Stuff for the Stash, Week 6-8
Tales from the grab bag with too many things to list on automotive, cryptography, reversing, secure coding and breaking it, some really cool papers, and more !
Hi everyone and welcome to this new extra-large edition of Stuff for the Stash, your semi-regular update of internet things that made it on to my list of interesting things .
Let’s dive right in !
Articles and other News
Mercedes-Benz announces that it plans to develop its in-house vehicle operating system named MB.OS. The scope of it is very broad, from partnering with Google to supply maps functionality and other things, to partnering with NVIDIA to use its ORIN SoC to support SAE Level 3 automated driving. It would be interesting to learn more about the entire technology stack, but as it will be a proprietary system, I suspect not a whole lot might become known anytime soon. Did I say I would like to work on this ? You’re right, I wouldn’t mind working on this. Not to convinced about it supporting Youtube though…
NIST announced Ascon, which will be published by NIST as their lightweight cryptography standard later this year, for use in small devices such as sensors, actuators etc. More details are at https://ascon.iaik.tugraz.at/index.html
One of the commonly used terms in AI discussions today is “Prompt Engineering”. Well, someone has started collecting a huge collection of resources on exactly this topic in the Prompt Engineering Guide. From my perspective, I have not yet fully come to terms on whether prompt engineering can be considered a form of security vulnerability ? On the one side, you could argue that it is a form of perturbation attack where an attacker modifies queries such that you get the wanted response, which I would consider a valid concern in the context of a classification system. In the context of a Large Language Model or Image diffusion model, you could however argue that this is just pro-user behavior, where more precise outcomes are generated with more precise “prompt engineering”. I’d love to hear more perspectives on this! (and yes, this substack has a comment section)
Did you always want to understand the X64 stack better and understand what fancy terms like non-leaf functions, register homing and stack unwinding were about ? Look no further.
Kevin Thomas has made a great contribution by releasing extensive but easy to follow reverse engineering tutorials for common architectures.
Joren Garenar published a post on “Few lesser known tricks, quirks and features of C” to which the reaction of a dear friend with whom I shared this was “you live, you learn, you cry in horror”. If that didn’t make you read it, you should reconsider.
An Open Source book by ARM about Low-level Software Security for Compiler Developers covering memory vulnerabilities, covert and side-channels, supply chain security and physical attacks.
When you come across a function which uses java.util.Random, what do you do ? Well, you explore how vulnerable it _really_ is, you build a tool to crack it, and release the entire thing for the benefit of everyone of course ! Amazing work as usual from the gang at elttam. Write up at Cracking Randomness in Java.
Recently, U-Boot started developing support for remote booting using HTTP. Even more recently, someone broke it with a straight stack smash. U-Boot HTTP client
An article looking at Hardware Trojans under a microscope, introducing netlists, die preparations, electron microscope images, and circuit testing.
Papers
Sometimes you have a day where you feel you’ve been inside your bubble for too long and no longer know what’s happening outside of it, and I definitely had that feeling when I came across the new paper “CODAMOSA: Escaping Coverage Plateaus in Test Generation with Pre-trained Large Language Models“ from Caroline Lemieux et al.
In layman’s terms, can large language models of a codebase be used to improve fuzzing coverage for “hard to hit” areas by automatically generating test cases? The answer seems to point towards a yes. The code is here.
Search-based software testing (SBST) generates high-coverage test cases for programs under test with a combi-nation of test case generation and mutation. SBST’s performance relies on there being a reasonable probability of generating test cases that exercise the core logic of the program under test. Given such test cases, SBST can then explore the space around them to exercise various parts of the program. This paper explores whether Large Language Models (LLMs) of code, such as OpenAI’s Codex, can be used to help SBST’s exploration. Our proposed algorithm, CODAMOSA, conducts SBST until its coverage improvements stall, then asks Codex to provide example
test cases for under-covered functions. These examples help SBST redirect its search to more useful areas of the search space. On an evaluation over 486 benchmarks, CODAMOSA achieves statistically significantly higher coverage on many more benchmarks (173 and 279) than it reduces coverage on (10 and 4), compared to SBST and LLM-only baselines.
Fixing Hardware Security Bugs with Large Language Models
In this work we consider how LLMs maybe leveraged to automatically repair security relevant bugs present in hardware designs. We focus on bug repair in code written in the Hardware Description Language Verilog. For this study we build a corpus of domain-representative hardware security bugs. We then design and implement a framework to quantitatively evaluate the performance of any LLM tasked with fixing the specified bugs. The framework supports design space exploration of prompts (i.e., prompt engineering) and identifying the best parameters for the LLM. We show that an ensemble of LLMs can repair all ten of our benchmarks. This ensemble outperforms the state-of-the-art Cirfix hardware bug repair tool on its own suite of bugs. These results show that LLMs can repair hardware security bugs and the framework is an important step towards the ultimate goal of an automated end-to-end bug repair framework.
Oops..! I Glitched It Again! How to Multi-Glitch the Glitching-Protections on ARM TrustZone-M
[…] only recently, individual chip manufacturers have started to respond to this threat by integrating countermeasures in their products. Generally, these countermeasures aim at protecting against single fault injection (SFI) attacks, since Multiple Fault Injection (MFI) is believed to be challenging and sometimes even impractical. In this paper, we present {\mu}-Glitch, the first Voltage Fault Injection (VFI) platform which is capable of injecting multiple, coordinated voltage faults into a target device, requiring only a single trigger signal. We provide a novel flow for Multiple Voltage Fault Injection (MVFI) attacks to significantly reduce the search complexity for fault parameters, as the search space increases exponentially with each additional fault injection. We evaluate and showcase the effectiveness and practicality of our attack platform on four real-world chips, featuring TrustZone-M: The first two have interdependent backchecking mechanisms, while the second two have additionally integrated countermeasures against fault injection. Our evaluation revealed that {\mu}-Glitch can successfully inject four consecutive faults within an average time of one day. Finally, we discuss potential countermeasures to mitigate VFI attacks and additionally propose two novel attack scenarios for MVFI.
Cyber-Resilience Approaches for Cyber-Physical Systems
In this article, we create a systematization of knowledge about existing scientific efforts of making CPS cyber-resilient. We systematically survey recent literature addressing cyber-resilience with a focus on techniques that may be used on CPS. We first provide preliminaries and background on CPS and threats, and subsequently survey state-of-the-art approaches that have been proposed by recent research work applicable to CPS. In particular, we aim at differentiating research work from traditional risk management approaches, based on the general acceptance that it is unfeasible to prevent and mitigate all possible risks threatening a CPS. We also discuss questions and research challenges, with a focus on the practical aspects of cyber-resilience, such as the use of metrics and evaluation methods, as well as testing and validation environments.
GPS-Spoofing Attack Detection Mechanism for UAV Swarms
In this study, we propose a GPS spoofing detection mechanism capable of detecting single-transmitter and multi-transmitter GPS spoofing attacks to prevent the outcomes mentioned above. Our detection mechanism is based on comparing the distance between each two swarm members calculated from their GPS coordinates to the distance acquired from Impulse Radio Ultra-Wideband ranging between the same swarm members. If the difference in distances is larger than a chosen threshold the GPS spoofing attack is declared detected.
End-to-End Security for Distributed Event-Driven Enclave Applications on Heterogeneous TEEs
We build upon and extend security primitives provided by Trusted Execution Environments (TEEs) to guarantee authenticity and integrity properties of applications, and to secure control of input and output devices. More specifically, we guarantee that if an output is produced by the application, it was allowed to be produced by the application's source code based on an authentic trace of inputs.
We present an integrated open-source framework to develop, deploy, and use such applications across heterogeneous TEEs. Beyond authenticity and integrity, our framework optionally provides confidentiality and a notion of availability, […]Recent Advances in the Internet of Medical Things (IoMT) Systems Security
In this paper, we present state-of-the-art techniques to secure IoMT systems' data during collection, transmission, and storage. We comprehensively overview IoMT systems' potential attacks, including physical and network attacks. Our findings reveal that most security techniques do not consider various types of attacks. Hence, we propose a security framework that combines several security techniques. The framework covers IoMT security requirements and can mitigate most of its known attacks.
Systematically Finding Security Vulnerabilities in Black-Box Code Generation Models
In this work, we propose the first approach to automatically finding security vulnerabilities in black-box code generation models. To achieve this, we propose a novel black-box inversion approach based on few-shot prompting. We evaluate the effectiveness of our approach by examining code generation models in the generation of high-risk security weaknesses. We show that our approach automatically and systematically finds 1000s of security vulnerabilities in various code generation models, including the commercial black-box model GitHub Copilot.
Security of IT/OT Convergence: Design and Implementation Challenges
The Industrial Internet of things is a sub-domain of IoT and serves as enablers of the industry. IIoT is providing valuable services to Industrial Control Systems such as logistics, manufacturing, healthcare, industrial surveillance, and others. Although IIoT service-offering to ICS is tempting, it comes with greater risk. ICS systems are protected by isolation and creating an air-gap to separate their network from the outside world. While IIoT by definition is a device that has connection ability. This creates multiple points of entry to a closed system. In this study, we examine the first automated risk assessment system designed specifically to deal with the automated risk assessment and defining potential threats associated with IT/OT convergence based on OCTAVE Allegro- ISO/IEC 27030 Frameworks.
Vulnerabilities
Otoro publishes a whitepaper describing some vulnerabilities they have found in IIoT equipment.
Tools
auto-fuzz, part of Fuzz Introspector, works provides auto-generation capabilities of fuzzers, which is an interesting idea. Input a Github repository, output a set of custom fuzzers for the target. I’m sure it has a long way to go, but interesting idea nonetheless.
A new active Bluetooth BR/EDR sniffer and injector framework is something which gets my attention every day, and this time it runs of very cheap ESP32 boards. Definitely to be tried out !
Policy
The ISO24089 - Road Vehicles — Software update engineering standard has been published. And while most security-specific topics are off-loaded onto ISO21434, it is still a good read for anyone involved in the automotive industry. And while it does not make an explicit reference to the UNECE R.156 standard, it does cover the same topic.
Bits and Pieces
This is a Stuff for the Stash post, where I share interesting things I have encountered on a wide variety of topics related to low-level security and cyber-physical systems.
You receive this email because at one point you have subscribed to this publication, and I deeply appreciate that. If you feel this information could be interesting to others, feel free to share !