Consumer Electronics Communication Device Provider
Creating Reliable Innovation with TrustInSoft
Challenge
A leading Consumer Electronics Communication Device provider wanted to ensure that the Trusted Execution Environment (TEE) of their flagship device, which hosts the main cryptographic functions and keys, could not be compromised. They decided to use TrustInSoft Analyzer to audit their TEE firmware and detect the remaining bugs and vulnerabilities. TEEs are secure environments or areas of a processor for executing code that requires a high level of trust. They protect devices and customers’ sensitive information for applications like fingerprint recognition, facial recognition, mobile payments, and so forth. For a TEE to fulfill its function, the behavior of its code must be perfectly deterministic, reliable, and impervious to attack. Therefore, it must be free of software errors that could be sources of anomalous behavior and vulnerabilities for hackers to exploit. In particular, it must be free of undefined behaviors (e.g., buffer overflows, integer overflows, uninitialized variables) which could leave room for anything to happen under hard-to-predict circumstances. Needless to say, hacking a TEE could affect millions of devices and users.
Solution
They analyzed the software with TrustInSoft Analyzer specifically to detect undefined behaviors in the source code that could lead to vulnerabilities in the TEE. They decided to generalize the inputs of all the critical functions of the TEE source code. This enabled them to exhaustively detect all undefined behaviors within the scope of the analysis. Following their detection and correction, they ran the analysis again to mathematically prove the absence of undefined behaviors in their software.
Results Achieved
TrustInSoft Analyzer exhaustively detected all the undefined behaviors left in the software and enabled the customer to achieve 100% test coverage of the critical functions within the parameters of their analysis. They found approximately 400 undefined behaviors across hundreds of thousands of lines of code, several of which were identified as CVEs. After this initial analysis phase, the process was automated in CI and run continuously throughout development to ensure that all bugs and vulnerabilities were removed as developers added or changed code, and that the software was secure before any new release to customers in the field.
Customer Benefits & Impact
This client can now confidently promote the safety and security of their communication device due to the exhaustive analysis of their TEE and other low-level components. TrustInSoft contributed to the enhancement of the safety and security of the devices. The client promotes security as a feature of their device to differentiate themselves from their competitors. This addresses the needs of end customers, who nowadays consider security one of the leading purchasing decision criteria.