Know How...

Feb 16th 2017

Know How... 287

Streaming Studio Part 1: Cameras

What is ASLR, and the perfect cameras for your own studio.
New episodes every Thursday at 2:00pm Eastern / 11:00am Pacific / 18:00 UTC.
Category: Help & How To

What is ASLR and how did it get owned? And we take an in-depth look at the Blackmagic Micro Cinema cameras in our first part of building your own streaming studio.


Let's start with the problem: pwning computers is too easy.

Time jump back to the 90s 
* Every time your computer OS loads, it goes into the same, predictable memory cells. 
* Programs tend to load into contiguous cells

This makes it VERY easy to exploit your OS
* I find a way to write to memory that I shouldn't be writing to... typically with a buffer overrun.
* If I know where I'm writing, and I know what's in the next contiguous cells, then if I can fool the OS to OVERWRITING those cells.
* If those cells are the cells that are being used to EXECUTE code, then I can make the OS run anything I want

Time jump forward to 2001
* Researchers start looking at ways to make it more difficult to use simple buffer overruns to take over an OS
* The Linux PaX project offers a kernel patch that implements kernel stack randomization
* Rather that writing to contiguous memory cells, ASLR uses random memory locations
* This makes it more difficult for an attacker to simply use a buffer overflow to overwrite the program he wants to exploit.

Effect of ASLR
* OS can still get pwned, but it's more difficult
* With ASLR, there's no guarantee as to where you're writing in memory, or where in memory is the program you want to hijack.

What just happened
* VUSec is a group of Dutch security researchers
* They figured out a way to defeat ASLR by exploiting the "Memory Managment Unit"
 - The MMU keeps a "page table" of where everything is stored in memory
 - The placement of data in the memory cells is random but the CPU used the MMU as a map
 - A copy of that map is kept in the CPU cache to speed processing
* VUSec figured out a way to use that cached copy to find the offsets: (DeRandomizing the randomization)

Here's how it works:
* A program isn't allowed to READ from cache, but it can (needs to be able to) WRITE to cache
* This exploit does as follows:
 1. Measure the baseline response time of the processor
 2. Write to a single cell of CPU cache
 3. Measure the response time of the processor
 4. Compare the response time against the baseline response
  ** Rinse and Repeat
* If the processor response time drops, it's most likely b/c the cell contained some of the page table.
* Since you overwrote the page table, the CPU needs to get a fresh copy from main memory, which slows the processor

** Do this enough times, and you can figure out where the code is executed in memory.

* This exploit can be done with JavaScript
* You shouldn't be allowing JS at all
* Very hard to mitigate b/c it's a hardware problem
* Most of the proposed mitigations involve playing with CPU response time to fool the malware, but that means we're giving up some of the performance.


Blackmagic Design URSA Mini 4K (EF Mount)    ~$2950    
Blackmagic Design URSA Mini 46K    ~$4950    

Blackmagic Design Micro Cinema    ~$1000    
Design Philosophy        
* It's an action-camera format, but with the quality and flexibility of a cinema-style camera        
* It's for those who want a quality camera, but don't want to risk a $50k rig        
* Active Micro Four-Thirds Lens Mount (Can use focus/iris control with the proper lenses)        
* Super 16mm sensor        
* Internet stereo omnidirection + 3.5mm Audio In        
* Buttons for Record, Play, Rewind, Forward, Menu and Power        
* SDHC/SDXC Memory Card Slot        
* HDMI Out        
* Uses Canon Batteries        
* Expansion Port with Radio Control leads        
 - power        
 - LANC (Logic Application Control Bus)        
 - Video Out        
 - genlock        
 - 4 Analog PWM (Perfect for quadcopters)        
 - 18 channel S.Bus controls (for futaba transmitters)        
That's the hardware... let's talk about the specs        
* 13 Stops of Dynamic Range (A stop up is doubling, a stop down is halving)        
* Records in CinemaDNG RAW or Apple ProRes 422 at 220Mbps        
 - 1080p 23.98 / 24 / 25 / 29.97 / 30 / 50/ 5994 / 60        
Blackmagic Design Micro Studio Camera 4K    ~$1300    
Design Philosophy        
* For those who want 4K quality in places where larger format 4K cameras won't fit        
* For DSLR users who don't want to switch up their workflow        
* For Studio Use        
* Sensor size: 13.056mm x 7.322mm        
* Active MFT mount (supports focus and iris control on supporten lenses)        
* 1 SDI Input (1.5g 3g, 6g)        
* 1 SDI Output (1.5g 3g, 6g) (Supports control thorough SDI)        
* 1 HDMI Output        
* Integrated stereo mic + Mic In        
* Talkback        
* Expansion Port        
 - Power         
 - LANC        
 - S.Bus        
 - PTZ Output        
 - B4 Lens Control        
 - Genlock        
* Resolutions: 3840 x 2160 (4k) & 1920 x 1080 (1080)        
 - 4k @ 23.98 / 24 / 25 / 29.97 / 30        
 - 1080 @ 23.98 / 24 / 25 / 29.97 / 30 / 50 / 59.94 / 60 / 50(i) / 59.94(i) / 60(i)       

Connect with us!

Thanks to CacheFly for the bandwidth for this show.