YoVDO

Analyzing & Breaking QNX Exploit Mitigations and PRNGs for Embedded Systems

Offered By: Black Hat via YouTube

Tags

Black Hat Courses Cybersecurity Courses Embedded Systems Courses Attack Surface Analysis Courses

Course Description

Overview

Explore a comprehensive analysis of QNX, a proprietary real-time operating system for embedded systems, widely used in critical devices across various industries. Delve into the intricacies of QNX's microkernel architecture, IPC message passing, attack surface, and security history. Examine the boot process, memory layout, user management, and process limitations. Investigate the quality of QNX's security-oriented PRNGs and exploit mitigations, including DEP, ASLR, stack canaries, and RELRO. Discover vulnerabilities such as rootless execution, Qnet EOP, and various information leaks. Compare the security features and weaknesses between QNX 6 and QNX 7, gaining valuable insights into the operating system's evolution and potential attack vectors in embedded systems.

Syllabus

Intro
Automotive: BlackBerry Radar
Industrial: Nuclear HMI
Defense: Military Radios QNX Secures Major Design Win in Software Defined Radio
Medical: Surgical Robots
Carrier Routers: Cisco IOS-XR
Many more critical systems
What's New?
QNX Microkernel Architecture
QNX IPC Message Passing
QNX Attack Surface
QNX Security History
Syscalls
QNX Boot Process Power on
QNX Firmware
QNX Memory Layout - Nemespace - Userspace Separation
QNX User Management
QNX Process Management
QNX Process Abilities Limitations
Breaking' Rootless Execution
Qnet (Native Networking / TDP)
Qnet Security
Qnet EOP Vulnerability (CVE-2017-3891)
QNX Debugging
PRNG Quality
QNX Security-Oriented PRNGs
QNX 7 /dev/random
QNX 7 Kernel PRNG
Exploit Mitigation Quality
QNX Exploit Mitigations
QNX DEP
QNX ASLR - map_find_va
QNX ASLR - stack_randomize
QNX 6 ASLR - Weak RNG
QNX 6 ASLR - Bruteforcing
QNX 6 ASLR - procfs Infoleak (CVE-2017-3892)
QNX 6 ASLR-LD DEBUG Infoleak (CVE-2017-9369)
QNX 7 ASLR - Changes
QNX Stack Canaries
QNX 6 SSP - Weak RNG
QNX 6 SSP - Kernelspace
QNX 7 SSP - Changes
Relocation Read-Only (RELRO) to do
QNX 6 Broken RELRO (CVE-2017-3893)
QNX 6 RELRO
Patches
Conclusions


Taught by

Black Hat

Related Courses

Embedded Systems - Shape The World: Microcontroller Input/Output
The University of Texas at Austin via edX Model Checking
Chennai Mathematical Institute via Swayam Introduction to the Internet of Things and Embedded Systems
University of California, Irvine via Coursera Sistemas embebidos: Aplicaciones con Arduino
Universidad Nacional Autónoma de México via Coursera Quantitative Formal Modeling and Worst-Case Performance Analysis
EIT Digital via Coursera