Description
In many embedded and industrial contexts, companies outsource software development to external suppliers, often providing only technical specifications while omitting comprehensive security requirements. This gap creates challenges in ensuring the security and reliability of supplied firmware before deployment. Motivated by this scenario, this thesis presents a dynamic assessment framework for Linux firmware security that monitors firmware behavior in real time without requiring kernel patches. Inspired by the Embedded Analyzer (EMBA) framework's advanced firmware emulation capabilities, the proposed system employs Linux namespaces to sandbox firmware execution and utilizes two complementary kernel-level monitoring techniques: Seccomp and extended Berkeley Packet Filter (eBPF). These mechanisms enable blocking, monitoring and logging of critical system calls. Thanks to the monitoring, the system can automatically detect versions of binaries and shared libraries, integrated with an automated CVE lookup. Comprehensive performance assessments conducted across various architectures reveal that monitoring based on eBPF presents considerably reduced runtime overhead in comparison to Seccomp, especially when extended logging is enabled. On the other hand, Seccomp-unotify provides greater flexibility for complex user space decision-making but incurs higher performance costs. These results highlight the trade-offs between efficiency and flexibility in real-time firmware security monitoring. The proposed system enhances the ability of companies to verify the security of externally supplied firmware dynamically, bridging a critical gap in modern embedded software supply chains. Future improvements include refining version detection techniques and expanding monitoring policies to further strengthen automated security assessments.
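The blocking half of the Seccomp mechanism described above, as an added example that is not the thesis's own code: a minimal seccomp-BPF policy of the kind a sandbox installs around a firmware process before handing control to it. It assumes Linux on x86_64 or aarch64, and uses uname() purely as the denied call because it otherwise always succeeds, so the filter's effect is directly observable; the thesis's real policy and its syscall list are not shown here.

```c
// Added example, not the thesis's code: a minimal seccomp-BPF deny policy of the
// kind installed around a sandboxed firmware process. Linux x86_64/aarch64 only.
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define HOST_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define HOST_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* older UAPI headers lack it */
#endif

/* Return EPERM for syscall `denied_nr`, allow everything else. 0 on success, -1 on error. */
int install_deny_filter(int denied_nr)
{
    struct sock_filter filter[] = {
        /* Check the ABI first so syscall numbers of another arch cannot slip past the filter. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, HOST_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Then compare the syscall number with the denied one. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)denied_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])), .filter = filter };
    /* no_new_privs is mandatory for an unprivileged process to install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Probe: 0 if uname() succeeds, otherwise the errno the kernel (or the filter) returned. */
int probe_uname_errno(void)
{
    struct utsname u;
    errno = 0;
    return uname(&u) == 0 ? 0 : errno;
}
```

Once installed, the filter is inherited by every child the firmware process spawns and cannot be removed, which is what makes it a reliable enforcement point around untrusted supplier code.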