0
00:00:00,000 --> 00:00:30,000
Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/845 Thanks!

1
00:00:15,680 --> 00:00:17,869
Hello. So we're ready to start.

2
00:00:20,630 --> 00:00:22,759
It's my pleasure to introduce to

3
00:00:22,760 --> 00:00:24,889
you Jos Wetzels and

4
00:00:24,890 --> 00:00:26,420
Ali Abbasi

5
00:00:28,280 --> 00:00:30,379
with Taking a Scalpel to

6
00:00:30,380 --> 00:00:32,899
QNX, you'll get a deep dive

7
00:00:32,900 --> 00:00:35,149
analysis of the QNX operating

8
00:00:35,150 --> 00:00:36,169
system.

9
00:00:36,170 --> 00:00:38,299
And with that, I will just

10
00:00:38,300 --> 00:00:39,679
give it straight over to you.

11
00:00:39,680 --> 00:00:41,309
Thanks. All right.

12
00:00:41,310 --> 00:00:43,459
Thanks for that great round

13
00:00:43,460 --> 00:00:44,460
of applause.

14
00:00:49,020 --> 00:00:50,819
All right, so welcome, everybody, to the

15
00:00:50,820 --> 00:00:53,429
talk Taking a Scalpel to QNX, analyzing

16
00:00:53,430 --> 00:00:55,209
and breaking exploit mitigations and

17
00:00:55,210 --> 00:00:58,019
PRNGs on QNX 6 and 7.

18
00:00:58,020 --> 00:00:59,369
My name is Jos Wetzels and I'm

19
00:00:59,370 --> 00:01:00,689
currently an independent security

20
00:01:00,690 --> 00:01:02,189
researcher with Midnight Blue, where I

21
00:01:02,190 --> 00:01:03,899
mainly focus on embedded systems

22
00:01:03,900 --> 00:01:04,919
security.

23
00:01:04,920 --> 00:01:06,389
I previously worked as a security

24
00:01:06,390 --> 00:01:08,009
researcher at the University of Twente,

25
00:01:08,010 --> 00:01:09,209
where I focused on critical

26
00:01:09,210 --> 00:01:10,769
infrastructure protection.
27
00:01:10,770 --> 00:01:12,299
And most of this work was part of my

28
00:01:12,300 --> 00:01:14,429
master's thesis at the University of

29
00:01:14,430 --> 00:01:15,430
Technology.

30
00:01:16,470 --> 00:01:18,659
Hi, my name is Ali.

31
00:01:18,660 --> 00:01:21,209
I'm a student at Eindhoven University

32
00:01:21,210 --> 00:01:23,729
of Technology and a visiting researcher

33
00:01:23,730 --> 00:01:25,739
at the Chair for Systems Security at Ruhr

34
00:01:25,740 --> 00:01:27,660
University here in Germany.

35
00:01:28,860 --> 00:01:31,349
My research is mostly related to

36
00:01:31,350 --> 00:01:33,479
binary security and programmable logic

37
00:01:33,480 --> 00:01:34,500
controller security.

38
00:01:35,940 --> 00:01:37,499
All right. So we'll start this

39
00:01:37,500 --> 00:01:39,689
presentation with an introduction to QNX

40
00:01:39,690 --> 00:01:41,459
and discussing the general operating

41
00:01:41,460 --> 00:01:43,649
system and security architecture before

42
00:01:43,650 --> 00:01:45,419
moving on to discussing the pseudo random

43
00:01:45,420 --> 00:01:47,019
number generators and the exploit

44
00:01:47,020 --> 00:01:48,659
mitigations themselves and finishing off

45
00:01:48,660 --> 00:01:49,859
with some final remarks.

46
00:01:51,180 --> 00:01:52,709
So what is QNX?

47
00:01:52,710 --> 00:01:54,779
QNX is a Unix-like, POSIX-compliant,

48
00:01:54,780 --> 00:01:56,579
embedded, realtime operating system, it's

49
00:01:56,580 --> 00:01:58,439
closed source and proprietary.

50
00:01:58,440 --> 00:02:00,509
It was initially released in 1982, so

51
00:02:00,510 --> 00:02:02,639
it's quite old and was later acquired by

52
00:02:02,640 --> 00:02:04,919
BlackBerry. QNX versions up to

53
00:02:04,920 --> 00:02:07,169
and including 6.6 are 32-bit

54
00:02:07,170 --> 00:02:08,129
operating systems.
55
00:02:08,130 --> 00:02:10,499
But as of QNX 7, which was released

56
00:02:10,500 --> 00:02:12,689
in March of this year, it's a 64-bit

57
00:02:12,690 --> 00:02:14,309
operating system.

58
00:02:14,310 --> 00:02:15,899
It's most famously known for its use in

59
00:02:15,900 --> 00:02:17,999
various mobile devices because it

60
00:02:18,000 --> 00:02:19,619
underpins the BlackBerry 10 operating

61
00:02:19,620 --> 00:02:21,299
system as well as the BlackBerry tablet

62
00:02:21,300 --> 00:02:22,559
operating system.

63
00:02:22,560 --> 00:02:24,389
But really, this is only the tip of the

64
00:02:24,390 --> 00:02:26,849
iceberg of QNX usage, because especially

65
00:02:26,850 --> 00:02:28,679
these days, it's far more prominent in

66
00:02:28,680 --> 00:02:30,779
automotive systems, especially

67
00:02:30,780 --> 00:02:31,979
in infotainment systems.

68
00:02:31,980 --> 00:02:33,569
It holds more than 50 percent of the

69
00:02:33,570 --> 00:02:35,699
market share and it's set to be used in

70
00:02:35,700 --> 00:02:37,889
various self-driving car initiatives.

71
00:02:37,890 --> 00:02:39,689
For example, Delphi Automotive has

72
00:02:39,690 --> 00:02:41,939
partnered with BlackBerry to use QNX

73
00:02:41,940 --> 00:02:43,889
as the basis of its self-driving car

74
00:02:43,890 --> 00:02:46,019
initiative. So that's very interesting

75
00:02:46,020 --> 00:02:47,250
from a security point of view.

76
00:02:48,750 --> 00:02:51,149
Second, very famous use of QNX is in

77
00:02:51,150 --> 00:02:53,159
Cisco routers like the CRS series,

78
00:02:53,160 --> 00:02:55,799
the 12000 series, the ASR series.

79
00:02:55,800 --> 00:02:57,689
And here QNX is used to underpin

80
00:02:57,690 --> 00:02:59,849
Cisco's IOS XR operating system,

81
00:02:59,850 --> 00:03:02,189
as you can see on the right of the slide.
82
00:03:02,190 --> 00:03:03,779
And that, again, makes for all the

83
00:03:03,780 --> 00:03:05,249
obvious reasons, for an interesting

84
00:03:05,250 --> 00:03:06,250
security target.

85
00:03:07,320 --> 00:03:08,969
It's used in many, many more critical

86
00:03:08,970 --> 00:03:10,679
systems. These are just two examples.

87
00:03:10,680 --> 00:03:12,179
You can find it in industrial control

88
00:03:12,180 --> 00:03:14,339
systems like the nuclear power plants of

89
00:03:14,340 --> 00:03:16,439
Westinghouse, surface mining

90
00:03:16,440 --> 00:03:18,779
control, turbine controllers, and

91
00:03:18,780 --> 00:03:21,029
various military systems such as oves

92
00:03:21,030 --> 00:03:23,369
or military radios, anti-tank guidance

93
00:03:23,370 --> 00:03:25,589
systems, medical systems, railway

94
00:03:25,590 --> 00:03:26,549
safety, you name it.

95
00:03:26,550 --> 00:03:28,829
So the security implications are obvious,

96
00:03:28,830 --> 00:03:29,830
I'd say.

97
00:03:31,140 --> 00:03:33,149
Last year, some people might remember, we

98
00:03:33,150 --> 00:03:35,009
also gave a talk which covered some of

99
00:03:35,010 --> 00:03:35,929
this subject matter,

100
00:03:35,930 --> 00:03:37,799
called Wheel of Fortune, and here we

101
00:03:37,800 --> 00:03:40,259
focused on PRNG issues in VxWorks,

102
00:03:40,260 --> 00:03:42,199
a redacted OS, which we can't name for

103
00:03:42,200 --> 00:03:44,369
NDA reasons, and QNX versions

104
00:03:44,370 --> 00:03:46,139
up to and including 6.6.

105
00:03:46,140 --> 00:03:48,029
So in this talk, we'll discuss a lot of

106
00:03:48,030 --> 00:03:49,139
different stuff.
107
00:03:49,140 --> 00:03:50,759
We'll discuss the new

108
00:03:50,760 --> 00:03:53,159
userspace and kernel space PRNGs of QNX

109
00:03:53,160 --> 00:03:54,899
7 and focus on the exploit

110
00:03:54,900 --> 00:03:56,789
mitigations of QNX 6 and 7, which

111
00:03:56,790 --> 00:03:58,020
haven't been discussed before.

112
00:03:59,580 --> 00:04:01,739
So I hereby hand the introduction to the

113
00:04:01,740 --> 00:04:03,689
OS and security architecture to Ali.

114
00:04:06,390 --> 00:04:08,759
So, OS and security architecture.

115
00:04:09,900 --> 00:04:12,239
QNX is a microkernel, a true

116
00:04:12,240 --> 00:04:13,379
microkernel.

117
00:04:13,380 --> 00:04:15,989
So what it means, it means that basically

118
00:04:15,990 --> 00:04:17,729
most of the components of the operating

119
00:04:17,730 --> 00:04:19,799
system within the kernel will be

120
00:04:19,800 --> 00:04:21,898
out of the kernel. Things

121
00:04:21,899 --> 00:04:23,969
which you expect to be in the kernel are

122
00:04:23,970 --> 00:04:26,369
not any more there. So things

123
00:04:26,370 --> 00:04:28,499
like filesystem, stuff

124
00:04:28,500 --> 00:04:30,180
like device drivers,

125
00:04:31,230 --> 00:04:33,509
well, protocol stacks,

126
00:04:33,510 --> 00:04:35,639
all of them are actually located outside

127
00:04:35,640 --> 00:04:36,659
of the kernel.

128
00:04:36,660 --> 00:04:38,969
And what you will have is just really

129
00:04:38,970 --> 00:04:41,159
tiny, tiny microkernel

130
00:04:41,160 --> 00:04:43,289
which have

131
00:04:43,290 --> 00:04:45,359
some benefits. So for example,

132
00:04:46,530 --> 00:04:48,659
the biggest one is actually

133
00:04:48,660 --> 00:04:50,639
the higher reliability for the operating

134
00:04:50,640 --> 00:04:52,739
system because there are less

135
00:04:52,740 --> 00:04:55,199
chances for the buggy implementation,

136
00:04:55,200 --> 00:04:57,039
which cause a crash in operating the

137
00:04:57,040 --> 00:04:58,679
entire operating system.

138
00:04:58,680 --> 00:05:00,839
But also it

139
00:05:00,840 --> 00:05:03,329
will provide something we call

140
00:05:03,330 --> 00:05:05,489
less surface for hackers

141
00:05:05,490 --> 00:05:08,039
to hang on. And it's because

142
00:05:08,040 --> 00:05:10,829
there will be a smaller surface

143
00:05:10,830 --> 00:05:12,959
for attackers to target the kernel or

144
00:05:12,960 --> 00:05:14,219
the microkernel.

145
00:05:14,220 --> 00:05:16,439
So it will help some

146
00:05:16,440 --> 00:05:18,689
microkernel, generally micro

147
00:05:18,690 --> 00:05:21,479
kernel operating systems to get higher

148
00:05:21,480 --> 00:05:24,029
EAL levels from NSA or

149
00:05:24,030 --> 00:05:26,489
other certification bodies.

150
00:05:26,490 --> 00:05:28,619
So that's micro

151
00:05:28,620 --> 00:05:31,199
kernel. But how

152
00:05:31,200 --> 00:05:32,939
then when you are putting all of these

153
00:05:32,940 --> 00:05:35,429
components outside, outside of

154
00:05:35,430 --> 00:05:37,619
the kernel or in a microkernel,

155
00:05:37,620 --> 00:05:39,299
how then they are actually going to

156
00:05:39,300 --> 00:05:41,879
communicate, how they are going to work?

157
00:05:41,880 --> 00:05:44,159
So what you will have here

158
00:05:44,160 --> 00:05:46,379
like is a message

159
00:05:46,380 --> 00:05:48,189
passing in the end.
160
00:05:48,190 --> 00:05:50,259
Specifically, which

161
00:05:50,260 --> 00:05:51,549
the functionality where

162
00:05:52,670 --> 00:05:54,789
I assume a program like a like

163
00:05:54,790 --> 00:05:57,399
a network communication,

164
00:05:57,400 --> 00:05:59,289
so it will be very similar to the network

165
00:05:59,290 --> 00:06:01,359
communication. So what you will have is

166
00:06:01,360 --> 00:06:03,489
that an application in the user

167
00:06:03,490 --> 00:06:05,769
space wants to communicate, let's

168
00:06:05,770 --> 00:06:06,879
say, filesystem.

169
00:06:06,880 --> 00:06:09,189
So how does it send

170
00:06:09,190 --> 00:06:11,499
a message to the microkernel

171
00:06:11,500 --> 00:06:13,359
which the microkernel would pass to the

172
00:06:13,360 --> 00:06:15,129
target application?

173
00:06:15,130 --> 00:06:17,139
So let's say filesystem and the

174
00:06:17,140 --> 00:06:19,029
filesystem respond and this message will

175
00:06:19,030 --> 00:06:21,159
be then passed to the

176
00:06:21,160 --> 00:06:21,759
application.

177
00:06:21,760 --> 00:06:24,339
So that's the message passing, message

178
00:06:24,340 --> 00:06:26,349
box basically. And the microkernel,

179
00:06:26,350 --> 00:06:28,329
basically the task of microkernel

180
00:06:28,330 --> 00:06:30,399
basically is to forward

181
00:06:30,400 --> 00:06:33,159
these messages to the other components.

182
00:06:33,160 --> 00:06:36,039
But one interesting thing about

183
00:06:36,040 --> 00:06:38,259
QNX specifically is that this

184
00:06:38,260 --> 00:06:40,419
kind, this architecture combined with

185
00:06:40,420 --> 00:06:42,969
something called Qnet in QNX,

186
00:06:42,970 --> 00:06:44,739
provide a functionality where you can

187
00:06:44,740 --> 00:06:46,809
have multiple, multiple channels

188
00:06:46,810 --> 00:06:48,669
running and talking with each other.
189
00:06:48,670 --> 00:06:50,649
So let's say they can actually, two QNX

190
00:06:50,650 --> 00:06:52,839
units, two microkernels, can

191
00:06:52,840 --> 00:06:55,419
have like a talk over

192
00:06:55,420 --> 00:06:57,579
Ethernet, which

193
00:06:57,580 --> 00:06:59,619
provide greater functionalities, for

194
00:06:59,620 --> 00:07:00,910
example, for networking

195
00:07:02,470 --> 00:07:03,879
or network communications.

196
00:07:05,350 --> 00:07:07,689
Beside that, actually, QNX also supports

197
00:07:07,690 --> 00:07:11,079
syscalls, but it's not as big as,

198
00:07:11,080 --> 00:07:12,819
well, generally, in Linux, where you have

199
00:07:12,820 --> 00:07:15,009
more than 300 syscalls, but it's like

200
00:07:15,010 --> 00:07:16,010
less than 90

201
00:07:17,170 --> 00:07:19,269
and also QNX is

202
00:07:19,270 --> 00:07:21,100
POSIX compatible meaning that

203
00:07:22,150 --> 00:07:24,609
you can have those standard libc

204
00:07:24,610 --> 00:07:26,169
functions, which you write in your code.

205
00:07:26,170 --> 00:07:28,629
But here you are using

206
00:07:28,630 --> 00:07:31,599
a specific QNX compiler

207
00:07:31,600 --> 00:07:33,789
and then this compiler converts

208
00:07:33,790 --> 00:07:36,789
these libc functions

209
00:07:36,790 --> 00:07:39,249
to message passing

210
00:07:39,250 --> 00:07:40,250
stubs basically.

211
00:07:43,440 --> 00:07:46,139
Regarding the memory layout, so

212
00:07:46,140 --> 00:07:48,269
you will have kernel space and

213
00:07:48,270 --> 00:07:50,339
user space, but the only thing which

214
00:07:50,340 --> 00:07:52,919
is remaining or stays at the kernel

215
00:07:52,920 --> 00:07:55,439
space is the microkernel itself.

216
00:07:55,440 --> 00:07:58,319
And basically also

217
00:07:58,320 --> 00:08:00,599
there will be userspace separation.
218
00:08:00,600 --> 00:08:02,729
So it means that there

219
00:08:02,730 --> 00:08:05,129
is no possibility for some processes

220
00:08:05,130 --> 00:08:07,229
within the within the user space to

221
00:08:07,230 --> 00:08:09,329
just, like, touch each

222
00:08:09,330 --> 00:08:11,669
other, for example, because some

223
00:08:11,670 --> 00:08:13,709
of them are sensitive. So basically, QNX

224
00:08:13,710 --> 00:08:16,319
provide a virtual private memory support

225
00:08:16,320 --> 00:08:18,809
via a memory management unit.

226
00:08:18,810 --> 00:08:21,089
But also QNX provides Unix-

227
00:08:21,090 --> 00:08:23,649
like process access control, which

228
00:08:23,650 --> 00:08:24,650
we'll talk about later.

229
00:08:26,600 --> 00:08:28,699
With respect to QNX memory

230
00:08:28,700 --> 00:08:31,159
layouts, if you look at the userspace

231
00:08:31,160 --> 00:08:33,649
part, there's not that much significant

232
00:08:33,650 --> 00:08:35,689
difference than the stuff we know in

233
00:08:35,690 --> 00:08:36,689
other operating systems.

234
00:08:36,690 --> 00:08:38,989
So you will have program image and

235
00:08:40,309 --> 00:08:42,408
basically ELF, there in a microkernel

236
00:08:42,409 --> 00:08:43,548
basically loaded.

237
00:08:43,549 --> 00:08:45,379
And then you have like your shared object

238
00:08:45,380 --> 00:08:48,049
or dynamic libraries, which which

239
00:08:48,050 --> 00:08:49,669
will be loaded by the dynamic linker.

240
00:08:51,170 --> 00:08:53,149
However, in the kernel space, one thing

241
00:08:53,150 --> 00:08:54,859
which is interesting is that all of the

242
00:08:54,860 --> 00:08:56,929
addresses, like basically the address,

243
00:08:56,930 --> 00:08:58,909
the base address of the microkernel

244
00:08:58,910 --> 00:09:01,339
starts at a static

245
00:09:01,340 --> 00:09:03,739
location or a static address

246
00:09:03,740 --> 00:09:06,469
and per CPU you will have

247
00:09:06,470 --> 00:09:07,470
different stack.
248
00:09:10,870 --> 00:09:12,639
So now let's look at the process

249
00:09:12,640 --> 00:09:15,099
management, so process

250
00:09:15,100 --> 00:09:16,380
management is a little bit

251
00:09:17,440 --> 00:09:19,569
different, so let's say there is

252
00:09:19,570 --> 00:09:21,849
a process called procnto, which,

253
00:09:21,850 --> 00:09:23,769
which is basically process manager, but

254
00:09:23,770 --> 00:09:26,649
part of it is located at the microkernel,

255
00:09:26,650 --> 00:09:28,869
but other part of it is located at

256
00:09:28,870 --> 00:09:30,039
the user space.

257
00:09:30,040 --> 00:09:31,509
So the process manager is actually

258
00:09:31,510 --> 00:09:33,779
running by root's process like

259
00:09:33,780 --> 00:09:34,749
the one.

260
00:09:34,750 --> 00:09:37,209
And basically it

261
00:09:37,210 --> 00:09:39,309
invokes the microkernel the same

262
00:09:39,310 --> 00:09:41,529
as the same way as other processes.

263
00:09:41,530 --> 00:09:43,659
But the only difference here is that it

264
00:09:43,660 --> 00:09:45,849
have a flag in

265
00:09:45,850 --> 00:09:48,369
ring zero, which

266
00:09:48,370 --> 00:09:49,989
provides ring zero privilege

267
00:09:51,970 --> 00:09:53,059
for procnto. And I said,

268
00:09:54,100 --> 00:09:56,569
uh, beside that, as we said before,

269
00:09:56,570 --> 00:09:58,879
they actually support the usual POSIX

270
00:09:58,880 --> 00:10:01,029
stuff, fork, spawn, all

271
00:10:01,030 --> 00:10:02,109
of them are provided.

272
00:10:02,110 --> 00:10:05,379
Also, as I said before, QNX actually

273
00:10:05,380 --> 00:10:08,109
uses ELF format files.
274
00:10:08,110 --> 00:10:09,849
But here's the interesting thing is that

275
00:10:09,850 --> 00:10:11,979
if the file system is on a block-

276
00:10:11,980 --> 00:10:13,989
oriented device, then the code and data

277
00:10:13,990 --> 00:10:16,059
are actually loaded into the

278
00:10:16,060 --> 00:10:18,189
main memory, while if a file

279
00:10:18,190 --> 00:10:20,379
system is actually memory mapped,

280
00:10:20,380 --> 00:10:22,599
code then can be executed

281
00:10:22,600 --> 00:10:24,879
in place. So basically multiple instances

282
00:10:24,880 --> 00:10:26,830
of the same process share code memory.

283
00:10:29,190 --> 00:10:30,190
Also

284
00:10:31,320 --> 00:10:33,419
provide some sandboxing, so it's

285
00:10:33,420 --> 00:10:35,519
provided it's provided via the

286
00:10:35,520 --> 00:10:37,289
procmgr_ability, similar to

287
00:10:37,290 --> 00:10:39,419
Linux's capabilities,

288
00:10:39,420 --> 00:10:41,609
so you can obtain

289
00:10:41,610 --> 00:10:43,259
capabilities before dropping root and

290
00:10:43,260 --> 00:10:45,539
also restrict certain actions even for

291
00:10:45,540 --> 00:10:47,999
the user or root process.

292
00:10:48,000 --> 00:10:50,609
But these abilities are like significantly

293
00:10:50,610 --> 00:10:51,809
like Beeks.

294
00:10:51,810 --> 00:10:53,879
So you have domain range,

295
00:10:53,880 --> 00:10:56,909
like being locked on Luxo,

296
00:10:56,910 --> 00:10:58,699
you name it. All of them are actually

297
00:10:58,700 --> 00:11:00,839
similar to Linux. But hey,

298
00:11:00,840 --> 00:11:03,239
here, it depends on system

299
00:11:03,240 --> 00:11:05,399
integrators and how they are going to

300
00:11:05,400 --> 00:11:06,959
implement it. It's not a problem of the

301
00:11:06,960 --> 00:11:09,119
operating system, but it's it

302
00:11:09,120 --> 00:11:11,249
will be depending on the

303
00:11:11,250 --> 00:11:12,869
system integrators, how you are going to

304
00:11:12,870 --> 00:11:14,870
use these these functionalities.

305
00:11:18,170 --> 00:11:20,209
Also, QNX actually supports usual

306
00:11:20,210 --> 00:11:22,549
stuff so like with respect to user

307
00:11:22,550 --> 00:11:25,069
management, so you have /etc/passwd

308
00:11:25,070 --> 00:11:26,839
file, shadow,

309
00:11:26,840 --> 00:11:28,939
/etc/group and also usual

310
00:11:28,940 --> 00:11:31,070
utilities such as login, su

311
00:11:32,120 --> 00:11:34,159
and also it support mandatory access

312
00:11:34,160 --> 00:11:35,160
controls

313
00:11:36,830 --> 00:11:38,749
with respect to hashing mechanism for

314
00:11:38,750 --> 00:11:39,979
passwords.

315
00:11:39,980 --> 00:11:42,289
Well, QNX basically

316
00:11:42,290 --> 00:11:45,349
supports SHA-256

317
00:11:45,350 --> 00:11:47,299
and by default 512.

318
00:11:47,300 --> 00:11:49,819
However, it actually has backward

319
00:11:49,820 --> 00:11:52,499
compatibility with MD5

320
00:11:52,500 --> 00:11:53,659
encryption.

321
00:11:53,660 --> 00:11:55,999
So which are, of course,

322
00:11:56,000 --> 00:11:58,999
or basically if one can crack

323
00:11:59,000 --> 00:12:00,979
those devices which have like they're

324
00:12:00,980 --> 00:12:03,049
like for let's say they could be

325
00:12:03,050 --> 00:12:05,239
passwords based on MD5 or

326
00:12:05,240 --> 00:12:07,639
DES, then they might

327
00:12:07,640 --> 00:12:09,709
be able to crack it. Then once somebody can

328
00:12:09,710 --> 00:12:11,839
crack it, then they have a

329
00:12:11,840 --> 00:12:13,999
long shelf life for attackers

330
00:12:14,000 --> 00:12:15,000
to use it.

331
00:12:15,620 --> 00:12:17,839
But well things are much better
332
00:12:17,840 --> 00:12:19,069
in QNX 7.

333
00:12:19,070 --> 00:12:21,259
So and of course patched QNX six

334
00:12:21,260 --> 00:12:22,189
point six.

335
00:12:22,190 --> 00:12:24,349
So they are basically using CDV

336
00:12:24,350 --> 00:12:26,539
to uh

337
00:12:26,540 --> 00:12:28,729
and with the SHA

338
00:12:28,730 --> 00:12:30,650
512 as default.

339
00:12:31,990 --> 00:12:34,419
So looking at the history of the

340
00:12:34,420 --> 00:12:35,529
security of QNX,

341
00:12:37,150 --> 00:12:39,099
majority of research actually done by

342
00:12:39,100 --> 00:12:41,409
BlackBerry mobile usage, which is owner

343
00:12:41,410 --> 00:12:43,929
of QNX from 2011

344
00:12:43,930 --> 00:12:46,209
to 2014, and also very,

345
00:12:46,210 --> 00:12:48,279
very interesting talk in 2016

346
00:12:48,280 --> 00:12:50,589
by Alex Plaskett

347
00:12:50,590 --> 00:12:53,079
about process communication

348
00:12:53,080 --> 00:12:55,389
in QNX space and kernel calls.

349
00:12:55,390 --> 00:12:56,889
I recommend you to watch that.

350
00:12:57,940 --> 00:13:00,279
And there were also various

351
00:13:00,280 --> 00:13:02,349
individual vulnerabilities from 2000 to

352
00:13:02,350 --> 00:13:03,909
2008.

353
00:13:03,910 --> 00:13:06,579
But the most interesting part is

354
00:13:06,580 --> 00:13:09,039
the leaks from WikiLeaks

355
00:13:09,040 --> 00:13:11,199
named Vault 7, which

356
00:13:11,200 --> 00:13:13,539
was showing US

357
00:13:13,540 --> 00:13:15,459
Central Intelligence Agency, were

358
00:13:15,460 --> 00:13:17,649
interested in targeting, well,

359
00:13:17,650 --> 00:13:20,109
embedded development branch of the CIA,

360
00:13:20,110 --> 00:13:22,809
were interested in targeting QNX,

361
00:13:24,460 --> 00:13:26,989
which they didn't do yet until 2014.

362
00:13:26,990 --> 00:13:28,959
But we don't know after that.
363
00:13:28,960 --> 00:13:31,029
So basically, there were no no prior

364
00:13:31,030 --> 00:13:33,219
work on exploit mitigation

365
00:13:33,220 --> 00:13:34,809
completely. So this will be the first

366
00:13:34,810 --> 00:13:37,419
time we are going to talk about it.

367
00:13:37,420 --> 00:13:39,549
And also with the Orange Report,

368
00:13:39,550 --> 00:13:41,649
we talked about PRNG of six point

369
00:13:41,650 --> 00:13:44,109
six, but here

370
00:13:44,110 --> 00:13:46,749
I will talk about QNX 7 PRNG

371
00:13:46,750 --> 00:13:48,639
implementation, both user space and

372
00:13:48,640 --> 00:13:49,640
kernel's.

373
00:13:51,500 --> 00:13:53,129
So let's look at the.

374
00:13:56,160 --> 00:13:57,660
Why are we looking at PRNGs

375
00:13:58,700 --> 00:13:59,699
like that?

376
00:13:59,700 --> 00:14:02,309
Well, because actually PRNGs

377
00:14:02,310 --> 00:14:04,619
actually have a broader implication.

378
00:14:04,620 --> 00:14:06,959
It's a foundation of wider

379
00:14:06,960 --> 00:14:08,759
cryptographic ecosystem.

380
00:14:08,760 --> 00:14:11,159
So stuff like, I don't know, like SSL,

381
00:14:11,160 --> 00:14:14,189
SSL, all of them are relying on those

382
00:14:14,190 --> 00:14:15,119
stuff.

383
00:14:15,120 --> 00:14:17,249
And besides that, the strength of

384
00:14:17,250 --> 00:14:19,619
exploit mitigation itself is also

385
00:14:19,620 --> 00:14:21,059
affected by

386
00:14:22,590 --> 00:14:24,689
PRNG and PRNG

387
00:14:24,690 --> 00:14:25,619
quality.

388
00:14:25,620 --> 00:14:27,779
So as Jos later talks about

389
00:14:27,780 --> 00:14:30,269
it, you can see that how things

390
00:14:30,270 --> 00:14:32,309
like, for example, ASLR or stack

391
00:14:32,310 --> 00:14:34,859
canaries can get affected

392
00:14:34,860 --> 00:14:35,860
by

393
00:14:37,680 --> 00:14:38,720
PRNG weaknesses.
394
00:14:42,060 --> 00:14:44,309
So as a recap,

395
00:14:44,310 --> 00:14:46,079
we talked about 6.6

396
00:14:47,180 --> 00:14:49,379
random implementation,

397
00:14:49,380 --> 00:14:51,719
so as a just as a recap.

398
00:14:51,720 --> 00:14:54,179
So basically the original PRNG,

399
00:14:54,180 --> 00:14:56,279
which was implemented last year, which we

400
00:14:56,280 --> 00:14:58,529
talked about, was based on Yarrow, but

401
00:14:58,530 --> 00:15:01,109
not the reference Yarrow, but zero one.

402
00:15:01,110 --> 00:15:03,249
But the original was like

403
00:15:03,250 --> 00:15:04,739
an earlier version of the.

404
00:15:04,740 --> 00:15:06,989
And there were some

405
00:15:06,990 --> 00:15:08,759
sketchy design issues.

406
00:15:08,760 --> 00:15:10,859
And basically

407
00:15:10,860 --> 00:15:12,929
the biggest part, which we talk,

408
00:15:12,930 --> 00:15:15,119
for example, have a lack of completely

409
00:15:15,120 --> 00:15:17,429
broken reseed control or not

410
00:15:17,430 --> 00:15:19,739
having basically any reseed control and

411
00:15:19,740 --> 00:15:22,679
also low quality time entropy

412
00:15:22,680 --> 00:15:24,849
and some entropy

413
00:15:24,850 --> 00:15:26,999
source selection, which was based

414
00:15:27,000 --> 00:15:28,079
on system integrators.

415
00:15:28,080 --> 00:15:31,349
And we show some examples of how

416
00:15:31,350 --> 00:15:33,569
things can go bad if system

417
00:15:33,570 --> 00:15:35,519
integrators don't care about it.

418
00:15:35,520 --> 00:15:36,869
And the operating system itself doesn't

419
00:15:36,870 --> 00:15:38,190
provide the proper PRNG.

420
00:15:39,600 --> 00:15:41,909
However, things got much better in QNX

421
00:15:41,910 --> 00:15:44,189
7 after our assessment, and they

422
00:15:44,190 --> 00:15:46,259
incorporated some of our suggestions.

423
00:15:46,260 --> 00:15:48,689
So right now they are actually using for

424
00:15:48,690 --> 00:15:50,459
implementation.
425
00:15:50,460 --> 00:15:52,079
They are actually using new unstrapped

426
00:15:52,080 --> 00:15:54,539
resources, which I talk about later,

427
00:15:54,540 --> 00:15:56,879
and a proper

428
00:15:56,880 --> 00:15:58,979
reseed control mechanism which

429
00:15:58,980 --> 00:16:00,779
wasn't, didn't exist before.

430
00:16:00,780 --> 00:16:02,849
And but basically

431
00:16:02,850 --> 00:16:04,710
overall QNX is much better and

432
00:16:06,720 --> 00:16:08,639
still doesn't mean that everything is

433
00:16:08,640 --> 00:16:11,879
fine. So still, there are some design

434
00:16:11,880 --> 00:16:13,799
like decisions or like implementation

435
00:16:13,800 --> 00:16:15,269
decisions which the system integrator

436
00:16:15,270 --> 00:16:16,739
have to have to decide.

437
00:16:16,740 --> 00:16:18,809
And still there can be attack

438
00:16:18,810 --> 00:16:21,179
surface. But from the operating system side,

439
00:16:21,180 --> 00:16:22,180
things are much better.

440
00:16:23,760 --> 00:16:26,189
So let's look at things change

441
00:16:26,190 --> 00:16:28,049
so you don't have to actually look at all

442
00:16:28,050 --> 00:16:29,969
of them and only look at the green parts,

443
00:16:29,970 --> 00:16:31,799
because that's the part which things

444
00:16:31,800 --> 00:16:33,929
change. First and

445
00:16:33,930 --> 00:16:36,179
foremost, for fixing the problem of the

446
00:16:36,180 --> 00:16:38,459
time entropy, actually in QNX

447
00:16:38,460 --> 00:16:41,189
7, they right now provide

448
00:16:41,190 --> 00:16:42,839
a seed source, seed file source,

449
00:16:42,840 --> 00:16:44,489
basically, which means that at boot time

450
00:16:44,490 --> 00:16:46,919
you can provide a

451
00:16:46,920 --> 00:16:49,169
randomness file which contains

452
00:16:49,170 --> 00:16:51,539
some random like basically

453
00:16:51,540 --> 00:16:53,909
entropy to the operating

454
00:16:53,910 --> 00:16:55,229
system at the time.
455
00:16:55,230 --> 00:16:57,629
And later, once the seed gets used

456
00:16:57,630 --> 00:17:00,299
and exhausted at the runtime,

457
00:17:00,300 --> 00:17:01,299
it can get updated.

458
00:17:01,300 --> 00:17:02,489
But the point here is that

459
00:17:03,600 --> 00:17:06,959
the framework have to actually provide a

460
00:17:06,960 --> 00:17:08,699
framework. You have to have different,

461
00:17:08,700 --> 00:17:09,749
for example, seed file.

462
00:17:10,950 --> 00:17:13,108
But beside that, there is also a

463
00:17:13,109 --> 00:17:14,999
user supplied sources of entropy.

464
00:17:15,000 --> 00:17:16,979
So there are different kind of, you know,

465
00:17:16,980 --> 00:17:18,809
supply sources which can be provided.

466
00:17:20,670 --> 00:17:22,858
But the other part is still

467
00:17:22,859 --> 00:17:26,009
the source, basically, which is a still

468
00:17:26,010 --> 00:17:28,078
weird because they are still using, for

469
00:17:28,079 --> 00:17:30,149
example, getuid and getpid, which

470
00:17:30,150 --> 00:17:32,129
is not at all random because it's just

471
00:17:32,130 --> 00:17:34,259
completely static and gettimeofday,

472
00:17:34,260 --> 00:17:36,059
which is not random.

473
00:17:36,060 --> 00:17:38,249
But the only proper one is asking

474
00:17:38,250 --> 00:17:40,469
for random function, which is

475
00:17:41,700 --> 00:17:42,700
not that.

476
00:17:45,820 --> 00:17:47,859
Regarding the QNX 7 kernel

477
00:17:47,860 --> 00:17:48,860
PRNG, which.
478
00:17:50,990 --> 00:17:52,609
Well, QNX 7 actually introduces a new

479
00:17:52,610 --> 00:17:54,829
kernel PRNG and

480
00:17:54,830 --> 00:17:56,119
there is implementation of it as a

481
00:17:56,120 --> 00:17:58,099
function called random_value in the micro

482
00:17:58,100 --> 00:18:00,169
kernel of QNX, and it

483
00:18:00,170 --> 00:18:02,299
will it will be used or being used

484
00:18:02,300 --> 00:18:04,369
for ASLR and

485
00:18:04,370 --> 00:18:07,309
stack canaries by the microkernel.

486
00:18:07,310 --> 00:18:09,379
So basically what you see here is that

487
00:18:09,380 --> 00:18:11,059
you have different sources of entropy.

488
00:18:11,060 --> 00:18:12,889
So, for example, clock cycle, you are

489
00:18:12,890 --> 00:18:15,829
using the PID

490
00:18:15,830 --> 00:18:18,169
or like the current

491
00:18:18,170 --> 00:18:19,640
time in nanoseconds,

492
00:18:20,760 --> 00:18:23,389
also, for example, current CPU

493
00:18:23,390 --> 00:18:25,669
like wake up timer and also some random

494
00:18:25,670 --> 00:18:27,859
seeds which you can pass into an

495
00:18:27,860 --> 00:18:30,019
input block which gets passed

496
00:18:30,020 --> 00:18:31,549
to a SHA-256

497
00:18:33,080 --> 00:18:35,909
function and basically what will happen,

498
00:18:35,910 --> 00:18:38,149
the digest or the output

499
00:18:38,150 --> 00:18:40,219
will be divided into eight blocks and the

500
00:18:40,220 --> 00:18:42,379
first block will be used as a salt and

501
00:18:42,380 --> 00:18:44,270
a second block will be used

502
00:18:45,620 --> 00:18:47,959
for the like output of the random

503
00:18:47,960 --> 00:18:49,549
value, the 32 bits.
504 00:18:49,550 --> 00:18:52,369 And there will be an iteration 505 00:18:52,370 --> 00:18:54,109 whenever you actually need a new 506 00:18:55,190 --> 00:18:57,259 random value, and 507 00:18:57,260 --> 00:18:59,659 this iteration moves each time from 508 00:18:59,660 --> 00:19:01,559 location zero to one to three. 509 00:19:01,560 --> 00:19:03,799 So, like, each time 510 00:19:03,800 --> 00:19:05,719 the location which you are choosing, 511 00:19:05,720 --> 00:19:07,799 the 32 bytes, will change. 512 00:19:07,800 --> 00:19:09,529 Essentially it will change. 513 00:19:09,530 --> 00:19:11,960 Basically, that's the QNX 7 514 00:19:13,370 --> 00:19:15,589 kernel PRNG, and now the meat of the work, 515 00:19:15,590 --> 00:19:16,609 actually: exploit 516 00:19:16,610 --> 00:19:17,989 mitigations. QNX 7. 517 00:19:17,990 --> 00:19:19,129 All right. 518 00:19:19,130 --> 00:19:21,409 Um, thank you for that, Ali. 519 00:19:21,410 --> 00:19:23,359 So let's start to look at the exploit 520 00:19:23,360 --> 00:19:24,259 mitigations. 521 00:19:24,260 --> 00:19:26,219 Um, why take a look at exploit 522 00:19:26,220 --> 00:19:27,619 mitigations? Well, because the 523 00:19:27,620 --> 00:19:29,089 mitigations that we're used to in the 524 00:19:29,090 --> 00:19:31,249 general purpose world, Windows, Linux, 525 00:19:31,250 --> 00:19:32,869 they didn't come falling from the 526 00:19:32,870 --> 00:19:35,059 sky, especially not in their current 527 00:19:35,060 --> 00:19:36,209 incarnations. 528 00:19:36,210 --> 00:19:37,819 There's a long history of weaknesses, 529 00:19:37,820 --> 00:19:39,979 bypasses and subsequent improvements, as 530 00:19:39,980 --> 00:19:42,169 you can see, for example, for Windows 531 00:19:42,170 --> 00:19:43,279 on the bottom of the slide.
532 00:19:43,280 --> 00:19:44,869 And because there is nothing like that 533 00:19:44,870 --> 00:19:46,999 for QNX, that means that it's 534 00:19:47,000 --> 00:19:48,769 very fruitful ground for finding 535 00:19:48,770 --> 00:19:50,599 interesting stuff, which is why we took a 536 00:19:50,600 --> 00:19:51,600 look at it. 537 00:19:52,330 --> 00:19:54,489 So as of QNX 6.5, 538 00:19:54,490 --> 00:19:56,589 as you can see in the table, there 539 00:19:56,590 --> 00:19:58,029 is support for data execution 540 00:19:58,030 --> 00:20:00,699 prevention, address space layout randomization, 541 00:20:00,700 --> 00:20:03,309 stack canaries and relocation read-only. 542 00:20:03,310 --> 00:20:05,409 But don't get too excited, because 543 00:20:05,410 --> 00:20:07,059 these are not enabled by default. 544 00:20:07,060 --> 00:20:08,739 So it might just mean that you encounter 545 00:20:08,740 --> 00:20:10,929 a firmware image with QNX and it's fully up 546 00:20:10,930 --> 00:20:13,239 to date, but if system integrators didn't 547 00:20:13,240 --> 00:20:15,429 explicitly enable support for all these 548 00:20:15,430 --> 00:20:18,039 mitigations in their toolchain, 549 00:20:18,040 --> 00:20:19,659 then you might just be exploiting like 550 00:20:19,660 --> 00:20:21,309 it's the 90s. 551 00:20:21,310 --> 00:20:23,169 You also shouldn't expect any support for 552 00:20:23,170 --> 00:20:24,849 advanced mitigations like vtable 553 00:20:24,850 --> 00:20:27,219 protections, control-flow integrity 554 00:20:27,220 --> 00:20:29,169 or kernel code and data isolation. 555 00:20:29,170 --> 00:20:30,880 So this is really just an... 556 00:20:32,060 --> 00:20:33,889 Let's start off with data execution 557 00:20:33,890 --> 00:20:35,929 prevention. For those of you unfamiliar 558 00:20:35,930 --> 00:20:37,879 with it, it seeks to prevent the 559 00:20:37,880 --> 00:20:39,919 execution of payloads injected into data 560 00:20:39,920 --> 00:20:41,989 memory.
And roughly speaking, you 561 00:20:41,990 --> 00:20:44,059 have two main architectural styles for 562 00:20:44,060 --> 00:20:44,989 a CPU. 563 00:20:44,990 --> 00:20:46,549 One is the Harvard one, where you have 564 00:20:46,550 --> 00:20:48,259 separate, physically separate code and 565 00:20:48,260 --> 00:20:49,669 data memory. And the other one is the von 566 00:20:49,670 --> 00:20:51,439 Neumann one, where you have shared 567 00:20:51,440 --> 00:20:52,999 program and data memory. 568 00:20:53,000 --> 00:20:55,609 And in order to prevent the execution 569 00:20:55,610 --> 00:20:57,559 of injected payloads in data memory, you 570 00:20:57,560 --> 00:20:59,479 effectively seek to emulate a Harvard 571 00:20:59,480 --> 00:21:01,829 architecture on a von Neumann one. 572 00:21:01,830 --> 00:21:04,089 And typically this is done, as on 573 00:21:04,090 --> 00:21:06,259 x86-64 on 574 00:21:06,260 --> 00:21:08,809 the bottom of the slide, by being facilitated 575 00:21:08,810 --> 00:21:10,639 by hardware support in a memory 576 00:21:10,640 --> 00:21:11,659 management unit. 577 00:21:11,660 --> 00:21:13,519 And here in a page table entry, you will 578 00:21:13,520 --> 00:21:15,749 have a specific bit, like the NX 579 00:21:15,750 --> 00:21:17,959 bit, which regulates the executability 580 00:21:17,960 --> 00:21:19,250 of this particular page. 581 00:21:20,660 --> 00:21:23,149 Now, QNX DEP has support for several 582 00:21:23,150 --> 00:21:25,469 of these NX-like flags 583 00:21:25,470 --> 00:21:27,559 in the MMUs. It has support for 584 00:21:27,560 --> 00:21:30,019 it on x86 and x86-64, 585 00:21:30,020 --> 00:21:31,579 it has support for it on ARM. 586 00:21:31,580 --> 00:21:33,349 It does not, however, have support for 587 00:21:33,350 --> 00:21:35,599 this feature on MIPS, and it has 588 00:21:35,600 --> 00:21:37,249 varying support for PowerPC. 589 00:21:37,250 --> 00:21:39,739 But that's PowerPC.
590 00:21:39,740 --> 00:21:41,839 The big problem with QNX DEP is the 591 00:21:41,840 --> 00:21:44,269 fact that the defaults are insecure. 592 00:21:44,270 --> 00:21:46,189 So the problem is that even if you have 593 00:21:46,190 --> 00:21:48,079 hardware support here and you have a QNX 594 00:21:48,080 --> 00:21:50,269 version that has support for 595 00:21:50,270 --> 00:21:52,549 DEP, then still the stack will be left 596 00:21:52,550 --> 00:21:54,769 executable even if the heap is not. 597 00:21:54,770 --> 00:21:56,749 So this is something to really check for 598 00:21:56,750 --> 00:21:59,389 when you encounter a QNX firmware image. 599 00:21:59,390 --> 00:22:01,549 What's more is that the typical GNU 600 00:22:01,550 --> 00:22:03,649 STACK program header is ignored by 601 00:22:03,650 --> 00:22:05,599 the program loader. So regardless of your 602 00:22:05,600 --> 00:22:07,759 linker settings or whatever, this will be 603 00:22:07,760 --> 00:22:09,889 executable. Now, it's possible to 604 00:22:09,890 --> 00:22:11,359 make the stack not executable by 605 00:22:11,360 --> 00:22:13,819 explicitly specifying a particular 606 00:22:13,820 --> 00:22:16,459 flag in the microkernel startup options. 607 00:22:16,460 --> 00:22:17,989 But a big problem is that this is a 608 00:22:17,990 --> 00:22:19,129 system-wide setting. 609 00:22:19,130 --> 00:22:21,329 So if you have executables which require, 610 00:22:21,330 --> 00:22:23,209 for legacy or backwards compatibility 611 00:22:23,210 --> 00:22:25,399 reasons, an executable stack, they can 612 00:22:25,400 --> 00:22:27,679 no longer be included with these 613 00:22:27,680 --> 00:22:28,889 new firmware images.
614 00:22:28,890 --> 00:22:30,769 So even though we reported it and we 615 00:22:30,770 --> 00:22:32,719 said, you know, this is just enough rope 616 00:22:32,720 --> 00:22:34,219 to hang yourself with as a system 617 00:22:34,220 --> 00:22:36,199 integrator, this issue is still present 618 00:22:36,200 --> 00:22:38,089 on QNX 6 and 7. 619 00:22:38,090 --> 00:22:40,069 And this really is something to check for 620 00:22:40,070 --> 00:22:42,230 if you encounter a QNX firmware image. 621 00:22:43,910 --> 00:22:45,679 So the second mitigation is address space 622 00:22:45,680 --> 00:22:47,359 layout randomization, and again, for 623 00:22:47,360 --> 00:22:49,009 those unfamiliar with it, address space 624 00:22:49,010 --> 00:22:50,719 layout randomization seeks to complicate 625 00:22:50,720 --> 00:22:52,579 code reuse attacks like return oriented 626 00:22:52,580 --> 00:22:54,589 programming by randomizing the memory 627 00:22:54,590 --> 00:22:55,879 object addresses. 628 00:22:55,880 --> 00:22:57,829 So in a typical exploitation flow, as you can 629 00:22:57,830 --> 00:22:59,989 see on the right of the slide, you find 630 00:22:59,990 --> 00:23:02,479 existing code to reuse, gadgets 631 00:23:02,480 --> 00:23:04,549 and snippets, and stitch them together, a 632 00:23:04,550 --> 00:23:06,619 bit like a ransom note on the top 633 00:23:06,620 --> 00:23:07,969 of the slide. 634 00:23:07,970 --> 00:23:10,189 Now, ASLR seeks to prevent this 635 00:23:10,190 --> 00:23:12,409 by using randomness as a means towards 636 00:23:12,410 --> 00:23:13,969 the goal of memory layout secrecy. 637 00:23:13,970 --> 00:23:15,319 Because if you don't know where the 638 00:23:15,320 --> 00:23:17,389 various code fragments are in memory, 639 00:23:17,390 --> 00:23:19,459 then you can't stitch them together to form 640 00:23:19,460 --> 00:23:20,239 a ROP payload. 641 00:23:20,240 --> 00:23:22,489 Or at least that's the idea behind ASLR.
642 00:23:24,230 --> 00:23:26,719 Now, QNX's ASLR is enabled 643 00:23:26,720 --> 00:23:28,759 by starting the microkernel with, again, 644 00:23:28,760 --> 00:23:30,679 a dedicated flag which is not enabled by 645 00:23:30,680 --> 00:23:32,749 default. Processes 646 00:23:32,750 --> 00:23:34,699 inherit their parents' ASLR settings, 647 00:23:34,700 --> 00:23:36,629 but it can be enabled or disabled on a 648 00:23:36,630 --> 00:23:38,719 per-process basis. So you have a good opt-out 649 00:23:38,720 --> 00:23:40,879 scheme. But by default, it's 650 00:23:40,880 --> 00:23:42,289 it's, uh. 651 00:23:42,290 --> 00:23:43,189 Yeah, it's opt-out. 652 00:23:43,190 --> 00:23:44,389 So it's not an opt-in scheme. 653 00:23:44,390 --> 00:23:46,099 So don't look for mistakes like that. 654 00:23:47,540 --> 00:23:49,489 Memory objects are randomized at a base 655 00:23:49,490 --> 00:23:51,229 address level. So it's not a very fine 656 00:23:51,230 --> 00:23:53,419 grained form of ASLR, but that goes 657 00:23:53,420 --> 00:23:55,549 for most ASLR versions, and 658 00:23:55,550 --> 00:23:57,949 most memory objects are randomized except 659 00:23:57,950 --> 00:24:00,079 for the kernel code addresses. 660 00:24:00,080 --> 00:24:02,209 And how terrible that is depends on 661 00:24:02,210 --> 00:24:04,459 your opinion of the usefulness of ASLR 662 00:24:04,460 --> 00:24:06,139 in general. So that's that's not the real 663 00:24:06,140 --> 00:24:07,249 problem here. 664 00:24:07,250 --> 00:24:10,189 Um, one problem that that is 665 00:24:10,190 --> 00:24:12,169 a problem in practice is the fact that PIE 666 00:24:12,170 --> 00:24:14,179 is disabled by default in the toolchain.
667 00:24:14,180 --> 00:24:16,639 So that means that unless you explicitly 668 00:24:16,640 --> 00:24:18,769 enable it, then all the binaries you have 669 00:24:18,770 --> 00:24:20,029 and you will compile, including the 670 00:24:20,030 --> 00:24:22,429 system binaries, won't have randomization 671 00:24:22,430 --> 00:24:23,539 of of code. 672 00:24:23,540 --> 00:24:25,729 And if you look at a lot of firmware 673 00:24:25,730 --> 00:24:28,099 images of QNX in the wild, you'll find 674 00:24:28,100 --> 00:24:30,289 that in fact, code memory is never 675 00:24:30,290 --> 00:24:31,999 actually randomized, which greatly 676 00:24:32,000 --> 00:24:34,369 reduces the usefulness of ASLR. 677 00:24:35,580 --> 00:24:37,799 So in order to learn how QNX ASLR 678 00:24:37,800 --> 00:24:39,689 works under the hood, we reverse engineered 679 00:24:39,690 --> 00:24:41,759 the memory manager of QNX, which you 680 00:24:41,760 --> 00:24:43,799 can see mapped out here, and I'll save 681 00:24:43,800 --> 00:24:45,269 you all the details. 682 00:24:45,270 --> 00:24:47,069 But basically, it comes down to the fact 683 00:24:47,070 --> 00:24:49,109 that all of it is underpinned mostly by 684 00:24:49,110 --> 00:24:51,569 calls to mmap in the microkernel, 685 00:24:51,570 --> 00:24:53,279 and there are two functions that actually 686 00:24:53,280 --> 00:24:54,839 regulate the randomization. 687 00:24:54,840 --> 00:24:56,339 And those are marked in blue, which is 688 00:24:56,340 --> 00:24:58,409 the stack randomize function on the left 689 00:24:58,410 --> 00:25:00,179 and the map find VA function on the 690 00:25:00,180 --> 00:25:00,539 right. 691 00:25:00,540 --> 00:25:02,309 And these both rely on the same random 692 00:25:02,310 --> 00:25:04,439 number generator, which we'll discuss in 693 00:25:04,440 --> 00:25:06,379 this, uh, this talk.
694 00:25:06,380 --> 00:25:08,269 Now, the first of the functions, map find 695 00:25:08,270 --> 00:25:10,489 VA, among other things, randomizes 696 00:25:10,490 --> 00:25:12,199 the virtual addresses which are returned 697 00:25:12,200 --> 00:25:13,429 by the mmap call. 698 00:25:13,430 --> 00:25:14,959 And it does this, as you can see on the 699 00:25:14,960 --> 00:25:16,639 right of the slide, by subtracting or 700 00:25:16,640 --> 00:25:18,229 adding a random value to the found 701 00:25:18,230 --> 00:25:19,489 virtual address. 702 00:25:19,490 --> 00:25:21,139 And this random value is obtained by 703 00:25:21,140 --> 00:25:22,729 taking the lower thirty-two bits of the 704 00:25:22,730 --> 00:25:24,949 random number generator result, bitwise 705 00:25:24,950 --> 00:25:26,509 left shifting them by 12 and then 706 00:25:26,510 --> 00:25:28,949 extracting the lower 24 bits. 707 00:25:28,950 --> 00:25:30,949 And the problem already here is the fact 708 00:25:30,950 --> 00:25:33,139 that the application of this bitmask 709 00:25:33,140 --> 00:25:35,599 contributes at most 12 bits of entropy 710 00:25:35,600 --> 00:25:37,669 to any address randomized 711 00:25:37,670 --> 00:25:39,439 in this fashion, regardless of the 712 00:25:39,440 --> 00:25:41,209 quality of the PRNG in general, which 713 00:25:41,210 --> 00:25:43,249 is worse, as we'll see in a minute. 714 00:25:44,900 --> 00:25:46,339 The second of these functions, stack 715 00:25:46,340 --> 00:25:48,079 randomize, well, as the name says, it 716 00:25:48,080 --> 00:25:50,239 randomizes start addresses when a stack 717 00:25:50,240 --> 00:25:52,519 is allocated, either when the process is 718 00:25:52,520 --> 00:25:54,049 started or when a new thread is 719 00:25:54,050 --> 00:25:55,050 created. 720 00:25:55,640 --> 00:25:57,289 It does this in the same fashion as the 721 00:25:57,290 --> 00:25:58,819 previous function.
By subtracting a 722 00:25:58,820 --> 00:26:00,559 random value from the original stack 723 00:26:00,560 --> 00:26:02,719 pointer, it takes the lower thirty-two bits 724 00:26:02,720 --> 00:26:04,579 of the random number generator result, as 725 00:26:04,580 --> 00:26:06,349 you can see on the right of the slide, 726 00:26:06,350 --> 00:26:08,449 then bitwise left shifts them by four 727 00:26:08,450 --> 00:26:10,699 and then at most extracts the lower 728 00:26:10,700 --> 00:26:12,739 eleven bits, depending on the size of the 729 00:26:12,740 --> 00:26:14,089 allocated stack. 730 00:26:14,090 --> 00:26:15,679 And this contributes, due to the bitmask 731 00:26:15,680 --> 00:26:17,869 again, at most seven bits of entropy, 732 00:26:17,870 --> 00:26:19,849 which is also worse in practice. 733 00:26:19,850 --> 00:26:21,589 This is mitigated a little bit because it 734 00:26:21,590 --> 00:26:22,879 is combined with the results of the 735 00:26:22,880 --> 00:26:24,439 previous function, because under the 736 00:26:24,440 --> 00:26:25,999 hood, of course, the stack is also 737 00:26:26,000 --> 00:26:28,069 allocated using mmap, but in practice 738 00:26:28,070 --> 00:26:28,729 this won't matter 739 00:26:28,730 --> 00:26:30,829 a lot. I'll take a sip of 740 00:26:30,830 --> 00:26:31,830 water. 741 00:26:34,170 --> 00:26:36,419 So actually these operations 742 00:26:36,420 --> 00:26:38,859 are quite optimistic, because QNX 743 00:26:38,860 --> 00:26:40,919 6's ASLR uses a very weak 744 00:26:40,920 --> 00:26:42,029 PRNG. 745 00:26:42,030 --> 00:26:43,949 You can't really call it a PRNG 746 00:26:43,950 --> 00:26:45,839 because they directly use a source of 747 00:26:45,840 --> 00:26:47,849 entropy called clock cycles. 748 00:26:47,850 --> 00:26:49,619 And as you can probably guess, it 749 00:26:49,620 --> 00:26:51,689 maintains and retrieves a 64 750 00:26:51,690 --> 00:26:54,509 bit free-running cycle counter.
751 00:26:54,510 --> 00:26:56,519 And the implementation of this is 752 00:26:56,520 --> 00:26:57,749 architecture specific. 753 00:26:57,750 --> 00:26:59,519 So on the right of the slide, you can see 754 00:26:59,520 --> 00:27:01,979 that on x86, it will simply 755 00:27:01,980 --> 00:27:04,259 use the timestamp counter instruction, 756 00:27:04,260 --> 00:27:06,239 and for PowerPC it will use the time base 757 00:27:06,240 --> 00:27:08,489 facility, and various other kinds of 758 00:27:08,490 --> 00:27:10,019 architecture specific options. 759 00:27:11,220 --> 00:27:12,899 Now, the first thing that springs to mind 760 00:27:12,900 --> 00:27:15,029 is the fact that if you want to guarantee 761 00:27:15,030 --> 00:27:17,399 memory layout secrecy using ASLR, 762 00:27:17,400 --> 00:27:18,809 then you will also need to keep the 763 00:27:18,810 --> 00:27:20,639 internal state of the PRNG secret, 764 00:27:20,640 --> 00:27:22,139 because that might allow people to 765 00:27:22,140 --> 00:27:24,329 reproduce the ASLR settings at a given 766 00:27:24,330 --> 00:27:26,309 point in time. Because there is no 767 00:27:26,310 --> 00:27:28,319 PRNG here, but just the raw entropy 768 00:27:28,320 --> 00:27:30,839 source, that means that in that scenario, 769 00:27:30,840 --> 00:27:32,549 clock cycles would have to be a secret 770 00:27:32,550 --> 00:27:34,589 value, which of course it is not. 771 00:27:34,590 --> 00:27:36,989 It can be requested with unprivileged 772 00:27:36,990 --> 00:27:39,269 access. It's incorporated in a lot 773 00:27:39,270 --> 00:27:41,459 of different kinds of drivers, in network 774 00:27:41,460 --> 00:27:44,189 packets broadcast all over the network. 775 00:27:44,190 --> 00:27:45,869 So in theory, you could mount a 776 00:27:45,870 --> 00:27:47,039 reconstruction attack.
777 00:27:47,040 --> 00:27:49,469 But that's overkill and kind of involved, 778 00:27:49,470 --> 00:27:51,119 considering the fact that it doesn't 779 00:27:51,120 --> 00:27:53,009 contribute all that much entropy, and 780 00:27:53,010 --> 00:27:54,629 another approach is much more feasible 781 00:27:54,630 --> 00:27:56,039 for breaking it. 782 00:27:56,040 --> 00:27:58,139 So we measured various kinds of processes 783 00:27:58,140 --> 00:27:59,639 across different boot sessions and 784 00:27:59,640 --> 00:28:01,829 harvested the memory object addresses. 785 00:28:01,830 --> 00:28:03,749 Then we used the NIST entropy source 786 00:28:03,750 --> 00:28:05,909 testing tool to obtain a min-entropy 787 00:28:05,910 --> 00:28:07,589 estimate for all of these memory object 788 00:28:07,590 --> 00:28:10,139 addresses in different kinds of classes. 789 00:28:10,140 --> 00:28:12,899 And here it is good to realize that 256 790 00:28:12,900 --> 00:28:14,849 bits of uniformly random data should 791 00:28:14,850 --> 00:28:17,039 correspond to 256 bits of min 792 00:28:17,040 --> 00:28:18,899 entropy. And we found that the average 793 00:28:18,900 --> 00:28:21,029 min-entropy of an 794 00:28:21,030 --> 00:28:23,369 address on QNX 6 was four point forty 795 00:28:23,370 --> 00:28:25,649 seven bits, with the lowest 796 00:28:25,650 --> 00:28:27,629 min-entropy being three bits for shared 797 00:28:27,630 --> 00:28:29,729 libraries and the highest six bits for 798 00:28:29,730 --> 00:28:30,689 the stack. 799 00:28:30,690 --> 00:28:32,309 And this is very, very weak if you 800 00:28:32,310 --> 00:28:34,529 compare it to other 32-bit operating 801 00:28:34,530 --> 00:28:36,029 systems.
So you can see on the right of 802 00:28:36,030 --> 00:28:37,619 the slide, for example, for mainline 803 00:28:37,620 --> 00:28:39,689 Linux, varying between eight bits of 804 00:28:39,690 --> 00:28:41,879 entropy and 19 bits, or 805 00:28:41,880 --> 00:28:44,039 for example, Linux with PaX 806 00:28:44,040 --> 00:28:46,199 patches, where you vary between six 807 00:28:46,200 --> 00:28:48,059 bits and even twenty-seven bits. 808 00:28:49,260 --> 00:28:51,329 And why is this a problem, you might ask? 809 00:28:51,330 --> 00:28:52,499 Well, this is a problem because of the 810 00:28:52,500 --> 00:28:54,569 potential for brute forcing. 811 00:28:54,570 --> 00:28:56,639 So if you have a typical 812 00:28:56,640 --> 00:28:58,799 networking daemon where you have a forking 813 00:28:58,800 --> 00:29:00,569 architecture, and let's say that upon 814 00:29:00,570 --> 00:29:03,099 every incoming connection, you spawn 815 00:29:03,100 --> 00:29:05,269 a new child to handle this, 816 00:29:05,270 --> 00:29:07,499 this client connection, and a fork call 817 00:29:07,500 --> 00:29:09,179 will be called. And because of memory 818 00:29:09,180 --> 00:29:11,369 layout inheritance, a child process 819 00:29:11,370 --> 00:29:13,409 will have a copy of the parent process 820 00:29:13,410 --> 00:29:15,899 memory layout, because this is applied 821 00:29:15,900 --> 00:29:17,669 after ASLR has been applied. 822 00:29:17,670 --> 00:29:18,819 That means that the ASLR 823 00:29:18,820 --> 00:29:20,579 randomization is also copied to the 824 00:29:20,580 --> 00:29:22,739 child, which is static every time this 825 00:29:22,740 --> 00:29:24,389 child is respawned.
826 00:29:24,390 --> 00:29:26,459 Now, an attacker trying to guess 827 00:29:26,460 --> 00:29:28,769 the address for a certain code 828 00:29:28,770 --> 00:29:30,749 address, for example, might try an 829 00:29:30,750 --> 00:29:32,579 address and measure the response in 830 00:29:32,580 --> 00:29:33,549 whatever way. 831 00:29:33,550 --> 00:29:34,889 And if the child crashes and is 832 00:29:34,890 --> 00:29:37,079 restarted, they can try the next address. 833 00:29:37,080 --> 00:29:38,909 And if there is not enough entropy in the 834 00:29:38,910 --> 00:29:40,469 randomization of these addresses, they 835 00:29:40,470 --> 00:29:42,599 might succeed, either locally or 836 00:29:42,600 --> 00:29:44,969 remotely or both, within a reasonable 837 00:29:44,970 --> 00:29:46,649 time frame to discover the addresses 838 00:29:46,650 --> 00:29:47,429 needed to build 839 00:29:47,430 --> 00:29:49,319 a ROP chain. 840 00:29:49,320 --> 00:29:50,699 And does this work in practice, you'll 841 00:29:50,700 --> 00:29:52,649 ask? Well, you can see on this slide that 842 00:29:52,650 --> 00:29:54,059 in fact, it does. 843 00:29:54,060 --> 00:29:55,649 On the left, you have a vulnerable 844 00:29:55,650 --> 00:29:58,049 service which runs on the network on 845 00:29:58,050 --> 00:29:59,759 port 1337. 846 00:29:59,760 --> 00:30:01,679 It is a trivial stack buffer overflow. 847 00:30:01,680 --> 00:30:03,449 It has ASLR enabled. 848 00:30:03,450 --> 00:30:05,249 And on the right you can see it remotely 849 00:30:05,250 --> 00:30:07,199 being exploited over the network, 850 00:30:07,200 --> 00:30:09,149 brute forcing ASLR in twenty-three 851 00:30:09,150 --> 00:30:10,709 seconds. 852 00:30:10,710 --> 00:30:12,569 So yes, that works in practice.
853 00:30:14,580 --> 00:30:16,499 Of course, brute force is less 854 00:30:16,500 --> 00:30:18,779 interesting, but memory 855 00:30:18,780 --> 00:30:20,459 information leaks are even more 856 00:30:20,460 --> 00:30:21,899 interesting. 857 00:30:21,900 --> 00:30:24,059 Typically, you find an information leak 858 00:30:24,060 --> 00:30:25,709 in the application you're targeting, or 859 00:30:25,710 --> 00:30:27,419 you craft one from a flexible enough 860 00:30:27,420 --> 00:30:28,529 vulnerability. 861 00:30:28,530 --> 00:30:30,959 But it's nicer, especially for local 862 00:30:30,960 --> 00:30:33,059 vulnerabilities, to have a system-wide 863 00:30:33,060 --> 00:30:35,609 information leak. In this case 864 00:30:35,610 --> 00:30:36,629 we'll discuss two. 865 00:30:36,630 --> 00:30:38,159 But there are many, many more of this 866 00:30:38,160 --> 00:30:40,349 kind in QNX, 867 00:30:40,350 --> 00:30:42,389 QNX. The first information leak we 868 00:30:42,390 --> 00:30:44,879 discovered is the procfs information leak. 869 00:30:44,880 --> 00:30:47,339 And this basically works by relying 870 00:30:47,340 --> 00:30:49,349 on the fact that QNX, like many Unix-like 871 00:30:49,350 --> 00:30:51,299 operating systems, has a process file 872 00:30:51,300 --> 00:30:52,799 system. And here you have dedicated 873 00:30:52,800 --> 00:30:54,929 entries for each running process on the 874 00:30:54,930 --> 00:30:57,119 system. And you can interact 875 00:30:57,120 --> 00:30:58,769 with these different entries using the 876 00:30:58,770 --> 00:31:01,079 devctl API, and you can request 877 00:31:01,080 --> 00:31:03,299 information like the register values 878 00:31:03,300 --> 00:31:05,609 or stack addresses and the general 879 00:31:05,610 --> 00:31:08,099 memory mapping layout in general.
880 00:31:08,100 --> 00:31:09,359 And as you can see on the slide, 881 00:31:09,360 --> 00:31:11,099 conveniently, these entries are, 882 00:31:11,100 --> 00:31:13,169 regardless of of privileges or 883 00:31:13,170 --> 00:31:14,729 whatever, world readable. 884 00:31:14,730 --> 00:31:16,829 So that makes it very easy to 885 00:31:16,830 --> 00:31:19,109 write a very simple application that, 886 00:31:19,110 --> 00:31:21,029 across privilege boundaries for a low 887 00:31:21,030 --> 00:31:23,069 privileged user, discloses the memory 888 00:31:23,070 --> 00:31:25,019 layout of the microkernel. 889 00:31:25,020 --> 00:31:26,909 On the right you can see that it is made 890 00:31:26,910 --> 00:31:29,129 even more convenient by the fact that 891 00:31:29,130 --> 00:31:31,769 they include, in a lot of QNX releases, 892 00:31:31,770 --> 00:31:33,899 the pidin utility, which allows 893 00:31:33,900 --> 00:31:35,729 you to use this functionality by 894 00:31:35,730 --> 00:31:36,159 default. 895 00:31:36,160 --> 00:31:37,529 So even if you can't write your own 896 00:31:37,530 --> 00:31:39,629 application and drop it on a system 897 00:31:39,630 --> 00:31:41,489 to exploit this information leak, you 898 00:31:41,490 --> 00:31:43,049 might just be in luck and find this 899 00:31:43,050 --> 00:31:44,839 utility there to do it for you. 900 00:31:46,520 --> 00:31:49,009 The second information leak we found is 901 00:31:49,010 --> 00:31:51,079 residing in the LD_DEBUG environment 902 00:31:51,080 --> 00:31:53,329 variable. This is an environment variable 903 00:31:53,330 --> 00:31:55,249 which allows you to specify various 904 00:31:55,250 --> 00:31:57,379 requests for debugging information. 905 00:31:57,380 --> 00:31:59,479 And if you specify the all option, then 906 00:31:59,480 --> 00:32:01,219 it will give you a lot of debug 907 00:32:01,220 --> 00:32:03,379 information, among which are the addresses 908 00:32:03,380 --> 00:32:05,389 of shared libraries.
909 00:32:05,390 --> 00:32:07,339 And the interesting thing is that on, for 910 00:32:07,340 --> 00:32:10,099 example, Linux or BSD, 911 00:32:10,100 --> 00:32:11,959 this option has privilege checking. 912 00:32:11,960 --> 00:32:13,969 So if you tried to do this for a setuid 913 00:32:13,970 --> 00:32:16,069 binary and you're not the root 914 00:32:16,070 --> 00:32:18,259 user, then it will 915 00:32:18,260 --> 00:32:19,879 not output that information. 916 00:32:19,880 --> 00:32:22,249 But on QNX, no such checks are present 917 00:32:22,250 --> 00:32:24,019 and you can obtain this information 918 00:32:24,020 --> 00:32:25,999 across privilege boundaries, which makes 919 00:32:26,000 --> 00:32:28,099 exploiting suid binaries that much 920 00:32:28,100 --> 00:32:29,100 easier. 921 00:32:30,410 --> 00:32:31,410 So. 922 00:32:33,450 --> 00:32:35,909 After we reported some of this stuff, 923 00:32:35,910 --> 00:32:38,279 they made improvements to QNX 7, 924 00:32:38,280 --> 00:32:40,439 and QNX 7 now has, 925 00:32:40,440 --> 00:32:42,539 still has, disabled ASLR, there's 926 00:32:42,540 --> 00:32:44,699 no KASLR, but they do use a new 927 00:32:44,700 --> 00:32:47,759 kernel PRNG that Ali just discussed. 928 00:32:47,760 --> 00:32:49,169 And that's good. 929 00:32:49,170 --> 00:32:51,299 But it doesn't make QNX 7 930 00:32:51,300 --> 00:32:53,669 ASLR much stronger, despite 931 00:32:53,670 --> 00:32:55,469 this new PRNG and despite the fact that 932 00:32:55,470 --> 00:32:57,629 they have a 64-bit address space, because 933 00:32:57,630 --> 00:33:00,119 they forgot to remove these bitmasks 934 00:33:00,120 --> 00:33:01,679 that are applied in the randomization 935 00:33:01,680 --> 00:33:03,539 functions.
So as a result, you'll still 936 00:33:03,540 --> 00:33:05,279 have a theoretical upper bound of seven 937 00:33:05,280 --> 00:33:07,439 bits of entropy for stack addresses 938 00:33:07,440 --> 00:33:09,679 and 12 bits for the various 939 00:33:09,680 --> 00:33:11,729 virtual memory addresses, or most of them, 940 00:33:11,730 --> 00:33:13,649 as they are allocated. 941 00:33:13,650 --> 00:33:15,389 Another interesting thing to note, as you can 942 00:33:15,390 --> 00:33:17,399 see on the right of the slide, is the fact 943 00:33:17,400 --> 00:33:19,469 that code memory is mostly loaded in the 944 00:33:19,470 --> 00:33:21,539 lower 32 bits of the address space, 945 00:33:21,540 --> 00:33:24,059 which also greatly reduces the potential 946 00:33:24,060 --> 00:33:26,279 effectiveness of ASLR on 64-bit 947 00:33:26,280 --> 00:33:27,280 operating systems. 948 00:33:29,030 --> 00:33:31,939 And they did fix the debug information 949 00:33:31,940 --> 00:33:34,069 leak, but unfortunately for 950 00:33:34,070 --> 00:33:36,109 defenders and fortunately for attackers, 951 00:33:36,110 --> 00:33:38,359 they did not completely fix the procfs 952 00:33:38,360 --> 00:33:39,319 info leak. 953 00:33:39,320 --> 00:33:41,629 So as you can see on QNX 7 above, 954 00:33:41,630 --> 00:33:43,879 you can no longer use 955 00:33:43,880 --> 00:33:45,109 the pidin utility. 956 00:33:45,110 --> 00:33:47,209 But if you're just writing your own 957 00:33:47,210 --> 00:33:49,159 application, compiling it and interacting 958 00:33:49,160 --> 00:33:51,079 directly with the entries, you can still 959 00:33:51,080 --> 00:33:53,119 disclose this information across 960 00:33:53,120 --> 00:33:54,109 privilege boundaries. 961 00:33:54,110 --> 00:33:56,419 So this is an information leak, free 962 00:33:56,420 --> 00:33:57,420 to use.
963 00:33:58,830 --> 00:34:00,629 The next mitigation I'd like to discuss 964 00:34:00,630 --> 00:34:02,759 is stack canaries. They protect against 965 00:34:02,760 --> 00:34:04,919 traditional linear stack buffer overflows, 966 00:34:04,920 --> 00:34:06,179 which are much more interesting on 967 00:34:06,180 --> 00:34:08,399 embedded systems than they should be. 968 00:34:08,400 --> 00:34:10,289 For the people unfamiliar with it, 969 00:34:10,290 --> 00:34:11,729 it basically works as follows. 970 00:34:11,730 --> 00:34:14,039 You generate a master canary value using 971 00:34:14,040 --> 00:34:16,019 a random number generator and again, you 972 00:34:16,020 --> 00:34:17,189 keep it secret. 973 00:34:17,190 --> 00:34:19,049 And you insert it between the local 974 00:34:19,050 --> 00:34:21,178 variables, like a local data buffer, 975 00:34:21,179 --> 00:34:23,339 and the saved return address on the stack, 976 00:34:23,340 --> 00:34:25,499 and ideally also other stack metadata 977 00:34:25,500 --> 00:34:27,059 variables. 978 00:34:27,060 --> 00:34:29,158 So when an attacker then overwrites the 979 00:34:29,159 --> 00:34:30,988 saved return address, then upon return of 980 00:34:30,989 --> 00:34:32,999 the function, traditionally you hijack 981 00:34:33,000 --> 00:34:34,049 control flow. 982 00:34:34,050 --> 00:34:36,238 But here, first the saved canary 983 00:34:36,239 --> 00:34:37,738 is checked against the master canary. 984 00:34:37,739 --> 00:34:39,869 And if a mismatch is detected, instead of 985 00:34:39,870 --> 00:34:41,939 returning to the saved return address, 986 00:34:41,940 --> 00:34:44,158 you instead invoke a violation 987 00:34:44,159 --> 00:34:46,198 handler and thus prevent control-flow 988 00:34:46,199 --> 00:34:47,199 hijacking.
Now, QNX uses GCC's stack smashing protector implementation of stack canaries, so on the compiler side it's what we're used to in Linux or BSD, for example, and that's mostly OK. But on the operating system side of the implementation, it's all custom. And that's where the problems start, because the userspace master canary is generated at program startup when libc is loaded. Now, typically in the GCC implementation, it uses libc's stack guard setup function to regulate this. And then on various platforms they sometimes have differing implementations, but it's mostly the same on Linux, for example. QNX, however, uses a custom init cookies function. And that's where the problem lies, because again it uses a weak random number generator that draws entropy from three sources, as you can see on the bottom of the slide. It uses, again, clock cycles, and it combines this with a local stack variable address and the address of the function itself.
Now, these last two only contribute any entropy if ASLR is enabled. And again, even if ASLR is enabled, their entropy relies on the clock cycles as well. So we decided to evaluate the canary entropy across three configurations: without ASLR, with ASLR but without position independent executables, and with ASLR and with position independent executables, and found the mean entropy of the canaries on average to be 7.79 bits. And ASLR had no noticeable influence here. And this is less than ideal, because using a proper random number generator they should have had at least 24 bits of entropy if, like in this case, they include one null byte in the 32-bit canary, or, if they used a full generator, should have had 32 bits of entropy. And again, this is a problem because of brute force attacks against canaries.
In kernel space, however, the problems are even worse, because the microkernel is neither loaded nor linked against libc, so the master canary in the kernel cannot be generated by this init cookies function. So they should have implemented a master canary generation function in the kernel, but they forgot to do this. So the microkernel is protected across various functions using stack canaries, but the canary is never actually initialized, and so it is always zero, which kind of defeats the purpose of having canaries in the first place. Now, we reported these issues to BlackBerry, and they now enable canaries by default. They also generate 64-bit canaries on 64-bit operating systems.
And for userspace canaries, they mix in an ELF auxiliary vector value, based on our best practice suggestions, by taking a 64-bit random number generator value from the kernel and transporting it to the userspace process to mix in with the init cookies stuff. And in kernel space, QNX now concatenates two 32-bit kernel PRNG values during very early boot and creates a canary out of that. So basically canaries at least are fully fixed now, and that's good news for the vendors at least. That brings us to the final mitigation: relocation read-only, or RELRO. The way this works, as you can see on the right of the slide, is that dynamically linked binaries use relocations for the runtime lookup of symbols in shared libraries. So if you have a function during runtime and you have it in a shared library, once you hit that function, it will be looked up and the address will be stored in the global offset table.
Now, for obvious reasons, this relocation data is a popular target for overwriting to hijack control flow, mostly because these addresses tend to be static regardless of ASLR, and because of the fact, obviously, that once the control flow hits that particular function, then you can hijack control flow. In order to mitigate this, partial RELRO was invented, which works by reordering the internal data sections and making them precede the program data sections, and then making them read-only after relocations have been done. So attackers during runtime can no longer overwrite these entries. Now, the problem here is because of something called lazy binding. Lazy binding means that most of these symbols won't be looked up at program load time, but during program runtime, and as a result the global offset table will remain writable during runtime. Now, with full RELRO, you have to make sure that this does not happen. How do they do that?
They do it by disabling lazy binding and then making the GOT read-only at program startup. They implemented this on QNX 6, and that's very nice, but the problem is that their implementation turned out to be broken. So as you can see, on the left is what it looks like in Debian, and what it should look like. There you have all the internal data sections precede the program data sections and are covered by the RELRO segment and made read-only. On the right, you have the QNX 6.6 implementation for the same application, where you can see that only some of the internal data sections precede the program data section, and the global offset table, which is the most interesting of the overwriting targets, actually does not precede the program data section. As a result, it's not covered by the read-only segment, and regardless of your settings in your linker, you will be left vulnerable to this attack, even if RELRO has been enabled.
And the root cause of this is the fact that they did not do proper linker section reordering. In practice, it looks like this: on the left, again, you have full RELRO enabled and you can no longer write to global offset table entries. On the right you have QNX, with full RELRO enabled, and you can write to global offset table entries. So that's a broken mitigation right there. On top of that, we also found a local bypass, although, again, the LD_DEBUG environment variable turns out to have an undocumented function called imposter, which allows us to disable RELRO, for whatever reason, without any privilege checks whatsoever. And this is very nice, of course, for exploiting vulnerable setuid binaries. And as you saw in one of the first slides, there are a lot of these in the history of QNX. So this is actually very nice in practice.
Both of these issues were reported to BlackBerry and are now fixed with patches for QNX 6.6 and 7. So that's good news. That brings us to the final remarks. So we disclosed all of the issues we discussed today to BlackBerry. Most of these issues are fixed in 7, and patches are available for some of these issues on QNX 6.6, as you can see in the link at the bottom and the table that's displayed. A word of warning, though, to both defenders and attackers: most of these patches will take a long time to filter down to the original equipment manufacturers and the end users, especially for deeply embedded systems, which might be a couple of minor release versions of QNX behind. You'll have to upgrade all the way to QNX 6.6 and then apply the patches and roll out the firmware update. So these issues might be encountered for a long time in the wild.
Concluding: most of the mitigations turned out to be OK on the toolchain side, but that's mostly because they relied on GCC. Where the problems were really found, and this is not just a QNX thing but generally an embedded thing, is on the operating system side. And why is this the case? Because QNX cannot benefit directly from any work that's done in general-purpose operating system security, because it cannot be easily ported one to one from Linux or Windows to QNX, because of a very different architectural lineage. And the result is homebrewed DIY mitigations, which turn out to be not as good as you'd want them to be. And what's also really evident, if you look at these issues and other vulnerabilities that you find here, is the lack of prior attention by security researchers. A lot of vulnerabilities feel like they're from the early 2000s, and the information leaks are really evident of this.
And again, as a word of warning to many people: random number generator design remains difficult. Many of the entropy issues in the embedded world, the lack of proper entropy sources, mean that the design burden is often placed on the system integrators, regardless of the good intentions of operating system designers. On a more positive finishing note, QNX at least attempts to keep up with general-purpose operating system security, which is more than can be said of most embedded operating system vendors, which don't have any exploit mitigations whatsoever, as I discussed in my talk at this year's Hardwear.io conference. And they had a very quick and extensive vendor response, sometimes directly integrating our feedback into their new code.
And as a finishing note, I'd really like to call for more attention to embedded operating system security in general, if we ever want to hold them to the standards we hold our laptops, desktops, servers and smartphones to, which we should for things that are deployed in cars, critical infrastructure and military systems. And you can also look forward to more QNX stuff in the future from us and in Brussels. Fans of Black Hat and Infiltrate. So with that, if there's any questions, I'd like to take them now.

So. Thank you, Ali Abbasi, Jos Wetzels. And now we have some time for Q&A. You can just line up on the microphones here, here, here and back there. I got one on mic five. We'll start with you.

I probably did the very first userland and then kernel exploitation work on QNX. I feel a bit left out of one of your slides.

Oh, that was not my intention. What is your name or nickname? Thanks.
Any other questions? Oh, there, I guess.

For the issue where the canary wasn't set up properly for the kernel, was that an issue where it wasn't set up at all, or where something like it wasn't persisted or reclaimed out of thread local storage to actually be placed in the spot for it on the stack?

So the problem is that the way they implemented it is they had no initialization routine at all for the master canary. So there were references to the canary all across the microkernel, but it was never actually initialized. And because the microkernel canary was located in .bss, which was initialized to all zeros in very early boot, that means that it was predictably zero all the time. And, you know, they used it but never initialized it. So it's very predictable.

Anybody else with questions? Don't be shy, come on. Well, if there aren't any questions left, right.
Thank you very much for your talk.