The Role of Tools in Improving Embedded Software Security / Part 2: Security Improvement and the Software Development Lifecycle

By Bill Graham

In many of my previous posts, I’ve discussed Wind River's 5+1 step improvement framework for embedded device security. By design, it’s meant to complement the software development lifecycle (SDLC) that our customers are using – the stages or phases as they define them and the processes they follow. It’s important for a discussion on tools to put them in…

The Role of Tools in Improving Embedded Software Security / Part 1: Automation is the Key

By Bill Graham

Security Vulnerabilities are Expensive

Shipping security vulnerabilities in a finished product and having them discovered or, worse, exploited is a very expensive proposition for embedded device vendors. As I’ve discussed in an earlier post, security defects are much more expensive to patch and fix the later they are discovered. If you’re lucky enough to catch a vulnerability during…

Simplifying the Security Approach

By AJ Shipley

As a security professional in the business of helping Wind River customers protect their systems from malicious intent, I am frequently asked how they should approach security. Here are my thoughts on a tried and true approach to security. At a very high level, you can approach security from one of two possible paths: you can secure…

Identifying Backdoors in Production-Ready Code

By Ido Sarig

The security world is abuzz with news about a “backdoor” - undocumented access to its programmatic interface - found in a popular FPGA manufactured in China and used in US military applications. Whether you are concerned that this is a deliberate Chinese plot to attack Western militaries, or relieved to hear that this is just a "common" backdoor,…

Security Regulations and the Public/Private Relationship

By AJ Shipley

Last week the U.S. House of Representatives passed a cyber-security bill and sent it on to the Senate. This got me thinking: what is government’s role in regulating the security requirements of our nation’s critical infrastructure? Security's primary goal is to establish a trusted relationship and protect people, products, and services from unauthorized or malicious intent. When…

Improving Embedded Operating System Security Part 6: Harden the System Against Attack

By Bill Graham

In the previous posts I’ve discussed various steps that need to be taken in order to improve security, but these are all preventative measures that require validation before a device is ready for market. Enabling the security features of your embedded OS is the first step, but it’s important to test the system continuously throughout development. The…

Improving Embedded Operating System Security Part 5: Securing Code and Data

By Bill Graham

Secure the Boot and Execution

Embedded systems are vulnerable at boot time. For example, it’s common for hobbyists to re-flash consumer products’ firmware to change the way it operates. However, malicious attacks on device boot up and operation are undesirable for mission critical systems. In addition, devices often allow updates via web interfaces or other remote access…

Improving Embedded Operating System Security Part 4: Partition Systems to Protect Essential Components

By Bill Graham

An effective security technique is to separate different major components of a system into partitions. In some cases these partitions are physical, i.e., separate devices with physical separation. With modern virtualization technologies these partitions can be virtual, in software, on the same device or processor. An example of this would be combining a general purpose OS (GPOS)…

Improving Embedded Operating System Security Part 3: Secure Your Network Communication

By Bill Graham

Many security issues with embedded systems stem from their connection via a network with access open to a large population (enterprise network) or even directly to the Internet. Also, devices designed for small local private networks are increasingly connected to large corporate networks or the Internet directly. It’s safer to assume that all external connections to your…

Improving Embedded Operating System Security Part 2: Enable a More Secure Configuration

By Bill Graham

Despite the hype surrounding the state of embedded security, many of the runtime platforms that these systems are based on can be made more secure through proper configuration. Moreover, it’s important to keep the platform updated since the RTOS likely has many security vulnerabilities fixed that were present in older versions. Default configurations for embedded operating systems…