Zero-Day Mitigation and Protection for Connected Device Firmware

“If you don’t know anything about computers, just remember that they are machines that do exactly what you tell them but often surprise you in the result.”

Richard Dawkins, The Blind Watchmaker

“Less than 10% of the code has to do with the ostensible purpose of the system; the rest deals with input-output, data validation, data structure maintenance, and other housekeeping.”

Mary Shaw

Why Cybersecurity?

There are many motivations for attacking connected devices: a new challenge, curiosity, boredom, street cred, revenge, activism, financial gain, espionage, political meddling, and even warfare. Hacking is big business, exceeding most people's expectations. Attackers are not the stereotypical lone wolves in pajamas down in their basements; they have organized into wolf-pack enterprises, albeit with a relaxed dress code and flexible work-from-home policies. In 2020, one active Russian Hydra Darknet hacking team stole $1.3 billion. If hacking were a country, by 2025 it would be the world's third-largest economy at $10 trillion.

These criminal organizations' high profitability and low operating costs fuel marketplaces that sell Zero-Day exploits. Some security researchers are tempted to earn far more in these marketplaces than through bug bounty programs or positive notoriety; remote code execution Zero-Day vulnerabilities trade for millions of dollars. Frankly, there is a history of companies not greeting security researchers' efforts with open arms, so it is not entirely surprising that some researchers decide to trade in marketplaces that appreciate their IP enough to shower them with life-changing cash. And, of course, nation-states have their own militarized hacking teams discovering Zero-Day exploits, too.

Connected devices are silent victims in strategic locations. Most attacks go entirely unnoticed, and even a failed attack leaves no visible sign to alarm operators or administrators. The victim devices are easy to discover, too: Shodan.io is a search engine for public internet-connected devices, which lets an attacker hone an attack against live targets without owning the hardware.

Building connected device firmware is messy. The default settings of connected devices' build tools are weak and may produce code without basic memory protections. The compiler and the linker introduce many critical, often hidden (but necessary!) control flow variables that, when tainted, dramatically change the code's behavior: return addresses, function pointers, global offset and procedure linkage tables (GOT/PLT), virtual function tables, jump buffers, signal handlers, etcetera. By altering any of these variables, an attacker bends the good code's flow to their will.

Ensuring the protection of millions of ephemeral control flow variables is a tedious and challenging manual task, but protection is necessary, and the defense must extend beyond applications to third-party libraries as well. Building libraries and applications securely and correctly requires specialized knowledge. Security must be applied automatically to maintain development velocity and to ensure that every line of code is covered. The build process is the ideal moment to add run-time protections and sanity checks transparently; adding the checks by hand is not possible in every circumstance, and it leads to madness.
// if we used gotos for function returns, we could write
// code without any risk of ROP attacks! maintenance is %S#!

#include <stdlib.h>

int main(void)
{
    /* ... */
    goto func_a;            /* "call" func_a without pushing a return address */
return_func_a:
    /* ... */
    exit(0);                /* avoid a ROP attack on the final return */
func_a:
    /* ... */
    goto return_func_a;     /* "return" without popping an address off the stack */
    /* ... */
}

Today, attackers have an asymmetric advantage over defenders. Large open-source libraries, legacy code, the sheer size of the code base, a shortage of security expertise, overloaded development teams, and inadequate development tools combine to give attackers an unfair advantage.

With Dellfer's ZeroDayGuard platform, firmware developers gain a special ally against attackers. The platform combines build tools, a device agent, and an incident monitoring service. During the build process the code is Dellferized: the firmware is transparently protected and hardened without source-code-level changes, with detection and protection instrumented into the firmware binary at the instruction level. Checks instrumented at the instruction level travel with the binary and cannot be bypassed the way a forgotten or optional source-level check can. Transparently instrumenting the code at build time ensures that each release is consistently protected and avoids the madness of a manual change process across millions of lines of code.

// if we checked every indirect branch at time of use, we could write
// code without any risk of JOP attacks! maintenance is %$#@!

#include <stddef.h>

typedef int STATUS;                       /* negative values are errors */
#define OK 0
typedef struct ctx ctx;
typedef STATUS (*callback_t)(ctx *pCtx, const void *pBuf, size_t bufLen);

/* the only legitimate targets for funcPtr */
static STATUS callbackFoo(ctx *pCtx, const void *pBuf, size_t bufLen);
static STATUS callbackBar(ctx *pCtx, const void *pBuf, size_t bufLen);
static STATUS callbackBaz(ctx *pCtx, const void *pBuf, size_t bufLen);
static STATUS callbackQux(ctx *pCtx, const void *pBuf, size_t bufLen);

static STATUS
someFunc(ctx *pCtx, callback_t funcPtr, const void *pBuf, size_t bufLen)
{
    STATUS status;
    /* ... */
    /* check the indirect branch target at the moment of use */
    if ((callbackFoo == funcPtr) || (callbackBar == funcPtr) ||
        (callbackBaz == funcPtr) || (callbackQux == funcPtr))
    {
        if (OK > (status = funcPtr(pCtx, pBuf, bufLen)))
            return status;
    }
    /* ... */
    return OK;
}
As the Dellferized firmware runs on a connected device, critical control flow variables are checked at the time of use to thwart the attacker's attempts to subvert them. The ZeroDayGuard agent reports attacks to the incident monitoring service, which acts as a cyber crash log: it tracks each event with the details needed to fix the defect rapidly, including application code-level visibility with a stack trace, the type of vulnerability, and other critical information. Developing a patch for a vulnerability requires two things: 1) proof-of-concept code that lets a developer reproduce the exploit, and 2) the location of the exploited vulnerable code. Even with this knowledge, we often see rushed, ineffective patches. Dellferized firmware continues to run safely while reporting each incident, giving developers time to write and deploy a proper patch rather than a suboptimal one.
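The tainted control flow variable from the list above, the hijack that follows when it is used unchecked, and the time-of-use check described here, in one added example. This is not Dellfer's code or an extract from ZeroDayGuard; the packet layout, handler names, incident counter and build commands are assumptions for illustration, and the check is hand-written in source, which is exactly the manual work the text says a build-time tool should do for every indirect branch.

```c
/*
 * Added example (not Dellfer's code): a control flow variable (a function
 * pointer) corrupted by an overflow, the hijack that follows when the pointer
 * is used unchecked, and the time-of-use allow-list check that stops it and
 * raises an incident instead. Packet layout, handler names and the incident
 * counter are hypothetical.
 *
 * Default build, no hardening (what weak default toolchain settings give):
 *   cc -O2 cfi_demo.c -o cfi_demo
 * Hardened build (GCC/Clang on x86-64; drop -fcf-protection on other targets):
 *   cc -O2 -fstack-protector-strong -fcf-protection=full -D_FORTIFY_SOURCE=2 \
 *      -fPIE -pie -Wl,-z,relro,-z,now cfi_demo.c -o cfi_demo
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*handler_fn)(const char *payload);

/* Legitimate handlers: the only places an indirect call should ever land. */
static int handler_ping(const char *payload) { (void)payload; return 1; }
static int handler_echo(const char *payload) { (void)payload; return 2; }

/* Stand-in for a gadget or any code the attacker wants to reach. */
static int attacker_target(const char *payload) { (void)payload; return 0xbad; }

/* Hypothetical packet context: a fixed buffer followed by a control flow
 * variable, so an overflow of buf lands on handler. */
struct pkt_ctx {
    char buf[16];
    handler_fn handler;
};

enum { CFI_VIOLATION = -1 };
static int g_incidents;               /* stands in for the agent's incident report */

/* Vulnerable parser: copies the message with no bound on len. The bytes past
 * buf overwrite ctx->handler, i.e. they taint a control flow variable. */
static void parse_message(struct pkt_ctx *ctx, const unsigned char *msg, size_t len)
{
    volatile char *dst = ctx->buf;    /* volatile: keep the out-of-bounds stores as written */
    for (size_t i = 0; i < len; i++)  /* BUG: no check against sizeof ctx->buf */
        dst[i] = (char)msg[i];
}

/* Unchecked indirect call: trusts whatever is in ctx->handler. */
static int dispatch_unchecked(struct pkt_ctx *ctx)
{
    return ctx->handler(ctx->buf);
}

/* Time-of-use check: the same allow-list idea as the JOP snippet above, applied
 * right before the branch. A tainted pointer is reported, never called. */
static int handler_is_valid(handler_fn fp)
{
    return fp == handler_ping || fp == handler_echo;
}

static int dispatch_checked(struct pkt_ctx *ctx)
{
    if (!handler_is_valid(ctx->handler)) {
        g_incidents++;                /* report the incident and keep running */
        return CFI_VIOLATION;
    }
    return ctx->handler(ctx->buf);
}

/* Constructed attacker message: filler up to the pointer, then the pointer. */
static size_t build_exploit(unsigned char *out, size_t cap, handler_fn target)
{
    size_t off = offsetof(struct pkt_ctx, handler);
    if (cap < off + sizeof target)
        return 0;
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;
}

/* Runs one scenario and returns what the chosen dispatcher produced. */
static int run_scenario(int malicious, int checked)
{
    struct pkt_ctx ctx = { "", handler_ping };
    unsigned char msg[64];
    size_t len;

    if (malicious)
        len = build_exploit(msg, sizeof msg, attacker_target);
    else
        len = (size_t)snprintf((char *)msg, sizeof msg, "ping");  /* fits in buf */

    parse_message(&ctx, msg, len);
    return checked ? dispatch_checked(&ctx) : dispatch_unchecked(&ctx);
}

static int incident_count(void) { return g_incidents; }

int main(void)
{
    printf("benign, unchecked:    %d\n", run_scenario(0, 0));  /* 1: handler_ping ran */
    printf("malicious, unchecked: %d\n", run_scenario(1, 0));  /* 0xbad: attacker_target ran */
    printf("malicious, checked:   %d (incidents=%d)\n",
           run_scenario(1, 1), incident_count());              /* -1, 1 */
    return 0;
}
```

Two things to notice when running it. The overflow stays inside the struct, so a stack canary from -fstack-protector-strong never sees it, and the hijack succeeds even in the hardened build; only the check at the point of use catches the tainted pointer. And the checked dispatcher does not crash: it records the incident and returns an error, which is the "keep running and report" behaviour the text describes, leaving the developer a reproducible record rather than a dead device.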

Firmware that reports incidents is critical in the fight against attackers, because attackers are no longer able to operate in the shadows. Each incident is a bright warning signal to the defenders, with no false positives, since it is raised only when a control flow variable fails its check at the point of use. Defenders are empowered with vital data to fight back, identify subverted systems, and seize control of them again, instead of waiting out the nine months it takes on average to discover a breach. Dellfer goes beyond control flow for applications and libraries to protect the platform, too.

Inverting the asymmetric advantage from attackers to defenders is critical, and combining protection with visibility of threats is the ideal way to do it. Once drafted into the defense, the pervasiveness of connected devices becomes a valuable resource for locating cyber-marauders and a massive advantage in disrupting firmware attackers. When a connected device is a threat sensor, attacks are no longer invisible: the defenders can discover and disrupt persistent threats within their networks, and the attackers lose a highly prized Zero-Day vulnerability.

Companies that embrace active mitigations and protection will create products that inspire confidence and unlock new revenue streams. Their development teammates will appreciate fewer late-night patches, swift defect remediation, and more time to work on valuable features. The benefits and efficiencies trickle over to support, security analysts, sales, and quality assurance. The companies' customers' security teams benefit too, gaining a new ally to help defend their networks.
