GlobalSupervision: Ali Abbasi Start date: as soon as possible Duration: 6 month More details: [QNX 7.0 Architecture] [QNX Vault7]
QNX is a commercial, unix-like real-time operating system (RTOS) with POSIX support aimed primarily at the embedded market. Initially released in 1982 for the Intel 8088 and later acquired by BlackBerry. QNX forms the basis of BlackBerry OS and act as the basis of Cisco’s IOS-XR which is used in carrier-grade routers. QNX also dominates the automotive market and is found in millions of cars and is being deployed in highly sensitive embedded systems such as industrial automation PLCs, Unmanned Aerial Vehicles (UAVs), tactical military radios, turbine control systems and nuclear power-plants.
QNX Security History:
Most of the relatively scarce public research available on QNX security has been the byproduct of research into BlackBerry’s QNX-based mobile operating systems (BlackBerry OS 10) most of which has not focused on QNX itself. Curiously, a series of documents from the United States Central Intelligence Agency (CIA) obtained and released by WikiLeaks under the name ’Vault 7’ have shown interest on part of the CIA’s Embedded Development Branch (EDB) in targeting QNX.
Since no existing (public) research has evaluated QNX’s Micro-Kernel security, we will investigate the first qualitative evaluation of QNX 7.0 Micro-Kernel via Coverage-based fuzzing. The tasks that are to be solved includes:
- Familiarizing with QNX 7.0 Micro-Kernel and understanding QNX Message-based and Interprocess Communication.
- Integrating SYSSEC AFL-Based fuzzer to support message-based Micro-Kernel and essential userspace-based software of QNX 7.0.
- Integrating the similar approach to other message-based Micro-Kernel Based RTOSes (e.g. Integrity or a DO-178B certified OS).
The student is expected to be comfortable in reading assembly code as well as programming in a language suited for the task (e. g., C/C++, Python). Knowledge of AFL and IDA Pro is a plus.