ELTON Vulnerability Analysis Reflects the Real-World Threat Model for Medical Devices

In the real world, medical devices are not attacked through perfect knowledge of the binary or direct mapping of source code. Yet, many vulnerability management tools rely on exact binary or function-level reachability to determine whether a known vulnerability matters. While function-based analysis can be precise in certain environments, it does not scale well to the medical device space, where the broader architecture, not just code snippets, defines the actual risk. In contrast, path-based analysis models how an attacker could traverse a system from an exposed interface or data input toward a vulnerability—considering everything along the way. This approach aligns much more closely with how threats unfold in operational settings, not controlled laboratory environments.

Path-based analysis works by evaluating architectural attack paths through components, trust zones, and control boundaries. It considers whether an attacker can reach a vulnerable library or function based on access requirements, privilege escalation opportunities, and existing controls. It does not depend on identifying whether a specific function is directly called. That kind of determination—typically achieved through static call graph inspection or dynamic instrumentation—can be deeply unreliable for third-party software. Function names may change, calls may be obfuscated, or the vulnerable code may be reachable only through indirect call chains or runtime conditions that static tools miss. Runtime analysis attempts to fill this gap, but it requires a real-time environment, representative workloads, and complex instrumentation that is rarely feasible for embedded or legacy systems.

Call stack analysis and dynamic tracing, while potentially accurate in high-visibility applications like cloud platforms, are not well-suited for embedded medical devices. These tools rely on observing function execution during runtime, but most medical devices are not designed with this level of introspection in mind. Even when possible, dynamic testing must be repeated for every configuration, mode, and software version to maintain accuracy, which quickly becomes resource-intensive and unsustainable. Legacy devices, in particular, often lack the tooling, memory, or performance capacity to support these methods at all. As a result, reliance on function-level precision can leave gaps or produce false conclusions about risk—especially across a portfolio of products with varying firmware maturity and architecture.

ELTON’s path-based methodology offers a scalable and context-aware alternative. By modeling how an attacker could move through a system, identifying the trust boundaries crossed, and evaluating whether mitigating controls exist, ELTON can determine whether a vulnerability is reachable or exploitable without needing function-level certainty. It highlights only the small subset of findings that merit further investigation, focusing teams where it counts. This mirrors how medical devices are assessed in the real world: through architectural resilience and threat paths, not perfect binary knowledge. ELTON reduces unnecessary patching and improves vulnerability decision-making, without the overhead of deep binary reverse engineering for every single release.
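The following sketch is an added example, not ELTON's implementation or code from the vendor. It shows the kind of path-based reachability check described above: a search from exposed interfaces toward a vulnerable component that respects access requirements, privilege escalation, and deployed controls. The device model, component names, privilege levels, and control names are all constructed assumptions.

```python
from collections import deque

# Constructed architecture model for a hypothetical device (all names are assumptions).
# Edge: (src, dst, min privilege needed, privilege held afterwards, control that blocks it or None)
EDGES = [
    ("wifi",         "web_ui",       0, 0, None),
    ("web_ui",       "app_service",  1, 1, None),               # needs an authenticated session
    ("web_ui",       "app_service",  0, 1, "auth_bypass_fix"),  # escalation unless the fix is deployed
    ("app_service",  "update_agent", 1, 2, "signed_updates"),
    ("usb_port",     "update_agent", 0, 2, "usb_disabled"),
    ("update_agent", "xml_parser",   2, 2, None),               # xml_parser holds the known CVE
]
ZONES = {"wifi": "external", "usb_port": "physical", "web_ui": "dmz",
         "app_service": "application", "update_agent": "privileged",
         "xml_parser": "privileged"}

def find_attack_path(entry_points, target, controls):
    """Breadth-first search over (component, privilege) states.
    Returns the shortest component path to target, or None if controls cut every path."""
    queue = deque((e, 0, [e]) for e in entry_points)
    seen = {(e, 0) for e in entry_points}
    while queue:
        node, priv, path = queue.popleft()
        if node == target:
            return path
        for src, dst, need, gain, blocker in EDGES:
            if src != node or priv < need or blocker in controls:
                continue
            state = (dst, max(priv, gain))
            if state not in seen:
                seen.add(state)
                queue.append((dst, state[1], path + [dst]))
    return None

def boundaries_crossed(path):
    """List the trust-zone transitions along a path."""
    zones = [ZONES[c] for c in path]
    return [(a, b) for a, b in zip(zones, zones[1:]) if a != b]

def triage(target, controls, entry_points=("wifi", "usb_port")):
    """Classify a finding: reachable paths merit investigation, cut paths do not."""
    path = find_attack_path(entry_points, target, set(controls))
    if path is None:
        return "not reachable", []
    return "investigate", boundaries_crossed(path)
```

The same vulnerable component moves between "investigate" and "not reachable" purely as a function of which controls are deployed, with no call graph or binary inspection involved.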
