SlideShare a Scribd company logo

44CON London - Attacking VxWorks: from Stone Age to Interstellar

44CON
44CON

Attacking VxWorks: from Stone Age to Interstellar presented by Yannick Formaggio at 44CON London 2015.

Technology
1 of 75
Download to read offline
ATTACKING VXWORKS FROM STONE AGE TO INTERSTELLAR 44CON LONDON 9/10/2015YANNICK FORMAGGIO, RICHARD HSU & ERIC LIU
ABOUT ME Yannick Formaggio Security Researcher at Istuary Innovation Labs @TheLumberJhack || yannickformaggio on LinkedIn Look for vulns using fuzzing techniques, first time speaker, Lego fan… Help from Richard Hsu and Eric Liu (Lead security researcher) 2
AGENDA Introduction to VxWorks & previous researches Inside VxWorks: Memory management & protections From fuzzing to exploit: RPC Integer Overflow RCE Conclusion 3
INTRODUCTION 4
WHAT’S VXWORKS? #1 Embedded devices RTOS Claimed > 1.5 billions devices developed by Wind River supports lot of CPU architectures
SOME STATS 6
WHAT’S VXWORKS? 1987 • First release • 32 bits processing 1990’s • VxWorks 5 released • 1st RTOS w/ network stack 2000’s • VxWorks 6.x (12-2004) • Security improvements (RTPs, no more task shared memory) 2014 • VxWorks 7.x (02-2014) • 64bits, more security improvements
SOME CUSTOMERS 8
“ ” The Real-Time Operating System for the Internet of Things Powering billions of intelligent devices, VxWorks® delivers an industry-leading combination of scalability, safety, security, and virtualization capabilities to meet next-generation requirements. Windriver VxWorks product 9
VXWORKS & SECURITY Source: http://www.cvedetails.com/product/15063/Windriver-Vxworks.html?vendor_id=95 10
VXWORKS & SECURITY Wind River treatsVxWorks security seriously Partnership with McAffee in Feb 2011 Source: http://www.windriver.com/news/press/pr.html?ID=8801
VXWORKS & SECURITY Wind River treats VxWorks security seriously Partnership with McAffee in Feb 2011 6.x introduced some memory protections 7.x improved way further: Digitally signed modules (X.509) Encryption Centralized user database Password management (SHA-256 algorithm) Ability to create/delete users at run time Encrypted data storage
PREVIOUS RESEARCHES & INSPIRATIONS
PREVIOUS RESEARCH & INSPIRATIONS “Shiny Old VxWorks Vulnerabilities” HD Moore (2010) 4 Metasploit modules targeting WDB RPC Weak password hash entropy  rainbow table containing around 200k hashed passwords 14
PREVIOUS RESEARCH & INSPIRATIONS “Reverse Engineering VxWorks Firmware: WRT54Gv8” /dev/ttyS0 15
PREVIOUS RESEARCH & INSPIRATIONS “Digging Inside the VxWorks OS and Firmware The Holistic Security” Aditya K Sood (0kn0ck) – SecNiche Security Lab WDB debugging Interface (again) OS Security 16
INSIDE VXWORKS MEMORY LAYOUT & PROTECTIONS 17
X86 MEMORY LAYOUT: UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY 18
X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table 19
X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table ASCII string for fatal exception message 20
X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Decriptor/Vector Table ASCII string for fatal exception message VxWorks image entry point 21
X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table ASCII string for fatal exception message VxWorks image entry point WDB shared memory 22
MEMORY PROTECTIONS VxWorks provides MMU-based features in addition to the virtual memory support Non MMU based protections: Heap Error Detection 23
MEMORY PROTECTION: Task stack overrun and underrun detection Interrupt stack overrun and underrun detection Stack pages Stack Start Stop 24
MEMORY PROTECTION Non-executable task stacks & Non- writable Text Segment INCLUDE_TASK_STACK_NO_EXEC INCLUDE_PROTECT_TEXT Task stack size = MMU page size Program pages Read Only Raw Data r+w .TEXT.DATA 25
MEMORY PROTECTION -r-w-x Address Space 0x00000000 NULL Pointer usage detection 26
HEAP BLOCK OVERRUN DETECTION / USAGE TRACKING & LEAKAGE DETECTION 27
FROM FUZZING TO EXPLOIT 28
FUZZING TARGETS Network protocols: Portmap (RPC) FTP TFTP NTP … 29
FUZZING Used Sulley fuzzing framework Problem: no accurate crash detection available Solution: using WdbRPC 30
WHAT’S WDB RPC? Debugging Interface Service running on port UDP/17185 Based on SUN-RPC protocol Provides direct access to system memory 31
WDB PROTOCOL V2 Target Server Target Agent WDB Shell Debugger Browser Other tools HOST VxWorks WTX OS 32
WDB PROTOCOL V2 CALL: SENT BY TARGET SERVER IP HEADER (20 bytes) UDP HEADER (8 bytes) RPC Request Header (40 bytes) WDB Param Wrapper (12 bytes) XDR Encoded parameters XDR Encoded stream Checksum (4 bytes) Length (4 bytes) Sequence # (4 bytes) 33
WDB PROTOCOL V2 REPLY: SENT BY TARGET AGENT IP HEADER (20 bytes) UDP HEADER (8 bytes) RPC Reply Header (24 bytes) WDB Param Wrapper (12 bytes) XDR Encoded parameters XDR Encoded stream Checksum (4 bytes) Length (4 bytes) Error code (4 bytes) 34
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 35
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 36
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 37
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 38
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 39
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 40
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 41
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 42
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X HOST TARGET CALL REPLY … 43 Small interpreted language Two objects: pointer and tape Result of the eval stored in tape Tape content returned to the host More info on Gopher
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X CALL REPLY 44 HOST TARGET … Host reads the pointed memory addresses
CRASH DETECTION Target sends event notification 45 HOST TARGET
CRASH DETECTION Target sends event notification Host acknowledges 46 HOST TARGET
CRASH DETECTION Target sends event notification Host acknowledges Host ask more information (registers content, memory area, …) 47 HOST TARGET
WDBRPC FRAMEWORK Python 2.7 Supports VxWorks 5.x and 6.x Partially implements WDBRPC protocol Implements a basic remote debugger: WdbDbg 48
WDBRPC FRAMEWORK Python 2.7 Supports VxWorks 5.x and 6.x Partially implements WDBRPC protocol Implements a basic remote debugger: WdbDbg 49
WDBRPC FRAMEWORK Some externals dependencies: PyElfTools: reads the imports from the VxWorks Image Capstone Engine: disassemble code around crash area 50
INTERFACING WITH SULLEY Inspiration from the process_monitor.py script coming with Sulley Implementation: DebuggerThread instantiates WdbDbg and implements callback to call when crash occurs ProcessMonitorPedRPCServer interfaces with Sulley’s ped-rpc routines VxMon wraps everything 51
FUZZING 52 Sulley Fuzzer VxWorks Target Test cases VxWorks Process Monitor PED RPC WDB RPC WdbDbg
DEMO 53
CRASH ANALYSIS Portmap task crashed many times on the same RPC field: credential flavor When set to a negative value => PC is set to arbitrary memory value 54
CRASH ANALYSIS 55
CRASH ANALYSIS 56
CRASH ANALYSIS 57
CRASH ANALYSIS 58
CRASH ANALYSIS 59 O_o
CRASH ANALYSIS 60
CRASH ANALYSIS 61
RESPONSIBLE DISCLOSURE Vuln reported to Wind River on July 22nd and acknowledged on 23rd Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable Wind River is providing patches Every VxWorks customers should check the Knowledge Library for details On Sept 9th 2015 I’ve been authorised to disclose details 62
HOW TO EXPLOIT? Integer overflow leading to RCE Heap spray to place the shellcode Compute credential flavor value Jump into shellcode directly all memory protections bypassed/defeated backdoor account set up 63
EXPLOITATION DEMO 64
ABOUT THE REAL TARGETS Schneider Modicon Quantum PLC runs VxWorks and has port 111 open (https://www.digitalbond.co m/tools/basecamp/schneide r-modicon-quantum/) 65
SOME NUMBERS Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open 66
FUN FACT 67
MORE BUGS FOUND DURING FUZZING FTP server is susceptible to ring buffer overflow when accessed at a high speed 68
MORE BUGS FOUND DURING FUZZING FTP server crashes when received specially crafted username and password  network stack down 69
CONCLUSION WindRiver takes VxWorks’ security seriously Implemented a lot of memory protections Being defeated by a simple integer overflow bug 70
FUTURE WORK ? VxWorks 7 More complete WDBRPC protocol and Wdb over serial implementation Continuing to find bugs 71
CODE RELEASE The WdbDbg framework should be released in the next weeks here: https://bitbucket.org/yformaggio/wdbdbg Exploit code will not be released unless explicit authorisation given 72
QUESTIONS 73
THANKS !
LINKS http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html http://www.uio.no/[...]/vxworks_architecture_supplement_6.2.pdf http://www.uio.no/[...]/vxworks_kernel_programmers_guide_6.2.pdf http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf Digging Inside the VxWorks OS and Firmware The Holistic Security HD Moore - Fun with VxWorks 75

Recommended

Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
Verilog Lecture2 thhts
Verilog Lecture2 thhtsVerilog Lecture2 thhts
Verilog Lecture2 thhtsBéo Tú
 
Inside Android's UI
Inside Android's UIInside Android's UI
Inside Android's UIOpersys inc.
 
"Learning AOSP" - Android Hardware Abstraction Layer (HAL)
"Learning AOSP" - Android Hardware Abstraction Layer (HAL)"Learning AOSP" - Android Hardware Abstraction Layer (HAL)
"Learning AOSP" - Android Hardware Abstraction Layer (HAL)Nanik Tolaram
 
C Programming - Refresher - Part III
C Programming - Refresher - Part IIIC Programming - Refresher - Part III
C Programming - Refresher - Part IIIEmertxe Information Technologies Pvt Ltd
 
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...Anne Nicolas
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernellcplcp1
 
Tuning Android for low RAM
Tuning Android for low RAMTuning Android for low RAM
Tuning Android for low RAMChris Simmonds
 

Recommended

Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
Verilog Lecture2 thhts
Verilog Lecture2 thhtsVerilog Lecture2 thhts
Verilog Lecture2 thhtsBéo Tú
 
Inside Android's UI
Inside Android's UIInside Android's UI
Inside Android's UIOpersys inc.
 
"Learning AOSP" - Android Hardware Abstraction Layer (HAL)
"Learning AOSP" - Android Hardware Abstraction Layer (HAL)"Learning AOSP" - Android Hardware Abstraction Layer (HAL)
"Learning AOSP" - Android Hardware Abstraction Layer (HAL)Nanik Tolaram
 
C Programming - Refresher - Part III
C Programming - Refresher - Part IIIC Programming - Refresher - Part III
C Programming - Refresher - Part IIIEmertxe Information Technologies Pvt Ltd
 
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...
Embedded Recipes 2018 - swupdate: update your embedded device - Charles-Anto...Anne Nicolas
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernellcplcp1
 
Tuning Android for low RAM
Tuning Android for low RAMTuning Android for low RAM
Tuning Android for low RAMChris Simmonds
 
U-Boot presentation 2013
U-Boot presentation 2013U-Boot presentation 2013
U-Boot presentation 2013Wave Digitech
 
Embedded Android : System Development - Part IV
Embedded Android : System Development - Part IVEmbedded Android : System Development - Part IV
Embedded Android : System Development - Part IVEmertxe Information Technologies Pvt Ltd
 
Android Things : Building Embedded Devices
Android Things : Building Embedded DevicesAndroid Things : Building Embedded Devices
Android Things : Building Embedded DevicesEmertxe Information Technologies Pvt Ltd
 
BPF Hardware Offload Deep Dive
BPF Hardware Offload Deep DiveBPF Hardware Offload Deep Dive
BPF Hardware Offload Deep DiveNetronome
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux SystemJian-Hong Pan
 
Embedded C - Day 1
Embedded C - Day 1Embedded C - Day 1
Embedded C - Day 1Emertxe Information Technologies Pvt Ltd
 
Linux I2C
Linux I2CLinux I2C
Linux I2CKaidenYu
 
XPDDS18: CPUFreq in Xen on ARM - Oleksandr Tyshchenko, EPAM Systems
XPDDS18: CPUFreq in Xen on ARM - Oleksandr Tyshchenko, EPAM SystemsXPDDS18: CPUFreq in Xen on ARM - Oleksandr Tyshchenko, EPAM Systems
XPDDS18: CPUFreq in Xen on ARM - Oleksandr Tyshchenko, EPAM SystemsThe Linux Foundation
 
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Anne Nicolas
 
OpenOCD-K3
OpenOCD-K3OpenOCD-K3
OpenOCD-K3Nishanth Menon
 
Session 9 advance_verification_features
Session 9 advance_verification_featuresSession 9 advance_verification_features
Session 9 advance_verification_featuresNirav Desai
 
QEMU - Binary Translation
QEMU - Binary Translation QEMU - Binary Translation
QEMU - Binary Translation Jiann-Fuh Liaw
 
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Opersys inc.
 
Character drivers
Character driversCharacter drivers
Character driverspradeep_tewani
 
GCC compiler
GCC compilerGCC compiler
GCC compilerAnil Pokhrel
 
Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_Linaro
 
Virtual Machine Constructions for Dummies
Virtual Machine Constructions for DummiesVirtual Machine Constructions for Dummies
Virtual Machine Constructions for DummiesNational Cheng Kung University
 
Interception de signal avec dump de la pile d'appel
Interception de signal avec dump de la pile d'appelInterception de signal avec dump de la pile d'appel
Interception de signal avec dump de la pile d'appelThierry Gayet
 
Lcu14 101- coresight overview
Lcu14 101- coresight overviewLcu14 101- coresight overview
Lcu14 101- coresight overviewLinaro
 
Vim Rocks!
Vim Rocks!Vim Rocks!
Vim Rocks!Kent Chen
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 

More Related Content

What's hot

U-Boot presentation 2013
U-Boot presentation 2013U-Boot presentation 2013
U-Boot presentation 2013Wave Digitech
 
BPF Hardware Offload Deep Dive
BPF Hardware Offload Deep DiveBPF Hardware Offload Deep Dive
BPF Hardware Offload Deep DiveNetronome
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux SystemJian-Hong Pan
 
XPDDS18: CPUFreq in Xen on ARM - Oleksandr Tyshchenko, EPAM Systems
XPDDS18: CPUFreq in Xen on ARM - Oleksandr Tyshchenko, EPAM SystemsXPDDS18: CPUFreq in Xen on ARM - Oleksandr Tyshchenko, EPAM Systems
XPDDS18: CPUFreq in Xen on ARM - Oleksandr Tyshchenko, EPAM SystemsThe Linux Foundation
 
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Anne Nicolas
 
Session 9 advance_verification_features
Session 9 advance_verification_featuresSession 9 advance_verification_features
Session 9 advance_verification_featuresNirav Desai
 
QEMU - Binary Translation
QEMU - Binary Translation QEMU - Binary Translation
QEMU - Binary Translation Jiann-Fuh Liaw
 
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Opersys inc.
 
Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_Linaro
 
Interception de signal avec dump de la pile d'appel
Interception de signal avec dump de la pile d'appelInterception de signal avec dump de la pile d'appel
Interception de signal avec dump de la pile d'appelThierry Gayet
 
Lcu14 101- coresight overview
Lcu14 101- coresight overviewLcu14 101- coresight overview
Lcu14 101- coresight overviewLinaro
 

What's hot (20)

U-Boot presentation 2013
U-Boot presentation 2013U-Boot presentation 2013
U-Boot presentation 2013
 
Embedded Android : System Development - Part IV
Embedded Android : System Development - Part IVEmbedded Android : System Development - Part IV
Embedded Android : System Development - Part IV
 
Android Things : Building Embedded Devices
Android Things : Building Embedded DevicesAndroid Things : Building Embedded Devices
Android Things : Building Embedded Devices
 
BPF Hardware Offload Deep Dive
BPF Hardware Offload Deep DiveBPF Hardware Offload Deep Dive
BPF Hardware Offload Deep Dive
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux System
 
Embedded C - Day 1
Embedded C - Day 1Embedded C - Day 1
Embedded C - Day 1
 
Linux I2C
Linux I2CLinux I2C
Linux I2C
 
XPDDS18: CPUFreq in Xen on ARM - Oleksandr Tyshchenko, EPAM Systems
XPDDS18: CPUFreq in Xen on ARM - Oleksandr Tyshchenko, EPAM SystemsXPDDS18: CPUFreq in Xen on ARM - Oleksandr Tyshchenko, EPAM Systems
XPDDS18: CPUFreq in Xen on ARM - Oleksandr Tyshchenko, EPAM Systems
 
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
 
OpenOCD-K3
OpenOCD-K3OpenOCD-K3
OpenOCD-K3
 
Session 9 advance_verification_features
Session 9 advance_verification_featuresSession 9 advance_verification_features
Session 9 advance_verification_features
 
QEMU - Binary Translation
QEMU - Binary Translation QEMU - Binary Translation
QEMU - Binary Translation
 
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
 
Character drivers
Character driversCharacter drivers
Character drivers
 
GCC compiler
GCC compilerGCC compiler
GCC compiler
 
Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_
 
Virtual Machine Constructions for Dummies
Virtual Machine Constructions for DummiesVirtual Machine Constructions for Dummies
Virtual Machine Constructions for Dummies
 
Interception de signal avec dump de la pile d'appel
Interception de signal avec dump de la pile d'appelInterception de signal avec dump de la pile d'appel
Interception de signal avec dump de la pile d'appel
 
Lcu14 101- coresight overview
Lcu14 101- coresight overviewLcu14 101- coresight overview
Lcu14 101- coresight overview
 
Vim Rocks!
Vim Rocks!Vim Rocks!
Vim Rocks!
 

Viewers also liked

44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON
 

Viewers also liked (8)

44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
 

Similar to 44CON London - Attacking VxWorks: from Stone Age to Interstellar

FreeLix: Semplicità & Controllo
FreeLix: Semplicità & ControlloFreeLix: Semplicità & Controllo
FreeLix: Semplicità & ControlloValerio Balbi
 
Hardware accelerated switching with Linux @ SWLUG Talks May 2014
Hardware accelerated switching with Linux @ SWLUG Talks May 2014Hardware accelerated switching with Linux @ SWLUG Talks May 2014
Hardware accelerated switching with Linux @ SWLUG Talks May 2014Nat Morris
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentOOO "Program Verification Systems"
 
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Cybersecurity Education and Research Centre
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbgArno Huetter
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Gavin Guo
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
Docker Multihost Networking
Docker Multihost Networking Docker Multihost Networking
Docker Multihost Networking Nicola Kabar
 
Compiling P4 to XDP, IOVISOR Summit 2017
Compiling P4 to XDP, IOVISOR Summit 2017Compiling P4 to XDP, IOVISOR Summit 2017
Compiling P4 to XDP, IOVISOR Summit 2017Cheng-Chun William Tu
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackironSource
 
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)PROIDEA
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanDefconRussia
 
Swug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathSwug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathDennis Chung
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -evechiportal
 
Using Smalltalk for controlling robotics systems
Using Smalltalk for controlling robotics systemsUsing Smalltalk for controlling robotics systems
Using Smalltalk for controlling robotics systemsSerge Stinckwich
 
Technical Overview of QUIC
Technical Overview of QUICTechnical Overview of QUIC
Technical Overview of QUICshigeki_ohtsu
 
Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016 Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016 RedHatTelco
 
Deep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesDeep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesortegaalfredo
 

Similar to 44CON London - Attacking VxWorks: from Stone Age to Interstellar (20)

FreeLix: Semplicità & Controllo
FreeLix: Semplicità & ControlloFreeLix: Semplicità & Controllo
FreeLix: Semplicità & Controllo
 
Hardware accelerated switching with Linux @ SWLUG Talks May 2014
Hardware accelerated switching with Linux @ SWLUG Talks May 2014Hardware accelerated switching with Linux @ SWLUG Talks May 2014
Hardware accelerated switching with Linux @ SWLUG Talks May 2014
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications development
 
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Docker Multihost Networking
Docker Multihost Networking Docker Multihost Networking
Docker Multihost Networking
 
Compiling P4 to XDP, IOVISOR Summit 2017
Compiling P4 to XDP, IOVISOR Summit 2017Compiling P4 to XDP, IOVISOR Summit 2017
Compiling P4 to XDP, IOVISOR Summit 2017
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
 
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsan
 
Swug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathSwug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainath
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eve
 
Using Smalltalk for controlling robotics systems
Using Smalltalk for controlling robotics systemsUsing Smalltalk for controlling robotics systems
Using Smalltalk for controlling robotics systems
 
Technical Overview of QUIC
Technical Overview of QUICTechnical Overview of QUIC
Technical Overview of QUIC
 
Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016 Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016
 
Deep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesDeep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slides
 

More from 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...44CON
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 

More from 44CON (20)

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
 

Recently uploaded

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 

Recently uploaded (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 

44CON London - Attacking VxWorks: from Stone Age to Interstellar

  • 1. ATTACKING VXWORKS FROM STONE AGE TO INTERSTELLAR 44CON LONDON 9/10/2015YANNICK FORMAGGIO, RICHARD HSU & ERIC LIU
  • 2. ABOUT ME Yannick Formaggio Security Researcher at Istuary Innovation Labs @TheLumberJhack || yannickformaggio on LinkedIn Look for vulns using fuzzing techniques, first time speaker, Lego fan… Help from Richard Hsu and Eric Liu (Lead security researcher) 2
  • 3. AGENDA Introduction to VxWorks & previous researches Inside VxWorks: Memory management & protections From fuzzing to exploit: RPC Integer Overflow RCE Conclusion 3
  • 5. WHAT’S VXWORKS? #1 Embedded devices RTOS Claimed > 1.5 billions devices developed by Wind River supports lot of CPU architectures
  • 7. WHAT’S VXWORKS? 1987 • First release • 32 bits processing 1990’s • VxWorks 5 released • 1st RTOS w/ network stack 2000’s • VxWorks 6.x (12-2004) • Security improvements (RTPs, no more task shared memory) 2014 • VxWorks 7.x (02-2014) • 64bits, more security improvements
  • 9. “ ” The Real-Time Operating System for the Internet of Things Powering billions of intelligent devices, VxWorks® delivers an industry-leading combination of scalability, safety, security, and virtualization capabilities to meet next-generation requirements. Windriver VxWorks product 9
  • 10. VXWORKS & SECURITY Source: http://www.cvedetails.com/product/15063/Windriver-Vxworks.html?vendor_id=95 10
  • 11. VXWORKS & SECURITY Wind River treatsVxWorks security seriously Partnership with McAffee in Feb 2011 Source: http://www.windriver.com/news/press/pr.html?ID=8801
  • 12. VXWORKS & SECURITY Wind River treats VxWorks security seriously Partnership with McAffee in Feb 2011 6.x introduced some memory protections 7.x improved way further: Digitally signed modules (X.509) Encryption Centralized user database Password management (SHA-256 algorithm) Ability to create/delete users at run time Encrypted data storage
  • 14. PREVIOUS RESEARCH & INSPIRATIONS “Shiny Old VxWorks Vulnerabilities” HD Moore (2010) 4 Metasploit modules targeting WDB RPC Weak password hash entropy  rainbow table containing around 200k hashed passwords 14
  • 15. PREVIOUS RESEARCH & INSPIRATIONS “Reverse Engineering VxWorks Firmware: WRT54Gv8” /dev/ttyS0 15
  • 16. PREVIOUS RESEARCH & INSPIRATIONS “Digging Inside the VxWorks OS and Firmware The Holistic Security” Aditya K Sood (0kn0ck) – SecNiche Security Lab WDB debugging Interface (again) OS Security 16
  • 17. INSIDE VXWORKS MEMORY LAYOUT & PROTECTIONS 17
  • 18. X86 MEMORY LAYOUT: UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY 18
  • 19. X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table 19
  • 20. X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table ASCII string for fatal exception message 20
  • 21. X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Decriptor/Vector Table ASCII string for fatal exception message VxWorks image entry point 21
  • 22. X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table ASCII string for fatal exception message VxWorks image entry point WDB shared memory 22
  • 23. MEMORY PROTECTIONS VxWorks provides MMU-based features in addition to the virtual memory support Non MMU based protections: Heap Error Detection 23
  • 24. MEMORY PROTECTION: Task stack overrun and underrun detection Interrupt stack overrun and underrun detection Stack pages Stack Start Stop 24
  • 25. MEMORY PROTECTION Non-executable task stacks & Non- writable Text Segment INCLUDE_TASK_STACK_NO_EXEC INCLUDE_PROTECT_TEXT Task stack size = MMU page size Program pages Read Only Raw Data r+w .TEXT.DATA 25
  • 27. HEAP BLOCK OVERRUN DETECTION / USAGE TRACKING & LEAKAGE DETECTION 27
  • 28. FROM FUZZING TO EXPLOIT 28
  • 29. FUZZING TARGETS Network protocols: Portmap (RPC) FTP TFTP NTP … 29
  • 30. FUZZING Used Sulley fuzzing framework Problem: no accurate crash detection available Solution: using WdbRPC 30
  • 31. WHAT’S WDB RPC? Debugging Interface Service running on port UDP/17185 Based on SUN-RPC protocol Provides direct access to system memory 31
  • 32. WDB PROTOCOL V2 Target Server Target Agent WDB Shell Debugger Browser Other tools HOST VxWorks WTX OS 32
  • 33. WDB PROTOCOL V2 CALL: SENT BY TARGET SERVER IP HEADER (20 bytes) UDP HEADER (8 bytes) RPC Request Header (40 bytes) WDB Param Wrapper (12 bytes) XDR Encoded parameters XDR Encoded stream Checksum (4 bytes) Length (4 bytes) Sequence # (4 bytes) 33
  • 34. WDB PROTOCOL V2 REPLY: SENT BY TARGET AGENT IP HEADER (20 bytes) UDP HEADER (8 bytes) RPC Reply Header (24 bytes) WDB Param Wrapper (12 bytes) XDR Encoded parameters XDR Encoded stream Checksum (4 bytes) Length (4 bytes) Error code (4 bytes) 34
  • 35. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 35
  • 36. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 36
  • 37. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 37
  • 38. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 38
  • 39. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 39
  • 40. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 40
  • 41. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 41
  • 42. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 42
  • 43. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X HOST TARGET CALL REPLY … 43 Small interpreted language Two objects: pointer and tape Result of the eval stored in tape Tape content returned to the host More info on Gopher
  • 44. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X CALL REPLY 44 HOST TARGET … Host reads the pointed memory addresses
  • 45. CRASH DETECTION Target sends event notification 45 HOST TARGET
  • 46. CRASH DETECTION Target sends event notification Host acknowledges 46 HOST TARGET
  • 47. CRASH DETECTION Target sends event notification Host acknowledges Host ask more information (registers content, memory area, …) 47 HOST TARGET
  • 48. WDBRPC FRAMEWORK Python 2.7 Supports VxWorks 5.x and 6.x Partially implements WDBRPC protocol Implements a basic remote debugger: WdbDbg 48
  • 49. WDBRPC FRAMEWORK Python 2.7 Supports VxWorks 5.x and 6.x Partially implements WDBRPC protocol Implements a basic remote debugger: WdbDbg 49
  • 50. WDBRPC FRAMEWORK Some externals dependencies: PyElfTools: reads the imports from the VxWorks Image Capstone Engine: disassemble code around crash area 50
  • 51. INTERFACING WITH SULLEY Inspiration from the process_monitor.py script coming with Sulley Implementation: DebuggerThread instantiates WdbDbg and implements callback to call when crash occurs ProcessMonitorPedRPCServer interfaces with Sulley’s ped-rpc routines VxMon wraps everything 51
  • 54. CRASH ANALYSIS Portmap task crashed many times on the same RPC field: credential flavor When set to a negative value => PC is set to arbitrary memory value 54
  • 62. RESPONSIBLE DISCLOSURE Vuln reported to Wind River on July 22nd and acknowledged on 23rd Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable Wind River is providing patches Every VxWorks customers should check the Knowledge Library for details On Sept 9th 2015 I’ve been authorised to disclose details 62
  • 63. HOW TO EXPLOIT? Integer overflow leading to RCE Heap spray to place the shellcode Compute credential flavor value Jump into shellcode directly all memory protections bypassed/defeated backdoor account set up 63
  • 65. ABOUT THE REAL TARGETS Schneider Modicon Quantum PLC runs VxWorks and has port 111 open (https://www.digitalbond.co m/tools/basecamp/schneide r-modicon-quantum/) 65
  • 66. SOME NUMBERS Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open 66
  • 68. MORE BUGS FOUND DURING FUZZING FTP server is susceptible to ring buffer overflow when accessed at a high speed 68
  • 69. MORE BUGS FOUND DURING FUZZING FTP server crashes when received specially crafted username and password  network stack down 69
  • 70. CONCLUSION WindRiver takes VxWorks’ security seriously Implemented a lot of memory protections Being defeated by a simple integer overflow bug 70
  • 71. FUTURE WORK ? VxWorks 7 More complete WDBRPC protocol and Wdb over serial implementation Continuing to find bugs 71
  • 72. CODE RELEASE The WdbDbg framework should be released in the next weeks here: https://bitbucket.org/yformaggio/wdbdbg Exploit code will not be released unless explicit authorisation given 72