SECUBIC is a research project funded by the French Agency for Research (France 2030) through the PTCC initiative operated by INRIA. SECUBIC is led by CEA List and brings together world-class research teams from CEA List, LORIA and Telecom Paris. Its headquarters are at the Campus Cyber cybersecurity hub in Paris, France.
Summary. Many everyday objects (like phones, routers, public transport vehicles, CCTV, etc.) are equipped with computer code in binary format ensuring their operation. At the same time, the reuse of off-the-shelf software components is a massive and widespread practice in computer program development. Therefore, software operating everyday objects may embed up to thousands of pre-existing software components, whose (open source) code was openly available on the Internet. These pre-existing components can implement various and potentially sensitive features, such as cryptography, data management or internet communication. Such a bloated software supply chain opens the door to specific attacks against the binaries included in everyday objects, such as exploiting known vulnerabilities or purposefully injecting vulnerabilities into pre-existing components.
When the user of an everyday object wants to ensure that its operating binary is not vulnerable to such attacks, they must use generic vulnerability detection techniques on the entire binary code. This requires considerable effort and is highly likely to miss many of the vulnerabilities. By replacing these generic techniques with a new approach dedicated to finding vulnerabilities caused by the software supply chain, the SECUBIC project aims to increase the detection capabilities for such vulnerabilities enough to enable their exhaustive neutralization (or exploitation, from an attacker’s point of view), within a reasonable time and budget. The result of the project will be a set of software tools implementing this dedicated approach and an evaluation of their effectiveness, notably on binary code coming from industrial and institutional partners.