Centrifuge IoT Security Platform Updates - May 2017


June 01, 2017

We did a lot of darn work on the Centrifuge IoT Security Platform in May. Here's a list of the most recent changes you should know about:

General

  • Expired users are no longer immediately logged out of their sessions. They may continue exploring the firmware evaluation reports they already generated on CSP after expiration, but upload privileges remain locked.
  • Hundreds of simultaneous database queries were overwhelming the server and preventing it from responding to authorized HTTP requests. The server eventually recovered once all of the queries completed, but that took a very long time. The query handling was streamlined and the problem is resolved.

Extractors

  • Extractors now record tool output to file streams instead of fixed-size buffers, which threw exceptions whenever an extraction tool generated too much output. This has been resolved.
  • The extractor now enforces a maximum concurrency for extraction jobs. CSP was a bit overzealous when extracting everything at once: it spent more CPU cycles context switching between processes than it did extracting firmware images and servicing client requests.
  • The system was so focused on finding extractable file system images embedded at arbitrary offsets within files that it neglected file systems located at offset zero. It now also extracts images (squash images included) that begin at offset zero.
  • A logic error was fixed that prevented symlinks located in the root of the extracted directory from being readjusted to point to their proper targets within their extracted directory.
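As an added illustration of the three extractor changes above (written for this post, not code from the Centrifuge platform itself), the following Python sketch scans a blob for file system signatures at every offset including zero, then runs extraction jobs through a bounded worker pool that streams each tool's output to a file instead of holding it in a fixed-size buffer. The signature table, `MAX_JOBS`, and the use of a Python one-liner as a stand-in for a chatty extraction tool are assumptions made for the example.

```python
import re
import subprocess
import sys
import tempfile
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

# Magic values of a few file systems an extractor might look for. Assumption for
# the example; a real extractor carries a much larger signature table.
SIGNATURES = {
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
    b"-rom1fs-": "romfs",
    b"\x1f\x8b\x08": "gzip",
}

# Maximum number of extraction tools allowed to run at once (assumed value).
MAX_JOBS = 4


def find_signatures(blob):
    """Return sorted (offset, name) pairs for every signature hit, offset 0 included.

    A guard such as `if offset:` would silently drop a file system that starts at
    the very beginning of the image, which is the class of bug described above.
    """
    hits = []
    for magic, name in SIGNATURES.items():
        for m in re.finditer(re.escape(magic), blob):
            hits.append((m.start(), name))
    return sorted(hits)


def run_tool(argv, log_path):
    """Run one extraction tool with stdout and stderr streamed to log_path.

    Handing the child a file handle means it can emit any amount of output
    without the parent buffering it, so a chatty tool cannot overflow a buffer.
    """
    with open(log_path, "wb") as log:
        proc = subprocess.run(argv, stdout=log, stderr=subprocess.STDOUT)
    return proc.returncode, Path(log_path).stat().st_size


def extract_all(jobs, max_jobs=MAX_JOBS):
    """Run every (argv, log_path) job with at most max_jobs in flight."""
    with ThreadPoolExecutor(max_workers=max_jobs) as pool:
        return list(pool.map(lambda job: run_tool(*job), jobs))


def run_demo(n_jobs=8, payload=2 << 20):
    """Run n_jobs copies of a chatty stand-in tool; return [(exit_code, bytes)]."""
    # Stand-in for an extraction tool that floods stdout (assumption for the
    # example): a Python one-liner writing `payload` bytes.
    chatty = [sys.executable, "-c",
              f"import sys; sys.stdout.write('x' * {payload})"]
    with tempfile.TemporaryDirectory() as tmp:
        jobs = [(chatty, f"{tmp}/job{i}.log") for i in range(n_jobs)]
        return extract_all(jobs)


if __name__ == "__main__":
    # Constructed image: a squashfs magic at offset 0 and a gzip header further in.
    image = b"hsqs" + b"\x00" * 60 + b"\x1f\x8b\x08" + b"\xff" * 20
    for off, name in find_signatures(image):
        print(f"{name} at offset {off:#x}")
    for rc, size in run_demo():
        print(f"exit={rc} output_bytes={size}")
```

The worker pool caps how many tools run at once, so a large image with many embedded file systems no longer fans out into an unbounded number of processes competing with the web server for CPU.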

Analyzers

  • A race condition that caused the same file to be assigned multiple unique identifiers was corrected.
  • The entropy graph analysis was fixed to properly count the number of signatures in a firmware image.
  • A bug triggered by malformed version number strings in library binaries was corrected.
  • The analyzers were bailing out as soon as any error was reported, discarding analysis data that had already been collected. They now record the reported errors and still store the successful analysis results.
  • The Library Analysis view no longer produces an HTTP 500 error when no libraries were identified in a firmware image; CSP now handles that case gracefully.
  • DSA private keys were added to KeySearch.
  • A new analyzer was created to identify commands that are run at system startup. It is still in its infancy and will evolve as more firmware images are studied.
  • A band-aid was applied to stop the KeySearch analyzer from reporting the same key more than once when it is found inside a nested file system. Internal discussions continue on a more elegant way to handle and analyze nested file system content.
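An added example (written for this post, not the CSP analyzers themselves) of the two analyzer ideas above: a walk over an extracted firmware root that pulls startup commands out of `/etc/inittab` and the `rcS` script it names, and a KeySearch-style scan that fingerprints each PEM private key by the hash of its body, so a key reached again through a nested file system is reported once with every path it was found at. The directory layout, the inittab contents and the PEM blocks are constructed fixtures; the key bodies are placeholder text, not real key material, and the `build_fixture` and `run_demo` helpers exist only for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# PEM markers a KeySearch-style scan looks for; DSA joined the list in May.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (RSA|DSA|EC|OPENSSH|ENCRYPTED)? ?PRIVATE KEY-----"
    rb"(.*?)"
    rb"-----END (?:RSA|DSA|EC|OPENSSH|ENCRYPTED)? ?PRIVATE KEY-----",
    re.DOTALL,
)


def parse_inittab(text):
    """Yield (runlevels, action, process) from busybox-style inittab lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # id:runlevels:action:process ; the process field may itself contain ':'
        parts = line.split(":", 3)
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3].strip()


def startup_commands(root):
    """Collect commands run at boot: inittab entries plus lines of the sysinit script."""
    root = Path(root)
    found = []
    inittab = root / "etc" / "inittab"
    if inittab.is_file():
        for _, action, proc in parse_inittab(inittab.read_text(errors="replace")):
            found.append((str(inittab.relative_to(root)), action, proc))
            # Assumption: only a plain "/path/to/script" sysinit entry is expanded.
            script = root / proc.lstrip("/")
            if action == "sysinit" and script.is_file():
                for cmd in script.read_text(errors="replace").splitlines():
                    cmd = cmd.strip()
                    if cmd and not cmd.startswith("#"):
                        found.append((str(script.relative_to(root)), "script", cmd))
    return found


def key_search(root):
    """Map key fingerprint -> (kind, sorted paths); the same key at two paths is one entry."""
    root = Path(root)
    keys = {}
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        for m in PEM_KEY_RE.finditer(path.read_bytes()):
            kind = (m.group(1) or b"PKCS8").decode()
            body = b"".join(m.group(2).split())  # ignore line wrapping differences
            fp = hashlib.sha256(body).hexdigest()[:16]
            keys.setdefault(fp, (kind, set()))[1].add(str(path.relative_to(root)))
    return {fp: (kind, sorted(paths)) for fp, (kind, paths) in keys.items()}


def build_fixture(root):
    """Constructed firmware root for the demo; PEM bodies are placeholder text."""
    root = Path(root)
    (root / "etc" / "init.d").mkdir(parents=True)
    (root / "etc" / "inittab").write_text(
        "::sysinit:/etc/init.d/rcS\n"
        "::respawn:/sbin/getty -L ttyS0 115200 vt100\n"
        "::restart:/sbin/init\n"
    )
    (root / "etc" / "init.d" / "rcS").write_text(
        "#!/bin/sh\n# bring up the box\nmount -t proc proc /proc\n/usr/sbin/telnetd -l /bin/sh\n"
    )
    dsa = ("-----BEGIN DSA PRIVATE KEY-----\nTUlJQnV3SUJBQUtCZ1FEWEhVT04K\n"
           "QUFBQUFBQUE=\n-----END DSA PRIVATE KEY-----\n")
    rsa = "-----BEGIN RSA PRIVATE KEY-----\nUlNBUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"
    (root / "etc" / "dropbear").mkdir()
    (root / "etc" / "dropbear" / "host_dsa").write_text(dsa)
    (root / "etc" / "ssl.pem").write_text(rsa)
    # The same DSA key again, reached through a nested extracted file system,
    # with different line wrapping of the body.
    nested = root / "usr" / "share" / "update.bin.extracted" / "etc"
    nested.mkdir(parents=True)
    (nested / "host_dsa").write_text(dsa.replace("\nQUFB", "QUFB"))


def run_demo():
    """Build the fixture, run both analyzers, return (startup_commands, keys)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return startup_commands(tmp), key_search(tmp)


if __name__ == "__main__":
    cmds, keys = run_demo()
    for src, action, cmd in cmds:
        print(f"{src}: [{action}] {cmd}")
    for fp, (kind, paths) in keys.items():
        print(f"{kind} key {fp} found at {len(paths)} path(s): {', '.join(paths)}")
```

Fingerprinting the key body rather than the file path is what makes the nested case collapse to a single finding: the report still lists both locations, which matters when the duplicate lives inside an update image that will be flashed separately.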

Emulation (Beta)

  • Function-level emulation for Linux ELF binaries was added. CSP can now reanimate cold, lifeless binaries from their firmware image stasis, pulling out functions that contain vulnerable library calls and running them with contrived user arguments in order to pinpoint the most likely exploitation candidates. This technique produces far fewer false positives than the traditional static vulnerability analysis, though it's fresh out of the test tubes and still has that new analyzer smell. The emulation results are intended to be viewed as a concentrated subset of the static vulnerabilities: a static finding that the emulator does not flag is not cleared by it, and a flagged function is a candidate to confirm, not a proven bug.

WebUI

  • Emulated function call data was added to the Code Analysis view.
  • Hover-activated tool-tips were added to further describe what analysis results mean, without being intrusive to the user experience.
  • A bug in the Code Analysis view, which prevented details from being updated when interacting with binaries that had zero emulated functions, was fixed.
  • Symlinks are now rendered differently from regular files in the filesystem browser; they include their link target path in addition to their file name, and a swanky new icon.
  • Emulation routes were added and a few inconsistencies in the REST API documentation were corrected.
  • Every report view now includes the filename of the uploaded file that was analyzed, so examining several reports at once should be less overwhelming.
  • The footer date is procedurally generated and includes the running commit hash, so the dev team no longer has to enter that information by hand.
  • The "Add Firmware" buttons are now disabled for expired user accounts. This is a UI convenience; the upload lock for expired accounts noted under General is what actually enforces the restriction.
  • The active and inactive user tables were merged into a single user table with a status column.
  • The user list now loads in the same order every time the administration panel is rendered.
  • The refresh frequency of the system load average and disk usage statistics on the administration panel was adjusted.

REST API

  • The new API endpoints are:
    • /api/report/startup/:ufid: returns the startup command analyzer results
    • /api/upload/:ufid/file: lets a user download the file they originally uploaded
  • The file size was added to the data structure returned to the client when they request details about a previously uploaded file.

Minor

  • The symlink adjustment code was rewritten to make sure symlinks point to their intended target even when they were extracted somewhere below the root of the file system.
  • Re-engineering of the REST API has begun, with the goal of making the code more elegant, consistent, and, most importantly, more testable. These changes do not modify the behavior of the API.
  • CSP keeps an eye on its available storage space; when it dips below a specified threshold, the dev team is emailed that disk space is low.

Known Issues

  • Empty directories show arrows next to them in the filesystem browser, giving the illusion that they contain files.


View the short video on Firmware Evaluations with the Centrifuge IoT Security Platform >