DOCSLIB.ORG

LBM: a Security Framework for Peripherals Within the Linux Kernel

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

LBM: A Security Framework for Peripherals within the Linux Kernel Dave (Jing) Tian∗, Grant Hernandez∗, Joseph I. Choi∗, Vanessa Frost∗, Peter C. Johnsony, Kevin R. B. Butler∗ ∗University of Florida {daveti, grant.hernandez, choijoseph007, vfrost, butler}@ufl.edu yMiddlebury College [email protected] Abstract—Modern computer peripherals are diverse in their However, with this virtually unconstrained functionality capabilities and functionality, ranging from keyboards and print- comes the threat of malicious devices that can compromise ers to smartphones and external GPUs. In recent years, periph- computer systems in myriad ways. The BadUSB attack [62] erals increasingly connect over a small number of standardized communication protocols, including USB, Bluetooth, and NFC. allows attackers to add functionality allowed by the USB pro- The host operating system is responsible for managing these tocol to device firmware with malicious intent. For example, devices; however, malicious peripherals can request additional a BadUSB flash drive presents not only expected behavior functionality from the OS resulting in system compromise, or of a storage device when plugged into a computer, but also can craft data packets to exploit vulnerabilities within OS registers keyboard functionality to allow it to inject malicious software stacks. Defenses against malicious peripherals to date only partially cover the peripheral attack surface and are limited keystrokes with the aim of gaining administrative privilege. to specific protocols (e.g., USB). In this paper, we propose Other examples of malicious USB functionality include charg- Linux (e)BPF Modules (LBM), a general security framework ers that can inject malware into iOS devices [51], or take that provides a unified API for enforcing protection against control of Android devices via AT commands [78]. Bluetooth malicious peripherals within the Linux kernel. LBM leverages peripherals are also vulnerable: the BlueBorne attack [11] the eBPF packet filtering mechanism for performance and extensibility and we provide a high-level language to facilitate the allows remote adversaries to craft Bluetooth packets that will development of powerful filtering functionality. We demonstrate cause a kernel stack overflow and enable privilege escalation, how LBM can provide host protection against malicious USB, while BleedingBit [12] exploits a stack overflow within the Bluetooth, and NFC devices; we also instantiate and unify existing Texas Instruments Bluetooth Low Energy (BLE) stack. We defenses under the LBM framework. Our evaluation shows that observe that malicious peripherals launch attacks in one of two the overhead introduced by LBM is within 1 µs per packet in most cases, application and system overhead is negligible, ways, either by (1) sending unexpected packets (I/O requests and LBM outperforms other state-of-the-art solutions. To our or responses) to activate extra functionality enabled by the knowledge, LBM is the first security framework designed to operating system, or by (2) crafting specially formed packets provide comprehensive protection against malicious peripherals (either legitimate or malformed) to exploit vulnerabilities within the Linux kernel. within the operating system’s protocol software stack. Current defenses against malicious peripherals are not I. INTRODUCTION comprehensive and are limited in scope. USBFILTER [79] Computer peripherals provide critical features to facilitate applies user-defined rules to USB packet filtering within the system use. The broad adoption of computers can be traced Linux kernel, but fails to prevent exploitation from malformed not only to the reduction in cost and size from mainframe packets. USBFirewall [43], on the other hand, provides bit- to microcomputer, but to the interactivity afforded by devices level protection by parsing individual incoming USB packets, such as keyboards and mice. Displays, printers, and scanners but offers limited support for user-defined filtering rules. Apple have become integral parts of the modern office environ- recently added USB restricted mode in iOS 11.4, shutting ment. Nowadays, smartphones and tablets can not only act down USB data connections after the device stays locked for as peripherals to a host computer, but can themselves support an hour [84], but this restriction can be bypassed [2]. Not only peripherals that attach to them. do these defenses lack comprehensive coverage, but they often The scope of functionality that peripherals can contain is focus primarily or solely on USB, providing no protection almost limitless, but the methods of connecting them to host against peripherals using other interfaces. computers have converged to a few select standards, such In this paper, we propose Linux (e)BPF Modules (LBM), as USB [10] for wired connections and Bluetooth [15] for a general security framework that provides a unified API for wireless. As a result, most modern operating systems provide enforcing protection against malicious peripherals within the support for these standards (and the peripherals that use them) Linux kernel. LBM requires only a single hook for incoming by default, implementing the respective software stacks inside and outgoing peripheral data to be placed in each peripheral the kernel and running different device drivers to support subsystem, and modules for filtering specific peripheral packet various classes of peripherals. types (e.g., USB request blocks or Bluetooth socket buffers) can then be developed. Importantly for performance and discusses additional dimensions of our work; Section VII extensibility, we leverage the Extended BSD Packet Filter explains limitations of our work; Section VIII summarizes (eBPF) mechanism [25], which supports loading of filter related work; and Section IX concludes. programs from user space. Unlike previous solutions, LBM is II. BACKGROUND designed to be a general framework suitable for any peripheral protocol. As a result, existing solutions such as USBFIL- A. Peripheral Security TER and USBFirewall can be easily instantiated using LBM. USB. The Universal Serial Bus (USB) has been around since Moreover, new peripherals can be easily supported by adding 1996 with the release of the version 1.0 specification [23]. extensions into the LBM core framework. To demonstrate the USB emerged to provide a single, ubiquitous means to connect generality and flexibility of LBM, we have fully instantiated peripherals that would support a variety of applications with USBFILTER and USBFirewall using the LBM framework, different performance requirements. Since its inception, USB developed hooks for the Bluetooth Host Control Interface has undergone many revisions (1.1, 2.0, 3.0, 3.1, and most (HCI) and Logical Link and Adaptation Protocol (L2CAP) recently 3.2 and Type-C). The set of supported peripheral layers, and demonstrated a hook mechanism for the Near-Field devices expanded with each version, and the current USB Communication (NFC) protocol. Our evaluation shows that the version 3.2 [10] supports a data transfer rate of 20 Gbits per general overhead introduced by LBM is within 1 µs per packet second, much improved over the 12 Mbits per second of v1.0. across different peripherals in most cases; the application and Numerous attacks have been demonstrated by vulnerable system benchmarks demonstrate a negligible overhead from or malicious USB peripherals. BadUSB [62] attacks work LBM; and LBM has a better performance when compared to by altering the firmware of USB devices so they register as other state-of-the-art solutions. deceptive device types when plugged into a machine. For We summarize our contributions1 below: example, a USB mass storage device could masquerade as • Design and implement LBM as a general security frame- a keyboard to gain the ability to inject malicious keystrokes. work to defend against malicious peripherals. The LBM A malicious USB charger can inject malware into iOS de- core is designed as a high-performance packet filtering vices [51] or take full control of Android devices via AT framework based on eBPF. LBM hooks are provided to commands [78]. MouseJack [61] affects wireless mice and extend support for different peripheral subsystems. keyboards that communicate with a computer through a USB • Develop a high-level filter language to facilitate writing dongle. An adversary may inject keystrokes by spoofing either LBM rules. Users can write LBM rules in a high-level, a mouse or keyboard, and in some cases may even pair a fake PCAP-like language to apply different policies to periph- keyboard with a victim’s dongle. eral data packets, to avoid having to write filters in the More vulnerabilities with the USB protocol stack and complex, low-level BPF assembly language. Our user- device drivers have been identified with the help of tools space LBMTOOL utility translates LBM rules into eBPF such as FaceDancer [30] and syzkaller [31]. On one hand, instructions and loads them into the LBM core. these vulnerabilities are mostly implementation bugs within • Develop support for USB, Bluetooth, and NFC in LBM. the software stack. On the other hand, malicious USB We extend LBM to support multiple peripheral protocols devices can exploit these vulnerabilities to compromise the by exposing useful protocol fields to the user space and whole system by sending out specially-crafted USB packets. extending LBMTOOL to recognize LBM rules for differ- For a comprehensive exploration of the variety of available ent peripherals. We demonstrate LBM’s extensibility by USB
Recommended publications
  • The Core Difference in Your Design RX Family Software Solutions

    The Core Difference in Your Design RX Family Software Solutions

    The Core Difference in Your Design RX Family Software Solutions www.renesas.eu 2014.03 Free software from Renesas – Save time and costs in your embedded-system development project Use our proven software solutions to jump-start your embedded design, freeing up more time to focus on your application code. We offer software libraries and hundreds of sample programs for the microcontrollers in our advanced RX family – code that has been thoroughly developed, debugged, and tested by application engineers. Documentation explains how the code works. See below for a sampling of some of our software solutions. For a complete list, go to: www.renesas.eu/support/software/index.jsp MCU Series Connectivity Software App Note RX100 RX200 RX600 To add Ethernet, USB, or CAN connectivity to your system design, just select an RX600-series TCP/IP (HTTP, FTP, DNS, DHCP) R20AN0051EJ0106 4 MCU and download reliable code for the standard formats LibUSB (simple comm. w/out 4 you need. If it comes to USB only, RX100 and RX200 would be class spec) R01AN0492EJ0200 providing excellent solutions. USB HID (Device) R01AN0401EJ0200 4 USB HID (Host) R01AN0399EJ0200 4 USB MSC (Device) R01AN0514EJ0200 4 USB MSC (Host) R01AN0513EJ0200 4 USB CDC (Device) R01AN0273EJ0200 4 USB CDC (Host) R01AN0275EJ0200 4 CAN API R01AN0339EU0203 4 USB (Device/Host) R01AN1670EJ0100 4 USB MSC (Host) R01AN0624EJ0210 4 USB MSC (Device) R01AN0710EJ0211 4 USB HID (Device) R01AN0546EJ0211 4 USB HID (Host) R01AN0664EJ0211 4 USB CDC (Host) R01AN0643EJ0211 4 USB CDC (Device) R01AN0555EJ0211 4 MCU Series Graphics Software App Note RX100 RX200 RX600 RX600-series MCUs integrate an external DMA 4 controller that enables cost-effective direct-drive Graphics Library *Contact Sales graphics implementations.
  • UG1046 Ultrafast Embedded Design Methodology Guide

    UG1046 Ultrafast Embedded Design Methodology Guide

    UltraFast Embedded Design Methodology Guide UG1046 (v2.3) April 20, 2018 Revision History The following table shows the revision history for this document. Date Version Revision 04/20/2018 2.3 • Added a note in the Overview section of Chapter 5. • Replaced BFM terminology with VIP across the user guide. 07/27/2017 2.2 • Vivado IDE updates and minor editorial changes. 04/22/2015 2.1 • Added Embedded Design Methodology Checklist. • Added Accessing Documentation and Training. 03/26/2015 2.0 • Added SDSoC Environment. • Added Related Design Hubs. 10/20/2014 1.1 • Removed outdated information. •In System Level Considerations, added information to the following sections: ° Performance ° Clocking and Reset 10/08/2014 1.0 Initial Release of document. UltraFast Embedded Design Methodology Guide Send Feedback 2 UG1046 (v2.3) April 20, 2018 www.xilinx.com Table of Contents Chapter 1: Introduction Embedded Design Methodology Checklist. 9 Accessing Documentation and Training . 10 Chapter 2: System Level Considerations Performance. 13 Power Consumption . 18 Clocking and Reset. 36 Interrupts . 41 Embedded Device Security . 45 Profiling and Partitioning . 51 Chapter 3: Hardware Design Considerations Configuration and Boot Devices . 63 Memory Interfaces . 69 Peripherals . 76 Designing IP Blocks . 94 Hardware Performance Considerations . 102 Dataflow . 108 PL Clocking Methodology . 112 ACP and Cache Coherency. 116 PL High-Performance Port Access. 120 System Management Hardware Assistance. 124 Managing Hardware Reconfiguration . 127 GPs and Direct PL Access from APU . 133 Chapter 4: Software Design Considerations Processor Configuration . 137 OS and RTOS Choices . 142 Libraries and Middleware . 152 Boot Loaders . 156 Software Development Tools . 162 UltraFast Embedded Design Methodology GuideSend Feedback 3 UG1046 (v2.3) April 20, 2018 www.xilinx.com Chapter 5: Hardware Design Flow Overview .
  • Rii Mini [Bluetooth]

    Rii Mini [Bluetooth]

    Ultra Slim Bluetooth keyboard User’s Manual Ver:ZW-53001BT (MWK09)1.1 Contents 1、Introduction 2、Hardware Installation 3、Software Setup Microsoft Windows Mobile OS Google Android OS Symbian OS Windows OS (with IVT Bluetooth Stack) Windows OS (Broadcom Bluetooth Stack) Linux(Ubuntu) 4、Product overview 5、Technical parameters 6、Maintenance 1、Introduction Thank you for purchasing the Ultra Slim Bluetooth Keyboard! You can use it for emails, chat, or to enjoy your favorite games. It is compatible with desktop computers running Windows or Linux but also with handhelds running Android, Windows Mobile Pocket PCs or Symbian S60 Operating systems. It also supports the Sony Playstation3. Use it with your HTPC on your Sofa or browse the internet in the most comfortable fashion. Computer System Requirements Windows 98/ME/2000/XP/Vista/7 Mac OS 10.2.8 or Later Mobile System Requirements Google Android Apple IOS 4 or Later Microsoft Windows Mobile 5.0 or Later Nokia Symbian S60 System Sony Playstation 3 Package Contents: Ultra Slim Bluetooth Keyboard Bluetooth USB Dongle(Optional) Driver CD(Optional) Charging Cable User Manual 2、Hardware Setup Please Note: The battery may be empty when you first unbox the product.Make sure to charge the device before attempting to set it up Paring Mode 1. Turn ON the power swith,the green LED will illuminate for 2 seconds. 2. Click on the “Bluetooth Pair/Connect”button.The green LED will blink intermittently. 3. The Keyboard is now in paring mode and is ready to be paired with your device. Recharging Connect the mini Bluetooth keyboard to your computer by using the included USB charging cable.When connected,the Red LED will illuminate and get dimmer as the battery charge level nears capacity.
  • PM0269 Bluetooth LE Stack V3.X Programming Guidelines

    PM0269 Bluetooth LE Stack V3.X Programming Guidelines

    PM0269 Programming manual Bluetooth LE stack v3.x programming guidelines Introduction The main purpose of this document is to provide developers with reference programming guidelines on how to develop a Bluetooth® Low Energy (Bluetooth LE) application using the Bluetooth LE stack v3.x family APIs and related event callbacks. The document describes the Bluetooth LE stack v3.x Bluetooth Low Energy stack library framework, API interfaces and event callbacks allowing access to the Bluetooth Low Energy functions provided by the STMicroelectronics Bluetooth Low Energy devices system-on-chip. The following Bluetooth Low Energy device supports the Bluetooth LE stack v3.x family: • BlueNRG-LP device The document also focuses on the key changes about APIs and the callback interface, Bluetooth LE stack initialization versus the Bluetooth LE stack v2.x family. This programming manual also provides some fundamental concepts about the Bluetooth Low Energy technology in order to associate the Bluetooth LE stack v3.x APIs, parameters, and related event callbacks with the Bluetooth LE protocol stack features. The user is expected to have a basic knowledge of Bluetooth LE technology and its main features. For more information about the supported devices and the Bluetooth Low Energy specifications, refer to Section 5 References at the end of this document. The manual is structured as follows: • Fundamentals of the Bluetooth Low Energy technology • Bluetooth LE stack v3.x library APIs and the event callback overview • How to design an application using the Bluetooth LE stack v3.x library APIs and event callbacks. Note: The document content is valid for all the specified Bluetooth Low Energy devices.
  • Linux Kernal II 9.1 Architecture

    Linux Kernal II 9.1 Architecture

    Page 1 of 7 Linux Kernal II 9.1 Architecture: The Linux kernel is a Unix-like operating system kernel used by a variety of operating systems based on it, which are usually in the form of Linux distributions. The Linux kernel is a prominent example of free and open source software. Programming language The Linux kernel is written in the version of the C programming language supported by GCC (which has introduced a number of extensions and changes to standard C), together with a number of short sections of code written in the assembly language (in GCC's "AT&T-style" syntax) of the target architecture. Because of the extensions to C it supports, GCC was for a long time the only compiler capable of correctly building the Linux kernel. Compiler compatibility GCC is the default compiler for the Linux kernel source. In 2004, Intel claimed to have modified the kernel so that its C compiler also was capable of compiling it. There was another such reported success in 2009 with a modified 2.6.22 version of the kernel. Since 2010, effort has been underway to build the Linux kernel with Clang, an alternative compiler for the C language; as of 12 April 2014, the official kernel could almost be compiled by Clang. The project dedicated to this effort is named LLVMLinxu after the LLVM compiler infrastructure upon which Clang is built. LLVMLinux does not aim to fork either the Linux kernel or the LLVM, therefore it is a meta-project composed of patches that are eventually submitted to the upstream projects.
  • Hdcp Support in Optee

    Hdcp Support in Optee

    HDCP SUPPORT IN OPTEE PRODUCT PRESENTATION Linaro Multimedia Working Group MICR ADVANCED TECHNOLOGIES • https://www.linaro.org/ SEPTEMBER 2019 Agenda • Quick introduction to HDCP • Secure Video Path overview • Current HDCP control in Linux • Proposal to control HDCP in OPTEE • Questions HDCP OVERVIEW 3 HDCP : High bandwidth Digital Content Protection • A digital copy protection developed by Intel™ to prevent copying of digital and audio video content. Before sending data, the source device shall check the destination device is authorized to received it. If so, the source device encrypts the data, only the destination device can decrypt. - data encryption - prevent non-licensed devices from receiving content • Android and Linux NXP bsp manage HDCP at Linux Level, through libDRM. So nothing prevent a user to disable HDCP protection while secure content is under playback. It is a security holes in the Secure Video Path. • HDCP support currently under development for wayland/Weston: https://gitlab.freedesktop.org/wayland/weston/merge_requests/48 • No Open Source solution exists to manage HDCP in secure mode. • HDCP versions: ▪ HDCP 1.X: Hacked: Master key published (leak/reverse engineering) ▪ HDCP 2.0: Hacked before release ▪ HDCP 2.1: Hacked before release ▪ HDCP 2.2: Not yet hacked 4 ▪ HDCP 2.3: Not yet hacked HDCP control state Machine Content with HDCP protection mandatory no yes Local display Local display yes no yes no Video displayed Video displayed without HDCP Digital Display without HDCP Digital Display encryption encryption yes no yes no It means we have analog display Video displayed Video displayed HDCP supported without HDCP HDCP supported without HDCP encryption encryption yes no yes no Video displayed Video displayed without Widevine/PlayReady To Video not displayed Application to decide if HDCP check current HDCP version Application to display a Warning 5 HDCP encryption message HDCP Unauthorized, encryption to be used >= expected HDCP version Content Disabled.' Error.
  • A Simplified Graphics System Based on Direct Rendering Manager System

    A Simplified Graphics System Based on Direct Rendering Manager System

    J. lnf. Commun. Converg. Eng. 16(2): 125-129, Jun. 2018 Regular paper A Simplified Graphics System Based on Direct Rendering Manager System Nakhoon Baek* , Member, KIICE School of Computer Science and Engineering, Kyungpook National University, Daegu 41566, Korea Abstract In the field of computer graphics, rendering speed is one of the most important factors. Contemporary rendering is performed using 3D graphics systems with windowing system support. Since typical graphics systems, including OpenGL and the DirectX library, focus on the variety of graphics rendering features, the rendering process itself consists of many complicated operations. In contrast, early computer systems used direct manipulation of computer graphics hardware, and achieved simple and efficient graphics handling operations. We suggest an alternative method of accelerated 2D and 3D graphics output, based on directly accessing modern GPU hardware using the direct rendering manager (DRM) system. On the basis of this DRM support, we exchange the graphics instructions and graphics data directly, and achieve better performance than full 3D graphics systems. We present a prototype system for providing a set of simple 2D and 3D graphics primitives. Experimental results and their screen shots are included. Index Terms: Direct rendering manager, Efficient handling, Graphics acceleration, Light-weight implementation, Prototype system I. INTRODUCTION Rendering speed is one of the most important factors for 3D graphics application programs. Typical present-day graph- After graphics output devices became publicly available, a ics programs need to be able to handle very large quantities large number of graphics applications were developed for a of graphics data. The larger the data size, and the more sen- broad spectrum of uses including computer animations, com- sitive to the rendering speed, the better the speed-up that can puter games, user experiences, and human-computer inter- be achieved, even for minor aspects of the graphics pipeline.
  • Iwrap 6.1 Bluetooth® Software

    Iwrap 6.1 Bluetooth® Software

    iWRAP 6.1 Bluetooth® Software May 2015 Topics . iWRAP Bluetooth Stack . New features in iWRAP 6.1 . BGScript for iWRAP . iWRAP Feature Matrix 2 Silicon Labs Confidential iWRAP Bluetooth Stack Host (MCU) APPLICATIONS Application . Cable replacement . Stereo and hands-free audio Bluetooth Module . Smart phone accessories . HID Bluegiga iWRAPTM UART SPP, iAP etc. A2DP, HDP etc. profiles profiles FEATURES Security Generic . A fully featured Bluetooth 3.0 Stack RFCOMM Manager (SM) Access Profile (GAP) . Implements 13 different Bluetooth profiles for data and audio L2CAP . SPP, iAP, OPP, FTP, HID, DUN and HDP . A2DP, AVRCP v.1.5, HFP v.1.6, HSP, PBAP and MAP HCI . Up to 7 simultanous connections and data throughput up to 550kbps A fully featured Bluetooth 3.0A Stack . Apple MFI complaint with iAP1 and iAP2 protocols Bluetooth BR/EDR Radio . Integrated SBC, mSBC, aptX®, aptX® low latency and AAC audio codecs . Easy-to-Use ASCII based API over UART . Field upgradable over UART 3 Bluetooth 3.0 Integrated profiles Easy to use API ProductSilicon Family Labs ConfidentialDirectory New Features in iWRAP6.1 . Audio tone support . Audio tones (files) can be stored in the Bluetooth module’s flash memory Host (MCU) . Playback support for stored files Application Bluetooth Module . Audio tone mixing . Audio tones can be mixed with A2DP or HFP audio output Bluegiga iWRAPTM UART SPP, iAP etc. A2DP, HDP etc. profiles profiles . Enhanced reconnection logic . End user configurable Bluetooth reconnection logic Security Generic RFCOMM Manager (SM) Access Profile (GAP) . Simultanous AVRCP controller and target profiles L2CAP . Improved user experience with latest smart phones HCI .
  • IT Acronyms.Docx

    IT Acronyms.Docx

    List of computing and IT abbreviations /.—Slashdot 1GL—First-Generation Programming Language 1NF—First Normal Form 10B2—10BASE-2 10B5—10BASE-5 10B-F—10BASE-F 10B-FB—10BASE-FB 10B-FL—10BASE-FL 10B-FP—10BASE-FP 10B-T—10BASE-T 100B-FX—100BASE-FX 100B-T—100BASE-T 100B-TX—100BASE-TX 100BVG—100BASE-VG 286—Intel 80286 processor 2B1Q—2 Binary 1 Quaternary 2GL—Second-Generation Programming Language 2NF—Second Normal Form 3GL—Third-Generation Programming Language 3NF—Third Normal Form 386—Intel 80386 processor 1 486—Intel 80486 processor 4B5BLF—4 Byte 5 Byte Local Fiber 4GL—Fourth-Generation Programming Language 4NF—Fourth Normal Form 5GL—Fifth-Generation Programming Language 5NF—Fifth Normal Form 6NF—Sixth Normal Form 8B10BLF—8 Byte 10 Byte Local Fiber A AAT—Average Access Time AA—Anti-Aliasing AAA—Authentication Authorization, Accounting AABB—Axis Aligned Bounding Box AAC—Advanced Audio Coding AAL—ATM Adaptation Layer AALC—ATM Adaptation Layer Connection AARP—AppleTalk Address Resolution Protocol ABCL—Actor-Based Concurrent Language ABI—Application Binary Interface ABM—Asynchronous Balanced Mode ABR—Area Border Router ABR—Auto Baud-Rate detection ABR—Available Bitrate 2 ABR—Average Bitrate AC—Acoustic Coupler AC—Alternating Current ACD—Automatic Call Distributor ACE—Advanced Computing Environment ACF NCP—Advanced Communications Function—Network Control Program ACID—Atomicity Consistency Isolation Durability ACK—ACKnowledgement ACK—Amsterdam Compiler Kit ACL—Access Control List ACL—Active Current
  • BLUEBORNE on ANDROID Exploiting an RCE Over the Air

    BLUEBORNE on ANDROID Exploiting an RCE Over the Air

    BLUEBORNE ON ANDROID Exploiting an RCE Over the Air Ben Seri & Gregory Vishnepolsky BLUEBORNE ON ANDROID – © 2019 ARMIS, INC. Table of Contents Preface 3 Android RCE Vulnerability in BNEP - CVE-2017-0781 3 Exploitation on Android 7.1 5 Target Object Selection 6 Loading the Payload into Memory 10 Grooming the Heap 12 PoC Exploit Code 16 Conclusion 16 BLUEBORNE ON ANDROID — ©​ 2019 ARMIS, INC. — 2 ​ ​ Preface Armis researchers Ben Seri and Gregory Vishnepolsky presented (October 21, 2017) a detailed explanation of the Android Remote Code Execution vulnerabilities related to the BlueBorne attack vector at the Hacktivity conference. This presentation included new information regarding the vulnerability, as well as the exploit code itself. This white paper will elaborate upon the Android RCE vulnerability and its exploitation, which are part of the BlueBorne attack vector, revealed in September 2017. BlueBorne is an attack vector by which ​ ​ hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices. Armis has identified 8 vulnerabilities related to this attack vector, affecting four operating systems, including Windows, iOS, Linux, and Android. Following Armis discoveries, Google has issued a patch to its Bluetooth stack in Android’s codebase (AOSP). This post contains additional details that were not included in the Blueborne whitepaper and unveils the exploit source code. To fully understand the ​ ​ underlying facilities that allow exploitation of the Android vulnerabilities, it is strongly suggested to read the full technical whitepaper, especially the following sections: Demystifying Discoverability, SMP, SDP and BNEP. Future publications will explore in detail the BlueBorne vulnerabilities on Linux and the “Bluetooth Pineapple” attack which affects both Android & Windows devices.
  • Tizen Overview & Architecture

    Tizen Overview & Architecture

    Tizen Overview & Architecture 삼성전자 정진민 There are many smart devices in mobile market. 2 And, almost as many software platforms for them 3 Many smart devices also appear in non-mobile market 4 User Expectation by it • Before smart device, • The user knew that they were different. • Therefore, the user did not expect anything among them. • Now, • The user is expecting anything among them. • However, They provide different applications and user experiences • Disappointed about inconvenient and incomplete continuation between them. 1 Due to different and proprietary software platform Proprietary platforms 5 Why do they? • Why could not manufacturers provide the same platform for their devices? • The platform has been designed for a specific embedded device. • Manufacturers do not want to share their proprietary platforms. • There is no software platform considering cross category devices as well as fully Open Source. Proprietary platforms 6 What if there is.. • What if there is a standard-based, cross category platform? • The same software can run on many categories of devices with few or no changes • Devices can be connected more easily and provide better convergence services to users • What if the platform is Open Source? • Manufacturers can deploy the platform on their products easily • New features/services can be added without breaking [given the software complies to platform standards] 7 The platform having these two features is ü Standard-based, Cross Category Platform ü Fully Open Source Platform 8 Standard-based, cross category platform
  • Linux Interface Specification Yocto Recipe Start-Up Guide Rev.1.09

    Linux Interface Specification Yocto Recipe Start-Up Guide Rev.1.09

    User ’s Manual ’s Linux Interface Specification Yocto recipe Start-Up Guide User’s Manual: Software RZ/G2 group All information contained in these materials, including products and product specifications, represents information on the product at the time of publication and is subject to change by Renesas Electronics Corp. without notice. Please review the latest information published by Renesas Electronics Corp. through various means, including the Renesas Electronics Corp. website (http://www.renesas.com). www.renesas.com Rev.1.09 Aug. 31, 2021 Notice 1. Descriptions of circuits, software and other related information in this document are provided only to illustrate the operation of semiconductor products and application examples. You are fully responsible for the incorporation or any other use of the circuits, software, and information in the design of your product or system. Renesas Electronics disclaims any and all liability for any losses and damages incurred by you or third parties arising from the use of these circuits, software, or information. 2. Renesas Electronics hereby expressly disclaims any warranties against and liability for infringement or any other claims involving patents, copyrights, or other intellectual property rights of third parties, by or arising from the use of Renesas Electronics products or technical information described in this document, including but not limited to, the product data, drawings, charts, programs, algorithms, and application examples. 3. No license, express, implied or otherwise, is granted hereby under any patents, copyrights or other intellectual property rights of Renesas Electronics or others. 4. You shall not alter, modify, copy, or reverse engineer any Renesas Electronics product, whether in whole or in part.