Come Join the CAFSA - Continuous Automated Firmware Security Analysis

Video Link: https://www.youtube.com/watch?v=y6HTBICjgrw



Duration: 44:00


Collin Mulliner | Dr, Cruise Automation
Location: Lagoon JKL
Date: Wednesday, August 7 | 2:40pm-3:30pm
Format: 50-Minute Briefings
Tracks: Security Development Lifecycle, Hardware/Embedded

Modern devices are complex, and their firmware often consists of multiple parts that together make up the software stack of a product. Securing firmware is hard work, since firmware changes over time and engineering focus shifts between different aspects such as prototyping, development, testing, and finally production. Shipping 'bad' firmware can have a ripple effect on your entire product and infrastructure, ranging from preventing security controls from being properly implemented to costing millions due to a recall. Preventing this ripple effect from occurring will ultimately save you money and protect your product's reputation.

This talk is about processes and tools that we designed, built, and deployed in the last couple of years while working on securing devices at multiple companies, most notably in my current role at Cruise Automation. We determined that well-engineered, simple yet powerful processes integrated into the development and release flow can achieve great victories.

Our approach is centered around a tool for analyzing firmware images, specifically filesystem images. The tool provides an automated way to model and check the security properties of files and file content. Checks can be as simple as flagging suid executables or world-writable files and as complex as ensuring that a release build contains production CAs signed with production keys. Our approach is vastly different from, and more impactful than, traditional tools such as vulnerability scanners that try to identify buggy and insecure code or tools, or CVEs within your software stack.

One core component of the process deals with reporting and further processing of the information extracted and gathered during the analysis and checking phase. All steps generate machine-readable reports that allow integration into continuous development environments as well as extension of the process and tools to new targets. We plan to open-source the toolkit together with a library of checks for various targets.
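
The two simple checks named above (suid executables, world-writable files), together with a machine-readable report, as an added Python example; this is not the tool from the talk. It assumes the filesystem image has already been unpacked to a directory with file modes preserved; the allowlist, sample paths and report fields are hypothetical.

```python
import json
import os
import stat
import tempfile

# Hypothetical policy: suid binaries this product is expected to ship.
SUID_ALLOWLIST = {"/bin/su"}

def check_tree(root, suid_allowlist=SUID_ALLOWLIST):
    """Walk an unpacked filesystem image and return a sorted list of findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow links out of the image
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink permission bits are not meaningful
            path = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISREG(st.st_mode) and mode & stat.S_ISUID and path not in suid_allowlist:
                findings.append({"check": "suid", "path": path, "mode": oct(mode)})
            # A world-writable directory with the sticky bit (like /tmp) is accepted.
            sticky_dir = stat.S_ISDIR(st.st_mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                findings.append({"check": "world_writable", "path": path, "mode": oct(mode)})
    return sorted(findings, key=lambda f: (f["path"], f["check"]))

def build_report(root):
    """Machine-readable result that a CI job can parse to gate a release."""
    findings = check_tree(root)
    return json.dumps({"image": root, "passed": not findings, "findings": findings}, indent=2)

def make_sample_tree():
    """Constructed sample input standing in for an unpacked firmware rootfs."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for rel, mode in [("bin/su", 0o4755), ("sbin/diag", 0o4755),
                      ("etc/device.conf", 0o666), ("etc/passwd", 0o644)]:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), mode=0o755, exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.chmod(full, mode)  # set mode after writing so the suid bit survives
    os.mkdir(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o1777)
    return root

if __name__ == "__main__":
    print(build_report(make_sample_tree()))
```

In a pipeline, the job would fail the build when "passed" is false and archive the JSON alongside the image.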

The talk is based on the experience of securing Linux-based devices including highly customized Android devices built in-house and by 3rd parties.

Black Hat - USA - 2019 Hacking conference






