Profile picture
Mudge @dotMudge
, 16 tweets, 4 min read Read on Twitter
A few weeks back the non-profit group CITL, cyber-itl.org, released a comparative report of software hygiene in 28 home routers...

and vulnerabilities that affect all Linux MIPS systems (not just IoT).

Some thoughts and data...

(Thread 1/N)

cyber-itl.org/2018/12/07/a-l…
This thread intends to get past some security nihilism, use data to refute some assumptions put forward by people as “facts”, and point out the big picture... which the security community largely missed.

Something about not being able to see the forrest through the trees ;)

2/
Let’s look at the router paper first.

cyber-itl.org/assets/papers/…

It’s true that none of the routers did well in regards to basic software safety hygiene, but thinking there’s nothing consumers can do is security nihilism and misses the actionable information in the paper...
If security hygiene is important to you:

1) Avoid Linux MIPS systems if possible (eg choose AARCH64).

2) Choose a system that did better than their competitors (next tweets in thread)

3) Perform your own simple measurements as tribal knowledge is often wrong.
In the Consumer Reports 2018 Home Router Buying guide, CITL, measurements showed that the Netgear r7000 did better than the others in software safety features.

Not great, but better than the others.
Across a collection of other ‘Best of 2018’ home router lists (CNET, PCMag, Trust Compass, and Consumer Reports), the Linksys WRT32x had the best marks.

Although still admittedly low compared to what one would hope for.
Some put forward statements that feel/sound true, but data shows are false. An example is “ARM is more common than MIPS in the home router field now”.

From measurements across 3000+ home router images MIPS is still the dominant architecture.
Another comment put forward was, essentially, that ‘vendors/developers do not ship software with known coding vulnerabilities like gets() etc’.

In fact CITL call graphs showed that out of 18 vendors, 15 still have binaries that call gets().

That’s over 80%. Yikes!
Looking at calls to system() as a security hygiene indicator is equally scary.

Of course one can expect correlation between poor function hygiene given a lack of basic safety awareness (DEP, ASLR, source fortification, RELRO, etc.).
With the MIPS bug(s) a lot of people focused on whether ASLR and DEP are “very important”, or “just important”.

What amazed me was that Linux MIPS Kernels from 2001-2016 lacked *any* Data Execution Prevention and 2016 onward have a universal DEP and ASLR bypass:

NOBODY NOTICED
The CITL team shares their research and work with me, which I appreciate, and I’m struck by two things:

1) they look for hundreds of features that relate to security/safety hygiene in every binary they analyze.

2) for the vast majority of the software industry this is overkill.
Vendors understand unit testing for product functionality but seemingly lack this awareness for the most basic safety/security build settings.

Modern software/systems need to check DEP, ASLR, Stack Guards, etc., the same way automobiles verify they have seatbelts and airbags.
You don’t have to look for all of the complex things the people at CITL do behind the scenes.

Just looking for basics will show you that the world is often very different from what people think it is. This includes security practitioners and a ‘common tribal knowledge’.
To end:

If you can’t/don’t measure it, you will make (incorrect) assumptions.

Product measurements are more helpful when quantitative, to allow comparison, rather than pass/fail or ‘certified’.

Put unit tests in to avoid unintentionally shipping without airbags, seatbelts, etc
P.S.

All of the Linux MIPS router images that the CITL folk looked at were vulnerable...

Even the vendors who stated that they didn’t think their Linux MIPS systems were affected.

So far there aren’t any unaffected Linux MIPS systems.

:/
PPS:

In total it was over 6000 images.

And dang it, I meant to tag @m0thran in the first tweet of the thread.

He is behind this (in my opinion) very impressive work over st CITL.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Mudge
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @dotMudge see all

Profile picture
Due to Floating Point emulation, Linux MIPS (Kernels 2.4.3.4 through 4.7 2001-2016) have executable stacks.

The patch, released in 2016 and still present - Kernel 4.8, introduces a universal DEP and ASLR bypass.

cyber-itl.org/2018/12/07/a-l…

cyber-itl.org/assets/papers/…
Think about this for a moment...

MIPS is the most common architecture for home routers (ubiquity, Netgear, Asus, linksys) and similar devices.

It is also found in telecom gear, next gen corporate firewalls, corporate switch fabric, etc. for control plane, data plane, or both.
What makes this particularly tough to remediate is that addressing the issue needs the Kernel fix and *also* updates to the compiler toolchains and *also* that vendors/developers adopt both of these and *also* turn on the needed settings if they aren’t default enabled...
Read 5 tweets
Profile picture
On ‘names are hard’, X509 Distinguished Names (DN) can be a downright minefield.

Consider military (gov) where rank is part of the distinguished name field.

So what happens when someone gets a pay raise (get’s promoted)?

Each time that happens the DN changes which means...
The old certificate needs to be revoked.

Onto the certificate revocation list it goes...

New digital certificates are issued, access cards re-provisioned, CAs updated (and eventually synchronized).

Life goes on...

But what happens to the certificate revocation list (CRL)?
According to Wikipedia there were over 17 million Common Access Cards issued by 2008.

That’s a decade ago and there are ~1.4 million people in the US military this year alone (according to Google). Don’t forget that we’re talking about a lot more than just military people...
Read 5 tweets
Profile picture
Unfortunately this is not a new revelation or disclosure.

Going back to 2009 there was an engagement that used a battle command system.

The opposing force in the exercise found the contractor, downloaded the user and training materials from a web and FTP site, exposed...

1/
to the public Internet, and found by scanning the IP range of the sub-contractor who did the work.

Then, they just logged in as privileged users to all the battle systems. You would think that would have been game over (it was a very simple default password).

2/
However, the defenders claimed foul (?!?).

While the OpFor (opposing force) was frustrated, they said ‘fine’.

They proceeded to essentially fuzz the input and found numerous ways to crash the system. Some of these were probably exploitable, but for the exercise, ...

3/
Read 8 tweets

Related threads

Profile picture
One of my proudest accomplishments was working on this two-day pop-up museum exhibit that we ran in October. The video game museum in my head has rotating exhibits like this: a visually striking display that tells a specific story that makes you think about games in a new way.
Specifically, what I wanted to express here was that the "Nintendo Entertainment System," if you knew where to look, literally never went away. There have been new commercial games written for the hardware every year since its debut 35 years ago. No other system can claim this.
Official support stopped around 1995 as the major markets moved on to new systems like the PlayStation. But in some countries you couldn't officially buy these new systems. Enter the "Famiclone" - a knock-off NES that was really, really cheap to manufacture.
Read 19 tweets
Profile picture
1/ This paper is a prime example of the arrogance that plagues our industry. Those features are harder to adopt, have greater downsides, fewer upsides, and aren't quite the standard they claim.
cyber-itl.org/assets/papers/…
2/ It's like yelling at Little League players for not performing at the same standard as Major League baseball. After all, if players earning $1 million per year can do it, why not a 13 year old???? It's so obvious, especially if you've never played baseball yourself.
3/ The biggest difficulty vendors have is hiring good people. There are fewer engineers that truly understand this than there are Major League baseball players. Ultimately, these devices are engineering using toolkits provided by others.
Read 23 tweets
Profile picture
Oh wow this is big. This is very big.
For the past several weeks I have been trying to shine light on the ties between the League of the South, in particular Brad Griffin, and violent extremists.

This article shows that Griffin was in direct regular contact with the Tree of Life killer.
A few weeks back, a white power group out of Southern California called the Rise Above Movement was brought down by the Feds for their violence in Charlottesville.

In this thread I show them alongside several League of the South members.

Read 14 tweets
Profile picture
u may have seen that brazil nearly elected a full-on fascist in the 1st round of its presidential elections on sunday.
u may have questions too.
i'll use this thread to clarify+debunk things i see circulating that are dead wrong.
i'll also provide some reading suggestions.
vamos+
brazil has run-off voting & bolsonaro (whom i'll refer to as the fascist) did not reach 51%,so not ALL hope is lost. between the 1st round of the general election on sunday (which also was for senate, house, and governor) and the 2nd round, candidates have 3 weeks to campaign.+
the remaining candidates for the 2nd round of the presidential election are the fascist (whose problems i have gone into ad nauseum on this site & written about elsewhere and you can go searching for later) and fernando haddad, who represents PT (workers' party)+
Read 251 tweets
Profile picture
Few weeks back, the media went to town with news that PDP had fixed prices for nomination forms and set an age-limit.

It was fake news, 100%

Did we fight? Moan? Or Cry? No.

APC fanboys should know it happens: DEAL WITH IT and move on instead of this stupid blame and outrage.
To be clear: my handle NEVER tweeted about whatever it is said that Miyetti Allah had said. I never referenced it, I never quoted it - our commitment to nationhood is permanent, in or out of power.

But the statement is 100% consistent with what Miyeti Allah says all the time.
Miyeti Allah has made more outrageous comments in various crisis situations before now and as TheNation newspaper which originally broke the quote is standing by its story, anyone can make his own summation of what is really going on.

Why aren’t APC e-boys attacking TheNation?
Read 9 tweets
Profile picture
(1) A Spotlight On Edward Price.
(2) His full name is Edward Chase Price.

intelius.com/people/Edward-…
(3) He was born on November 22, 1982.

politico.com/tipsheets/play…
Read 220 tweets

Trending hashtags

#chemistry #MasculinityKE #financing #NV03 #GA2 #CulturalDifferences #immigrant #Ethereum #FOSTA #highereducation #IPv6 #workplaceequality #GirlPower #parents #NV04 #GA13 #Pennsylvania #PA6 #GA4 #WorkingWomen #octal #PA04 #Shocking #Midterms2018 #NEOLAND

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!