Stuff for the Stash, Week 50

Software defined silicon, Fiber optics, Linux kernel security, medical implants, TEE, hypervisors and more...

Hello everyone, welcome to my weekly personal take on internet things I added to my collection of interesting things.

Business is slowing down while we inch closer to the end of year festivities, but it has not been noticeable yet, with plenty interesting stories having made it on to my screen this week.

This week’s catch covers Software defined Silicon, Fiber Optics, C23, Linux kernel security, medical implants, TEE, hypervisors and more.

And don’t forget friends, sharing is caring, so care away by sending me your interesting links, and share the newsletter with friends and colleagues. (psstt, there’s a subscribe button below, substack is really pretty decent in that way)

---

---

Articles and other news

• Underfox3 starts us off this week with an interesting introduction to Intel Software Defined Silicon (SDSi). When the cost of maintaining multiple customised product lines becomes higher than having a single multi-purpose product with flexible configuration options to enable/disable features, software-defined anything is a handy mechanism for achieving this kind of functional separation. We have seen this concept in action for years already in consumer and professional networking equipment, and it is being introduced in newer areas such as vehicles (seat heater subscription anyone?). In this case, Intel SDSi can enable or disable any CISC instruction through ISA flag registers.

• French hacker Xilokar wrote up some nice reversing results against a fiber gateway. The vendor did many things right, except …

  Arm Trusted Firmware, Op-tee, all signed and encrypted...

  During my work on the previous model, I found that by shorting two pins of one connector on the pcb, the board booted in a so-called test-mode. This mode, after a custom network authentication, allow to boot on a network loaded firmware image without signature check.

• Here’s a very interesting thread where Kenneth tears apart a 100G-LR4 optic connector for our entertainment and learning. First time I’ve seen one of those in detail and strongly recommend to read through it.

  

  Image copyright by Kenneth Finnegan

• Jens Gustedt at INRIA contributes a very in-depth look at the impact of upcoming C23 standard on C libraries.

• A few months old, but I only noticed it this week. The Linux kernel, when compiled with LLVM, has supported Control Flow Integrity since version 5.13. A new implementation is being considered making different design choices than using jump tables. Read more about it at https://lwn.net/Articles/898040/.

• You got to love* the NSA (*conditions apply). They released a very interesting series on protecting FPGA microelectronics . I especially appreciate the threat catalog and best practices. Maybe it’s time for the industry to take inspiration from this and start developing common threat catalogs for specific technologies ?

  Also, why is it there always seem to be 3 assurance levels ?

Threats covered by Assurance Level 1

• It doesn’t happen every week I get to highlight an article in Nature magazine, but I felt this story about what happens when medical implants are abandoned by their company was certainly worthwhile. While not strictly about cybersecurity, it has made me think about the role hackers could play in such a scenario. After all, as an industry we carry a very useful skillset in keeping old technologies alive. Have a think too.

• NIST is continuing to tell people to move away from SHA-1. Despite NIST putting forward a transition timeline until 2030, let’s stop shooting ourselves in the foot by stopping today and starting the transition asap m’kay ? I know in some cases there are good reasons why this transition will take plenty of time, but many situations are not that.

• You know I just couldn’t not share something about OpenAI’s ChatGPT. I believe it’s illegal now not to mention it in newsletters. So here’s all the ways to get around ChatGPT’s safeguards.

Papers

• A paper on non-intrusive hotpatching of memory in mission-critical ICS components, that one definitely made me sit up straight.

  The current state-of-the-art hotpatching approaches only focus on firmware and/or RTOS. Therefore, in this work, we develop ICSPatch, a framework to automate control logic vulnerability localization using Data Dependence Graphs (DDGs). With the help of DDGs, ICSPatch pinpoints the vulnerability in the control application. As an independent second step, ICSPatch can non-intrusively hotpatch vulnerabilities in the control application directly in the main memory of Programmable Logic Controllers while maintaining reliable continuous operation. To evaluate our framework, we test ICSPatch on a synthetic dataset of 24 vulnerable control application binaries from diverse critical infrastructure sectors. Results show that ICSPatch could successfully localize all vulnerabilities and generate patches accordingly. Furthermore, the patch added negligible latency increase in the execution cycle while maintaining correctness and protection against the vulnerability.

• The only other paper of interest this week is on the lack of code confidentiality in Trusted Execution Environments.

  We study the resilience of such solutions to side-channel attacks in two commonly deployed scenarios: when a confidential code is a native binary that is shipped and executed within a TEE and when the confidential code is an intermediate representation (IR) executed on top of a runtime within a TEE. We show that executing IR code such as WASM bytecode on a runtime executing in a TEE leaks most IR instructions with high accuracy and therefore reveals the confidential code. Contrary to IR execution, native execution is much less susceptible to leakage and largely resists even the most powerful side-channel attacks. We evaluate native execution leakage in Intel SGX and AMD SEV and experimentally demonstrate end-to-end instruction extraction on Intel SGX, with WASM bytecode as IR executed within WAMR, a hybrid between a JIT compiler and interpreter developed by Intel. Our experiments show that IR code leakage from such systems is practical and therefore question the security claims of several commercial solutions which rely on TEEs+WASM for code confidentiality.

Vulnerabilities

• The good people at Impalabs are on a roll and tearing apart Huawei’s security hypervisor. This time they bring us an in-depth write up of three vulnerabilities in the Huawei Secure Monitor. Serious impressive writing and explanations on display here.

• The full disclosure mailing list used to be THE place where all vulnerabilities were posted back in the day (Hi John !), and is still carrying the occassional post of interest to his day. In this instance, an interesting post on abusing Microsoft PlayReady content protection DRM of the CANAL+ SAT TV provider. Sounds oldskool ? Yes it is.

• CISA vulnerability summary for the week of December 5th has been released at https://www.cisa.gov/uscert/ncas/bulletins/sb22-346

Tools

• WaveDrom is a nice little Javascript appliction which renders Digital Timing Diagrams from a JSON-like input format. It looks good !

  

  

• More Linux kernel goodness with the introduction of the Linux Kernel Memory Sanitizer, aimed at discovering errors when unitialized values are being used. Docs @ https://docs.kernel.org/next/dev-tools/kmsan.html

• With SBOMs being all the rage, Google is making a contribution in the form of OSV-scanner, a scanner which checks your code and dependencies for known vulnerabilities. Some places like Github do similar things for hosted repos. Sorry Synopsys Black Duck and other commercial offerings, I guess you knew this day was coming.

• Mentioning ChatGPT twice in a single newsletter ? I fear someone willl definitely be docking points from my street cred now. But a few people have created interesting experiments in using ChatGPT to explain assembly code and functions in the Import Address Table of PE files in human words, compared to, well, the things we usually stare at on a daily basis. Give it a go.

  • https://github.com/JusticeRage/Gepetto

  • https://github.com/MayerDaniel/ida_gpt

  • https://github.com/fr0gger/IATelligence

Bits and Pieces

• Did you know you can download the full CVE list in multiple formats for your data manipulation pleasure ? You can find them at https://cve.mitre.org/data/downloads/index.html

Till next time,

Thierry

---

---