1. 19
  1.  

  2. 7

    Among the many fun details, they have notes about making exploits reliable. Don’t want to crash the target or make a lot of noise that the user might notice. Fortunately (for attackers) when WiFi crashes the user just sees an icon blink and then it restarts and you’re ready for another attempt.

    There's a lot one can learn about how we build reliable “self healing” systems.

    1. 1

      Is this what Tanenbaum was talking about?

      1. 6

        Actually, yes, in a bad way. Funny, Colin Percival asked a question about this very topic after a talk at a BSD con. How do you defend against exploits? “Just let it crash and restart.” Tanenbaum didn’t seem to grasp the idea that there are outcomes worse than crashing.

        To elaborate on my point, device manufacturers have given up on making WiFi reliable, but users don’t like phones that don’t work. So the solution is to just keep restarting things. Make it all as invisible as possible. Of course, as noted, this allows an attacker to launch many attacks without notice.

        But they are not alone in this attitude. How do you make a server web scale reliable? “while (1) restart();”

        What’s often called fault tolerance is perhaps better described as fault masking. Maybe that’s ok, but sometimes it’s not.

        1. 1

          ah :)

    2. 3

      This creates a situation where it’s possible to build a dictionary of addresses for a given firmware, then repeatedly launch the exploit until we have brute forced the correct set of addresses

      This shows the crucial importance of ASLR. A deterministic address space allows remote attackers to copy&paste exploits with 100% accuracy and reliability. Given the vast amount of hardware that never sees security updates, the exploit code will live on and be successful for years to come.
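An added model, written for this page and not taken from the article or from anyone in the thread, that ties the two observations above together: the firmware's silent crash-and-restart is what lets the attacker loop, a deterministic layout lets a one-entry address dictionary succeed on the first try, ASLR turns each attempt into a low-probability guess that leaves a crash behind, and a restart-rate monitor over those crashes recovers the signal that fault masking hides. The firmware base, page granularity, target offset, attempt timing and alert threshold are all constructed values.

```python
"""Exploit reliability against a WiFi firmware image with and without ASLR,
plus a restart-storm detector over the crashes the retries leave behind.
All layout constants and timings below are constructed for illustration."""
import random
from collections import deque

PAGE_SHIFT = 12            # assumption: 4 KiB load granularity for the slide
FIXED_BASE = 0x0018_0000   # constructed: load address when there is no ASLR
TARGET_OFFSET = 0x2F54     # constructed: offset of the function the exploit must reach


class Firmware:
    """One device: boot() picks the load base, attempt() models one exploit try."""

    def __init__(self, entropy_bits, rng):
        self.entropy_bits = entropy_bits
        self.rng = rng
        self.restarts = 0
        self.boot()

    def boot(self):
        if self.entropy_bits == 0:
            self.base = FIXED_BASE                          # same layout every boot
        else:
            slide = self.rng.getrandbits(self.entropy_bits) << PAGE_SHIFT
            self.base = FIXED_BASE + slide                  # fresh slide per boot

    def attempt(self, guessed_addr):
        """True if the guess hits the target; a miss crashes the firmware,
        which restarts quietly (the 'icon blinks and it comes back' behaviour)."""
        if guessed_addr == self.base + TARGET_OFFSET:
            return True
        self.restarts += 1
        self.boot()
        return False


def address_dictionary(entropy_bits):
    """Every address the target could be at, as built from a copy of the
    firmware: one entry with no ASLR, 2**entropy_bits entries with it."""
    return [FIXED_BASE + (s << PAGE_SHIFT) + TARGET_OFFSET
            for s in range(1 << entropy_bits)]


def run_campaign(entropy_bits, seed, max_attempts=100_000, seconds_per_attempt=3.0):
    """Retry until the exploit lands or the budget runs out.
    Returns (succeeded, attempts, crash_timestamps_in_seconds)."""
    rng = random.Random(seed)
    fw = Firmware(entropy_bits, rng)
    candidates = address_dictionary(entropy_bits)
    crash_times = []
    for n in range(1, max_attempts + 1):
        guess = candidates[(n - 1) % len(candidates)]
        if fw.attempt(guess):
            return True, n, crash_times
        crash_times.append(n * seconds_per_attempt)   # each miss is a visible restart
    return False, max_attempts, crash_times


def mean_attempts(entropy_bits, campaigns, seed=0):
    """Empirical average number of tries; approaches 2**entropy_bits, since every
    reboot re-rolls the slide and each try is an independent 1-in-2**bits guess."""
    total = sum(run_campaign(entropy_bits, seed + i)[1] for i in range(campaigns))
    return total / campaigns


def restart_storm_alerts(crash_times, window_s=60.0, threshold=5):
    """Defender side: sliding-window count of firmware restarts. Returns the
    timestamps at which `threshold` or more restarts fell inside `window_s`."""
    recent = deque()
    alerts = []
    for t in crash_times:
        recent.append(t)
        while recent and t - recent[0] > window_s:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(t)
    return alerts


if __name__ == "__main__":
    print("no ASLR :", run_campaign(0, seed=1)[:2])           # lands on try 1, no crashes
    ok, tries, crashes = run_campaign(8, seed=1)
    print("8-bit ASLR:", ok, tries, "tries,", len(crashes), "restarts")
    print("mean tries at 4 bits:", mean_attempts(4, 500))    # about 16
    print("alerts:", restart_storm_alerts(crashes)[:3])
```

The detector is the part a defender controls: a WiFi firmware that restarts five times in a minute is not "self healing", it is a retry loop, and counting restarts is cheap to add to the same code that already hides them from the user.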

      1. 1

        Is it a present-day 0-day that’s been fixed in iOS/Android?

        (For those who haven’t the time to read through all the details of the post?)

        1. 1

          Should be fixed in July updates.

          1. 1

            Should be fixed in July updates.

            What does that mean? July is almost over. Apple did release some security updates recently; are you saying those included fixes to this?

            EDIT: Ah yes, appears they did at the bottom here, CVE-2017-9417.

            1. 2

              https://source.android.com/security/bulletin/2017-07-01

              Also for android. I just double checked my Pixel has this update so it’s distributed and available.