Thursday, December 6, 2012

Military wants to test your Widgets Firmware for Malice

The Defense Advanced Research Projects Agency (DARPA) has launched VET (Vetting Commodity IT Software and Firmware), announced as DARPA-SN-13-07, and has scheduled a Proposers' Day for December 12th.

DARPA wants to make sure that the devices used by the Department of Defense (DoD) do not contain hidden backdoors, such as this real-world case reported this week [Dec/6/2012] in @RISK: The Consensus Security Vulnerability Alert, Vol. 12, Num. 49, from the SANS Institute:

ID: CVE-2012-4964
Title: Samsung Printer Firmware Contains A Backdoor Administrator Account
Vendor: Samsung
Description: Samsung printers contain a hardcoded account that could allow a remote attacker to take control of an affected device.
CVSS v2 Base Score: 9.0 (AV:N/AC:M/Au:N/C:C/I:C/A:P)

If you are printing classified documents, or documents that your competitor would really like to see, can you be sure that your printer is not spying on you? Point your web browser at your printer's IP address and you might find a web server running there that you knew nothing about. The web interface is only the most visible of the services a printer exposes; a hidden account behind any of them is just as dangerous.

How would you check your printer for such a backdoor? Now how would you check millions of different devices for possibly millions of different ways of exploiting them? This is the challenge facing the DoD: it needs an automated way to vet devices and demonstrate that no such backdoors exist. I covered this to some degree a couple of years ago in Killed by Code: Software Transparency in Implantable Medical Devices. Making source code available for independent audits is one approach (admittedly a bit self-serving, as I do such audits on occasion), but that method does not scale to the number of devices in question. What would you do? That is what the DoD wants to know.
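The single-device check the post asks about can at least be made concrete. The following is an added example, not code from the original post or from DARPA or SANS: it enumerates the TCP services a printer exposes, reads the Server header from any embedded web server it finds, and flags every open port that is not on a documented allow-list. The allow-list of expected printer ports, the extra administration ports it probes, and the placeholder address 192.0.2.10 are assumptions, not vendor data.

```python
"""Service inventory for a networked printer. Added example, not code from the
original post or from DARPA/SANS. The EXPECTED_TCP allow-list and the extra
PROBE_PORTS are assumptions for a typical office printer, not vendor data."""
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Assumed baseline: services a vendor commonly documents for an office printer.
# Anything open outside this set needs an explanation from the vendor.
EXPECTED_TCP: Dict[int, str] = {
    80: "embedded web server (HTTP)",
    443: "embedded web server (HTTPS)",
    515: "LPD print spooler",
    631: "IPP",
    9100: "raw print port (JetDirect-style)",
}

# Documented ports plus common remote-administration services (assumed list)
# that a printer should not be offering at all.
PROBE_PORTS: List[int] = sorted(set(EXPECTED_TCP) | {21, 22, 23, 8080, 8443})


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_tcp(host: str, ports: Iterable[int],
             probe: Callable[[str, int], bool] = tcp_port_open) -> Set[int]:
    """Return the subset of ports that accept a connection. The probe is
    injectable so the classification logic can run without a live device."""
    return {p for p in ports if probe(host, p)}


def classify(open_ports: Iterable[int],
             expected: Dict[int, str] = EXPECTED_TCP
             ) -> Tuple[Dict[int, str], List[int]]:
    """Split observed open ports into documented and undocumented services."""
    documented = {p: expected[p] for p in open_ports if p in expected}
    undocumented = sorted(p for p in open_ports if p not in expected)
    return documented, undocumented


def parse_server_header(response: bytes) -> Optional[str]:
    """Pull the Server: header out of a raw HTTP response, if present."""
    head = response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def http_server_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Send a minimal HEAD request and return the Server header, or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            chunks, total = [], 0
            while total < 4096:
                try:
                    data = s.recv(1024)
                except socket.timeout:
                    break
                if not data:
                    break
                chunks.append(data)
                total += len(data)
            return parse_server_header(b"".join(chunks))
    except OSError:
        return None


def audit(host: str, probe: Callable[[str, int], bool] = tcp_port_open
          ) -> Tuple[Dict[int, str], List[int]]:
    """Scan one device, print a report, and return (documented, undocumented)."""
    documented, undocumented = classify(scan_tcp(host, PROBE_PORTS, probe))
    for port, name in sorted(documented.items()):
        print(f"{host}:{port} open - documented: {name}")
    for port in undocumented:
        print(f"{host}:{port} open - NOT in the documented service list")
    if 80 in documented and probe is tcp_port_open:   # only on a real scan
        print("HTTP Server header:", http_server_banner(host, 80))
    return documented, undocumented


if __name__ == "__main__":
    import sys
    # 192.0.2.10 is a documentation-range placeholder; pass your printer's IP.
    audit(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10")
```

Run it with the printer's address as its argument. An open port the vendor cannot account for, or a web server whose banner does not match the documentation, is exactly the kind of finding the post describes. The check also shows why this does not scale to the DoD's problem: it only tells you what is listening, not whether the firmware behind a documented port carries a hidden account.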

The program announcement frames the problem this way:

"DoD relies on millions of devices to bring network access and functionality to its users," said Tim Fraser, DARPA program manager. "Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception."

VET will attempt to address three technical challenges:

  • Defining malice: Given a sample device, how can DoD analysts produce a prioritized checklist of software and firmware components to examine and broad classes of hidden malicious functionality to rule out?
  • Confirming the absence of malice: Given a checklist of software and firmware components to examine and broad classes of hidden malicious functionality to rule out, how can DoD analysts demonstrate the absence of those broad classes of hidden malicious functionality?
  • Examining equipment at scale: Given a means for DoD analysts to demonstrate the absence of broad classes of hidden malicious functionality in sample devices in the lab, how can this procedure scale to non-specialist technicians who must vet every individual new device used by DoD prior to deployment?

Anyone up for a road trip to Arlington, VA for the Proposers' Day? Note that DARPA is a secure facility; visitors should arrange an appointment with a program manager or other DARPA staff before visiting.