Despite decades of investment in vulnerability scanning, embedded systems remain exposed. Traditional tools like SAST miss up to 80% of flaws, while developers chase false positives and patch management lags behind attacker innovation. This session challenges the outdated “scan-and-patch-everything” mindset and introduces a more strategic approach to evaluating risk from zero-day vulnerabilities.
Rather than focusing solely on known CVEs, the session explores how to assess latent risk—the underlying conditions that expose systems to exploitation regardless of whether a vulnerability has been disclosed. In particular, the session will present a practical methodology to assess zero-day risk by analyzing deployed binaries for the presence of useful Return-Oriented Programming (ROP) chains capable of dangerous system calls. We'll address memory-based zero-days, which remain one of the most persistent and dangerous risks to embedded systems across industries.
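As an added illustration of the latent-risk idea (not the session's own tooling), the script below triages a raw x86-64 code blob by counting ROP gadgets that can reach a system call; it assumes the input is a dumped `.text` section and matches byte patterns only, so its count is an upper bound for triage, not a verified chain.

```python
"""Latent-risk triage for x86-64 binaries: count ROP gadgets that can reach a
system call. Added example; matches byte patterns only (no disassembler)."""
import re
from typing import Dict

# Gadget byte patterns. Each ends in `ret` (0xc3) so it can be chained; the
# syscall ones are the dangerous terminators the methodology looks for.
GADGETS: Dict[str, bytes] = {
    "syscall; ret":  b"\x0f\x05\xc3",
    "int 0x80; ret": b"\xcd\x80\xc3",
    "pop rax; ret":  b"\x58\xc3",   # selects the syscall number
    "pop rdi; ret":  b"\x5f\xc3",   # first syscall argument
    "pop rsi; ret":  b"\x5e\xc3",   # second syscall argument
    "pop rdx; ret":  b"\x5a\xc3",   # third syscall argument
}

def count_gadgets(code: bytes) -> Dict[str, int]:
    """Occurrences of each gadget pattern (overlapping matches counted)."""
    return {name: len(re.findall(b"(?=" + re.escape(pat) + b")", code))
            for name, pat in GADGETS.items()}

def latent_risk(code: bytes) -> Dict[str, object]:
    """A usable chain needs a syscall terminator plus a way to load rax;
    report whether both exist and how many argument loaders back them up."""
    c = count_gadgets(code)
    syscalls = c["syscall; ret"] + c["int 0x80; ret"]
    arg_loaders = c["pop rdi; ret"] + c["pop rsi; ret"] + c["pop rdx; ret"]
    return {
        "syscall_gadgets": syscalls,
        "rax_loaders": c["pop rax; ret"],
        "arg_loaders": arg_loaders,
        "syscall_chain_feasible": syscalls > 0 and c["pop rax; ret"] > 0,
    }

# Constructed sample blobs (not taken from any real firmware image).
# RISKY: pop rax / pop rdi gadgets and a `syscall; ret` among NOP filler.
RISKY = (b"\x90" * 4 + b"\x58\xc3" + b"\x90" * 3 + b"\x5f\xc3"
         + b"\x48\x31\xc0" + b"\x0f\x05\xc3" + b"\x90" * 2)
# LEAN: a syscall not followed by ret and pops without ret; nothing chainable.
LEAN = b"\x90" * 4 + b"\x0f\x05\x90" + b"\x5f\x5e" + b"\x90"

if __name__ == "__main__":
    for label, blob in (("risky", RISKY), ("lean", LEAN)):
        print(label, latent_risk(blob))
```

Applied across a fleet, the same counts give a per-image risk score that is independent of whether any CVE has been published for that firmware.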
By identifying the types of weaknesses attackers are most likely to exploit and mapping them to actual system exposure, embedded development teams can shift from reactive patching to resilient, attacker-aware software design.