Design Con 2015
Comments
View Comments: newest first | oldest first | threaded
Bruce Gain
User Rank
Blogger
Firmware attack case study
Bruce Gain   2/17/2014 12:25:10 PM
NO RATINGS

This research paper serves as an excellent case study and tutorial on firmware attacks: http://ids.cs.columbia.edu/sites/default/files/ndss-2013.pdf

prabhakar_deosthali
User Rank
Supply Network Guru
re:
prabhakar_deosthali   2/16/2014 1:53:40 AM
NO RATINGS

I just fail to understand how a firmware can b eprone to malware attack. A "forware" is a kind of code which cannot be modified unlike the code that runs in some kind of RAM and is prone to be replaced or modified by the malware.

 

So unless , at some point in the supply chain if unauthorised firmware enters into the product as a counterfeit part, then only such attack is possible, in my opinion

 

_hm
User Rank
Supply Network Guru
Cost and time to market
_hm   2/15/2014 9:47:57 AM
NO RATINGS

Yes, this is very desirable. But when you experience pressure for time to market and cost control, this is pretty difficult. May be some standard tools/technique help little bit.

Hailey Lynne McKeefry
User Rank
Blogger
Re: Open Source or What Else?
Hailey Lynne McKeefry   2/15/2014 12:09:00 AM
NO RATINGS

@Bruce, I agree with you. Often to move the ball forward there's a fairly high up front cost... but not doing it in the long run will be even more detrimental.

Hailey Lynne McKeefry
User Rank
Blogger
Re: malicious code in firmware
Hailey Lynne McKeefry   2/15/2014 12:07:55 AM
NO RATINGS

@t.alex: there are a number of techniques to discover malware that has been put into firmware by testing before sending out the products. The three main categories are:

1) anamoly-based detection. In this approach, the malware detection program learns what normal behavior of a system looks like and compares it on an ongoing basis--sounding the alarm when the behavior is deemed abnormal. The downside of this approach is a high number of false alarms.

2) Specification-based detection. Basically this compares a set of rules about what the program or application is supposed to do and compares it to what it is doing.

3) Signature-based detection. This uses known malware signatures to try to identify malware (this is familar to anyone with a basic anti-malware on a PC).


Malware gets increasigly sophisticated--and so detection techniques have to keep up. it isn't an easy game to win.

Bruce Gain
User Rank
Blogger
Open Source or What Else?
Bruce Gain   2/14/2014 3:19:58 PM
NO RATINGS

Yes, verification processes do exist. But the main point I was trying to make is that the firmware code is an easy target for the bad guys who are learning about these security holes. It also does look like firmware needs to move to open source, despite the inevitable effects on the business model. But if open source will not work, what is the alternative?

Jacob
User Rank
Supply Network Guru
Re: malicious code in firmware
Jacob   2/14/2014 4:41:10 AM
NO RATINGS
1 saves

"Take the case of Dell, for example, how would it possible to detect bad firmware code inside the motherboard before mass production?"

Alex, it's part of V & V (verification and Validation) during the testing and QA process before burning to the chip.

Jacob
User Rank
Supply Network Guru
Making Open source
Jacob   2/14/2014 4:39:06 AM
NO RATINGS
1 saves

"Firmware in embedded systems should thus be completely open-source, and OEMs should be able to fix it easily if a vulnerability is discovered. This, of course, means chip suppliers will have to invest more engineering dollars in fixing their firmware."

Bruce, I don't how far it's possible. Moreover, the entire business model has to be reworked inorder to make the codes open source

t.alex
User Rank
Supply Network Guru
malicious code in firmware
t.alex   2/13/2014 8:59:51 AM
NO RATINGS

Take the case of Dell, for example, how would it possible to detect bad firmware code inside the motherboard before mass production?





Datasheets.com Parts Search

185 million searchable parts
(please enter a part number or hit search to begin)
EBN Dialogue / LIVE CHAT
EBN Dialogue enables you to participate in live chats with notable leaders and luminaries. Open to the entire EBN community of electronics supply chain experts, these conversations see ideas shared, comments made, and questions asked and answered in real time. Listed below are upcoming and archived chats. Stay tuned and join in!
Upcoming Dialogues
REMIND ME
Live Chat 11/06: Enterprise Risks, Intellectual Property & Supply Chains
Enterprise risk management (ERM) frameworks can be useful to identify, assess, and manage intellectual property (IP) risks that arise in supply chain compliance. We'll look at real-world examples and strategies for mitigating those risks.
11/6/2014
Remind Me
Archived Dialogues
Live Chat 10/30: Top 10 Metrics That Enhance Procurement Performance
We'll be talking about the 10 most important procurement performance metrics, from the old standards to new and emerging best-practices.
Live Chat 10/16: Applying a Macroeconomic Lens to the Supply Chain
EBN blogger Apek Mulay will be our guest as we talk about how macroeconomic reforms have the potential to impact the supply chain.
Latest Poll
EBN Newswire
FORT WORTH, TX   10/24/2014
Allied Electronics Releases 2015 Catalogue
NEU ISENBURG, GERMANY   10/24/2014
Arrow Receives Its First Responsible Recycling ...
Twitter Feed
EBN Online Twitter Feed