The one about MIPS that you probably didn’t see…
Wave Computing Open Sources MIPS R6
You’ve likely heard the exciting news this week, Wave Computing in coming months will open source the latest MIPS core, the MIPS R6 core will join early open sourced MIPS cores. So far this millennium, 8.5 billion MIPS-based chips and counting have shipped according to folks at Wave Computing. I am old enough to remember and young enough to recall, when MIPS was the “arm” of IoT; which was many years before Kevin Ashton coined the term IoT. This is exciting and good news for the MIPS core fandom.
All cybersecurity blogs have rules; and rule #1, for each nice story, you must have an obligatory not so nice story. This next bit keeps our equation balanced, luckily I stumbled onto one or two tweets – not even Slashdot picked this one up. The team at Cyber-ITL.org have identified some serious problems with the Linux/MIPS platform. This story deserves some recognition, especially since the majority of those 8.5 billion cores shipped this millennium are likely running Linux.
The defects are not with Linux, nor with MIPS; but the platform combination. And these types of doors are the type we all thought had been shut long ago. As it turns out, they have remained open on Linux/MIPS, when no one was looking.
A Way to Run Code on the Stack
The first door allows attackers to run code on a stack. What’s a stack? A stack is region of memory used to hold temporary data used for tracking the state of an application that is running. Decades ago, attackers found it was quite easy to sneak and execute code into an application through buffer overflows on the stack. A simple fix was created to stop this attack by marking stack space as no execution allowed; data execution prevention (DEP). The tools used to build applications for MIPS are not always building applications correctly to mark stack space as a no execution allowed zone; so the fix is for the tools to mark the stack space appropriately under all conditions (Note: LLVM marks correctly for cross compilation builds, but has an issue for on-target – it has to be a silly bug).
Attackers Can Leverage FPU Kernel Capabilities of Linux
The second door is much more difficult door to close, or perhaps not. The second door relates to the Linux kernel emulating a Floating Point Unit (FPU). As much as CPUs love 1s and 0s, FPUs love the numbers between 1s and 0s; known as floats (think fractions). Floating-point arithmetic in software is very slow, so FPUs do this hard math in hardware — greatly improving performance. Not all MIPS cores are created equal, some will have different FPU instructions – to smooth out these difference, Linux kernel has slick feature to emulate those missing instructions making it easier for compiler and library developers to do their job. As we know, memory that can be written and executed is big problem. In this emulation code requires a page of memory (4096 bytes or more) that can be used as temporary storage for reads and writes. And you are correct this same page of memory can be executed as well, which makes it a great for attackers to use as well. But this may not be big problem, for vast majority of IoT devices FPUs are unused; therefore, this slick feature can be removed. For developers, a small tip, consider fixed point arithmetic for those rare square root of two moments; easy to convert to big integers for minding your Ps & Qs.
If you want a very satisfying headache, check out the kernel mail list thread on “MIPS: Allow FPU emulator to use non-stack area.” And of course, coders on Linux/MIPS, must check out Cyber ITL’s article. A core tenet of Dellfer, all software defects, including malicious kinds can be corrected, once identified.
Some time ago, I stumbled upon the term “Heisenbug.” What a perfect name for a bug! If you’re a coder, be forewarned this article may