Proving the Security of Low-Level Software Components & TEEs
Mathematically Guaranteed Quality, Security and Safety on C and C++ Code

Welcome!
You will get the slides via email.
You will get the recording in the coming days.
Please ask questions in the Q&A section.
Vic Sharma, US executive
Jakub Zwolakowski, R&D engineer

Game Consoles, Phones, Airplanes, Space probes, Autonomous Cars, Smart Meters

Over the last 5 years alone, firmware vulnerabilities have gone up by over 573%.
More than 80% of enterprises have experienced at least one firmware attack in the past two years.
4 in 10 companies breached through a mobile device.
Semiconductor TEE component vulnerability exposes millions of mobile devices to security threats.
Preventing device-level attacks targeting low-level software is the next frontier in cybersecurity.
Cyberattacks on critical infrastructure are on the rise.

TrustInSoft Analyzer
Hybrid code analyzer combining advanced static and dynamic analysis techniques together with formal methods to mathematically guarantee C/C++ code quality & maximize code security and safety.

Resolving the Achilles’ heel of C and C++: Detecting all Undefined Behaviors
• Memory access
  • Buffer overflow
  • Access out of bounds
  • Invalid pointers usage
  • Non-initialized variables
  • etc…
• Arithmetic operations
  • Division by zero
  • Integer signed overflows
  • Overflow in float-to-int conversion
  • NaN in float computation
  • etc…
• Race conditions
Undefined behaviors are complex to detect and can lead to disastrous consequences:
• Unpredictable outputs or program execution
• Code execution by an attacker & program intrusion
• Software misbehavior or crash

6012269011901013063071144571567
1850162787960150597983632424299
4413590530419161514337036842790
287400677240995840
This is the number of tests that we can perform in a single run in a few seconds.
Math can grasp all possible behavior of software.
Our secret sauce

The best-of benefits of security testing
| | TrustInSoft Analyzer | Traditional static analyzers |
|---|---|---|
| Analysis type | Semantic | Syntactic |
| What it does | Applies formal methods to look for issues that cause undefined behaviors and checks execution for all possible input values | Looks for suspicious code constructs / coding rules compliance |
| Sound | Yes | No |
| False positives / False negatives | Some / No | Many / Yes |
| Input | Tests | Coding rules |
| Output | All undefined behaviors detected / confidence on code quality | List of potential bugs |

Low-Level Software (Open-Source Examples)
• Secure Communication (ARM Mbed TLS)
• Linux Kernel Driver Security (Goodix)
• Device Driver Security (AIS2DW12 Sensor Driver - STMicroelectronics)

Secure Communication
ARM Mbed TLS: SSL/TLS Without Undefined Behavior
A unique, first-of-its-kind result from the analysis performed using TrustInSoft Analyzer demonstrated how the ARM Mbed TLS stack, in a described configuration, is immune to popular vulnerabilities including buffer overflows. The verification report details how to compile, configure and deploy Mbed TLS in a given perimeter in order to be immune from all attacks caused by CWE 119 to 127, 369, 415, 416, 457, 476, 562, 690. All bugs of those kinds were found and removed.
Link to the full verification report: http://trust-in-soft.com/polarssl-verification-kit

2016: NIST report to the White House
NIST underlines in a report to the White House a result unique in the world performed by TrustInSoft: a mathematical assessment of absence of buffer overflow or memory error in the ARM Mbed TLS, which is at the core of ARM’s mbed environment.

Device Driver Security
AIS2DW12 Driver Analysis (STMicroelectronics)
The platform-independent sensor driver stack for the AIS2DW12 digital output motion sensor for Automotive applications from STMicroelectronics was analyzed using TrustInSoft Analyzer to verify absence of undefined behaviors in the source code of the driver. Within the perimeter of the defined tests, through exhaustive analysis, our tool was able to mathematically guarantee that for any given authorized input and any execution path, there were no undefined behaviors in the driver.

ST AIS2DW12 Accelerometer - Driver Analysis
• The AIS2DW12 3-axis accelerometer was selected as it had the most recent contributions on GitHub.
• TIS Analyzer determined, simulated and cascaded the superset of all possible inputs, code values and behaviors.
• Buffer overflow identified and fixed in less than 1.5 hours (incl. the time to get familiar with ST datasheet and driver).
• With the proposed fix and the analysis run again, TIS confirms that for all existing tests, whatever registers the HW contains, the driver has no undefined behavior.

Linux Kernel Driver
Linux Kernel Driver – GT9xx (Goodix)
The GT9xx is a Linux Kernel Driver for the Goodix GT915 capacitive touch chip used in medium and large sized mobile phones. A formal analysis was performed on this kernel driver using TrustInSoft Analyzer, and it was concluded that given the perimeter of the analysis, the driver is safe from a large number of vulnerabilities that could compromise the complete operating system. Within the perimeter, the TrustInSoft Analyzer was able to guarantee the absence of undefined behavior for the GT9xx driver.

Goodix GT915 capacitive touch Driver
• We simulated and modeled the HW (Linux Kernel and the driver) for a fixed configuration: HW contains the address of the register to be read following I2C read request, i.e. when the screen is touched.
• TIS Analyzer determined, simulated and cascaded the superset of all possible inputs, code values and behaviors. What happens in case of a material defect or if a hacker simulates a screen touch with 256 fingers at the same time? Is the driver robust enough to cope with it?
• TIS confirms absence of undefined behavior and the driver’s immunity to the following families of vulnerabilities: CWE 119 to 127, 369, 415, 416, 457, 476, 562, 690 within the analysis’ model and perimeter.

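The "256 fingers" question above, as an added example (not code from the GT9xx driver or from TrustInSoft Analyzer): a hypothetical touch-report parser that validates a hardware-supplied finger count, and a harness that replays every value the count byte can take, which is the brute-force, one-byte analogue of a generalized-input test. The report layout, MAX_TOUCH and all function names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical report layout (assumption for this example, not the GT915 datasheet):
 *   byte 0 : number of touch points claimed by the hardware (0..255)
 *   then   : POINT_SIZE bytes per point: id, x_lo, x_hi, y_lo, y_hi */
#define MAX_TOUCH  5
#define POINT_SIZE 5
#define REPORT_MAX (1 + MAX_TOUCH * POINT_SIZE)

struct touch_point { uint8_t id; uint16_t x, y; };

/* Bytes an unchecked loop `for (i = 0; i < report[0]; i++)` would read.
 * Anything above REPORT_MAX means an out-of-bounds read of the report and an
 * out-of-bounds write to the MAX_TOUCH-sized output array (CWE-119 family). */
static size_t unchecked_extent(uint8_t claimed)
{
    return 1 + (size_t)claimed * POINT_SIZE;
}

/* Hardened parser: checks the hardware-supplied count against both the output
 * capacity and the bytes actually received before touching memory.
 * Returns the number of points parsed, or -1 if the report is rejected. */
int parse_report(const uint8_t *report, size_t len,
                 struct touch_point out[MAX_TOUCH])
{
    if (report == NULL || out == NULL || len < 1)
        return -1;
    uint8_t claimed = report[0];
    if (claimed > MAX_TOUCH)
        return -1;                    /* implausible count: reject the report */
    if (len < 1 + (size_t)claimed * POINT_SIZE)
        return -1;                    /* truncated transfer */
    for (uint8_t i = 0; i < claimed; i++) {
        const uint8_t *p = report + 1 + (size_t)i * POINT_SIZE;
        out[i].id = p[0];
        out[i].x  = (uint16_t)(p[1] | (p[2] << 8));
        out[i].y  = (uint16_t)(p[3] | (p[4] << 8));
    }
    return claimed;
}

/* Replays every value the count byte can take. Returns how many of the 256
 * values would drive an unchecked loop out of bounds, or -1 if the hardened
 * parser ever accepts a bad count or rejects a good one. */
int replay_all_counts(void)
{
    uint8_t report[REPORT_MAX];
    struct touch_point out[MAX_TOUCH];
    int unsafe_for_unchecked = 0;

    memset(report, 0xA5, sizeof report);   /* constructed sample payload */
    for (int c = 0; c <= 255; c++) {
        report[0] = (uint8_t)c;
        if (unchecked_extent((uint8_t)c) > sizeof report)
            unsafe_for_unchecked++;
        int n = parse_report(report, sizeof report, out);
        int expected = (c <= MAX_TOUCH) ? c : -1;
        if (n != expected)
            return -1;
    }
    return unsafe_for_unchecked;
}

int main(void)
{
    printf("count values unsafe for an unchecked loop: %d of 256\n",
           replay_all_counts());
    return 0;
}
```

Enumerating one byte is feasible by brute force; covering every register value and execution path at once is where the slides position the analyzer's generalized inputs.
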
Trusted Execution Environment (TEE) Security
TrustInSoft Analyzer delivers bullet-proof TEE security to Semiconductor Manufacturers - by detecting critical firmware vulnerabilities, early in the development cycle; and providing a mathematical guarantee on absence of undefined behaviors.
Exhaustive analysis to secure various TEE components including: TEE Kernel, Secure Monitor, Bootloader, Trusted Applications.
Address critical TEE issues: From software bugs (such as buffer overflow or integer overflow) - to side channel attacks or concurrency issues.
Ensure there are no inconsistencies between the expected requirements of the TEE firmware and its implementation.

Incremental journey to maximum security & safety
1. Interpreter: Replay existing tests
2. Analyzer: Generalize inputs & static analysis
3. Functional proof: Check functional implementation
• Instant productivity: find more bugs quicker
• Mathematical guarantee that Undefined Behaviors resulting from discrete tested values are all detected
• 0 false positives & 0 false negatives
• Mathematical guarantee that all Undefined Behaviors are detected
• 0 false negatives
• Achieve up to 100% coverage on critical tests
• Ensure implemented SW architecture and functions behave in line with spec
• Full mathematical guarantee for safety and security

Empowering SW developers & testers to…
Ensure absence of crashes and deterministic behavior. Detect 0-days before they are known. Platform-specific analysis without compiling.
Exhaustively find and fix all Undefined Behaviors, incl. the most hidden ones.
Determines and propagates the superset of all possible code values in execution paths.
Boost coverage. Perform quickly the equivalent of billions of tests with 1 generalized inputs test.
Functional proof & absence of Undefined Behaviors (e.g. buffer overflow).
Get mathematical guarantees on software security/safety.
Code safety & security

How is it deployed
• TrustInSoft Analyzer can be installed on a dedicated server, either on-premises or in SaaS.
• Can be accessed through a web browser or via command line interface.
• Can be integrated to existing DevOps and Continuous Integration process via command line.

Our customers’ primary drivers
Beyond Software Security and Safety
IMPROVE OPERATIONAL EFFICIENCY
§ Reduce SW test coverage costs
§ Bugs identification & remediation optimization
§ Bug correction prioritization (no false positive)
§ Perform tests as if on target
GENERATE REVENUE OPPORTUNITIES
§ Position safety and/or security as a feature to gain market share
§ Get certification level / smooth customer validation as a price premium
§ Secure Time to Market sensitive opportunities
CONTROL FINANCIAL RISK
§ Reduce field support costs post-production
§ Avoid brand/image valuation impact

Goodix GT915 large-screen 5:00 capacitive touch chip inside the phone Wiko Rainbow 4G

The Code
• The GTXX driver source code used for the analysis was taken from this repository [1].
• The commit used for the analysis is f7d281d16eff5031b39c41e6af6c527ecec31385
• The product's official data-sheet was used to model the hardware behavior [2].
[1] https://source.codeaurora.org/quic/la/kernel/msm-3.18/tree/drivers/input/touchscreen/gt9xx?h=LA.HB.1.1.1.c2
[2] https://datasheetspdf.com/pdf/945606/GOODIX/GT915/1

2 perimeters of analysis
• We suppose that the attacker controls the hardware (through interrupts).
  Result: proven IMMUNITY to a set of security weaknesses.
• We suppose that the attacker has direct access to the device's proc file (through the OS filesystem).
  Result: found potential VULNERABILITIES!
