Software and Firmware Vulnerabilities

Introduction

Software vulnerabilities are defined as weaknesses or errors in code which can be exploited by a malicious actor to perform something (typically an malicious action) which was not intended by the programmers. They can be as simple as using a deprecated and insecure function such as `gets()` or `strcopy()` or complex issues which are not discovered for years (zero day vulnerabilities).

Reasons for occurring

There may be numerous reasons why vulnerabilities occur in software, here are a few:

  • Bad practice: As mentioned before, some programmers may use bad functions which do not check bounds and continue to copy a certain buffer into memory without prior checking. This is most evident in the C programming language with functions like gets(). The manual page of gets() itself commands the user to Never use this function. Bad practice and bad code can also be subject to exploitation via formatting, syntax and logic errors; thus it is most important that programmers adhere to good coding practices 1

  • Invalidated user input: While this can go under bad practice it deserves a section of its own. During university I was taught that all user input is bad. User input allows a user to directly interact with the application. This can lead to XSS, SQL Injections, code injections and many, many more vulnerabilities. Proper sanitisation and validation must always be performed where user input is required.

  • Broken Authentication and Access Controls User authentication is very significant in software security. Restricting unauthorised actions and setting the appropriate permissions can minimise the risk of software security failures. Broken access enables users to access parts of the application/software which they should not (like an administrator panel, for example). There are a few simple steps to reduce the attack surface of this vulnerability, by: using the principle of least privilege, turn on login failures and blocking access after numerous failed attempts, follow best practices regarding passwords and using multi-factor authentication 2.

Firmware

  • At a fundamental level, firmware is simply software running at a lower level (closer to the hardware). Firmware is typically hidden from users as it is embedded into the hardware device purchased by the consumer. Firmware is also stored on non-volatile memory meaning data is retained when power is turned off from the device (akin to hard drives, solid state drives; including m.2 variations). Firmware controls the basic functions of the hardware 3.

  • Firmware security threats are becoming increasingly common due to the rise of IoT devices (Internet of Things), for example. However, they can also occur in other devices, such as motherboards. Just recently in May 2023, Gigabyte patched a UEFI firmware vulnerability which enabled backdoor-like behaviour which affected roughly "7 million devices" 4. If not resolved and updated by the consumer, it could allow persistent malware to be installed on the user's hardware.

Firmware Security Threats

Just like software, firmware security is vulnerable to a number of threats if the code is not properly written and maintained. Here are a couple:

  • Buffer and Stack Overflow protection: Buffer and stack overflows are one the most simple, but most common vulnerabilities that an attacker can exploit. They work by overwriting a space in memory (and depending on the type of overflow) can overwrite the IP (instruction pointer) and point to a memory space defined by the malicious actor. This allows the attack to control the flow of the program and execute functions or shell code. Modern systems protect against these vulnerabilities by using stack canaries and PIE (position independent executable), to list a couple. Furthermore, modern languages like Rust protect against these vulnerabilities inherently with security features built into the language like ownership and memory safety. 5

  • Firmware Updates: Keeping firmware up-to-date is critical. As mentioned before, the Gigabyte UEFI vulnerability which allowed backdoor access was resolved via a firmware update. Non-tech savvy individuals who don't know how to update their motherboard firmware or even know what it is, are more vulnerable to exploitation, unfortunately. Updating firmware or software ensures known vulnerabilities or bugs are fixed, leading to a more secure device.

Summary

  • Software and firmware vulnerabilities must be taken seriously. While most of the vulnerabilities overlap for both software and firmware; the latter is definitely an overlooked area when it comes to security. Detecting faults or vulnerabilities in firmware via security software may also be an issue due to the embedded nature of firmware (where it resides in relation to hardware). In addition, the fact that it is usually not 'seen' by the average consumer also influences developers to focus on areas which will directly affect the user. The fact that operating systems and software has a greater focus with regards to security; this leaves an open opportunity for attackers to look for other areas in devices for vulnerabilities.

  • As is common in security; it is a process and not a destination. Security must be part of each stage of the development process, and security assessments and code reviews should be conducted regularly. However, integrating levels and layers of security is not easy, but developers should remember that it is a matter of when, and not if their software is exploited.

PreviousZero Trust Architecture

Last updated