Come Join the CAFSA - Continuous Automated Firmware Security Analysis presented at BlackHatUSA2019 2019

by Collin Mulliner,

Summary : Modern devices are complex and their firmware often consists of multiple parts that together make up the software stack of a product. Securing firmware is hard work since firmware changes over time and engineering focus shifts to different aspects like prototyping, development, testing, and finally production. Shipping 'bad' firmware can have a ripple effect on your entire product and infrastructure, possibly preventing security controls from being properly implemented to costing millions due to recall. Preventing this ripple effect to occur will ultimately save you money and keep your product reputation.This talk is about processes and tools that we designed, built, and deployed in the last couple of years while working on securing devices at multiple companies, most notably in my current role at Cruise Automation. We determined that well engineered simple yet powerful processes integrated into the development and release flow can achieve great victories.Our approach is centered around a tool for analyzing firmware images, specifically filesystem images. The tool provides an automated way to model and check the security properties of files and file content. Checks can be as simple as flagging suid executables or world writable files and as complex as ensuring that a release build contains production CAs signed with production keys. Our approach is vastly different and more impactful compared with traditional tools such as vulnerability scanners that try to identify buggy and insecure code or tools, CVEs within in your software stack.One core component of the process deals with reporting and further processing of information extracted and gathered during the analysis and checking phase. All steps generate machine readable reports that allow integration in continuous development environments as well as extending the process and tools to new targets. We plan to opensource the tool kit together with a library of checks for various targets.The talk is based on the experience of securing Linux-based devices including highly customized Android devices built in-house and by 3rd parties.