An Azure Sphere Security Breakdown, part 2/???
The Azure Sphere platform is Microsoft's current attempt at standardizing IoT security; with a custom SoC and a fork of the mainline Linux kernel, it's among the more novel IoT devices we've examined. Even trivial tasks such as executing injected shellcode in process memory or connecting to an unknown IP address are prohibited, and are considered security issues on this platform.
After a previous 3-month Microsoft-official "Azure Sphere Security Research Challenge" last year, which resulted in us finding 16 vulnerabilities and an escalation chain (An Azure Sphere Security Breakdown, Part 1), we decided to take another look at Azure Sphere and discovered six more bugs: two in Linux proper and four in Azure Sphere.
Taking one of our info leaks in Linux and one of the kernel code execution bugs in Azure Sphere, we successfully wrote an exploit to fully escalate within the Linux Normal World (without the aid of a kernel debugger on the device).
In this talk we examine the newer vulnerabilities and demonstrate the kernel exploit. Furthermore, we discuss the post-kernel exploit attack surface, how to interact with Pluton and Security Monitor, and assorted aspects of the system that can't really be examined without having kernel code execution.