ARM 'security hole' is ofla cousinPublished: 24th Apr 2007, 23:46:40 | Permalink | Printable
One man's exploit is another's .ofla.ofla.oflaA computer security researcher who claimed he found a serious vulnerability in ARM-compatible processors has in fact stumbled across a class of bug infamous to RISC OS users - the ofla.
The 'ofla' bug is seen when a confused program tries to read information from an inappropriate part of the computer's memory, and winds up mistaking executable code for text. This machine code is then displayed to the user in error messages and other windows, and shows up as the string of 'ofla's.
However, Juniper Networks's Barnaby Jack said by doing the reverse of this, a malicious hacker could overwrite this executable code with a new program, thus breaking into and taking over an ARM-powered gadget. He presented his findings at an international security conference this month, and compromised a D-Link router as a demonstration - drawing the attention of the mainstream IT press. Barnaby had billed his work as the discovery of a 'major vulnerability' in ARM-based systems. ARM remains the popular choice for mobile phones, routers, gadgets and other embedded kit, with over a billion ARM-based chips manufactured a year.
While developers contacted by drobe.co.uk remain skeptical that hackers will be able to leverage Barnaby's work into effective attacks on devices, the news took some commentators by surprise. Analyst Russ Cooper at Cybertrust told reporters: "The ARM processor is supposed to be a secure environment, so that this flaw exists represents a bigger problem."
Technically speaking, Barnaby is worried that the majority of devices with ARM and XScale processors at their hearts store their hardware vectors starting at address 0 - although modern cores can optionally locate their vector tables in high memory. When software de-references a pointer, it is usually set to null, or zero, so by tricking a device's firmware into using the null pointer to store data, you can hijack the vector table and execute arbitrary code in a privileged mode.
The hardware vector table tells the processor what to do when certain situations arise, such as when the machine is reset, or peripherals and users' programs need attention from the operating system. If this table is read back as ASCII, it will appear as the familiar 'ofla's; try
memoryi 0 in a taskwindow to see them and the table's instructions.
On RISC OS, you can do what Barnaby is suggesting by running from BASIC
SYS"OS_File",16,"$.evilcode",0. You will stiff your machine if you try to load random data, such as a sprite file, at address 0 with
To do this on other platforms, the hacker must find similar vulnerabilities in a device's operating system. This can be non-trivial, however Barnaby was able to abuse debugging features enabled in production models of kit to probe firmware and discover these flaws. By compromising systems such as routers and wireless base stations, it is possible to reflash ROMs, take over a networks, and infect desktop and server systems by intercepting simple network transfers. Non-ARM systems, and most PC operating systems, lock the first page of memory to trap all null accesses - blocking the form of attack described above.
Barnaby said: "Security needs to reach further than a home PC. Insecure devices pose a serious threat to the entire network. Hardware vendors must take security into consideration."
Firmware flaw threatens routers, phones
Previous: Dutch A9home support site hopes to sell software
Next: Theme manager app revised
DiscussionViewing threaded comments | View comments unthreaded, listed by date | Skip to the end
Please login before posting a comment. Use the form on the right to do so or create a free account.
Search the archives
Today's featured article
RISC OS filename translation
Being understood in the outside world
31 comments, latest by mrchocky on 09/01/04 11:06PM. Published: 2 Jan 2004
Remote desktop apps compared
Next in our series: RDP and VNC clients for users with second machines
15 comments, latest by hutchies on 17/1/06 3:26PM. Published: 12 Jan 2006
News and media:
RISCOS Ltd •
RISC OS Open •
MW Software •
Advantage Six •
CJE Micros •
Liquid Silicon •
Chris Why's Acorn/RISC OS collection •
The Register •
The Inquirer •
Apple Insider •
BBC News •
Sky News •
Google News •