You Now Know that VxWorks is Vulnerable. Now What?

Posted on August 22, 2019
Author: RunSafe Security

Securing a large complex enterprise network is a challenging, never-ending process. The move to cloud has intensified the problem. Often, there is nothing to protect an IT system when a breach makes it past perimeter defenses. Moreover, memory corruption bugs are common in 3rd party code and patch management is often inept, late and not-continuous.

Now, a critical VxWorks flaw is exposing millions of connected hardware devices to hacking.

VxWorks is a real-time operating system (RTOS) that can be used in embedded systems. It is the most popular RTOS and is currently installed on over 2 billion devices. As of July 2019, a paper published by Armis exposed 11 critical vulnerabilities including remote code executiondenial of service, information leaks, and logical flaws.

RunSafe Alkemist is an easy, proven method for cyberhardening legacy software and hardware by reducing the attack surface used to compromise firmware, operating systems, and applications within IT/OT environments. Alkemist protections are broadly applicable and suitable in power plants, utilities, data centers, communications networks, vehicles, medical devices, IoT and much more.

RunSafe is:

  • Easy and quick to deploy
  • A gap filler in cybersecurity defenses
  • Protection based at code level
  • A way to eliminate an entire class of vulnerabilities
  • Avoid need for perfect patching with built in protection

Alkemist was tested for 60 days by the Georgia Tech Research Institute and it was shown that:

  • Alkemist cyberhardening does not introduce failures or alter program execution
  • All transformed binaries initiated identically to their original counterparts
  • There was no performance impact across transformed binaries
  • Alkemist protections show promise when applied to legacy systems
  • Alkemist protections show promise for completely self-contained applications
  • Alkemist disrupts attacks on stack overflow-based vulnerabilities

Because of its one-time software transform function, Alkemist’s protections can be applied when deploying a future system or when updating software on a legacy system and the security protections will endure. It requires no new software for the protected device; makes no source code modification; and works within current system resources (memory, storage, power, with minimal overhead) so that no new hardware is required.

ALKEMIST ELIMINATES AN ENTIRE CLASS OF CYBERATTACKS

RunSafe Security’s Alkemist addresses the need for increased resilience, offering a proven solution for protecting software across the IT stack against memory corruption errors and buffer overflow exploits – the techniques attackers often use to gain control of embedded systems.\

Buffer overflows are one of the oldest and most common memory corruption vulnerabilities in software. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage files, change data, disclose confidential information, shut the system down, or provide false readouts.

The application of Alkemist yields secure IT and OT systems, increasing cyber resilience. This approach works for legacy and future systems– both 3rd Party/Open Source and in-house developed code – during development, test, deployment and maintenance. It is well-suited for the complex electronics supply chain. In summary, Alkemist resets the system security baseline, mitigating threats in IT systems throughout the life cycle, from design through sustainment

To learn more about how RunSafe cyberhardens legacy, open source and custom code like yours, click here to see how Alkemist works.

RunSafe Security’s 2025 Product Security Predictions

RunSafe Security’s 2025 Product Security Predictions

Product security has come a long way since  the early 2000s to the current iterations we’re seeing today. From CISA’s focus on Secure by Design to the growing emphasis on software supply chain security, software manufacturers, software buyers, and regulatory...

read more