The Importance of Source Code Security in the IoT Era

2019-08-07 | By Tan Rahman

Our CTO, Sun Chan, recently had a question-and-answer article published on Sohu in China. He provides some great insight into the critical threats faced by developers of Internet of Things devices. He also provides some advice on using coding standards to reduce the number of vulnerabilities that can manifest themselves in the world of IoT. Read on.

1. You are a seasoned expert in software vulnerability management. Tell us a little about your technical background and experience.

My background covers a number of technical areas including program optimization as well as product development and research. I’ve worked for companies including MIPS, SGI and Intel. At SGI I was involved in high-performance computing (HPC) and at Intel, I was Director of the Intel-Tsinghua University Joint Lab focusing on advanced mobile computing technology and also Director of Embedded Systems at Intel Labs. I have a deep understanding of large-scale program analysis and how to apply it to security vulnerabilities. Because of this, combined with my extensive experience in software development, I really know what to look for when analyzing source code, which, of course, is what we do at Xcalibyte. In my 30-plus-year career, I have accumulated over twenty patents and have been published in many technical and academic journals.

2. With the rise of Internet of Things (IoT) technology, it is widely applied in various industries. How do security threats differ from before?

The IoT environment consists of devices and products of varying size and complexity in design and technology. Typically, an IoT system will consist of many “constraint devices” with very primitive Operating Systems (OS) and little protection. Everything is interconnected and the devices talk to each other with data flowing among them. Oftentimes, the data will flow amongst these devices without strict security protocols and sometimes is not encrypted, so it can be intercepted and exploited by attackers. Data leakage can easily occur in the world of IoT. If you have two systems talking to each other, it is likely that they will have different levels of security, where one has been constructed with a stronger security focus and the other less so. In this scenario, the weaker one can be exploited, which in turn could potentially allow access to the more secure device. Attackers in the IoT look for and identify the weakest link. To breach the system at the Jet Propulsion Laboratory at the California Institute of Technology last year, a hacker merely had to tap into a low-cost Raspberry Pi device which was connected to the network. The Raspberry Pi was clearly not vetted properly for security and the attacker was able to obtain 500 megabytes of confidential data. If it can happen to Caltech, it can happen to anyone.

In July 2019, it was revealed by security researchers from Armis that 11 vulnerabilities known as the “Urgent11” impact a wide range of devices. The vulnerabilities cause issues with VxWorks, a real-time operating system (RTOS) which can be considered as a small memory footprint embedded OS commonly used in IoT devices such as home security cameras, smart meters or wearable devices. The flaws reside in the TCP/IP networking stack which is used in the VxWorks RTOS and manages a device’s ability to connect to the Internet and other devices on a local network. This will affect more than 200 million devices.

3. What are the main solutions or points of focus for companies developing code for IoT products to ensure they avoid critical threats?

Unfortunately, security is not always a top priority for manufacturers who are trying to get their products to market as fast as possible. In certain cases, devices are built such that they are configured once only and do not receive patches or updates, due to power and/or cost considerations, to prevent security concerns such as viruses. By 2025, it is predicted that there will be as many as 41.6 billion connected IoT devices in the world according to an IDC forecast report. Much of the embedded firmware running on these devices is insecure and highly vulnerable, meaning that many critical systems and data around the world are at risk. An example of this is smart meter products, which are IoT devices that often come set up with a default password hard-coded into the software, which can increase the susceptibility of the meter to malicious attacks. This is more common than you might think, and if you have a range of smart meter products and the same default password is used for all other meters in that product range, it’s not going to take much research for an attacker to discover that password. Historically, security has not been a focus for IoT, but the industry is changing, and adopting a quality-first mindset with a security by design approach is critical for software developers.

This is further complicated in the world of IoT because, despite consortiums like the Open Connectivity Foundation (OCF) trying to create open standards, most devices are still too fragmented as they fail to adopt common means of networking and programming. Most companies develop their own proprietary systems as this has been their mode of operation for many years. A lack of a clear dominant standard in IoT comes at a price, in terms of conformance to standards that are still in the process of heavy changes and revisions. And being conformant to one specific standard means you are in a silo, especially with existing legacy IoT devices such as video cameras, meters etc. which use proprietary software systems. I believe that open standards will prevail but we’re still many years away from that.

4. How important are code compliance standards like CERT and MISRA? Why are they so important for China?

Engineers and software developers from all over the world collaborate with institutes such as the CMU-Software Engineering Institute in the US to identify vulnerabilities and weaknesses – they then prepare software development rules and guidelines to follow that work towards avoiding exposure of your products and applications to risk or malicious attackers. By conforming to standards such as CERT for C/C++/Java, you are taking advantage of the minds of developers all over the world who have thought through software defects so that you don’t have to do all the thinking by yourself. Some standards have been developed for specific categories, such as MISRA, which is a compliance standard developed for the automobile industry.

It is important to note that these rules and guidelines are created after the fact. There are no rules for a yet to be hacked program pattern. A good example of this is the ‘HeartBleed’ bug where the most popular method of securing data on the Internet, Open Secure Socket layer (OpenSSL), had a vulnerability that allowed the stealing of information which would have otherwise been protected by OpenSSL. The bug was there for a long time and no tool was able to discover that until patches were created, and it was later classified and added to the Common Vulnerabilities and Exposures (CVE) database.

In China, there is a huge need for speed to market with IoT products. The faster a product gets to market, the more competitive advantage you will have. Adhering to code compliance will ensure that you at least cover the basic and known vulnerabilities. This is particularly relevant as IoT software development is often done using the C/C++ programming languages, which are well known for being error prone for memory corruption.

5. Why do you feel there are big issues with source code quality in China and how can XcalScan improve the source code quality?

Whereas many international markets have developed mature processes for the Software Development Lifecycle (SDLC), China by comparison remains relatively immature. Security along with quality assurance are often sacrificed due to the need for delivering products to market quickly. Developers are aware of the need for program quality; it is simply not practiced as rigorously as it could be. Along with this, many technologies that are available for design through to deployment are not regularly used. The use of static code analysis tools is few and far between and so more emphasis should be placed on this to ensure higher quality of code, standards compliance and fewer vulnerabilities.

6. Compared to the existing solutions, from the technical point of view, what are the advantages of the XcalScan?

Our key advantage is that we use state-of-the-art, in-depth compiler optimization technology to get a better understanding of how the application will run before it is compiled. We have developed new linear algorithms to improve analysis time and memory usage, which allows our solution to perform very aggressive analysis. We examine large source code bases from a holistic standpoint rather than examining one function at a time. This allows us to identify defects with a greater level of accuracy and produce fewer false positives in our results, which is a big concern to many of our users as it consumes time to manually check each one. Bugs similar to ‘HeartBleed’ would not have been discovered without looking at the source code with a wider scope of analysis. Compared to our competitors, we also have achieved greater accuracy for adhering to CERT rules.

In the future we will be looking at providing features so our customers can tailor rules by themselves, thus ensuring they can analyze code that works with data that is of the highest importance to their business. In the meantime, our industry goal is to foster a quality-first mindset and security by design approach for the software development community.
