Profile picture
Robᵉʳᵗ Graham @ErrataRob
, 23 tweets, 4 min read Read on Twitter
1/ This paper is a prime example of the arrogance that plagues our industry. Those features are harder to adopt, have greater downsides, fewer upsides, and aren't quite the standard they claim.
cyber-itl.org/assets/papers/…
2/ It's like yelling at Little League players for not performing at the same standard as Major League baseball. After all, if players earning $1 million per year can do it, why not a 13 year old???? It's so obvious, especially if you've never played baseball yourself.
3/ The biggest difficulty vendors have is hiring good people. There are fewer engineers that truly understand this than there are Major League baseball players. Ultimately, these devices are engineering using toolkits provided by others.
4/ The latest toolkits are pretty good and have many of these features by default. However, the hardware and software in many of those devices started development 5 years ago when such things weren't standard.
5/ MIPS CPUs have a lot more difficulties than those mentioned in the paper. In my tests, even with ASLR enabled, I'm going only 8 bits of entropy, compared to the latest Ubuntu which gets 30 bits.
6/ With 8 bits, hackers can still exploit a lot of devices, just 1 in 256. Since services are generally restarted, that means exploiting every device, just with 256 attempts. Compared to Ubuntu, which requires a billion attempts due to ASLR.
7/ Yes, the paper seriously compared system running the latest high-end 64-bit CPUs capable of 30 bits of ASLR against low-end CPUs in IoT devices capable of only a few bits of ASLR.
8/ A lot of these features, such as the relocation tables, are much less expensive on modern desktop/laptop/server CPUs then they are on old embedded MIPS CPUs. There is a cost to adding them.
9/ I don't know what non-executable stacks aren't enabled more often. But there are reasons, and not simply because engineers are lazy and dumb.
10/ These home devices don't have a lot of storage/memory. A lot of devices come with 4-megabytes of flash and 8-megabytes of RAM, compared to laptops or you iphone that has a THOUSAND time more than that.
11/ glibc, the standard library for Linux (and the reason it's called GNU/Linux), is 2-megabytes. These home devices use alternative libraries that are only 500-kbytes in size -- which don't have the heap/stack protections of glibc.
12/ These alternatives to glibc, namely uClibc and musl, have gotten better recently, with more of these protections. But they still lag behind glibc, and the older versions in these devices probably didn't have the latest features.
13/ I can see the paper looked at FORTIFY_SOURCE, which in my tests, only works with glibc, and not the libraries used in these routers.
14/ Hardware is evolving. New ARM designs are replacing older MIPS designs. The standard ARM processor for home devices are quickly moving to 64-bit variants (like the one in the Raspberry Pi), so we'll get effective ASLR that isn't possible today.
15/ Hardware is also evolving away from the tiny SPI flash memories of only a few megabytes to eMMC memories that can cheaply do hundreds of megabytes, so we'll see the small libraries expand with security features, or just a switch to glibc.
16/ Which isn't necessarily a good thing for security: home devices are quickly becoming a monoculture based on roughly the same ARMv8 CPUs, glibc, and Linux. The way this paper says IoT needs to follow the "standard" can only be solved by monoculture.
17/ BTW, I wrote a simple program for testing entropy. It's how I know that MIPS Linux is getting only 8 bits of entropy in some cases:
github.com/robertdavidgra…
18/ This is the output on a small MIPS based router, where libc has only 9 bits of entropy, meaning 1/512 attacks will succeed, or it takes on average 512 attacks in order to succeed once.
19/ The original paper was unclear about what "ASLR" means. What they really meant was whether executables/libraries were built to be "position independent". You get randomized layout of heap and stack regardless of how the code is laid out.
20/ Compiling my entropy measuring program without position-independence causes it to be always laid out in the same position, though other memory segments can still be randomized:
21/ What this example shows is that when exploiting a stack buffer-overflow, the chief deterrent is the 19 bits of stack ASLR, not the added 9 bits of executable ASLR.
22/ Devices aren't insecure because they lack a specific "hygiene" feature you think they ought to have. They are simply a little bit less secure. This is the problem with CyberITL: they demand unreasonable amounts of security for no particular reason that they can quantify.
23/ Security "hygiene" is a good analogy: it's demanded because it's "moral" not because it's "effective". Organizations like CyberITL are pushing for a moral Internet, not a secure one. They are ignoring actual security.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Robᵉʳᵗ Graham
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ErrataRob see all

Profile picture
1/ In regards to my tweets today about "institutions" that make us great, let's talk about journalism and "both-sides-ism". Nobody likes it, but those who disagree with us are still reasonable people, the are multiple sides to every debate. This is why a free press is valuable.
2/ Let's take "anti-vaxxers" for a moment, which I assume you'll agree are "batshit crazy" and not "reasonable" in any fashion. Yet, we still have a "both sides" issue. Even if "vaccines cause autism" argument is garbage, we still debate whether governments can force vaccines.
3/ It's the same argument whether governments can force you to donate a kidney. Or force you to donate bone marrow (which is relatively harmless to the donor). Or force a woman to cary a baby to term.
Read 9 tweets
Profile picture
1/ Also a good lesson for 2019, let's talk about General McChrystal's firing. What makes America great is that we have stable, independent institutions, rather than rule by a despot. That includes an independent press, courts, ... and a military.
2/ General McChrystal was critical of President Obama's policies in a piece in Rolling Stone. This was an attack on the institution of our military. Generals take their orders from the Commander In Chief, they don't publicly criticize their commanders. Therefore, he had to go.
3/ It's because we believe in "institutions" that McChrystal had to go. This is why Trump is uniquely bad among recent Presidents. It's not that he's left or right wing, it's that he's attacking all the institutions that make America great.
Read 11 tweets
Profile picture
To be fair, "Trump derangement syndrome" is a thing where people blame Trump for innocuous things, things he has no control over, or things that happened equally under Obama. On the other hand, this tweet is itself deranged.
The lesson you should learn for 2019 is how this tweet demonstrates lack of character and insecurity, they way Trump attacks childishly his critics: praising them when they agree with him, turning on them when they don't.
But that should equally apply to Trump. It's unlikely that even he is 100% bad. You should be able to point out things he does well. His recent prison reform was good. His judicial nominations have been all competent. While I don't agree with his tax law, it had needed reforms.
Read 3 tweets

Related threads

Profile picture
001/ [article content in this tweet series 001-180 reproduced with permission from Martin Howe QC of Lawyers for Britain @lawyers4britain]
#quote "Leaving the EU on WTO terms: pulling down the barriers to world trade
Introduction: why prices will FALL after Brexit, not rise" /002
002/ #quote "Over the past couple of weeks, the media have been full of lurid scare stories about what will happen if the UK leaves the EU on WTO terms, because negotiations with the EU do not result in a withdrawal agreement." /003
#tariffs #NoDeal #Brexit #WTO #ProjectFear #shortages #food #medicines
003/ #quote "One of the most ridiculous and UNJUSTIFIED of these absurd scare stories is that it will lead to higher prices, and even shortages, of foods and medicines." /004
Read 180 tweets
Profile picture
45 Days Of @ElvisCostello: a twitter megathread in anticipation of the Oct 12 release date of LOOK NOW, the new LP by Elvis Costello & The Imposters

This is either a bright idea or a brilliant mistake, but this is only, this is only, this is only the beginning...
I did something similar to this 5 years ago, in anticipation of EC & @theroots' Wise Up Ghost LP, on tumblr.

(You can still find all those posts if you look, although a lot of the YouTube links etc are now dead ends. It was 40 Days Of EC then, so for 2018 I'm upping it to 45.)
Mostly I will be going chronologically from the early years right up to the present, but it feels right to start out with Costello's 2002 song, "45."

Music Video directed by @jessebdylan


(There's an alternate "diner" version I can't find anywhere online)
Read 2378 tweets
Profile picture
Tonight I helped raise money for @PAWSChicago, the largest no-kill animal rescue in the Midwest. PAWS’s mission is to reduce homelessness of our community’s pets. Meet Marlow, Maribel and other dogs available for adoption at pawschicago.org
Read 5 tweets
Profile picture
So, it's about time I finally did it. Join me as I play Thief: The Dark Project; I've never got further than The Sword before. Thanks to the No Spiders mod from @adurdin I hope to actually finish it this time. #ThiefTDP
I'll be playing Thief Gold. I have multiple copies of The Dark Project but they'd require me to dig through boxes to find. Thief Gold is the only one reliably available online. I am reserving the right to level skip past the Thieves Guild, though. #ThiefTDP
I'll be using the New Dark version, but sticking to a 4:3 aspect ratio. #ThiefTDP
Read 639 tweets

Trending hashtags

#motivation #Gorbachev #NotGoingToBeEasy #FDA #TBT #Czechoslovakia #half #SteeleDossier #Kryuchov #CelebrateAbortionProviders #cheese #October #licensing #ChequersPlan #amendment #KavaNOPE #RecordStoreDay #Stalin #Washington #profiles #Regulation #corpus #food #senator #brexit

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!