Extending security to installed low-level code and high-level applications is a fundamental requirement for the health of the IT ecosystem. Unfortunately, the solutions for validating the authenticity of firmware and software updates are failing to keep pace with two hyper-evolving adversaries. The first is the explosive growth of the threat surface, which is not being matched by scalable and reliable solutions. A blend of the Covid-19 pandemic, Industry 4.0, and the rapid proliferation of IoT devices is exposing a sheer volume of intertwined individual components, both sophisticated and “rushed to market”, that require monitoring and maintenance. The second adversary is monetarily driven, often politically motivated, and operating in a space where innovation is critical for self-preservation.
Successful infiltrations are now being labeled as terrorism and acts of war. The strategies of organized state-run adversaries are considered by some to be stacking the deck in their favor, with demonstrated increased sophistication and strict operational security. The widely publicized high-profile breaches linked to the suspected Russian-backed group UNC2452 started with SolarWinds and were used to access multiple high-value government entities, consulting organizations and non-governmental organizations in North America and Europe that hold data of high interest to the Russian government. Mandiant recently reported that UNC2452 continues to innovate and has been infiltrating technology services and resellers. Recent activity likely related to UNC2452 suggests that the target has shifted to multiple cloud solution providers and managed service providers. “The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts,” according to Mandiant’s report.
Modified firmware images quickly hijack and misuse the compromised component, allowing exploitation of shared services that is hard to detect, often until well after the damage has been done. Two CISA professionals recently encouraged agency CISOs and security chiefs to add firmware to their Software Bill of Materials immediately because, “the place we find the majority of exploits (most, not all) is in UEFI code.” You may also have noticed that recent firmware standards have been released, including NIST 800-53 Rev. 5, NIST 800-171, FedRAMP, and PCI DSS. While many are playing catch-up to meet recommended standards and implement controls within their organizations that demonstrate due diligence, others are developing new solutions that extend security to the low-level code.
Firmware and software unfortunately share many of the same vulnerabilities. A lack of proactive layered defenses and alerting tools, paired with the organizational challenge of managing an explosion of network-connected devices that require increasingly difficult patching, has resulted in a soft target that is being exploited (VPN attacks up nearly 2000% as companies embrace a hybrid workplace). Once the authentication method is circumvented, hackers can exploit hundreds of thousands of devices in seconds with a single targeted malicious update.
Just as the adversaries are displaying highly adaptive and flexible approaches, so should those tasked with protecting devices that can be compromised to gain access to critical data. So who should validate firmware and software updates, and at what stage, to ensure that they come from the trusted source, are properly signed, have not been altered, and carry only the intended payloads? Let’s explore the case for a third-party solution that ensures devices are only running valid, vendor-authorized code that has been verified not to contain modified or hidden threats.
To truly authenticate the application, the validation process needs to exist in a separate threat plane, and it needs to validate the actual software package, including source code, libraries, etc. This tool would protect the process from start to finish, including development, review, merge/publish, distribution, and execution. Using blockchain for such a tool creates the necessary secondary attack vector, one that is challenging for bad actors, along with powerful immutability not available in more pedestrian methods. As code is created and compiled, hash validation is performed to authenticate the components, as well as the compiled platform. Furthermore, as the firmware or application package is distributed and installed, it is checked again against the trusted hashes committed to the blockchain throughout the software development lifecycle. Such checks can also run periodically to prevent manipulation by actors that find alternative paths onto user machines.
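
The commit-then-verify flow described above can be sketched as follows. This is an added example, not Polymer Proof's code: a local hash-chained list stands in for the blockchain, and the function names, stage labels and sample firmware bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed placeholder for the first entry's predecessor

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(rec: dict) -> str:
    # Hash the fields that define an entry, including the link to its predecessor.
    body = {k: rec[k] for k in ("artifact", "stage", "digest", "prev")}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def commit(ledger: list, artifact: str, stage: str, payload: bytes) -> dict:
    """Append the payload's SHA-256 for one lifecycle stage to the ledger."""
    prev = ledger[-1]["entry_hash"] if ledger else GENESIS
    rec = {"artifact": artifact, "stage": stage,
           "digest": sha256_hex(payload), "prev": prev}
    rec["entry_hash"] = entry_hash(rec)
    ledger.append(rec)
    return rec

def chain_intact(ledger: list) -> bool:
    """Recompute every link; an edited or reordered entry breaks the chain."""
    prev = GENESIS
    for rec in ledger:
        if rec["prev"] != prev or rec["entry_hash"] != entry_hash(rec):
            return False
        prev = rec["entry_hash"]
    return True

def verify_package(ledger: list, artifact: str, payload: bytes,
                   stage: str = "publish") -> str:
    """Install-time or periodic check of a package against the committed hash."""
    if not chain_intact(ledger):
        return "ledger-tampered"
    trusted = [r["digest"] for r in ledger
               if r["artifact"] == artifact and r["stage"] == stage]
    if not trusted:
        return "unknown-artifact"
    # Compare against the most recent commitment for this artifact and stage.
    ok = hmac.compare_digest(trusted[-1], sha256_hex(payload))
    return "ok" if ok else "mismatch"

# Constructed sample data: a firmware image committed at build and publish time.
FIRMWARE = b"\x7fFWIMG constructed sample firmware v1.0"
LEDGER: list = []
commit(LEDGER, "router-fw-1.0", "build", FIRMWARE)
commit(LEDGER, "router-fw-1.0", "publish", FIRMWARE)
```

A local chain like this only detects edits that leave later links untouched; an attacker who can rewrite the whole list can recompute every link, which is why the trusted hashes have to live in a separate system such as the blockchain the article proposes.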
Another key vulnerability that is often overlooked is the embedded secrets that exist within the code bases themselves. It is believed this played a role in the SolarWinds breach, where credentials were stored in plain text, either in the code or in XML files. In many cases these credentials are a default password that the administrator is supposed to change. Far too often this does not happen. With this solution, after install the system could check the hash to ensure the password has been changed, rehash the new package, and proceed. If the password has not been changed, the system could begin reminding the administrator to do so – ensuring this critical vulnerability is closed.
Dell currently uses a somewhat similar non-blockchain embedded method to verify BIOS – but without the use of blockchain and a secondary application to perform the checks, the effectiveness of the solution is inadequate – leaving too many opportunities to circumvent the process. We believe that Polymer Proof is uniquely positioned to deliver this type of solution for several reasons. First, the throughput capabilities of our blockchain allow even the most widely distributed and used software applications to be checked in real time. Second, while it is true that the hashes could be committed to virtually any blockchain, Polymer Chain is the only one to combine the necessary performance with cost-effectiveness, keeping the solution from being cost prohibitive. Finally, the architecture of our solution ensures virtually every vulnerability gap that can be closed is closed. Polymer Proof with Polymer Chain has the ability to protect code from the time it is created on a developer’s machine through the time it resides and runs on the end-user’s devices, providing a strong protective layer on the software supply chain.