Overview
Syllabus
Intro
Automotive: BlackBerry Radar
Industrial: Nuclear HMI
Defense: Military Radios QNX Secures Major Design Win in Software Defined Radio
Medical: Surgical Robots
Carrier Routers: Cisco IOS-XR
Many more critical systems
What's New?
QNX Microkernel Architecture
QNX IPC Message Passing
QNX Attack Surface
QNX Security History
Syscalls
QNX Boot Process Power on
QNX Firmware
QNX Memory Layout - Namespace - Userspace Separation
QNX User Management
QNX Process Management
QNX Process Abilities Limitations
Breaking Rootless Execution
Qnet (Native Networking / TDP)
Qnet Security
Qnet EOP Vulnerability (CVE-2017-3891)
QNX Debugging
PRNG Quality
QNX Security-Oriented PRNGs
QNX 7 /dev/random
QNX 7 Kernel PRNG
Exploit Mitigation Quality
QNX Exploit Mitigations
QNX DEP
QNX ASLR - map_find_va
QNX ASLR - stack_randomize
QNX 6 ASLR - Weak RNG
QNX 6 ASLR - Bruteforcing
QNX 6 ASLR - procfs Infoleak (CVE-2017-3892)
QNX 6 ASLR - LD_DEBUG Infoleak (CVE-2017-9369)
QNX 7 ASLR - Changes
QNX Stack Canaries
QNX 6 SSP - Weak RNG
QNX 6 SSP - Kernelspace
QNX 7 SSP - Changes
Relocation Read-Only (RELRO) to do
QNX 6 Broken RELRO (CVE-2017-3893)
QNX 6 RELRO
Patches
Conclusions
Taught by
Black Hat