Archive for November, 2009

Please fill the tank, reboot the main CPU and oh don’t forget to clean the windshield.

Monday, November 30th, 2009

According to a recent article in the IEEE Spectrum, the cars we are driving (or at very least our managers) have more electronic control units (ECU) and lines of code than your typical commercial or military aircraft.

The avionics system in the F-22 Raptor, the current U.S. Air Force front line jet fighter, consists of about 1.7 million lines of software code. The F-35 Joint Strike Fighter, scheduled to become operational in 2010, will require about 5.7 million lines of code to operate its onboard systems. And Boeings new 787 Dreamliner, scheduled to be delivered to customers in 2010, requires about 6.5 million lines of software code to operate its avionics and onboard support systems. These are impressive amounts of software, yet if you bought a premium-class automobile recently, it probably contains close to 100 million lines of software code, says Manfred Broy, a professor of informatics at Technical University, Munich, and a leading expert on software in cars

Just like any other software, these millions of lines of code – parked in driveway – have exploitable bugs. A defect density rate of 0.4 defects per thousand lines of code combined with a conservative estimation of 5% of defects that are exploitable yields 2,000 exploitable bugs per 100 million lines of code!!!!!

So where does this leave the average commuter on the way from point A to point B. Probably quite afraid. Many of these bugs are an inevitable back door for hackers, raising serious security concerns.

Faulty lines of code are fact of life and there is not much we can do to pevent them, however some precautions can be taken to ensure that they are not exploited.

  1. Identify malicious code introduction targeted  at using existing exploitable flaws (e.g. secure boot and run time integrity verification).
  2. Allowing valid code images to be revoked and replaced with new, fixed images (renewability mechanisms).
  3. Preventing roll backs to faulty images (again, thru mechanisms like Secure boot and others).

No Comments

Intra-Vehicle Information Security Framework – 7th escar conference

Monday, November 23rd, 2009

Discretix’ Hagai Bar-El will present an internal information security services framework for vehicular environments. The frame-work consists of a logical toolbox a set of logical modules that are installed in a variety of embodiments (e.g., controllers) and which provide security functionality that vehicular applications often require. The framework also includes several enablers, which are higher-level security functions that are integrated into vehicular applications. These enablers use the aforementioned tools to provide for many typical use-cases, such as secure logging, secure code update, and secure feature activation. The purpose of the toolbox is to provide some of the common security functions at the highest e ective abstraction level, and to implement these functions securely in well suited environments. This detachment of security functions from the applications that use them shall allow vehicular application developers to reduce the breadth of security know-how that they shall possess, as well as to reduce the attack surface of their applications.

No Comments

Welcome – Ruthie Sharir – VP of Research and Development

Monday, November 23rd, 2009

Ruthie brings to Discretix more than 25 years of experience in areas such as networking, enterprise storage, real-time systems, software application development and communications controllers. As Discretix’ VP of research and development, she will oversee the company’s product development including system definition, hardware design and verification, software development and quality assurance.

No Comments

Discretix quoted in Business Week article entitled “Smartphones: A Bigger Target for Security Threats”

Tuesday, November 17th, 2009

As the iPhone, BlackBerry, and other devices have become more popular, harmful software such as viruses and spyware is emerging to exploit their vulnerability…
BusinessWeek Article

No Comments

The need for content and platform protection and the “cost” of poor security

Thursday, November 12th, 2009

Recent reports indicate widespread pirating of iPhone games.

  • FRally Master Pro 95% piracy
  • Tap-Fu game 70% piracy

    • Piracy is a fact of life, however at these levels its places a massive question mark over the viability of mobile game developers. When properly implemented digital rights management (DRM) is effective in ensuring a sustainable business for the developer community, offering attractive usage models and encouraging the legal usage of the content.

    In order for DRM to be effective it must be incorporated into the device from the ground up. DRM needs to have a “root of trust” in the application processor hardware, moreover the DRM application must be tightly integrated into the device OS. The device firmware and OS should also be better protected, with verification mechanisms, deployed at boot and run time. These embedded security mechanisms together with secure execution environment, secure key storage and robust crypto engines will also limit “Jailbreak” attacks.

    It is estimated that the cost of fixing a security problem grows by a factor of 10 for each successive phase of the product life cycle. While eliminating security breaks entirely is close to impossible, designing security into the system from the start creates a solution that is far more effective and ultimately significantly cheaper in the long run.

    No Comments

    iPhone doesn’t neither does Droid

    Monday, November 9th, 2009

    Verizon are doing level best to expose the weaknesses of the iPhone in the current “droiddoes” campain. Both the Apple iPhone and Motorola Droid devices are packed full of features, but both do not do security. The ability to install applications on the device – something common to all smartphones – comes with huge security risks, for individual subscribers, service providers and enterprises.

    Limiting subscribers to downloading applications from approved app stores, certainly mitigates some of the risk. However there are several well known and freely available cracks online that will effectively bypass almost any restrictions and protection mechanisms.

    Just in case the simple man on the street felt he had nothing to lose, vulnerabilities of the operating system pose other threats, placing the end-user at risk. Viruses and the trojan horse can reveal and/or modify personal information. These viruses can grab personal payment information such as credit card numbers, illegally obtain contact information from our private phone book stored on the mobile phone, and access our home network using a mobile device’s WiFi capabilities.

    As smartphones become more prevalent and entrenched in our work and home lives, their security requirements increase as well. Without such safeguards in place, people will never feel safe using smartphones, thereby preventing these powerful innovations from ever reaching their full potential.

    No Comments