Intel 4004
Before going deeper into the analysis of today’s chips, we will take a quick journey to where it all began: the Intel 4004, world’s first widely-used microprocessor. The 4004 and most other antiquated chips differ from modern chips in two main characteristics: They only use a single type of transistor (PMOS or NMOS) and each logic gate is custom-designed to best utilize the available area — an inevitable optimization for chips built from transistors about 150x larger than those used in their modern descendants. Each of the gates is composed…
Updated PCI Standards: Flexibility, Clarity and Common Sense 2.0
The Payment Card Industry Data Security Standards (PCI DSS) are a set of 12 requirements that merchants and their business partners are expected to follow to ensure the safety of cardholder data. Authored by the PCI Security Standards Council-an independent consortium of representatives from the major credit card brands-the PCI DSS covers data management, information technology, encryption, physical security, legal agreements, and business operations. When these standards were updated from version 1.1 to version 1.2, 30 changes were introduced to the existing requirements.
QNX ker_msg_sendv System Call Integer Overflow
Discovered: 10.30.08. Reported: 10.30.08. Disclosed: 10.31.08. QNX’s ker_msg_sendv() system call contains an integer overflow that could lead to heap corruption and, if correctly exploited, system compromise. If only partially exploited, this could lead to denial-of-service conditions and kernel panic, effectively shutting down the system.
DNS TXT Record Parsing Bug in LibSPF2
Reported: 10.20.08. Disclosed: 10.21.08. Researchers discovered a relatively common bug that parses TXT records delivered over DNS-dating back at least to 2002 in Sendmail 8.2.0 and almost certainly much earlier-in LibSPF2. This library retrieves Sender Policy Framework (SPF) records and applies policy according to those records. This implementation flaw allows for relatively flexible memory corruption and should be treated as a path to anonymous remote code execution.
Diskimages-helper band-size Vulnerability
Reported to Vendor: 09.30.08. Patch Released: 04.29.09. CVE ID: CVE-2009-0150. A signed-to-unsigned conversion flaw exists in diskimages-helper when it reads the band-size parameter. When the value specified for the band-size key is changed to a negative number, the diskimages-helper process crashes when the user attempts to log in.
Reverse-Engineering Custom Logic (Part 1)
Today we are taking you one step deeper into a microchip than we usually go. We look at transistors and the logic functions they compose, which helps us understand custom ASICs now found in some secured processors. To reverse-engineer the secret functionality of an ASIC, we identify logic blocks, map out the wiring between the blocks, and reconstruct the circuit diagram. Today, we’ll only be looking at the first step: reading logic. And we start with the easiest example of a logic function: the inverter. To read logic, you first…
New Author: Herr Karsten Nohl!
We are proud to announce that those who enjoy reading the blog (which we apologize for the lack of content lately) can soon enjoy reading posts from Karsten Nohl as well. For those of you who are not familiar with Karsten, he played an important role in the discovery and analysis of the Crypto-1 mathematical algorithm found in Philips (NXP) Mifare RFID devices. He recently obtained his PhD from University of Virginia in the United States. He’s well known within the Chaos Computer Club (CCC) in Germany as well. We too…
Multiple Vulnerabilities in Apple’s MobileMe Service
Reported: 08.05.08. Patched: 11.06.08 Disclosed: 11.20.08. Apple’s MobileMe (me.com) web service contains several serious security vulnerabilities. The most critical vulnerability combines cross-site request forgery and cross-site scripting, and allows an attacker to access the service without a valid password.
Atmel AT91SAM7S Overview
Atmel produces a number of ARM based devices in their portfolio of products. We had one laying around the lab so here we go as usual… The device was a 48 pin QFP type package. We also purchased a sample of the other members of the family although the initial analysis was done on the AT91SAM7S32 part shown above. All pictures will relate to this specific part even though there is not a signifigant difference between the other members of this line except memory sizes. After decapsulating the die from…
Atmel CryptoMemory AT88SC153/1608 :: Security Alert
A “backdoor” has been discovered by Flylogic Engineering in the Atmel AT88SC153 and AT88SC1608 CryptoMemory. Before we get into this more, we want to let you know immediately that this backdoor only involves the AT88SC153/1608 and no other CryptoMemory devices. The backdoor involves restoring an EEPROM fuse with Ultra-Violet light (UV). Once the fuse bit has been returned to a ‘1’, all memory contents is permitted to be read or written in the clear (unencrypted). Normally in order to do so, you need to either authenticate to the device or…