Summary
The Command Dispatcher is susceptible to a Denial Of Service (DOS) attack where an adversary can cause an ASSERT if simultaneous commands are processed. The result will be a sigabort signal and the FSW will stop executing.
This issue was discovered by both internal JPL Cyber penetration testing and an external company called Vision Space.
Details
CommandDispatcherComponentBase::seqCmdBuff_handlerBase() is a handler base-class function for input port seqCmdBuff, which accepts command buffers and decodes them into commands. The ASSERT is triggered from the qStatus, which is responsible for a non-blocking queue that takes the serialized commands and the error status 8. qStatus is defined in QueueCommon.cpp and is used by the QueueCommon send() function which processes a non-blocking queue and returns the status code of bareSendNonBlock(). BareSendNonBlock() retrieves the BufferQueue object from the handle in line 76. It then calls queue.push() to insert the data into the queue (line 79), which his returning status is compared with the status code 8, used to indicate that the queue is full.
Vison Space has reported this issue as:
CWE-617 & CWE-453: Denial of Service on FSW via queue overflow
To resolve this issue, the Command Dispatcher FPP file to drop messages from the seqCmdBuff port:
async input port seqCmdBuff: [CmdDispatcherSequencePorts] Fw.Com drop
I successfully tested a prototype version of F' with this change. Commands sent were dropped and F' Core continued to execute without issues.
PoC
This issue is simple to reproduce. Simply send a series of CMD_NO_OP's with minimal delay between commands. When this is performed, the last F' function executed is CommandDispatcherComponentBase::seqCmdBuff_handerBase(). This function is executed before the check of the ASSERT.
Impact
This issue should be ranked as a SEVERE HIGH Cyber Vulnerability. Expoiting this vulnerability is trival and the result is any FSW what incoproates F' will cease to execute if an adversary exploits this vulnerability. At the very least this will result in a mission outage; however, an adversary exploited this vulnerability during a critical stage of the mission (ex: Mars Heli Flight or MSR landing sequence) then it would result in the loss of the spacecraft.
Summary
The Command Dispatcher is susceptible to a Denial Of Service (DOS) attack where an adversary can cause an ASSERT if simultaneous commands are processed. The result will be a sigabort signal and the FSW will stop executing.
This issue was discovered by both internal JPL Cyber penetration testing and an external company called Vision Space.
Details
CommandDispatcherComponentBase::seqCmdBuff_handlerBase() is a handler base-class function for input port seqCmdBuff, which accepts command buffers and decodes them into commands. The ASSERT is triggered from the qStatus, which is responsible for a non-blocking queue that takes the serialized commands and the error status 8. qStatus is defined in QueueCommon.cpp and is used by the QueueCommon send() function which processes a non-blocking queue and returns the status code of bareSendNonBlock(). BareSendNonBlock() retrieves the BufferQueue object from the handle in line 76. It then calls queue.push() to insert the data into the queue (line 79), which his returning status is compared with the status code 8, used to indicate that the queue is full.
Vison Space has reported this issue as:
CWE-617 & CWE-453: Denial of Service on FSW via queue overflow
To resolve this issue, the Command Dispatcher FPP file to drop messages from the seqCmdBuff port:
async input port seqCmdBuff: [CmdDispatcherSequencePorts] Fw.Com drop
I successfully tested a prototype version of F' with this change. Commands sent were dropped and F' Core continued to execute without issues.
PoC
This issue is simple to reproduce. Simply send a series of CMD_NO_OP's with minimal delay between commands. When this is performed, the last F' function executed is CommandDispatcherComponentBase::seqCmdBuff_handerBase(). This function is executed before the check of the ASSERT.
Impact
This issue should be ranked as a SEVERE HIGH Cyber Vulnerability. Expoiting this vulnerability is trival and the result is any FSW what incoproates F' will cease to execute if an adversary exploits this vulnerability. At the very least this will result in a mission outage; however, an adversary exploited this vulnerability during a critical stage of the mission (ex: Mars Heli Flight or MSR landing sequence) then it would result in the loss of the spacecraft.