author: hellekin <hellekin@dyne.org> 2016-08-07 22:22:22 +0000
committer: hellekin <hellekin@dyne.org> 2016-08-07 22:22:22 +0000
commit: d632f625cb74cbcd2a6415b3e6cd5c83857d89fc (patch)
tree: 27494db98f9b1ceb0bfc2070ff12fe3d9bc7092e
parent: 6d4c4fb0898ee3a304f507b4cc5385405dffbcdf (diff)
download: www-d632f625cb74cbcd2a6415b3e6cd5c83857d89fc.tar.gz
www-d632f625cb74cbcd2a6415b3e6cd5c83857d89fc.tar.bz2
www-d632f625cb74cbcd2a6415b3e6cd5c83857d89fc.zip

Split ASN.1 vulnerability out of 0021 into 0022

-rw-r--r-- content/0021-migrating-away-from-eagle-to-kicad.html 295
-rw-r--r-- content/0022-about-the-asn.1-vulnerability.html 148
2 files changed, 148 insertions, 295 deletions
diff --git a/content/0021-migrating-away-from-eagle-to-kicad.html b/content/0021-migrating-away-from-eagle-to-kicad.html
deleted file mode 100644
index 11366f0..0000000
--- a/content/0021-migrating-away-from-eagle-to-kicad.html
+++ /dev/null
@@ -1,295 +0,0 @@
-<!DOCTYPE html>
-<html>
- <head>
- <meta charset="UTF-8" name="charset"><!-- pelican??? -->
- <title> Migrating away from Eagle, to KiCad </title>
- <meta name="date" content="2016-08-01 13:00:00">
- <meta name="last modified" content="2016-08-01 13:00:00">
- <meta name="keywords" content="neo900, eagle, kicad, n900, donation">
- <meta name="authors" content="hellekin">
- <meta name="description" content="Neo900 schematics now using free software KiCAD.">
- </head>
-
- <body>
-
- <p class="lead">
- The Neo900 team decided to move away from proprietary software
- Eagle and converted its schematics production to the KiCad
- open-source Electronics Design Automation
- (<abbr title="Electronics Design Automation">EDA</abbr>) suite.
- </p>
-
- <h2>Contents</h2>
-
- <p>Before jumping to Neo900 project updates since June, and our main
- feature, we'd like to share with you a recent vulnerability
- disclosure which shows the value of separating the telephony stack
- from the rest of the system.</p>
-
- <ol>
- <li><a href="#asn1-vulnerability">ASN.1 Vulnerability</a></li>
- <li><a href="#more-n900-sourcing">More N900 Sourcing</a></li>
- <li><a href="#neo900-whitepapers">Whitepapers Update</a></li>
- <li><a href="#feature">From Eagle to KiCad</a></li>
- </ol>
-
- <h3 id="asn1-vulnerability">ASN.1 Vulnerability</h3>
-
- <p>Following the decision of <abbr title="National Institute for
- Standards and Technology">NIST</abbr> to deprecate usage of SMS in
- two-factor authentication (we'll come back on this in an upcoming
- installment), this vulnerability disclosure confirms the interest
- of the unique design of Neo900 that isolates the baseband chip
- from power supply, making it dependent on the <abbr title="Central
- Processing Unit">CPU</abbr> (and the <abbr title="Operating
- System">OS</abbr>) to access anything else on the system, and
- preventing remote activation of the chip in the first place.</p>
-
- <p>Lucas Molas of <em>Programa STIC</em> discovered a <cite>Heap
- memory corruption in ASN.1 parsing code generated by Objective
- Systems Inc. ASN1C compiler for C/C++</cite> potentially affecting
- billions of phone users worldwide. The proprietary software
- vendor received a bug report via <em>plain text email</em> on
- June, 1<sup>st</sup>, 2016, according to
- the <a href="https://github.com/programa-stic/security-advisories/tree/master/ObjSys/CVE-2016-5080/">CVE-2016-5080</a>
- released on July, 18<sup>th</sup>, 2016 to the public in a
- coordinated release with the vendor.</p>
-
- <blockquote>Abstract Syntax Notation One (<abbr title="Abstract
- Syntax Notation One">ASN.1</abbr>) is a technical standard and
- formal notation that describes rules and structures for
- representing, encoding, transmitting, and decoding data in
- telecommunications and computer networking.</blockquote>
-
- <blockquote>A vulnerability found in the runtime support
- libraries of the ASN1C compiler for C/C++ from Objective
- Systems Inc. could allow an attacker to remotely execute code
- in software systems, including embeded software and firmware,
- that use code generated by the ASN1C compiler. The
- vulnerability could be triggered remotely without any
- authentication in scenarios where the vulnerable code receives
- and processes <abbr>ASN.1</abbr> encoded data from untrusted
- sources, these may include communications between mobile
- devices and telecommunication network infrastructure nodes,
- communications between nodes in a carrier's network or across
- carrier boundaries, or communication between mutually untrusted
- endpoints in a data network.</blockquote>
-
- <p>The proprietary software vendor released a hot patch (v7.0.1)
- available upon request to their customers, and will integrate the
- fix in the upcoming v7.0.2 of their compiler.</p>
-
- <p>On July, 1<sup>st</sup>, Programa STIC mentioned
- that <q>memory corruption bugs in <abbr>ASN.1</abbr> related
- components of an <abbr title="Long Term Evolution">LTE</abbr>
- stack have been announced or hinted at in several infosec
- conference presentations over the past few weeks and its likely
- the same or similar bugs will become public soon.</q></p>
-
- <h4>How is Neo900 Affected?</h4>
-
- <p>The short answer is: Neo900 is not affected. Keep reading to
- know why.</p>
-
- <p>In
- our <a href="https://neo900.org/news/paypal-resumes-neo900-sources-again">last
- communication</a> we noted that <q><strong>Neo900 is the only
- phone that provides a hardware protection from remote
- activation of the baseband chip</strong></q>.</p>
-
- <p id="anchor-gta0x">In fact, the
- <a href="#note-gta0x"><strong>GTA0x</strong> design</a> contains
- two unique features:
- <ul>
- <li>the modem is detached from the power source, unlike other
- smartphones, so that the modem has to be authorized by
- the <abbr>CPU</abbr> before it can perform its tasks.</li>
- <li>the modem and the <abbr>CPU</abbr> <strong>do not share
- <abbr title="Random Access Memory">RAM</abbr>, which
- prevents a whole range of attack vectors where a rogue
- baseband chip, either by design, by "lawful" or illegal
- action, could take control of memory segments pertaining to
- other subsystems and inject malicious code.</li>
- </ul>
- Neo900 takes advantage of this and incorporates circuitry to
- give the <abbr>CPU</abbr> the capacity to monitor:
- <ul>
- <li>the modem access to power and its consumption</li>
- <li>the activity of the modem antenna</li>
- <li>the activation of the
- <abbr title="Global Positioning System">GPS</abbr>
- part of the modem</li>
- <li>other interfaces (e.g., digital
- <abbr title="Pulse-Code Modulation">PCM</abbr> audio</li>
- </ul>
- </p>
-
- <p>Therefore this vulnerability that potentially plagues most
- commercial phones on the planet, won't affect Neo900 like it
- will other devices. In other designs where RAM is shared and a
- rogue modem can access the power supply at will, the attack
- surface is infinitely larger, and exploiting a vulnerability
- such as the <abbr>ASN.1</abbr> bug will grant access to the
- whole system.</p>
-
- <p>But with Neo900, only a rare combination of hardware
- vulnerability in the <abbr title="Universal Serial
- Bus">USB</abbr> connecting the modem to the <abbr>CPU</abbr>,
- and a software vulnerability would have a remote chance to do
- that. As long as there's no proprietary vulnerable binary blobs
- in the Neo900 <abbr title="Application Processor
- Environment">APE</abbr>, the chance of a modem bug bubbling up
- to the rest of the system without a way to control it and fix
- it in software remains null.</p>
-
- <p>Our exclusive Neo900 design is more valuable than ever!</p>
-
- <h3 id="server-migrated">Neo900.org Server Migrated</h3>
-
- <p>Last week we completed the migration of Neo900.org services,
- including <a href="https://my.neo900.org/">Neo900 Shop</a> to a
- new server. The old one was running out of space, and
- dangerously approaching capacity, especially
- when <a href="https://en.wikipedia.org/wiki/Slashdot_effect">slashdotted</a>.</p>
-
- <p>If you encounter any problems with the new server,
- please <a href="mailto:contact@neo900.org?Subject=Neo900.org%20Services%20Issue">report
- them</a>!</p>
-
- <h3 id="more-n900-sourcing">More N900 Sourcing</h3>
-
- <p>After dowsing for a while, our boots in China confirmed the
- source mentioned previously! We already received 20 more N900
- units responding to our quality criteria for enduring the
- metamorphosis into brand new Neo900 units for you lucky (and
- patient) early birds. 20 more units are on the way, and we
- expect more to come. We're already at 70 units and
- counting.</p>
-
- <p>Again, if you know where to find some affordable stocks of N900
- units,
- please <a href="mailto:contact@neo900.org?Subject=N900%20Stock">contact
- us</a>!</p>
-
- <h3 id="neo900-whitepapers">Whitepapers Update</h3>
-
- <p>While we're at it, and to continue building momentum for
- our <a href="#feature">main feature</a> today, like if you were
- too early at the movies, let's have a look at what our mad
- scientists concocted since last June.</p>
-
- <p>
-
- <p>You can always follow our whitepapers updates directly from
- Werner in
- the <a href="http://talk.maemo.org/showthread.php?t=93498">Neo900
- Announcements</a> thread on talk.maemo.org, and access the whole
- up-to-date whitepaper collection from
- the <a href="https://neo900.org/resources">Resources section</a>
- at neo900.org.</p>
-
- <p>And now, without further ado, our main feature!</p>
-
- <h3 id="feature">From Eagle to KiCad</h3>
-
- <p>When Joerg took charge of the Neo900 project, the electronics
- design was made with Eagle, and was updated using that tool ever
- since. Nikolaus Schaller, of OpenPandora fame, was the Eagle
- virtuoso, but our communication with his company, Golden
- Delicious, was hampered for a long time by incompatible tools and
- workflow.</p>
-
- <p>In 2016, Nikolaus faded away from Neo900, absorbed by the
- finishing touch to Neo900's sister
- project <a href="https://pyra-handheld.com">Pyra</a>. Just a few
- weeks ago he confirmed that he couldn't follow up on the layout
- for Neo900, which prompted Joerg and Werner to consider
- alternatives.</p>
-
- <p>In the <abbr title="Electronics Design Automation">EDA</abbr>
- market, besides Eagle, there's Altium. But Altium has the same
- flaw as Eagle: it's proprietary, and moreover, it's quite
- expensive. Our rationalizing mind wants to say there's cognitive
- dissonance in using non-free software for a free hardware
- project. And in hindsight, this sounds like a good
- rationalization.</p>
-
- <p>Among the open-source alternatives to Eagle (let's leave Altium
- in its own class), <a href="http://fritzing.org/">Fritzing</a>
- didn't match our need for multilayer board support;
- between <a href="http://geda-project.org/">gEDA</a>
- and <a href="http://kicad-pcb.org/">KiCad</a>, the choice was
- easy: the latter is much more popular, backed up
- by <abbr title="Centre Européen de Recherche
- Nucléaire">CERN</abbr> as part of
- the <a href="http://home.cern/about/updates/2015/02/kicad-software-gets-cern-treatment">Open
- Hardware Initiative</a>, and there are discussions to share
- codebase between the two projects [ref needed].</p>
-
- <h4>How does the move to KiCad influence Neo900 development?</h4>
-
- <p>The only major downside comes from the reduced access to
- Nikolaus' <abbr title="Open Multimedia Applications
- Platform">OMAP</abbr> know-how, although we hope he will be able
- to review our work. On the other hand, we're no longer slowed
- down by uncertainty with regard to the future role of Golden
- Delicious in Neo900: this used to cause change requests to pile
- up, and we used white papers as a means of documenting what we
- couldn't change in the schematics in a timely manner.</p>
-
- <p>That gives us wings: with KiCad, we can now provide a more
- transparent development process and can now operate in a more
- schematics-centric mode, using white papers only where something
- actually needs explaining.</p>
-
- <p>We found out that KiCad's routing capabilities are superior to
- Eagle's:</p>
-
- <figure>
- <iframe width="560" height="315" src="https://www.youtube.com/embed/CCG4daPvuVI" frameborder="0" allowfullscreen></iframe>
- <figcaption>
- <a href="https://www.youtube.com/watch?v=CCG4daPvuVI">Demo of the KiCad router</a>
- </figcaption>
- </figure>
-
- <p>Moving to KiCad proved to be quite
- an <a href="https://www.youtube.com/watch?v=d5oO6fiyB7o">improvement
- over that</a>.</p>
-
- <h4>What's the progress on converting Neo900 schematics from Eagle
- to KiCad?</h4>
-
- <p>Progress is surprisingly fast. We already completed the bulk of
- the conversion, and are now fixing bugs (some discovered during
- the conversion,
- and <a href="https://bugs.launchpad.net/kicad/+bug/1154131/comments/9">also
- in KiCad</a>.)</p>
-
- <p>In the coming weeks we're going to work on incorporating
- material <em>parked</em> in whitepapers (see above), [maybe leave
- that alone for now:] define the BB-mX interface for prototype v2
- (...)</p>
-
- <p>Being able to put our schematics under version control moves us
- away from the Stone Age, into the present. You can watch the
- evolving contents in our
- <a href="https://neo900.org/git/?p=ee;a=tree">eletronics
- engineering Git repository</a>.</p>
-
- <p>Thank you for your attention,</p>
-
- <p>&ndash; hellekin for the Neo900 team</p>
-
- <p>P.S.: Feedback is welcome! Did you enjoy reading this post?
- What else should it have covered? What do you want to read in the
- news? You can tell me: hellekin at neo900 dot org, or in the
- comments.</p>
-
- <p id="note-gta0x" class="footnote">Footnote: from Openmoko Neo
- 1973 and FreeRunner, to Golden Delicious GTA04 and maybe the
- upcoming Pyra, and of course Neo900, GTA0x design supports modem
- separation, although not power separation in Neo
- 1973. <a href="#anchor-gta0x" title="back to text">^^</a></p>
-
-</body>
-</html>
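Review bot: the commit message says the ASN.1 section is being split out of 0021, but this hunk deletes content/0021-migrating-away-from-eagle-to-kicad.html in its entirety, and the sections that are not about ASN.1 (Neo900.org Server Migrated, More N900 Sourcing, Whitepapers Update and the main feature From Eagle to KiCad) are not carried over anywhere in this commit. If the intent is a split, 0021 should survive with only the `<h3 id="asn1-vulnerability">` section and its `<li><a href="#asn1-vulnerability">` entry in the Contents list removed; if the post is genuinely being withdrawn, the commit message should say so, since as written it will mislead anyone tracing the history of the KiCad migration post. Two defects that would need fixing in a retained 0021 are also visible here: the `<strong>` opened in `- <li>the modem and the <abbr>CPU</abbr> <strong>do not share` is never closed, and there is an empty `- <p>` left standing before the whitepapers paragraph.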
diff --git a/content/0022-about-the-asn.1-vulnerability.html b/content/0022-about-the-asn.1-vulnerability.html
new file mode 100644
index 0000000..b546344
--- /dev/null
+++ b/content/0022-about-the-asn.1-vulnerability.html
@@ -0,0 +1,148 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta charset="UTF-8" name="charset"><!-- pelican??? -->
+ <title> About the ASN.1 Vulnerability</title>
+ <meta name="date" content="2016-08-07 13:00:00">
+ <meta name="last modified" content="2016-08-07 13:00:00">
+ <meta name="keywords" content="neo900, ASN.1, security, modem separation, GTA0x">
+ <meta name="authors" content="hellekin">
+ <meta name="description" content="Neo900 is not vulnerable to ASN.1 vulnerability. Here's why.">
+ </head>
+
+ <body>
+
+ <p class="lead">
+ A recent vulnerability disclosure threatens billions of
+ smartphones. What's the fuss about it? How does Neo900 fare
+ against this threat? Hint: pretty well.
+ </p>
+
+ <h1 id="asn1-vulnerability">ASN.1 Vulnerability</h1>
+
+ <p>Following the decision of <abbr title="National Institute for
+ Standards and Technology">NIST</abbr> to deprecate usage of SMS in
+ two-factor authentication (we'll come back on this in an upcoming
+ installment), this vulnerability disclosure confirms the interest
+ of the unique design of Neo900 that isolates the baseband chip
+ from power supply, making it dependent on the <abbr title="Central
+ Processing Unit">CPU</abbr> (and the <abbr title="Operating
+ System">OS</abbr>) to access anything else on the system, and
+ preventing remote activation of the chip in the first place.</p>
+
+ <p>Lucas Molas of <em>Programa STIC</em> discovered a <cite>Heap
+ memory corruption in ASN.1 parsing code generated by Objective
+ Systems Inc. ASN1C compiler for C/C++</cite> potentially affecting
+ billions of phone users worldwide. The proprietary software
+ vendor received a bug report via <em>plain text email</em> on
+ June, 1<sup>st</sup>, 2016, according to
+ the <a href="https://github.com/programa-stic/security-advisories/tree/master/ObjSys/CVE-2016-5080/">CVE-2016-5080</a>
+ released on July, 18<sup>th</sup>, 2016 to the public in a
+ coordinated release with the vendor.</p>
+
+ <blockquote>Abstract Syntax Notation One (<abbr title="Abstract
+ Syntax Notation One">ASN.1</abbr>) is a technical standard and
+ formal notation that describes rules and structures for
+ representing, encoding, transmitting, and decoding data in
+ telecommunications and computer networking.</blockquote>
+
+ <blockquote>A vulnerability found in the runtime support
+ libraries of the ASN1C compiler for C/C++ from Objective
+ Systems Inc. could allow an attacker to remotely execute code
+ in software systems, including embeded software and firmware,
+ that use code generated by the ASN1C compiler. The
+ vulnerability could be triggered remotely without any
+ authentication in scenarios where the vulnerable code receives
+ and processes <abbr>ASN.1</abbr> encoded data from untrusted
+ sources, these may include communications between mobile
+ devices and telecommunication network infrastructure nodes,
+ communications between nodes in a carrier's network or across
+ carrier boundaries, or communication between mutually untrusted
+ endpoints in a data network.</blockquote>
+
+ <p>The proprietary software vendor released a hot patch (v7.0.1)
+ available upon request to their customers, and will integrate the
+ fix in the upcoming v7.0.2 of their compiler.</p>
+
+ <p>On July, 1<sup>st</sup>, Programa STIC mentioned
+ that <q>memory corruption bugs in <abbr>ASN.1</abbr> related
+ components of an <abbr title="Long Term Evolution">LTE</abbr>
+ stack have been announced or hinted at in several infosec
+ conference presentations over the past few weeks and its likely
+ the same or similar bugs will become public soon.</q></p>
+
+ <h2>How is Neo900 Affected?</h2>
+
+ <p>The short answer is: Neo900 is not affected. Keep reading to
+ know why.</p>
+
+ <p>In
+ our <a href="https://neo900.org/news/paypal-resumes-neo900-sources-again">last
+ communication</a> we noted that <q><strong>Neo900 is the only
+ phone that provides a hardware protection from remote
+ activation of the baseband chip</strong></q>.</p>
+
+ <p id="anchor-gta0x">In fact, the
+ <a href="#note-gta0x"><strong>GTA0x</strong> design</a> contains
+ two unique features:
+ <ul>
+ <li>the modem is detached from the power source, unlike other
+ smartphones, so that the modem has to be authorized by
+ the <abbr>CPU</abbr> before it can perform its tasks.</li>
+ <li>the modem and the <abbr>CPU</abbr> <strong>do not share
+ <abbr title="Random Access Memory">RAM</abbr>, which
+ prevents a whole range of attack vectors where a rogue
+ baseband chip, either by design, by "lawful" or illegal
+ action, could take control of memory segments pertaining to
+ other subsystems and inject malicious code.</li>
+ </ul>
+ Neo900 takes advantage of this and incorporates circuitry to
+ give the <abbr>CPU</abbr> the capacity to monitor:
+ <ul>
+ <li>the modem access to power and its consumption</li>
+ <li>the activity of the modem antenna</li>
+ <li>the activation of the
+ <abbr title="Global Positioning System">GPS</abbr>
+ part of the modem</li>
+ <li>other interfaces (e.g., digital
+ <abbr title="Pulse-Code Modulation">PCM</abbr> audio</li>
+ </ul>
+ </p>
+
+ <p>Therefore this vulnerability that potentially plagues most
+ commercial phones on the planet, won't affect Neo900 like it
+ will other devices. In other designs where RAM is shared and a
+ rogue modem can access the power supply at will, the attack
+ surface is infinitely larger, and exploiting a vulnerability
+ such as the <abbr>ASN.1</abbr> bug will grant access to the
+ whole system.</p>
+
+ <p>But with Neo900, only a rare combination of hardware
+ vulnerability in the <abbr title="Universal Serial
+ Bus">USB</abbr> connecting the modem to the <abbr>CPU</abbr>,
+ and a software vulnerability would have a remote chance to do
+ that. As long as there's no proprietary vulnerable binary blobs
+ in the Neo900 <abbr title="Application Processor
+ Environment">APE</abbr>, the chance of a modem bug bubbling up
+ to the rest of the system without a way to control it and fix
+ it in software remains null.</p>
+
+ <p>Our exclusive Neo900 design is more valuable than ever!</p>
+
+ <p>Thank you for your attention,</p>
+
+ <p>&ndash; hellekin for the Neo900 team</p>
+
+ <p>P.S.: Feedback is welcome! Did you enjoy reading this post?
+ What else should it have covered? What do you want to read in the
+ news? You can tell me: hellekin at neo900 dot org, or in the
+ comments.</p>
+
+ <p id="note-gta0x" class="footnote">Footnote: from Openmoko Neo
+ 1973 and FreeRunner, to Golden Delicious GTA04 and maybe the
+ upcoming Pyra, and of course Neo900, GTA0x design supports modem
+ separation, although not power separation in Neo 1973
+ (GTA01). <a href="#anchor-gta0x" title="back to text">^^</a></p>
+
+</body>
+</html>
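Review bot: the markup in the GTA0x features paragraph is not well-formed: the `<strong>` opened in `+ <li>the modem and the <abbr>CPU</abbr> <strong>do not share` has no matching `</strong>`, so bold leaks into the rest of the page, and the two `<ul>` lists are placed inside `<p id="anchor-gta0x">`, which HTML does not allow (the parser will implicitly close the `<p>` at the first `<ul>`, leaving the final `+ </p>` stray and the "Neo900 takes advantage of this..." sentence outside any paragraph). Suggest closing `</strong>` after `RAM</abbr>`, ending the paragraph before the first list, and wrapping the "Neo900 takes advantage..." text in its own `<p>`, keeping the `id="anchor-gta0x"` on the first paragraph so the footnote back-link still resolves. Smaller points: `+ <li>other interfaces (e.g., digital` is missing its closing parenthesis after `PCM</abbr> audio`; the `<!-- pelican??? -->` comment on the charset meta reads like a leftover question and should be resolved or dropped; and the `<meta name="description">` says "Neo900 is not vulnerable" while the body itself concedes that a software bug plus a USB-side hardware bug could still reach the system, so wording it as "the Neo900 application processor is isolated from the ASN.1 bug" would match the text more precisely.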