MC's Journal

32nd Chaos Communication Congress, part 2

Introduction

More notes from my visit to 32C3. Part 1.

Unpatchable: Living with a vulnerable implanted device

Fahrplan link. Recording.

Marie Moe & Eireann Leverett.

Marie lives with a pacemaker: “A project to break my own heart.”

A rather low-key presentation with no alarming remote cracking of pacemakers, but interesting insights into medical implants. For instance, Marie's own pacemaker has two wireless interfaces: one near-field and another for remote monitoring/telemetry when used with an optional base station in her home.

They bought a programmer for the pacemaker and some base stations on eBay and did experiments. They could extend the programmable range to several metres!

Some issues:

Some research needed:

“We need to be able to verify the software that controls our lives.”

“You too can do this research! Lots of low-hanging fruit.”

There is an exemption to the Digital Millennium Copyright Act (DMCA) for research on medical devices and automotive devices. Reverse engineering is possible without infringing copyright law.

The programmers are unique to each device. Some standardization, perhaps?

Much smaller pacemakers coming. Inside the heart!

“Are there laws requiring the doctor to tell them they are upgrading the software?”

No third party tests? No consumer laboratory?

How the Great Firewall discovers hidden circumvention servers

Fahrplan link.

Philipp Winter, https://censorbib.nymity.ch/

An analysis of how China's Great Firewall blocks traffic and knows what to block.

“We know what is blocked, how it is blocked, where it is topologically.”

“Most measurements are one-off; continuous measurements are challenging.”

Even if you use a DNS resolver outside of China, DPI looks at your traffic and spoofs the reply. If you wait for a while... you get the real DNS reply as well! Not filtered!
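One way to spot the injection described above from a packet capture, as an added example that is not part of the talk: group DNS replies by transaction ID and query name and flag any query that received two different answers, since the spoofed reply arrives first and the genuine one trails it. The packets below are constructed with a minimal A-record builder; the addresses are placeholders.

```python
"""Detect injected DNS replies: one query, two conflicting answers in sequence.
Added example, not from the talk; the capture below is constructed."""
import struct
from collections import defaultdict

def build_response(txid, name, addr, ttl=60):
    """Build a minimal DNS response carrying one A record (constructed input)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in addr.split("."))
    return header + question + answer

def parse_response(pkt):
    """Return (txid, qname, [A addresses]) from a minimal A-record response."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    pos, labels = 12, []
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    pos += 1 + 4  # terminating label plus QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        # owner name is a 2-byte compression pointer, then type, class, ttl, rdlength
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[pos + 2:pos + 12])
        rdata = pkt[pos + 12:pos + 12 + rdlen]
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
        pos += 12 + rdlen
    return txid, ".".join(labels), addrs

def find_injected(packets):
    """Group replies by (txid, qname) and return only the keys whose answers
    disagree, with the answer sets in arrival order (spoofed first, genuine later)."""
    seen = defaultdict(list)
    for pkt in packets:
        txid, qname, addrs = parse_response(pkt)
        seen[(txid, qname)].append(tuple(addrs))
    return {k: v for k, v in seen.items() if len(set(v)) > 1}

# Constructed capture: the injected answer arrives first, the real one later.
CAPTURE = [
    build_response(0x1234, "example.org", "203.0.113.7"),    # injected, arrives first
    build_response(0x1234, "example.org", "198.51.100.42"),  # genuine, arrives later
    build_response(0x5678, "example.net", "198.51.100.9"),   # single clean answer
]

if __name__ == "__main__":
    for key, answers in find_injected(CAPTURE).items():
        print(key, "conflicting answers:", answers)
```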

Several data sets collected to see where the probes come from.

Collected 16 000 unique probe IP addresses! 95% of the addresses were seen only once!

Reverse DNS names with “adsl” in them... Looks like ISP addresses. The single IP address 202.108.181.70 accounted for almost 50% of the probes!?

The majority of probes come from three ASes: 4837, 4134, 17622.

Do they hijack these addresses for GFW use? While a probe is active, no communication with its address is possible: traceroute times out, no ping...

What do they have in common?

Physical infrastructure

Blocking is reliable but fails predictably

In 2012 probes were batched, perhaps started by cron.

Now real time. Median arrival time only 500 ms.

Blocked protocols

The probes don't seem to be using reference software. Handcrafted!? The probes look very different from ordinary software and can be easily identified.

Find your own probes

http://nymity.ch/active-probing/

Circumvention

DPI must reassemble the stream before pattern matching. Make the protocol harder to reassemble. Server-side manipulation of the TCP window size can hide the protocol signature. Used in brdgrd.
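To show why the reassembly step matters for any detection engine (the DPI box in the talk included), here is an added example that is not from the talk or from brdgrd: a naive matcher that inspects each TCP segment on its own misses a signature once a small peer window splits the client's first bytes across segments, while a matcher that reorders and rebuilds the byte stream still finds it. The signature string and client payload are constructed placeholders, not a real protocol fingerprint.

```python
"""Per-segment versus reassembled pattern matching. Added example; the
signature and payload are constructed placeholders."""
import re

SIGNATURE = re.compile(rb"CLIENT-HELLO v1")  # constructed placeholder pattern

def segment(payload, window):
    """Split a client payload into segments no larger than the peer's advertised
    window. Returns (seq, data) pairs; seq is relative to the stream start."""
    return [(off, payload[off:off + window]) for off in range(0, len(payload), window)]

def match_per_segment(segments):
    """Naive DPI: test the pattern against every segment independently."""
    return any(SIGNATURE.search(data) for _, data in segments)

def match_reassembled(segments):
    """Proper DPI: order by sequence number, rebuild the contiguous byte stream,
    then match. Returns None instead of guessing when a gap or overlap is seen."""
    stream = bytearray()
    for seq, data in sorted(segments):
        if seq != len(stream):
            return None
        stream += data
    return SIGNATURE.search(bytes(stream)) is not None

PAYLOAD = b"CLIENT-HELLO v1\r\nkey=placeholder\r\n"  # constructed client handshake

if __name__ == "__main__":
    for window in (1460, 8):
        segs = segment(PAYLOAD, window)
        print(f"window={window}: segments={len(segs)} per-segment="
              f"{match_per_segment(segs)} reassembled={match_reassembled(segs)}")
```

With a normal window the payload fits one segment and both matchers agree; with an 8-byte window the per-segment matcher reports nothing while the reassembling one still fires.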

TCP/IP-based circumvention is difficult to deploy: “use this unknown kernel module, will you?”

Tor Project pluggable transports to the rescue! Pluggable transports that work in China

CloudABI: Pure capability-based security for UNIX

Fahrplan link.

Ed Schouten, https://nuxi.nl/

A new Unix runtime with capabilities.

What's wrong with unix?

Unix doesn't encourage you to run software securely. A web service only needs a specific set of capabilities but can do everything.

Access controls like AppArmor are not a real solution. They put the burden on the package maintainers.

Untrusted third-party programs are also extremely unsafe. Can the OS provide better isolation?

Capabilities

Capabilities: for example, Capsicum. A program starts as an ordinary process, opens all the files it needs, then calls cap_enter(). The process can still use its existing file descriptors, read(), write() and so on, but can't use open() et cetera: those calls return ENOTCAPABLE.

Used in FreeBSD by some programs: dhclient, hastd, ping, sshd, tcpdump, et cetera.

However, there are problems: existing code isn't designed to have system calls disabled!

Introducing CloudABI

A new POSIX-like runtime environment.

Default rights

Additional rights: file descriptors

Make sure you have the right set of file descriptors when starting the process.

A file descriptor is its own chroot.

Process descriptors: replacement for wait()/kill(). Special fork gives you a process descriptor. These descriptors can't be passed over Unix sockets.

File descriptors have permission bitmasks allowing fine-grained limiting of actions performed on them.

Example file descriptors for a web server:

This web server will be limited to the above and can't escape.

Cross-platform

POSIX becomes tiny if you remove all interfaces that conflict with capabilities. Only 58 system calls available.

Goal: add support to existing POSIX operating systems.

Allows reuse of binaries without recompilation.

Upstreams: FreeBSD/arm64, FreeBSD/x86-64

Beta: Linux.

Developing for CloudABI

CloudABI ports - a collection of cross compiled libraries and tools.

Builds native packages: FreeBSD pkg and Debian packages.

Use cases of CloudABI