Bugproof your Firmware with BugProve

Cristi Vlad
6 min read · Mar 30, 2023

I guess the graphic above captures the essence of BugProve, a recently launched European IoT security company.

I’m rarely excited when I see a new product or service emerging on the market because many of them are just very expensive abstractions for something that you could do yourself, provided that you click a few more buttons and run a few more commands here and there.

For example, I’d pay for Burp Suite Professional with my eyes closed because it helps me in my day-to-day work with my pentesting projects and my cybersecurity assessments. Likewise, ChatGPT4 falls into the same category, as well as my VPS provider. All of these offer sufficient value as free products, and then you get significantly higher value with their paid versions.

In my experience, that line of reasoning applies to BugProve as well. The simplest explanation of how BugProve works is this:

You see, that’s what I love about good products: they are intuitive.

You don’t need a user manual to use ChatGPT4. I couldn’t say the same thing about Burp Suite though, for which the learning curve is quite steep. Plus you need expertise in the field to know what you are doing.

As for BugProve, you can see how easy it is to use. As for what comes out of it, I think it can benefit several types of professionals:

  • expert researchers with deep knowledge of IoT security
  • bug bounty hunters
  • managers (thanks to the graphical presentation of the results).

Now, for an even better understanding of BugProve, let’s go through a typical firmware security analysis workflow.

1. Upload a firmware or an ELF binary

In this case, I’ll be using the Damn Vulnerable Router Firmware. Once your file is uploaded and before scanning, you can select a few different options for your analysis, but we’ll go with the defaults for this analysis.

2. After about 3–4 minutes, the initial analysis is ready

Here is the dashboard, where you get a few insights into the analysis, such as whether or not it completed successfully, the total number of vulnerabilities found along with their severity, and the unconfirmed findings.

It’s important to point out what happens under the hood. BugProve looks for:

  • 0-day vulnerabilities
  • coding mistakes
  • vulnerable dependencies
  • misconfiguration
  • other security issues.

3. Let’s dive deeper into the scan

Overview

This gives you a 10,000-foot view of the analysis, with the most important metrics on the security of the firmware. In this specific case, it found close to 2,000 issues, many of them of high and medium severity.

One of the most important things I need to point out here is the Zero Days Scans section. This leverages BugProve’s proprietary PRIS engine, which the company bills as the first of its kind to offer concolic analysis on binaries (combining concrete execution with symbolic execution to explore program behavior). PRIS is capable of finding buffer overflows, command injections, and a whole host of other security issues. In my view, this is one of their strongest selling points and it should be further developed and refined.

The analysis provides an initial subset of scans on binaries, but you can run subsequent PRIS scans on other binaries. The results of these scans are unconfirmed findings, which you, as an expert researcher, can then look deeper into and confirm or reject as valid findings.

And you can do this in the Weak Binaries section.

And this is what happens when you run a PRIS scan on a binary:

It tells you exactly where the issue was found, what its implications are, and how to remediate it. Then you can mark it as Accepted or Rejected.

Moving on to the Known Vulnerabilities section:

  • findings are ranked by severity, and you can further sort them by app or kernel.

Clicking on one of them will give more details about it, as well as the exact files that are affected by it. You can easily navigate to each via the File Explorer section. Quite handy!
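To make the Known Vulnerabilities idea concrete, here is an added example of the basic technique behind matching extracted binaries to known issues: pull version banners out of the raw bytes of a binary, normalise them into comparable version keys, and test them against affected version ranges. This is my own illustration, not BugProve’s code, and it says nothing about how BugProve’s scanner works internally. The advisory table (`ADVISORIES`, with `EXAMPLE-ADV-*` identifiers) and the sample blob are constructed placeholders; in practice you would load real rows from a feed such as NVD or OSV.

```python
"""Fingerprint third-party components in a firmware binary and match them
against a version-range advisory table.

Added example, not BugProve's code. It shows the basic technique only:
extract version banners from raw bytes, turn them into comparable version
keys, and test each one against (first_affected, first_fixed) ranges.
"""
import re

# Banner patterns as they appear in the strings of common embedded binaries.
BANNERS = {
    "busybox":  re.compile(rb"BusyBox v(\d+(?:\.\d+)+)"),
    "openssl":  re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "lighttpd": re.compile(rb"lighttpd/(\d+(?:\.\d+)+)"),
    "dropbear": re.compile(rb"dropbear_(\d{4}\.\d+)"),
}

# ASSUMPTION: placeholder advisory rows constructed for this example (the
# EXAMPLE-ADV ids are not real advisories). Load real rows from NVD/OSV in
# practice. A version is affected when first_affected <= version < first_fixed.
ADVISORIES = [
    ("busybox",  "1.0",   "1.21.0", "EXAMPLE-ADV-0001"),
    ("openssl",  "1.0.1", "1.0.1g", "EXAMPLE-ADV-0002"),
    ("lighttpd", "1.4.0", "1.4.30", "EXAMPLE-ADV-0003"),
]


def version_key(version):
    """Turn '1.0.1e' into ((1, 0, 1), 'e') so versions compare numerically.
    Plain string comparison gets this wrong: '1.4.9' > '1.4.35' lexically."""
    m = re.fullmatch(r"((?:\d+\.)*\d+)([a-z]?)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return (numbers, m.group(2))


def extract_components(blob):
    """Return {component: version} for every banner found in a byte blob,
    e.g. the contents of one extracted ELF. The first match per component wins."""
    found = {}
    for name, pattern in BANNERS.items():
        m = pattern.search(blob)
        if m and name not in found:
            found[name] = m.group(1).decode("ascii")
    return found


def match_advisories(components, advisories):
    """Return [(component, version, advisory_id)] for versions that fall
    inside an affected range."""
    hits = []
    for component, first_affected, first_fixed, adv_id in advisories:
        version = components.get(component)
        if version is None:
            continue
        key = version_key(version)
        if version_key(first_affected) <= key < version_key(first_fixed):
            hits.append((component, version, adv_id))
    return hits


# Constructed sample: the kind of strings `strings` prints for a router's
# BusyBox and OpenSSL binaries. Not taken from a real image.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"BusyBox v1.20.2 (2013-05-01 10:00:00 UTC) multi-call binary.\x00"
    + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
    + b"lighttpd/1.4.35\x00"
)

if __name__ == "__main__":
    components = extract_components(SAMPLE_BLOB)
    for component, version, adv_id in match_advisories(components, ADVISORIES):
        print(f"{component} {version}: affected by {adv_id}")
```

Note the lighttpd banner is deliberately outside its placeholder range, so it is extracted but not reported; that distinction between “present” and “affected” is exactly what a version-aware matcher buys you over a plain `strings | grep`.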

Finally, there’s the Cryptography section.

BugProve inventories the cryptographic material used in the firmware and assesses its strength against security best practices and industry standards.

Using this feature, you can quickly identify weaknesses such as short key lengths and the use of insecure hash functions, and you can inspect certificates for their parameters and expiration dates.
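As an added example of the kind of check this section automates, here is a small script of my own (not BugProve’s code) that walks an extracted firmware root filesystem and flags two findings that come up constantly in IoT images: private keys shipped inside the image, and weak or empty password hashes in `/etc/shadow`. The sample root filesystem it builds is constructed for the demo, the placeholder key body is not a real key, and the rating table is my own reading of the crypt(3) scheme prefixes.

```python
"""Triage the cryptographic material in an extracted firmware root filesystem.

Added example, not BugProve's code. It walks a directory (for example the
output of binwalk or unblob) and reports two classic firmware findings:
  1. private keys shipped inside the image (PEM blocks in any file), and
  2. weak, empty or legacy password hashes in passwd/shadow-style files.
"""
import os
import re
import tempfile

PEM_PRIVATE = re.compile(rb"-----BEGIN ([A-Z ]*?)PRIVATE KEY-----")

# crypt(3) scheme prefixes and how a reviewer should rate each one.
HASH_SCHEMES = {
    "$1$": ("md5crypt", "weak"),      # MD5-based, cheap to brute-force
    "$2a$": ("bcrypt", "ok"),
    "$2b$": ("bcrypt", "ok"),
    "$2y$": ("bcrypt", "ok"),
    "$5$": ("sha256crypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$y$": ("yescrypt", "ok"),
}


def classify_hash(field):
    """Return (scheme, rating) for one password field from passwd/shadow."""
    if field == "":
        return ("none", "critical")   # empty field: login with no password
    if field == "x":
        return ("shadowed", "ok")     # passwd entry deferring to /etc/shadow
    if field.startswith(("!", "*")):
        return ("locked", "ok")       # account disabled
    for prefix, result in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return result
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return ("descrypt", "weak")   # traditional DES crypt, 8-char passwords
    return ("unknown", "review")


def scan_passwd_file(text):
    """Return [(user, scheme, rating)] for every entry not rated 'ok'."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue
        scheme, rating = classify_hash(parts[1])
        if rating != "ok":
            findings.append((parts[0], scheme, rating))
    return findings


def scan_tree(root):
    """Walk an extracted rootfs and return sorted (finding, path, detail) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            for m in PEM_PRIVATE.finditer(data):
                kind = (m.group(1).decode("ascii") + "PRIVATE KEY").strip()
                findings.append(("private-key", rel, kind))
            if name in ("passwd", "shadow", "shadow-"):
                text = data.decode("utf-8", "replace")
                for user, scheme, rating in scan_passwd_file(text):
                    findings.append((f"password-hash:{rating}", rel, f"{user}:{scheme}"))
    return sorted(findings)


def build_demo_root():
    """Create a constructed sample rootfs (not a real firmware) in a temp dir."""
    root = tempfile.mkdtemp(prefix="fw-demo-")
    os.makedirs(os.path.join(root, "etc", "ssl"))
    with open(os.path.join(root, "etc", "shadow"), "w") as f:
        f.write("root:$1$abcdefgh$0123456789abcdefghijkl:18000:0:99999:7:::\n"
                "admin::18000:0:99999:7:::\n"
                "daemon:*:18000:0:99999:7:::\n"
                "user:$6$saltsalt$" + "A" * 86 + ":18000:0:99999:7:::\n")
    with open(os.path.join(root, "etc", "ssl", "server.key"), "w") as f:
        # Header only; the body is a placeholder, not real key material.
        f.write("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_demo_root()):
        print(*finding)
```

Run against a real extraction, the `private-key` hits are usually the quickest win: a TLS or SSH host key baked into the image is shared by every device running that firmware, which is exactly the kind of material a platform like this should surface before a researcher ever opens a disassembler.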

Reaching this level of insight usually takes researchers hundreds of hours, if not more. BugProve gets you there in a matter of minutes, after which you can go deeper manually or with PRIS as a sidekick.

You can try it out yourself for free if you’re a cybersecurity researcher or a bug bounty hunter. For enterprise-level plans, look no further than the pricing section.

Conclusion

It’s hard to believe there’s so much power all contained within a fresh platform. But I know that behind it sits a strong and cohesive team with years of experience in the field.

There are a few small things I’d like to see in the future:

  • Support for other binaries and formats. For example, I’d like to analyze a suspicious-looking .exe. Maybe this is not in the scope of BugProve since they don’t market themselves as such, but it would be a nice integration. I’m not asking for another VirusTotal, but I’m sure there’s room somewhere in between.
  • Seamless report generation. I’d like to be able to download a PDF with the findings, so that I can present it to other parties, such as management for example.
  • AI integration. It’s all about AI these days. I know this is not easy to implement, but similar to PRIS, it would be awesome to add a chat-like AI on top of the analyses. Or maybe within PRIS?

As someone with knowledge of IoT security (though not at expert level), I’m personally excited to experiment more with the platform, especially in bounty programs that include firmware in their scope. And I know there are already some published CVEs credited to BugProve and PRIS, so I feel like I’m missing out already.
