Come Join the CAFSA - Continuous Automated Firmware Security Analysis

Conference:  BlackHat USA 2019



The presentation discusses the benefits of using an open-source firmware security analysis tool in the development process to automate security checks and improve the security of products.
  • Using an open-source firmware security analysis tool can provide visibility into revisions and help with vendor assessments.
  • The tool can be deployed in front of production signing and used for firmware security analysis.
  • Config files can be created for different file system images and shared with others.
  • Automation of feedback during development can help catch security relevant changes and improve the security of products.
  • The open-source release includes example files and an end-to-end analysis tool for Android framework.
The speaker mentions that the tool has shown value in catching security issues that would have otherwise gone unnoticed. They also thank their co-workers for contributing code and various people for their support and interesting discussions.


Modern devices are complex and their firmware often consists of multiple parts that together make up the software stack of a product. Securing firmware is hard work since firmware changes over time and engineering focus shifts to different aspects like prototyping, development, testing, and finally production. Shipping 'bad' firmware can have a ripple effect on your entire product and infrastructure, possibly preventing security controls from being properly implemented to costing millions due to recall. Preventing this ripple effect to occur will ultimately save you money and keep your product reputation.This talk is about processes and tools that we designed, built, and deployed in the last couple of years while working on securing devices at multiple companies, most notably in my current role at Cruise Automation. We determined that well engineered simple yet powerful processes integrated into the development and release flow can achieve great victories.Our approach is centered around a tool for analyzing firmware images, specifically filesystem images. The tool provides an automated way to model and check the security properties of files and file content. Checks can be as simple as flagging suid executables or world writable files and as complex as ensuring that a release build contains production CAs signed with production keys. Our approach is vastly different and more impactful compared with traditional tools such as vulnerability scanners that try to identify buggy and insecure code or tools, CVEs within in your software stack.One core component of the process deals with reporting and further processing of information extracted and gathered during the analysis and checking phase. All steps generate machine readable reports that allow integration in continuous development environments as well as extending the process and tools to new targets. We plan to opensource the tool kit together with a library of checks for various targets.The talk is based on the experience of securing Linux-based devices including highly customized Android devices built in-house and by 3rd parties.