project-oak / oak

Meaningful control of data in distributed systems.
Apache License 2.0

Parser and system call audit locations? #1311

Closed chadbrewbaker closed 2 years ago

chadbrewbaker commented 4 years ago

Modulo broken hardware (Spectre) and broken authentication (not securing AWS S3 buckets), there are two common classes of application vulnerabilities: shotgun parsers (Shellshock/ImageTragick/Heartbleed) and code able to make system calls that should have no business making system calls.

Where in this project does it focus on:

1) Formal parser verification
2) Auditing extraneous system calls
3) Corollary of #2, ensuring production builds strip unused code: i.e. https://rajanvaja.wordpress.com/2017/06/09/gcc-gc-sections-to-remove-unused-code-and-data/
4) Corollary of #1, red-listing binaries like device drivers, "trusted" vendor applications, and firmware that we don't have source for.
5) A manifest of all the FCC IDs for the system under audit. Example documents filed on the latest iPhone: https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=LIPMngH3Ytx5KhiIxRdq4A%3D%3D&fcc_id=BCG-E3309A

For Oak to be meaningful it should document a concrete system like the stock Linux container for https://colab.research.google.com. See https://github.com/chadbrewbaker/AwesomeColab for my rough notes. You can use the same tricks as LambCI for vacuuming up binaries for local analysis: https://github.com/lambci/docker-lambda/blob/master/base/dump-python38.py

Also get a third party data center like LightEdge to spec everything on a commodity vendor server rack. Blame for the oligopoly of Google/FB/MS/AWS on hyperscale server data centers that led to the antitrust hearings this week needs to be placed squarely on vendors. In 2020 you should be able to buy an auditable-firmware hyperscale server rack with a DC power bus that you just connect to the network, air/water flow, and electricity.

chadbrewbaker commented 4 years ago

@ryber what would it take for megacorp to contribute an Oak spec of their small utility vehicle with the touch screen accessory? If this takes off I could see the FCC/NTSB mandating Oak specs on all major vehicle manufacturers.

chadbrewbaker commented 4 years ago

@nstarke same for your megacorp. How much work to get an auditable manifest of firmware and systems code for one of their data center switches?