Binary Code Analysis for IEC 62443-4-1 SVV-3

preview_player
Показать описание
The IEC 62443-4-1 standard mandates vulnerability testing for its third Security Verification and Validation (SVV-3) requirement. A sub-requirement targets binary executable files, including firmware with four types of problem to identify: known vulnerabilities, vulnerable third-party libraries, security rule violations and compiler settings.

Unfortunately, IEC 62443-4-1 does not offer supplemental guidance on how to do this beyond explicitly recommending experts be involved.

Hugo and the team Hitachi Energy Research faced this issue and created a methodology using fully open-source tools in two parts to help both developers and cybersecurity professionals to perform binary code analysis on their products. 

The first, aimed at developers and operators, catches low-hanging fruits, and provides enough context to help without the need for cybersecurity knowledge.

The second, aimed at cybersecurity professionals, builds on the first version while enabling power-user features and customization to cover more use-cases and allow them to create their own analysis.

Additionally, Hugo presents the challenges that binary code analysis is still facing and potential research directions including support for custom file formats and proprietary components.
  1. S4 Events
Рекомендации по теме
Binary Code Analysis 0:25:24

Binary Code Analysis for IEC 62443-4-1 SVV-3

MotionWorks IEC - 0:08:02

MotionWorks IEC - Logic Analyzer

Dynamische Codeanalyse und 0:11:23

Dynamische Codeanalyse und Code Coverage (064)

USENIX Security '21 0:12:55

USENIX Security '21 - ICSFuzz: Manipulating I/Os and Repurposing Binary Code to Enable Instrume...

ASCII, Unicode, UTF-8: 0:03:29

ASCII, Unicode, UTF-8: Explained Simply

Coding for global 0:39:05

Coding for global languages Unicode, charsets, strings and binaries - MARC SUGIYAMA

[CPP'23] ASN1*: Provably 0:24:36

[CPP'23] ASN1*: Provably Correct, Non-Malleable Parsing for ASN.1 DER

Combining Dynamic Testing 1:12:33

Combining Dynamic Testing and Static Analysis for ISO 26262 Development

Understanding the execution 0:15:10

Understanding the execution flow of the binary - White Box Unboxing 1/4 - RHme3 Qualifier

Qualification of Libraries 0:59:29

Qualification of Libraries Using Static Analysis and Requirements Based Testing - Joint webinar LDRA

Webinar CODESYS Profiler 0:27:47

Webinar CODESYS Profiler (E)

Improve the Software 0:49:46

Improve the Software Quality with Static Analysis

Lecture 'Channel Coding: 0:15:11

Lecture 'Channel Coding: Graph-based Codes', Chapter 4, Vid. 8, 'General Channels: EX...

How to use 0:07:13

How to use Prancer unified reporting feature for IaC Static code analysis (SCA) and CSPM

Analyzing TRISIS - 1:03:00

Analyzing TRISIS - the first Safety Instrumented System malware by K. Reid Wightman & Jimmy Wyli...

[CB16] Using the 0:46:41

[CB16] Using the CGC’s fully automated vulnerability detection tools by Inhyuk Seo & Jisoo Park...

Webinar: MotionWorks IEC 0:30:22

Webinar: MotionWorks IEC Programming Tips - Memory Allocation & Optimization

Binary Data Sizing 0:20:37

Binary Data Sizing & Measurement | OL | By ZAK

NDSS 2019 ICSREF: 0:21:07

NDSS 2019 ICSREF: A Framework for Automated Reverse Engineering of ICS Binaries

Units of Measurement 0:07:25

Units of Measurement - Binary and Metric

[Webinar] Elevating your 0:48:49

[Webinar] Elevating your Embedded ARM Project Security with Static Code Analysis

CC02B: Microcontrollers Enabling 0:36:17

CC02B: Microcontrollers Enabling Safer Designs -- Nelson Quintana

Cyber attacks - 0:45:27

Cyber attacks - Hitta CWE/SANS Topp 25 med CodeSonar

Implementing Commodore's IEC 0:25:55

Implementing Commodore's IEC bus protocol on a KIM-1 single board computer