Modern systems are only as secure as their software and firmware. Vulnerabilities in these layers have been at the root of some of the most devastating cyberattacks, from ransomware outbreaks to targeted intrusions in vehicles and aircraft. Identifying and managing these vulnerabilities requires both technical depth and organisational agility. The REWIRE Project addresses this need with a dedicated Software/Firmware Vulnerability Analysis (SFVA) framework, integrated into its broader risk assessment architecture. This framework is designed to provide deep, automated insights into weaknesses within both source code and binaries, thereby enabling proactive identification and mitigation of threats.
The Challenge of SW/FW Vulnerabilities
Software and firmware vulnerabilities present unique challenges. Firmware in particular is notoriously difficult to secure, as it often operates beneath the operating system and remains invisible to conventional security tools. Many firmware components are proprietary, and binaries may lack sufficient documentation to make analysis straightforward. Because firmware runs at such a low level, any vulnerability can be extremely persistent, surviving across reboots and even software patches. Worse, a firmware-level compromise often gives attackers control over entire devices, undermining all higher-level protections. REWIRE’s SFVA framework is built to address these challenges by combining automation, modular analysis, and integration with live threat intelligence.
How REWIRE Performs Vulnerability Analysis
The process begins with the collection of inputs. When source code is available, it is analysed with static tools that detect common weaknesses such as buffer overflows, memory leaks, or improper input validation. In cases where only binaries are available, automated disassembly and symbolic execution techniques are applied to reverse engineer the software and identify possible flaws. Configuration files and metadata are also ingested to capture vulnerabilities that stem not from the code itself but from misconfigurations.
Vulnerability discovery proceeds through a combination of static and dynamic analysis. Static analysis works on both source and binaries, identifying potential flaws without execution. Dynamic analysis, by contrast, executes binaries in controlled environments to observe abnormal behaviours. To identify vulnerabilities that may be introduced in the course of software updates, REWIRE applies differential analysis, which compares different versions of firmware or software.
Once potential vulnerabilities are identified, they are scored and prioritised. REWIRE uses the Common Vulnerability Scoring System (CVSS) as a baseline but introduces additional contextual weighting based on the domain of deployment. For example, a vulnerability in automotive braking firmware is assigned a much higher priority than a flaw in an infotainment subsystem.
The final step is integration. The vulnerabilities identified and scored by the SFVA feed directly into the REWIRE Risk Assessment Engine, ensuring that the overall risk profile of the system is continuously recalibrated to reflect new discoveries.
Conclusion
The REWIRE Software/Firmware Vulnerability Analysis framework provides the technical backbone of its risk assessment architecture. By offering deep, automated, and context-aware analysis of vulnerabilities, it enables system operators to act decisively against threats before they can be exploited. The REWIRE approach provides comprehensive coverage, as it works on both source code and binaries. It automates much of the reverse-engineering process, reducing dependency on scarce human expertise. By integrating findings directly into the larger risk management ecosystem, it avoids the silo effect that plagues many organisations. Perhaps most importantly, it is context-aware, tailoring vulnerability scoring to the actual safety and security implications of the application domain.