Savage points in particular to a vulnerability Santamarta highlighted in a version of the embedded operating system VxWorks, in this case customized for Boeing by Honeywell. Santamarta found that when an application asks to write to the underlying computer’s memory, the tailored operating system doesn’t properly check that it’s not instead overwriting the kernel, the most sensitive core of the operating system. Combined with several application-level bugs Santamarta found, that so-called parameter-check privilege escalation vulnerability represents a serious flaw, Savage argues, made more serious by the notion that VxWorks likely runs in many other components on the plane that might have the same bug.
“Every piece of software has bugs. But this is not where I’d like to find the bugs. Checking user parameters is security 101,” Savage says. “They shouldn’t have these kinds of straightforward vulnerabilities, especially in the kernel. In this day and age, it would be inconceivable for a consumer operating system to not check user pointer parameters, so I’d expect the same of an airplane.”
— Read on arstechnica.com/information-technology/2019/08/a-boeing-code-leak-exposes-security-flaws-deep-in-a-787s-guts/
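The missing check Savage describes, shown on a toy model as an added example (not code from the article, VxWorks, or Honeywell): a service call that writes to a caller-supplied destination, first without validating it and then with an overflow-safe range check. The memory layout and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy flat address space, constructed for illustration (not a real layout):
 * offsets [0, USER_END) belong to the application, the rest to the kernel. */
#define MEM_SIZE 64u
#define USER_END 32u
static uint8_t mem[MEM_SIZE];

void reset_mem(uint8_t kernel_fill)
{
    memset(mem, 0, USER_END);
    memset(mem + USER_END, kernel_fill, MEM_SIZE - USER_END);
}

/* Returns 1 if any kernel byte differs from the expected fill value. */
int kernel_modified(uint8_t expect)
{
    for (size_t i = USER_END; i < MEM_SIZE; i++)
        if (mem[i] != expect) return 1;
    return 0;
}

/* Hypothetical service call with no parameter check on the destination. */
int svc_write_unchecked(size_t dst, const void *src, size_t len)
{
    if (dst >= MEM_SIZE || len > MEM_SIZE - dst)
        return -1;              /* keeps the demo in bounds; not a privilege check */
    memcpy(&mem[dst], src, len);
    return 0;
}

/* True only if [dst, dst+len) lies wholly inside the user region.
 * Written as a subtraction so that dst + len can never wrap around. */
int user_range_ok(size_t dst, size_t len)
{
    return dst <= USER_END && len <= USER_END - dst;
}

int svc_write_checked(size_t dst, const void *src, size_t len)
{
    if (!user_range_ok(dst, len))
        return -1;              /* reject before touching memory */
    memcpy(&mem[dst], src, len);
    return 0;
}
```

The check validates the whole range rather than only the start address, so a write that begins in user memory and runs past its end is rejected as well.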