATION DEMO 64
ABOUT THE REAL TARGETS Schneider Modicon Quantum PLC runs VxWorks and has port 111 open (https://www.digitalbond.co m/tools/basecamp/schneide r-modicon-quantum/) 65
SOME NUMBERS Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open 66
FUN FACT 67
MORE BUGS FOUND DURING FUZZING FTP server is susceptible to ring buffer overflow when accessed at a high speed 68
MORE BUGS FOUND DURING FUZZING FTP server crashes when received specially crafted username and password  network stack down 69
CONCLUSION WindRiver takes VxWorks’ security seriously Implemented a lot of memory protections Being defeated by a simple integer overflow bug 70
FUTURE WORK ? VxWorks 7 More complete WDBRPC protocol and Wdb over serial implementation Continuing to find bugs 71
CODE RELEASE The WdbDbg framework should be released in the next weeks here: https://bitbucket.org/yformaggio/wdbdbg Exploit code will not be released unless explicit authorisation given 72
QUESTIONS 73
THANKS !
LINKS http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html http://www.uio.no/[...]/vxworks_architecture_supplement_6.2.pdf http://www.uio.no/[...]/vxworks_kernel_programmers_guide_6.2.pdf http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf Digging Inside the VxWorks OS and Firmware The Holistic Security HD Moore - Fun with VxWorks 75

Recommandé

Qemu Introduction
Qemu IntroductionQemu Introduction
Qemu IntroductionChiawei Wang
 
Linux programming - Getting self started
Linux programming - Getting self started Linux programming - Getting self started
Linux programming - Getting self started Emertxe Information Technologies Pvt Ltd
 
[131]해커의 관점에서 바라보기
[131]해커의 관점에서 바라보기[131]해커의 관점에서 바라보기
[131]해커의 관점에서 바라보기NAVER D2
 
Windows Registered I/O (RIO) vs IOCP
Windows Registered I/O (RIO) vs IOCPWindows Registered I/O (RIO) vs IOCP
Windows Registered I/O (RIO) vs IOCPSeungmo Koo
 
Linux Internals - Part I
Linux Internals - Part ILinux Internals - Part I
Linux Internals - Part IEmertxe Information Technologies Pvt Ltd
 
Geohashing with Uber’s H3 Geospatial Index
Geohashing with Uber’s H3 Geospatial Index Geohashing with Uber’s H3 Geospatial Index
Geohashing with Uber’s H3 Geospatial Index HPCC Systems
 
Qemu
QemuQemu
QemuKoganti Ravikumar
 
인프콘 2022 - Rust 크로스 플랫폼 프로그래밍
인프콘 2022 - Rust 크로스 플랫폼 프로그래밍인프콘 2022 - Rust 크로스 플랫폼 프로그래밍
인프콘 2022 - Rust 크로스 플랫폼 프로그래밍Chris Ohk
 

Recommandé

Qemu Introduction
Qemu IntroductionQemu Introduction
Qemu IntroductionChiawei Wang
 
Linux programming - Getting self started
Linux programming - Getting self started Linux programming - Getting self started
Linux programming - Getting self started Emertxe Information Technologies Pvt Ltd
 
[131]해커의 관점에서 바라보기
[131]해커의 관점에서 바라보기[131]해커의 관점에서 바라보기
[131]해커의 관점에서 바라보기NAVER D2
 
Windows Registered I/O (RIO) vs IOCP
Windows Registered I/O (RIO) vs IOCPWindows Registered I/O (RIO) vs IOCP
Windows Registered I/O (RIO) vs IOCPSeungmo Koo
 
Linux Internals - Part I
Linux Internals - Part ILinux Internals - Part I
Linux Internals - Part IEmertxe Information Technologies Pvt Ltd
 
Geohashing with Uber’s H3 Geospatial Index
Geohashing with Uber’s H3 Geospatial Index Geohashing with Uber’s H3 Geospatial Index
Geohashing with Uber’s H3 Geospatial Index HPCC Systems
 
Qemu
QemuQemu
QemuKoganti Ravikumar
 
인프콘 2022 - Rust 크로스 플랫폼 프로그래밍
인프콘 2022 - Rust 크로스 플랫폼 프로그래밍인프콘 2022 - Rust 크로스 플랫폼 프로그래밍
인프콘 2022 - Rust 크로스 플랫폼 프로그래밍Chris Ohk
 
ELK at LinkedIn - Kafka, scaling, lessons learned
ELK at LinkedIn - Kafka, scaling, lessons learnedELK at LinkedIn - Kafka, scaling, lessons learned
ELK at LinkedIn - Kafka, scaling, lessons learnedTin Le
 
Performance Monitoring: Understanding Your Scylla Cluster
Performance Monitoring: Understanding Your Scylla ClusterPerformance Monitoring: Understanding Your Scylla Cluster
Performance Monitoring: Understanding Your Scylla ClusterScyllaDB
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...idsecconf
 
The Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOsThe Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOsDivye Kapoor
 
Ethereum virtual machine for Developers Part 1
Ethereum virtual machine for Developers Part 1Ethereum virtual machine for Developers Part 1
Ethereum virtual machine for Developers Part 1ArcBlock
 
Prerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrencyPrerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrencyViller Hsiao
 
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들Chris Ohk
 
Qemu Pcie
Qemu PcieQemu Pcie
Qemu PcieThe Linux Foundation
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
Docker란 무엇인가? : Docker 기본 사용법
Docker란 무엇인가? : Docker 기본 사용법Docker란 무엇인가? : Docker 기본 사용법
Docker란 무엇인가? : Docker 기본 사용법pyrasis
 
Linux Internals - Interview essentials - 1.0
Linux Internals - Interview essentials - 1.0Linux Internals - Interview essentials - 1.0
Linux Internals - Interview essentials - 1.0Emertxe Information Technologies Pvt Ltd
 
Memory management in Linux kernel
Memory management in Linux kernelMemory management in Linux kernel
Memory management in Linux kernelVadim Nikitin
 
Evolution of MongoDB Replicaset and Its Best Practices
Evolution of MongoDB Replicaset and Its Best PracticesEvolution of MongoDB Replicaset and Its Best Practices
Evolution of MongoDB Replicaset and Its Best PracticesMydbops
 
[NHN_NEXT] DirectX Tutorial 강의 자료
[NHN_NEXT] DirectX Tutorial 강의 자료[NHN_NEXT] DirectX Tutorial 강의 자료
[NHN_NEXT] DirectX Tutorial 강의 자료MinGeun Park
 
Ceph QoS: How to support QoS in distributed storage system - Taewoong Kim
Ceph QoS: How to support QoS in distributed storage system - Taewoong KimCeph QoS: How to support QoS in distributed storage system - Taewoong Kim
Ceph QoS: How to support QoS in distributed storage system - Taewoong KimCeph Community
 
Revisiting CephFS MDS and mClock QoS Scheduler
Revisiting CephFS MDS and mClock QoS SchedulerRevisiting CephFS MDS and mClock QoS Scheduler
Revisiting CephFS MDS and mClock QoS SchedulerYongseok Oh
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] LimaAkihiro Suda
 
제프리 리처의 Windows via C/C++ : 8장 유저 모드에서의 스레드 동기화
제프리 리처의 Windows via C/C++ : 8장 유저 모드에서의 스레드 동기화제프리 리처의 Windows via C/C++ : 8장 유저 모드에서의 스레드 동기화
제프리 리처의 Windows via C/C++ : 8장 유저 모드에서의 스레드 동기화sung ki choi
 
[NDC 2018] 유체역학 엔진 개발기
[NDC 2018] 유체역학 엔진 개발기[NDC 2018] 유체역학 엔진 개발기
[NDC 2018] 유체역학 엔진 개발기Chris Ohk
 
Linux PCI device driver
Linux PCI device driverLinux PCI device driver
Linux PCI device driver艾鍗科技
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 

Contenu connexe

Tendances

ELK at LinkedIn - Kafka, scaling, lessons learned
ELK at LinkedIn - Kafka, scaling, lessons learnedELK at LinkedIn - Kafka, scaling, lessons learned
ELK at LinkedIn - Kafka, scaling, lessons learnedTin Le
 
Performance Monitoring: Understanding Your Scylla Cluster
Performance Monitoring: Understanding Your Scylla ClusterPerformance Monitoring: Understanding Your Scylla Cluster
Performance Monitoring: Understanding Your Scylla ClusterScyllaDB
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...idsecconf
 
The Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOsThe Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOsDivye Kapoor
 
Ethereum virtual machine for Developers Part 1
Ethereum virtual machine for Developers Part 1Ethereum virtual machine for Developers Part 1
Ethereum virtual machine for Developers Part 1ArcBlock
 
Prerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrencyPrerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrencyViller Hsiao
 
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들Chris Ohk
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
Docker란 무엇인가? : Docker 기본 사용법
Docker란 무엇인가? : Docker 기본 사용법Docker란 무엇인가? : Docker 기본 사용법
Docker란 무엇인가? : Docker 기본 사용법pyrasis
 
Memory management in Linux kernel
Memory management in Linux kernelMemory management in Linux kernel
Memory management in Linux kernelVadim Nikitin
 
Evolution of MongoDB Replicaset and Its Best Practices
Evolution of MongoDB Replicaset and Its Best PracticesEvolution of MongoDB Replicaset and Its Best Practices
Evolution of MongoDB Replicaset and Its Best PracticesMydbops
 
[NHN_NEXT] DirectX Tutorial 강의 자료
[NHN_NEXT] DirectX Tutorial 강의 자료[NHN_NEXT] DirectX Tutorial 강의 자료
[NHN_NEXT] DirectX Tutorial 강의 자료MinGeun Park
 
Ceph QoS: How to support QoS in distributed storage system - Taewoong Kim
Ceph QoS: How to support QoS in distributed storage system - Taewoong KimCeph QoS: How to support QoS in distributed storage system - Taewoong Kim
Ceph QoS: How to support QoS in distributed storage system - Taewoong KimCeph Community
 
Revisiting CephFS MDS and mClock QoS Scheduler
Revisiting CephFS MDS and mClock QoS SchedulerRevisiting CephFS MDS and mClock QoS Scheduler
Revisiting CephFS MDS and mClock QoS SchedulerYongseok Oh
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] LimaAkihiro Suda
 
제프리 리처의 Windows via C/C++ : 8장 유저 모드에서의 스레드 동기화
제프리 리처의 Windows via C/C++ : 8장 유저 모드에서의 스레드 동기화제프리 리처의 Windows via C/C++ : 8장 유저 모드에서의 스레드 동기화
제프리 리처의 Windows via C/C++ : 8장 유저 모드에서의 스레드 동기화sung ki choi
 
[NDC 2018] 유체역학 엔진 개발기
[NDC 2018] 유체역학 엔진 개발기[NDC 2018] 유체역학 엔진 개발기
[NDC 2018] 유체역학 엔진 개발기Chris Ohk
 
Linux PCI device driver
Linux PCI device driverLinux PCI device driver
Linux PCI device driver艾鍗科技
 

Tendances (20)

ELK at LinkedIn - Kafka, scaling, lessons learned
ELK at LinkedIn - Kafka, scaling, lessons learnedELK at LinkedIn - Kafka, scaling, lessons learned
ELK at LinkedIn - Kafka, scaling, lessons learned
 
Performance Monitoring: Understanding Your Scylla Cluster
Performance Monitoring: Understanding Your Scylla ClusterPerformance Monitoring: Understanding Your Scylla Cluster
Performance Monitoring: Understanding Your Scylla Cluster
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
 
The Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOsThe Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOs
 
Ethereum virtual machine for Developers Part 1
Ethereum virtual machine for Developers Part 1Ethereum virtual machine for Developers Part 1
Ethereum virtual machine for Developers Part 1
 
Prerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrencyPrerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrency
 
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들
 
Qemu Pcie
Qemu PcieQemu Pcie
Qemu Pcie
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
 
Docker란 무엇인가? : Docker 기본 사용법
Docker란 무엇인가? : Docker 기본 사용법Docker란 무엇인가? : Docker 기본 사용법
Docker란 무엇인가? : Docker 기본 사용법
 
Linux Internals - Interview essentials - 1.0
Linux Internals - Interview essentials - 1.0Linux Internals - Interview essentials - 1.0
Linux Internals - Interview essentials - 1.0
 
Memory management in Linux kernel
Memory management in Linux kernelMemory management in Linux kernel
Memory management in Linux kernel
 
Evolution of MongoDB Replicaset and Its Best Practices
Evolution of MongoDB Replicaset and Its Best PracticesEvolution of MongoDB Replicaset and Its Best Practices
Evolution of MongoDB Replicaset and Its Best Practices
 
[NHN_NEXT] DirectX Tutorial 강의 자료
[NHN_NEXT] DirectX Tutorial 강의 자료[NHN_NEXT] DirectX Tutorial 강의 자료
[NHN_NEXT] DirectX Tutorial 강의 자료
 
Ceph QoS: How to support QoS in distributed storage system - Taewoong Kim
Ceph QoS: How to support QoS in distributed storage system - Taewoong KimCeph QoS: How to support QoS in distributed storage system - Taewoong Kim
Ceph QoS: How to support QoS in distributed storage system - Taewoong Kim
 
Revisiting CephFS MDS and mClock QoS Scheduler
Revisiting CephFS MDS and mClock QoS SchedulerRevisiting CephFS MDS and mClock QoS Scheduler
Revisiting CephFS MDS and mClock QoS Scheduler
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima
 
제프리 리처의 Windows via C/C++ : 8장 유저 모드에서의 스레드 동기화
제프리 리처의 Windows via C/C++ : 8장 유저 모드에서의 스레드 동기화제프리 리처의 Windows via C/C++ : 8장 유저 모드에서의 스레드 동기화
제프리 리처의 Windows via C/C++ : 8장 유저 모드에서의 스레드 동기화
 
[NDC 2018] 유체역학 엔진 개발기
[NDC 2018] 유체역학 엔진 개발기[NDC 2018] 유체역학 엔진 개발기
[NDC 2018] 유체역학 엔진 개발기
 
Linux PCI device driver
Linux PCI device driverLinux PCI device driver
Linux PCI device driver
 

En vedette

44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON
 

En vedette (8)

44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
 

Similaire à 44CON London - Attacking VxWorks: from Stone Age to Interstellar

FreeLix: Semplicità & Controllo
FreeLix: Semplicità & ControlloFreeLix: Semplicità & Controllo
FreeLix: Semplicità & ControlloValerio Balbi
 
Hardware accelerated switching with Linux @ SWLUG Talks May 2014
Hardware accelerated switching with Linux @ SWLUG Talks May 2014Hardware accelerated switching with Linux @ SWLUG Talks May 2014
Hardware accelerated switching with Linux @ SWLUG Talks May 2014Nat Morris
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentOOO "Program Verification Systems"
 
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Cybersecurity Education and Research Centre
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbgArno Huetter
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Gavin Guo
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
Docker Multihost Networking
Docker Multihost Networking Docker Multihost Networking
Docker Multihost Networking Nicola Kabar
 
Compiling P4 to XDP, IOVISOR Summit 2017
Compiling P4 to XDP, IOVISOR Summit 2017Compiling P4 to XDP, IOVISOR Summit 2017
Compiling P4 to XDP, IOVISOR Summit 2017Cheng-Chun William Tu
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackironSource
 
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)PROIDEA
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanDefconRussia
 
Swug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathSwug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathDennis Chung
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -evechiportal
 
Using Smalltalk for controlling robotics systems
Using Smalltalk for controlling robotics systemsUsing Smalltalk for controlling robotics systems
Using Smalltalk for controlling robotics systemsSerge Stinckwich
 
Technical Overview of QUIC
Technical Overview of QUICTechnical Overview of QUIC
Technical Overview of QUICshigeki_ohtsu
 
Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016 Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016 RedHatTelco
 
Deep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesDeep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesortegaalfredo
 

Similaire à 44CON London - Attacking VxWorks: from Stone Age to Interstellar (20)

FreeLix: Semplicità & Controllo
FreeLix: Semplicità & ControlloFreeLix: Semplicità & Controllo
FreeLix: Semplicità & Controllo
 
Hardware accelerated switching with Linux @ SWLUG Talks May 2014
Hardware accelerated switching with Linux @ SWLUG Talks May 2014Hardware accelerated switching with Linux @ SWLUG Talks May 2014
Hardware accelerated switching with Linux @ SWLUG Talks May 2014
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications development
 
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Docker Multihost Networking
Docker Multihost Networking Docker Multihost Networking
Docker Multihost Networking
 
Compiling P4 to XDP, IOVISOR Summit 2017
Compiling P4 to XDP, IOVISOR Summit 2017Compiling P4 to XDP, IOVISOR Summit 2017
Compiling P4 to XDP, IOVISOR Summit 2017
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
 
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsan
 
Swug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathSwug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainath
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eve
 
Using Smalltalk for controlling robotics systems
Using Smalltalk for controlling robotics systemsUsing Smalltalk for controlling robotics systems
Using Smalltalk for controlling robotics systems
 
Technical Overview of QUIC
Technical Overview of QUICTechnical Overview of QUIC
Technical Overview of QUIC
 
Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016 Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016
 
Deep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesDeep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slides
 

Plus de 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...44CON
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 

Plus de 44CON (20)

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
 

Dernier

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Dernier (20)

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

44CON London - Attacking VxWorks: from Stone Age to Interstellar

  • 1. ATTACKING VXWORKS FROM STONE AGE TO INTERSTELLAR 44CON LONDON 9/10/2015YANNICK FORMAGGIO, RICHARD HSU & ERIC LIU
  • 2. ABOUT ME Yannick Formaggio Security Researcher at Istuary Innovation Labs @TheLumberJhack || yannickformaggio on LinkedIn Look for vulns using fuzzing techniques, first time speaker, Lego fan… Help from Richard Hsu and Eric Liu (Lead security researcher) 2
  • 3. AGENDA Introduction to VxWorks & previous researches Inside VxWorks: Memory management & protections From fuzzing to exploit: RPC Integer Overflow RCE Conclusion 3
  • 5. WHAT’S VXWORKS? #1 Embedded devices RTOS Claimed > 1.5 billions devices developed by Wind River supports lot of CPU architectures
  • 7. WHAT’S VXWORKS? 1987 • First release • 32 bits processing 1990’s • VxWorks 5 released • 1st RTOS w/ network stack 2000’s • VxWorks 6.x (12-2004) • Security improvements (RTPs, no more task shared memory) 2014 • VxWorks 7.x (02-2014) • 64bits, more security improvements
  • 9. “ ” The Real-Time Operating System for the Internet of Things Powering billions of intelligent devices, VxWorks® delivers an industry-leading combination of scalability, safety, security, and virtualization capabilities to meet next-generation requirements. Windriver VxWorks product 9
  • 10. VXWORKS & SECURITY Source: http://www.cvedetails.com/product/15063/Windriver-Vxworks.html?vendor_id=95 10
  • 11. VXWORKS & SECURITY Wind River treatsVxWorks security seriously Partnership with McAffee in Feb 2011 Source: http://www.windriver.com/news/press/pr.html?ID=8801
  • 12. VXWORKS & SECURITY Wind River treats VxWorks security seriously Partnership with McAffee in Feb 2011 6.x introduced some memory protections 7.x improved way further: Digitally signed modules (X.509) Encryption Centralized user database Password management (SHA-256 algorithm) Ability to create/delete users at run time Encrypted data storage
  • 14. PREVIOUS RESEARCH & INSPIRATIONS “Shiny Old VxWorks Vulnerabilities” HD Moore (2010) 4 Metasploit modules targeting WDB RPC Weak password hash entropy  rainbow table containing around 200k hashed passwords 14
  • 15. PREVIOUS RESEARCH & INSPIRATIONS “Reverse Engineering VxWorks Firmware: WRT54Gv8” /dev/ttyS0 15
  • 16. PREVIOUS RESEARCH & INSPIRATIONS “Digging Inside the VxWorks OS and Firmware The Holistic Security” Aditya K Sood (0kn0ck) – SecNiche Security Lab WDB debugging Interface (again) OS Security 16
  • 17. INSIDE VXWORKS MEMORY LAYOUT & PROTECTIONS 17
  • 18. X86 MEMORY LAYOUT: UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY 18
  • 19. X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table 19
  • 20. X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table ASCII string for fatal exception message 20
  • 21. X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Decriptor/Vector Table ASCII string for fatal exception message VxWorks image entry point 21
  • 22. X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table ASCII string for fatal exception message VxWorks image entry point WDB shared memory 22
  • 23. MEMORY PROTECTIONS VxWorks provides MMU-based features in addition to the virtual memory support Non MMU based protections: Heap Error Detection 23
  • 24. MEMORY PROTECTION: Task stack overrun and underrun detection Interrupt stack overrun and underrun detection Stack pages Stack Start Stop 24
  • 25. MEMORY PROTECTION Non-executable task stacks & Non- writable Text Segment INCLUDE_TASK_STACK_NO_EXEC INCLUDE_PROTECT_TEXT Task stack size = MMU page size Program pages Read Only Raw Data r+w .TEXT.DATA 25
  • 27. HEAP BLOCK OVERRUN DETECTION / USAGE TRACKING & LEAKAGE DETECTION 27
  • 28. FROM FUZZING TO EXPLOIT 28
  • 29. FUZZING TARGETS Network protocols: Portmap (RPC) FTP TFTP NTP … 29
  • 30. FUZZING Used Sulley fuzzing framework Problem: no accurate crash detection available Solution: using WdbRPC 30
  • 31. WHAT’S WDB RPC? Debugging Interface Service running on port UDP/17185 Based on SUN-RPC protocol Provides direct access to system memory 31
  • 32. WDB PROTOCOL V2 Target Server Target Agent WDB Shell Debugger Browser Other tools HOST VxWorks WTX OS 32
  • 33. WDB PROTOCOL V2 CALL: SENT BY TARGET SERVER IP HEADER (20 bytes) UDP HEADER (8 bytes) RPC Request Header (40 bytes) WDB Param Wrapper (12 bytes) XDR Encoded parameters XDR Encoded stream Checksum (4 bytes) Length (4 bytes) Sequence # (4 bytes) 33
  • 34. WDB PROTOCOL V2 REPLY: SENT BY TARGET AGENT IP HEADER (20 bytes) UDP HEADER (8 bytes) RPC Reply Header (24 bytes) WDB Param Wrapper (12 bytes) XDR Encoded parameters XDR Encoded stream Checksum (4 bytes) Length (4 bytes) Error code (4 bytes) 34
  • 35. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 35
  • 36. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 36
  • 37. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 37
  • 38. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 38
  • 39. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 39
  • 40. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 40
  • 41. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 41
  • 42. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 42
  • 43. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X HOST TARGET CALL REPLY … 43 Small interpreted language Two objects: pointer and tape Result of the eval stored in tape Tape content returned to the host More info on Gopher
  • 44. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X CALL REPLY 44 HOST TARGET … Host reads the pointed memory addresses
  • 45. CRASH DETECTION Target sends event notification 45 HOST TARGET
  • 46. CRASH DETECTION Target sends event notification Host acknowledges 46 HOST TARGET
  • 47. CRASH DETECTION Target sends event notification Host acknowledges Host ask more information (registers content, memory area, …) 47 HOST TARGET
  • 48. WDBRPC FRAMEWORK Python 2.7 Supports VxWorks 5.x and 6.x Partially implements WDBRPC protocol Implements a basic remote debugger: WdbDbg 48
  • 49. WDBRPC FRAMEWORK Python 2.7 Supports VxWorks 5.x and 6.x Partially implements WDBRPC protocol Implements a basic remote debugger: WdbDbg 49
  • 50. WDBRPC FRAMEWORK Some externals dependencies: PyElfTools: reads the imports from the VxWorks Image Capstone Engine: disassemble code around crash area 50
  • 51. INTERFACING WITH SULLEY Inspiration from the process_monitor.py script coming with Sulley Implementation: DebuggerThread instantiates WdbDbg and implements callback to call when crash occurs ProcessMonitorPedRPCServer interfaces with Sulley’s ped-rpc routines VxMon wraps everything 51
  • 54. CRASH ANALYSIS Portmap task crashed many times on the same RPC field: credential flavor When set to a negative value => PC is set to arbitrary memory value 54
  • 62. RESPONSIBLE DISCLOSURE Vuln reported to Wind River on July 22nd and acknowledged on 23rd Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable Wind River is providing patches Every VxWorks customers should check the Knowledge Library for details On Sept 9th 2015 I’ve been authorised to disclose details 62
  • 63. HOW TO EXPLOIT? Integer overflow leading to RCE Heap spray to place the shellcode Compute credential flavor value Jump into shellcode directly all memory protections bypassed/defeated backdoor account set up 63
  • 65. ABOUT THE REAL TARGETS Schneider Modicon Quantum PLC runs VxWorks and has port 111 open (https://www.digitalbond.co m/tools/basecamp/schneide r-modicon-quantum/) 65
  • 66. SOME NUMBERS Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open 66
  • 68. MORE BUGS FOUND DURING FUZZING FTP server is susceptible to ring buffer overflow when accessed at a high speed 68
  • 69. MORE BUGS FOUND DURING FUZZING FTP server crashes when received specially crafted username and password  network stack down 69
  • 70. CONCLUSION WindRiver takes VxWorks’ security seriously Implemented a lot of memory protections Being defeated by a simple integer overflow bug 70
  • 71. FUTURE WORK ? VxWorks 7 More complete WDBRPC protocol and Wdb over serial implementation Continuing to find bugs 71
  • 72. CODE RELEASE The WdbDbg framework should be released in the next weeks here: https://bitbucket.org/yformaggio/wdbdbg Exploit code will not be released unless explicit authorisation given 72