12,740 research outputs found

    InternalBlue - Bluetooth Binary Patching and Experimentation Framework

    Bluetooth is one of the most established technologies for short range digital wireless data transmission. With the advent of wearables and the Internet of Things (IoT), Bluetooth has again gained importance, which makes security research and protocol optimizations imperative. Surprisingly, there is a lack of openly available tools and experimental platforms to scrutinize Bluetooth. In particular, system aspects and close to hardware protocol layers are mostly uncovered. We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread in off-the-shelf devices. Thus, we offer deep insights into the internal architecture of a popular commercial family of Bluetooth controllers used in smartphones, wearables, and IoT platforms. Reverse engineered functions can then be altered with our InternalBlue Python framework---outperforming evaluation kits, which are limited to documented and vendor-defined functions. The modified Bluetooth stack remains fully functional and high-performance. Hence, it provides a portable low-cost research platform. InternalBlue is a versatile framework and we demonstrate its abilities by implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we discover a novel critical security issue affecting a large selection of Broadcom chipsets that allows executing code within the attacked Bluetooth firmware. We further show how to use our framework to fix bugs in chipsets out of vendor support and how to add new security features to Bluetooth firmware

    Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces

    Embedded devices are becoming more widespread, interconnected, and web-enabled than ever. However, recent studies showed that these devices are far from being secure. Moreover, many embedded systems rely on web interfaces for user interaction or administration. Unfortunately, web security is known to be difficult, and therefore the web interfaces of embedded systems represent a considerable attack surface. In this paper, we present the first fully automated framework that applies dynamic firmware analysis techniques to achieve, in a scalable manner, automated vulnerability discovery within embedded firmware images. We apply our framework to study the security of embedded web interfaces running in Commercial Off-The-Shelf (COTS) embedded devices, such as routers, DSL/cable modems, VoIP phones, IP/CCTV cameras. We introduce a methodology and implement a scalable framework for discovery of vulnerabilities in embedded web interfaces regardless of the vendor, device, or architecture. To achieve this goal, our framework performs full system emulation to achieve the execution of firmware images in a software-only environment, i.e., without involving any physical embedded devices. Then, we analyze the web interfaces within the firmware using both static and dynamic tools. We also present some interesting case-studies, and discuss the main challenges associated with the dynamic analysis of firmware images and their web interfaces and network services. The observations we make in this paper shed light on an important aspect of embedded devices which was not previously studied at a large scale. We validate our framework by testing it on 1925 firmware images from 54 different vendors. We discover important vulnerabilities in 185 firmware images, affecting nearly a quarter of vendors in our dataset. These experimental results demonstrate the effectiveness of our approach

    Design and manufacturing of a Selective Laser Sintering test bench to test sintering materials

    The goal of this project is to design and build a prototype of a recoating system for a laser cutting machine to turn it into a selective laser sintering printing machine. This prototype will be used to study new sintering materials and to design, if decided, an SLS 3D printing machine (Selective Laser Sintering). This project has been developed in the installations of, and funded by, Fundació CIM. The project develops the mechanical design and the electronic system design. Both parts are explained in this paper, so new users can use the machine and can understand the system. With this paper, it is expected that it can be improved in the future to test other parameters and configurations. The paper is divided into three basic blocks that are summed up here: The first block is an introduction to the 3D printing technologies. The most used of them are explained and selective laser sintering is explained in depth. With this block the reader can understand why it is important to develop the SLS technology and what has to be done to improve the machines and the technology. The second block is a discussion of the mechanical design of the machine. The general idea of the machine is explained so the user can understand why the machine is designed in this way. After that, each part is detailed to see how the different mechanical challenges were overcome. At the end of the block, there is a small calculations section needed for the electronic part. The third block is an extensive explanation of the electronic system that controls and moves the machine. In that block, the different components are explained so the user can understand their basic working principles. It is also explained how the selection of the electronic components was done. Then everything is put together to see the whole electronic system. Along with this paper, there are annexes that provide some extra information for the reader. One of these annexes refers to the mechanical part and the other one has some datasheets and coding for the electronic section. The whole design has been done in SOLIDWORKS CAD software and its electric extension ELECWORKS. The programming job was done with the Arduino compiler

    The STAR MAPS-based PiXeL detector

    The PiXeL detector (PXL) for the Heavy Flavor Tracker (HFT) of the STAR experiment at RHIC is the first application of the state-of-the-art thin Monolithic Active Pixel Sensors (MAPS) technology in a collider environment. Custom built pixel sensors, their readout electronics and the detector mechanical structure are described in detail. Selected detector design aspects and production steps are presented. The detector operations during the three years of data taking (2014-2016) and the overall performance exceeding the design specifications are discussed in the conclusive sections of this paper

    State of Alaska Election Security Project Phase 2 Report

    Alaska’s election system is among the most secure in the country, and it has a number of safeguards other states are now adopting. But the technology Alaska uses to record and count votes could be improved, and the state’s huge size, limited road system, and scattered communities also create special challenges for insuring the integrity of the vote. In this second phase of an ongoing study of Alaska’s election security, we recommend ways of strengthening the system: not only the technology but also the election procedures. The lieutenant governor and the Division of Elections asked the University of Alaska Anchorage to do this evaluation, which began in September 2007. Lieutenant Governor Sean Parnell. State of Alaska Division of Elections. List of Appendices / Glossary / Study Team / Acknowledgments / Introduction / Summary of Recommendations / Part 1 Defense in Depth / Part 2 Fortification of Systems / Part 3 Confidence in Outcomes / Conclusions / Proposed Statement of Work for Phase 3: Implementation / Reference

    A 96-Channel FPGA-based Time-to-Digital Converter

    We describe an FPGA-based, 96-channel, time-to-digital converter (TDC) intended for use with the Central Outer Tracker (COT) in the CDF Experiment at the Fermilab Tevatron. The COT system is digitized and read out by 315 TDC cards, each serving 96 wires of the chamber. The TDC is physically configured as a 9U VME card. The functionality is almost entirely programmed in firmware in two Altera Stratix FPGA's. The special capabilities of this device are the availability of 840 MHz LVDS inputs, multiple phase-locked clock modules, and abundant memory. The TDC system operates with an input resolution of 1.2 ns. Each input can accept up to 7 hits per collision. The time-to-digital conversion is done by first sampling each of the 96 inputs in 1.2-ns bins and filling a circular memory; the memory addresses of logical transitions (edges) in the input data are then translated into the time of arrival and width of the COT pulses. Memory pipelines with a depth of 5.5 μs allow deadtime-less operation in the first-level trigger. The TDC VME interface allows a 64-bit Chain Block Transfer of multiple boards in a crate with transfer-rates up to 47 Mbytes/sec. The TDC also contains a separately-programmed data path that produces prompt trigger data every Tevatron crossing. The full TDC design and multi-card test results are described. The physical simplicity ensures low-maintenance; the functionality being in firmware allows reprogramming for other applications. Comment: 32 pages, 13 figure

    A 3-D Track-Finding Processor for the CMS Level-1 Muon Trigger

    We report on the design and test results of a prototype processor for the CMS Level-1 trigger that performs 3-D track reconstruction and measurement from data recorded by the cathode strip chambers of the endcap muon system. The tracking algorithms are written in C++ using a class library we developed that facilitates automatic conversion to Verilog. The code is synthesized into firmware for field-programmable gate-arrays from the Xilinx Virtex-II series. A second-generation prototype has been developed and is currently under test. It performs regional track-finding in a 60 degree azimuthal sector and accepts 3 GB/s of input data synchronously with the 40 MHz beam crossing frequency. The latency of the track-finding algorithms is expected to be 250 ns, including geometrical alignment correction of incoming track segments and a final momentum assignment based on the muon trajectory in the non-uniform magnetic field in the CMS endcaps. Comment: 7 pages, 5 figures, proceedings for the conference on Computing in High Energy and Nuclear Physics, March 24-28 2003, La Jolla, Californi

    FlashCam: a fully-digital camera for the medium-sized telescopes of the Cherenkov Telescope Array

    The FlashCam group is currently preparing photomultiplier-tube based cameras proposed for the medium-sized telescopes (MST) of the Cherenkov Telescope Array (CTA). The cameras are designed around the FlashCam readout concept which is the first fully-digital readout system for Cherenkov cameras, based on commercial FADCs and FPGAs as key components for the front-end electronics modules and a high performance camera server as back-end. This contribution describes the progress of the full-scale FlashCam camera prototype currently under construction, as well as performance results also obtained with earlier demonstrator setups. Plans towards the production and implementation of FlashCams on site are also briefly presented. Comment: 8 pages, 6 figures. In Proceedings of the 34th International Cosmic Ray Conference (ICRC2015), The Hague, The Netherlands. All CTA contributions at arXiv:1508.0589

    Optimization on fixed low latency implementation of GBT protocol in FPGA

    In the upgrade of ATLAS experiment, the front-end electronics components are subjected to a large radiation background. Meanwhile high speed optical links are required for the data transmission between the on-detector and off-detector electronics. The GBT architecture and the Versatile Link (VL) project are designed by CERN to support the 4.8 Gbps line rate bidirectional high-speed data transmission which is called GBT link. In the ATLAS upgrade, besides the link with on-detector, the GBT link is also used between different off-detector systems. The GBTX ASIC is designed for the on-detector front-end, correspondingly for the off-detector electronics, the GBT architecture is implemented in Field Programmable Gate Arrays (FPGA). CERN launches the GBT-FPGA project to provide examples in different types of FPGA. In the ATLAS upgrade framework, the Front-End LInk eXchange (FELIX) system is used to interface the front-end electronics of several ATLAS subsystems. The GBT link is used between them, to transfer the detector data and the timing, trigger, control and monitoring information. The trigger signal distributed in the down-link from FELIX to the front-end requires a fixed and low latency. In this paper, several optimizations on the GBT-FPGA IP core are introduced, to achieve a lower fixed latency. For FELIX, a common firmware will be used to interface different front-ends with support of both GBT modes: the forward error correction mode and the wide mode. The modified GBT-FPGA core has the ability to switch between the GBT modes without FPGA reprogramming. The system clock distribution of the multi-channel FELIX firmware is also discussed in this paper