Zero-Day Mitigation and Protection for Connected Device Firmware
“If you don’t know anything about computers, just remember that they are machines that do exactly what you tell them but often surprise you in the result.”
Richard Dawkins, The Blind Watchmaker
“Less than 10% of the code has to do with the ostensible purpose of the system; the rest deals with input-output, data validation, data structure maintenance, and other housekeeping.”
Mary Shaw
With Dellfer’s ZeroDayGuard platform, firmware developers gain a special ally against attackers. The platform combines build tools, a device trustee, and an incident monitoring service. During the build process the code is Dellferized: the firmware is transparently protected and hardened without source-code-level changes. Detection and protection are instrumented into the firmware binary at the instruction level, and code instrumented at that level cannot be bypassed by the application code it protects. Transparently instrumenting the code at build time ensures each release is consistently protected and avoids the madness of a manual change process across millions of lines of code, which is what protecting every indirect branch by hand would look like:
// if we checked every indirect branch at time of use, we could write
// code without any risk of JOP attacks! maintenance is %$#@!
#include <stddef.h>

typedef int STATUS;                 /* values >= OK mean success */
#define OK 0
typedef struct ctx ctx;
typedef STATUS (*callback_t)(ctx *pCtx, void *pBuf, size_t bufLen);

/* the only functions this indirect call is ever allowed to reach */
extern STATUS callbackFoo(ctx *, void *, size_t);
extern STATUS callbackBar(ctx *, void *, size_t);
extern STATUS callbackBaz(ctx *, void *, size_t);
extern STATUS callbackQux(ctx *, void *, size_t);

static STATUS
someFunc(ctx *pCtx, callback_t funcPtr, void *pBuf, size_t bufLen)
{
    STATUS status;
    /* ... */
    /* time-of-use check: a corrupted funcPtr is never called */
    if ((callbackFoo == funcPtr) || (callbackBar == funcPtr) ||
        (callbackBaz == funcPtr) || (callbackQux == funcPtr))
    {
        if (OK > (status = funcPtr(pCtx, pBuf, bufLen)))
            return status;
    }
    /* ... */
    return OK;
}
As the Dellferized firmware runs on a connected device, critical control flow variables are checked at the time of use to thwart the attacker’s attempts to subvert control flow. The ZeroDayGuard trustee reports attacks to the incident monitoring service, which acts as a cyber crash log. The service tracks each event with the details needed to fix defects rapidly: application code-level visibility with a stack trace, the type of vulnerability, and other critical information. Remediating a vulnerability requires two things to develop a patch: 1) proof-of-concept code that lets a developer reproduce the exploit; and 2) the location of the exploited vulnerable code. Even with this knowledge, we often see rushed, ineffective patches. Dellferized firmware continues to run safely while reporting each incident, giving developers time to write and deploy patches instead of rushing suboptimal ones.
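The following C sketch is an added illustration, not Dellfer’s code, of what the time-of-use check behind the hand-written whitelist above and the detect-report-continue behaviour described here look like together; the names allowed_targets, dispatch and report_incident, and the simulated corrupted pointer, are assumptions made for the example. The guarded call site refuses any target outside its allowed set, records the incident, and keeps running.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

typedef int STATUS;                 /* values >= OK mean success */
#define OK 0
#define ERR_CFI (-1)                /* control-flow check failed */
typedef STATUS (*handler_t)(const uint8_t *buf, size_t len);

static STATUS handlerA(const uint8_t *b, size_t n) { (void)b; return (STATUS)n; }
static STATUS handlerB(const uint8_t *b, size_t n) { return n ? (STATUS)b[0] : OK; }

/* assumed: the set of targets this call site may reach (a build tool would
 * derive this from the binary; here it is written out by hand) */
static const handler_t allowed_targets[] = { handlerA, handlerB };

/* minimal stand-in for the "cyber crash log": count and last bad target */
typedef struct { int count; handler_t last_bad_target; const char *site; } incident_log_t;
static incident_log_t g_log;

static void report_incident(const char *site, handler_t bad) {
    g_log.count++;
    g_log.last_bad_target = bad;
    g_log.site = site;
}

/* time-of-use check: is funcPtr one of the allowed targets? */
static int target_allowed(handler_t funcPtr) {
    for (size_t i = 0; i < sizeof allowed_targets / sizeof allowed_targets[0]; i++)
        if (allowed_targets[i] == funcPtr) return 1;
    return 0;
}

/* guarded indirect call: refuse the jump, report it, and keep running */
static STATUS dispatch(handler_t funcPtr, const uint8_t *buf, size_t len) {
    if (!target_allowed(funcPtr)) {
        report_incident("dispatch", funcPtr);
        return ERR_CFI;
    }
    return funcPtr(buf, len);
}

/* constructed: a function the pointer variable was never meant to hold,
 * standing in for a pointer overwritten by memory corruption */
static STATUS not_a_handler(const uint8_t *b, size_t n) { (void)b; (void)n; return 0xBAD; }

int main(void) {
    const uint8_t msg[] = { 7, 8 };   /* constructed sample input */
    printf("legit: %d\n", dispatch(handlerA, msg, sizeof msg));
    printf("corrupted: %d, incidents=%d\n", dispatch(not_a_handler, msg, sizeof msg), g_log.count);
    return 0;
}
```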
Firmware that reports incidents is critical in the fight against attackers, who are no longer able to operate in the shadows. Each incident is a bright warning signal to defenders, with no false positives. Defenders are empowered with vital data to fight back, identify subverted systems, and seize back control of them. The average time to discover a breach is nine months. Dellfer goes beyond control flow for applications and libraries to protect the platform too.
Inverting the asymmetric advantage from attackers to defenders is critical, and combining protection with visibility of threats is the way to do it. Once drafted as threat sensors, the pervasiveness of connected devices becomes a valuable resource for locating cyber-marauders, a massive advantage that disrupts firmware attackers. When a connected device is a threat sensor, attacks are no longer invisible: defenders can discover and disrupt persistent threats within their networks, and attackers lose a highly prized Zero-Day vulnerability.
The companies that embrace active mitigations and protection will create products that inspire confidence and unlock new revenue streams. Their development teams will appreciate the end of late-night patching, swift defect remediation, and more time to work on valuable features. The benefits and efficiencies carry over to support, security analysts, sales, and quality assurance. The companies’ customers’ security teams benefit too, gaining a new ally to help defend their networks.