On Sep 22, 2011, at 8:46 PM, Dave Aitel wrote:

> In this paper John Regehr who is a professor of Computer Science in like, 
> Utah or something, wrote about integer overflows 
> http://blog.regehr.org/archives/59 , and it's great!

Quick link correction, Dave:

http://blog.regehr.org/archives/593

> It's funny and a good read, and frankly, that's the bar for success these 
> days from Academia. :>
> 
> But in all seriousness, one thing that came up yesterday on the paper review 
> concall is that there are a lot of good, academic talks we'd like to see at 
> INFILTRATE[1]. There's no reason every talk has to be about 0days or heap 
> internals. Most of the work we are all doing is on solving bigger problems. 
> Maybe our theme should be "If you solved it for Mudge you should come talk 
> about it at INFILTRATE over mojitos!" 

I'm not sure how many of you have read the recent work done by a joint UW and 
UCSD research team on the attack surface of automobiles [1]. I remember some 
snide remarks about academics not being able to write proper exploits -- or 
rather, seldom being motivated enough to go through with it. Albeit being in 
the embedded space and hence not having to deal with mitigations, unlike 
other academic papers I've recently seen, the authors of [1] do not take 
prisoners:

"To be clear, for every vulnerability we demonstrate, we are able to obtain 
complete control over the vehicle’s systems. We did not explore weaker attacks."

To cut to the biggest bag of lulz, jump right ahead to section 4.4, a 
telematics unit that was exploited "by manually dialing our car on an office 
phone and then playing this “song” [modulated post-authentication exploit 
payload] into the phone’s microphone". From the description of things, 
I'd guess this telematics unit to be running QNX (because of the LD_PRELOAD 
trick and the mentioning of "a variant of Linux" -- I guess they mean 
Linux-compatible here, something QNX has been touted as for a while). To 
achieve this they had to reverse-engineer the proprietary aqLink protocol (no, 
that box doesn't use SMS or data connections for the initial call-in). Not only 
that, but they get massive style points for writing and running their own IRC 
bot on the telematics unit that can pass on messages to the CAN bus. (can you 
say /msg davescar auths3cr3t brakeandswerve ?) Just as cute are the WMA files 
on CDs ("hey Dave, here's some fresh tunes for your drive back!") that pop your 
car or the wirelessly propagating malware for PassThru devices (diagnostic 
testers).

This group has been the first to push serious offensive research in the 
automotive context, but given the hilariously bad state of security in that 
industry you can bet there have been others who have achieved similar results 
but have not published them...

Cheers,
Ralf

[1] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage,
    K. Koscher, A. Czeskis, F. Roesner, T. Kohno:
    Experimental Security Analysis of a Modern Automobile
    20th USENIX Security Symposium, San Francisco, August 10-12, 2011
    http://www.autosec.org/pubs/cars-usenixsec2011.pdf

_______________________________________________
Dailydave mailing list
https://lists.immunityinc.com/mailman/listinfo/dailydave