By Bill Graham
Modern embedded devices are much more than small-scale dedicated systems with a single mode of operation. In fact, embedded systems can host several different functions and typically are evolved and expanded over time. The rise of multi-application embedded devices, partitioned and multi-OS systems implies an increase in the number of applications and updates, changes and installation of new and improved ones over time. As with desktop and server applications it becomes critical that embedded software applications deal with security as well. In fact, applications are likely to be the target of malicious code or data breaches – the installation of malicious application code, modification of existing applications or exploitation of vulnerabilities within the application itself. It’s vital that embedded applications are locked down on the device to prevent unintended data access or loss of operation.
Blacklisting vs. Whitelisting
A whitelist is a set of known to be acceptable and secure applications that can run on your device. This is particularly important if your device is meant ot be upgraded or support multiple applications (yours or your partners). Whitelisting within the device is done by only accepting know whitelisted applications for download and installation. Any software not on the whitelist is not installed and rejected by the system.
A blacklist is a list of known malware and viruses. Blacklisting is matching up applications to be installed with the blacklist and rejecting those on the list. This technique is used by desktop antivirus software and requires sophisticated pattern detection and recognition since most malware is hidden with other applications that seem harmless. Blacklisting requires heavy duty processing and frequent updates to the threat database (the blacklist). Blacklisting is required in an open system such as a desktop where users need the freedom to install applications as they wish.
Whitelisting vs. Blacklisting for Embedded Devices
Blacklisting of malware applications and code is ideal for an open desktop computing environment. Users need the flexibility to install and run the software they need. Embedded devices on the other hand, are (mostly) locked down with occasional need to be updated or enhanced to support new functionality. Of course, there are exceptions to this, particularly in the consumer marketplace, more on that later. Embedded devices typically don’t have the computing resources to handle on-the-fly blacklisting and likely can’t support the frequent updates, data storage and network connectivity required either. Whitelisting on the other hand, makes more sense for embedded devices: applications need to be known, and possibly signed, before they are allowed on the device. This doesn’t preclude the ability to update the device nor enhance it with new functionality. It does, however, make it much more difficult to install software that is not approved or recognized.
Reputation Awareness can provide applications increased security by adapting to potential threats by evaluating the source from which information is being provided. The reputation of the data source, for example, the source IP address might be from a known malware address. When information is transmitted by highly trusted sources, applications can bypass security filters, processing information more quickly. In other cases, when information is coming from sources with no reputation or a bad reputation, the application can determine what steps are required to verify the data’s integrity prior to processing, and in some cases, ignore it altogether. Unlike malware databases, reputation block/allow lists are a significantly smaller amount of data and require less updating.
The final step in improving security in embedded systems is comprehensive lifecycle support that is covered in the next post.
Note: Wind River and McAfee will be presenting these 5 steps in a webinar titled, The State of Embedded Security and Steps to Improvement, on November 10 at 2pm ET. If you're interested in hearing more, register here: http://bit.ly/sPU2a4
For additional information from Wind River, visit: www.facebook.com/WindRiverSystems.