As China's leading firmware binary security analysis platform provider, Ruler Technology has seen its products adopted by several "national team" customers!
Alongside these results, we have found in technical conversations with potential customers and partners that the same questions (or misunderstandings) keep coming up. Even engineers who have worked in the security field for many years can be unsure what firmware binary security analysis actually involves.
These questions include:
Can source-code analysis detect all software vulnerabilities?
Is source-code analysis more accurate?
Why use binary CWE analysis, and how does it differ from binary component analysis?
If we have already tested the device rigorously, including source code audit, web penetration testing, network vulnerability scanning and so on, do we still need firmware binary security analysis?
Let's answer them one by one.
On the first question, the answer is no: source-code analysis tools cannot detect vulnerabilities in all of a product's software. As everyone knows, nobody reinvents the wheel in modern software development; almost no one builds an entirely new system from scratch, and this is especially true in embedded (smart device) development. Linux, for example, is one of the most commonly used operating systems, and its drivers and various third-party closed-source components are generally distributed as compiled binaries that developers can only reference and link against. A source-code analysis tool cannot check this part at all, because there is no source code.
Moreover, in some industries, such as vehicle OEMs, it is usually difficult to obtain the source code of components from Tier 1 and Tier 2 suppliers, yet the OEM remains responsible for the safety of the whole vehicle. In that situation a source-code analysis tool is of no use at all.
Coming back to the device terminals we focus on: through binary security analysis, Ruler Technology's tools can cover the entire scope of the device firmware, including the operating system, third-party components and business applications, as well as sensitive information, configuration files and certificate security. None of this can be covered by a source-code audit tool. The following figure shows the capability coverage of Qiwu Technology's terminal firmware security analysis platform.
On the second question, the answer is also no. Because source-code analysis is technically less difficult than binary analysis, engineers often assume it must be more accurate. Source-code analysis (SAST) falls roughly into two schools: the first treats the source as plain text and matches features in it; the second hooks into the compilation environment. The latter builds on compiler techniques such as AST analysis and goes a step further with IR- and CFG-based analysis methods.
In the first school, the tool treats the source as pure text and takes no account of the target's specific operating environment, which makes it very convenient to use. The catch is that the objects these tools examine (source files, or even fragments) are not the objects that finally ship, and so the false positive rate can be very high. For compiled languages such as C and C++, the final binary object code varies greatly with the target CPU platform and compiler options.
In the second school, the analysis tool is hooked into the compilation environment before detection. But such tools usually support only a few popular platforms and systems, such as x86 Windows and Linux. In embedded software development the system environment, compilation environment and development toolchain are exceptionally complex and diverse, and such tools have little way of supporting them.
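To make the first school's problem concrete, here is an added toy example (not from the original post; the C snippet, macro names and rule table are constructed): a text-matching scan flags the strcpy in every preprocessor branch, while a scan that knows which macros the target build defines only sees the branch that is actually compiled.

```python
import re

# Constructed firmware source: the unsafe strcpy is compiled only for the x86 build.
SRC = """\
#if defined(TARGET_X86)
    strcpy(name, pkt->name);                 /* legacy desktop-only path */
#else
    strlcpy(name, pkt->name, sizeof name);
#endif
    sprintf(log, "%s", name);
"""
# Constructed rule set: dangerous call -> CWE class reported for it.
RULES = {"strcpy": "CWE-120", "sprintf": "CWE-120"}

def matches(line):
    """Rule hits on one line as (function, CWE) pairs."""
    return [(fn, cwe) for fn, cwe in RULES.items() if re.search(rf"\b{fn}\s*\(", line)]

def plain_text_scan(src):
    """School 1: treat the source as text; every branch is scanned, whatever the build."""
    return [(n, fn, cwe) for n, line in enumerate(src.splitlines(), 1)
            for fn, cwe in matches(line)]

def build_aware_scan(src, defined):
    """School 2: scan only the lines the preprocessor keeps for the build whose
    macros are in `defined` (supports unnested #if defined(X) / #else / #endif)."""
    active, findings = True, []
    for n, line in enumerate(src.splitlines(), 1):
        s = line.strip()
        if s.startswith("#if"):
            active = re.search(r"defined\((\w+)\)", s).group(1) in defined
        elif s.startswith("#else"):
            active = not active
        elif s.startswith("#endif"):
            active = True
        elif active:
            findings += [(n, fn, cwe) for fn, cwe in matches(line)]
    return findings

if __name__ == "__main__":
    print("plain text:", plain_text_scan(SRC))                 # strcpy at 2, sprintf at 6
    print("ARM build :", build_aware_scan(SRC, {"TARGET_ARM"}))  # only sprintf at 6
```

For the ARM build the strcpy report is a false positive: that line never reaches the firmware image, which is exactly the class of noise the plain-text school cannot filter out.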
The figure below shows the false positive rate (more than 50%) of an international first-tier source-code analysis tool in benchmark testing.
Ruler Technology's binary analysis works on the final binary, which is the program's final form, so we have the means to keep the false positive rate at a fairly low level.
On the third question: binary component analysis focuses primarily on known vulnerabilities, while binary CWE analysis focuses primarily on unknown vulnerabilities. The general principle of binary component analysis is to identify the program name and version from features of the binary file, and then match the corresponding vulnerability records from public vulnerability databases. So, essentially, binary component analysis does not directly uncover vulnerabilities. Binary CWE analysis starts from the principles behind each class of vulnerability and analyses the program logic in depth to dig out the vulnerabilities themselves.
Ruler Technology's binary CWE analysis technology works in the opposite direction from source analysis: the binary executable is first disassembled, the disassembled code is then mapped onto a custom intermediate representation (IR) layer that builds a specific semantic structure, and vulnerability analysis is carried out on this IR layer to discover new risk points. Unlike source-code analysis tools, which mostly detect risk points by rule matching, Ruler Technology's binary CWE analysis combines a variety of methods such as symbolic execution, concolic (hybrid) execution, fuzz testing and taint analysis into a set of complex analysis models that mix static and dynamic analysis, which keeps the false positive rate at a fairly low level.
At the same time, Ruler Technology also uses innovative means such as virtual execution and function call stack display to show clearly how a vulnerability forms, so that analysts can quickly identify the risk. The effect is shown in the figure below.
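As an added illustration (not Ruler Technology's code or method; the IR, the source/sink tables and the sample program are all constructed here), the toy pass below shows the shape of taint analysis over an IR layer: attacker-controlled data from a source is followed through the instructions until it reaches a dangerous sink argument, and each finding keeps the chain of instructions that carried it there, which is the trace an analyst needs to see how the vulnerability forms.

```python
# Added example, not Ruler Technology's code: a toy taint-analysis pass over a
# small custom IR, the kind of check a binary CWE analyser runs after lifting
# disassembly to IR. IR shape, source/sink tables and sample program are constructed.
# IR forms: ("call", fn, dst, args)  ("mov", dst, src)  ("add", dst, a, b)
#           ("check_lt", var, bound) -> var is range-checked on the path after it
SOURCES = {"recv", "read", "getenv"}              # return value is attacker-controlled
SINKS = {"memcpy": 2, "system": 0, "sprintf": 1}  # fn -> index of the dangerous argument

def taint_chain(ins, taint):
    """Instructions whose taint flows into ins's result, or None if it is clean."""
    op = ins[0]
    if op == "call":
        return [] if ins[1] in SOURCES else None
    if op == "mov":
        return taint.get(ins[2])
    if op == "add":
        return (taint.get(ins[2], []) + taint.get(ins[3], [])) or None
    return None

def analyze(ir):
    """Propagate taint in program order and return one finding per sink that is
    fed tainted data, each carrying the instruction chain that brought it there."""
    taint, findings = {}, []          # var -> chain of instructions that tainted it
    for idx, ins in enumerate(ir):
        op = ins[0]
        if op == "check_lt":          # toy model: a range check sanitises the value
            taint.pop(ins[1], None)
            continue
        if op == "call" and ins[1] in SINKS:
            bad = ins[3][SINKS[ins[1]]]
            if bad in taint:
                findings.append({"sink": ins[1], "arg": bad, "at": idx,
                                 "trace": taint[bad] + [ins]})
        dst = ins[2] if op == "call" else ins[1]
        chain = taint_chain(ins, taint)
        if dst is None:
            continue
        if chain is None:
            taint.pop(dst, None)      # overwritten with clean data
        else:
            taint[dst] = chain + [ins]
    return findings

# Constructed sample: a packet handler lifted to the IR. recv()'s byte count reaches
# memcpy's size argument without a check, so the copy length is attacker-controlled.
UNCHECKED = [("call", "recv", "r0", ["sock", "pkt", "512", "0"]), ("mov", "len", "r0"),
             ("add", "total", "len", "4"), ("call", "memcpy", None, ["buf", "pkt", "total"])]
# The same handler with a bounds check on len inserted before the copy.
CHECKED = UNCHECKED[:2] + [("check_lt", "len", "256")] + UNCHECKED[2:]
```

`analyze(UNCHECKED)` reports the memcpy with a four-instruction trace from recv to the copy, while `analyze(CHECKED)` returns nothing because the range check clears the taint before the size is computed.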
On the fourth question: yes. Source code audit, web penetration testing, network vulnerability scanning and similar traditional detection methods focus on issues at the network level, including application-layer protocols, such as the OWASP Top 10. The reason is that traditional network security rests on the basic assumption that core equipment such as PCs or servers is physically controlled (for example by the physical protection of data centres or office environments), so an attacker can only attack over the network.
But in embedded and IoT scenarios our devices are mostly physically uncontrolled: smart meters, EV charging stations, cameras in a residential community and so on. Attackers can easily obtain physical samples of terminal equipment. Based on our years of attack-and-defence experience and the cases published by other security research teams in recent years, the central step in an attack on an end device is to reverse-engineer the firmware and applications in the device to identify exploitable vulnerabilities, which are then used to implement multiple attack vectors, such as:
Impersonating the cloud to send malicious control instructions to the device;
Impersonating a device to send large amounts of fake device data to the cloud, disrupting normal business operation;
Planting Trojans in devices to steal sensitive information;
Using IoT terminal devices as a springboard to attack other targets.
In addition, because core algorithms can be reverse-engineered, there is also a risk of core intellectual property leaking.
Traditional detection methods pay no attention to any of this. Therefore firmware binary security analysis is an indispensable means of discovering security issues on the device side.
That's all for this issue. If you have any other questions, please contact us and we will answer in more depth. Thank you!