Zenoh Protocol Security Analysis
Zenoh is a communication protocol designed to efficiently facilitate data exchange, storage, and computation across diverse computing environments — from powerful servers in data centers to resource-constrained microcontrollers in IoT devices. Its primary objective is to enable seamless integration and operation of systems throughout the entire cloud-to-microcontroller continuum, overcoming limitations inherent to existing protocols that frequently create isolated "connectivity islands."
Given the critical nature of network protocols and technology infrastructures, it is essential to thoroughly analyze and comprehend Zenoh's security architecture. This article provides a security analysis of the Zenoh protocol, specifically within an automotive sector context, examining scenarios where data traverses nodes outside the direct control and trust boundaries of the OEM. The analysis leverages a lightweight threat modeling approach, accounting for adversaries with varying levels of access and capabilities. Additionally, the article includes a focused case study of a compromised router scenario, uncovering a security gap within Zenoh stemming from its current lack of support for End-to-End Encryption (E2EE).
Introducing Janus: a hierarchical multi-blockchain access control system for policy based access to shared resources
It is very often the case that critical data or critical devices are co-managed by stakeholders from different domains. Any access to such resources should ideally be transparent to all stakeholders involved, and the access itself should comply with any policies set by the resource owner(s). However, this is not what usually happens in today's systems.
Securing the building blocks of embedded software
Embedded systems are special purpose systems that cover a wide range of applications, from home electronics and industrial control systems, to medical devices and avionics. The remote management & telemetry features of the so called "Internet of Things" family of embedded devices, have made them quite popular and their placement is almost ubiquitous. From a security standpoint, embedded software is not that different to software found in other domains. However, the criticality of its operation, its exposure on public networks, but also its security limitations make it a very attractive target for attackers. This article presents an overview of the building blocks of today's embedded software, analyses inherent weaknesses in the way this software is built and deployed, and highlights recent developments in the handling of the relevant risk.
Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027)
CENSUS has been investigating for some time now the exploitation potential of Man-in-the-Disk (MitD) [01] vulnerabilities in Android. Recently, CENSUS identified two such vulnerabilities in the popular WhatsApp messenger app for Android [34]. The first of these was possibly independently reported to Facebook and was found to be patched in recent versions, while the second one was communicated by CENSUS to Facebook and was tracked as CVE-2021-24027 [33]. As both vulnerabilities have now been patched, we would like to share our discoveries regarding the exploitation potential of such vulnerabilities with the rest of the community.