
Remember this thread? twitter.com/DanielMicay/st This exploit chain is a great example of what I was talking about there: defcon.org/html/defcon-27 blade.tencent.com/en/advisories/ Compare this to 's early research exploiting Broadcom Wi-Fi where the firmware had full control.
Quote Tweet
How does GrapheneOS defend against attacks on the cellular baseband, Wi-Fi baseband or other firmware / hardware? reddit.com/r/GrapheneOS/c By carefully choosing hardware targets since the OS is only part of what matters. OS mostly just needs to avoid screwing up IOMMU isolation.
They needed an exploit to compromise the Wi-Fi firmware, followed by a privilege escalation exploit to gain full control over the modem ("WLAN firmware is integrated into the Modem subsystem as an isolated userspace process") and then a kernel exploit to get control of the OS.
Additionally, take note of "multiple mitigations on Qualcomm baseband, including DEP, stack protection, heap cookie, system call constraint, etc.". This is not the case for most competing basebands. You get this isolation and hardening with a Qualcomm SoC, not so much elsewhere.