Firmware Behavior Analysis
Definition
Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity.
Synonyms: Firmware Timing Analysis.
How it works
Firmware behavior analysis provides protections by ensuring that installed firmware has not been tampered with or modified. Firmware analysis applies to mutable firmware and immutable read-only memory (ROMs).
Firmware in deployed network devices is typically not analyzed and monitored for vulnerabilities and thus is subject to potential attacks. This technique makes use of known and measured behavioral attributes, including timing attributes, of analyzed firmware on deployed devices.
A behavioral method that employs known timing measurements may use the timing results from a challenge and response protocol to detect the presence of malware in embedded firmware. Firmware device timing measurements are made, specific to the installed device, and are used in the verifying function.
The original firmware image is modified by injecting a monitoring software component into the embedded firmware code. The injected component allows a software root of trust, the challenge and response protocol, to be implemented in the firmware.
A challenge-response is issued and includes a nonce so that replays are not allowed. The firmware will calculate a checksum over all of memory, including the nonce, and return the result. The verification system will compare the computed checksum and the time it took for the computation of the checksum to determine if the firmware has been modified.
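The verifier's side of the exchange described above, as an added example that is not part of the original article or of any product it references. It assumes the verifier holds a known-good copy of device memory and a profiled timing window; SHA-256 stands in for the device's checksum routine, and the image, timing values and `simulated_device` helper are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a 4 KiB "golden" memory image and the timing
# window profiled for this device model (illustrative values, assumptions).
GOLDEN_IMAGE = bytes(range(256)) * 16
PROFILE = {"expected_s": 0.120, "tolerance_s": 0.015}


def checksum(memory: bytes, nonce: bytes) -> bytes:
    """Checksum over all of memory plus the nonce (SHA-256 as a stand-in)."""
    return hashlib.sha256(nonce + memory).digest()


def new_challenge() -> bytes:
    """Fresh random nonce per challenge so an old response cannot be replayed."""
    return secrets.token_bytes(16)


def verify(golden: bytes, nonce: bytes, response: bytes,
           elapsed_s: float, profile: dict) -> str:
    """Return 'ok', 'checksum-mismatch' or 'timing-anomaly'."""
    expected = checksum(golden, nonce)
    if not hmac.compare_digest(expected, response):
        return "checksum-mismatch"
    # A correct checksum that arrives later than the profiled window means
    # the device did more work than the known checksum routine requires.
    if elapsed_s > profile["expected_s"] + profile["tolerance_s"]:
        return "timing-anomaly"
    return "ok"


def simulated_device(memory: bytes, nonce: bytes, overhead_s: float = 0.0):
    """Hypothetical device: returns (checksum, seconds the verifier measured)."""
    return checksum(memory, nonce), PROFILE["expected_s"] + overhead_s
```

On a real deployment the elapsed time comes from the verifier's own clock around the challenge and response, and the tolerance is set from repeated measurements of the specific device.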
Considerations
- The firmware code will need to be modified to include the behavioral monitoring functionality.
- This technique is sensitive to the device the embedded firmware is hosted on; devices and firmware are expected to need profiling and analysis to determine timing estimates.
- Unlike a hardware root of trust solution, this technique is not expected to be one hundred percent correct and may require some tuning.