• Aucun résultat trouvé

Analyzing thousands of firmware images and a few physical devices. What?s next?

N/A
N/A
Info
Télécharger
Protected

Academic year: 2022

Partager "Analyzing thousands of firmware images and a few physical devices. What?s next?"

Copied!
1
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

Analyzing Thousands of Firmware Images and a Few Physical Devices. What’s Next?

Aurélien Francillon

Eurecom, France

[email protected]

ABSTRACT

In this talk we will make an overview of security problems that have been found with a large scale automated static analysis (within the firmware.re project [1, 2]) and with a more focused and more manual dynamic analysis (using the Avatar project [4, 5]). We will then discuss what we think we can do about this and how. We argue that to be more trustworthy devices need to be made more transparent (so that users can inspect them), controllable (so that users can do something about it) and resistant to attacks (so that devices will resist to basic attacks).

Keywords

Embedded systems security; Trust

Studying Embedded (In)security

Most of the connected or smart devices we analyzed have a disappointing security level. What is especially disappoint- ing is that they are massively produced devices and that the problems found are often problems that we know how to ad- dress. One of the most surprising case is that of firmware images which include public and private key pairs. Those keys are used for serving web pages over HTTPS. Not only those keys are used as is in thousands of similar devices that are online, they are not even changed across different brands (likely because of white labels products).

This should not be problems that we find in real devices, in particular, a lot of research efforts have been put into con- structing secure systems and those are very basic problems.

In fact, many products have a good level of security (e.g., secure smart cards), but others are really insecure. Some are security devices: security is at the core of their purpose;

while other are not. Unfortunately, such systems with a poor level of security seem to outnumber the secure systems. We nevertheless often rely on their security in our daily life and their failure can have serious consequences.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored.

For all other uses, contact the owner/author(s).

TrustED’16 October 28-28 2016, Vienna, Austria c 2016 Copyright held by the owner/author(s).

ACM ISBN 978-1-4503-4567-5/16/10.

DOI:http://dx.doi.org/10.1145/2995289.2995296

So What’s Next?

A part of the problem is an economic problem: develop- ing secure products is difficult and expensive, and may be overlooked if incentives are unclear.

Second, trust is something that is not blindly granted but that is earned, e.g., by verifying it [3]. Currently, trusted computing mechanisms often rely on unconditional trust on the systems manufacturer. However, users have too few ways to verify that the systems are trustworthy other than blindly trusting the manufacturer, i.e., one can only trust a system fully if he can inspect it. Unfortunately, the first se- curity measures that are implemented in embedded systems often prevent such an independent analysis (e.g., deactiva- tion of a debug port, secure boot, encrypted file system, ob- fuscation). There is a conflict situation: such measures are often useful in securing a system (slowing down an attacker) but should not jeopardize our ability to analyze them (in- dependently discover software vulnerabilities). Ideally, this problem should be solved during design, we call this Design For Security Testing.

We should design systems where the users, i.e., the de- vices owners, can decide whom and what to trust. We call this Design For User Trust, where users are in control of the system. Without this, a user may not be able to solve the problem he is able to detect. Finally, devices needs to be designed in a more resilient way, for this we still need to cre- ate new methodologies for design, test and building blocks which are easy to integrate in future systems.

We conclude that more research is needed to make it eas- ier to build secure systems, in particular, in the areas of concrete architectures for Design For User Trust and Design For Security Testing.

1. REFERENCES

[1] A. Costin, J. Zaddach, A. Francillon, and D. Balzarotti. A Large Scale Analysis of the Security of Embedded Firmwares. USENIX Security, 2014.

[2] A. Costin, A. Zarras, and A. Francillon. Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces. ASIACCS, 2016.

[3] A. Francillon. Trust, But Verify: Why and how to establish trust in embedded devices (invited paper). DATE, 2016.

[4] J. Zaddach, L. Bruno, A. Francillon, and D. Balzarotti.

Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares. NDSS, 2014.

[5] J. Zaddach, A. Kurmus, D. Balzarotti, E. O. Blass, A. Francillon, T. Goodspeed, M. Gupta, and I. Koltsidas.

Implementation and implications of a stealth hard-drive backdoor. ACSAC, 2013.

Références

Télécharger maintenant ( PDF - 1 Page - 106.11 KB )

Documents relatifs

Semantics Preservation Issues in the Design and Optimization of SW Architectures for Automotive Systems

The talk will present work performed in cooperation with GM R&D and UC Berkeley, in which we optimized several aspects of the software architecture design, including the

Optimization of concrete mix design to account for strength and hydration heat in massive concrete structures

Optimization of concrete mix design to account for strength and hydration heat in massive concrete structures... Optimization of concrete mix design to account for strength

Study and Design of Blockchain Based Decentralized Trust Management System for Secure Transactions

In IoT, we apply our SE BC Stratagem (SEBS) to solve the pressing issue of holistic data security in resource constrained devices i.e., securing data at all 3 points viz.,

Comparison of Multidisciplinary Design Optimization Architectures for the design of Distributed Space Systems

Later, three monolithic MDO architectures, namely, Individual Discipline Feasible (IDF), Simultaneous Analysis and Design (SAND) and Multidisciplinary Feasible (MDF) are compared

The Principle of Transparency and Access to Documents in the EU: for what, for whom, and of what?

this second line of cases, the Court started off by shielding specific legal regimes of access to documents – set out in sector or, otherwise, specific laws ruling access

What do we do and what is it for?

In his writings, Feldenkrais uses a constellation of notions linked together: body image, body schema, self- image, awareness and habits.. Schilder’s book is seminal for it

Insights from User Experience Research in the Factory: What to Consider in Interaction Design

Overall, this work contributes to an orientation for designers and researchers regarding the interplay be- tween user, system and context in a factory environment by pointing

Do We Have What Is Needed to Change Everything?

In this study, we use a data (n=160) from a survey to the Finnish software businesses to evaluate how software companies perceive the labour shortage and its implications in the