Jos Wetzels and Ali Abbasi

Dissecting QNX - Analyzing & Breaking QNX Exploit Mitigations and Secure Random Number Generators

Abstract

QNX is a proprietary, real-time operating system used in many sensitive and critical embedded devices in different industry verticals from networking and automotive equipment to military and industrial control systems. While some prior security research has discussed QNX, mainly as a byproduct of BlackBerry mobile research, there is no prior work on QNX exploit mitigations or its secure random number generators.

This work seeks to address that gap by presenting the first reverse-engineering and analysis of the exploit mitigations, secure random number generators and memory management internals of QNX. We dissect the NX / DEP, ASLR, Stack Cookies and RELRO mitigations as well as the /dev/random and kernel PRNGs of QNX versions up to and including QNX 6.6 and the brand new 64-bit QNX 7.0 released in March 2017.

We subsequently uncover a variety of design issues and vulnerabilities in these mitigations and PRNGs which have significant implications both for the exploitability of memory corruption vulnerabilities on QNX and for the strength of its cryptographic ecosystem. Finally, we provide information on available patches and on hardening measures that defenders can apply to protect their QNX-based systems against the discussed issues.


BIO

Jos Wetzels is an independent security researcher with Midnight Blue (https://www.midnightbluelabs.com) specializing in embedded systems security. He previously worked as a researcher at the Distributed and Embedded Security group (DIES) at the University of Twente (UT), where he developed exploit mitigation solutions for constrained Industrial Control Systems (ICS) used in critical infrastructure, performed various security analyses of state-of-the-art network- and host-based intrusion detection systems, and was involved in the AVATAR research project on the on-the-fly detection and containment of unknown malware and Advanced Persistent Threats. He has assisted in teaching hands-on offensive security classes for graduate students at the Dutch Kerckhoffs Institute for several years.

Ali Abbasi is a Ph.D. candidate in the Distributed and Embedded System Security group at the University of Twente, The Netherlands, and a visiting Ph.D. researcher at the Chair of Systems Security of Ruhr-University Bochum, Germany. His research interests include embedded systems security, mostly related to Industrial Control Systems, critical infrastructure security, and Real-Time Operating Systems security. He received his master's degree in Computer Science from Tsinghua University, Beijing, China in 2013, where he worked on Programmable Logic Controller (PLC) security in the Network Security Lab of the Microprocessor and SoC Technology R&D Center under a National 863 High-tech Program grant from the Ministry of Industry and Information Technology of China. He is currently conducting his research at the Chair of Systems Security of Ruhr-University Bochum on designing system-level protection mechanisms against sophisticated memory corruption and code-reuse attacks targeting PLCs and other critical real-time embedded systems. Before that, Ali worked as Head of the Vulnerability Analysis and Penetration Testing Group at the National Computer Security Incident Response Team (CSIRT) at the Sharif University of Technology in Tehran, Iran.