Security is of utmost concern for embedded software used in the mobile, IoT and automotive industries. Most such software is built from open source software (OSS) components, even though significant security vulnerabilities have been discovered in many of them. Although newer versions of the components without the vulnerabilities are usually available, developers often neglect to adopt them. To make matters worse, the third-party software that many companies rely on is distributed in binary form without the source code, making it extremely difficult to identify potential security issues.
The general public saw a large-scale example of this problem in the 2017 Equifax breach. Attackers exploited a vulnerability in the Apache "Struts" component to expose the private information of over 148 million people. Despite having more than two months to apply preventive measures, Equifax failed to address the issue. The breach was a vivid reminder that OSS vulnerabilities are a common target for attackers, and it demonstrated the difficulty enterprises face in monitoring and mitigating this type of risk.
Insignary Clarity enables proactive scanning of embedded firmware, or any other binary, for known and preventable security vulnerabilities, and also identifies potential license compliance issues. Clarity uses fingerprinting technology that works on the binary itself, without the source code or reverse engineering, making it simple for companies to take proper preventive action before their products are deployed.
Insignary Clarity is unique in that it extracts "fingerprints" from the target binary code and compares them against fingerprints collected from open source components in numerous open source repositories.
How Clarity Works
Clarity compares symbol and string tables (fingerprinting), which enables high-fidelity scanning of binary code in firmware without any reverse engineering.
Once Clarity has determined which open source components are present in the binary, it looks for the compliance and security issues commonly associated with them. Clarity can help monitor supply chains by automatically identifying open source code in firmware, discovering real-world open source issues.
Build a database of open source component fingerprints.
Extract fingerprints such as strings, function names, or variable names from the target binary file or firmware.
Match the fingerprints extracted from the target binary file or firmware against the fingerprints in the open source database.
Generate a Bill of Materials for proper open source risk and license management.
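The four steps above, as an added illustration that is not Insignary's code and does not describe Clarity's actual fingerprint format or database: a small Python scanner that pulls printable strings out of a binary the way `strings` does (symbol names in an unstripped binary are recovered by the same pass), scores them against a constructed fingerprint database of two hypothetical components (examplelib and otherutil, with two versions of examplelib), and emits a bill of materials that also flags a component when the database knows a newer version. The firmware bytes, component names and fingerprint strings are all constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Step 1: constructed, hypothetical fingerprint database, component@version ->
# strings that the component's compiled objects carry in their string/symbol
# tables. Illustrative entries only, not records from any real scanner.
FINGERPRINT_DB: Dict[str, Set[str]] = {
    "examplelib@1.0.2": {
        "examplelib 1.0.2 (c) Example Project",
        "examplelib_init", "examplelib_parse_header", "examplelib_free",
        "examplelib: invalid header length",
    },
    "examplelib@1.0.4": {
        "examplelib 1.0.4 (c) Example Project",
        "examplelib_init", "examplelib_parse_header", "examplelib_free",
        "examplelib: invalid header length",
        "examplelib: header length exceeds buffer",  # string added in 1.0.4
    },
    "otherutil@2.3.0": {
        "otherutil version 2.3.0",
        "otherutil_open", "otherutil_close", "otherutil: cannot open %s",
    },
}

MIN_LEN = 4
_PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Constructed firmware image: a few header bytes, NUL-separated string/symbol
# table entries from examplelib 1.0.2, vendor code, and one stray otherutil name.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x00".join([
        b"examplelib 1.0.2 (c) Example Project",
        b"examplelib_init", b"examplelib_parse_header", b"examplelib_free",
        b"examplelib: invalid header length",
        b"vendor_main", b"\x01\x02\x03", b"otherutil_open",
    ])
    + b"\x00\xff\xfe"
)


def extract_strings(blob: bytes) -> Set[str]:
    """Step 2: every run of >= MIN_LEN printable ASCII bytes, like `strings`."""
    return {m.group(0).decode("ascii") for m in _PRINTABLE.finditer(blob)}


def score_components(extracted: Set[str]) -> List[Tuple[str, float]]:
    """Step 3: fraction of each component@version's fingerprints found."""
    return [(comp_ver, len(fp & extracted) / len(fp))
            for comp_ver, fp in FINGERPRINT_DB.items()]


def parse_version(ver: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in ver.split("."))


def build_bom(blob: bytes, threshold: float = 0.6) -> List[dict]:
    """Step 4: one BOM entry per component that clears the match threshold.

    When several versions of one component match, the highest coverage wins;
    the version-specific strings (copyright line, strings added in later
    releases) are what separate examplelib 1.0.2 from 1.0.4. A component
    is marked outdated when the database holds a newer version than the
    one found.
    """
    extracted = extract_strings(blob)
    best: Dict[str, Tuple[str, float]] = {}
    for comp_ver, score in score_components(extracted):
        if score < threshold:
            continue  # a stray shared name is not evidence of the component
        name, ver = comp_ver.split("@")
        if name not in best or score > best[name][1]:
            best[name] = (ver, score)

    latest: Dict[str, str] = {}
    for comp_ver in FINGERPRINT_DB:
        name, ver = comp_ver.split("@")
        if name not in latest or parse_version(ver) > parse_version(latest[name]):
            latest[name] = ver

    return [{
        "component": name,
        "version": ver,
        "match": round(score, 2),
        "latest_known": latest[name],
        "outdated": parse_version(ver) < parse_version(latest[name]),
    } for name, (ver, score) in sorted(best.items())]


if __name__ == "__main__":
    for entry in build_bom(SAMPLE_FIRMWARE):
        print(entry)
```

Two things the toy makes visible: the threshold is what keeps a single coincidental hit (`otherutil_open` here) from producing a false positive, and a stripped binary loses its symbol names but keeps its string literals, so version banners and error messages do most of the identification work in practice. A real scanner would parse the ELF or PE symbol and string tables directly rather than raw-scanning the image.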
Clarity Supports Your Processes
Clarity is available as a cloud-based or on-premise solution and can be used through its own dedicated graphical user interface or from the command line, for automated execution from scripts, build tools, or other security and compliance monitoring solutions.
Clarity reports in Modular JSON, CSV, HTML and Excel formats to deliver customizable information to support your existing processes.
Clarity also provides "fuzzy matching" of binary code, and supports LDAP, a RESTful API, and automation servers such as Jenkins. Due to its accuracy and extensive OSS coverage, Clarity has emerged as the tool of choice for customers with varying OSS management requirements, ranging from embedded software scanning to large-scale IT infrastructure scanning.