What is ASLR and how did it get owned? And we take an in-depth look at the Blackmagic Micro Cinema cameras in our first part of building your own streaming studio.
Let's start with the problem: pwning computers is too easy.
Time jump back to the 90s
* Every time your computer OS loads, it goes into the same, predictable memory cells.
* Programs tend to load into contiguous cells
This makes it VERY easy to exploit your OS
* I find a way to write to memory that I shouldn't be writing to... typically with a buffer overrun.
* If I know where I'm writing, and I know what's in the next contiguous cells, then I can fool the OS into OVERWRITING those cells.
* If those cells are the cells that are being used to EXECUTE code, then I can make the OS run anything I want
Time jump forward to 2001
* Researchers start looking at ways to make it more difficult to use simple buffer overruns to take over an OS
* The Linux PaX project offers a kernel patch that implements kernel stack randomization
* Rather than writing to contiguous memory cells, ASLR uses random memory locations
* This makes it more difficult for an attacker to simply use a buffer overflow to overwrite the program he wants to exploit.
Effect of ASLR
* OS can still get pwned, but it's more difficult
* With ASLR, there's no guarantee as to where you're writing in memory, or where in memory is the program you want to hijack.
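A way to see this effect on a Linux box, as an added example that is not from the show or from any project mentioned here: it compares where the stack, heap, libc and the program itself start in /proc/<pid>/maps across runs. The two sample listings and the /opt/demo/legacy path are constructed, and the example goes slightly beyond the notes by showing that a binary not built as position-independent keeps a fixed address even with ASLR on.

```python
import subprocess

# Constructed /proc/<pid>/maps excerpts from two runs of a hypothetical non-PIE binary.
RUN_A = """\
00400000-00401000 r-xp 00000000 08:01 131 /opt/demo/legacy
01c3e000-01c5f000 rw-p 00000000 00:00 0 [heap]
7f3a1c200000-7f3a1c228000 r--p 00000000 08:01 977 /usr/lib/libc.so.6
7ffd5b1e0000-7ffd5b201000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """\
00400000-00401000 r-xp 00000000 08:01 131 /opt/demo/legacy
0092d000-0094e000 rw-p 00000000 00:00 0 [heap]
7fb6e8a00000-7fb6e8a28000 r--p 00000000 08:01 977 /usr/lib/libc.so.6
7ffc0d4a7000-7ffc0d4c8000 rw-p 00000000 00:00 0 [stack]
"""


def region_bases(maps_text):
    """Map each region of interest to the lowest address it starts at."""
    bases = {}
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # anonymous mapping, no name to classify
        start, name = int(fields[0].split("-")[0], 16), fields[5]
        if name in ("[stack]", "[heap]"):
            key = name.strip("[]")
        elif "libc" in name:
            key = "libc"
        elif name.startswith("/") and "exe" not in bases:
            key = "exe"  # assumption: first file-backed mapping is the program
        else:
            continue
        bases[key] = min(start, bases.get(key, start))
    return bases


def moved_between_runs(runs):
    """For each region, True if its base address differed across the runs."""
    seen = {}
    for text in runs:
        for key, base in region_bases(text).items():
            seen.setdefault(key, set()).add(base)
    return {key: len(addrs) > 1 for key, addrs in seen.items()}


if __name__ == "__main__":
    print("constructed sample:", moved_between_runs([RUN_A, RUN_B]))
    with open("/proc/sys/kernel/randomize_va_space") as f:
        print("randomize_va_space =", f.read().strip())  # 0 off, 1 no heap, 2 full
    live = [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                           text=True).stdout for _ in range(5)]
    print("this host:", moved_between_runs(live))
```

A region that reports False on the live run is one an attacker can still find at a predictable address.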
What just happened
* VUSec is a group of Dutch security researchers
* They figured out a way to defeat ASLR by exploiting the "Memory Management Unit"
- The MMU keeps a "page table" of where everything is stored in memory
- The placement of data in the memory cells is random, but the CPU uses the MMU as a map
- A copy of that map is kept in the CPU cache to speed processing
* VUSec figured out a way to use that cached copy to find the offsets: (DeRandomizing the randomization)
Here's how it works:
* A program isn't allowed to READ from cache, but it can (needs to be able to) WRITE to cache
* This exploit does as follows:
1. Measure the baseline response time of the processor
2. Write to a single cell of CPU cache
3. Measure the response time of the processor
4. Compare the response time against the baseline response
** Rinse and Repeat
* If the processor gets slower to respond, it's most likely b/c the cell contained some of the page table.
* Since you overwrote the page table, the CPU needs to get a fresh copy from main memory, which slows the processor
** Do this enough times, and you can figure out where the code is executed in memory.
* You shouldn't be allowing JS at all
* Very hard to mitigate b/c it's a hardware problem
* Most of the proposed mitigations involve playing with CPU response time to fool the malware, but that means we're giving up some of the performance.
Blackmagic Design Micro Cinema ~$1000
* It's an action-camera format, but with the quality and flexibility of a cinema-style camera
* It's for those who want a quality camera, but don't want to risk a $50k rig
* Active Micro Four-Thirds Lens Mount (Can use focus/iris control with the proper lenses)
* Super 16mm sensor
* Internal stereo omnidirectional mic + 3.5mm Audio In
* Buttons for Record, Play, Rewind, Forward, Menu and Power
* SDHC/SDXC Memory Card Slot
* HDMI Out
* Uses Canon Batteries
* Expansion Port with Radio Control leads
- LANC (Logic Application Control Bus)
- Video Out
- 4 Analog PWM (Perfect for quadcopters)
- 18 channel S.Bus controls (for Futaba transmitters)
That's the hardware... let's talk about the specs
* 13 Stops of Dynamic Range (A stop up is doubling, a stop down is halving)
* Records in CinemaDNG RAW or Apple ProRes 422 at 220Mbps
- 1080p 23.98 / 24 / 25 / 29.97 / 30 / 50 / 59.94 / 60
Blackmagic Design Micro Studio Camera 4K ~$1300
* For those who want 4K quality in places where larger format 4K cameras won't fit
* For DSLR users who don't want to switch up their workflow
* For Studio Use
* Sensor size: 13.056mm x 7.322mm
* Active MFT mount (supports focus and iris control on supported lenses)
* 1 SDI Input (1.5G, 3G, 6G)
* 1 SDI Output (1.5G, 3G, 6G) (Supports control through SDI)
* 1 HDMI Output
* Integrated stereo mic + Mic In
* Expansion Port
- PTZ Output
- B4 Lens Control
* Resolutions: 3840 x 2160 (4k) & 1920 x 1080 (1080)
- 4k @ 23.98 / 24 / 25 / 29.97 / 30
- 1080 @ 23.98 / 24 / 25 / 29.97 / 30 / 50 / 59.94 / 60 / 50(i) / 59.94(i) / 60(i)
Connect with us!
- Don't forget to check out our large library of projects at https://twit.tv/shows/know-how.
- Join our Google+ Community.
- Tweet at us at @PadreSJ, @Cranky_Hippo, and @Anelf3.
Thanks to CacheFly for the bandwidth for this show.