Posted to commits@nuttx.apache.org by GitBox <gi...@apache.org> on 2021/03/12 16:32:24 UTC

[GitHub] [incubator-nuttx] nix7965 edited a comment on issue #3011: Nsh Debug Commands Vulnerability Report

nix7965 edited a comment on issue #3011:
URL: https://github.com/apache/incubator-nuttx/issues/3011#issuecomment-797603358


I would suggest we may need to disable "mw"-like commands by default, as @patacongo mentioned, because they do not look so useful....
Also, I have the following opinions.

1. I think "firmware extraction permission" != "NSH access".
If there were no "mw" command, firmware extraction would not be possible.
Meanwhile @btashton said that STM32F4's readout protection is very broken (I assume you mean we can disable STM32F4's readout protection **without any problem such as erasure of the original firmware**).
But, I remember there is no practical way to do that.... Sorry for my ignorance. Could you tell me how to do that?
Even if that is really very broken, that does not mean we should not protect against this vulnerability.
Because this can happen on other "unbroken" boards, I think we should make it more secure.

Again, NSH access itself is not firmware extraction permission. Additionally, if applications running on NSH are properly implemented, NSH may not cause serious security issues IMO.

2. Second, @patacongo mentioned PROTECTED mode. But, I think NuttX is open source. Therefore, I guess what the vendors really want to protect is their **"application code from extraction"**. In that case, I guess "mw" commands work for "application code". If my understanding is correct, please let me know. That's good to learn.

