RunSafe Risk Reduction Analysis offers insights into memory-based CVEs

RunSafe Security launched the RunSafe Risk Reduction Analysis, which analyzes total exposure to Common Vulnerabilities and Exposures (CVEs) and memory-based zero days in software.

Designed for cybersecurity professionals and embedded systems developers, the solution provides much-needed insight into system vulnerabilities as well as data on how runtime mitigations can drastically reduce software exposure.

Critically, the RunSafe Risk Reduction Analysis, part of the company’s Identify solution, focuses on identification and mitigation of memory-based vulnerabilities, which are one of the most exploited classes of security flaws in modern embedded systems. Memory safety flaws leave software susceptible to attacks such as arbitrary code execution, privilege escalation, denial-of-service (DoS), and data theft.

The Risk Reduction Analysis reveals total exposure to these critical flaws while measuring the risk reduction achieved when applying advanced runtime protections.

“Memory safety issues continue to account for nearly 70% of vulnerabilities in embedded systems,” said Joseph M. Saunders, CEO of RunSafe Security. “With the Risk Reduction Analysis, we’re giving organizations the tools and insights to eliminate an entire class of vulnerabilities, significantly improving their resilience against remote code execution attacks and other exploits.”

The Risk Reduction Analysis works by analyzing a software binary or an SBOM to calculate the risk to embedded systems. The tool’s ability to quantify memory-based zero days is developed out of novel research from Linköping University and calculates the number of binary attack vectors, or return-oriented programming (ROP) chains, within software.

In an example analysis, the tool revealed that software was exposed to 1.6 million potential ROP gadgets, but with runtime protections applied, there was a risk reduction of >98.28%.