Analyzing & Breaking QNX Exploit Mitigations and PRNGs for Embedded Systems

Offered By: Black Hat via YouTube

Tags

Black Hat Courses, Cybersecurity Courses, Embedded Systems Courses, Attack Surface Analysis Courses

Course Description

Overview

Explore a comprehensive analysis of QNX, a proprietary real-time operating system for embedded systems, widely used in critical devices across various industries. Delve into the intricacies of QNX's microkernel architecture, IPC message passing, attack surface, and security history. Examine the boot process, memory layout, user management, and process limitations. Investigate the quality of QNX's security-oriented PRNGs and exploit mitigations, including DEP, ASLR, stack canaries, and RELRO. Discover vulnerabilities such as rootless execution, Qnet EOP, and various information leaks. Compare the security features and weaknesses between QNX 6 and QNX 7, gaining valuable insights into the operating system's evolution and potential attack vectors in embedded systems.

Syllabus

Intro
Automotive: BlackBerry Radar
Industrial: Nuclear HMI
Defense: Military Radios QNX Secures Major Design Win in Software Defined Radio
Medical: Surgical Robots
Carrier Routers: Cisco IOS-XR
Many more critical systems
What's New?
QNX Microkernel Architecture
QNX IPC Message Passing
QNX Attack Surface
QNX Security History
Syscalls
QNX Boot Process Power on
QNX Firmware
QNX Memory Layout - Namespace - Userspace Separation
QNX User Management
QNX Process Management
QNX Process Abilities Limitations
Breaking Rootless Execution
Qnet (Native Networking / TDP)
Qnet Security
Qnet EOP Vulnerability (CVE-2017-3891)
QNX Debugging
PRNG Quality
QNX Security-Oriented PRNGs
QNX 7 /dev/random
QNX 7 Kernel PRNG
Exploit Mitigation Quality
QNX Exploit Mitigations
QNX DEP
QNX ASLR - map_find_va
QNX ASLR - stack_randomize
QNX 6 ASLR - Weak RNG
QNX 6 ASLR - Bruteforcing
QNX 6 ASLR - procfs Infoleak (CVE-2017-3892)
QNX 6 ASLR - LD_DEBUG Infoleak (CVE-2017-9369)
QNX 7 ASLR - Changes
QNX Stack Canaries
QNX 6 SSP - Weak RNG
QNX 6 SSP - Kernelspace
QNX 7 SSP - Changes
Relocation Read-Only (RELRO) to do
QNX 6 Broken RELRO (CVE-2017-3893)
QNX 6 RELRO
Patches
Conclusions
Taught by

Black Hat

Related Courses

Advanced Embedded Linux Development
University of Colorado Boulder via Coursera
Advanced Embedded Systems on Arm
Arm Education via edX
Embedded Systems Essentials with Arm
Arm Education via edX
Capstone: Autonomous Runway Detection for IoT
EIT Digital via Coursera
AWS SimuLearn: OTA Updates in Edge Devices
Amazon Web Services via AWS Skill Builder