His research focuses on IoT/IoV security and system security, with particular interest in
real-world attack surfaces and exploitation paths in embedded and automotive systems. As a
serial entrepreneur, he is deeply passionate about cybersecurity technology and 3D printing.
IsolatOS: Detecting Double Fetch Bugs in COTS RTOS by Re-enabling Kernel Isolation
Double-fetch vulnerabilities arise when the kernel repeatedly retrieves data from user-space memory
without ensuring consistency between the successive data fetches. This issue is especially severe
in Real-Time Operating Systems (RTOS), where strict timing requirements limit the use of synchronization
mechanisms like mutexes, thus favoring low-latency memory access at the cost of security. Most current
detection techniques use static source code analysis, which cannot be applied to commercial off-the-shelf
(COTS) RTOS with proprietary kernels. Dynamic methods that employ heuristic time-window thresholds
to detect repeated cross-boundary memory accesses are used instead. However, these methods often produce
a high number of false positives due to overly broad pattern recognition and lead to significant emulation
overhead. We introduce IsolatOS, a hardware-supported detection method that utilizes kernel isolation
features to spot cross-boundary memory accesses that indicate double-fetch vulnerabilities. The main
difficulty lies in enforcing isolation boundaries transparently, without causing crashes in the RTOS,
while keeping overhead low. IsolatOS overcomes this by first implementing dynamic instrumentation
that intercepts privileged accesses to user memory and records metadata about each access. Exception
recovery techniques then uphold system stability during fault handling. At the post-execution stage, causal
analysis examines violation traces to differentiate between legitimate dual accesses and exploitable
double fetches. Evaluations across QNX, VxWorks, and seL4 demonstrate the efficiency of IsolatOS: a 70×
reduction in runtime overhead compared to the emulation-based approach, and the identification of 42 unique
vulnerabilities (39 vendor-confirmed, 2 CVEs assigned). These results validate that hardware-assisted kernel
isolation is a viable paradigm for double-fetch detection in COTS RTOS environments. We also demonstrate the
real-world impact of our findings in automotive systems by exploiting them.
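The following is an added illustration of the bug class and analysis the abstract describes, written for this page and not taken from IsolatOS or any of the evaluated kernels. It simulates a syscall handler that reads a user-controlled length field, an instrumented fetch that logs every privileged read of user memory, and a post-execution pass that separates a benign dual access from a double fetch whose value changed between check and use; the `racer` hook standing in for a concurrent user thread, and all names and values, are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
/* Constructed simulation, not IsolatOS code: a user message, a fetch stub that logs
 * each privileged read of user memory, and a post-execution analysis of the log. */
struct user_msg { uint32_t len; uint8_t data[64]; };
struct fetch_event { const void *addr; uint32_t value; };
static struct fetch_event trace[16];
static int n_events;
static struct user_msg msg;            /* the shared "user-space" page */
static void (*racer)(void);            /* hypothetical concurrent user thread */
/* Stand-in for copy_from_user(): log (address, value), then let the simulated
 * user thread run, as it could between two real fetches. */
static uint32_t fetch_u32(const uint32_t *uptr) {
    uint32_t v = *uptr;
    if (n_events < 16) trace[n_events++] = (struct fetch_event){ uptr, v };
    if (racer) racer();
    return v;
}

/* Vulnerable: len is fetched for the check, then fetched again for the use. */
static int handler_double_fetch(const struct user_msg *um, uint8_t *out, size_t cap) {
    if (fetch_u32(&um->len) > cap) return -1;
    size_t n = fetch_u32(&um->len);     /* may no longer equal the checked value */
    memcpy(out, um->data, n); return (int)n;
}
/* Hardened: one fetch; the kernel-held copy serves both the check and the use. */
static int handler_single_fetch(const struct user_msg *um, uint8_t *out, size_t cap) {
    size_t n = fetch_u32(&um->len);
    if (n > cap) return -1;
    memcpy(out, um->data, n); return (int)n;
}

/* Causal analysis over the trace: 0 = no address fetched twice, 1 = dual access
 * with identical values (benign), 2 = values differed between fetches (exploitable). */
static int analyze_trace(void) {
    int worst = 0;
    for (int i = 0; i < n_events; i++)
        for (int j = i + 1; j < n_events && worst < 2; j++)
            if (trace[i].addr == trace[j].addr)
                worst = trace[i].value != trace[j].value ? 2 : 1;
    return worst;
}
static void flip_len(void) { msg.len = 48; }   /* racer: grow len after a fetch */
/* Run one handler against msg (len 8, cap 16) and return the handler's result. */
static int scenario(int hardened, int with_race) {
    uint8_t out[64];
    n_events = 0; msg.len = 8; racer = with_race ? flip_len : NULL;
    return hardened ? handler_single_fetch(&msg, out, 16)
                    : handler_double_fetch(&msg, out, 16);
}
```

With the race active, the double-fetch handler copies 48 bytes past a 16-byte cap and the trace shows the same address with two different values, while the single-fetch handler logs one access and stays within the cap.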
Talks
Xcon 2025
Automotive USB interface vulnerabilities
USB is a common interface in cars, and under certain specific circumstances, attackers may have physical
access to this port. So, can the USB interface actually be exploited by attackers? What makes such
a simple interface vulnerable? In this presentation, we will share some known USB vulnerabilities
from major automotive manufacturers and delve into the root causes behind these security flaws.