SBoM Annotations and Audits

Main Room,

SBoM Annotations and Audits

When firmware is only available in binary form, i.e., the end user or corporate
entity has no access to its source code, quality and security assessment is
limited by legal constraints, and fixing bugs and flaws harder to achieve. While
possible escape hatches have been developed, such as replacing large parts of
the stock firmware with auditable environments like LinuxBoot, some uncertainty
still remains regarding drivers and other components that cannot be removed.
However, there are still options to help oneself where the OEM or other vendor
does not offer the flexibility or assurance one needs: We can build up a
knowledge database of drivers, offer guidance towards patching or replacing
them, and provide the tooling to automate the process. With Fiedka the firmware
editor
, components can be annotated and those annotations
exported for reuse. In this short talk, we will evaluate the necessary workflows
and discuss user experience design considerations around the process.