Skip to main content

Broken Encapsulation, how hacking is really just finding ways to play middle man to component systems.

The annual black hat and defcon conferences are well known events where hackers and crackers of all types of systems come together to demonstrate their latest "exploits". These range from ways to snoop data or voice off of open cell or wifi networks to ways to modify the function of various hardware systems. In this years Defcon conference a team of hackers introduced some exploits of the computer systems inside a modern automobile. You can see a video of some of their results here, the interesting thing about hacking though that goes beyond the FUD generation that the media seems intent on producing by publishing such stories is that they aren't really that surprising.

Engineering systems is about learning to cleverly use abstractions and functional encapsulation to built extremely complex systems. In object oriented programming the concepts of encapsulation are a fundamental aspect of good OO design principles and I've written extensively on these ideas in posts in the past. Exploitation in the physical realm of hardware systems is realized by breaking the encapsulation of the physical components of the system (in this case a car) and then introducing a middle man to modulate the system directly or remotely. When one sees them this way it really is no surprise that they are possible, in OO programming the encapsulation layers are hidden behind layers of code abstractions that never present themselves for manipulation by outside agents. In software only the interface presented to the end user affords the possibility of an input  vector for committing some exploit (for example cross site scripting and validation attacks) but these offer a very small attack surface and one that can be readily fixed by software engineers once discovered.

Hardware is a bit different, most of the components in your car or tv or computer are directly accessible by you simply with the aid of a screw driver in many cases, you can break through the layers of physical encapsulation that otherwise would mask the interfaces you are presented from your ability to change the deeper components that present the functions in those interfaces. So it is in this exploit where the hackers had to gain physical access to the various control computers in the car in order to hijack and modulate their inputs and outputs...this type of broken encapsulation affords an attack surface that is not fixed as it is in a software UI where access to chop down behind the interface is not provided outside of the functional buttons, fields, drop downs provided by the engineers.

The attack surface for physical devices can be expanded by third party access...the breaking of the contracts of encapsulation that enable component based systems of hardware to function creates vulnerabilities for modulation of the interaction of those components...this should make perfect sense and should not be seen as a flaw in the design of the systems. A car computer should not necessarily have to be more protected from external access than they currently are by the physical barriers of the car that keeps them hidden and to expect that car companies build them such that such systems are impervious to access can be done but will come quite literally at a higher cost.

Links:

https://en.wikipedia.org/wiki/Object-oriented_programming

http://sent2null.blogspot.com/2008/02/objects-abstractions-symmetry-and-pop.html

http://sent2null.blogspot.com/2008/04/avoiding-de-spaghettification-in-client.html

http://sent2null.blogspot.com/2008/02/on-origins-of-comlexity-in-life.html

http://sent2null.blogspot.com/2008/03/another-late-night-and-building-with.html

http://sent2null.blogspot.com/2013/01/is-core-principle-that-guides-evolution.html

https://en.wikipedia.org/wiki/DEF_CON

Comments

Popular posts from this blog

On the idea of "world wide mush" resulting from "open" development models

A recent article posted in the Wall Street Journal posits that the collectivization of various types of goods or services created by the internet is long term a damaging trend for human societies.

http://online.wsj.com/article/SB10001424052748703481004574646402192953052.html

I think that the author misses truths that have been in place that show that collectivization is not a process that started with the internet but has been with us since we started inventing things.

It seems that Mr. Lanier is not properly defining the contexts under which different problems can benefit or suffer from collectivization. He speaks in general terms of the loss of the potential for creators to extract profit from their work but misses that this is and was true of human civilization since we first picked up a rock to use as a crude hammer. New things make old things obsolete and people MUST adapt to what is displaced (be it a former human performance of that task or use of an older product) so as to main…

Highly targeted Cpg vaccine immunotherapy for a range of cancer

Significance?


This will surely go down as a seminal advance in cancer therapy. It reads like magic:

So this new approach looks for the specific proteins that are associated with a given tumors resistance to attack by the body's T cells, it then adjusts those T cells to be hyper sensitive to the specific oncogenic proteins targeted. These cells become essentially The Terminator​ T cells in the specific tumor AND have the multiplied effect of traveling along the immune pathway of spreading that the cancer many have metastasized. This is huge squared because it means you can essentially use targeting one tumor to identify and eliminate distal tumors that you many not even realize exist.

This allows the therapy for treating cancer to, for the first time; end the "wack a mole" problem that has frustrated traditional shot gun methods of treatment involving radiation and chemotherapy ...which by their nature unfortunately damage parts of the body that are not cancer laden but …

Engineers versus Programmers

I have found as more non formally trained people enter the coding space, the quality of code that results varies in an interesting way.

The formalities of learning to code in a structured course at University involve often strong focus on "correctness" and efficiency in the form of big O representations for the algorithms created.

Much less focus tends to be placed on what I'll call practical programming, which is the type of code that engineers (note I didn't use "programmers" on purpose) must learn to write.

Programmers are what Universities create, students that can take a defined development environment and within in write an algorithm for computing some sequence or traversing a tree or encoding and decoding a string. Efficiency and invariant rules are guiding development missions. Execution time for creating the solution is often a week or more depending on the professor and their style of teaching code and giving out problems. This type of coding is devo…