Comments
View Comments: newest first | oldest first | threaded
Bruce Gain
User Rank
Blogger
Firmware attack case study
Bruce Gain   2/17/2014 12:25:10 PM
NO RATINGS

This research paper serves as an excellent case study and tutorial on firmware attacks: http://ids.cs.columbia.edu/sites/default/files/ndss-2013.pdf

prabhakar_deosthali
User Rank
Supply Network Guru
re:
prabhakar_deosthali   2/16/2014 1:53:40 AM
NO RATINGS

I just fail to understand how a firmware can b eprone to malware attack. A "forware" is a kind of code which cannot be modified unlike the code that runs in some kind of RAM and is prone to be replaced or modified by the malware.

 

So unless , at some point in the supply chain if unauthorised firmware enters into the product as a counterfeit part, then only such attack is possible, in my opinion

 

_hm
User Rank
Supply Network Guru
Cost and time to market
_hm   2/15/2014 9:47:57 AM
NO RATINGS

Yes, this is very desirable. But when you experience pressure for time to market and cost control, this is pretty difficult. May be some standard tools/technique help little bit.

Hailey Lynne McKeefry
User Rank
Blogger
Re: Open Source or What Else?
Hailey Lynne McKeefry   2/15/2014 12:09:00 AM
NO RATINGS

@Bruce, I agree with you. Often to move the ball forward there's a fairly high up front cost... but not doing it in the long run will be even more detrimental.

Hailey Lynne McKeefry
User Rank
Blogger
Re: malicious code in firmware
Hailey Lynne McKeefry   2/15/2014 12:07:55 AM
NO RATINGS

@t.alex: there are a number of techniques to discover malware that has been put into firmware by testing before sending out the products. The three main categories are:

1) anamoly-based detection. In this approach, the malware detection program learns what normal behavior of a system looks like and compares it on an ongoing basis--sounding the alarm when the behavior is deemed abnormal. The downside of this approach is a high number of false alarms.

2) Specification-based detection. Basically this compares a set of rules about what the program or application is supposed to do and compares it to what it is doing.

3) Signature-based detection. This uses known malware signatures to try to identify malware (this is familar to anyone with a basic anti-malware on a PC).


Malware gets increasigly sophisticated--and so detection techniques have to keep up. it isn't an easy game to win.

Bruce Gain
User Rank
Blogger
Open Source or What Else?
Bruce Gain   2/14/2014 3:19:58 PM
NO RATINGS

Yes, verification processes do exist. But the main point I was trying to make is that the firmware code is an easy target for the bad guys who are learning about these security holes. It also does look like firmware needs to move to open source, despite the inevitable effects on the business model. But if open source will not work, what is the alternative?

Jacob
User Rank
Supply Network Guru
Re: malicious code in firmware
Jacob   2/14/2014 4:41:10 AM
NO RATINGS
1 saves

"Take the case of Dell, for example, how would it possible to detect bad firmware code inside the motherboard before mass production?"

Alex, it's part of V & V (verification and Validation) during the testing and QA process before burning to the chip.

Jacob
User Rank
Supply Network Guru
Making Open source
Jacob   2/14/2014 4:39:06 AM
NO RATINGS
1 saves

"Firmware in embedded systems should thus be completely open-source, and OEMs should be able to fix it easily if a vulnerability is discovered. This, of course, means chip suppliers will have to invest more engineering dollars in fixing their firmware."

Bruce, I don't how far it's possible. Moreover, the entire business model has to be reworked inorder to make the codes open source

t.alex
User Rank
Supply Network Guru
malicious code in firmware
t.alex   2/13/2014 8:59:51 AM
NO RATINGS

Take the case of Dell, for example, how would it possible to detect bad firmware code inside the motherboard before mass production?





Datasheets.com Parts Search

185 million searchable parts
(please enter a part number or hit search to begin)
Latest Poll
EBN Dialogue / LIVE CHAT
EBN Dialogue enables you to participate in live chats with notable leaders and luminaries. Open to the entire EBN community of electronics supply chain experts, these conversations see ideas shared, comments made, and questions asked and answered in real time. Listed below are upcoming and archived chats. Stay tuned and join in!
Archived Dialogues
Live Chat 4/3: Business Networks Emerge as Procurement's Future
Rachel Spasser, SVP and CMO at Ariba, discusses the key elements of a strong business community.
Live Chat 3/27: Finding the Procurement and Technology Sweet Spot
Increasingly, choosing the right software and technology tools is critical to empowering procurement to realize strategic advantages.
The Velocity Report Archive
Click here to see our newsletter archive.
EBN Newswire
THIEF RIVER FALLS, MN   4/15/2014
Digi-Key Debuts Innovative Mobile App for Freescale
SANTA MONICA, CA   4/9/2014
Master Electronics Acquires Electro Sonic
Twitter Feed
EBN Online Twitter Feed