Embedded Systems Need Embedded Security

All critical infrastructure is under cyber attack, all the time. The attack on the Oldsmar, FL water supply is a recent known example. And it’s getting worse; vulnerability to cyber attack is increasing as the embedded devices controlling these critical infrastructures become more connected. The DevOps approach to software development offers an antidote—an opportunity to embed run-time security into the software for embedded systems.

Automated run-time protections are crucial for cyber defense that scales. Protecting critical infrastructure is too vast an undertaking for human-based monitoring and response alone. As an example, there are approximately 54,000 drinking water systems in the United States, and many do not have someone watching IT operations 24/7 as KrebsOnSecurity reports.

The Ubiquitous Buffer Overflow Vulnerability

Some of my colleagues at RunSafe used to be secret agents—well, modern-day ones, in that they were on the cyberattack side for the U.S. Government. They spent a long time preparing and searching software for vulnerabilities. Ultimately, they crafted sophisticated attacks in the form of cyber kill chains (as defined by Lockheed Martin), running from reconnaissance through actions on objectives.

One of their go-to techniques was the exploitation of a memory corruption vulnerability, such as stack overflow, heap overflow, and use-after-free. Most of the time their cyber kill chains included these exploits.

Why the popularity of memory exploitation? Is it because they had access to classified tools and they’re super smart? Well, they did and they are, but that’s not the reason. In fact, memory corruption vulnerabilities are ubiquitous, persistent, and exploitable for remote code execution. Here are three pieces of evidence:

  1. Google reported in February of 2021: 70% of security updates for Google’s Chrome database and Microsoft products relate to memory corruption vulnerabilities.
  2. CVE database showed in the summer of 2020: 40% of the published CVEs for the studied C/C++ projects are related to memory.
  3. Armis discovered in July of 2019: 55% of the 11 zero-day vulnerabilities in VxWorks®, used by over 2 billion devices including critical industrial, medical, and enterprise devices, are classified as critical and enable Remote Code Execution (RCE).

The Power of DevOps in Embedded Systems

DevOps is bringing a cultural and technological shift to software development. The goal is a holistic team, including developers and operators, using automated tools to achieve CI/CD (continuous integration and continuous delivery). It recognizes that software is never done, should not be created by developers working in a vacuum, and requires constant iteration.

The U.S. Department of Defense has a powerful DevOps initiative called PlatformOne. It’s about cultural change, which in the case of the DoD, includes a change to acquisition policy. It’s about technology, having a unified technology stack as key to modularity, and avoiding vendor lock.

Ultimately, it’s about speed, with one of its ambitious goals being to update the operational flight program (OFP) on an in-flight fighter jet. This agility is not for show, but necessary given peer adversaries.

Many have expanded DevOps to DevSecOps, indicating cybersecurity is part of this holistic, iterative, automated approach. That’s a great goal. Unfortunately, traditional cybersecurity practices are not a good fit. Static scanning is a standard tool for cybersecurity, although it is known to be woefully incomplete in its ability to identify errors. More damaging in the DevOps context, the practice undermines the team culture by pointing a finger at the developers, while cybersecurity is still on the outside.

Equally important, scanning undermines important automation and speed objectives. Scanning generates alerts that software developers must address or ignore. This find and fix approach takes valuable time for an incomplete solution. Scanning is not like the handy spell check I’m using rigt now…I mean right now.

How Can RunSafe Help with Your Embedded Devices?

Remember my colleagues who used to be secret agents? At RunSafe, they’ve switched to cyber defense using their spooky experience. I’ve seen this dynamic before in electronic warfare. The best electronic protection (defense) experts began as electronic attack experts.

First, they break adversary stuff, then they defend our stuff. Attack gets more attention, just like offense in sports (touchdowns, goals, baskets), but it’s often defense that delivers the win.

RunSafe takes a new approach to cyber defense to ensure critical infrastructure keeps operating through attacks, using sophisticated automation and mitigation, rather than brute force find and fix. RunSafe design tenets are: do no harm to the original software, be scalable, be widely applicable. As a result, RunSafe’s cyber defense is tightly aligned with the DevOps movement and the reality of the constant attack.

Our defense software integrates easily into a DevOps CI/CD toolchain. Software developers set flags in their compilation process to make a call to our software. That’s it—done. DevOps culture and speed are enhanced. Security is embedded into the process rather than criticizing from the outside.

RunSafe’s approach means embedded systems are protected against both known and unknown, yet-to-be-exploited vulnerabilities. The benefit is mitigation of memory corruption vulnerabilities, those ubiquitous vulnerabilities comprising 40-70% of identified vulnerabilities, depending on the code stack. Mitigation happens automatically at run-time when embedded devices are under constant attack, ensuring the smooth operation of critical infrastructure.

To learn more about the superpower next-level technology, read our whitepaper today: RunSafe Security and Memory Threats: Using Alkemist® to Fight the Exponential Growth in Memory Vulnerabilities and Immunize Software from Attacks.