
Some Use Cases and Discussion

ThreatSCOPE Exploitability Analysis and Mitigation

By Yeasir Pervej

Since 2002, BlueRiSC has been involved in some of the most advanced R&D for next-generation security solutions with commercial customers in 19 countries spanning both defense agencies and commercial markets. We invent cutting-edge system assurance and privacy solutions for the 21st century and this includes BlueRiSC’s ThreatSCOPE.

The ThreatSCOPE toolkit and runtime support three main use cases:

▪ Interactive exploitability analysis and reporting
▪ Vulnerability testing and coverage
▪ Runtime mitigation/cyber-hardening of deployed systems

In addition, a number of supporting technologies – such as source code generation, generic code insertion at various granularities, and differential versioning for capturing changes in attack surface across subsequent releases – assist users with relevant information and unique capabilities. The goal is to enable a cost-effective cyber-mitigation solution, as well as to make the framework accessible to end-users in a range of cyber-security roles within organizations.

Figure 1: ThreatSCOPE Static Analysis and Runtime Capabilities

Technology Overview

Cyber threats against embedded systems (weapons, avionics, automotive, medical devices, control systems, IoT, etc.) due to software vulnerabilities are increasingly challenging to identify and test for. This is due to their reliance on external data (i.e., user input, external sensors, etc.), interactions between subsystems, and the complex nature of these systems and their varying connectivity points, which makes testing for vulnerabilities an increasingly complex, ad-hoc, and typically costly activity. Furthermore, due to the existence of silent vulnerabilities (such as the Heartbleed SSL vulnerability), that do not change the firmware or data per se, the assumption that system state will be maliciously modified as a result of attack can no longer be made. Additionally, simply checking for known vulnerabilities is inadequate as new attack surfaces are discovered at alarming rates.

ThreatSCOPE is a patented technology that relies on a binary-level framework – supporting a variety of embedded CPUs and environments – and capable of automatically extracting artifacts from the software/firmware that contribute to resident vulnerabilities and potentially exploitable paths. When operating on the embedded binary, ThreatSCOPE is not only capable of performing automatic binary/executable reverse-engineering, but also contains a generic program analytic framework for statically extracting and characterizing potential security defects that are resident in the firmware.

This exploitability characterization technology does not rely on a priori knowledge of an existing vulnerability (or class of vulnerabilities). Rather, it extracts conceptual artifacts that span the operational requirements of a successful exploitation of the embedded system.

ThreatSCOPE’s conceptual exploitability framework relies on the fact that, fundamentally, all exploitation attempts require either system-to-system or user-to-system interactions. During normal operations, these interactions drive the underlying functionality for which the system was designed, but when created or formatted in a specific way, these interactions can serve to provide a means for gaining access to, leaking information from, or exploiting the system. In addition to logical points of interaction in the code, the underlying functionality in the firmware is also of interest with respect to exploitability, as only certain types of codes meet the requirements for exploitation. When the codes meeting these exploitability requirements can be tied to those locations that interact with external interfaces, a potentially exploitable path may exist. Often, these artifacts, and their associated paths, can be mapped into MITRE’s CWE classification of vulnerabilities/weaknesses, which can also be visualized in ThreatSCOPE if desired.

Once identified, the ThreatSCOPE exploitability artifacts are logically connected based on execution paths in the firmware (which are also statically disambiguated) forming the Exploitability Artifact Graph (EAG). The EAG encompasses a single embedded system software’s attack surface.
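The construction described above (interface artifacts tied to exploitation-capable codes along statically known execution paths) can be sketched in a few dozen lines. The block below is an added illustration written for this page, not ThreatSCOPE's own implementation: the node names, the "interface"/"exploitable" labels, the edges and the CWE tags are all constructed for a toy web-server-like firmware, and the path search is a plain breadth-first walk rather than the tool's static disambiguation.

```python
"""Toy Exploitability Artifact Graph (EAG): connect artifacts that touch
external interfaces to codes that meet exploitation requirements along
statically known execution paths. Illustrative code only; all names and
labels below are constructed for this example."""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Node:
    name: str
    kind: str                   # "interface", "exploitable" or "plain" (constructed labels)
    cwe: Optional[str] = None   # hypothetical CWE tag for an exploitable code


# Constructed control-flow/call graph of a tiny firmware: a network receive
# path that reaches an unchecked copy and a format call, plus a sensor path
# that never reaches anything exploitable.
NODES = {
    "recv_packet":  Node("recv_packet", "interface"),
    "parse_header": Node("parse_header", "plain"),
    "copy_body":    Node("copy_body", "exploitable", cwe="CWE-120"),
    "format_log":   Node("format_log", "exploitable", cwe="CWE-134"),
    "read_sensor":  Node("read_sensor", "interface"),
    "scale_value":  Node("scale_value", "plain"),
    "blink_led":    Node("blink_led", "plain"),
}
EDGES = {
    "recv_packet":  ["parse_header"],
    "parse_header": ["copy_body", "format_log"],
    "copy_body":    [],
    "format_log":   [],
    "read_sensor":  ["scale_value"],
    "scale_value":  ["blink_led"],
    "blink_led":    [],
}


def exploitable_paths(nodes, edges):
    """Every acyclic path from an interface artifact to an exploitable code.
    Breadth-first search from each interface node; a path is a list of names."""
    paths = []
    for start, node in nodes.items():
        if node.kind != "interface":
            continue
        queue = deque([[start]])
        while queue:
            path = queue.popleft()
            last = path[-1]
            if nodes[last].kind == "exploitable" and last != start:
                paths.append(path)
            for nxt in edges.get(last, []):
                if nxt not in path:          # do not revisit nodes (no cycles)
                    queue.append(path + [nxt])
    return paths


def build_eag(nodes, edges):
    """The EAG keeps only the nodes and edges that lie on some exploitable
    path; everything else is functionality without exploitability relevance."""
    paths = exploitable_paths(nodes, edges)
    eag_nodes, eag_edges = set(), set()
    for p in paths:
        eag_nodes.update(p)
        eag_edges.update(zip(p, p[1:]))
    return paths, eag_nodes, eag_edges


def summarize_by_cwe(nodes, paths):
    """Group exploitable paths by the CWE tag of the code they end in."""
    out = {}
    for p in paths:
        out.setdefault(nodes[p[-1]].cwe, []).append(" -> ".join(p))
    return out


if __name__ == "__main__":
    paths, eag_nodes, eag_edges = build_eag(NODES, EDGES)
    for cwe, plist in summarize_by_cwe(NODES, paths).items():
        for p in plist:
            print(f"{cwe}: {p}")
    print("nodes outside the attack surface:", sorted(set(NODES) - eag_nodes))
```

Running it lists the two `recv_packet` paths under their CWE tags and reports the sensor path as outside the attack surface; the same skeleton extends to real call graphs by replacing the constructed `NODES`/`EDGES` with output of a disassembler or lifter.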

Beyond representing a static view of an application’s attack surface, these artifacts also drive the generation and insertion of ImmuneSoft codes which can be used to generate vulnerability-centric coverage metrics during testing (both functional and penetration testing) and/or remain in the deployed application resulting in a low-overhead cyber-hardening solution which is able to detect and respond to a cyber-attack occurring at runtime.

Figure 2: ThreatSCOPE Toolkit Architecture

ThreatSCOPE Tool

As shown in Figure 2, the toolkit takes as input an embedded device firmware image or software executable. The tool first performs an automated (and integrated) executable/firmware reverse engineering. The result of this reverse-engineering step is an architecture-agnostic intermediate format representing the underlying functionality and containing programmatic information regarding procedures, control-flow, communication conventions as well as criticality and performance models.

The use of this agnostic intermediate format enables program analyses and transformations (for cyber hardening) to be performed directly on the intermediate representation without knowledge of the underlying architecture. Based on this intermediate representation, the toolkit will first perform automated program analyses aimed at identifying and characterizing exploitability artifacts that represent possible security defects in the software executable. These artifacts can be characterized in many ways related to data-flow (i.e. input or output interface) or the type of attack they enable (e.g. modifying vs. leaking). When connected via statically extracted execution paths, these artifacts form the EAG that is visualized and representative of the software’s attack surface.

The results of the exploitability analyses drive the visualization framework (example shown in Figure 3). The example shown highlights exploitability-relevant artifacts (yellow, white and purple nodes in the center – a subset of an actual EAG associated with a web server) in procedures contained in an embedded executable, while also showing a more detailed control-flow graph (CFG) view on the right (which shows actual instructions and associated execution paths).

Beyond interactive visualization to convey exploitation-relevant locations in the firmware, ThreatSCOPE also contains automated report-generation capabilities to present this information. Report generation is provided at various levels including an executive summary.

Figure 3: ThreatSCOPE visualization showing multiple granularities of viewing existing security defects as well as the associated artifacts. Vulnerabilities can also be viewed at source code level by simply right-clicking at the identified vulnerable codes.

ThreatSCOPE Runtime Mitigation Components

It is important to note that the ThreatSCOPE exploitability artifacts and their interactions capture a superset of potentially exploitable codes in the software. Some of these vulnerabilities depend on runtime conditions; others can be fixed statically. This is due to the fact that the complex user-system and system-system interactions and associated data-flow, which drive how a software executes at runtime, are not available statically and are often not tractable to exhaustively explore during testing either.

It is therefore increasingly imperative to prepare the embedded software to be able to detect when exploitation occurs at these points.

In order to address this requirement, BlueRiSC invented and patented the ImmuneSoft technology that builds on information extracted statically to identify and harden possible weaknesses. ImmuneSoft is able to operate in two contexts: 1) Vulnerability testing and 2) Runtime cyber-attack mitigation (as shown in Figure 4).

In the context of vulnerability testing, ImmuneSoft codes are automatically generated and inserted into the application at the identified artifacts/paths. These ImmuneSoft codes are tasked with extracting vulnerability coverage metrics associated with the particular vulnerability artifacts – i.e. providing the user of the tool information with respect to how well these potentially vulnerable codes have been tested. This is information that is otherwise unavailable and can be very useful in understanding how well a penetration testing effort has actually exercised vulnerability-relevant portions of the code. In addition to tracking coverage, these ImmuneSoft codes also enable detection of the conditions that resulted in the successful exploitation of a particular artifact/path.

Figure 4: ThreatSCOPE’s ImmuneSoft code insertion options. Both the user-generated (Insert Custom Code Here) as well as the automatically generated (Insert Vulnerability Mitigation Code) options are shown.

This detection capability directly relates to the second context for which ImmuneSoft codes are used: performing runtime cyber-attack mitigation. In this context, ThreatSCOPE supports the automated insertion of both user-developed ImmuneSoft codes, as well as automatically generated ones.

Often, the user of the tool may have some semantic knowledge of the application being analyzed and/or a specific interface in the application (e.g. expected packet format). This information can enable the user to develop a custom ImmuneSoft code specific to that application/interface (e.g. filtering malicious packets) and utilize ThreatSCOPE to automatically insert this code into the application.

Alternatively, the user can allow ThreatSCOPE to auto-generate the ImmuneSoft codes that will recognize the necessary conditions for a successful attack at a vulnerability artifact during runtime. Upon detection of a cyber-attack at runtime, ImmuneSoft codes execute a configurable response mechanism. These response mechanisms range from those that have no active impact on the application (e.g., logging) to more aggressive responses (e.g., autonomous healing).

These options are provided to the user in ThreatSCOPE and selected during the ImmuneSoft code insertion. The cyber-hardening codes are inserted off the critical path to minimize performance impact.
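To make the two roles of inserted code concrete (the coverage metrics from the vulnerability-testing discussion above and the detect-and-respond behaviour with a configurable response just described), here is an added, self-contained illustration. It is not ImmuneSoft or any ThreatSCOPE-generated code: the packet format (2-byte big-endian length followed by a body), the `copy_body` artifact name, the 64-byte buffer limit and the three response levels are all constructed for this example, and the guard is written in Python to show the logic rather than as binary instrumentation.

```python
"""Guard code at one vulnerability artifact: counts how often the artifact is
exercised (coverage) and checks the condition under which it would be
exploited, then applies a configurable response. Illustrative only; the
packet format, artifact names and limits are constructed for this example."""
import logging
import struct
from enum import Enum


class Response(Enum):
    LOG = "log"      # passive: record the event, let the application continue
    BLOCK = "block"  # drop the offending input
    HEAL = "heal"    # repair the input to a safe value and continue


class ArtifactGuard:
    """One instance per deployment; observe() is what the inserted code calls."""

    def __init__(self, response=Response.LOG):
        self.response = response
        self.hits = {}      # artifact -> number of executions (coverage data)
        self.alerts = []    # (artifact, detail) for every detected attack condition

    def observe(self, artifact, condition_ok, detail=""):
        """Record coverage; return True if the original code may proceed."""
        self.hits[artifact] = self.hits.get(artifact, 0) + 1
        if condition_ok:
            return True
        self.alerts.append((artifact, detail))
        logging.warning("attack condition at %s: %s", artifact, detail)
        # LOG mode has no active impact: the original behaviour still runs.
        return self.response is Response.LOG

    def coverage(self, artifacts):
        """Fraction of the listed artifacts that were executed at least once,
        e.g. after a penetration-testing campaign."""
        exercised = sum(1 for a in artifacts if self.hits.get(a, 0) > 0)
        return exercised / len(artifacts)


BODY_MAX = 64   # constructed size of the destination buffer at copy_body


def handle_packet(pkt, guard):
    """Constructed protocol: 2-byte big-endian length, then the body.
    The 'attack condition' at the copy_body artifact is a declared length
    that exceeds either the buffer or the bytes actually received."""
    if len(pkt) < 2:
        return None
    (length,) = struct.unpack(">H", pkt[:2])
    body = pkt[2:]
    ok = guard.observe(
        "copy_body",
        length <= BODY_MAX and length <= len(body),
        f"declared length {length}, buffer {BODY_MAX}, received {len(body)}",
    )
    if not ok:
        if guard.response is Response.BLOCK:
            return None                      # drop the packet
        if guard.response is Response.HEAL:
            length = min(length, BODY_MAX, len(body))   # clamp to a safe size
    # In native code this is where an unchecked copy would overflow; Python
    # slicing is bounds-safe, so LOG mode here merely records the event.
    return body[:length]


if __name__ == "__main__":
    guard = ArtifactGuard(Response.BLOCK)
    print(handle_packet(b"\x00\x03abc", guard))                 # b'abc'
    print(handle_packet(b"\x10\x00" + b"A" * 10, guard))        # None (blocked)
    print("coverage:", guard.coverage(["copy_body", "format_log"]))
```

The response level is chosen once when the guard is created, mirroring the selection made at insertion time; switching `Response.BLOCK` to `Response.HEAL` keeps the application running on clamped input instead of dropping the packet, and `Response.LOG` reports the condition without changing behaviour at all.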

ThreatSCOPE supports varying levels of automation with respect to which paths should be targeted with cyber-hardening codes and how much user-input is needed to finalize mitigation choices. The paths upon which ImmuneSoft codes are inserted are selectable by the user.  The paths are categorized in depth in terms of criticality and vulnerability type.

Reasons companies and defense agencies trust BlueRiSC’s exploitability analysis and mitigation:

  • Operating at the binary level capturing all aspects of deployed systems
  • Analysis not based on vulnerability signatures but on fundamental system assurance model
  • Available for a wide range of CPUs and embedded operating systems
  • Includes advanced interactive analysis, report generation for various targets
  • Supports incremental/differential analysis and source code generation
  • Supports CWE analysis
  • Automated runtime exploitability mitigation  for identified weaknesses
  • Custom code insertion
  • Cloud-based support

ThreatSCOPE is ideal for automotive, medical device, industrial control and other applications, enabling users to identify and remedy potential paths for exploits.

If you would like to learn more about ThreatSCOPE, BlueRiSC would be happy to schedule a time to provide a live demonstration of ThreatSCOPE’s capabilities and delve into further technical details. Please contact us at sales@bluerisc.com to schedule a one-hour WebEx demonstration if interested.