Analyzing & Breaking QNX Exploit Mitigations and PRNGs for Embedded Systems
Offered By: Black Hat via YouTube
Course Description
Overview
Syllabus
Intro
Automotive: BlackBerry Radar
Industrial: Nuclear HMI
Defense: Military Radios QNX Secures Major Design Win in Software Defined Radio
Medical: Surgical Robots
Carrier Routers: Cisco IOS-XR
Many more critical systems
What's New?
QNX Microkernel Architecture
QNX IPC Message Passing
QNX Attack Surface
QNX Security History
Syscalls
QNX Boot Process Power on
QNX Firmware
QNX Memory Layout - Nemespace - Userspace Separation
QNX User Management
QNX Process Management
QNX Process Abilities Limitations
'Breaking' Rootless Execution
Qnet (Native Networking / TDP)
Qnet Security
Qnet EOP Vulnerability (CVE-2017-3891)
QNX Debugging
PRNG Quality
QNX Security-Oriented PRNGs
QNX 7 /dev/random
QNX 7 Kernel PRNG
Exploit Mitigation Quality
QNX Exploit Mitigations
QNX DEP
QNX ASLR - map_find_va
QNX ASLR - stack_randomize
QNX 6 ASLR - Weak RNG
QNX 6 ASLR - Bruteforcing
QNX 6 ASLR - procfs Infoleak (CVE-2017-3892)
QNX 6 ASLR - LD_DEBUG Infoleak (CVE-2017-9369)
QNX 7 ASLR - Changes
QNX Stack Canaries
QNX 6 SSP - Weak RNG
QNX 6 SSP - Kernelspace
QNX 7 SSP - Changes
Relocation Read-Only (RELRO) to do
QNX 6 Broken RELRO (CVE-2017-3893)
QNX 6 RELRO
Patches
Conclusions
Taught by
Black Hat