[langsec-discuss] Isolating code for mechanical relay control ( request for ideas )

matt matt at nycresistor.com
Wed Dec 3 17:21:58 UTC 2014


I think I agree with Alex fundamentally.  I think the only sane solution
here is to put something small like an at-tiny in line with the relay
controls and have it act as an isolated watchdog.  where it can cut the
rest of the logic out of the loop.  The trick is I'll probably want the
watchdog circuit to fail open, and prevent the rest of the logic from being
able to access mechanical relays... on a positive note, I SHOULD be able to
have that alert on the watchdog failure ( temp sensors will detect a
failure by the condensor to cool ).

this kind of sucks for any major manufacturer due to added costs.  but I am
beginning to think they should just eat the cost, and promote safety.

On Wed, Dec 3, 2014 at 10:34 AM, Alex Kropivny <alex.kropivny at gmail.com>
wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> As a rule, sandboxing code within a low cost microprocessor is
> hard/"interesting". There are fun avenues to experiment in (minimal
> VM/Forth/interpreter with guarded memory access primitives, or an nacl
> equivalent, or something with OTP ROM) but they are all standalone
> projects, not week long hacks you can embed into another project.
>
> To get an idea of the effort these techniques require, see:
>
> 1. the prevalence of feature creep in sandbox VMs, leading to easy escapes
> via peek/poke primitives being provided or low quality exploitable code
> attached.
>
> 2. the work that was put into testing nacl for unforeseen instruction edge
> cases, in addition to and outside of the analysis that the initial proof of
> safety covered.
>
> 3. Various public bypasses of manufacturer IP-protection sandboxes, like
> trustzone or the AVR BootJacker hack (which involves ROP with a clock-cycle
> granular return via a hardware timer interrupt.) BootJacker is an example
> that breaks most low end IP protection schemes that block memory reads from
> outside the region but allow jumps.
>
> In short, in-processor sandboxing is a fun topic. *However, for getting
> work done, you are better off drawing a security boundary outside the
> processor.*
>
> A low cost processor implementing a simple protocol (that does not include
> remote code exec/firmware upgrade functionality!) can be a *very* hard
> target remotely.
>
> Local access to the chip will always result in code exec. However, if
> you're trying to protect a condensor from damage, local access with a
> crowbar would result in worse. Против лома нет приема!
>
>
>
>
> On December 2, 2014 8:06:40 PM PST, travis+ml-langsec at subspacefield.org
> wrote:
> >On Tue, Dec 02, 2014 at 02:09:25PM -0500, matt wrote:
> >> As with many things that involve mechanical relays, there are safety
> >> concerns.  For one, rapidly toggling a relay can break it.  However,
> >the
> >> risks can grow rather greatly in the case of something like a
> >refrigeration
> >> condensor.  In the event someone were to compromise the refrigerators
> >> programming or otherwise induce a scenario of the relay closing the
> >loop
> >> indefinitely, on many refrigeration units this could potentially
> >cause
> >> irreparable harm to the condensor, and even potentially ( however
> >unlikely
> >> ) start a fire.  There are hardware work arounds, which are a good
> >and
> >> necessary safeguard, such as directly cutting power to the condensor
> >based
> >> off of a thermal sensor and/or timer hardwired into the circuit and
> >kept
> >> isolated from the programatic logic of the appliance.
> >>
> >> However, this raised a point.  Is there a way to isolate an area of
> >code
> >> and ensure that it cannot be replaced, impeded, or otherwise changed
> >in the
> >> carrying out of it's duties.  In short, in software is there a way to
> >> isolate the logic controlling the mechanical relays from any
> >potential
> >> intruder?  I immediately thought of tpm as a potential vector to a
> >> solution, however no tpm on your average low power supporting MCU.
> >
> >First thoughts are:
> >
> >Python is a pretty good language to write that in, and you're probably
> >okay if the Web API cannot be abused (the OWASP Top 10).  However,
> >since Python loads the program into (RAM) memory and executes it, that
> >area is mutable and can bypass read-only program security (mentioned
> >later).
> >
> >Your biggest risk is going to be outdated platform.  In my experience,
> >embedded Linux is a PITA and you should really consider something very
> >popular like ARM-kirkwood (e.g. OpenRD) with a well-supported Linux
> >distribution (debian, arch, emdebian, gento, ubuntu), because your
> >trivially exploitable vulnerabilities will be in (for example) an
> >outdated OpenSSL library on the distro.  IOW, how long will it take
> >you to update OpenSSL if it has a major POODLE-style bug?  As a side
> >benfit, you're less likely to run into kernel bugs or boot loader bugs
> >that prevent your system from working entirely.
> >
> >BTW, learn uBoot.  GRUB doesn't exist in embedded.
> >
> >1) Your problem is the same problem the iphones have.  They don't want
> >   unauthorized manipualation of the radio unit, SMS, etc.  They use
> >   some complicated protection systems, including DEP, ASLR, and
> >   signed code updates.  It has undergone several revolutions; the
> >   first iPhone hacks had to do with a flaw in how the code update was
> >   handled in microcode.  Not all may be possible in a MCU, since it
> >   may not have a MMU.
> >
> >2) Your problem is completely identical to the industrial control
> >   (SCADA) security problem, only significantly smaller.  You can
> >   probably read up on what they recommend; every recent DEFCON and
> >   BlackHat has at least one talk on this hot topic, and you can
> >   probably search SCADA security and visually grep for IOActive,
> >   iSecPartners, Cigital, Symantec, Neohapsis, and other security
> >   consulting firm names.
> >
> >3) The Harvard architecture does not allow for software updates
> >   to program memory:
> >   http://en.wikipedia.org/wiki/Harvard_architecture
> >
> >   You might not be likely to find this in a MCU, but you might get a
> >   close approximation by running out of ROM, or some kind of flash or
> >   EEPROM that cannot be triggered from software.  Note that if it
> >   caches ROM in RAM and it's a von Neumann architecture you've gained
> >   nothing, but that was a 1980s/90s feature for slow ROMs, probably
> >   not required with flash.
> >
> >   Obviously the control over rewriting flash is something that has to
> >   be audited.
> >
> >   If you have any function pointers from RAM into ROM, such as an
> >   interrupt table, that is an entry point that should be reviewed;
> >   being able to "write void* anywhere" will allow one to overwrite
> >   such a table, unless it is protected by MMU or like.
> >
> >   IIRC, MIPS = no MMU.  ARM = MMU.  Anything else, probably none.
> >
> >   But if you're running Unix there's probably no hope of this
> >   working.
> >
> >4) You could use something like SELinux or RSBAC to limit what
> >   legitimate processes can do.  Totally bypassed by kernel bugs.
> >
> >Basically, your defense for a von Neumann system is:
> >
> >0) Hardware protection
> >1) Web Sec (OWASP Top 10 Defenses)
> >2) Updated platform
> >3) Process privilege limitation (e.g. SELinux) which
> >   is totally bypassable with sufficient creativity,
> >   or an unpatched kernel bug.
> >
> >Alternately, you could try a non-mutable program (OS?), but it seems
> >unlikely to be comptable with Unix.  There may be other kinds of
> >unusual
> >setups that aren't feasible developemnt environments for you but would
> >solve it.
> -----BEGIN PGP SIGNATURE-----
> Version: APG v1.1.1
>
> iQJTBAEBCgA9BQJUfy1/NhxBbGV4IEtyb3Bpdm55IChwaG9uZSBlbWFpbCkgPGFs
> ZXgua3JvcGl2bnlAZ21haWwuY29tPgAKCRD0DYZCY+gtvCGoEACas6+JImS8Rl1M
> yyfz+A7ifuF0jRdaZ7vn46U1ipylkK4ozl91rq51e2dQnsOua6N6cORD3ZrUihVt
> kCQS3ExgvJ66r2wyGL3UvKV0DdmYkh5el8TlYpqBDw1LyQ/KAarXT9Ov8ic+xxuH
> /VmhfdRLg4Ax9q2PSUjIY23RYVL7NkVYscREr/Ehe/j4zdOGw9l4eAQjE2rOe8LX
> KZYghdHc0XIpYsG66tug/L4WANzuxj44kcLh191B15lKVHzAxHf8fzAJ1FW4hN8U
> KXzSJbYF6qgnbBzdfX2PGLJPrILqf6sYy+q19ZtTwPoQ2jOcJ+AjZGubn6GDoyP+
> oDVrdSUBrkshwmJ6ZTIcM2I5taBCdt+p2tiQh5+BXS8u8068wZksZmlg4Iqzxcye
> 48Oim8aTKZYEk4wYnwsFepBrjR0JWcPbXRkJ/ICYr0k/gKAza5WqNRqK/jkv8278
> 85C/ZDpdFMasf3U/609ip4064Lg0DstCEXzaMrWQEx2/cnnkg6IDuno6xAOQbOV5
> THOTo7ANlfYfNToN9pqOyhgZe1oTTDvQ9tg3ETgENniZtjsrWpoKgUnous3CE0M6
> cKjMFbKmT3xkskKdtTbrOhSUOUNi9f2XE4mCyUBArF/N51+cp9nV8kau4bFITlk5
> vapLjGenYZdSg33TUeWywATyDwwePg==
> =4/Tb
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> langsec-discuss mailing list
> langsec-discuss at mail.langsec.org
> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.langsec.org/pipermail/langsec-discuss/attachments/20141203/8a2ea420/attachment-0001.html>


More information about the langsec-discuss mailing list