00:00:00:12 - 00:00:03:15
Welcome to Cars, Hackers and Cybersecurity.
00:00:04:04 - 00:00:07:04
Here we break down the latest in automotive cybersecurity,
00:00:07:04 - 00:00:10:18
helping you stay ahead in building secure connected vehicles.
00:00:12:19 - 00:00:13:14
Hi.
00:00:13:18 - 00:00:16:03
Today we'll discuss dynamic SBOM
00:00:16:03 - 00:00:20:16
and explore its role in tracking live library calls to streamline security fixes.
00:00:21:07 - 00:00:23:11
Monitoring a system's SBOM,
00:00:23:11 - 00:00:26:02
which stands for Software Bill of Materials,
00:00:26:02 - 00:00:48:05
is a crucial part of developing and maintaining a secure system throughout its lifetime. Tracking the SBOM enables developers to continuously detect vulnerabilities and decide on proper mitigations. Dynamic SBOM, or DSBOM, represents an advancement in software security assessment compared to its predecessor, known as static SBOM.
00:00:48:07 - 00:01:13:18
While the static SBOM analysis provides a comprehensive overview of the system components, including libraries and dependencies, the dynamic SBOM adds a layer of real-time insight by actively monitoring the calls made to third-party libraries during code execution. The distinguishing feature of dynamic SBOM is its ability to accurately identify and track the actual usage of libraries within an application.
00:01:13:20 - 00:01:24:18
This real-time monitoring ensures a more precise understanding of the software's ecosystem and potential vulnerabilities, leading to more effective prioritization of security mitigations.
00:01:25:07 - 00:01:27:21
What are the benefits of DSBOM?
00:01:28:06 - 00:01:33:13
Dynamic SBOM makes prioritizing mitigations easier and far more effective.
00:01:33:13 - 00:01:41:12
For example, the static SBOM reported that CVE-2023-31484
00:01:41:12 - 00:01:44:13
is related to libperl 5.36.0.
00:01:44:15 - 00:02:05:10
The dynamic scan doesn't show any use of this library for this specific application. However, the dynamic SBOM does indicate that the application loads libcurl. By cross-referencing this with the static SBOM, one can see that the version of libcurl is 7.86.0, which has CVE-2023-27534.
00:02:05:10 - 00:02:12:18
It's now easy to determine prioritization if this application needs to be assessed.
00:02:12:20 - 00:02:13:19
CVE-2023-31484
00:02:13:19 - 00:02:15:04
for libperl
00:02:15:04 - 00:02:20:20
can wait, while CVE-2023-27534
00:02:20:20 - 00:02:24:04
for libcurl is more urgent.
00:02:24:15 - 00:02:26:20
How DSBOM works.
00:02:27:06 - 00:02:38:03
At the outset, the PlaxidityX DSBOM replaces all calls to the dynamic libraries with a trap, interrupt or breakpoint. It works on x64
00:02:38:03 - 00:02:39:19
and AArch64.
00:02:39:22 - 00:02:45:23
This is accomplished by replacing the assembly code in memory. Then the code is executed.
00:02:46:01 - 00:02:54:14
Key considerations for using dynamic SBOM. It's important to take into account the following considerations when utilizing dynamic SBOM.
00:02:54:14 - 00:02:58:04
Why use DSBOM instead of ltrace? ltrace
00:02:58:04 - 00:03:04:07
records every call to external libraries, including those that repeat themselves, resulting in slower performance.
00:03:04:14 - 00:03:10:21
DSBOM, on the other hand, registers each call only once, optimizing speed and efficiency.
00:03:10:21 - 00:03:19:07
Additionally, ltrace only has visibility into the direct calls from the app, but cannot track inner functions or transitive calls from other libraries.
00:03:19:11 - 00:03:33:11
In contrast, DSBOM can identify the critical path within the code. For instance, if a vulnerability exists in a particular function, DSBOM can provide an alert even if the call comes from a third-party library.
00:03:33:13 - 00:03:36:12
Use DSBOM to complement static analysis.
00:03:37:04 - 00:04:04:20
Dynamic SBOM complements static analysis, but cannot replace it entirely for several reasons. Incomplete coverage: dynamic analysis may not provide full coverage of all application functionalities due to insufficient code coverage, necessitating the use of static analysis to identify potential exploits. Dependency impact: even if a particular library is not directly utilized by the main application,
00:04:04:22 - 00:04:22:16
another component or subsystem may rely on it, impacting the prioritization of vulnerability fixes. Unused libraries: identifying and removing unused libraries from the system based on dynamic SBOM results can enhance system security by reducing attack surfaces.
00:04:23:08 - 00:04:37:15
Coverage and effectiveness: the results of dynamic SBOM correlate directly with the coverage achieved during monitoring. Higher coverage achieved through comprehensive testing methodologies like unit tests or products such as PlaxidityX
00:04:37:15 - 00:04:46:04
Auto Test or Automotive Fuzz Testing tool leads to more reliable and actionable results for enhancing system safety and security.
00:04:46:06 - 00:04:53:15
Line coverage measures the percentage of code lines executed during testing. This is the metric used in DSBOM analysis.
00:04:53:15 - 00:05:03:04
The fact that DSBOM relies on coverage means that even with high coverage, if it doesn't cover the areas where the libraries are called, the results will still be poor.
00:05:03:06 - 00:05:16:02
Therefore, it's a matter of coverage quality, not just quantity. Another point worth mentioning is that DSBOM also reports on all required libraries, even if they were not called. For example, none of their functions were called.
00:05:16:02 - 00:05:22:00
In a sample we took, we saw that only 11% of the loaded libraries were called in areas with high coverage.
00:05:22:00 - 00:05:23:21
This could mean three things.
00:05:24:18 - 00:05:49:10
Dead code: there is unnecessary use of third-party code that is not needed. Two, low coverage: this code is not tested. Third, a transitive dependency: there is nothing to do, as it's common to utilize only partial functionality of a library. Following the DSBOM analysis, we can see that only 14 out of 1000 libraries are actively used.
00:05:49:12 - 00:06:09:03
This is critical insight when it comes to prioritizing vulnerability mitigations. Such a streamlined approach makes the lives of CISOs much easier, not to mention the programmer and product manager. Highlighting the areas that have more critical vulnerabilities simplifies decision making, as well as helping analysts avoid alert fatigue.
00:06:09:12 - 00:06:10:15
In conclusion,
00:06:11:01 - 00:06:20:16
dynamic SBOM has emerged as a pivotal tool in enhancing software security assessment by providing real-time insights into library usage during code execution.
00:06:20:17 - 00:06:53:00
Its ability to complement static analysis, although not entirely replace it, showcases its importance in uncovering vulnerabilities that static analysis alone may overlook or prioritize incorrectly. By accurately identifying and tracking library usage, dynamic SBOM aids in prioritizing security mitigations effectively. However, it's also crucial to note that the dynamic SBOM's coverage and effectiveness are directly tied to monitoring coverage, emphasizing the need for comprehensive testing methodologies.
00:06:53:02 - 00:07:04:20
Additionally, the reporting of all required libraries, regardless of their usage, serves as a valuable indicator of system requirements and potential issues such as dead code or low testing coverage.
00:07:04:20 - 00:07:05:23
Dynamic SBOM,
00:07:06:00 - 00:07:15:06
when integrated judiciously alongside static analysis, can contribute significantly to fortifying software ecosystems against potential threats.
00:07:16:20 - 00:07:22:18
That's all for today's episode. Keep your engines running smooth and your cyber defenses sharp.
00:07:22:18 - 00:07:27:06
Stay connected by subscribing and visiting PlaxidityX.com.
00:07:27:07 - 00:07:31:07
Until next time, stay safe on the road and in the cloud.