Why Secure Coding in Embedded Systems is Our Defensive Advantage
There are plenty of pop culture references to AI and rogue robots, as well as devices that turn on their human masters. It’s science fiction, fun and fantasy, but with IoT and connected devices more and more prevalent in our homes, we need to talk more about cybersecurity and security.
Software is all around us, and it’s very easy to forget how much we rely on lines of code to do all of these smart things that give us so much innovation and convenience.
Much like web software, APIs, and mobile devices, vulnerable code in embedded systems can be exploited if discovered by an attacker.
Although it is unlikely that a toaster army will come to enslave the human race following a cyber attack (though the Tesla robot is a bit of a concern), malicious cyber events are still possible. Some of our cars, airplanes and medical devices also rely on complex on-board systems code to perform key tasks, and the prospect of these objects being compromised is potentially deadly.
As with all other types of software, developers are among the first to get their hands on the code, right from the start of the creation phase. And just like any other type of software, it can be the breeding ground for insidious and common vulnerabilities that might go undetected until the product goes live.
Developers aren’t security experts, and no business should expect them to play this role, but they can be equipped with a much more powerful arsenal to tackle the kind of threats that affect them. Embedded systems – typically written in C and C++ – will be used more frequently as our technological needs continue to grow and evolve, and specialized security training for developers on the tools in this environment is a critical defensive strategy against cyber attacks.
Explosive air fryers, capricious vehicles… are we really in danger?
While there are some secure development best-practice standards and regulations to keep us safe, we need to make much more specific and meaningful progress towards all types of software security. It might seem like a stretch to think of a problem that can be caused by someone hacking an air fryer, but it happened in the form of a remote code execution attack (allowing the threat actor to raise the temperature to dangerous levels), as well as vulnerabilities leading to vehicle takeovers.
Vehicles are particularly complex, with multiple on-board systems, each supporting micro-functions; everything from automatic wipers to engine and braking capabilities. Interwoven with an ever-growing stack of communications technologies such as Wi-Fi, Bluetooth and GPS, the connected vehicle represents a complex digital infrastructure that is exposed to multiple attack vectors. And with 76.3 million connected vehicles expected to be on the roads around the world by 2023, that represents a monolith of defensive foundations to be laid for real security.
MISRA is a key organization effectively combating threats to embedded systems, having developed guidelines to facilitate code safety, security, portability and reliability in the context of embedded systems. These guidelines are a north star in the standards that every company should strive to achieve in their embedded systems projects.
However, creating and running code that adheres to this gold standard requires embedded systems engineers who are confident – not to mention secure – with the tools.
Why is upskilling in embedded systems security so specific?
The C and C++ programming languages are geriatric by today’s standards, but still widely used. They form the functional core of the embedded systems code base, and Embedded C/C++ enjoys a modern and brilliant life within the world of connected devices.
These languages have rather old roots, and they exhibit similar vulnerability behaviors in terms of common issues like injection flaws and buffer overflow. Even so, for developers to be really successful in mitigating security bugs in embedded systems, they must become familiar with code that mimics the environments in which they work. Generic C training in general security practices simply won’t be as powerful and memorable as extra time and care spent working in an Embedded C setting.
With a dozen to over a hundred systems embedded in a modern vehicle, it is imperative that developers receive specific training on what to look for and how to fix it, right in the IDE.
Protecting on-board systems from the start is everyone’s responsibility
The status quo in many organizations is that speed of development trumps security, at least when it comes to developer responsibility. Developers are rarely evaluated on their ability to produce secure code, while the rapid development of impressive features is a sign of success. The demand for software will only increase, but it’s a culture that has set us up for a losing battle against vulnerabilities and the cyber attacks they allow.
If developers aren’t trained, it’s not their fault, and it’s a void that a member of the AppSec team must help fill by recommending the right, accessible (not to mention assessable) development programs for their entire development community. From the start of a software development project, security should be a primary consideration, with everyone – especially developers – given what they need to play their role.
Become familiar with the security issues of on-board systems
Buffer overflow, injection flaws, and business logic bugs are all common pitfalls in embedded system development. When buried deep in a maze of microcontrollers in a single vehicle or device, they can spell disaster from a safety standpoint.
Buffer overflow is particularly prevalent, and if you want to dig deeper into how it helped compromise that air fryer we talked about earlier (allowing remote code execution), check out this report on CVE-2020-28592.
Now, it’s time to get acquainted with a buffer overflow vulnerability, in real embedded C/C++ code. Take this challenge to see if you can locate, identify, and fix the bad coding patterns that lead to this insidious bug:
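As an added illustration (not the challenge or any code from the original page, and not the code behind CVE-2020-28592), here is the classic embedded C pattern next to a hardened version. The frame layout, the 16-byte name field, the `device_state_t` structure and all function names are assumptions constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define NAME_MAX 16u                 /* hypothetical size of the name field */

typedef struct {
    uint8_t  name[NAME_MAX];
    uint8_t  name_len;
    uint16_t target_temp_c;          /* state stored right after the buffer */
} device_state_t;

/* Constructed frame layout for this example: [cmd][len][payload ...] */

/* VULNERABLE: the copy length comes from the frame and is never checked. */
int set_name_unsafe(device_state_t *st, const uint8_t *frame, size_t frame_len)
{
    (void)frame_len;                          /* received size is ignored */
    uint8_t len = frame[1];                   /* sender-controlled, 0..255 */
    memcpy(st->name, &frame[2], len);         /* can write past name[] */
    st->name_len = len;
    return 0;
}

/* HARDENED: validate the claimed length against both bounds before copying. */
int set_name_safe(device_state_t *st, const uint8_t *frame, size_t frame_len)
{
    if (st == NULL || frame == NULL || frame_len < 2u)
        return -1;                            /* no room for the header */
    size_t len = frame[1];
    if (len > frame_len - 2u)
        return -2;                            /* claims more than was received */
    if (len > sizeof st->name)
        return -3;                            /* would not fit the destination */
    memset(st->name, 0, sizeof st->name);
    memcpy(st->name, &frame[2], len);
    st->name_len = (uint8_t)len;
    return 0;
}

/* Feeds the hardened handler a constructed frame claiming `claimed` payload
   bytes but carrying `actual`; returns -99 if the adjacent field changed. */
int try_frame(uint8_t claimed, uint8_t actual)
{
    device_state_t st = { .target_temp_c = 180 };
    uint8_t frame[2 + 255] = { 0x01, claimed };
    memset(&frame[2], 0xFF, actual);
    int rc = set_name_safe(&st, frame, 2u + (size_t)actual);
    return st.target_temp_c == 180 ? rc : -99;
}
```

The hardened handler needs both checks: the first stops reads beyond the received frame, the second stops writes beyond the destination field.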
How did you do? Visit www.securecodewarrior.com for precise and effective training on the security of on-board systems.