Company Overview
Metalware is the name of the company and also the name of its software product. The product mainly performs decomposition, simulation and fuzz testing of embedded firmware. Its positioning is precise: no existing open source tool can perform both component analysis and fuzz testing of embedded firmware in one workflow, which reflects the founders' deep research in this field.
Founded in June 2023, the company has two core founders, Ryan Chow and Andrew Nedea. The two met at SpaceX, where they mainly developed embedded firmware for Starlink-related devices, and they have studied the low-level code of embedded devices thoroughly. Before founding Metalware, Ryan Chow worked at SpaceX for 6 years and has about 10 years of work experience in total, so the founding team is relatively young. Beyond these two, the team composition is unclear; Crunchbase lists two company members [1].
Figure 1 Ryan Chow (CEO) and Andrew Nedea (CTO) [1]
On September 6, 2023, it received USD 3 million in financing from 8 investors [2]. No other financing has been obtained so far. However, given its small headcount, there is no financial risk in the short term.
Figure 2 Metalware’s financing situation
Product Introduction
1. Product Functions
Metalware specializes in fuzz testing embedded firmware to find more 0-day vulnerabilities. In terms of usability, its testing process can be integrated into the SDL process; in terms of scalability, the test target can be a single device or a combination of multiple devices; in terms of efficiency, it can give usable results within a few hours, which reduces the workload by more than half compared to manual testing and improves the ability to find critical vulnerabilities by 2-3 times.
Figure 3 Core Effect of Metalware
To achieve this, Metalware mainly did three things. First, it implemented a simulation platform that can automatically extract firmware components, then analyze and run the firmware for dynamic testing. The dynamic testing process monitors memory changes during execution, rather than only checking whether the program has triggered an observable exception (such as a hang).
Figure 4 Simulation Capability of Metalware
Second, it built a fuzz testing engine for embedded devices based on coverage-guided fuzzing, combined with symbolic execution to detect anomalies. To run the firmware more efficiently and accurately, a bootstrap is constructed to ensure that the chip firmware is correctly initialized in the simulation stage. At the same time, the peripheral register response mechanism of ARM Cortex-M series chips is modelled and implemented as MMIO to ensure that the chip's various communication functions respond correctly. According to its description, Metalware should use a fuzz testing tool similar to AFL++: after the simulation platform has successfully emulated and executed the firmware, it fuzzes the firmware at runtime. As a supplement, symbolic execution is used, and the conclusions of the two tests are combined to produce the final test results.
Figure 5 Fuzz Testing Capability of Metalware
Third, by analyzing stack data and classifying vulnerabilities by CWE, the exact conditions under which anomalies occur are recorded. Its internal logging system can also help users reproduce vulnerabilities accurately so that they can be fixed quickly.
Figure 6 Effective Verification and Output Reporting Capabilities of Metalware
Because Metalware's test objects (embedded devices) have a wide range of applications, its test tools can be used in aerospace, medical, automotive, industrial control, Internet of Things and other fields. The diverse types and complex functions of embedded devices make generic automated testing of such devices ineffective. If its testing tools can achieve accurate vulnerability discovery and reproduction as described in its introduction, its value is self-evident.
2. Supported firmware types
Metalware currently fully supports ARMv6-M and ARMv7-M (32-bit ARM Cortex-M microcontrollers), covering all bare-metal and RTOS applications. In terms of operating systems, it supports small real-time operating systems such as FreeRTOS, VxWorks, QNX, ThreadX, Zephyr and Nucleus. Mature operating systems such as Linux and Windows are not supported, which means it is only suitable for low-power, special-purpose embedded devices.
Since the external communication of such devices is usually controlled through memory-mapped registers that drive peripherals, Metalware developed MMIO emulation to simulate the responses of peripherals to the chip. This prevents the chip's register state from diverging from that of the real device when peripherals cannot be found, which would otherwise cause false alarms.
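The peripheral response mechanism described in the fuzzing section and again here is, in outline, an MMIO read hook whose register values are served from the fuzz input. The following is an added example, not Metalware's code: a hypothetical UART status/data register pair backed by the input, so that a firmware polling loop consumes the input and terminates instead of hanging or reading stale values. The register addresses, bit layout and the POLL_LIMIT watchdog are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical Cortex-M UART register map: addresses and bit layout are
 * assumptions for this example, not taken from any real chip. */
#define UART_SR    0x40004400u           /* status register */
#define UART_DR    0x40004404u           /* data register */
#define SR_RXNE    (1u << 5)             /* "receive data not empty" flag */
#define POLL_LIMIT 1000u                 /* emulator's hang budget per byte */
static const uint8_t *g_input;           /* fuzz input fed through the UART */
static size_t g_input_len, g_input_pos;
void mmio_set_input(const uint8_t *b, size_t n) { g_input = b; g_input_len = n; g_input_pos = 0; }

/* MMIO read hook: every load the firmware makes in the peripheral window is
 * routed here instead of to hardware that does not exist under emulation. */
uint32_t mmio_read(uint32_t addr) {
    switch (addr) {
    case UART_SR: return g_input_pos < g_input_len ? SR_RXNE : 0;
    case UART_DR: return g_input_pos < g_input_len ? g_input[g_input_pos++] : 0;
    default:      return 0;              /* unmodelled register reads as zero */
    }
}

/* Firmware-style receive routine: polls SR, reads DR, stops at newline or a
 * full buffer. Without an SR model the poll loop would spin forever and be
 * reported as a hang; POLL_LIMIT stands in for the emulator's watchdog. */
size_t firmware_read_line(char *out, size_t cap) {
    size_t n = 0;
    while (n + 1 < cap) {
        unsigned spins = 0;
        while (!(mmio_read(UART_SR) & SR_RXNE))
            if (++spins > POLL_LIMIT) { out[n] = '\0'; return n; }  /* input exhausted */
        char c = (char)mmio_read(UART_DR);
        if (c == '\n') break;
        out[n++] = c;
    }
    out[n] = '\0';
    return n;
}

/* Drives the routine over a constructed two-line input. Returns the number of
 * lines recovered intact, or -1 if a stale byte appears after exhaustion. */
int demo_lines(void) {
    static const uint8_t input[] = "hello\nworld";   /* constructed sample */
    char line[16]; int lines = 0;
    mmio_set_input(input, sizeof input - 1);
    if (firmware_read_line(line, sizeof line) == 5 && !strcmp(line, "hello")) lines++;
    if (firmware_read_line(line, sizeof line) == 5 && !strcmp(line, "world")) lines++;
    return firmware_read_line(line, sizeof line) == 0 ? lines : -1;
}
```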
3. Applicable targets
Metalware is suitable for three groups of users: attack teams, security teams on the buyer's side, and regulatory agencies. Attack teams can dig up more 0-days to enrich their arsenal. Buyers' security teams can detect more software vulnerabilities in advance and fix product vulnerabilities early. Regulators can use the software to test embedded devices and notify the corresponding companies to make corrections.
Similar Products/Companies
1. Refirm-labs
Refirm-labs [3] was a finalist in the 2018 Innovation Sandbox. Its founder, devttys0, is the creator of the binwalk tool. The company was acquired by Microsoft in June 2021 for an undisclosed amount.
Figure 7 Refirm-labs’ financing and acquisition information
2. Eclypsium
Eclypsium [4] was a finalist in the 2019 Innovation Sandbox. Compared with Refirm-labs, the company has grown rapidly and is competitive. It has raised more than $100 million in total, about $80 million of it in the past two years, mainly because it has expanded part of its business into supply chain security. It has now been recognized as a Gartner Cool Vendor, a TAG Cyber Distinguished Vendor, one of Fast Company's 10 Most Innovative Security Companies in the World, a CNBC Upstart 100 company, a CB Insights Cyber Defender and an RSAC Innovation Sandbox 2019 finalist.
Figure 8 Eclypsium’s Financing
3. FACT
FACT [5] is an open source firmware scanning platform that can be deployed on Linux either via Docker or from source. Its core function is to unpack firmware and analyze files or components in different formats. For executable programs, QEMU can be used for dynamic emulation, and potential CVE vulnerabilities and CWE defects in the firmware can also be discovered. However, FACT cannot do fuzz testing and only provides basic software component analysis. In general, firmware fuzzing still has to be done with fuzz testing tools such as AFL++, dyninst or Firm-AFL.
Figure 9 Analysis Functions Supported in FACT
Summary
Since 2017, this is the third vendor related to device firmware security. Of the first two, one was acquired and the other transformed into software component analysis and digital supply chain security, and after obtaining more financing it has been able to develop rapidly. Metalware provides a firmware fuzz testing solution with the goal of helping companies discover more security risks and fix them in time before the device is sold (that is, before the firmware is exposed to the market). Its positioning is also precise. Let's hope Metalware's financing goes smoothly, so that it can do more valuable work and maximize the security analysis of embedded devices.
At present, various countries have successively issued regulations that set out clear security requirements for IoT devices. Driven by regulation, Metalware does have its place. Coupled with Metalware's deep cultivation of the embedded firmware field, its future looks optimistic.
References
[1]. https://www.crunchbase.com/organization/metalware/profiles_and_contacts
[2]. https://www.crunchbase.com/organization/metalware/financial_details
[3]. https://mp.weixin.qq.com/s/9kinTwSPqrXJtcxmxYF-xA
[4]. https://mp.weixin.qq.com/s/vutOuBf_9fdjT4papuqB2Q
[5]. https://github.com/fkie-cad/FACT_core