Oxide and Friends

Another LPC55 ROM Vulnerability


Oxide and Friends Twitter Space: April 4th, 2022

We've been holding a Twitter Space weekly on Mondays at 5p for about an hour. Even though it's not (yet?) a feature of Twitter Spaces, we have been recording them all; here is the recording for our Twitter Space for April 4th, 2022.

In addition to Bryan Cantrill and Adam Leventhal, our special guest was Laura Abbott.

Other speakers on April 4th included Ian, jasonbking, Todd Gamblin?, Ben ?, MattSci and Evan?. (Did we miss your name and/or get it wrong? Drop a PR!)

Some of the topics we hit on, in the order that we hit them:

  • Jonathan Goldstein's Heavyweight podcast
  • Oxide and Friends podcast
    • transistor.fm launch point, has links to Spotify, Google, Amazon etc players
  • Laura did talk about the first LPC55 vulnerability in the May 3, 2021 space, but the recording for that day missed it.
    • Laura Abbott (30 April, 2021) Exploiting Undocumented Hardware Blocks in the LPC55S69 write-up
      • And DEF CON talk with Rick Altherr
  • @4:01 Today's topic: Laura Abbott (23 March 2022) Another vulnerability in the LPC55S69 ROM write-up
    • How do you brick a chip?
  • @7:20 The spreadsheet, ROM patch after boot
    • Company dismisses or downplays vulnerabilities
    • Sees CVEs as optional??
  • @15:19 CVEs as more software focused. What does a CVE for hardware even mean?
    • NXP doesn't want to open their software
  • "Even though we are not believers in security by obscurity, the product specific ROM code is not open to external parties except for approved test labs for vulnerability reviews"
  • @19:43 The story of the current vulnerability
    • Ghidra
  • @27:26 Picking apart the code
    • Bounds checks, writing outside the bounds of the buffer
    • DICE by Trusted Computing Group
    • Request for Discussion
    • Evaluating potential chips when building a product
  • @41:09 Secure hardware, work around potential pitfalls
    • Open source would help
  • @45:37 Disclosed to NXP, more receptive this time
    • Discussion on HN
    • @54:21 Security review industry
  • @57:11 Ian: building up your own (open) documentation on LPC55?
  • @1:01:31 Jason: questionable definitions of "open" source
    • Access to source as building confidence in the product
  • @1:05:20 Todd: securing supply chain for code in large scale projects with lots of contributors
    • Vulnerabilities can occur so easily
  • @1:08:54 Ben: custom setups abound. Hard to trust a whole stack of assembled pieces
  • @1:12:16 Matt: what is the ROM doing? Assembly or C? Could the provider's hands be tied as far as releasing proprietary code?
  • @1:17:19 Jason: X.509 parsing as a good place to look for vulnerabilities?
  • @1:18:25 Evan: encouragement around fuzzing X.509
  • Next time: more tales from the bringup lab!

If we got something wrong or missed something, please file a PR! Our next Twitter space will likely be on Monday at 5p Pacific Time; stay tuned to our Twitter feeds for details. We'd love to have you join us, as we always love to hear from new speakers!

Oxide and Friends, by Oxide Computer Company