[langsec-discuss] Isolating code for mechanical relay control ( request for ideas )

Alex Kropivny alex.kropivny at gmail.com
Wed Dec 3 15:34:24 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

As a rule, sandboxing code within a low cost microprocessor is hard/"interesting". There are fun avenues to experiment in (minimal VM/Forth/interpreter with guarded memory access primitives, or an nacl equivalent, or something with OTP ROM) but they are all standalone projects, not week long hacks you can embed into another project.

To get an idea of the effort these techniques require, see:

1. the prevalence of feature creep in sandbox VMs, leading to easy escapes via peek/poke primitives being provided or low quality exploitable code attached.

2. the work that was put into testing nacl for unforeseen instruction edge cases, in addition to and outside of the analysis that the initial proof of safety covered.

3. Various public bypasses of manufacturer IP-protection sandboxes, like trustzone or the AVR BootJacker hack (which involves ROP with a clock-cycle granular return via a hardware timer interrupt.) BootJacker is an example that breaks most low end IP protection schemes that block memory reads from outside the region but allow jumps.

In short, in-processor sandboxing is a fun topic. *However, for getting work done, you are better off drawing a security boundary outside the processor.*

A low cost processor implementing a simple protocol (that does not include remote code exec/firmware upgrade functionality!) can be a *very* hard target remotely.

Local access to the chip will always result in code exec. However, if you're trying to protect a condensor from damage, local access with a crowbar would result in worse. Против лома нет приема!




On December 2, 2014 8:06:40 PM PST, travis+ml-langsec at subspacefield.org wrote:
>On Tue, Dec 02, 2014 at 02:09:25PM -0500, matt wrote:
>> As with many things that involve mechanical relays, there are safety
>> concerns.  For one, rapidly toggling a relay can break it.  However,
>the
>> risks can grow rather greatly in the case of something like a
>refrigeration
>> condensor.  In the event someone were to compromise the refrigerators
>> programming or otherwise induce a scenario of the relay closing the
>loop
>> indefinitely, on many refrigeration units this could potentially
>cause
>> irreparable harm to the condensor, and even potentially ( however
>unlikely
>> ) start a fire.  There are hardware work arounds, which are a good
>and
>> necessary safeguard, such as directly cutting power to the condensor
>based
>> off of a thermal sensor and/or timer hardwired into the circuit and
>kept
>> isolated from the programatic logic of the appliance.
>>
>> However, this raised a point.  Is there a way to isolate an area of
>code
>> and ensure that it cannot be replaced, impeded, or otherwise changed
>in the
>> carrying out of it's duties.  In short, in software is there a way to
>> isolate the logic controlling the mechanical relays from any
>potential
>> intruder?  I immediately thought of tpm as a potential vector to a
>> solution, however no tpm on your average low power supporting MCU.
>
>First thoughts are:
>
>Python is a pretty good language to write that in, and you're probably
>okay if the Web API cannot be abused (the OWASP Top 10).  However,
>since Python loads the program into (RAM) memory and executes it, that
>area is mutable and can bypass read-only program security (mentioned
>later).
>
>Your biggest risk is going to be outdated platform.  In my experience,
>embedded Linux is a PITA and you should really consider something very
>popular like ARM-kirkwood (e.g. OpenRD) with a well-supported Linux
>distribution (debian, arch, emdebian, gento, ubuntu), because your
>trivially exploitable vulnerabilities will be in (for example) an
>outdated OpenSSL library on the distro.  IOW, how long will it take
>you to update OpenSSL if it has a major POODLE-style bug?  As a side
>benfit, you're less likely to run into kernel bugs or boot loader bugs
>that prevent your system from working entirely.
>
>BTW, learn uBoot.  GRUB doesn't exist in embedded.
>
>1) Your problem is the same problem the iphones have.  They don't want
>   unauthorized manipualation of the radio unit, SMS, etc.  They use
>   some complicated protection systems, including DEP, ASLR, and
>   signed code updates.  It has undergone several revolutions; the
>   first iPhone hacks had to do with a flaw in how the code update was
>   handled in microcode.  Not all may be possible in a MCU, since it
>   may not have a MMU.
>
>2) Your problem is completely identical to the industrial control
>   (SCADA) security problem, only significantly smaller.  You can
>   probably read up on what they recommend; every recent DEFCON and
>   BlackHat has at least one talk on this hot topic, and you can
>   probably search SCADA security and visually grep for IOActive,
>   iSecPartners, Cigital, Symantec, Neohapsis, and other security
>   consulting firm names.
>
>3) The Harvard architecture does not allow for software updates
>   to program memory:
>   http://en.wikipedia.org/wiki/Harvard_architecture
>
>   You might not be likely to find this in a MCU, but you might get a
>   close approximation by running out of ROM, or some kind of flash or
>   EEPROM that cannot be triggered from software.  Note that if it
>   caches ROM in RAM and it's a von Neumann architecture you've gained
>   nothing, but that was a 1980s/90s feature for slow ROMs, probably
>   not required with flash.
>
>   Obviously the control over rewriting flash is something that has to
>   be audited.
>
>   If you have any function pointers from RAM into ROM, such as an
>   interrupt table, that is an entry point that should be reviewed;
>   being able to "write void* anywhere" will allow one to overwrite
>   such a table, unless it is protected by MMU or like.
>
>   IIRC, MIPS = no MMU.  ARM = MMU.  Anything else, probably none.
>
>   But if you're running Unix there's probably no hope of this
>   working.
>
>4) You could use something like SELinux or RSBAC to limit what
>   legitimate processes can do.  Totally bypassed by kernel bugs.
>
>Basically, your defense for a von Neumann system is:
>
>0) Hardware protection
>1) Web Sec (OWASP Top 10 Defenses)
>2) Updated platform
>3) Process privilege limitation (e.g. SELinux) which
>   is totally bypassable with sufficient creativity,
>   or an unpatched kernel bug.
>
>Alternately, you could try a non-mutable program (OS?), but it seems
>unlikely to be comptable with Unix.  There may be other kinds of
>unusual
>setups that aren't feasible developemnt environments for you but would
>solve it.
-----BEGIN PGP SIGNATURE-----
Version: APG v1.1.1

iQJTBAEBCgA9BQJUfy1/NhxBbGV4IEtyb3Bpdm55IChwaG9uZSBlbWFpbCkgPGFs
ZXgua3JvcGl2bnlAZ21haWwuY29tPgAKCRD0DYZCY+gtvCGoEACas6+JImS8Rl1M
yyfz+A7ifuF0jRdaZ7vn46U1ipylkK4ozl91rq51e2dQnsOua6N6cORD3ZrUihVt
kCQS3ExgvJ66r2wyGL3UvKV0DdmYkh5el8TlYpqBDw1LyQ/KAarXT9Ov8ic+xxuH
/VmhfdRLg4Ax9q2PSUjIY23RYVL7NkVYscREr/Ehe/j4zdOGw9l4eAQjE2rOe8LX
KZYghdHc0XIpYsG66tug/L4WANzuxj44kcLh191B15lKVHzAxHf8fzAJ1FW4hN8U
KXzSJbYF6qgnbBzdfX2PGLJPrILqf6sYy+q19ZtTwPoQ2jOcJ+AjZGubn6GDoyP+
oDVrdSUBrkshwmJ6ZTIcM2I5taBCdt+p2tiQh5+BXS8u8068wZksZmlg4Iqzxcye
48Oim8aTKZYEk4wYnwsFepBrjR0JWcPbXRkJ/ICYr0k/gKAza5WqNRqK/jkv8278
85C/ZDpdFMasf3U/609ip4064Lg0DstCEXzaMrWQEx2/cnnkg6IDuno6xAOQbOV5
THOTo7ANlfYfNToN9pqOyhgZe1oTTDvQ9tg3ETgENniZtjsrWpoKgUnous3CE0M6
cKjMFbKmT3xkskKdtTbrOhSUOUNi9f2XE4mCyUBArF/N51+cp9nV8kau4bFITlk5
vapLjGenYZdSg33TUeWywATyDwwePg==
=4/Tb
-----END PGP SIGNATURE-----



More information about the langsec-discuss mailing list