STE WILLIAMS

I got 99 secure devices but a Nintendo Switch ain’t one: If you’re using Nvidia’s Tegra boot ROM I feel bad for you, son

Security researcher Kate Temkin has released proof-of-concept code dubbed Fusée Gelée that exploits a bug in Nvidia’s Tegra chipsets to run custom code on locked-down devices.

Temkin, who participates in the Nintendo Switch hacking project ReSwitched, has developed a cold-boot hack for the games console that takes advantage of an unpatchable blunder in the Tegra boot ROM.

She’s also working on customized Switch firmware called Atmosphère, which can be installed via Fusée Gelée.

Essentially, Fusée Gelée exploits a vulnerability during a Switch’s startup to commandeer the gadget and execute unofficial software. This is useful for unlocking the locked-down Nintendo Switch so that home-brew games, custom firmware, and other code can be run.

You’ll need physical access to the hardware during power-up to perform Fusée Gelée – it’s not something that can be pulled off over the air.

In a blog post outlining her findings earlier this month, Temkin explained: “The relevant vulnerability is the result of a ‘coding mistake’ in the read-only boot ROM found in most Tegra devices.”


Full details of the bug are set to be revealed on June 15, 2018, unless it is made public by others first – a parallel effort to create custom firmware for the Switch using the vulnerability, or one substantially similar, is underway by a group called Team Xecuter.

The vulnerability is said to affect Tegra chips prior to T186/X2, released in 2016, so it’s not just the Nintendo Switch that’s potentially vulnerable. Other gear using the affected chipset is also potentially at risk.

Temkin reckoned the issue is present in all Nintendo Switches. The nature of the flaw is such that it will require a hardware revision to fix. The boot ROM, which contains the programming bug, accepts minor patches in the factory but cannot be updated afterwards, according to Temkin. That means once a vulnerable machine rolls off the assembly line, the vulnerability is baked in and cannot be mitigated.

Temkin said the cockup was responsibly disclosed, and forwarded to other vendors that use Tegra embedded processors, including Nintendo.

In a summary of her work, Temkin described Fusée Gelée as “a cold boot vulnerability that allows full, unauthenticated arbitrary code execution from an early boot ROM context via Tegra Recovery Mode (RCM) on Nvidia’s Tegra line of embedded processors.”

The issue is that the USB software stack in the Tegra boot ROM calls a memory copy function with a length parameter that can be defined by an attacker, allowing the processor’s execution stack to be overwritten by an oversized copy operation. It’s pretty much game over after that: now you can point the processor at whatever code you want having scribbled over its stack, which contains return addresses.

“By carefully constructing a USB control request, an attacker can leverage this vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, gaining control of the Boot and Power Management processor (BPMP) before any lock-outs or privilege reductions occur,” Temkin’s paper explained.

Successful exploitation compromises the processor’s root-of-trust and provides the attacker with access to secrets burned into device fuses, as well as allowing arbitrary code execution.
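As an added example, not code from Nvidia, ReSwitched or the Tegra boot ROM: a constructed USB control-request handler in C showing the bug class Temkin describes, a copy whose length is taken straight from the host's SETUP packet, beside a hardened handler that checks the declared length against the buffer it owns before copying anything. The SETUP packet layout is the standard USB one; the staging-buffer size, request codes and sample packets are assumptions.

```c
/* Added example (not Nvidia's or ReSwitched's code). Demonstrates the bug
 * class described above: a memory copy whose length is host-controlled,
 * next to a version that validates the length first. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard 8-byte USB SETUP packet (USB 2.0 spec, section 9.3). */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;   /* host-declared length of the data stage */
} usb_setup_t;

/* Size of the device's data-stage staging buffer (constructed value,
 * not the real boot ROM's). */
#define DATA_STAGE_MAX 64

enum { RCM_OK = 0, RCM_STALL = -1 };

/* Decode a raw SETUP packet; multi-byte fields are little-endian on the wire. */
usb_setup_t parse_setup(const uint8_t raw[8])
{
    usb_setup_t s;
    s.bmRequestType = raw[0];
    s.bRequest      = raw[1];
    s.wValue        = (uint16_t)(raw[2] | (raw[3] << 8));
    s.wIndex        = (uint16_t)(raw[4] | (raw[5] << 8));
    s.wLength       = (uint16_t)(raw[6] | (raw[7] << 8));
    return s;
}

/* Vulnerable pattern: wLength comes from the host and is used unchanged as
 * the copy length into a fixed-size stack buffer. A wLength larger than the
 * buffer writes past it, over saved registers and the return address. */
int handle_control_request_unchecked(const usb_setup_t *setup,
                                     const uint8_t *data_stage)
{
    uint8_t staging[DATA_STAGE_MAX];
    memcpy(staging, data_stage, setup->wLength);   /* no bound on wLength */
    return staging[0];                             /* pretend to act on it */
}

/* Hardened pattern: the declared length is checked against the buffer the
 * device actually owns, and an oversized request is refused with a STALL
 * before a single byte is copied. */
int handle_control_request_checked(const usb_setup_t *setup,
                                   const uint8_t *data_stage,
                                   uint8_t *out, size_t out_len)
{
    if (setup->wLength > out_len || setup->wLength > DATA_STAGE_MAX)
        return RCM_STALL;
    memcpy(out, data_stage, setup->wLength);
    return RCM_OK;
}

/* Self-check: returns 1 when an in-bounds request is accepted and copied,
 * and a request declaring more than the buffer holds is refused. */
int self_check(void)
{
    /* Constructed packets: vendor request 0x01 with wLength 16 and 4096. */
    const uint8_t small_raw[8] = {0x40, 0x01, 0, 0, 0, 0, 0x10, 0x00};
    const uint8_t big_raw[8]   = {0x40, 0x01, 0, 0, 0, 0, 0x00, 0x10};
    uint8_t payload[4096];
    uint8_t out[DATA_STAGE_MAX];
    memset(payload, 0xAB, sizeof payload);

    usb_setup_t small = parse_setup(small_raw);
    usb_setup_t big   = parse_setup(big_raw);
    int r_small = handle_control_request_checked(&small, payload, out, sizeof out);
    int r_big   = handle_control_request_checked(&big, payload, out, sizeof out);

    return small.wLength == 16 && big.wLength == 4096 &&
           r_small == RCM_OK && out[15] == 0xAB && r_big == RCM_STALL;
}

int main(void)
{
    const uint8_t small_raw[8] = {0x40, 0x01, 0, 0, 0, 0, 0x10, 0x00};
    uint8_t payload[DATA_STAGE_MAX];
    memset(payload, 0xAB, sizeof payload);
    usb_setup_t small = parse_setup(small_raw);
    /* Within bounds both handlers behave the same; only the checked one
     * survives a host that lies about wLength. */
    printf("unchecked in-bounds result: 0x%02x\n",
           handle_control_request_unchecked(&small, payload));
    printf("self_check: %s\n", self_check() ? "pass" : "fail");
    return 0;
}
```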

An Nvidia spokesperson declined to comment when prodded by The Register. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/23/nintendo_switch_nvidia_tegra_boot_rom_flaw/

Massive cyber attack targets mid-Atlantic nation ‘Berylia’

NATO and assorted partners have unleashed a massive cyber-attack on the fictional country of Berylia to test their ability to defend critical infrastructure against outside attacks.

The virtual country will suffer its virtual attack under NATO’s Cooperative Cyber Defence Centre of Excellence’s (CCDCOE) Locked Shields 2018, which CCDCOE described as the world’s “largest and most advanced international live-fire cyber defence exercise”.

The ping-ping-ping-pew-pew-pew was scheduled to run from April 23rd to April 27th, and NATO said it will let participants “practice the entire chain of command” (all the way from hoodie-clad attackers using anachronistic green screens up, El Reg presumes), covering civilian and military systems and capabilities.

The scenario for the exercise sees Berylia under attack on multiple fronts: someone (cough, cough, Russia?) has the resources to coordinate attacks on an ISP and a military air base, along the way disrupting “the electric power grid, 4G public safety networks, drone operation and other critical infrastructure components.”


Techs involved in the exercise were tasked with keeping the notional nation’s networks alive, while “the strategic part should serve as a forum to understand the impact of decisions made at the strategic and policy level”, NATO’s announcement said.

Nations beyond NATO are also playing: countries as distant as Australia will also join as observers.

The organisational credits for Locked Shields 2018 go to CCDCOE, the defence forces of Estonia and Finland, the Swedish Defence University, the British Joint Army, the US European Command, the Republic of Korea’s National Security Research Institute, the Tallinn University of Technology, with industry input from Siemens, Ericsson, Bittium, Goodmill, Threod Systems, Cyber Test Systems, Clarified Security, Iptron, Bytelife, BHC Laboratory, openvpn.net, GuardTime and others.

The Register understands that Locked Shields 2019 will involve an attack on NATO by The Duchy of Grand Fenwick. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/24/nato_locked_shields_2018_cyberwar_excercise/

Nintendo Switch users could be cracked after unpatchable flaw found in Nvidia Tegra chips

Security researcher Kate Temkin has released proof-of-concept code to launch an exploit chain called Fusée Gelée, which relies on an as-yet-undisclosed vulnerability in past versions of Nvidia’s Tegra system-on-a-chip.

Temkin, who participates in the Nintendo Switch hacking project ReSwitched, has developed a cold boot hack for the device that takes advantage of the supposed Tegra flaw. She’s also working on customized Switch firmware called Atmosphère, which will be installable through Fusée Gelée.

In a blog post outlining her findings earlier this month, Temkin explains, “The relevant vulnerability is the result of a ‘coding mistake’ in the read-only boot ROM found in most Tegra devices.”


The bug is expected to be revealed on June 15, 2018, unless it is made public by others first – a parallel effort to create custom firmware for the Switch using the vulnerability, or one substantially similar, is underway by a group called Team Xecuter.

The vulnerability is said to affect Tegra chips prior to T186/X2 (released in 2016), so it’s not just the Nintendo Switch that’s potentially vulnerable.

Temkin claims the issue affects all current Nintendo Switch firmware versions. She also suggests that the flaw she identified isn’t necessarily the only vulnerability that has been found.

The nature of the flaw is such that it will require a hardware revision to fix. The boot ROM accepts minor patches in the factory but cannot be updated afterwards, according to Temkin.

Temkin says the vulnerability was responsibly disclosed, and forwarded to other vendors that use the Tegra embedded processor, including Nintendo.

In a summary of her findings, Temkin describes Fusée Gelée as “a cold boot vulnerability that allows full, unauthenticated arbitrary code execution from an early boot ROM context via Tegra Recovery Mode (RCM) on Nvidia’s Tegra line of embedded processors.”

The issue is that the USB stack in the Tegra boot ROM contains a copy operation with a length parameter that can be set by the attacker.

“By carefully constructing a USB control request, an attacker can leverage this vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, gaining control of the Boot and Power Management processor (BPMP) before any lock-outs or privilege reductions occur,” Temkin’s paper explains.

Successful exploitation compromises the processor’s root-of-trust and provides the attacker with access to secrets burned into device fuses.

The Register asked Nvidia to comment but the company declined. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/23/nvidia_tegra_flaw/

Can machine learning improve your endpoint detection and response?

To intervene with optimum efficiency, a response team needs to zero in on the most potentially dangerous endpoint anomalies first. And according to Harish Agastya, VP of Enterprise Solutions at Bitdefender, machine learning-assisted EDR can help you do exactly that.

Article source: https://www.darkreading.com/can-machine-learning-improve-your-endpoint-detection-and-response/v/d-id/1331603?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Survey Shows Hybrid Cloud Confidence

Executives are mostly confident in their hybrid cloud security, according to the results of a new survey.

A new survey of executives shows that the vast majority are deploying hybrid cloud architectures for their organization. When queried about the state of their IT security, the breakdown is interesting: Half say it’s healthy, one-quarter have some level of concern, and one-quarter seem to be at best overconfident, at worst delusional. More on that, shortly.

The survey, sponsored by Cavirin Systems, asked executives about how they were building their application architectures for the business. Roughly 80% say that they are building hybrid clouds, with half of those saying that Microsoft Azure is part of their infrastructure.

When the survey turned to how they are protecting the applications and workloads on those hybrid clouds, 40% say that they rely solely on the tools available through the cloud provider. Among the rest, respondents listed cloud workload protection systems (CWPP), CASB, and SIEM tools as part of their security platforms. Nearly two-thirds say that cloud and on-premise systems are protected by entirely separate security tools.

With the diversity of approaches and tools, 53% of those responding say that their cybersecurity posture is “healthy.” Another 23% say that their cybersecurity health is on the spectrum between average and terrible. A confident 23% describe their cybersecurity health as “impenetrable.” History suggests that those in the final group might be wrong.

For more, read here.


Article source: https://www.darkreading.com/cloud/new-survey-shows-hybrid-cloud-confidence/d/d-id/1331621?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Threat Actors Turn to Blockchain Infrastructure to Host & Hide Malicious Activity

.bit domains are increasingly being used to hide payloads, stolen data, and command and control servers, FireEye says.

In a troubling trend for enterprises and law enforcement, threat actors are ramping up their use of blockchain domains to hide malicious activity and improve their ability to withstand takedown efforts.

Security vendor FireEye says it has observed a recent uptick in interest in cryptocurrency infrastructure in the cyber underground. Over the last year, there has been a big surge in the number of threat actors that have begun incorporating support for blockchain domains in their malware tools.

Many different software families — including some well-known ones, such as Necurs, GandCrab, Emotet, SmokeLoader, and Corebot — have been reconfigured to use blockchain domains for command and control infrastructure, according to FireEye.

Searches using keywords such as Namecoin, blockchain, and .bit have also increased sharply in frequency since at least 2016, which suggests heightened criminal interest in the use of blockchain infrastructure to hide payloads, stolen data, and command and control servers.

The main advantage for threat actors in using blockchain domains is that the domains they register have no central authority — such as Internet Corporation for Assigned Names and Numbers (ICANN) or other third-party registrars — says Randi Eitzman, senior analyst at FireEye.

“In traditional ICANN-controlled domains, if a domain is known to be hosting malicious content, then law enforcement agencies could contact the central authority and request that the domain be taken down,” Eitzman says.

Because blockchain top-level domains such as .bit are not centrally managed and have DNS lookup tables shared across a peer-to-peer network, takedown efforts become much more difficult. “When an individual registers a .bit — or another blockchain-based domain — they are able to do so in just a few steps online, and the process costs mere pennies.”

Domain registration is not associated with an individual’s name or address but with a unique encrypted hash of each user. “This essentially creates the same anonymous system as Bitcoin for Internet infrastructure, in which users are only known through their cryptographic identity.”

Criminal interest in cryptocurrency-related topics is not new. As FireEye notes, threat actors have been exploring the possibility of leveraging the unique properties of blockchain technology to support malicious operations since at least 2009.

One example is malicious actors’ interest in Namecoin, a Bitcoin code-based cryptocurrency that allows pretty much anyone to register and manage domain names with the .bit extension. Any individual can use Namecoin to register a .bit domain without having to directly associate their identity or address with it.

Namecoin describes itself as enabling a decentralized domain name system where domain ownership can remain completely anonymous, and domains themselves can therefore be hard to shut down without causing collateral damage.

Domains registered with Namecoin are not directly accessible via standard DNS. So, criminals increasingly have begun configuring their malware to query their own, privately managed Namecoin-compatible domain name servers in order to reach their .bit domains. Or they have been configuring the malware to query Namecoin-compatible servers that are available via underground services. In many cases, malware authors have been hard-coding blockchain-compatible DNS servers in the sample.

“Because the DNS lookup table is decentralized on a blockchain, commonly used and default DNS servers — like ones run by Google and various ISPs — are unable to resolve the domain,” Eitzman explains.
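The two behaviours described above, lookups for .bit names and DNS traffic sent to resolvers other than the sanctioned ones, are what a defender can look for in resolver or firewall logs. As an added example, not FireEye's code, here is a constructed scanner in C; the log line format, the sanctioned resolver list and the sample lines are all assumptions.

```c
/* Added example (not FireEye's code): flags DNS log lines that either look
 * up a blockchain TLD such as .bit or go to a resolver outside the
 * sanctioned set, the pattern of hard-coded Namecoin-compatible servers
 * described in the article. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed log line format (constructed): "<timestamp> <client> <resolver> <qname>" */
#define MAX_FIELD 128

enum { FLAG_BLOCKCHAIN_TLD = 1, FLAG_UNSANCTIONED_RESOLVER = 2 };

/* Sanctioned resolvers for this network (constructed, RFC 5737 test addresses). */
static const char *const SANCTIONED[] = { "192.0.2.53", "192.0.2.54" };
#define N_SANCTIONED (sizeof SANCTIONED / sizeof SANCTIONED[0])

/* Blockchain TLD named in the article. */
static const char *const BLOCKCHAIN_TLDS[] = { ".bit" };
#define N_TLDS (sizeof BLOCKCHAIN_TLDS / sizeof BLOCKCHAIN_TLDS[0])

/* Case-insensitive suffix test (DNS names are case-insensitive). */
static int ends_with_ci(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    if (lx > ls) return 0;
    for (size_t i = 0; i < lx; i++)
        if (tolower((unsigned char)s[ls - lx + i]) !=
            tolower((unsigned char)suffix[i]))
            return 0;
    return 1;
}

/* Returns a bitmask of FLAG_* values, 0 for a benign line, -1 if malformed. */
int classify_dns_line(const char *line)
{
    char ts[MAX_FIELD], client[MAX_FIELD], resolver[MAX_FIELD], qname[MAX_FIELD];
    if (sscanf(line, "%127s %127s %127s %127s", ts, client, resolver, qname) != 4)
        return -1;

    /* Strip the trailing dot of a fully-qualified name before suffix checks. */
    size_t n = strlen(qname);
    if (n > 0 && qname[n - 1] == '.')
        qname[n - 1] = '\0';

    int flags = 0;
    for (size_t i = 0; i < N_TLDS; i++)
        if (ends_with_ci(qname, BLOCKCHAIN_TLDS[i]))
            flags |= FLAG_BLOCKCHAIN_TLD;

    int sanctioned = 0;
    for (size_t i = 0; i < N_SANCTIONED; i++)
        if (strcmp(resolver, SANCTIONED[i]) == 0)
            sanctioned = 1;
    if (!sanctioned)
        flags |= FLAG_UNSANCTIONED_RESOLVER;

    return flags;
}

/* Constructed sample log: one benign line, one .bit lookup via the normal
 * resolver, one .bit lookup via an unknown resolver, one ordinary name
 * sent to an unknown resolver. */
static const char *const SAMPLE_LOG[] = {
    "2018-04-23T10:00:01Z 10.0.0.5 192.0.2.53 www.example.com.",
    "2018-04-23T10:00:02Z 10.0.0.7 192.0.2.53 update.example.bit",
    "2018-04-23T10:00:03Z 10.0.0.7 198.51.100.9 cdn.example.BIT.",
    "2018-04-23T10:00:04Z 10.0.0.9 198.51.100.9 mail.example.org",
};
#define N_SAMPLE (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Number of sample lines that raise at least one flag. */
int count_flagged_lines(void)
{
    int flagged = 0;
    for (size_t i = 0; i < N_SAMPLE; i++)
        if (classify_dns_line(SAMPLE_LOG[i]) > 0)
            flagged++;
    return flagged;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLE; i++)
        printf("flags=%d  %s\n", classify_dns_line(SAMPLE_LOG[i]), SAMPLE_LOG[i]);
    printf("%d of %zu lines flagged\n", count_flagged_lines(), N_SAMPLE);
    return 0;
}
```

A query to an unsanctioned resolver is the stronger signal here: a name under .bit can only be resolved at all if the client has been pointed at a Namecoin-compatible server.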

Providers of so-called bulletproof hosting services have begun jumping into the fray as well. One example, according to FireEye, is Group 4, which recently has added support that allows malicious actors to query .bit-compatible servers.

FireEye expects that threat actors will continue to use Tor, domain generation algorithms, and so-called fast-flux techniques to hide malicious activity. But, increasingly, expect them to start using blockchain infrastructure as well.

“The same perks that continue to draw cybercriminals to using cryptocurrencies as a method of payment apply here,” says Kimberly Goody, senior analyst at FireEye.

Blockchain domains are decentralized and more resistant to takedowns, and they provide comparative anonymity. “Due to these factors and the increasing number of malware developers supporting .bit, we can expect to see these domains continue to gain popularity amongst threat actors,” says Goody.


Article source: https://www.darkreading.com/vulnerabilities---threats/threat-actors-turn-to-blockchain-infrastructure-to-host-and-hide-malicious-activity/d/d-id/1331622?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Threat Intel: Finding Balance in an Overcrowded Market

Industry insiders discuss how threat intelligence has changed and what may happen as the market becomes increasingly saturated.

If you were at last week’s RSA Conference in San Francisco, chances are good you heard someone talk about data visibility. The influx of connected devices and the rise of cloud adoption are driving concerns about information management: how can companies view and secure the data they have in environments with shrinking perimeters and larger attack surfaces?

The “legacy mode” of threat intel traditionally has been a tactical feed of malicious IP addresses feeding into the security operations center or security information and event management system with little context or relation to the business impact or risk, Flashpoint CEO Josh Lefkowitz said in an interview with Dark Reading.

Over the last two years, the shape of threat data has evolved. “We’ve seen a shift toward more correlation and understanding that intelligence needs to drive a decision advantage,” Lefkowitz explained. This idea applies to all sectors and industries, which “are wearing the same jersey when it comes to staying ahead of the threat.”

Cyber-risk and intelligence need to overlap with business decisions, he continued, and the artificial barriers between sectors are beginning to break down. It has taken a long time for information-sharing to catch on, but more businesses are now adopting a “fusion-style” approach to threat intelligence in recognition of the fact they all face the same threats.

“They’re realizing intelligence really is table stakes at this point,” he noted. Now, those tactical data feeds have an overlay of strategic information aligning with business requirements. These metrics, and a feedback loop, “help keep a scoreboard” and ensure everyone’s needs are met.

“What people don’t get about the threat landscape is it’s less about the [attackers’] techniques and more about the attack surface and the number of openings that have been created,” said Art Coviello, executive chairman (retired) of RSA. The key is to have enough data to spot malicious activity. “At some point, the attacker has to do something anomalous,” he noted.

“The best place to stop an attack is before it starts,” Coviello continued. “The idea is to have enough data that you can analyze in one of those controls that spots the signal and the noise. … At some point, the attacker has to do something anomalous.”

As Data Grows, Privacy Fears Abound

“So many people look at the world through a threat lens,” said Richard Ford, chief scientist at Forcepoint. “But there’s a difference between watching the game and being part of the game.”

The level of monitoring accessible with today’s technology is great, he added, but people are becoming more aware that better analytics tools come with privacy concerns. The answer is not to choose between privacy and security but figure out how to balance the two.

“We don’t have enough of a dialogue around privacy — what it means and how to protect it,” he said. “We shouldn’t take ‘privacy or security,’ it’s ‘privacy and security.’”

Katie Lewin, federal director of the Cloud Security Alliance, echoed this sentiment, noting that privacy is an “up-and-coming issue” in the United States, especially as the European Union prepares to launch the General Data Protection Regulation next month. While she doesn’t expect the US will fully adopt GDPR, she does anticipate companies will pay closer attention to privacy as a result.

“There will be a bigger shift in the US in the way in which organizations are looking at personal data,” said Cloud Security Alliance CTO Daniele Catteddu. “There is going to be a radical shift in the way compliance, privacy, and security are conceived in organizations.”

Threat Intel: An Oversaturated Market

The young and growing threat intelligence space is becoming crowded with companies selling point products, promising to help collect threat data. Instead of offering another monitoring service, some vendors are beginning to add capabilities to unify data across intelligence feeds — one way they can set themselves apart in an increasingly saturated space.

Jaime Blasco, vice president and chief scientist at AlienVault, said he’s seeing an “oversaturation of the market” and expects we will see unification in threat intelligence as more businesses try to solve the same problems. Some companies will work together; others will be acquired.

BluVector, which announced intelligence-focused partnerships with Endace and SS8 the week of RSA, is one company exploring these opportunities. The first partnership will combine BluVector’s threat detection with Endace’s analytics platform; the second will bring together network intelligence with a network security platform for detecting and responding to threats.

A company can use around 70 to 80 tools, said BluVector CEO Kris Lovejoy. To learn about the data they collect, they need to marry threat intelligence with what’s happening in the network. “Now, what they’re really worried about is [that] they’re discovering tools are missing things or catching them, but throwing off false positives,” she added.

Brian White, vice president at Forcepoint, also predicted the future will bring consolidation and it’s time to think about building systems, not point products. “This is finally the year it feels like [businesses] acknowledge that reality is coming,” he said.


Article source: https://www.darkreading.com/threat-intelligence/threat-intel-finding-balance-in-an-overcrowded-market/d/d-id/1331623?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

LinkedIn patches serious leak in its AutoFill plugin

LinkedIn has plugged a flaw in its AutoFill button that would have allowed a malicious website to harvest basic account data from your LinkedIn profile.

Introduced a few years back, AutoFill is promoted as a convenient way for websites to capture a visitor’s name, email address, phone number, geographical location, company name, and job role.

Visitors must be logged in to LinkedIn for this to work seamlessly. Those who aren’t logged in will see a ‘sign in to LinkedIn’ button.

Given the sensitivity of the data being captured, it’s only supposed to be available to a select group of sites that pay for the privilege.

But according to researcher Jack Cable, any malicious website could have hosted it, invisibly, and siphoned off your data undetected.

All the unwitting victim would have to do to spring the trap is click anywhere on the malicious page, as demonstrated by Cable’s proof-of-concept. Said the researcher:

This is because the AutoFill button could be made invisible and span the entire page, causing a user clicking anywhere to send the user’s information to the website.

After being informed on 9 April, LinkedIn partially fixed the vulnerability the next day, restricting the plugin to the list of sites that have permission to use AutoFill. Said LinkedIn:

We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly.

LinkedIn said it had seen no signs that the flaw had been abused and thanked Cable for reporting it.

The 10 April fix stopped sites that weren’t allowed to use the code from hosting it, but still left users of sites that were permitted to use it vulnerable to potential abuse, if those sites harboured any cross-site scripting (XSS) flaws.

That loophole was closed by a second patch on 19 April.

Web flaws are incredibly common but this one exposes bigger issues.

First, what looks like a serious vulnerability has been hiding in plain sight for some time, which speaks of weak testing.

Second, and perhaps even worse, LinkedIn users who are logged in have only rudimentary control over the feature.

Visit a site with AutoFill installed (Twitter, SalesForce, Twilio, say) and true to its name your data is loaded automatically for you to submit. There doesn’t appear to be a LinkedIn privacy setting to control this.

One countermeasure you can take (one that also protects you from Cross-Site Request Forgery attacks of all stripes), is to log out of sites like LinkedIn when you’ve finished using them.

Meanwhile, LinkedIn’s explanation of AutoFill security is written solely to aid websites that might implement it – it’s as if the user’s data is just another resource to be disseminated as far and wide as possible.

It’s a model that explains how the web often works. As Facebook’s problems underline, the future might not be as carefree.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/h-YyPonoAVE/

Yahoo mega-breach hacker faces nearly 8 years in prison

The US is looking to lock up one of the Yahoo mega-breach spearphishers for 94 months: nearly eight years.

On Tuesday, Department of Justice (DOJ) prosecutors asked a San Francisco federal court judge to impose that sentence on Karim Baratov, a Canadian citizen born in Kazakhstan who was indicted in March 2017 for working with two officers of the Russian Federal Security Service (FSB) – that’s Russia’s successor to the KGB – to pull off the historic Yahoo breach.

Yahoo confirmed in September 2016 that it had discovered a raid that affected half a billion Yahoo accounts in 2014.

Just a few months later, Yahoo confirmed yet another, separate breach, dating back to 2013, that affected a staggering three billion.

Baratov pleaded guilty in November 2017 to nine counts related to the 2014 breach, including aggravated identity theft and violating the Computer Fraud and Abuse Act (CFAA) by stealing information from protected computers.

Under federal guidelines, his maximum sentence is up to 20 years in prison, according to the DOJ. Baratov’s attorneys have asked for a sentence of 45 months: about half of what the DOJ is after.

According to the sentencing memorandum (PDF), Baratov was a hacker-for-hire who took orders to target specific victims without asking his customers to explain their own identity, their motives, or their objectives.

He took his operations to the international stage between 2014 and 2016, when he started working with a co-defendant, FSB officer Dmitry Dokuchaev. Based on information stolen in the Yahoo breach, Dokuchaev allegedly paid Baratov to break into 80 webmail accounts belonging to people of interest to Russian intelligence.

Running his business out of his home in Ontario, Baratov had a few websites to advertise his services to Russians. One site, named “webhacker,” offered “hacking of email accounts without prepayment”. The site said that Baratov could take over webmail accounts of Google and Russian providers, such as Mail.ru and Yandex.

He used the money he earned from his illegal activities to buy himself a cushy life: he bought a $650,000 home and luxury cars that included a Lamborghini, a Porsche, an Aston Martin, a Mercedes and a BMW. He bragged about it all on social media, including one post showing him with a fanned-out stack of $100 Canadian bills.

Baratov’s hacking was a springboard for his customers to go after their victims with a laundry list of crimes that followed the webmail account breaches, prosecutors said. From the sentencing memorandum:

The defendant set up, operated, and grew a criminal hacker-for-hire business that gave his customers the ability (and provided a layer of concealment for their identities) to commit a whole spectrum of additional crimes (e.g. against the victims’ dignity, finances, safety, privacy, or other interests).

Yes, but he was just a pup when he was hacking people’s email accounts, Baratov’s legal team is arguing (PDF).

The extenuating circumstances in the instant matter are plentiful. This is Mr Baratov’s first arrest. Additionally, Mr Baratov was under the age of 22 during the majority of the time that he hacked email accounts.

No prior contact with law enforcement combined with Mr Baratov’s young age weigh heavily in favor of a low culpability calculation.

Baratov is due to be sentenced by Judge Vince Chhabria on 24 April.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3TByu9mD-AA/

Brains behind seL4 secure microkernel begin RISC-V chip port

Last week, the first RISC-V port of its seL4 microkernel was released by the Data61 division of the Australian government’s Commonwealth Scientific and Industrial Research Organisation (CSIRO).

seL4 is an open-source and highly secure version of the L4 microkernel that aims to be mathematically proven to be bug free, in the sense that it behaves exactly as its formal specification says it should. Meanwhile, RISC-V is an open-source instruction-set architecture, and is used as the blueprint for various open-source processor core designs – some of which are now shipping as real usable silicon, such as chips from SiFive and Greenwaves.

The first release of the port is a prototype: it is 64-bit-only, there is no floating-point math hardware support, and it runs only in the Spike CPU simulator.

As part of its RISC-V efforts, the CSIRO has joined the RISC-V Foundation, so as to have a seat at the table as the fledgling processor architecture takes shape.

Vulture South spoke to Data61 chief research scientist for trustworthy systems, Professor Gernot Heiser, about the seL4-on-RISC-V project.

“RISC-V has a lot of momentum behind it,” Heiser said, not just because the specification is open, but also because of the open reference implementations on offer. We note that Western Digital has also thrown its weight behind it, as has Nvidia and Google, as they search around for affordable customizable cores to glue their hardware together.

Its combination of “greenfield design on the back of experience” makes RISC-V a “very clean design,” he added.

As a platform for seL4, Heiser said, RISC-V is also an important alternative to the Intel and Arm architectures. For one thing, RISC-V is free and open-source technology for engineers to adopt and tweak as they need. Also, RISC-V cores do not suffer from the Meltdown-Spectre speculative execution design flaws, and even if they were affected, the blueprints are all there in the open to be fixed.

While seL4 runs on Arm-compatible processors, its original platform, and since then Intel hardware – it’s still going through the formal verification process on Chipzilla’s CPUs – Heiser said porting the open-source microkernel to an open hardware platform is a natural next step. It means if anyone suspects there is a backdoor or a vulnerability in the processor design, the hardware design code can be inspected, analyzed, and verified.

And it means the designs can be improved directly by their users, rather than waiting for folks at Intel or Arm to get round to it. That’s why the CSIRO wants to be part of the RISC-V foundation: “Some of the instruction set has not been finalised at all … it’s important to take part so that we can have a say, and make sure seL4 is properly supported.”

Even though modern chips are dizzyingly complex, the openness of RISC-V means it’s “more feasible to scrutinise,” he said. “In principle, we can analyse what’s in the microarchitecture, and see how that could lead to security holes.”

If you don’t have a complete model of a CPU, he said, “it’s very difficult, if not impossible, to analyse the processor.” Even for RISC-V, he said, “a lot of research is required” to systematically explore an architecture for vulnerabilities.

seL4 and L4 adoption has been a long process, Heiser told Vulture South – “it took eight years to get deployed to Apple devices, but it’s now shipping hundreds of millions a year.”

By that, the professor means the L4 microkernel running on the Secure Enclave security coprocessor [PDF, p7] Apple builds into its most recent iPhones and iPads. That kernel has been tweaked by Apple to meet its needs.

Because it’s a microkernel, seL4 needs a lot of work and extra code to turn it into a functioning system. A microkernel tries to do as little as possible so that as little possible can go wrong. All the system services and drivers run isolated in a layer above the microkernel, and can be restarted if something breaks, or upgraded if bugs need patching, without taking out the entire device.

“You get a lot of services with the Linux kernel,” Heiser said, whereas those services run in user-space alongside applications in an seL4 environment.

“There’s nothing stopping us from having complete user level services available, but that hasn’t happened yet,” Prof Heiser said. “We’re keen to build an open source ecosystem,” he told us, because building seL4 into a complete operating system is “beyond the scope of what we can do ourselves.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/23/risc_v_sel4_port/