Attacking VxWorks: From Stone Age to Interstellar presented at SyScan360 2015

by Zhenhua Liu and Yannick Formaggio

Summary: VxWorks is the world's most widely-used real-time operating system deployed in embedded systems. Its market reach spans all safety-critical fields, including the Mars Curiosity rover, the Boeing 787 Dreamliner, and network routers, to name a few. The safety-critical nature of these applications makes VxWorks security a major concern.
Our team has conducted a thorough security analysis of VxWorks, including its supported network protocols and OS security mechanisms. We will present the tool we developed for VxWorks assessment. The main goal of our tool is to provide effective penetration testing by implementing the WdbRPC protocol in Python. To show its effectiveness, we are going to reveal some of the bugs we discovered along the way.
Last but not least, since version 6, VxWorks has introduced many memory protection techniques, including buffer overrun/underrun detection, heap block overrun detection, interrupt vector table protection, null pointer dereference detection, and so on.
We will present one of the vulnerabilities we found, which neatly bypasses these mitigations.
A quick Internet scan shows that at least 100k devices running VxWorks are connected to the Internet. Considering the popularity of VxWorks in the age of IoT, this issue will have a widespread impact.