Four small technology firms earned contracts to create solutions that will automate analysis of mobile technology firmware at scale and identify vulnerabilities and prepositioned cyber-threats.
Components of today’s mobile technology, including smart phones, wearables and Internet of Things (IoT) devices, are manufactured all over the world, heightening risk for introduction of spyware or other forms of malware in device firmware. As a result, this international supply chain poses vulnerabilities and mobile technology users — government and private sector alike — could be susceptible to a cyberattack from within the supply chain.
The contracts were awarded by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) through its Small Business Innovation Research (SBIR) program.
Under the SBIR solicitation entitled “Automated & Scalable Analysis of Mobile & IoT Device Firmware,” each awardee will conduct initial research on its proposal to detect, remediate and protect against software vulnerabilities or unwanted functionality prepositioned within device firmware.
These proofs of concept must show they can analyze and detect all software vulnerabilities, common vulnerabilities and exposures (CVE), recently discovered zero-day vulnerabilities, and unwanted functionality in firmware binary code. In a Phase I effort, each awardee will work over a six-month period of performance to prove the efficacy of its proposed solution.
“Ensuring the mobile device supply chain is free of vulnerabilities and cyber-threats is essential to securing the technology we use to protect the homeland,” said Emile Monette, program manager of the Office of Cybersecurity and Communications’ Cyber Supply Chain Risk Management program at the National Protection and Programs Directorate. “The techniques and processes being developed will help provide needed insight into the mobile technology supply chain, assuring the ability of Government and enterprises to securely execute their mission.”
“The benefits of automated analysis of firmware binaries are higher assurance for the integrity of mobile technology as it is used and maintained,” said S&T Mobile Security Research and Development (R&D) Program Manager Vincent Sritapan, who will oversee these research efforts. “Also, original equipment manufacturers and enterprises will be able to check the security and privacy of firmware before and after it is deployed. Each performer has presented an innovative approach that bears considerable promise in combatting compromised device firmware.”
The S&T SBIR awardees are:
• Kryptowire LLC, Fairfax, Virginia, SAFARI: Scalable Analysis of Firmware for AndRoid and iOS — Kryptowire was awarded $149,993 to determine the feasibility of a scalable, comprehensive and automated framework to detect firmware-borne threats — malicious and unintentionally insecure — in Android and iOS devices. The framework will encompass three analysis techniques, forced-path execution, static analysis and dynamic analysis, applied across multiple software modules and applications to analyze device firmware from different vendors, operating systems and applications.
• RAM Laboratories, Inc., San Diego, California, Automated & Scalable Analysis of Mobile & IoT Device Firmware — RAM Laboratories was awarded $150,000 to prove its concept for Firmalytics, a modular and scalable framework that will automatically analyze firmware for security vulnerabilities, backdoors and malware. As envisioned, the framework will also add the analysis results to a database that feeds a correlation engine for identifying groups of similar firmware vulnerabilities.
• Red Balloon Security, New York, New York, Firmware Automated Analysis at Scale with Testing — Red Balloon was awarded $149,869 to test its proposed Firmware Automated Analysis at Scale with Testing (FAAST) technology. FAAST will be built on top of the company’s Firmware Reverse Analysis Konsole (FRAK), an unpacker for unpacking, analyzing, modifying and repackaging firmware images. The goal of the project is to demonstrate the feasibility of the mobile and embedded firmware analysis automation technology platform.
• Sekurity LLC, Jersey City, New Jersey, Principled Security Analysis of the Firmware Binaries via Guaranteed Formal Verification and Scalable Dynamic Monitoring — Sekurity was awarded $149,999 to test the feasibility of its proposed firmware binary security analysis framework (BINNSEC) for mobile and IoT devices. To ensure scalability and usability across different firmware binary formats, BINNSEC will combine advanced binary reverse engineering, malware analysis, programming-language techniques, formal methods and dynamic vulnerability assessment algorithms to generate accurate, human-readable reports in a timely manner.