rdist

April 6, 2007

JTAG attacks and PR submarines

Filed under: Embedded,Hacking,Hardware — Nate Lawson @ 3:41 pm

Security research publication comes in two varieties: genuine advances and PR submarines (stories that sound like real advances but are more clever PR than substance.) Barnaby Jack’s recent announcement of attacking embedded systems via JTAG is definitely the latter. Since the trade press is always looking for interesting angles, they are especially susceptible to PR submarines.

Background: the attack uses the standard JTAG port present on nearly all chipsets and CPUs. This port is used for factory and field diagnostics and provides device-specific access to the internal flip-flops that store all the chip’s state. A technician typically uses a GUI (aka in-circuit emulator) on the host PC to set breakpoints, read/write internal registers, dump memory, and perform other debugger-like functions. Secure processors like smart cards already disable JTAG before the chips leave the factory to prevent this kind of attack.

Like Schneier’s snake oil crypto test, let’s examine how to identify security PR submarines.

1. Attack has been done before (bonus: no citation of prior work in the same area)

Check. Since JTAG access gives the hardware equivalent of a software debugger, attackers have been using it from the beginning. The first attackers were probably competitors reverse engineering designs to copy them or improve their own. Currently, a packaged version of this attack has been in use for years to get free satellite TV. No mention of any of this history can be found in the article.

2. Researcher previously gave same talk at another conference

Check. Keep these slides open for reference below. He is probably speaking on another application of the same attack, but count on the talk being quite similar.

3. Implications of attack wildly speculative

An attacker with physical access to the circuit board can control a device. Yes, that’s what JTAG is for. But there is no way this allows an attacker to “redirect Internet traffic on routers” without physical access to those routers. Perhaps Mr. Jack was unaware that this attack primarily matters to tamper-resistant devices (i.e., smart cards) where the device itself must protect stored cash, authentication secrets, or other data subject to physical attacks. That may be why he added a nice, but wholly-unnecessary application of modifying the software on a home router to insert trojan code in EXEs (slides 35-38.)

4. Attack uses very polished, mature tools and requires little or no custom development

Check. Note use of GUI in-circuit emulator on slides 18 and 21. The only custom development I can see is for the ARM code to modify the TCP packets. He could have inserted that code via a socketed flash chip instead of using JTAG but that would not sound as cool.

5. Deployed systems already have defenses against the attack

Check. JTAG is already disabled with any use of a tamper-resistant processor, and nearly every microcontroller made has a fuse to disable JTAG.

6. New researcher or new field for existing researcher

Barnaby Jack (formerly of eEye) has done awesome work on win32 kernel shellcode. Not to slight his previous work, but hardware is a new direction for him.

7. Venue is a talk at a minor conference, not a peer-reviewed paper (bonus: no details given)

Check. CanSecWest does not require a paper, and I don’t expect Mr. Jack to publish one although it’s possible he might. And what’s this about Juniper, his employer, sponsoring CanSecWest?

8. Announcement first appears in trade press or Slashdot

Check and check.

9. Slogan or catch-phrase consistently used to advertise attack

Check. Closing quote for the article is “I’m looking at my microwave oven right now, but I don’t think there’s much I could do with that.” See also intro slide 3 for the previous talk.

What is it about CanSecWest that attracts such sensationalism? Is there just no other way to justify a trip to Canada in your travel budget?

37 Comments

  1. I think you’ll find that few of your typical infosec presenters will go the peer-reviewed journal route.

    Comment by Ryan Russell — April 6, 2007 @ 6:46 pm

  2. Hopefully you will attending CanSecWest so that you can eat the words in this post. You have made assumptions based on a high level press report most of which are wrong.

    1. Attack has been done before (bonus: no citation of prior work in the same area)

    Wrong. This attack is not done via the JTAG port. If you bothered to actually read the article or perhaps paid attention to past presentations you would know this.

    2. Researcher previously gave same talk at another conference

    Cansecwest does not allow repeat talks. So this must be new material. So wrong again.

    3. Implications of attack wildly speculative

    I’ll give you that one because no details are out and no one has seen this talk yet.

    5. Deployed systems already have defenses against the attack

    Easily bypassed defenses.

    6. New researcher or new field for existing researcher

    New direction? Did he not deliver a talk on this last year? So that would make one assume that he has spent at least a year working on it.

    7. Venue is a talk at a minor conference, not a peer-reviewed paper (bonus: no details given)

    CanSecWest is no little known minor conference. It is, in fact, the most technical security ocnference there is today and is quite mainstream which is evident by the corporate sponsors. Are you actually suggesting that Juniper is sponsoring just to get a speaking slot? I doubt that very much as that is not typically Dragos’ style and this speaker has spoken at this venue before.

    “What is it about CanSecWest that attracts such sensationalism?”

    What is it about this post that tells me you have never attended CanSecWest nor would you remotely understand any of the issue presented at the conference. Perhaps you should stick to topics you actually have knowlege in although we both know that would limit what you can write about.

    Comment by anonymous — April 6, 2007 @ 7:15 pm

  3. Dear Ann Onymous,

    Since the article gives few details about the attack, we’ll both have to wait and see, won’t we? But what use is an article without any details? Publicity. And that’s my point — whatever his findings, this article and others like it are PR submarines.

    Regarding the attack itself, either it’s done via JTAG or it isn’t. If it’s done via JTAG, then it cannot be used to “redirect Internet traffic on routers” as the article says without presuming physical access to Internet routers. If it is not done via JTAG (i.e., a CPU flaw in exception handling that was discovered via JTAG), then it is irrelevant to spend so much of the article talking about JTAG, why it should be turned off, etc.

    Barnaby Jack is a smart guy, and his talk will probably be interesting. But that doesn’t mean the articles about it aren’t a PR submarine.

    Comment by Nate Lawson — April 6, 2007 @ 9:49 pm

  4. “What is it about CanSecWest that attracts such sensationalism?”

    British Columbia is beautiful country.

    FWIW, I believe there probably is a real advance in what Barnaby Jack is talking about, it’s just not all that relevant to the current security landscape. It gets all this press for novelty reasons, misleading a lot of casual readers, but I happen to believe that hardware hacking will become increasingly relevant over time. We’re not talking wormable vulns, or remote pwnage, but there are quite a few very interesting attack vectors that this stuff brings into play.

    Comment by Mangoboy — April 7, 2007 @ 6:39 am

  5. Nate,

    I’ve read your blogs with some amusement, for this one I think your own words are pretty poignant “I don’t like blogs. I think a blog elevates the author’s opinion over the commenters, unlike a Usenet discussion where replies to the first post have equal weight.”

    Seems like you have made a blog submarine…

    Lets see.

    1. Entry uses references that the author might have read – but not all the way through, then abuses the concepts in these references to make his own point.

    The Submarine reference you mention – is a great story – but if anything it makes a great point “If anyone is dishonest, it’s the reporters. The main reason PR firms exist is that reporters are lazy”. If the intent of the story is to generate buzz, as you seem to indicate – the article maintains that “Where the work of PR firms really does get deliberately misleading is in the generation of “buzz.” They usually feed the same story to several different publications at once”. Wow – this certainly seems the case – except that in each an every instance of this story the source goes back to the same exact reporter – Robert McMillan of IDG. So perhaps this will qualify more as a Media Submarine?

    2. Use a similar concept by a well respected blogger, and adjust it to fit your blog.

    Check. Schneier’s Snake Oil Crypto test concept is well executed and contains quite a bit of substance. Your blog entry seems to be rather forced – I felt the last 2 criteria you’ve selected were really thrown in there so that you have an equal amount of points to the number Schneier uses.

    – Announcement first appears in trade press or Slashdot? Putting aside the fact that the speaker/topic list has been up on CanSecWest site for a while, what’s your point? How else do you expect the announcement to be made? Word of mouth? Your blog?

    – Slogan or catch-phrase consistently used to advertise attack? That’s a stretch – calling using the same concept twice in a year – a slogan/catch-phrase, or that it is consistently used?

    3. Blog goes after “The Corporation” and hints at a bigger conspiracy theory.

    I love how you throw in the comment “And what’s this about Juniper, his employer, sponsoring CanSecWest?” – I’m surprised you didn’t mention that both Microsoft and Google are also sponsoring the conference both of which are good size companies and are probably in on the conspiracy.

    4. Entry makes wild speculations based on speculations.

    Sure, no one can call you out when you speculate on speculations.

    5. Entry uses condescending language and tools.

    Check

    6. When blogger gets confronted about the points in his entry, he/she deflects the criticism.

    Your reply to Ann Onymous was perfect. In fact – if you had this response as the original blog – it would have been perfect. You do seem to shrug off the criticism that most of your original points were BS.

    7. Blog in itself is an Epimenides paradox.

    “Cretans, always liars” or the more popular “All Cretans are liars” – If this is all just a PR stunt – you certainly seem to help it along. This entry seems to suggest that “All mention of this story is PR”, then you’re doing some PR yourself. In fact, you seem to be encouraging people to go to CanSec yourself.

    8. No Harm No Foul – Blogger is really not making accusations, or disparaging remarks.

    I’m sure Barnaby is soothed by your assurances that he “has done awesome work”, and that “Barnaby Jack is a smart guy, and his talk will probably be interesting”. This is pretty much in the same breath with saying that he’s making wild speculations, reusing other people’s work without attribution and a field he’s a novice in, and regurgitating an old talk.

    9. Well – I don’t have a 9, so I’ll stop here.

    Your blogs are better than this…

    Comment by Annon Ymous — April 7, 2007 @ 7:10 am

  6. While i have yet to see the details on this particular talk, i’m very familiar with barnaby’s work with hardware over the past couple years. I think the article (and subsequent slashdotting) were somewhat of a red herring. Barnaby does use a JTAG to develop his attacks, but they are not the basis of his attacks. He has never claimed any magic via the JTAG port, but the fact that JTAg exists is still lost on many security researchers. With a small amount of monetary capital and time researching embedded systems, he’s found numerous attacks against internet conneted devices that do allow for remote compromise. While you are correct that requiring chaning major parts of the embedded os require a reflash, also realize that many of these devices allow reflash remotely for upgradability. a remote compromise on a router that blanks the admin password via the control mechamism is still a potent attack, i’m certain you’d agree. I’ve seen his flash image that injects trojans, and while it was for some home user router, it worked surprisingly well.

    I think you will find that there is more to the talk once the details come out. Earth shattering? perhaps not, but it may lead a few more researcher souls away from software and towards hardware hacking, which has long been a somewhat sparse field in the research community. I’m not trying to denigrate prior efforts, but we’ve only seen public discourse on cisco shellcode and that’s only been in the past couple years. I think ultimately, this, and previous work he’s done in the hardware field, have been advances, rather than submarines, if only to show the hubris of hardware vendors in relation to security practices.

    Comment by Ryan Permeh — April 7, 2007 @ 9:53 am

  7. I was going to write about this, but it looks like Nate’s blog has the mo’ for the discussion.

    First observation: people like Barnaby. He’s obviously crazy talented. I’m gonna point out that Nate seems to like him too, and is talking about the PR phenomenon, not the researcher. Same way we did with George Ou.

    Second, Nate, you need to go to CanSec. CanSec has built up momentum; it’s not Black Hat yet, but it’s neck-and-neck with Usenix for vulnerability and operational security research. Mainstream vuln research conferences are fodder for cheap and easy security stories; all the good ones are going to produce their fair share of hype.

    Third, I think this is an excellent post! I’m a bit uneasy that it’s (unintentionally) aimed at Barnaby Jack but, come on: repeated talks on rehashed vulnerabilities, hyped beyond reconciliation, backed up with no novel code, with slick packaging and a PR machine? Tell me that this DOESN’T happen all the time, or point me to someone ELSE who has written this. The only points here I disagree about are (6) and (7), but all of it reads fresh to me.

    Fourth: Nate, using embedded debugging facilities to pick apart the devices that people thought were hermetically sealed and off limits to casual vuln researchers is interesting. I talked to you about this earlier; we’ve done a bit of this (particularly, massaging firmware images into IDA or esoteric builds of objdump) and if Barnaby is talking about how he slurped some off-the-shelf bit of networking hardware into IDA and came up with a book full of integer overflows and race conditions, dude, I can’t wait to see the slides.

    Fifth: If Barnaby’s target is “finding overflows in a NetGear router” and Nate’s target is “finding auth bypass in a smartcard”, you can see where Nate’s coming from. There are classes of products where the owners are totally cognizant of things like JTAG, where physical attacks are part of the threat model and have to be accounted for. NetGear routers are not in that class. When you attack the “physically hardened” products, basic JTAG (even if you’re wiring things to processor pins) is old news.

    Comment by Thomas H. Ptacek — April 7, 2007 @ 1:10 pm

  8. @nate: Peer-reviewed journals/conferences and practitioners (hax0r-type) venues are almost completely disjoint worlds. There are very few individuals that can survive, let alone live comfortably, in both of them. You are one of them and I can think of only a handful of others.
    What is it about CanSecWest that attracts such sensationalism?
    CSW (and PacSec/EuSec) is the new BlackHat. It does not need a formal peer-review process altho. there is something that loosely resembles that, it’s informal, cool and fun as the original hacker con from the 90s were. Enjoy it in its natural form while it lasts.
    Ohh, an additional comment: As much as I respect peer-reviewed journals and conferences I am yet to see one where something practicaland applicable to a real-world scenario was presented with a hands-on approach (actual usable code or research data and tested outside of of lab).

    Comment by ivan — April 7, 2007 @ 2:56 pm

  9. Ryan,

    Nice points. But remember the title of the article, “New class of attack targets embedded devices” (emphasis mine.) Whether Barnaby, Juniper’s PR firm, or the reporter chose this hyperbole is an important question, and ultimately this is about how his findings are announced, not whether his findings are worth talking about at a conference. (Given his history, I can safely assume it’s a talk worth attending.) I agree hardware hacking is experiencing a renaissance and is very much worth pursuing.

    One question I should have included in the post was whether security findings should be announced in the press like this before any details are available. My opinion is they shouldn’t, because other researchers contacted by the reporter have to waste effort trying to read between the lines and guess what the talk will be about and ultimately may give an inaccurate opinion.

    Part of the genesis of this post was that I’ve often been contacted by a reporter who is being led down a path by a PR agency. “A new type of storage encryption is going to change everything,” they say, and I ask who initially contacted them. Invariably, it’s a PR firm associated with, wait, a storage company that is announcing a new encryption product. No info on how the product works, if it’s software or hardware, key management, or other important details are available. I have to say “I don’t know exactly what they’re selling, but given their history and these other products, it’s probably a PGP Disk clone implemented in the drive firmware.” Doesn’t sound so sexy then, does it? But it’s tough to take a hard line against it even if I’m 99% sure of what the product is because there are no details available to be sure.

    Barnaby’s talk announcement has a lot of the same fingerprints on it. If he’s found flaws in the software of a router, that’s nice but not tremendous news. If he’s found internal CPU implementation flaws (e.g., strange pipeline, exception, or cache interactions), that’s probably news but hard to explain to a reporter why it’s important. But by throwing in an uncommon word “JTAG” and calling it a new class of attacks, that’s a story a reporter can understand and run with. A port that is in 90% of devices and is a backdoor for a new class of attacks? Damn the presses, hide your cellphones, full speed ahead!

    In my post, I linked to a similar situation about timing attacks (curiously also at CanSecWest). The finding had merit — timing attacks against internals of an RSA implementation. But the press blitz was “Intel implemented a catastrophic flaw, hyperthreading, and it must be disabled!” Never mind that the attack was more due to cache characteristics instead of concurrent execution, and it was viable against single core CPUs also. Someone decided that “hyperthreading is a security hole” was a sexier story than “crypto software needs to take into account caching behavior.” Substitute “JTAG” for “hyperthreading” and you’ve got this story. Funny enough, the “hyperthreading” hole was fixed by patching OpenSSL to align data on cache line boundaries. With a patch contributed by Intel, no less.

    Maybe this all can be blamed on the reporter, but I’m not so sure. As an industry, we need to be more vigilant about crying wolf about “new classes of attacks”.

    Comment by Nate Lawson — April 7, 2007 @ 3:19 pm

  10. Thomas: Thanks, I agree that it’s great people are using JTAG to do interesting things, I was most dismayed at it being presented as a new class of attack. I’ll have to catch CanSecWest in 2008.

    ivan: I do think peer-reviewed journals are in danger of becoming obsolete. For an example from crypto, eprint is becoming the main publication place for crypto advances that only appear months or a year later in an actual conference. It would take an entire post to describe, but the delays, annoying typographical requirements, sometimes arbitrary rejection criteria, and high cost of ordering copies all are hurting the effectiveness of peer-reviewed conferences.

    However, there may be a middle ground. Provide a full copy of your slides or paper to your PR agency and the reporter. Authorize redistribution to whomever the reporter contacts for verification, but request they do not redistribute the paper further. Then, you get a modicum of peer review without publishing the paper before the conference. Heck, you could even have a panel of security researchers who are willing to review talks for speakers or reporters covering the story. This would be more flexible in addition to the panels that review talks for each individual conference.

    Comment by Nate Lawson — April 7, 2007 @ 3:30 pm

  11. Nate:

    Speaking from the point of view of an academic security researcher, I don’t think peer-reviewed conferences are going anywhere. Getting published in a venue like NDSS or USENIX Security will get you a substantial amount of buzz in the academic security community, and there is always good, interesting security work getting published in top systems and networks conferences (OSDI, IMC, etc.). Of course, all I may be saying here is that the systems & networks security people do things differently than the crypto people.

    Comment by Matt — April 7, 2007 @ 6:52 pm

  12. Nate, I do agree that hyperbole is rampant in the industry, especially in the press coverage. I’ve seen it run wild over the years, and sometimes it’s shocking. That being said, I have to say that sensationalism sells news, sells products, and puts people in seats at conferences, so I don’t know if it will ever go away. I’m not saying it’s a good thing, but it is our current reality. I will freely admit I can’t substantiate the claim of “new class of attack” status for this one as I haven’t reviewed the slides. I freely concede your point at the lack of transparency in the article and somewhat confusing focus towards JTAG do raise some questions about his findings. I’m looking forward to Barnaby’s talk to see how it all fits together.

    On the more general topic of the industry and the media, I agree something new should be done. However, I’m not certain that pre-publishing findings will get the results you think it will. Even if full details are provided, and corroborated by other “experts”, the final cut of the article is ultimately up to the reporter, his editor, and the publication. PR companies do have an effect on this, but news as advertising is not new in this industry or any others. As I mentioned, sensationalism sells, and even if full details were provided, I can almost guarantee someone would endorse it to get their 15 seconds. With the number of “experts” in this field, any halfway decent reporter can find a dozen of them to prove any point. As long as there will be slow news days, there will be articles on scary and dangerous “hacker things”. As a side, I do know of one such group consisting of both reporters and technical security folks whose aim it is to provide a modicum of sanity in the coverage, but it obviously doesn’t contain all reporters who write technical security stories or all technical security people who are domain experts.

    On another note, it is my opinion that the security industry (at least the part that does vulnerability research) and the academic community have been diverging for a very long time (in my opinion, with the advent of the first commercial firewall). Ultimately, successful parties in both camps have the same goal (increasing security), but wholly different sets of tools towards achieving it and metrics to show progress on that path. Peer review works in many academic scenarios, but in the commercial space, it’s potentially spreading trade secrets. Success in the academic community relies on peer review and conferences and journals (publish or perish). In the commercial space, the market is king and selling a million security widgets or showing how yours is better than others is success. I’ll freely admit it’s as much business as security. Because of this, you see the wild difference between a USENIX conference and a blackhat or [can|pac]sec conference. On one hand, as matt mentioned, there is great cache for an academic publishing his findings at USENIX. On the other, companies, like eEye, Juniper, and Matasano have direct business reasons for speaking at (and sponsoring) commercial conferences. While I don’t have stats on USENIX or other academic conferences, I can say that year after year, attendance is growing at blackhat and others. So it seems that for each group, their conferences are succeeding, if only by their own metrics for success.

    Comment by Ryan Permeh — April 7, 2007 @ 11:13 pm

  13. Playing off Matt’s comment: Do any bloggers feel like taking on the subject of how security research community as a whole is so scientifically dysfunctional?

    I’m only in a position to evaluate the veracity of about 5% of things that are claimed at security conferences (the BH kind), but even to me it’s obvious there are a lot of problems in the information getting disseminated. Without a real peer review process, this is to be expected, though. Instead of review, we do demonstrations to show that what we’re saying is not total bullshit. But anyone with a half-understanding of the scientific method can tell you that such a demo does not nearly constitute valid proof. As a direct result we end up with things like Dave Maynor vs Apple PR, and He Said She Said blog wars.

    Not to mention the scarcity of actual published papers in the field (kudos to the Litchfields on this one), and the absurdity of getting handed a huge book full of PowerPoint slides labeled “Proceedings.”

    I’ll freely concede that academic peer review is not by any stretch a remedy against “PR Submarines”. Peer-reviewed medical research is misrepresented and overblown by the press on a daily basis. But the current state of security research is such that information is produced and culled extremely inefficiently, to the detriment of all.

    Comment by Mangoboy — April 8, 2007 @ 4:46 am

  14. @Mangoboy

    You just untied a knot I’ve been chewing on for months now. I’ve been wondering why it just annoys me so much that people call themselves “vulnerability researchers” and you made it clear as day; no scientific method, no peer review, essentially just a lot of medicine shows.

    Comment by Chris_B — April 8, 2007 @ 4:49 pm

  15. Mangoboy, excellent summary. I think there are 2 areas that need to be improved: peer review of contents of talks and sanity checking of press regarding security. My post was mostly focused on the latter since the former is the responsibility of the forum (i.e., Shmoocon vs. Usenix may have different approaches or standards).

    Snopes is the go-to for urban legends, FactCheck.org for politician’s statements — who will stand up for truth in security announcements?

    Comment by Nate Lawson — April 8, 2007 @ 5:44 pm

  16. I have been contacted once or twice by journalists seeking peer review of a result before publishing a news story. So it does happen, although certainly not as often as it should. I don’t have any good ideas on how to encourage it to happen more often, unfortunately.

    As for standing up for truth in security announcements, two main things come to mind. First, most directly, there’s Schneier’s Doghouse column, which has been calling out BS for years. Second, there’s a tradition of “break” papers at various conferences that expose bogus security claims. Sometimes these break papers from conferences, other times they show that a particular commercial mechanism is snake oil. For example, I was just watching a YouTube video of Annalee Newitz and Jonathan Westhues debunking VeriChip’s claims to be a secure access control device.

    To my knowledge, though, there is no single space collecting these notices. One way to go would be to put up a wiki and start trying to index these things. I don’t have time to host or set up such a thing right now, though.

    Comment by David Molnar — April 8, 2007 @ 7:23 pm

  17. Good stuff, especially in the comments. I wanted to add one bit and ask a question.

    The bit: Virus researchers are a third strain. They don’t get respect at the academic or the hacker cons.

    The question: what, if anything do we do about this? Are the fields naturally split because of specialization and socialization? The cross-fertilizations have been both painful and sometimes very worthwhile, but I admit to not spending a lot of time on the academic venues lately–the hoop jumping gets too difficult for the payoff if you’re not an academic.

    Comment by adam — April 8, 2007 @ 8:15 pm

  18. @ivan : on the distinction between blackhat and usenix security, have you seen Dug Song’s entry on the subject?
    http://asert.arbornetworks.com/2006/08/hax0rs-vs-ivory-tower-vs-demoscene/

    It came to mind because your invited talk gets a shout-out. :)

    As for real-world results published in peer-reviewed conferences, the subfield of software security tools has some work that may be worth a look. Coverity came out of the metacompilation work from Dawson Engler’s group at Stanford. More recently, their work on EXE, published at Oakland and at CCS, found bugs in file system code, berkeley packet filter, udhcpd, and a couple other things. While the code isn’t publically available, the ideas are certainly worth a look.
    The STP decision procedure used by EXE, however, _is_ available and is worth playing with if you think you might want to reason automatically about what a program does with its input:
    http://theory.stanford.edu/~vganesh/stp.html

    The SATURN project, also out of Stanford from Yichen Xie and Alex Aiken, did some nice static analysis for leak detection in the Linux kernel. Xie had a paper recently on finding SQL injection attacks in PHP that led to a few advisories. See his page for details:
    http://theory.stanford.edu/~yxie/

    You can download SATURN here:
    http://saturn.stanford.edu/pages/downloadindex.html

    David Wagner at Berkeley (disclosure: my advisor) and his students have some papers on experiences with static analysis tools on real-world code bases. For example, there’s this report on using the MOPS tool to audit Red Hat 9 by him and Ben Schwarz, Hao Chen, Geoff Morrison, Jacob West, Jeremy Lin, and Wei Tu.
    http://www.cs.berkeley.edu/~daw/papers/mops-full.pdf

    MOPS is available on sourceforge:
    http://sourceforge.net/projects/mopscode

    Overall, there seems to be a trend towards doing this kind of
    experiment with real world code. Not every project goes there,
    of course, but it happens more often now.

    Comment by David Molnar — April 8, 2007 @ 8:17 pm

  19. who says cansecwest _isn’t_ peer reviewed? It is. cheers,
    –dr

    Comment by dragos — April 9, 2007 @ 9:46 am

  20. Has Schneier’s “doghouse” column ever called out a vulnerability finding as BS and been correct? Cite an example? Thanks!

    Comment by Thomas H. Ptacek — April 9, 2007 @ 2:59 pm

  21. @Thomas

    As I recall, Schneier had put a Scandinavian crypto start-up in the doghouse. I had a look at the company and it did have a known cryptographer as well as some sort of published research associated. So to me the company did not qualify as *snake oil* and Schneier did not really research the company before passing judgment.

    Sorry I can’t find the link or remember anymore details but it was pre 2002.

    Comment by Shawn F — April 9, 2007 @ 5:41 pm

  22. @Thomas: I don’t know of an example, thanks. You’re right to point that out. I was straying from the original issue of calling BS on vulnerability findings and on to the issue of calling BS for security products in general. My apologies.

    Comment by David Molnar — April 9, 2007 @ 6:12 pm

  23. there is a workshop currently being proposed for USENIX – WOOT! (Workshop On Offensive Technologies – all credit to organizer Tal Garfinkel :-) which would offer a forum for more rigorous research in this area.

    we’re trying to gauge interest in this, as it wouldn’t have the party atmosphere of CSW/Blackhat/DEFCON for folks doing operational security research, nor the prestige of CCS/Oakland/USENIX Security for folks in academia. but it would be a way to advance the field by making sure published work is as good as it can possibly be, related work is properly referenced (and citable, in the case of online publications like Phrack or Uninformed Research), and cross-pollination of ideas happens between groups. that’s the idea, anyhow.

    maybe this will only work if there’s beer involved…

    Comment by dugsong — April 10, 2007 @ 12:56 am

  24. This defamation of Barnaby Jack is undeserved.

    Here’s what likely happened. The reporter plans on going to CanSecWest. Before going, he reviews the presentations, finds some he likes, contacts the presenter, and does a few stores on what they are going to present. He then goes to CanSecWest, and does followup stories. One of the people he calls is Barnaby Jack, who faithfully answers the questions the reporter asks. The reporter, like many in our industry, exagerates it.

    For example, here is another story by the same reporter about the same conference, but different presenter:
    http://www.infoworld.com/article/06/04/07/77230_HNwebservicesrisks_1.html?source=searchresult

    It is not a “PR submarine” campaign. There is not conspiracy here to hype one’s research. Barnaby Jack did not call the reporter trying to hype his presentation, the reporter called him.

    Nate’s comments are speculation not based in fact, and humorously, would not pass peer review themselves. It’s the sad fact in our industry that while “hype” is not trusted, “anit-hype” (based on even less facts) is always trusted. The anti-hypers like Nate, Schneier, attrition, etc. often do more damage than good.

    Comment by Robert David Graham — April 10, 2007 @ 6:29 am

  25. @Robert: I agree, Nate has been so quick to cry foul based on absolutely no facts.

    The truth is, no one knows what will be uncovered in the upcoming presentation except Barnaby himself.

    @Nate: If the presentation does uncover a new “attack class”, will you apologize with the same vigour as you did when calling BS? Or will you be a coward and brush it under the covers?

    Comment by Mike D — April 10, 2007 @ 9:52 am

  26. Robert, nice idea, but the article you link to was written after the talk was presented (“a security researcher said at the CanSecWest/core06 conference…” and “During a conference presentation, researcher Alex Stamos outlined …”). I have no problem with that since the talk can be compared against the article, at least for those who were there. There is information available to measure the claims, compared to an article coming out before any information required to validate it.

    Another minor problem with your theory — the only publicly available information, the talk’s title (“Exploiting Embedded Systems – The Sequel!”), does not seem compelling enough to warrant an interview. Usually in these cases, a PR firm or perhaps the researcher themselves contacts the reporter and offers a sneak peek to get more press. But the question isn’t who called who, it’s why a story is being hyped as a new class of attack without enough detail to support or reject it. That’s intentional.

    Mike D, since new classes of attack are so rare, the burden of proof is on the researcher, not the audience. Anyway, new classes of attack are supposed to be a happy occasion! Let’s not bicker and argue about who overplayed what. [*]

    Comment by Nate Lawson — April 10, 2007 @ 2:31 pm

  27. Sorry to post a big response so many days later but I feel compelled…

    I agree with Nate’s overall point: “PR Submarines” are annoying and completely “un-scientific”. We should watch out for them. I totally acknowledge that this all may be speculation about speculation about what may or may not be speculation or snake oil (kindof Nate’s gripe) and it’s even silly to have say that (twice). But that’s not exactly new either.

    My biggest gripe in this case, though, is not the hype. Theres just so much of it these days. My gripe is that this talk will be at CanSecWest and I may not get to see it. But then again (back to Nate) maybe I’ve just been torpedoed. We wont know yet.

    But after skimming the presentation, it seems to me that what Barnaby Jack is doing is downright awesome. Regardless of whether it is entirely new or not, I too cannot wait to hear more about this.

    First off, it seems to me that he’s talking about finding holes in vendor firmware and writing exploits to inject malicious code using the JTAG debugging technique. That is, the goal doesn’t appear to be injecting malicious code onto the router via JTAG as Nate’s point #3 seems to suggest. I think this point may already have been raised in this discussion.

    Now, jump to a different but related episode:
    Consider a bug published by one Ginsu Rabbit last year but not widely discussed and quietly patched by the vendor in another consumer-grade AP/Router by Linksys.

    Sometime later, Linksys shipped a new version of the firmware which quietly included a fix. No mention of the bug or fix ever appeared in the release notes.

    Nutshell:
    The bug gives away admin access, remote administration, and thus remote firmware upgrade. All via a silly web authentication bypass bug in the web-based management (not the first to affect this vendor and one of many in these type of products). Further, it can be exploited on the WAN side by directing a victim to a malicious page with the right POST to the right default router IP. Now, consider that there are also numerous open-source firmware projects available for the device in question providing an attacker a great rootkit platform to build on.

    Now, how many people not reading this blog go out and download the latest firmware whenever they get a new router if it does what they need it to? My guess is not so many.
    Now, how many do it when they don’t even know theres something that needs patching? Um… how many on this blog do? (Ok good… I usually do too)

    The Linksys bug is not particularly interesting from a technical exploit perspective but it has scary potential. Ginsu himself noted his incredulity that it hadn’t been found/published yet. But nobody seemed inclined enough to discuss too much further last year after his post either. The vendor never released an announcement and at least as of February-March ’07, several people I know are buying these with buggy firmware brand new. Sadly, most people don’t go out and search for known bugs in their new toys right away if at all.

    Point? Jack’s work does appear to broaden the field on finding even subtler ways to discover and exploit these types of of devices using far more advanced techniques than the case in point above. Maybe not new, but I cant say I’ve seen alot of presentation/papers/research material about it and Barnaby is definitely raising the bar. More discussion about has been a long time coming.

    In short, sometimes a little hype may get the vendors to react and act appropriately or even open their eyes a bit to something missed. In Jack’s case, the hype may even very well be appropriate.

    And either way I agree. 90% of the time, the hype is not the researchers’ doing. It’s the reporters’.

    I might add that it seems this whole discussion has served to add EVEN MORE hype to the article. Go figure. I probably would have missed it otherwise since work’s been busy.

    Comment by Eric Monti — April 11, 2007 @ 9:33 pm

  28. Late to the rss feed, but I’ll have to second the sentiments from others about mentioning CanSecWest in a negative way was a pretty bad idea, you’ve basically inserted an ad hominem attack for something which wasn’t your primary target, way to net collateral damage.

    I’m biased of course, as I think CSW is great. Admittedly I missed last year (due to a funeral), and will miss this year (just started a new job), but have made it a point to attend every year once I went in 2000. Out of all the conferences I’ve been too it’s consistently the most technical with the broadest scope (I’ll state that REcon has finally upped CSW in technical merits, but it’s more narrowly focus). Moreover, you’ll tend to learn as much from your peers as you did from the presentations as you socialize over second breakfast or lunch or going out for drinks and dinner in the evenings.

    Sure, every now and then the media has picked a presentation ahead of time and sensationalized it. To that extent, the worst one in my recollection was Paul Watson being claimed as a Net ‘savior’ before he’d presented his talk on a variant on TCP attacks (e.g. here’s a story recanting some of the sensationalism: http://news.com.com/Nets+savior+sets+the+record+straight/2100-7355_3-5198853.html ). The media generated buzz actually had a pretty negative impact on the reception of his talk, when it got to the Q&A section, there were several prominent researchers in the audience had some rather pointed comments even on the technical merits of the talk and didn’t make any nuance to hide them. Basically, the CanSecWest attendees are a more highly tuned bullshit test than any blog. Although in this case I think had the media not gone apeshit before th presentation, the reception wouldn’t have been so cold (as opposed to the XPSP2 talk which had little media attention, but probably the coldest reception of any talk I’ve seen, a lot of people had broken software when raw sockets were disabled, and questions from the audience about justifications weren’t met with decent answers).

    Anyway, I’m not going to talk about Barnaby or his research or whatever since I haven’t seen it presented. But I’ll say that the media attention in this case (yours included) is entirely the result of efforts outside of Dragos’s own promotion, they take whatever they think is a hot story and spin it whatever way they like. This isn’t to say Dragos hasn’t done something to promote his conference in a bit of a grandstanding way, indeed he’s put up two mac book pros to win for people who can own them on the spot:
    http://www.cansecwest.com/post/2007-03-21.15:10:00.PWN_to_OWN

    So while he’s inviting some people to use their 0day, there’s a decent reward. Really though this is his own stab at Apple due to losing a speaker who was pressured out of presenting due to Apple legal. I’ve heard of vendors mounting legal pressures against security researchers after the researchers have presented material against them, but this is one of the first occasions where I’ve heard of a company proactively threatening a researcher out of talking. Admittedly, this story has been out and about a little bit, close the the brood reporter Robert Lemos put out this: http://www.securityfocus.com/brief/468 but I haven’t seen it getting much attention in general. I think it’s because most of the researchers in the community already know that Apple sucks when it comes to security and treats researchers horribly, so it’s like beating a dead horse.

    But yeah you make no mention of probably the one carnie-like aspect of CanSecWest this year while you make snake oil allegations against a researcher and drag the soapbox he’ll be standing on down with him, poor form.

    Comment by grey — April 14, 2007 @ 9:38 am

  29. @grey, the article is about PR, not the conference. The only part about CanSecWest is that overhyped announcements seem to be coming from there more often. But that probably just means it’s becoming mainstream, which means it is (was?) a good conference. Others seem to think it’s on par with Blackhat. I hope to attend next year.

    Comment by Nate Lawson — April 17, 2007 @ 1:31 pm

  30. So how does it feel to be completely wrong?

    Comment by Anonymous — April 22, 2007 @ 1:51 pm

  31. Wow. Do you have any response to the fact that you were 100% wrong about everything you posted? I wonder how long before this blog post disapears? Barbaby dropped a NEW ATTACK CLASS against ARM based processers. I will save you all the technical details since it seems a bit out of your reach anyway. But it has NOTHING to do with JTAG other than using JTAG attachments to get access on chip debuging is a good way to find exploits. Saying that JTAG is a attack class would be like saying IDA is a new attack class.

    Ironic that now YOU are the one who looks like a grandstanding sensationalist in the “media” (if these joke of a blog qualifies). Maybe you shouldn’t believe everything you read and make assumptions about technical details you obviously dont understand.

    Comment by Anonymous — April 23, 2007 @ 8:54 am

  32. Open mouth, insert foot.

    Comment by Heh — April 23, 2007 @ 11:35 am

  33. I’ve had lots of conversations about this with lots of people. Most people saying Nate was dead wrong. I don’t agree completely.
    – press gets it wrong, often because of press releases. Dead on.
    – barnaby jack was complicit and is peddling fud. Completely off.

    Lots of good discussions coming out of this, but also I think a lot of people think an apology is due. I would agree.

    Congrats on the talk, Mr Jack.

    Comment by newsham — April 26, 2007 @ 12:56 pm

  34. Hm ok, now that the mist cleared up a bit: Barnaby’s talk was awesome, he _DID_ the work from the bottom up, describing and explaining JTAG, how to identify the interface, build hw to use it, how to debug using it with gdb, then found a hole in the firmware of an ARM-based DSL/wireless router, wrote the exploit and had it deliver a payload that intercepts and injects _in-transit_ a malicious executable into a binary being downloaded. The demo of the later part did not work but it was clear beyond any reasonable doubt that this presentation was not FUD. As for the new class of attack… it is not (but that doesn’t matter anyway, it was incredibly good work). What was mentioned as a new class of attack basically revolved around exploitable NULL pointer de-references and example of which (and which i presume to be quite common in many code portions) was shown with a code snippet using a malloc wrapper that returns NULL on error (ie. out of memory) and then with the callee wrongly using the returned pointer to write to where it points to. If the underlying OS has memory page zero actually mapped the bug becomes an exploitable bug and can be exploited very reliably if at page zero the OS happens to place the IDT (which is the case with the firmware of the ARM-based device that Barnaby demo’ed).

    However this is not a new type of attack as some very clever fellows demonstrated in 1994:
    http://packetstorm.linuxsecurity.com/poisonpen/8lgm/ptchown.c

    Mr. Anonymous: I doubt Nate would have any problems understanding the technical details of the alleged ‘new class of attack’, he just made the wrong assumptions based on somebody else’s description of what Barnaby Jack’s talk was about.

    Comment by ivan — May 3, 2007 @ 6:46 pm

  35. ivan, thanks for the analysis. I’ve posted a followup, comparing the two news articles and how they differ so much. The reporter can’t be blamed since it’s clear he could get it right when given the right information.

    https://rdist.root.org/2007/05/04/second-try-gets-it-right/

    Comment by Nate Lawson — May 4, 2007 @ 2:35 pm

  36. This talk had been presented in SyScan’06 in Singapore (http://www.syscan.org/syscan06/index.html), the same time when Joanna Rutkowska first presented her “Blue Pill” – Subverting Vista Kernel for Fun and Profit. This JTAG attacks didn’t create much attention in that conference, one of the reasons probably was everyone were focusing on “Blue Pill”.

    Anyway, IMO, Jack had successfully get people’s attention to look into other possible attack vector. He deserves the credits.

    Comment by JooGuan — June 13, 2007 @ 10:00 pm

  37. Have a look at http://www.jtagtest.com/ ; it might be quite useful for reverse engineering. They also have a large pinouts database at http://www.jtagtest.com/pinouts/

    Comment by jk — August 18, 2008 @ 5:04 am


RSS feed for comments on this post.

Blog at WordPress.com.