The growth of IoT devices has highlighted the difficulties in ensuring firmware security — especially where the device and software are initially sourced from third parties, or developed under time pressures in-house. Now a new firmware analyzer has been released to open source on GitHub.
Produced by the security team at Cruise, a San Francisco, California-based developer of self-driving cars (owned by General Motors), FwAnalyzer is designed to provide continuous firmware security analysis by targeting filesystem images. It was built for Linux-based devices, including Android, but can be augmented to work on similar platforms, and was announced at Black Hat on Wednesday.
Filesystem images must first be extracted so they can be analyzed. Once this has been done (outside of FwAnalyzer) a menu of configuration rules can be applied to tailor the analysis. There are three types of rule: those that apply to file metadata (such as permissions, type and ownership); rules that target the content of a file; and rules that analyze the filesystem metadata.
The first group allows checks on access control to be implemented. The second group comprises a large number of checks on the content of a file, each providing different insights. The third group can check whether a specific file or set of files exists, and can be used to compare two different filesystems to see whether any files have been added or removed.
A simple example of one of the rules flags setuid (SUID) files to help identify possibly dangerous executables. SUID files are notorious for local privilege escalation vulnerabilities. The rule can be set to ignore known good SUID files, such as common system utilities.
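The three rule groups above (file metadata, file content, filesystem metadata) map naturally onto small checks over an extracted root filesystem. The following is an added example written for this article, not FwAnalyzer's own code or configuration format: it implements a SUID finder with an allowlist of known-good binaries, a permission/ownership check driven by a rule table, and an added/removed file comparison between two images. The directory layout it builds and the rule dictionary shape are this example's own assumptions.

```python
"""File-metadata and filesystem-metadata rules over an extracted firmware
rootfs. Added example, not FwAnalyzer's own code; the sample tree and the
rule layout are this example's assumptions."""
import os
import stat
import tempfile


def walk_files(root):
    """Yield (image-relative path, real path) for every regular file under root."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            yield "/" + os.path.relpath(full, root), full


def find_suid(root, allowlist=frozenset()):
    """Flag setuid/setgid regular files that are not on the known-good list."""
    hits = []
    for rel, full in walk_files(root):
        st = os.lstat(full)
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            if rel not in allowlist:
                hits.append(rel)
    return sorted(hits)


def check_file_stat(root, rules):
    """rules: {path: {"mode": 0o600, "uid": 0, "gid": 0}} (any subset of fields).
    Returns (path, field, actual) for every mismatch; a missing file is
    reported as (path, "exists", False)."""
    problems = []
    for rel, want in rules.items():
        full = os.path.join(root, rel.lstrip("/"))
        if not os.path.lexists(full):
            problems.append((rel, "exists", False))
            continue
        st = os.lstat(full)
        actual = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
        for field, expected in want.items():
            if actual[field] != expected:
                problems.append((rel, field, actual[field]))
    return problems


def diff_images(old_root, new_root):
    """Filesystem-metadata rule: which files were added to / removed from an image."""
    old = {rel for rel, _ in walk_files(old_root)}
    new = {rel for rel, _ in walk_files(new_root)}
    return sorted(new - old), sorted(old - new)


def build_sample_image(with_debug_tool=False):
    """Constructed sample rootfs (not a real firmware image) for running the checks."""
    root = tempfile.mkdtemp(prefix="fw-")

    def put(rel, data, mode):
        full = os.path.join(root, rel.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        os.chmod(full, mode)

    put("/bin/su", b"\x7fELF constructed", 0o4755)            # known-good SUID utility
    put("/etc/shadow", b"root:*:0:0:99999:7:::\n", 0o644)     # too permissive on purpose
    if with_debug_tool:
        put("/usr/bin/debug_tool", b"\x7fELF constructed", 0o4755)  # unexpected SUID binary
    return root
```

Running the checks against the constructed "dev" image flags /usr/bin/debug_tool as an unallowlisted SUID binary, reports /etc/shadow as 0o644 instead of 0o600, and shows the debug tool as the one file added relative to the baseline image; a real deployment would replace the constructed tree with the extracted filesystem image and the rule table with the product's own expectations.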
“Analysis of file content is the core of FwAnalyzer,” comments Collin Mulliner, principal security engineer, autonomous vehicle security at Cruise Automation, in an associated blog. He describes three of the most important mechanisms. First of all, SHA-256 hashes can be compared to a preconfigured hash to confirm that a specified file has the correct content. “This can be useful in the context of development vs. production public keys and certificates stored on the filesystem,” he says.
Secondly, regular expressions can be used to check, for example, that certain settings are present. Similarly, release information can be checked to confirm that an update file is the result of a production build — for example, by checking the ro.build.type on Android.
Thirdly, external scripts can be run against a file extracted to a temporary location. “External scripts,” says Mulliner, “enable easy extension of FwAnalyzer without modifying FwAnalyzer itself.”
The result includes the automated detection of any non-stripped binaries, the ability to ensure that files have the right permissions, and a check that the firmware does not include any private key files.
“These are just a few examples of what FwAnalyzer can do,” says Mulliner. “Overall checks will be contingent on the product and its functionality, but the underlying mechanisms provided by this tool are universal.”
At the end of the sequence, it can also be used for production signing, since it analyzes the firmware image and only allows it to be signed if it passes all checks. “This step,” he says, “should eradicate accidental signing of bad firmware, such as development builds or engineering builds created by an individual developer.”
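The content mechanisms Mulliner describes (SHA-256 comparison against a preconfigured hash, regular-expression rules such as checking ro.build.type, external scripts run on a copy of the file, and the private-key scan) and the signing gate at the end of the sequence fit together as one pipeline. The following is an added example written for this article, not FwAnalyzer's code or its configuration syntax: it runs each kind of content check over a constructed sample tree and produces a release signature only when every check passes. The check names, the sample build.prop and certificate bytes, the external shell script and the HMAC used as a stand-in for the real signing step are all this example's assumptions.

```python
"""Content checks plus a release-signing gate over an extracted firmware
rootfs. Added example, not FwAnalyzer's own code; the sample tree, the rule
names and the HMAC "signing" stand-in are this example's assumptions."""
import hashlib
import hmac
import os
import re
import shutil
import subprocess
import tempfile

# Constructed placeholder key for the signing stand-in (not a real secret).
RELEASE_KEY = b"example-release-key-not-a-real-secret"
# Constructed golden production certificate; in a real rule the expected
# SHA-256 is a literal hex string in the configuration, not computed here.
GOLDEN_CERT = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed-prod...\n-----END CERTIFICATE-----\n"
DEV_CERT = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed-dev...\n-----END CERTIFICATE-----\n"
EXPECTED_CERT_SHA256 = hashlib.sha256(GOLDEN_CERT).hexdigest()
PRIVATE_KEY_PEM = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")


def walk_files(root):
    """Yield (image-relative path, real path) for every regular file under root."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            if os.path.isfile(full) and not os.path.islink(full):
                yield "/" + os.path.relpath(full, root), full


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_hash(root, rel, expected_hex):
    """Hash rule: the file's content must match a preconfigured SHA-256."""
    return sha256_file(os.path.join(root, rel.lstrip("/"))) == expected_hex


def check_regex(root, rel, pattern, must_match=True):
    """Regex rule: require (or, with must_match=False, forbid) a pattern."""
    with open(os.path.join(root, rel.lstrip("/")), "rb") as f:
        text = f.read().decode("utf-8", "replace")
    return (re.search(pattern, text, re.MULTILINE) is not None) == must_match


def find_private_keys(root):
    """Flag every file carrying a PEM private-key header."""
    hits = []
    for rel, full in walk_files(root):
        with open(full, "rb") as f:
            if PRIVATE_KEY_PEM.search(f.read()):
                hits.append(rel)
    return sorted(hits)


def run_external_script(root, rel, script):
    """Copy the file to a temporary location and hand it to an external
    script; exit status 0 means the check passed."""
    with tempfile.TemporaryDirectory() as tmp:
        copy = os.path.join(tmp, os.path.basename(rel))
        shutil.copy2(os.path.join(root, rel.lstrip("/")), copy)
        return subprocess.run(["/bin/sh", script, copy]).returncode == 0


def release_gate(root, checks):
    """Run every (name, callable) check; sign only if all pass. The signature
    here is an HMAC over a manifest of path:sha256 lines, standing in for the
    product's real signing step."""
    failures = [name for name, fn in checks if not fn()]
    if failures:
        return None, failures
    manifest = "\n".join(f"{rel}:{sha256_file(full)}" for rel, full in walk_files(root)).encode()
    return hmac.new(RELEASE_KEY, manifest, hashlib.sha256).hexdigest(), []


def build_sample_image(production=True):
    """Constructed sample rootfs: build.prop, a certificate, and (for a
    development build) a leaked private key and a debug-signed cert."""
    root = tempfile.mkdtemp(prefix="fw-")
    sec = os.path.join(root, "system/etc/security")
    os.makedirs(sec)
    with open(os.path.join(root, "system/build.prop"), "w") as f:
        f.write(f"ro.build.type={'user' if production else 'userdebug'}\nro.debuggable=0\n")
    with open(os.path.join(sec, "release.pem"), "wb") as f:
        f.write(GOLDEN_CERT if production else DEV_CERT)
    if not production:
        with open(os.path.join(sec, "debug.key"), "w") as f:
            f.write("-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n")
    return root


def write_sample_script():
    """Constructed external check: fail if the prop file enables debugging."""
    path = os.path.join(tempfile.mkdtemp(prefix="fw-script-"), "no_debug.sh")
    with open(path, "w") as f:
        f.write('#!/bin/sh\n! grep -q "^ro.debuggable=1" "$1"\n')
    return path


def evaluate(root, script):
    """Assemble the rule set for this product and run it through the gate."""
    cert = "/system/etc/security/release.pem"
    checks = [
        ("release cert hash", lambda: check_hash(root, cert, EXPECTED_CERT_SHA256)),
        ("production build", lambda: check_regex(root, "/system/build.prop", r"^ro\.build\.type=user$")),
        ("no private keys", lambda: not find_private_keys(root)),
        ("debug off", lambda: run_external_script(root, "/system/build.prop", script)),
    ]
    return release_gate(root, checks)
```

The production sample passes every rule and receives a signature; the development sample fails the certificate hash, the build-type regex and the private-key scan, so no signature is produced and the failures are reported by rule name. The non-stripped-binary check mentioned in the article is not shown here, since it needs an ELF section-header parser rather than a text rule.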
FwAnalyzer is designed to be integrated into the development, test, and release phases of firmware production in an automated fashion. Automation in security checking is considered to be so important that it is included as one of the six pillars of effective DevSecOps by the Cloud Security Alliance. “Processes that can be automated should be automated, and those that can’t should be automated as much as possible or be considered for elimination,” it says.
Mulliner agrees. “Automating firmware security is a step in the right direction,” he said, adding, “We decided to open source FwAnalyzer to help others to build more secure products as well.” FwAnalyzer can be found on GitHub with a list of the specific configuration options.