The talk “QNX: 99 Problems but a Microkernel ain’t one!” was part of the Troopers conference in Heidelberg, 16 March 2016. It was given by the researchers Alex Plaskett and Georgi Geshev from MWR Labs, the research department of the UK-based cyber security consultancy MWR InfoSecurity.
The talk provided an overview of the research on the architecture and security mechanisms of the QNX kernel, with a focus on the BlackBerry 10 operating system. It was divided into two parts. First, Alex Plaskett gave an introduction to the general structure of the QNX operating system and introduced its main subsystems. Second, Georgi Geshev presented tools and approaches for exploiting vulnerabilities in the QNX system.
QNX is a widely deployed microkernel operating system for embedded devices. You can find QNX in many safety- and security-critical systems such as power plants and air traffic control systems. QNX is also used in medical devices and automobiles. For the purpose of this research the BlackBerry 10 platform was used. Despite the wide deployment of the QNX operating system, little public security research exists. At this point only a handful of CVEs had been published, most of them about insecure permissions and kernel issues. To counteract such weaknesses the developers have implemented hardening measures like ASLR.
To look for security issues, Alex Plaskett examined the internal architecture of the QNX microkernel. The operating system is a very compact system designed around a strict separation of processes and their privileges. This leads to high fault tolerance and a reduced attack surface. Alex Plaskett focused his research especially on the QNX path manager, the QNX resource manager and the QNX message passing system. One peculiarity of QNX is the Persistent Publish/Subscribe system (PPS), which provides additional inter-process communication features but also introduces additional attack surface.
Afterwards Alex Plaskett presented an approach to abuse the QNX message passing system and PPS to attack the kernel. For that purpose he reverse engineered the PPS message format and used a malicious process to fuzz PPS messages.
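To make the "malicious process fuzzing PPS messages" idea concrete, here is a minimal mutation fuzzer, written for this summary and not taken from the talk or from MWR's tooling. It relies only on the documented PPS object format (an `@object` line followed by `attribute:encoding:value` lines, where the encoding is empty for strings, `n` for numbers, `b` for booleans or `json`). The function names `pps_format`, `pps_mutate` and `pps_publish`, the mutation strategies and the target path `/pps/services/example/control` are all assumptions made for the example; on a real QNX target the path would be whatever object the subscriber under test listens on.

```c
/* Added example: a minimal, reproducible mutation fuzzer for PPS attribute
 * messages. Not from the talk or MWR; function names, strategies and the
 * default target path are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <fcntl.h>
#include <unistd.h>

/* Build one well-formed PPS message (QNX PPS object format):
 *   @object\n
 *   attribute:encoding:value\n
 * encoding is "" (string), "n" (number), "b" (boolean) or "json".
 * Returns the message length, or -1 if it does not fit in cap bytes. */
int pps_format(char *buf, size_t cap, const char *obj, const char *attr,
               const char *enc, const char *val)
{
    int n = snprintf(buf, cap, "@%s\n%s:%s:%s\n", obj, attr, enc, val);
    if (n < 0 || (size_t)n >= cap) return -1;   /* truncated: refuse */
    return n;
}

/* xorshift32 PRNG: deterministic, so a case that crashes a subscriber can be
 * reproduced from its seed alone. */
static uint32_t rnd(uint32_t *s)
{
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x;
}

/* Mutate a well-formed message in place and return the new length.
 * Strategies target the structure of the format rather than random bytes:
 * the ':' delimiters, the encoding tag and the value length. */
size_t pps_mutate(char *buf, size_t len, size_t cap, uint32_t seed)
{
    uint32_t s = seed ? seed : 1;               /* xorshift must not start at 0 */
    switch (rnd(&s) % 4) {
    case 0: {                                   /* flip one bit somewhere */
        size_t i = rnd(&s) % len;
        buf[i] ^= (char)(1u << (rnd(&s) % 8));
        break;
    }
    case 1: {                                   /* extra ':' confuses the attr/enc/value split */
        if (len + 1 >= cap) break;
        size_t i = rnd(&s) % len;
        memmove(buf + i + 1, buf + i, len - i);
        buf[i] = ':';
        len++;
        break;
    }
    case 2: {                                   /* oversized value: pad with 'A' up to cap-1 bytes */
        if (cap - 1 <= len) break;
        memset(buf + len - 1, 'A', cap - 1 - len);   /* overwrite the final '\n' and grow */
        buf[cap - 2] = '\n';
        len = cap - 1;
        break;
    }
    case 3:                                     /* truncate: drop the newline and some tail bytes */
        if (len > 2) len = rnd(&s) % (len - 1) + 1;
        break;
    }
    return len;
}

/* Publish a message by writing it to a PPS object path (on QNX, PPS objects
 * live under /pps; the exact path is an assumption). Returns bytes written or -1. */
ssize_t pps_publish(const char *path, const char *msg, size_t len)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, msg, len);
    close(fd);
    return w;
}

int main(int argc, char **argv)
{
    /* assumed target object; pass the real one as argv[1] */
    const char *path = argc > 1 ? argv[1] : "/pps/services/example/control";
    char buf[256];
    for (uint32_t seed = 1; seed <= 1000; seed++) {
        int len = pps_format(buf, sizeof buf, "control", "cmd", "", "start");
        if (len < 0) return 1;
        size_t mlen = pps_mutate(buf, (size_t)len, sizeof buf, seed);
        /* log the seed before publishing so a subscriber crash can be replayed */
        fprintf(stderr, "seed %u len %zu\n", seed, mlen);
        if (pps_publish(path, buf, mlen) < 0) { perror(path); return 1; }
    }
    return 0;
}
```

The point of logging the seed before each write is that a crash in a subscribing process is only useful if the exact input can be regenerated; with the deterministic PRNG, `pps_mutate` with the same seed on the same base message always yields the same bytes.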
The talk was continued by Georgi Geshev. His part dealt with the firmware analysis and the technical details of the research. He started by describing the tools used and how to acquire the firmware. Besides the publicly available resources, the tool Sachesi was used to extract the firmware from the BlackBerry PlayBook. For further analysis a custom ARM image was created and booted in QEMU. The QNX debugging agent QCONN provides only limited shell access and visibility. An information leak vulnerability was used to gain additional debugging capabilities. Tools like GDB and the QNX kernel debugger KDEBUG were used for further investigation.
The result was an overview of the kernel security architecture, a deeper look into the memory layout of the kernel and an overview of the kernel syscalls.
Finally Georgi Geshev presented some vulnerabilities in the inter-process communication system. He crashed a process and used a process of his own to receive and send messages on behalf of the crashed process. Using this technique it was possible to perform arbitrary read and write operations on the kernel. In total they found two exploitable bugs, which will be fixed in future releases.
Although there were some bugs, Georgi Geshev came to the conclusion that QNX is indeed a robust OS and, because of the limited debugging visibility, hard to exploit in practice.
The slides for the presentation can be found at https://labs.mwrinfosecurity.com/publications/99/ .
See you at TROOPERS17