Comments
View Comments: newest first | oldest first | threaded
Bruce Gain
User Rank
Blogger
Firmware attack case study
Bruce Gain   2/17/2014 12:25:10 PM
NO RATINGS

This research paper serves as an excellent case study and tutorial on firmware attacks: http://ids.cs.columbia.edu/sites/default/files/ndss-2013.pdf

prabhakar_deosthali
User Rank
Supply Network Guru
re:
prabhakar_deosthali   2/16/2014 1:53:40 AM
NO RATINGS

I just fail to understand how a firmware can b eprone to malware attack. A "forware" is a kind of code which cannot be modified unlike the code that runs in some kind of RAM and is prone to be replaced or modified by the malware.

 

So unless , at some point in the supply chain if unauthorised firmware enters into the product as a counterfeit part, then only such attack is possible, in my opinion

 

_hm
User Rank
Supply Network Guru
Cost and time to market
_hm   2/15/2014 9:47:57 AM
NO RATINGS

Yes, this is very desirable. But when you experience pressure for time to market and cost control, this is pretty difficult. May be some standard tools/technique help little bit.

Hailey Lynne McKeefry
User Rank
Blogger
Re: Open Source or What Else?
Hailey Lynne McKeefry   2/15/2014 12:09:00 AM
NO RATINGS

@Bruce, I agree with you. Often to move the ball forward there's a fairly high up front cost... but not doing it in the long run will be even more detrimental.

Hailey Lynne McKeefry
User Rank
Blogger
Re: malicious code in firmware
Hailey Lynne McKeefry   2/15/2014 12:07:55 AM
NO RATINGS

@t.alex: there are a number of techniques to discover malware that has been put into firmware by testing before sending out the products. The three main categories are:

1) anamoly-based detection. In this approach, the malware detection program learns what normal behavior of a system looks like and compares it on an ongoing basis--sounding the alarm when the behavior is deemed abnormal. The downside of this approach is a high number of false alarms.

2) Specification-based detection. Basically this compares a set of rules about what the program or application is supposed to do and compares it to what it is doing.

3) Signature-based detection. This uses known malware signatures to try to identify malware (this is familar to anyone with a basic anti-malware on a PC).


Malware gets increasigly sophisticated--and so detection techniques have to keep up. it isn't an easy game to win.

Bruce Gain
User Rank
Blogger
Open Source or What Else?
Bruce Gain   2/14/2014 3:19:58 PM
NO RATINGS

Yes, verification processes do exist. But the main point I was trying to make is that the firmware code is an easy target for the bad guys who are learning about these security holes. It also does look like firmware needs to move to open source, despite the inevitable effects on the business model. But if open source will not work, what is the alternative?

Jacob
User Rank
Supply Network Guru
Re: malicious code in firmware
Jacob   2/14/2014 4:41:10 AM
NO RATINGS
1 saves

"Take the case of Dell, for example, how would it possible to detect bad firmware code inside the motherboard before mass production?"

Alex, it's part of V & V (verification and Validation) during the testing and QA process before burning to the chip.

Jacob
User Rank
Supply Network Guru
Making Open source
Jacob   2/14/2014 4:39:06 AM
NO RATINGS
1 saves

"Firmware in embedded systems should thus be completely open-source, and OEMs should be able to fix it easily if a vulnerability is discovered. This, of course, means chip suppliers will have to invest more engineering dollars in fixing their firmware."

Bruce, I don't how far it's possible. Moreover, the entire business model has to be reworked inorder to make the codes open source

t.alex
User Rank
Supply Network Guru
malicious code in firmware
t.alex   2/13/2014 8:59:51 AM
NO RATINGS

Take the case of Dell, for example, how would it possible to detect bad firmware code inside the motherboard before mass production?





Datasheets.com Parts Search

185 million searchable parts
(please enter a part number or hit search to begin)
EBN Dialogue / LIVE CHAT
EBN Dialogue enables you to participate in live chats with notable leaders and luminaries. Open to the entire EBN community of electronics supply chain experts, these conversations see ideas shared, comments made, and questions asked and answered in real time. Listed below are upcoming and archived chats. Stay tuned and join in!
Upcoming Dialogues
REMIND ME
Live Chat 10/16: Applying a Macroeconomic Lens to the Supply Chain
EBN blogger Apek Mulay will be our guest as we talk about how macroeconomic reforms have the potential to impact the supply chain.
10/16/2014
Remind Me
Archived Dialogues
Live Chat 9/25: Minimizing Risk in the Global Supply Chain
Dave Bowen, CEO of e-sourcing firm MarketMaker4, will be our guest as we explore ways to minimize and manage geo-political and corporate risk in supply chain and sourcing through the use of technology.
Live Chat 8/20: Supply Chain Trends to Watch for the Rest of 2014
The supply chain hasn't quite reached the complexity of global phenomena like weather. So we've asked Jim O'Reilly to predict trends while answering your questions.
Latest Poll
EBN Newswire
THIEF RIVER FALLS, MN   9/26/2014
Optoelectronic Leader QT Brightek & Digi-Key ...
THIEF RIVER FALLS, MN   9/26/2014
Proant AB Embedded Antenna Products Signs Global ...
Twitter Feed
EBN Online Twitter Feed