Stuff for the Stash, May-June
Articles and tools on vehicle security, AI, fuzzing, microcode, baseband, game console forensics, a bit of everything really!
Hello everyone,
Midsummer celebrations are behind us and many people are looking forward to well-deserved vacation breaks. Just in case you’re looking for some interesting reading to put on your e-reader, there’s plenty of good stuff linked below, as usual.
Happy hacking!
Articles and other News
elttam dug deep into the attack surface of Home Assistant, with over 130K publicly accessible instances and now an authentication bypass.
An article on using AI to find software bugs in XNU, and while it did find bugs, it does raise doubts about the viability of the approach.
Automated Driver Assistance Systems (ADAS) require reliable cameras to ensure safety, and thus also rely on those cameras being secure. The MIPI security working group is introducing key security requirements for automotive cameras.
A description of popular assemblers and their architecture-specific differences.
The Airbus SecLab has published an article on optimizing binary-only fuzzing with AFL++, a practical case of grammar-aware in-memory persistent fuzzing.
An article describing the OTP eFuse readout glitching on the Wii U to gain code execution.
Check Point tends to delight with very detailed analysis, and this time is no different, with a feature-by-feature binary analysis of Rust code.
This one is just plain fun: cracking open a Boeing 747 fuel gauge and, well, making it do your bidding, of course.
The race for AI mindshare is continuing at full strength, here Google is introducing “a conceptual framework to help collaboratively secure AI technology”.
An interesting opinion article on how a security tools crash is coming. Can’t say I disagree. When many security vendors inevitably see their demise, what will the impact be on the security of their customer base?
Lots of people are exploring use cases for AI; this one details an approach in which generative AI is used to identify and resolve performance and reliability issues in systems.
The doctoral thesis of one of the people behind AFL++ on, you guessed it, fuzzing.
A Journey Through the Secrets of Firmware: Exploring the Foundations
From time to time, you just want to read an in-depth analysis of some spyware, here the team at Talos analyzes the Intellexa PREDATOR spyware.
What Lies in Store for Connected Cars in the Cybercriminal Underground?
Like so many things in the world of cybersecurity, bug bounties can be both a blessing and a curse. This article gives an example of the cursed variant.
Bug bounties are broken – the story of “i915” bug, ChromeOS + Intel bounty programs, and beyond
Papers
faulTPM: Exposing AMD fTPMs' Deepest Secrets
In this paper, we analyze a new class of attacks against fTPMs: Attacking their Trusted Execution Environment can lead to a full TPM state compromise. We experimentally verify this attack by compromising the AMD Secure Processor, which constitutes the TEE for AMD's fTPMs. In contrast to previous dTPM sniffing attacks, this vulnerability exposes the complete internal TPM state of the fTPM. It allows us to extract any cryptographic material stored or sealed by the fTPM regardless of authentication mechanisms such as Platform Configuration Register validation or passphrases with anti-hammering protection. First, we demonstrate the impact of our findings by - to the best of our knowledge - enabling the first attack against Full Disk Encryption solutions backed by an fTPM. Furthermore, we lay out how any application relying solely on the security properties of the TPM - like Bitlocker's TPM-only protector - can be defeated by an attacker with 2-3 hours of physical access to the target device. Lastly, we analyze the impact of our attack on FDE solutions protected by a TPM and PIN strategy.
Dead Man's Switch: Forensic Autopsy of the Nintendo Switch
In this paper, we have detailed the processes that must be conducted in order to extract forensic evidence from Nintendo Switch devices. We extracted a number of different forensic artefacts from a NAND dump of several Nintendo Switch devices. We discovered several key artefacts, notably personally identifiable information, network connection history and displays that have been connected. We also assessed the forensic value of each artefact extracted from the device. We developed software to automate the process of dumping and extracting the content of the NAND memory. Additionally, we developed modules for the forensic software Autopsy and released these as open source software to automate the process of ingestion and analysis.
CustomProcessingUnit: Reverse Engineering and Customization of Intel Microcode
In this work, we present the first framework for static and dynamic analysis of Intel microcode. Building upon prior research, we reverse-engineer Goldmont microcode semantics and reconstruct the patching primitives for microcode customization. For static analysis, we implement a Ghidra processor module for decompilation and analysis of decrypted microcode. For dynamic analysis, we create a UEFI application that can trace and patch microcode to provide complete microcode control on Goldmont systems. Leveraging our framework, we reverse-engineer the confidential Intel microcode update algorithm and perform the first security analysis of its design and implementation. In three further case studies, we illustrate the potential security and performance benefits of microcode customization.
We provide the first x86 Pointer Authentication Code (PAC) microcode implementation and its security evaluation, design and implement fast software breakpoints that are more than 1000x faster than standard breakpoints, and present constant-time microcode division, illustrating the potential security and performance benefits of microcode customization.
To assist researchers, we present the first comprehensive guide to the existing open CAN intrusion datasets, including a quality analysis of each dataset and an enumeration of each's benefits, drawbacks, and suggested use case. Current public CAN IDS datasets are limited to real fabrication (simple message injection) attacks and simulated attacks often in synthetic data, which lack fidelity. In general, the physical effects of attacks on the vehicle are not verified in the available datasets. Only one dataset provides signal-translated data but not a corresponding raw binary version. Overall, the available data pigeon-holes CAN IDS works into testing on limited, often inappropriate data (usually with attacks that are too easily detectable to truly test the method), and this lack of data has stymied comparability and reproducibility of results. As our primary contribution, we present the ROAD (Real ORNL Automotive Dynamometer) CAN Intrusion Dataset, consisting of over 3.5 hours of one vehicle's CAN data. ROAD contains ambient data recorded during a diverse set of activities, and attacks of increasing stealth with multiple variants and instances of real fuzzing, fabrication, and unique advanced attacks, as well as simulated masquerade attacks. To facilitate benchmarking CAN IDS methods that require signal-translated inputs, we also provide the signal time series format for many of the CAN captures.
Hot Pixels: Frequency, Power, and Temperature Attacks on GPUs and ARM SoCs
The drive to create thinner, lighter, and more energy efficient devices has resulted in modern SoCs being forced to balance a delicate tradeoff between power consumption, heat dissipation, and execution speed (i.e., frequency). While beneficial, these DVFS mechanisms have also resulted in software-visible hybrid side-channels, which use software to probe analog properties of computing devices. Such hybrid attacks are an emerging threat that can bypass countermeasures for traditional microarchitectural side-channel attacks.
Given the rise in popularity of both Arm SoCs and GPUs, in this paper we investigate the susceptibility of these devices to information leakage via power, temperature and frequency, as measured via internal sensors. We demonstrate that the sensor data observed correlates with both instructions executed and data processed, allowing us to mount software-visible hybrid side-channel attacks on these devices.
To demonstrate the real-world impact of this issue, we present JavaScript-based pixel stealing and history sniffing attacks on Chrome and Safari, with all side channel countermeasures enabled. Finally, we also show website fingerprinting attacks, without any elevated privileges.
Review of Electric Vehicle Charger Cybersecurity Vulnerabilities, Potential Impacts, and Defenses
Cybersecurity researchers have recently identified several vulnerabilities that exist in EVSE devices, communications to electric vehicles (EVs), and upstream services, such as EVSE vendor cloud services, third party systems, and grid operators. The potential impact of attacks on these systems stretches from localized, relatively minor effects to long-term national disruptions.
Fortunately, there is a strong and expanding collection of information technology (IT) and operational technology (OT) cybersecurity best practices that may be applied to the EVSE environment to secure this equipment. In this paper, we survey publicly disclosed EVSE vulnerabilities, the impact of EV charger cyberattacks, and proposed security protections for EV charging technologies.
Fuzzing Embedded Systems Using Debug Interfaces (tool posted below)
Fuzzing embedded systems is hard. Their key components – microcontrollers – are highly diverse and cannot be easily virtualized; their software may not be changed or instrumented. However, we observe that many, if not most, microcontrollers feature a debug interface through which a debug probe (typically controllable via GDB, the GNU debugger) can set a limited number of hardware breakpoints. Using these, we extract partial coverage feedback even for uninstrumented binary code; and thus enable effective fuzzing for embedded systems through a generic, widespread mechanism. In its evaluation on four different microcontroller boards, our prototypical implementation GDBFuzz quickly reaches high code coverage and detects known and new vulnerabilities.
A Security RISC: Microarchitectural Attacks on Hardware RISC-V CPUs
The microarchitectural attack surface of the first commercially available RISC-V hardware CPUs is not yet explored. This paper analyzes the two commercially-available off-the-shelf 64-bit RISC-V (hardware) CPUs used in most RISC-V systems running a full-fledged commodity Linux system. We evaluate the microarchitectural attack surface, which leads to the introduction of 3 new microarchitectural attack techniques: Cache+Time, a novel cache-line-granular cache attack without shared memory, Flush+Fault exploiting the Harvard cache architecture for Flush+Reload, and CycleDrift exploiting unprivileged access to instruction-retirement information. Additionally, we show that many known attacks are applicable to these RISC-V CPUs, mainly due to non-existing hardware countermeasures and instruction-set subtleties that do not consider the microarchitectural attack surface. We demonstrate our attacks in 6 case studies, including the first RISC-V-specific microarchitectural KASLR break and a CycleDrift-based method for detecting kernel activity. Based on our analysis, we stress the need to consider the microarchitectural attack surface during every step of a CPU design, including custom instruction-set extensions.
Space Odyssey: An Experimental Software Security Analysis of Satellites
In this paper, we first provide a taxonomy of threats against satellite firmware. We then conduct an experimental security analysis of three real-world satellite firmware images. We base our analysis on a set of real-world attacker models and find several security-critical vulnerabilities in all analyzed firmware images. The results of our experimental security assessment show that modern in-orbit satellites suffer from different software security vulnerabilities and often a lack of proper access protection mechanisms. They also underline the need to overcome prevailing but obsolete assumptions. To substantiate our observations, we also performed a survey of 19 professional satellite developers to obtain a comprehensive picture of the satellite security landscape.
Vulnerabilities
This article explores using static analysis tools to find Spectre v1 gadgets for side-channel exploitation. Write-up here.
The Silent Spy Among Us: Modern Attacks Against Smart Intercoms
Tools
A collection of scripts for reversing Qualcomm baseband / modem firmware
Diaphora has seen its 3.0 release, and continues to be a very valuable tool for diffing programs.
A tool to identify which CPU architecture applies to a given binary file.
ZMap, a very fast network packet scanner, has also seen its 3.0 release.
Who needs another SAST code scanning tool? Yep, we all do. This regex-based tool has a huge number of checks that will help guide your code review efforts: cq by NCC Group.
GDBFuzz: Debugger-Driven Fuzzing, leveraging hardware breakpoints on microcontrollers as feedback for coverage-guided fuzzing.
An example using the dedicated emulator tool in Ghidra 10.3.
Policy
The United Kingdom has published security requirements for manufacturers of relevant connectable products, which will come into effect, and thus require compliance, by April 2024; they are mostly based on ETSI EN 303 645.
The Office of the Director of National Intelligence has released a declassified report from a panel on “Commercially Available Information”, i.e. data collected from your smartphone.
This is a Stuff for the Stash article, where I share interesting things I have encountered on a wide variety of topics related to low-level security and cyber-physical systems.
You receive this email because at one point you subscribed to this publication, and I deeply appreciate that. If you feel this information could be interesting to others, feel free to share!