Embedded Software Security Training
Embedded software security is more important than ever in the digital age and due to the increased usage of embedded systems.
The incidence of malicious code and software vulnerability exploits on embedded platforms is constantly on the rise.
The monetary value of data, the ability to cause serious harm, and the interoperability and connectivity of modern embedded systems, including mission-critical systems, make embedded systems popular targets.
Cyberattacks on embedded systems range from disabling vehicle anti-theft devices and degrading the performance of control systems to directing printers to send copies of documents to the hacker and accessing a smartphone’s data.
However, cybersecurity professionals believe there are fixes for embedded software security vulnerabilities. One solution may be a microkernel OS.
A microkernel OS is structured with a tiny kernel space with services like file systems provided in user space, drivers or network stacks. Less code running in kernel space reduces the attack surface and increases security. The microkernel works with a team of optional cooperating processes that run outside kernel space (in the user space) and provide higher-level OS functionality.
Cybersecurity professionals recommend that manufacturers incorporate security measures into embedded devices regardless of their memories or storage limitations.
This is important because a lot of the gadgets and machines powered by embedded devices are also connected to the internet. This means that hackers can gain unauthorized access to them, and run malicious code.
A hack in an embedded device can often spread to other connected components, and/or cripple the entire system. For example, it’s quite possible a cybercriminal could get access to your car by simply gaining control of an embedded device that allows you to put your car on auto-pilot.
Embedded Software Security Training by Tonex
Embedded Software Security Training is a 2-day training program. It explores the foundations of embedded software security. The participants will learn the important embedded software vulnerabilities and attacks that exploit them.
Defenses that prevent or mitigate embedded software attacks, including self-contained cryptography, key-management, crypto-based system or device, advanced software testing, program analysis techniques. Learn about techniques to strengthen the security of software systems including secure embedded C/C++ and Java development.
Audience
Professionals who may benefit include:
- Embedded Applications Developers
- Software Engineers
- Security Analysts
- Systems Engineers
- Embedded Systems Engineers
- System Administrators
- Release Engineers
- Configuration Managers
- Developers and Application Team Members
- Software Managers and Team Leads
Takeaways from this course include to learn knowledge and skills:
- Fundamentals Of Embedded Systems
- Fundamentals Of Cybersecurity in Embedded Software
- Foundation Knowledge of Cyber Security Threats, Risks, Mitigation Strategies Applied to Embedded Software
- Examining How to Fit Cybersecurity in Embedded Software
- Fundamentals Of Embedded Software Product Design Cycle, Project Management, Design for Production, V&V And O&M
- Fundamentals Of Embedded Software Security Requirements
- Fundamentals Of Hardware, Firmware and Application Analysis and Design in Embedded Software Design
- Fundamentals Of Vulnerabilities in Embedded Software
- Exploitable Vulnerabilities in Embedded Software and Techniques and Strategies for Software Engineering Embedded Systems
- Communication Protocols, Wired and Wireless Networks, Information and Network Attacks and Their Impact on Embedded Devices
- Risk Assessment Techniques and Methodologies and Using Defensive Tools for Mitigating Risk and Vulnerabilities
Course Topics
Introduction to Embedded Systems and Software Security
- Components of Embedded System Architecture
- Embedded Systems vs. Software Security
- What Is Embedded Software Security?
- Embedded Software Security Threat Actors
- Embedded Software Cyberattack Targets
- Embedded Software Security Challenges
- Embedded Software Security Goals
- Overview of Embedded Software Security Mitigation Techniques
Embedded Software Security Vulnerabilities and Exploits
- Analysis of Hardware, Firmware and Software Architecture
- Analyzing Embedded Operating System (OS), Middleware and User Applications
- Analyzing Malicious Behavior in Embedded Software Systems
- Analyzing Software Security in Embedded Connected systems
- Embedded Software Security Attack Vectors and Surfaces
- Analyzing Network (or physical) Access
Analyzing Most Common Types Of Software Vulnerabilities In Embedded Systems
- Buffer Overflow Attack
- Improper Input Validation
- Improper Authentication
- Information Exposure
Embedded Software Security: Hardware-Software Partnership
- Embedded Systems Root of Trust Architecture
- Hardware Roots of Trust
- Authentication IC
- Using Public Key Infrastructure (PKI)
- Hardware Security Module (HSM)
- Managing Keys, Performs Encryption and Decryption Functions
- Function to Embeds Keys for OS And Application Use.
- System-on-a-chip (SoC) Components
- CPU Offload for Bulk Encryption and Decryption
- Offload Network Cryptographic Functions
- Secure Boot
Key Concepts of Trusted Execution Environment (TEE)
- A Trusted Execution Environment (TEE)
- Hardware Security Zone
- Trusted Platform Module (TPM)
- Essential Defense Mechanisms Of A Secure OS
- Essential User Application Defense Mechanisms E
- Executable Space Protection (ESP)
- Address Space Layout Randomization (ASLR)
- Stack Canaries
Mitigation for Embedded Software Cybersecurity
- Security Policies
- Data Confidentiality at Rest Based Encryption
- Data Integrity
- Embedded Security Encryption
- Unrestricted Access to System Resource Managers
- Unauthorized System Components
- System Resource Manager Channels
- POSIX Permissions and Access Control Lists (ACLs)
- Filesystem Object Access Control
- Untrusted Code Execution
- Redirect Control Flow
- Repeatability Of Attacks
- Buffer Overflows
- Stack Overflows
- Instrument Code to Mitigate Stack Overflow Attacks
- Compile Code with Stack Canaries
- Secure The /proc Filesystem
- Process Execution with Least Privileges
- Device Hardware Access to Kernel Memory
- Denial Of Service (DoS)
- Supply Chain Security
- Cryptographic Key Management Architecture
Embedded System and Software Cybersecurity Testing and Evaluation (T&E)
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- SAST vs. DAST vs. Penetration Testing
- Binary Code Analysis
- Testing OTA Updates
- Testing Physical unclonable function (PUF)
- Testing Secure Processing Environment
Embedded Systems Zero Trust Architecture
- Zero Trust Basic Concepts
- Zero Trust Embedded Software Design
- Zero Trust Threats
- Zero Trust Access Control
- Zero Trust Risk Management
- Embedded System/Software Zero Trust Reference Architecture
- Embedded System/Software Zero Trust Implementation
- Embedded System/Software Zero Trust Challenges
Best Practices for Embedded Software Security
- Addressing Embedded software vulnerabilities
- Underlying Processes, Hardware, and Embedded Operating System (Reconnaissance)
- Analyzing Vulnerability in the Host-based Protection
- Programmable logic controller (PLC)
- Embedded OS or Middleware
- Manipulate the Controller
- Exploit the vulnerability to attack the system or others
- Managed security service, firewall or intrusion detection and prevention system (IDPS)
- Best Practices in Embedded Software Product Design Cycle, Project Management, Design for Production, V&V And O&M
- Examining Embedded Software Security Requirements
- Examining Hardware, Firmware and Application Analysis and Design in Embedded Software Design
- Analyzing Exploitable Vulnerabilities in Embedded Software and Techniques and Strategies for Software Engineering Embedded Systems
- Evaluating Communication Protocols
- Evaluating SCADA and PLCs Low Level Software
- Risk Assessment Techniques and Methodologies and Using Defensive Tools for Mitigating Risk and Vulnerabilities
- Case Studies: UNECE WP.29 Regulation on Cybersecurity and Software Update Processes; SAE J3061, “Cybersecurity Guidebook for Cyber-Physical Vehicle Systems:” and ISO/SAE 21434, “Road Vehicles – Cybersecurity Engineering:”
Embedded Software Security Training