Testing

59 articles

Identifying Backdoors in Production-Ready Code

By Ido Sarig The security world is abuzz with news about a “backdoor” - undocumented access to its programmatic interface - found in a popular FPGA manufactured in China and used in US military applications. Whether you are concerned that this is a deliberate Chinese plot to attack Western militaries, or relieved to hear that this is just a "common" backdoor,…

Improving Embedded Operating System Security Part 6: Harden the System Against Attack

By Bill Graham In the previous posts I’ve discussed various steps that need to be taken in order to improve security, but these are all preventative measures that require validation before a device is ready for market. Enabling the security features of your embedded OS is the first step, but it’s important to test the system continuously throughout development. The…

How Are You Reducing Radiation?

By Pete MacKay A few years back the FDA launched an initiative aimed at reducing radiation exposure in patients undergoing CT scans. Clearly there are concerns with exposing the human body to ionizing radiation, and due to the prevalence and popularity of these imaging techniques the FDA feels they are in a position to ensure proactive steps are taken to…

Detecting security problems – using static analysis to catch them early and less expensively

By Bill Graham In my previous post I discussed the potential benefits in quality and costs that static analysis brings to software development. In addition to common coding errors, many of the bugs found by static analysis are potential security defects as well. Buffer overflow, OS command injection, unrestricted string format and integer overflows are among the top 25 most dangerous security coding defects…

Using Static Analysis to Improve Product Quality, Earlier and Cheaper

By Bill Graham Fixing bugs is expensive. Fixing bugs is more expensive the later you leave them; in fact, it's been shown to cost a magnitude higher with each major phase of development. The famous defect cost chart from Capers Jones shows the cost of a bug going from $25 at the coding phase to $16,000 in development. Not only that,…

Hacking Insulin Pumps for Fun and Profit

By Ido Sarig Last month, I had the opportunity to take part in the Amphion Medical Forum in Minneapolis, where the theme was security challenges facing medical devices. Amphion is a forum that brings together thought leaders from academia, business, government and technology, which was founded to provide a medium for these visionaries to define solutions to some of the…

Secure Mobility Message Resonates at MILCOM 2011

By Chip Downing MILCOM 2011 last week in Baltimore, MD was not only educational, but it was a watershed event. Last year, it was a “coming out” party for custom Android devices; this year, however, was the year where many companies are now using COTS hardware and software to their fullest extent, along the entire supply chain, from core to…

Improving Embedded Security: Proper Runtime Selection

By Bill Graham Selection of secure components for an embedded system is key to a secure system. Leveraging a secure RTOS, middleware, virtualization and tools significantly reduces the effort and development costs. Moreover, there are additional benefits from using commercial-off-the-shelf (COTS) software components over Roll Your Own (RYO) code or self-ported and maintained open source code. Some of the COTS…

Test Management 4.0: Reduce Risk by Understanding the Impact of Change

By Ido Sarig Big day today, we just announced the release of our latest version of Wind River Test Management, WRTM 4.0, the culmination of several years of hard work - kudos to our engineering team! In the coming weeks, I will be covering many of the new features of WRTM 4.0 in detail in a series of separate posts,…

Testing for Security

By Ido Sarig Last summer was a watershed event for security-consciousness in the embedded systems world: Stuxnet, a highly sophisticated worm, exploited no fewer than 4 zero-day vulnerabilities in Windows in order to attack a specific Siemens PLC and its associated SCADA system. The target was reportedly the Iranian nuclear facilities at Natanz, where uranium-enrichment centrifuges were taken out of…