Comparisons
BugProve and Static Application Security Testing (SAST)
There are good SAST tools for C/C++ that could be used for IoT projects; however, these are completely agnostic to the IoT use case and are configured to check compliance against certain secure coding rulesets. Your team has probably experienced that even seasoned C/C++ professionals have a hard time understanding these standards, and it is especially hard to prioritise between the classes of findings in terms of practical security risk. Another problem is that on large codebases, SAST algorithms either take prohibitively long to run or produce a large number of false positives. This results in alert fatigue: the engineer or Product Security analyst tasked with fixing the vulnerabilities is going to feel hopeless looking at the numerous issues displayed on the dashboard. Triaging results becomes especially difficult once one verifies that a large percentage of the findings are not actual vulnerabilities.
No source code needed
BugProve does not require source code. Instead, we take the fully built device firmware image and take it apart. BugProve performs a composition analysis on the firmware to collect information on third-party open source libraries and proprietary code. It also pays special attention to networking code, which is more likely to contain issues that enable Remote Code Execution vectors.
For proprietary binaries, whether owned by the manufacturer's engineering team or by another party in the supply chain, such as the chipset vendor, BugProve creates a risk assessment. Using this information, we run our code analysis engine PRIS on executables and libraries automatically, or guide the user towards the components that we find suspicious in terms of code quality.
PRIS itself is a semi-dynamic security analysis engine that builds on cutting-edge ideas from academic research in program analysis; its main objective is to identify those vulnerabilities that have the highest potential of becoming practically exploitable security weaknesses. PRIS eliminates many of the false positives associated with SAST tools and implicitly incorporates a contextual understanding of the whole device firmware. It is better suited for IoT testing than conventional tools, and it focuses on the important vulnerability classes that top security researchers report most often for embedded systems.
BugProve and Software Composition Analysis (SCA)
BugProve is also an SCA tool for firmware binaries, as it assembles SBOMs automatically and cross-references known vulnerabilities (CVEs) for outdated components. Competing SCA solutions that work on binary code are expensive and are not tailored to IoT use cases. Some leading SCA solutions in the application security domain only handle technologies and programming languages that have an established package management solution, neglecting C and C++ as used in a typical IoT project.
BugProve and Dynamic Application Security Testing (DAST)
Finally, DAST tools are predominantly focused on web technologies. Many embedded devices feature web interfaces where certain techniques could theoretically be applicable, and BugProve’s research team is investigating the possibilities. However, completely dynamic testing approaches require a running firmware or access to the actual hardware. Emulation is difficult for embedded Linux devices and almost impossible for devices running an RTOS or bare-metal code.