Cosmo Overview
Welcome to the official documentation of Cosmo, the online analysis platform built to secure your embedded devices.
With Cosmo you can automate the analysis and the identification of security vulnerabilities inside your devices.
Cosmo will help you to:
unveil common vulnerabilities and exposures introduced by open source components in your device
uncover weak passwords hardcoded in your firmware
pinpoint potential exploits and vulnerabilities, exactly where they are introduced in the source code
isolate malware in your device filesystem
understand your software Bill of Materials, at a glance
How-to use Cosmo
Cosmo is a ready-to-use, easy-to-use online platform.
You have to perform simple actions to achieve great results:
- sign-up to Cosmo
- confirm the registration and login
- upload the firmware you want to be analyzed
- wait a few minutes for the analysis to be completed
- check the report of your firmware
Alternatively you can use the Command Line Interface (CLI) in order to automate the analysis processes.
Supported firmware images
Cosmo can analyze almost every firmware image:
Linux images (generic, Buildroot, OpenWrt and Yocto generated images)
Containers images (Docker and LXC supported)
VxWorks images
UEFI images
Next steps
The steps to start using Cosmo are described in the section Getting started.
Enjoy!
Getting started
This section describes the basic steps to follow in order to have Cosmo analyze your firmware and generate a report.
Let's start!
Sign-up
Cosmo is an online platform available at the web address cosmo.exein.io. The first step is to browse to the sign-up page, fill in the form with the requested fields and click the REGISTER button.
A confirmation email will be sent to your email address: follow the instructions and go to the next step.
Login
Once you have signed up to the platform you have to log in with your credentials.
The login form is shown in the next figure: just fill in your email address and password, then click the SIGN IN button.
Firmware image upload
Congratulations, you are in!
Now you can start uploading the firmware image you want to be scanned. You can drag and drop the chosen file or click the SELECT FILE button, then browse to the file path.
Cosmo will ask you to choose the firmware type and a report title.
The firmware type can be chosen among the following:
Linux - Generic
Linux - Buildroot
Linux - OpenWrt
Linux - Yocto
Container - Docker
Container - LXC
VxWorks - Generic
UEFI - Generic
Linux
For all the Linux-based firmware types, simply load the firmware image and select the build tool used to build the image, or select the firmware type "Linux - Generic" if you are unsure about it.
Docker
For Docker containers, run:
docker save $CONTAINER_NAME | gzip > $NAME.tar.gz
and then submit $NAME.tar.gz to Cosmo (e.g. docker save ubuntu:groovy | gzip > ubuntu.tar.gz).
LXC
For LXC containers, run:
cd /var/lib/lxc/$CONTAINER_NAME/; tar --numeric-owner -czvf $NAME.tar.gz *
and then submit $NAME.tar.gz to Cosmo.
VxWorks
For VxWorks firmware, load a VxWorks-based image (version: 5 or 6, arch: ARM or PPC) and select "VxWorks/Generic" as firmware type.
UEFI
For UEFI, run:
chipsec_util.py spi dump $NAME.bin
and then submit $NAME.bin to Cosmo.
Once you are done, click the SCAN FIRMWARE button: the image file will be uploaded and the scan will start automatically.
A progress bar will indicate the upload progress.
After the firmware image file is correctly uploaded and the scan started, a new entry will be shown in the report table.
The great wait
Cosmo will send you an email as soon as the scan has ended and the report is ready: it's time for a cup of coffee.
Alternatively you can upload other firmware images to Cosmo in order to queue your scans: click the NEW REPORT button and repeat the upload procedure with your new firmware image file.
Enjoy your report!
Once the scans are complete you will be notified by email: come back to the reports page and click the name of the report you want to check in detail.
Cosmo in depth
Cosmo rating
Every report has an overall rating associated. This rating represents the score (security level) of the scanned firmware image.
Rating levels are as follows:
A: Excellent security level
B: Good security level
C: Mediocre security level
D: Poor security level
E: Dangerous security level
The rating is shown in the reports table.
Analysis
During the scanning, Cosmo performs the following analysis processes:
CVE check
Password hash
Code analysis
Security scan
Binary analysis
NVRAM analysis
CVE check
The CVE Search Analysis identifies known vulnerabilities in open source components found in your firmware, categorised by severity. For each CVE, Cosmo gives you information about its remediation instructions.
Password hash
The Weak Password analysis looks for hard-coded weak passwords in your firmware.
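As an added illustration (not Cosmo's own code), a simplified check in the spirit of this analysis: it audits a constructed /etc/shadow taken from an embedded root filesystem and flags accounts with an empty password field, legacy or fast hash algorithms, and a password hash shared between accounts. The sample file and the set of "strong" crypt(3) prefixes are assumptions made for the example.

```python
# Constructed sample of an /etc/shadow file as found in an embedded root filesystem.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:18000:0:99999:7:::
admin::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
www-data:!:18000:0:99999:7:::
svc:$6$saltsalt$hashvaluehashvaluehashvalue:18000:0:99999:7:::
support:$6$saltsalt$hashvaluehashvaluehashvalue:18000:0:99999:7:::
legacy:abJnggxhB/yWI:18000:0:99999:7:::
"""

# Modern, slow crypt(3) hashes: sha256crypt, sha512crypt, yescrypt, scrypt, bcrypt.
# Anything else (md5crypt, traditional DES) is treated as weak in this example.
STRONG_PREFIXES = ("$5$", "$6$", "$y$", "$7$", "$2a$", "$2b$", "$2y$")

def audit_shadow(text):
    """Return a list of (user, issue) findings for the contents of a shadow file."""
    findings = []
    seen = {}  # hash field -> first user that used it (detects shared passwords)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw = line.split(":")[:2]
        if pw == "":
            findings.append((user, "empty password field: the account can log in without a password"))
            continue
        if pw[0] in "*!":
            continue  # locked account, no usable password hash
        if pw in seen:
            findings.append((user, f"same password hash as '{seen[pw]}': shared credential"))
        else:
            seen[pw] = user
        if pw.startswith("$1$"):
            findings.append((user, "md5crypt hash: fast to brute-force, migrate to sha512crypt or yescrypt"))
        elif not pw.startswith(STRONG_PREFIXES):
            findings.append((user, "legacy DES crypt hash: 8-character limit, trivially brute-forced"))
    return findings

def flagged_users(text):
    """Sorted list of accounts with at least one finding."""
    return sorted({user for user, _ in audit_shadow(text)})

if __name__ == "__main__":
    for user, issue in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {issue}")
```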
Code Analysis
The Secure Code Analysis looks for potential buffer overflow or command injection vulnerabilities inside your firmware binary executables.
Security Scan
The Malware Scan analysis looks for known malicious files (such as malware, trojan, etc.) within the file system.
Kernel Security
The Kernel Security analysis looks for third-party kernel security modules installed in the firmware. These modules provide additional security directly at kernel level, and having at least one of them in place is considered good practice from a security standpoint.
Binary Analysis
The Binary Analysis checks that the compiler settings for all executables conform to secure coding practices (i.e. Stack Canaries, etc.).
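An added example, not Cosmo's code: a minimal checksec-style inspection of the hardening properties this analysis reports. It reads the ELF64 header and program headers to decide PIE, non-executable stack and RELRO, uses the common __stack_chk_fail string heuristic for stack canaries, and builds a constructed header-only ELF image so it can be tested without a real binary.

```python
import struct

# ELF constants (System V ABI / elf.h).
ET_DYN = 3                  # shared object; a PIE executable is linked as ET_DYN
PT_GNU_STACK = 0x6474E551   # stack permissions requested by the binary
PT_GNU_RELRO = 0x6474E552   # region the loader makes read-only after relocation
PF_X = 0x1

def elf_hardening(data):
    """Return the hardening flags of an ELF64 image as a dict of booleans."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("only ELF64 images are handled here")
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    nx, relro = False, False   # no PT_GNU_STACK: Linux defaults to an executable stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "pie": e_type == ET_DYN,
        "nx": nx,
        "relro": relro,
        # Heuristic used by checksec-style tools: gcc's -fstack-protector emits a call
        # to __stack_chk_fail, whose name then appears in the dynamic string table.
        "canary": b"__stack_chk_fail" in data,
    }

def build_sample_elf(pie, exec_stack, relro, canary):
    """Constructed minimal little-endian ELF64 (headers only, no code) for testing."""
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK, 0x6 | (PF_X if exec_stack else 0),
                         0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0,
                       ET_DYN if pie else 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    strtab = b"\x00__stack_chk_fail\x00" if canary else b"\x00"
    return ehdr + b"".join(phdrs) + strtab

if __name__ == "__main__":
    print(elf_hardening(build_sample_elf(pie=True, exec_stack=False, relro=True, canary=True)))
```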
NVRAM Analysis
The NVRAM Analyzer looks for the definition and use of NVRAM variables. The results are structured in a table that shows the name of the executable, the NVRAM variable's name, and whether it is "set" or "get".
Config Analysis
The Config Analyzer looks for path environment variables and retrieves the commands that were launched to create the container.
PEIM/DXE Analysis
The Config Analyzer looks for path environment variables and retrieves the commands that were launched to create the container.
Secure Boot Analysis
The UEFI Secure Boot Analysis ensures that the Secure Boot verification mechanism is enabled and - if it is - it reports all the keys found in the firmware that denote trusted sources and vendors for the binaries.
Intel BootGuard Analysis
The Intel BootGuard Analysis ensures that the Intel BootGuard processor feature is enabled and - if it is - reports the chain of Intel BootGuard keys and their values. Intel Boot Guard is a processor feature that prevents the computer from running firmware images not released by the system manufacturer. Intel BootGuard attempts to protect the system before Secure Boot starts.
Access Right Analysis
The Intel BootGuard Analysis ensures that the Intel BootGuard processor feature is enabled and - if it is - reports the chain of Intel BootGuard keys and their values. Intel Boot Guard is a processor feature that prevents the computer from running firmware images not released by the system manufacturer. Intel Boot Guard attempts to protect the system before Secure Boot starts.
Attack Surface Analysis
The Attack Surface Analysis identifies NVRAM variables found in the UEFI and categorises them by their type (EVSA, VSS or NVAR). NVRAM variables are often exploited by attackers for executing malicious code. By knowing all your NVRAM variables, you can infer your attack surface.
Tasks Analysis
The Tasks Analysis looks for every task defined in the image.
Functions Analysis
The Functions Analysis looks for every function defined in the image.
Symbols Analysis
The Symbols Analysis looks for every symbol defined in the image.
Capabilities Analysis
The Capabilities Analysis determines the capabilities for each function defined in the executable.
Tools
Cosmo provides the following tools:
Filesystem Explorer
Crypto Analyzer
BOM Viewer
Filesystem Explorer
The Filesystem Explorer gives you a convenient way to browse the full firmware filesystem (directories, files, etc.). For each item found in the filesystem, Cosmo also returns its file type.
Crypto Analyzer
The Crypto Analyzer identifies all cryptographic material found in the file system or embedded in the binaries. Crypto files can be either public/private keys or certificates.
BOM Viewer
The BOM Viewer gives you a complete overview of the Software Bill of Materials of open source components, including fingerprinting versions and licenses.
The Cosmo CLI
The Cosmo CLI is the official Command Line Interface that lets you interact with Cosmo.
With the Cosmo CLI you can perform every operation enabled on the Cosmo platform (e.g. create a new scan or download reports).
Usage
Using the CLI is simple. The base syntax is:
cosmo [command] [arguments]
where command can be one of the following: login, logout, list, create (or new), overview (or show), analysis, delete (or rm), report.
Features in details
The features provided by the CLI are as follows:
Login/Logout
Scan CRUD operations
Get the report overview or the report details
Download the report PDF
Login
This command lets you perform the sign-in into the Cosmo platform.
$ cosmo login
Logout
This command performs the logout action. After logout any command will be rejected until the next login.
$ cosmo logout
Create new scan
With this command you can ask Cosmo to start a new scan on the specified firmware image.
$ cosmo create -f <fw-path> -t <fw-type> -n <report-name>
or $ cosmo new -f <fw-path> -t <fw-type> -n <report-name>
Delete existing reports
With this command you can ask Cosmo to delete an existing report.
$ cosmo delete -i <uuid-report>
or $ cosmo rm -i <uuid-report>
List personal reports
With this command you can ask Cosmo to list all the reports previously created.
$ cosmo list
or $ cosmo ls
Get the report overview
With this command you can ask Cosmo to show the overview of the report identified by uuid-report.
$ cosmo overview -i <uuid-report>
or $ cosmo show -i <uuid-report>
View analysis results
With this command you can ask Cosmo to show the whole analysis result.
The analysis type is passed as an argument with the option -a.
$ cosmo analysis -i <uuid-report> -a PeimDxe
For a paginated analysis result you can use the -p (page) and -l (limit) arguments:
$ cosmo analysis -i <uuid-report> -a PeimDxe -p 1 -l 10
Save PDF reports
With this command you can ask Cosmo to download and save the PDF report of a scan.
$ cosmo report -i <uuid-report>
Integrations
Cosmo integrates natively with the most popular build tools such as Yocto and Buildroot, so that security can be implemented right from day zero.
Buildroot
To generate a vulnerability report in the Buildroot environment follow the steps below:
- Clone the Buildroot integration repository at the same level as the Buildroot directory.
git clone https://github.com/Exein-io/cosmo-buildtools.git
- Instruct Buildroot to include the Exein Cosmo interface in its configuration.
make BR2_EXTERNAL=/path/to/cosmo-buildroot nconfig
- Execute make with the cosmo-check target
make cosmo-check
- Use the dashboard to explore your project
Yocto
To generate a vulnerability report in the Yocto environment follow the steps below:
- Download and extract the meta-exein layer.
- Run
meta-exein/recipes-exein/cosmo/files/cosmo login
- Add the meta-exein layer to your bblayers.conf file.
- Add
USER_CLASSES += "cosmo"
to your local.conf file.
- Build your image, for example run
bitbake core-image-minimal
- Use the dashboard to explore your project.
OpenWrt (yet to come)
Integration for OpenWrt is under development and will be soon available.