Abstract

This presentation concerns a dissection of QNX: a proprietary,
real-time operating system aimed at the embedded market. QNX is used
in many sensitive and critical devices in different industry verticals
and dominates the automotive sphere. While some prior security
research has discussed QNX, mainly as a byproduct of BlackBerry mobile
research, there is no prior work on QNX exploit mitigations or its
secure random number generators.

This work seeks to address that gap by presenting the first
reverse-engineering and analysis of the exploit mitigations, secure
random number generators and memory management internals of QNX. We
dissect the NX / DEP, ASLR, Stack Cookies and RELRO mitigations as
well as the /dev/random and kernel PRNGs of QNX versions up to and
including QNX 6.6 and the brand new 64-bit QNX 7.0 released in March
2017.

We subsequently uncover a variety of design issues and vulnerabilities
in these mitigations and PRNGs which have significant implications for
the exploitability of memory corruption vulnerabilities on QNX as well
as the strength of its cryptographic ecosystem. Finally, we provide
information on available patches and hardening measures for
defenders seeking to harden their QNX-based systems against the
discussed issues.

Slides