06-29, 11:00–12:00 (US/Eastern), Grand Salon
IBM i (a.k.a. AS/400, iSeries, etc.) is a vertically integrated platform implementing revolutionary features such as an object-oriented operating system, single-level storage and an architecture-independent development environment. The performance and reliability of the system made IBM i a crucial component of several critical infrastructure providers such as telecommunication companies and financial institutions. The unique features of IBM i are underpinned by hardware-assisted memory tagging, allowing the translator (IBM i's "integrated compiler") to embed critical security checks inside the program objects it generates.
In this talk we show how this architecture (released in 1988!) implements a form of control flow integrity not only to protect its applications but also to keep its security guarantees at Security Level 40. For this research we extended PowerPC support in Ghidra to cover IBM's proprietary POWER-AS instruction set and object serialization protocol. These developments allow us to show how the system operates at the RISC instruction level, below the Machine Interface. Of course we plan to share these analysis tools with the community as well. Aside from showing that the implemented security scheme is in fact robust, we will also demonstrate an (admittedly convoluted) memory-corruption-based exploit on IBM i to inspire the community to do further research on this platform.
High-level outline:
- Introducing the Platform
- An Object-Oriented Operating System
- Single-Level Store
- Machine Interface
- Security levels
- Reversing Tools
- Parsing Saved Program Objects
- Extending Ghidra's Processor Module for POWER-AS
- Dynamic Analysis - System Service Tools
- Memory Safety
- Calling Convention
- Memory Corruption on IBM i
- Memory Tagging
- Typed Pointers
- Segment Boundary Enforcement
- Memory Corruption Exploitation on IBM i
Bálint Varga-Perke is a founder of Silent Signal, where he serves as an IT security expert. Since 2010 he has been performing penetration tests in over a dozen countries for major companies from sectors including finance, healthcare and government. His research focuses on reverse engineering and finding vulnerabilities in widely used software, with a compulsive focus on security products. He is a contributor to the latest CIS Benchmark for IBM i, and works on documenting the security features of the platform at the RISC level.