An engineer at self-driving car service Cruise is easing the pain with the release of FwAnalyzer, a tool he and his Cruise colleagues developed themselves. Collin Mulliner spent more than a decade scouring firmware found in phones and other devices before becoming Cruise’s principal security engineer. He helped write FwAnalyzer to provide continuous automated firmware analysis that could aid engineers at any phase of the code’s lifecycle.
The tool has a menu of configuration rules engineers can select to tailor the analysis. The options include rules that are applied to file metadata such as permissions, type and ownership, rules that target the content of a file, and rules that analyze file system metadata. The rules can be used to detect SETUID files, which helps identify potentially dangerous executables. They can also be used to identify any debugging code that was mistakenly left behind, which can help prevent hackers from later misusing that code. The full capabilities go well beyond that.
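The kinds of checks described above (file permissions and ownership, SETUID detection, and file-content rules for debugging leftovers) can be sketched as follows. This is an added example, not FwAnalyzer's code or rule syntax: it assumes the firmware root filesystem has been exported as a tar archive, and the allowlist, marker patterns, rule names and sample image are all hypothetical and constructed for illustration.

```python
import io
import re
import stat
import tarfile

# Hypothetical policy for this example; this is not FwAnalyzer's rule syntax.
SUID_ALLOWED = {"bin/su"}
DEBUG_MARKERS = re.compile(rb"gdbserver|DEBUG_BUILD=1")

def audit_rootfs(tar_bytes):
    """Return sorted (rule, path) findings for a root filesystem tarball."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar:
            if not member.isfile():
                continue
            path = member.name.removeprefix("./")
            # Metadata rules: permissions and ownership.
            if member.mode & (stat.S_ISUID | stat.S_ISGID) and path not in SUID_ALLOWED:
                findings.append(("suid-not-allowed", path))
            if member.mode & stat.S_IWOTH:
                findings.append(("world-writable", path))
            if path.startswith("etc/") and member.uid != 0:
                findings.append(("etc-not-root-owned", path))
            # Content rule: debugging leftovers inside the file body.
            if DEBUG_MARKERS.search(tar.extractfile(member).read()):
                findings.append(("debug-leftover", path))
    return sorted(findings)

def build_sample_rootfs():
    """Constructed sample image: (path, mode, uid, content) entries."""
    entries = [
        ("bin/su", 0o4755, 0, b"\x7fELF su"),
        ("usr/bin/diag", 0o4755, 0, b"\x7fELF diag"),
        ("etc/init.d/rcS", 0o755, 0, b"#!/bin/sh\ngdbserver :2345 /usr/bin/app &\n"),
        ("etc/app.conf", 0o666, 1000, b"mode=production\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, uid, data in entries:
            info = tarfile.TarInfo(name)
            info.mode, info.uid, info.size = mode, uid, len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    for rule, path in audit_rootfs(build_sample_rootfs()):
        print(f"{rule}: {path}")
```

Run against every build in a CI job, a non-empty findings list can fail the pipeline before an image with an unexpected SETUID binary or a leftover debug service ships.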