Canon Security Measures to Protect Against Malware and Tampering of Firmware/Applications

Since its inception, the imageRUNNER ADVANCE series has been designed with security in mind. Security measures to protect against malware/firmware tampering have been implemented that do not allow for installation or execution of programs without a digital signature applied by Canon when updating firmware, executing processes, or installing MEAP applications. In order to further assist in the prevention of data disclosure due to unknown attacks/springboard attacks, additional security enhancements have been made for the third generation imageRUNNER ADVANCE 3rd edition, imageRUNNER ADVANCE DX and imagePRESS Lite models. The following program tampering detection functions are introduced to counter unknown attacks.
- Verify System at Startup
- McAfee Embedded Control

Note: These features are only available on third generation imageRUNNER ADVANCE 3rd edition models, imageRUNNER ADVANCE DX and imagePRESS Lite, and must be enabled. McAfee Embedded Control requires Unified Firmware Platform (UFP) v3.9 or later.
Verify System at Startup

Once enabled, the Verify System at Startup function runs a process during startup to verify that tampering of boot code, OS, firmware and MEAP applications has not occurred. If tampering of one of these areas is detected, the system will not start. By using the hardware as the ‘Root of Trust’, enhanced security against software tampering is provided. Furthermore, standard cryptographic technologies (hash, digital signature) are used for verification.

In order to use this function, the administrator should set “Verify System at Startup” to ON (Default: OFF).
* Settings/Registration>Management Settings>Security Settings>Verify System at Startup

When this function is turned ON, warmup time is increased because the verification process is performed when the device is started. However, it does not affect the time to wake up from sleep mode or the restore time for quick startup, because the verification process is only performed at device startup.

If tampering of boot code/OS/firmware/MEAP applications is detected, the device boot process is halted, and an error code is displayed on the control panel. In order to recover from that state, it may be necessary to reinstall the firmware/MEAP application.
Platform Firmware Resiliency (Automatic Recovery)

Platform Firmware Resiliency is an automatic firmware recovery function. When Verify System at Startup detects an illegal program, this feature attempts to continue operation using the backup program instead of stopping the startup. More specifically, when an illegal operation is detected in a started program, that program is overwritten with a program in the backup area. If both the normal startup program and the backup area program are illegal programs at the same time, startup will be stopped. This feature is only available for imagePRESS Lite C270/265.
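The startup decision described in the two sections above (verify each stage, halt on tampering, or repair from the backup area when automatic recovery is available), as an added conceptual model that is not Canon's code. It assumes plain SHA-256 reference digests in place of the signed values a hardware root of trust would anchor; the stage names, images and function names are constructed for illustration.

```python
import hashlib
import hmac

# Stages the page says are verified, in boot order.
BOOT_ORDER = ["boot_code", "os", "firmware", "meap_apps"]

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def verify_and_boot(primary, backup, trusted, recovery_enabled):
    """Model of the startup decision. Returns (status, events).

    primary / backup: dict of stage name -> image bytes (primary may be repaired in place)
    trusted: dict of stage name -> reference SHA-256 digest. ASSUMPTION: stands in
             for the signed reference values a hardware root of trust would anchor.
    """
    events = []
    for stage in BOOT_ORDER:
        if hmac.compare_digest(digest(primary[stage]), trusted[stage]):
            events.append((stage, "verified"))
            continue
        events.append((stage, "tamper_detected"))
        good_backup = (recovery_enabled and stage in backup and
                       hmac.compare_digest(digest(backup[stage]), trusted[stage]))
        if good_backup:
            primary[stage] = backup[stage]      # overwrite from the backup area
            events.append((stage, "restored_from_backup"))
            continue
        events.append((stage, "halt"))          # later stages never run
        return "halted", events
    return "started", events

# Constructed sample images and reference digests (not real firmware).
GOOD = {s: f"{s}-image-v1".encode() for s in BOOT_ORDER}
TRUSTED = {s: digest(img) for s, img in GOOD.items()}

def demo():
    """Tampered firmware stage: halt without recovery, repair with it."""
    tampered = dict(GOOD, firmware=b"firmware-image-v1 modified")
    no_recovery = verify_and_boot(dict(tampered), {}, TRUSTED, False)
    with_recovery = verify_and_boot(dict(tampered), dict(GOOD), TRUSTED, True)
    return no_recovery[0], with_recovery[0]

if __name__ == "__main__":
    print(demo())
```

The events list is the part worth forwarding to monitoring: a "restored_from_backup" event means the device started normally even though tampering was detected.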
McAfee Embedded Control
Once enabled, McAfee Embedded Control allows only known programs contained in the dynamic whitelist to be executed on the MFP. Other programs not listed in the whitelist are considered unauthorized and will not be permitted to execute. This helps prevent worms, viruses, spyware, and other malware from compromising the device. A log of all prevented executions is available in the Audit Log when Runtime Intrusion Detection is enabled.
McAfee Embedded Control delivers the following:
- Provides file integrity of Canon authorized firmware/applications against the whitelist to help prevent tampering.
- Helps prevent the execution of unknown software code (malware) not on the whitelist.
- Helps prevent unauthorized rewriting of registered software modules.
- Detects tampering of the whitelist itself.
- Permits only authorized system processes to implement changes on device.
To turn on McAfee Embedded Control, it is necessary to turn on Verify System at Startup (Default OFF).
* Settings/Registration>Management Settings>Security Settings>Verify System at Startup

The administrator will also need to set “McAfee Embedded Control” to ON (Default OFF).
* Settings/Registration>Management Settings>Security Settings>McAfee Embedded Control

Whitelists are created in each storage partition in which native device software modules are installed. McAfee Embedded Control checks the value held in the whitelist in advance of the module executing, and verifies the value generated by the execution of the module during operation. If the two values match, the verification is successful. If the two values do not match, the verification is unsuccessful, and execution of the module fails.
The following outlines what will occur if the verification is unsuccessful:
(a) The firmware verification process begins when the execution module registered in the whitelist is started. If verification fails, the execution is blocked, and an error code (E614-xxxx) is displayed.
(b) When attempted execution of a non-registered software module is detected, the execution stops, and the event is reported in the audit log.
(c) When an attempt to rewrite or delete a registered software module located on the whitelist is detected, the attempt is blocked, and a record of the error code is saved in the audit log.
(d) Validation of the whitelist itself is performed at startup of any software module. If tampering of the whitelist is detected, the execution is blocked, and an error code is displayed. The error code is displayed according to the location of the software module where tampering was detected.
Error code example: E614-xxxx for firmware, E602-xxxx for MEAP application
(e) The whitelist is updated as required when the system firmware is updated or when authorized MEAP applications are installed. In order to maintain consistency, when the software module is updated, the whitelist itself and the transaction log recording the change history of the whitelist are also updated.

Audit Log Related to Runtime System Protection Function

All recordable activities related to the Verify System at Startup and Runtime Intrusion Detection with McAfee Embedded Control processes are listed in the Device Management Log and can be reported in real time to a Security Admin through integration with a SIEM system.
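The whitelist checks and the outcomes (a) to (e) listed above, as an added conceptual model that is not McAfee's or Canon's code. It assumes the list is sealed with an HMAC to make edits to it detectable (the page does not say how this is done); the class, method names, module paths and key are constructed for illustration.

```python
import hashlib
import hmac

class Whitelist:
    """Conceptual model only. ASSUMPTION: the list is sealed with an HMAC so
    that edits to it are detectable; the page does not say how this is done."""

    def __init__(self, key: bytes, modules: dict):
        self.key = key
        self.entries = {p: hashlib.sha256(d).hexdigest() for p, d in modules.items()}
        self.seal = self._compute_seal()
        self.audit_log = []         # blocked events
        self.transaction_log = []   # change history of the list, as in (e)

    def _compute_seal(self) -> str:
        body = "\n".join(f"{p}={h}" for p, h in sorted(self.entries.items()))
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def _block(self, path: str, reason: str) -> bool:
        self.audit_log.append({"module": path, "reason": reason})
        return False

    def may_execute(self, path: str, data: bytes) -> bool:
        # (d) validate the list itself before trusting any entry in it
        if not hmac.compare_digest(self._compute_seal(), self.seal):
            return self._block(path, "whitelist_tampered")
        expected = self.entries.get(path)
        if expected is None:                                   # (b)
            return self._block(path, "not_registered")
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, expected):          # (a)
            return self._block(path, "hash_mismatch")
        return True

    def may_modify(self, path: str) -> bool:
        # (c) registered modules cannot be rewritten or deleted in place
        return self._block(path, "modify_blocked") if path in self.entries else True

    def authorized_update(self, path: str, data: bytes) -> None:
        # (e) an authorized install updates the entry, the seal and the change history
        self.entries[path] = hashlib.sha256(data).hexdigest()
        self.seal = self._compute_seal()
        self.transaction_log.append(("update", path))

def demo():
    wl = Whitelist(b"constructed-key", {"/fw/engine": b"engine v1"})  # constructed
    results = [wl.may_execute(p, d) for p, d in [("/fw/engine", b"engine v1"),
               ("/fw/engine", b"engine v1 patched"), ("/tmp/unknown", b"payload")]]
    return results, [e["reason"] for e in wl.audit_log]
```

The order of checks in `may_execute` matters: the list is validated before any entry is read, so an edited list cannot be used to admit a module.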