
A computer security researcher who claimed he found a serious vulnerability in ARM-compatible processors has in fact stumbled across a class of bug infamous to RISC OS users - the ofla.
The 'ofla' bug is seen when a confused program tries to read information from an inappropriate part of the computer's memory, and winds up mistaking executable code for text. This machine code is then displayed to the user in error messages and other windows, and shows up as the string of 'ofla's.
However, Juniper Networks' Barnaby Jack said that by doing the reverse - writing to that memory instead of reading it - a malicious hacker could overwrite this executable code with a program of their own, thus breaking into and taking over an ARM-powered gadget. He presented his findings at an international security conference this month, and compromised a D-Link router as a demonstration - drawing the attention of the mainstream IT press. Barnaby had billed his work as the discovery of a 'major vulnerability' in ARM-based systems. ARM remains the popular choice for mobile phones, routers, gadgets and other embedded kit, with over a billion ARM-based chips manufactured a year.
Doubts
While developers contacted by drobe.co.uk remain skeptical that hackers will be able to leverage Barnaby's work into effective attacks on devices, the news took some commentators by surprise. Analyst Russ Cooper at Cybertrust told reporters: "The ARM processor is supposed to be a secure environment, so that this flaw exists represents a bigger problem."
Technically speaking, Barnaby is worried that the majority of devices with ARM and XScale processors at their hearts keep their hardware vector table starting at address 0 - although modern cores can optionally relocate it to high memory. A pointer that a program never initialised, or has already cleared, is usually null, or zero, so a firmware bug that writes data through such a pointer puts that data at address 0. Trick the device's firmware into doing that with data you control and you have overwritten the vector table; the next exception the processor takes then jumps to your code in a privileged mode.
The hardware vector table tells the processor what to do when certain situations arise, such as when the machine is reset, an undefined instruction or memory fault occurs, or peripherals and users' programs need attention from the operating system (interrupts and SWIs). If this table is read back as ASCII it will appear as the familiar 'ofla's; try *MemoryI 0 in a TaskWindow to see them alongside the table's disassembled instructions.
On RISC OS, you can do what Barnaby is suggesting by running from BASIC SYS "OS_File",16,"$.evilcode",0, which loads the file $.evilcode at address 0, straight over the vector table. You will stiff (crash) your machine if you load random data, such as a sprite file, at address 0 this way, because the next interrupt will execute whatever the file put in the table.
Compromise
To do this on other platforms, the hacker must first find a similar null-pointer write in a device's operating system. This can be non-trivial; however, Barnaby was able to abuse debugging features left enabled in production models of kit to probe firmware and discover these flaws. By compromising systems such as routers and wireless base stations, it is possible to reflash ROMs, take over networks, and infect desktop and server systems by intercepting ordinary network transfers. PC operating systems, on ARM or any other processor, normally lock the first page of memory so that every null access is trapped - blocking the form of attack described above.
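As an added illustration of the mechanism in the paragraphs above (this is example code written for this page, not Barnaby's exploit or any vendor's firmware), the C program below emulates the 64 bytes of ARM low memory that hold the vector table, a firmware routine that copies a client-supplied record through a session pointer it never checked for null, and the address the processor would dispatch to on the next IRQ. The session table, the ROM handler addresses, the attacker's RAM address and the 4 KB guard page are all assumptions made for the example; the vector encodings it decodes (LDR pc,[pc,#imm] and B) are the real ARM ones.

```c
/* Emulated ARM low memory: the eight exception vectors at 0x00-0x1C, each an
 * "LDR pc, [pc, #0x18]" that fetches its handler address from 0x20-0x3C.
 * The firmware session table, handler addresses and guard page size are
 * constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOWMEM_SIZE     0x40          /* only the vector page is emulated */
#define NULL_PAGE       0x1000        /* guard page a desktop OS leaves unmapped (assumed size) */
#define VEC_IRQ         0x18          /* IRQ vector slot; Reset=0x00 ... FIQ=0x1C */
#define LDR_PC_PC_IMM   0xE59FF000u   /* LDR pc, [pc, #imm12] */
#define B_IMM24         0xEA000000u   /* B <offset> */
#define ROM_IRQ_HANDLER 0x00010600u   /* constructed ROM handler for the IRQ vector */
#define ATTACKER_CODE   0x00030000u   /* constructed RAM address the attacker already filled */

static uint8_t lowmem[LOWMEM_SIZE];   /* emulated physical addresses 0x00-0x3F */

static uint32_t get32(const uint8_t *p) {           /* little-endian, as on the device */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* ROM boot: vector slot 4n holds LDR pc,[pc,#0x18]; since pc reads as slot+8,
 * that loads the handler address stored at 0x20+4n. */
static void boot_vectors(void) {
    memset(lowmem, 0, sizeof lowmem);
    for (uint32_t n = 0; n < 8; n++) {
        put32(lowmem + 4 * n, LDR_PC_PC_IMM | 0x18);
        put32(lowmem + 0x20 + 4 * n, 0x00010000u + n * 0x100);   /* n=6 (IRQ) -> ROM_IRQ_HANDLER */
    }
}

/* Where does the CPU go when the exception at `slot` fires? Decodes the two
 * encodings vector tables normally use; returns 0xFFFFFFFF for anything else. */
static uint32_t resolve_vector(uint32_t slot) {
    uint32_t insn = get32(lowmem + slot);
    if ((insn & 0xFFFFF000u) == LDR_PC_PC_IMM) {
        uint32_t addr = slot + 8 + (insn & 0xFFFu);          /* literal pool address */
        return addr + 4 <= LOWMEM_SIZE ? get32(lowmem + addr) : 0xFFFFFFFFu;
    }
    if ((insn & 0xFF000000u) == B_IMM24)
        return slot + 8 + (uint32_t)(((int32_t)(insn << 8)) >> 6);  /* sign-extended imm24 << 2 */
    return 0xFFFFFFFFu;
}

/* Constructed session table: returns a session's address, or 0 (null) on a miss. */
static uint32_t session_lookup(uint32_t id) {
    return id == 7 ? 0x2000u : 0u;
}

/* The firmware bug: the record is copied to wherever the lookup pointed, with no
 * check for a miss, so an unknown id writes the client's bytes at address 0.
 * With null_page_unmapped set, the MMU setup of a desktop OS is modelled: the
 * write into the unmapped first page faults before anything lands. */
static int session_store(uint32_t id, const uint8_t *rec, size_t len, int null_page_unmapped) {
    uint32_t s = session_lookup(id);
    if (null_page_unmapped && s < NULL_PAGE)
        return -1;                                   /* data abort on the null write */
    for (size_t i = 0; i < len; i++) {
        uint32_t a = s + (uint32_t)i;
        if (a < LOWMEM_SIZE) lowmem[a] = rec[i];     /* writes elsewhere are not emulated */
    }
    return 0;
}

/* The attacker's "record": a replacement vector table whose eight handler
 * pointers all name code the attacker has already placed in RAM. */
static void build_payload(uint8_t rec[LOWMEM_SIZE]) {
    for (uint32_t n = 0; n < 8; n++) {
        put32(rec + 4 * n, LDR_PC_PC_IMM | 0x18);
        put32(rec + 0x20 + 4 * n, ATTACKER_CODE);
    }
}

/* Boots, submits the payload under an id that does not exist, and reports where
 * the next IRQ would dispatch (in IRQ mode, i.e. privileged). */
static uint32_t irq_target_after_attack(int null_page_unmapped) {
    uint8_t rec[LOWMEM_SIZE];
    boot_vectors();
    build_payload(rec);
    session_store(9999, rec, sizeof rec, null_page_unmapped);
    return resolve_vector(VEC_IRQ);
}

int main(void) {
    printf("next IRQ, vector page writable: 0x%08X\n", (unsigned)irq_target_after_attack(0));
    printf("next IRQ, first page unmapped:  0x%08X\n", (unsigned)irq_target_after_attack(1));
    return 0;
}
```

Compile with any C compiler and run it: the first line shows the IRQ vector now resolving to the attacker's address after one unchecked write through a null pointer, the second shows the same write rejected when the first page is unmapped - the protection the PC operating systems mentioned above get from their memory layout, and that firmware relying on a writable vector table at address 0 lacks.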
Barnaby said: "Security needs to reach further than a home PC. Insecure devices pose a serious threat to the entire network. Hardware vendors must take security into consideration."
Links
Firmware flaw threatens routers, phones
Related articles
Will new ARM mobile platform boost RISC OS?
ARM reveals new 1GHz multi-core processor
ARM 'security hole' is ofla cousin