Self-Protected Devices

The seamless security approach for embedded systems

Why Self-Protection

Connected devices can’t run bolt-on cybersecurity products such as anti-virus or EDR tools. To enable them to be protected from cyberattacks, connected devices must embed cybersecurity capabilities in their software. Such measures enable the devices to be deterministically self-protected against attacks, without relying on frequent updates or connectivity.

Seamless to Developers

Karamba’s runtime integrity software is seamlessly integrated with the device’s development lifecycle, without changing development processes or interfering with developers. In runtime Karamba’s software performs continuous integrity checks, enabling the device to be-self protected against deviations from the device’s factory settings assuring software integrity.

Feather-light Footprint

Connected devices are often constrained by limited resources, such as CPU power and memory size. In addition, connectivity may also face performance limitations in terms of bandwidth, availability, and costs. Karamba’s patented embedded security agents were designed and implemented with low CPU and memory size of ~5%, ~10% image size and no impact on network overhead.

How to Achieve Self Protection

By integrating Karamba’s tools to the device’s development toolchain, product security teams implement deterministic product security measures with no impact on R&D processes, development timelines, or architectures.

Runtime Integrity Platform

Karamba XGuard platform automatically scans binaries and creates a factory-settings baseline which reflects legitimate binaries, messages and functions calls of the device’s software. Changes from that automatically-created model indicate an exploit attempt, i.e. a cyberattack.

Control Flow Integrity (CFI)

In-memory attacks leverage memory corruption vulnerability to perform remote code execution and other code reuse attacks. XGuard Control Flow Integrity deterministically detects illegitimate memory utilizations of the fileless attacks and can block and report the events. Karamba’s patented CFI has a negligible, 5%, impact on CPU performance and memory usage, applicable to embedded environments.

Executables Whitelisting

In dropper attacks, a self-contained malicious program, library, or script is added to the device and triggered to execute during runtime. Dropper attacks commonly following other exploitations, in order to execute the actual malicious behavior, or to establish a command and control channel.

Applying whitelisting is a strong protection against file traversal and other exploits but it is typically difficult to manually implement and maintain. XGuard Whitelisting automatically creates binary whitelists during the image build process, without developer intervention and without any need to change version release plans.

Authentication Encryption

Critical commands over the network need to be authenticated and doing so with zero network overhead is the unique approach of SafeCAN. Saturated CAN networks can’t handle additional security requirements and with SafeCAN, the critical use cases of safety and mission critical messages are protected with negligible performance impact on the ECUs involved.

Self-Protection Advantages

ECU Protects Itself

Automatic Build

Requires zero developer intervention or updates during the software development lifecycle. XGuard and SafeCAN fit into the current build tools and existing hardware.

Zero False Positives

Strong Defense

Runtime protection, software hardening, and network authentication encryption defend against malware introduction, ransomware, advanced persistent threats, and fileless attacks, preventing remote code execution attempts.

Supports all ECUs

Negligible Performance Impact

Optimized for embedded systems, this patented method enables runtime protection with less than 5% CPU overhead and 0 CAN network overhead.

See Why Our Security Solutions Win Awards

paper

XGuard for Automotive

Read about the products of XGuard Suite and how they protect automotive systems and devices.

paper

XGuard for IoT Device Security

Read about the products of XGuard Suite and how they protect IoT devices.

paper

XGuard Bolt-On Security for IoT

XGuard controls can be added on after the build.

Want to learn more?

Contact Us
Loc

Israel

24 HaNagar Street
Hod Hasharon
45277-13
Tel: +972 9 88 66 113

Loc

USA

41000 Woodward Ave
Building East, Suite 350
Bloomfield Hills, MI 48304
Tel: +1 833 4KARAMBA

Loc

Germany

Wasserburger
Landstr. 264, Munich
81827
Tel: +49 892 1547 7583