Show notes
Oxide and Friends Twitter Space: April 4th, 2022Another LPC55 ROM VulnerabilityWe've been holding a Twitter Space weekly on Mondays at 5p for about an hour. Even though it's not (yet?) a feature of Twitter Spaces, we have been recording them all; here is the recording for our Twitter Space for April 4th, 2022.In addition to Bryan Cantrill and Adam Leventhal, our special guest was Laura Abbott.Other speakers on April 4th included Ian, jasonbking, Todd Gamblin?, Ben ?, MattSci, jasonbking and Evan?. (Did we miss your name and/or get it wrong? Drop a PR!)Some of the topics we hit on, in the order that we hit them:Jonathan Goldstein's Heavyweight podcastOxide and Friends podcasttransistor.fm launch point, has links to Spotify, Google, Amazon etc playersLaura did talk about the first LPC55 vulnerability in the May 3, 2021 space, but the recording for that day missed it.Laura Abbott (30 April, 2021) Exploiting Undocumented Hardware Blocks in the LPC55S69 write-upAnd DEF CON talk with Rick Altherr@4:01 Today's topic: Laura Abbott (23 March 2022) Another vulnerability in the LPC55S69 ROM write upHow do you brick a chip?@7:20 The spreadsheet, ROM patch after bootCompany dismisses or downplays vulnerabilitiesSees CVEs as optional??@15:19 CVEs as more software focused. What does a CVE for hardware even mean?NXP doesn't want to open their software"Even though we are not believers in security by obscurity, the product specific ROM code is not open to external parties except for approved test labs for vulnerability reviews"@19:43 The story of the current vulnerabilityGhidra@27:26 Picking apart the codeBounds checks, writing outside the bounds of the bufferDICE by Trusted Computing GroupRequest for DiscussionEvaluating potential chips when building a product@41:09 Secure hardware, work around potential pitfallsOpen source would help@45:37 Disclosed to NXP, more receptive this timeDiscussion on HN@54:21 Security review industry@57:11 Ian: building up your own (open) documentation on LPC55?@1:01:31 Jason: questionable definitions of "open" sourceAccess to source as building confidence in the product@1:05:20 Todd: securing supply chain for code in large scale projects with lots of contributorsVulnerabilities can occur so easily@1:08:54 Ben: custom setups abound. Hard to trust a whole stack of assembled pieces@1:12:16 Matt: what is the ROM doing? Assembly or C? Could the provider's hands be tied as far as releasing proprietary code?@1:17:19 Jason: X.509 parsing as a good place to look for vulnerabilities?@1:18:25 Evan: encouragement around fuzzing X.509Next time: more tales from the bringup lab!If we got something wrong or missed something, please file a PR! Our next Twitter space will likely be on Monday at 5p Pacific Time; stay tuned to our Twitter feeds for details. We'd love to have you join us, as we always love to hear from new speakers!