ForDaySec: Security for Everyday Digitization

Sponsored by Bayerisches Staatsministerium für Wissenschaft und Kunst.

The ForDaySec research network employs an interdisciplinary approach towards protecting everyday digitization. Our methods aim at dealing with existing systems that cannot be changed at will (e.g., because no new software can be installed) and will be usable without detailed specialist knowledge. The project deals with the concrete safeguarding of individual components (hardening or encapsulation), with the secure networking of these hardened individual components to form complex applications and systems, and with the human-centred design of technology and interfaces to users.

Our subproject aims to reliably close vulnerabilities in firmware even without manufacturer support. To do this, we will first develop a method to identify existing open source code in firmware. This allows firmware to be broken down into known and unknown (manufacturer-specific) components. Based on published vulnerabilities in certain versions of open source packages, patterns are to be generated so that they can then be found directly in a firmware binary.

A tailor-made patch should then be created for these vulnerabilities. Since source code is often not available for manufacturer-specific components, they cannot be reliably recompiled. Therefore, the patch should be applied directly to the binary file in a minimally invasive manner. If only local code is to be changed immediately, a patch must be adapted exactly to the target program, since the compiled binary files can differ greatly from one another with the same source code. If a new version of an entire program or package is to be imported, external dependencies and interfaces to other programs must be taken into account.

Our partners in the ForDaySec network are the following Bavarian universities:

• Universität Passau
• Universität Bamberg
• Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU)
• Technische Universität München (TUM)