Overview
QNX is a proprietary, real-time operating system used in many sensitive and critical embedded devices in different industry verticals from networking and automotive equipment to military and industrial control systems. While some prior security research has discussed QNX, mainly as a byproduct of BlackBerry mobile research, there is no prior work on QNX exploit mitigations or its secure random number generators.This work seeks to address that gap by presenting the first reverse-engineering and analysis of the exploit mitigations, secure random number generators and memory management internals of QNX.
We dissect the NX / DEP, ASLR, Stack Cookies and RELRO mitigations as well as the /dev/random and kernel PRNGs of QNX versions up to and including QNX 6.6 and the brand new 64-bit QNX 7.0 released in March 2017.We subsequently uncover a variety of design issues and vulnerabilities in these mitigations and PRNGs which have significant implications for the exploitability of memory corruption vulnerabilities on QNX as well as the strength of its cryptographic ecosystem. Finally, we provide information on available patches and hardening measures available to defenders seeking to harden their QNX-based systems against the discussed issues.
22-03-2018
Conference talk
Black Hat Asia
02-03-2018
Conference talk
Infiltrate
February 2018
Conference talk
OffensiveCon
All items