Stuff for the Stash, Week 49
My personal take on what I found noteworthy in the field of cybersecurity this week
Welcome to this week’s roundup of internet things which I added to my collection of interesting things. A somewhat slower week than last week, in volume but not in quality, which I expect to continue till after the New Year’s festivities.
This week covers #automotivesecurity, #windowsdebugging, #windowssandbox, #hypervisor, #bootloader, #pwn2own, #fuzzing, #ssdlc, #5g, #securitytools and more.
Comments, suggestions and story submissions are always welcome! If you find these weekly updates interesting, thank you for sharing them with your colleagues, friends and contacts; that would be really helpful.
Articles and other news
Impalabs has published their extensive research on the Huawei security hypervisor as well as a detailed write-up of CVE-2021-39979. Quality research and a LONG read.
The Secure our Streets conference, organized by the Automotive Security Research Group (asrg.io), has released the videos recorded during the event: 22 recordings with some worthwhile contributions. You can watch them here.
A curious story popped up about an F-150 truck being bricked while charging at an EV station. The story is, in my opinion, worthwhile as it triggers a number of questions:
What will be the root cause? The truck pulling more current than it can handle, or the charging station providing an incorrect or oscillating voltage?
How involved will repair and diagnostic procedures be for this kind of fault? Will this require replacing components, or can they be fixed? Do repair shops have the capability to do this, or is more specialized help required? And what will the bill look like?
And of course, if electric vehicles seem to be subject to this kind of fault, can these faults be weaponized as an attack vector against electric vehicles?
Article can be found at https://fordauthority.com/2022/11/ford-f-150-lightning-bricked-after-charging-at-electrify-america-station/
itm4n publishes an interesting article on how to debug protected processes on Windows.
A trilogy of posts on the exploitation of a Google Pixel 6, from booting it up and emulating the bootloader to, finally, exploiting the bootloader.
In case anyone is living under a rock this week, ZDI’s Pwn2Own Toronto competition is ongoing, targeting a wide variety of consumer electronics.
Write-ups for Day 1 and Day 2 have been published at the time of writing; the remaining two days are expected to follow soon on the same blog. I’m very excited about the SOHO Smashup category results, where a pivot on one electronics device needs to be used to attack a second device (e.g. exploit a home router to attack a printer). I believe this gives everyone a better demonstration of actual risk.
Papers
How to compare fuzzers is the straightforward title of this paper, which looks under the hood of fuzzer evaluation by means of mutation analysis.
Despite considerable progress in this area in the past years, measuring and comparing the effectiveness of fuzzers is still an open research question. […] In this paper, we apply modern mutation analysis techniques that pool multiple mutations; allowing us, for the first time, to evaluate and compare fuzzers with mutation analysis. We introduce an evaluation bench for fuzzers and apply it to a number of popular fuzzers and subjects. In a comprehensive evaluation, we show how it allows us to assess fuzzer performance and measure the impact of improved techniques. While we find that today’s fuzzers can detect only a small percentage of mutations, this should be seen as a challenge for future research—notably in improving (1) detecting failures beyond generic crashes; and (2) triggering mutations (and thus faults).
I admit I enjoy literature reviews, as they tend to give a fast overview of the main findings on a particular topic, and are also an entry point to many more relevant papers. This paper applies a systematic literature review to 5G.
Another literature review, this time on Secure Software Development methodologies, covering 28 different ones. The paper asks some very pertinent questions; I believe answering them would increase the value of secure software development methodologies and move the practice forward.
As a result of the survey, several research gaps are addressed. One of the open questions is why companies tend to create their methodologies but do not adopt the existing methodology. Another research gap is why the evidence of the effectiveness of the methodologies is based on the belief that the number of vulnerabilities in software is reduced. The authors also do not provide any facts that support their beliefs. The academic methodologies also involve auxiliary (non-technical) security practices sparingly, focusing only on technical security practices. Several academic methodologies even do not provide information on what is novel in their methodologies, using the security practices from methodologies that have been already published. And finally, why there is a trend of increasing the number of vulnerabilities produced in software despite there being many SSDMs. We believe that exploring the gaps that we found may contribute to producing software with a fewer number of vulnerabilities.
Vulnerabilities
Jean-Jamil Kahlif published a concise writeup of a pre-auth remote code execution vulnerability on the WAN side of a Netgear Nighthawk, and its exploitation. The bug is in the JSON parsing.
NIST has published its overview of all vulnerabilities registered in the week of November 28th and notifies us that a type confusion vulnerability in the Chromium V8 JavaScript engine, CVE-2022-4262, is actively being exploited.
Tools
Microsoft released security testing tools for Windows sandboxing technologies, specifically those sandboxes in scope of the Microsoft Windows Insider Preview Bounty Program.
The EMBA firmware security analyzer has a new release. This tool performs a fairly extensive set of automated checks against firmware images, and is definitely something to explore for the crowd that enjoys using binwalk (which the tool also uses under the hood).
Bits and Pieces
Black Hat USA 2022 videos are up on YouTube.
Pwn2Own announced that its next event will be held February 14-16, this time targeting ICS and SCADA systems.
Till next time,
Thierry