Patching embedded systems aids cybersecurity efforts

Improving the process of patching code in vulnerable embedded systems is a major cybersecurity concern because much of the code currently running is vulnerable to hackers.

By Kelsey Schnieders Lefever August 25, 2020

Three Purdue University researchers and their teammates at the University of California, Santa Barbara and Swiss Federal Institute of Technology Lausanne (EPFL) have received a DARPA grant to fund research that will improve the process of patching code in vulnerable embedded systems.

Purdue’s Antonio Bianchi and Dave Tian, both assistant professors of computer science; and Dongyan Xu, the Samuel Conte Professor of Computer Science and director of CERIAS (the Center for Education and Research in Information Assurance and Security); and their team members received the grant, which totals about $3.9 million as part of a project called “Assured Micropatching.” The project is expected to last four years.

“Many embedded systems, like computer systems running in trucks, airplanes and medical devices, run old code for which the source code and the original compilation toolchain are unavailable,” Bianchi said. “Many old software components running in these systems are known to contain vulnerabilities; however, patching them to fix these vulnerabilities is not always possible or easy.”

Without source code, patching a vulnerability necessitates editing the binary code directly, Bianchi said. Additionally, even in a system that has been patched, there is no guarantee that the patch will not interfere with the original functionality of the device. Because of these difficulties, he said, the code running in embedded systems is often left unpatched, even when it is known to be vulnerable.

The team’s proposed approach entails defining and verifying a set of properties that a patch must have to ensure it doesn’t interfere with the device’s original functionality. The research also aims to develop automatic and minimal code patching for devices that may be vulnerable to cyberattacks. Minimizing modifications, Bianchi said, will require minimal resources to verify the patched code and prevent the device’s functionality from being harmed. In addition, they will also develop new ways to test the patched code, which does not require it to run on real hardware.

All three researchers are affiliated with CERIAS, which is providing administrative assistance. The researchers are looking for graduate and undergraduate students and postdoctoral researchers to work on this project.

– Edited by Chris Vavra, associate editor, Control Engineering, CFE Media and Technology, cvavra@cfemedia.com.


Author Bio: Kelsey Schnieders Lefever, Purdue University