Introducing: Centrifuge – Software Bill of Materials

Oct 3, 2018


Firmware is typically built from many software components assembled together to achieve the desired functionality of the product. Market pressure to release products quickly has pushed firmware developers to rely on existing Free and Open Source Software (FOSS) to reduce time to market. However, firmware developers rarely consider the vulnerabilities they introduce by using outdated and unpatched software components.
Today ReFirm Labs is excited to announce a new feature available to all platform subscribers. Software Bill of Materials, powered by Centrifuge™, generates a list of the open source components present in a firmware image by comparing the files found within the firmware against the files known to belong to each component. This lets our customers know exactly which components were used when the firmware was built and pinpoint potential risks by comparing those components with Guardian results.
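The file-to-component matching described above, as an added illustration that is not Centrifuge's code: an extracted firmware root is walked, each regular file is hashed, and the hash is looked up in a fingerprint table. The component names, file contents and the fingerprint table are all constructed for the demo; files that match nothing are reported separately, since an exact hash only recognises unmodified files.

```python
import hashlib
import os
import tempfile
def sha256_file(path: str) -> str:
    """Fingerprint one file by the sha256 of its contents."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

# Constructed fingerprint table (an assumption, not Centrifuge's data): files
# shipped by known open source components, looked up by sha256 of contents.
COMPONENT_FILES = {
    "busybox": {"bin/busybox": b"constructed busybox build A"},
    "dropbear": {"usr/sbin/dropbear": b"constructed dropbear build B"},
    "zlib": {"lib/libz.so.1": b"constructed zlib build C"},
}
FINGERPRINTS = {hashlib.sha256(d).hexdigest(): (c, n)
                for c, fs in COMPONENT_FILES.items() for n, d in fs.items()}

def build_sbom(root: str):
    """Walk an extracted firmware filesystem and match each regular file against
    the fingerprint table. Exact hashes only catch unmodified files; anything
    the vendor rebuilt or patched lands in `unmatched` for manual review."""
    components, unmatched = {}, []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if os.path.islink(full):
                continue  # hash each target once, not every symlink to it
            rel = os.path.relpath(full, root)
            hit = FINGERPRINTS.get(sha256_file(full))
            if hit:
                components.setdefault(hit[0], []).append(rel)
            else:
                unmatched.append(rel)
    return {c: sorted(p) for c, p in components.items()}, sorted(unmatched)

def demo():
    """Write a constructed firmware tree to a temp dir and run the matcher."""
    root = tempfile.mkdtemp()
    sample = {"bin/busybox": b"constructed busybox build A",
              "usr/sbin/dropbear": b"constructed dropbear build B",
              "lib/libz.so.1": b"constructed zlib build C",
              "etc/init.d/rcS": b"#!/bin/sh\n# vendor script, no fingerprint\n"}
    for rel, data in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return build_sbom(root)
```

The unmatched list is the part a reviewer should read first: a vendor-modified BusyBox or a statically linked library will not hash-match and is exactly where unpatched code tends to hide.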
This feature is a big first step towards providing a scalable and automated way for our customers to achieve software component transparency for their firmware images. As you may know, the security industry is currently working toward requiring manufacturers to provide a Software BOM with all of their product sales (to learn more about this effort and how it can help prevent attacks against firmware and other products, see the NTIA's Software Transparency working group page). However, these efforts are likely years away from being ratified by all the major device manufacturers and will only apply to new products and products still under a support contract. The Centrifuge™ Software BOM feature is available for all of our supported firmware types and is ready to use today! In the coming months we will add support for identifying the component version, and then correlate that data with our Guardian results. Stay tuned for more progress on this feature!