Closed chadbrewbaker closed 2 years ago
@ryber what would it take for megacorp to contribute an Oak spec of their small utility vehicle with the touch screen accessory? If this takes off I could see the FCC/NTSB mandating Oak specs on all major vehicle manufacturers.
@nstarke same for your megacorp. How much work to get an auditable manifest of firmware and systems code for one of their data center switches?
Modulo broken hardware (Spectre) and broken authentication (not securing AWS S3 buckets) - there are two common classes of application vulnerabilities: shotgun parsers (Shellshock/ImageTragick/Heartbleed) and code able to make system calls that should have no business making system calls.
Where in this project does it focus on:
1) Formal parser verification
2) Auditing extraneous system calls
3) Corollary of #2, ensuring production builds strip unused code: i.e. https://rajanvaja.wordpress.com/2017/06/09/gcc-gc-sections-to-remove-unused-code-and-data/
4) Corollary of #1 - red-listing binaries like device drivers, "trusted" vendor applications, and firmware that we don't have source for.
5) A manifest of all the FCC IDs for the system under audit. Example documents filed on the latest iPhone: https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=LIPMngH3Ytx5KhiIxRdq4A%3D%3D&fcc_id=BCG-E3309A
For Oak to be meaningful it should document a concrete system like the stock Linux container for https://colab.research.google.com . See https://github.com/chadbrewbaker/AwesomeColab for my rough notes. You can use the same tricks as LambCI for vacuuming up binaries for local analysis: https://github.com/lambci/docker-lambda/blob/master/base/dump-python38.py
Also get a third party data center like LightEdge to spec everything on a commodity vendor server rack. Blame for the oligopoly of Google/FB/MS/AWS on hyperscale server data centers that led to anti-trust hearings this week needs to be placed squarely on vendors. In 2020 you should be able to buy an auditable firmware hyperscale server rack with a DC power bus that you just connect the network, air/water flow, and electric.
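An added example, not part of the original issue or of the Oak project: one way to do the audit in item 2, flagging system calls a component has no business making, by comparing a trace against an allowlist. The `strace -f -o` log format as input, the sample trace, the `thumbnailer` binary and the allowlist are all assumptions constructed for illustration.

```python
import re

# A syscall entry in `strace -f -o` output: optional PID column, then "name(".
# Signal lines ("--- SIGCHLD ... ---"), exit lines ("+++ exited ... +++") and
# "<... read resumed>" continuations do not match, so a call split across an
# unfinished/resumed pair is counted once, at its entry line.
CALL = re.compile(r"^(?:(\d+)\s+)?([a-z_][a-z0-9_]*)\(")

# Constructed sample trace (not captured from a real system).
SAMPLE_TRACE = """
4242 execve("/usr/bin/thumbnailer", ["thumbnailer", "in.png"], 0x7ffd0 /* 12 vars */) = 0
4242 openat(AT_FDCWD, "in.png", O_RDONLY) = 3
4242 read(3,  <unfinished ...>
4243 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
4242 <... read resumed>"PNG"..., 4096) = 4096
4243 connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
4242 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4243} ---
4242 write(1, "ok", 2) = 2
4242 close(3) = 0
4242 exit_group(0) = ?
4242 +++ exited with 0 +++
"""

# Hypothetical allowlist: what an image converter should need, nothing more.
ALLOWED = frozenset({"execve", "openat", "read", "write", "close", "exit_group"})


def syscalls_by_pid(trace):
    """Map each syscall name seen in the trace to the set of PIDs that made it."""
    seen = {}
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if m:
            # Traces taken without -f have no PID column; record "-" instead.
            seen.setdefault(m.group(2), set()).add(m.group(1) or "-")
    return seen


def audit(trace, allowed=ALLOWED):
    """Return {syscall: sorted PIDs} for every syscall outside the allowlist."""
    return {name: sorted(pids)
            for name, pids in syscalls_by_pid(trace).items()
            if name not in allowed}


if __name__ == "__main__":
    for name, pids in sorted(audit(SAMPLE_TRACE).items()):
        print(f"unexpected syscall {name} from pid(s) {', '.join(pids)}")
```

The same allowlist can later be turned into an enforcement policy; the audit step only establishes which calls the component really makes.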