A full technical explanation of, and sample code for, the RISC-V CPU-level privilege escalation flaw. This is exploitable in QEMU, and is vulnerable in the current stable implementation spec, though it is in the process of being solved by the RISC-V team:

http://blog.securitymouse.com/2017/04/the-risc-v-files-supervisor-machine.html

#HITB2017AMS

Wrote a more elegant for the RISC-V in-silicon System->Machine mode CPU privilege escalation bug.

The exploit allows a System-level kernel to inject an arbitrary payload of executable code into the Machine-level executive.

Full details in a blog tonight, along with sample code! #HITB2017AMS

REMINDER: All #HITB2017AMS materials are uploaded immediately after each talk: http://conference.hitb.org/hitbsecconf2017ams/materials/ Agenda is here: http://conference.hitb.org/hitbsecconf2017ams/agenda/

Boom! Here's proof the current privilege model in #RISC-V is insecure. My malicious kernel breaks out of the Supervisor privilege, infecting highest level privilege (Machine Mode) with illegal instructions, causing panic.

Full details to be released tomorrow at #HITB2017AMS!

Here we go... last test... #HITB2017AMS

Hacking RISC-V kernels in my final prep run for tomorrow's #HITB2017AMS talk. Got Raekwon's new The Wild on blast in the background, keeping that motivation lit.

I think I've messed with kernel/supervisor memory quite enough tonight. Looking forward to dropping some of this madness at #HITB2017AMS on Thursday. For now? Sleep, thx.

See a live demo of contactless HCE card cloning at #HITB2017AMS - https://www.youtube.com/watch?v=e91El5xX9Aw

Want to break out of the RISC-V QEMU instance? Well, I'm not quite there yet. But... I can get QEMU to forcibly exit emulation without notifying the system. #lame #0day #HITB2017AMS

Welcome to Buildroot
buildroot login: donb
Password:
$ cd /donb
$ ./illegal 0
executing...
MODE, mmu_idx mismatch
x@riscv:/$

Secretary of the Dutch Cyber Security Council (CSR) opens the eighth annual HITB Security Conference #HITB2017AMS - https://www.emerce.nl/wire/secretaris-nederlandse-cyber-security-raad-csr-opent-achtste-jaarlijkse-hitb-security-conference