Three Purdue University researchers and their teammates at the University of California, Santa Barbara and Swiss Federal Institute of Technology Lausanne have received a DARPA grant to fund research that will improve the process of patching code in vulnerable embedded systems.
“Many embedded systems, like computer systems running in trucks, airplanes and medical devices, run old code for which the source code and the original compilation toolchain are unavailable,” Antonio Bianchi, assistant professor of computer science at Purdue University said.
“Many old software components running in these systems are known to contain vulnerabilities; however, patching them to fix these vulnerabilities is not always possible or easy.”
Without source code, patching a vulnerability necessitates editing the binary code directly, Bianchi said. Additionally, even in a system that has been patched, there is no guarantee that the patch will not interfere with the original functionality of the device. Because of these difficulties, he said, the code running in embedded systems is often left unpatched, even when it is known to be vulnerable.
Ensuring the patch doesn’t interfere with device functionality
The team’s proposed approach entails defining and verifying a set of properties that a patch must have to ensure it doesn’t interfere with the device’s original functionality. The research also aims to develop automatic and minimal code patching for devices that may be vulnerable to cyberattacks.
Minimizing modifications, Bianchi said, will require minimal resources to verify the patched code and prevent the device’s functionality from being harmed. In addition, they will also develop new ways to test the patched code, which does not require it to run on real hardware.