Skip to main content

Broken Encapsulation, how hacking is really just finding ways to play middle man to component systems.

The annual black hat and defcon conferences are well known events where hackers and crackers of all types of systems come together to demonstrate their latest "exploits". These range from ways to snoop data or voice off of open cell or wifi networks to ways to modify the function of various hardware systems. In this years Defcon conference a team of hackers introduced some exploits of the computer systems inside a modern automobile. You can see a video of some of their results here, the interesting thing about hacking though that goes beyond the FUD generation that the media seems intent on producing by publishing such stories is that they aren't really that surprising.

Engineering systems is about learning to cleverly use abstractions and functional encapsulation to built extremely complex systems. In object oriented programming the concepts of encapsulation are a fundamental aspect of good OO design principles and I've written extensively on these ideas in posts in the past. Exploitation in the physical realm of hardware systems is realized by breaking the encapsulation of the physical components of the system (in this case a car) and then introducing a middle man to modulate the system directly or remotely. When one sees them this way it really is no surprise that they are possible, in OO programming the encapsulation layers are hidden behind layers of code abstractions that never present themselves for manipulation by outside agents. In software only the interface presented to the end user affords the possibility of an input  vector for committing some exploit (for example cross site scripting and validation attacks) but these offer a very small attack surface and one that can be readily fixed by software engineers once discovered.

Hardware is a bit different, most of the components in your car or tv or computer are directly accessible by you simply with the aid of a screw driver in many cases, you can break through the layers of physical encapsulation that otherwise would mask the interfaces you are presented from your ability to change the deeper components that present the functions in those interfaces. So it is in this exploit where the hackers had to gain physical access to the various control computers in the car in order to hijack and modulate their inputs and outputs...this type of broken encapsulation affords an attack surface that is not fixed as it is in a software UI where access to chop down behind the interface is not provided outside of the functional buttons, fields, drop downs provided by the engineers.

The attack surface for physical devices can be expanded by third party access...the breaking of the contracts of encapsulation that enable component based systems of hardware to function creates vulnerabilities for modulation of the interaction of those components...this should make perfect sense and should not be seen as a flaw in the design of the systems. A car computer should not necessarily have to be more protected from external access than they currently are by the physical barriers of the car that keeps them hidden and to expect that car companies build them such that such systems are impervious to access can be done but will come quite literally at a higher cost.

Links:

https://en.wikipedia.org/wiki/Object-oriented_programming

http://sent2null.blogspot.com/2008/02/objects-abstractions-symmetry-and-pop.html

http://sent2null.blogspot.com/2008/04/avoiding-de-spaghettification-in-client.html

http://sent2null.blogspot.com/2008/02/on-origins-of-comlexity-in-life.html

http://sent2null.blogspot.com/2008/03/another-late-night-and-building-with.html

http://sent2null.blogspot.com/2013/01/is-core-principle-that-guides-evolution.html

https://en.wikipedia.org/wiki/DEF_CON

Comments

Popular posts from this blog

the attributes of web 3.0...

As the US economy continues to suffer the doldrums of stagnant investment in many industries, belt tightening budgets in many of the largest cities and continuous rounds of lay offs at some of the oldest of corporations, it is little comfort to those suffering through economic problems that what is happening now, has happened before. True, the severity of the downturn might have been different but the common factors of people and businesses being forced to do more with less is the theme of the times. Like environmental shocks to an ecosystem, stresses to the economic system lead to people hunkering down to last the storm, but it is instructive to realize that during the storm, all that idle time in the shelter affords people the ability to solve previous or existing problems. Likewise, economic downturns enable enterprising individuals and corporations the ability to make bold decisions with regard to marketing , sales or product focus that can lead to incredible gains as the economic ...

How many cofactors for inducing expression of every cell type?

Another revolution in iPSC technology announced: "Also known as iPS cells, these cells can become virtually any cell type in the human body -- just like embryonic stem cells. Then last year, Gladstone Senior Investigator Sheng Ding, PhD, announced that he had used a combination of small molecules and genetic factors to transform skin cells directly into neural stem cells. Today, Dr. Huang takes a new tack by using one genetic factor -- Sox2 -- to directly reprogram one cell type into another without reverting to the pluripotent state." -- So the method invented by Yamanaka is now refined to rely only 1 cofactor and b) directly generate the target cell type from the source cell type (skin to neuron) without the stem like intermediate stage.  It also mentions that oncogenic triggering was eliminated in their testing. Now comparative methods can be used to discover other types...the question is..is Sox2 critical for all types? It may be that skin to neuron relies on Sox2 ...

AgilEntity Architecture: Action Oriented Workflow

Permissions, fine grained versus management headache The usual method for determining which users can perform a given function on a given object in a managed system, employs providing those Users with specific access rights via the use of permissions. Often these permissions are also able to be granted to collections called Groups, to which Users are added. The combination of Permissions and Groups provides the ability to provide as atomic a dissemination of rights across the User space as possible. However, this granularity comes at the price of reduced efficiency for managing the created permissions and more importantly the Groups that collect Users designated to perform sets of actions. Essentially the Groups serve as access control lists in many systems, which for the variable and often changing environment of business applications means a need to constantly update the ACL’s (groups) in order to add or remove individuals based on their ability to perform cert...