Method and apparatus for securing embedded device firmware

US 10,657,262 B1
Filed: 09/28/2015
Issued: 05/19/2020
Est. Priority Date: 09/28/2014
Status: Active Grant

First Claim

Patent Images

1. A method of embedded device vulnerability identification and mitigation, comprising:

injecting at least one security software component into a vulnerable firmware binary to create a monitored firmware binary, wherein the at least one security software component hooks into an exception handling code of the vulnerable firmware binary;

loading the monitored firmware binary into an embedded device;

collecting a plurality of live forensic information related to the monitored firmware binary via the at least one security software component of the monitored firmware binary, wherein the live forensic information comprises dynamically generated information related to the monitored firmware binary that is collected when the embedded device is in an online state;

aggregating the plurality of live forensic information and static analysis data generated by one or more static analysis techniques, wherein the static analysis data comprises data generated before operation of the vulnerable firmware binary;

detecting an unauthorized modification to the monitored firmware binary by the at least one security software component based on the aggregated live forensic information and static analysis data, the security software component is designed to detect an unauthorized modification of at least one in memory data item acted upon by one or more functions of the monitored firmware binary embodied in native firmware code of the vulnerable firmware binary;

identifying one or more areas within the monitored firmware binary to modify to address the detected unauthorized modification comprising mapping the detected unauthorized modification to one or more in-memory data items;

modifying the identified one or more areas within the monitored firmware binary while the monitored firmware binary is running to change firmware code of the vulnerable firmware binary to create a hardened firmware binary and to mitigate exploitation of the identified one or more areas within the monitored firmware binary; and

communicating the collected live forensic information to other embedded devices in a network where the embedded device is deployed,wherein to mitigate exploitation comprises one or more of deactivating code strings in the identified one or more areas associated with the firmware binary, removing code strings in the identified one or more areas associated with the firmware binary, or obfuscating code strings in the identified one or more areas associated with the firmware binary,wherein the hardened firmware binary is functionally equivalent to the vulnerable firmware binary and the monitored firmware binary.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for securing embedded devices via both online and offline defensive strategies. One or more security software components may be injected into firmware binary to create a modified firmware binary, which is functionally- and size-equivalent to the original firmware binary. The security software components may retrieve live forensic information related to embedded devices for use in live hardening of the modified firmware binary while the embedded device is online, dynamically patching the firmware. In addition, the live forensic information may be aggregated with other analytical data identifying firmware vulnerabilities. A vulnerability identification and mitigation system can then identify and inject modifications to the original firmware binary to develop secure firmware binary, which may be imaged and loaded onto one or more embedded devices within a network.

100 Citations

View as Search Results

7 Claims

1. A method of embedded device vulnerability identification and mitigation, comprising:
- injecting at least one security software component into a vulnerable firmware binary to create a monitored firmware binary, wherein the at least one security software component hooks into an exception handling code of the vulnerable firmware binary;
  
  loading the monitored firmware binary into an embedded device;
  
  collecting a plurality of live forensic information related to the monitored firmware binary via the at least one security software component of the monitored firmware binary, wherein the live forensic information comprises dynamically generated information related to the monitored firmware binary that is collected when the embedded device is in an online state;
  
  aggregating the plurality of live forensic information and static analysis data generated by one or more static analysis techniques, wherein the static analysis data comprises data generated before operation of the vulnerable firmware binary;
  
  detecting an unauthorized modification to the monitored firmware binary by the at least one security software component based on the aggregated live forensic information and static analysis data, the security software component is designed to detect an unauthorized modification of at least one in memory data item acted upon by one or more functions of the monitored firmware binary embodied in native firmware code of the vulnerable firmware binary;
  
  identifying one or more areas within the monitored firmware binary to modify to address the detected unauthorized modification comprising mapping the detected unauthorized modification to one or more in-memory data items;
  
  modifying the identified one or more areas within the monitored firmware binary while the monitored firmware binary is running to change firmware code of the vulnerable firmware binary to create a hardened firmware binary and to mitigate exploitation of the identified one or more areas within the monitored firmware binary; and
  
  communicating the collected live forensic information to other embedded devices in a network where the embedded device is deployed,wherein to mitigate exploitation comprises one or more of deactivating code strings in the identified one or more areas associated with the firmware binary, removing code strings in the identified one or more areas associated with the firmware binary, or obfuscating code strings in the identified one or more areas associated with the firmware binary,wherein the hardened firmware binary is functionally equivalent to the vulnerable firmware binary and the monitored firmware binary.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein injecting the at least one security software component comprises:
    - identifying one or more injection points within the firmware binary;
      
      randomly selecting at least one injection point; and
      
      injecting the at least one security software component into the randomly selected at least one injection point.
  - 3. The method of claim 1, wherein the security software component is further designed to gather a plurality of contextual information regarding the detected unauthorized modification.
  - 4. The method of claim 3, wherein the plurality of contextual information includes one or more of:
    - a path of exploitation;
      
      identification of the at least one in memory data item;
      
      identification of the one or more functions of the modified firmware binary; and
      
      the unauthorized modification of at least one in memory data item.
  - 5. The method of claim 1, wherein the embedded device is deployed within a network of a plurality of embedded devices, the method further comprising:
    - distributing to the plurality of embedded devices one or more security modifications associated with creating the more secure firmware binary, or commands to create said security modifications.
  - 6. The method of claim 1, wherein injecting the at least one security software component occurs when the embedded device is in an offline state.
  - 7. The method of claim 1, further comprising:
    - collecting a plurality of live forensic information related to the more secure firmware binary via at least one forensic component included within the more secure firmware binary;
      
      aggregating the plurality of live forensic information and static analysis data generated by one or more static analysis techniques applied to the more secure firmware binary;
      
      identifying one or more vulnerabilities within the more secure firmware binary based on the aggregated live forensic information related to the more secure firmware binary and the static analysis data based on one or more static analysis techniques applied to the more secure firmware binary;
      
      determining one or more additional security modifications; and
      
      modifying the more secure firmware binary utilizing the one or more additional security notifications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Balloon Security, Inc.
Original Assignee
Red Balloon Security, Inc.
Inventors
Cui, Ang, Stolfo, Salvatore J.
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Wilcox, James J

Application Number

US14/868,204
Time in Patent Office

1,695 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/54   by adding security routines...

G06F 21/572   Secure firmware programming...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 8/65   Updates security arrangemen...

Method and apparatus for securing embedded device firmware

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

100 Citations

7 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for securing embedded device firmware

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

7 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others