Researchers from the company NCC Group published recently the results of the Zephyr project audits, which is a real-time operating system (RTOS), designed to equip devices according to the concept of "Internet of things" (IoT). Zephyr is being developed with the participation of Intel.
Zephyr provides a single virtual address space for all processes global shared (SASOS, Single Address Space Operating System). Application-specific code is combined with a kernel tailored for a specific application and forms a monolithic executable file to download and run on certain computers.
All system resources are determined at the compilation stage, which reduces the size of the code and increases productivity. Only the kernel features that are required to run the application can be included in the system image.
It is noteworthy that among the main advantages Zephyr mentioned development with an eye on safety. It is argued that All stages of development go through the mandatory stages of confirm code security: fuzzy testing, static analysis, penetration testing, code review, backdoor deployment analysis, and threat modeling.
About vulnerabilities
The audit revealed 25 vulnerabilities in Zephyr and 1 vulnerability in MCUboot. In total, they were identified 6 vulnerabilities in the network stack, 4 in the kernel, 2 in the command shell, 5 in the system call handlers, 5 in the USB subsystem and 3 in the firmware update mechanism.
Two problems were assigned a critical hazard level, two: high, 9 moderate, 9 - low and 4 - to take into account. Problems critical affect the IPv4 stack and the MQTT parser, while whatDangerous ones include USB mass storage and USB DFU drivers.
At the time of information disclosure, fixes were prepared for only the 15 vulnerabilities more dangerous, there are still issues that have been resolved, leading to a denial of service or related failure of mechanisms for additional kernel protection.
A remotely exploited vulnerability has been identified in the platform's IPv4 stack, which leads to memory corruption when ICMP packets modified in a certain way are processed.
Another serious problem was found in the MQTT protocol parser, qIt is caused by the lack of proper verification of the length of the fields in the header and can lead to remote code execution. Less dangerous denial of service issues are found in the IPv6 stack and CoAP protocol implementation.
Other problems can be exploited locally to cause denial of service or code execution at the kernel level. Most of these vulnerabilities are related to the lack of proper checks of the arguments of the system calls, and can lead to the writing and reading of arbitrary areas of the kernel memory.
The issues also cover the system call processing code itself - accessing a negative system call number leads to an integer overflow. ANDThe kernel also identified problems in implementing ASLR protection (address space randomization) and the mechanism for installing canary labels on the stack, rendering these mechanisms ineffective.
Many issues affect the USB stack and individual drivers. For example, a problem in USB mass storage allows you to cause a buffer overflow and run code at the kernel level when you connect the device to a controlled USB attacking host.
The vulnerability in USB DFU, a driver for downloading new firmware via USB, allows you to load a modified firmware image into the internal Flash of a microcontroller without using encryption and bypassing the secure boot mode with component digital signature verification. In addition, the MCUboot open bootloader code was studied, in which a non-dangerous vulnerability was found that could lead to a buffer overflow when using Simple Management Protocol (SMP) via UART.