About this book
The evolution of electronic systems is pushing traditional silicon designers into areas that require new domains of expertise. In addition to the design of complex hardware, System-on-Chip (SoC) design requires software development, operating systems and new system architectures. Future SoC designs will resemble a miniature on-chip distributed computing system combining many types of microprocessors, reconfigurable fabrics, application-specific hardware and memories, all communicating via an on-chip interconnection network. Designing good SoCs will require insight into these new types of architectures, the embedded software, and the interaction between the embedded software, the SoC architecture, and the applications for which the SoC is designed. This book collects contributions from the Embedded Software Forum of the Design, Automation and Test in Europe Conference (DATE 03) that took place in March 2003 in Munich, Germany. The success of the Embedded Software Forum at DATE reflects the increasing importance of embedded software in the design of a System-on-Chip. Embedded Software for SoC covers all software-related aspects of SoC design:
- Embedded and application-domain-specific operating systems, and the interplay between application, operating system and architecture.
- System architecture for future SoCs, and application-specific architectures based on embedded processors that require sophisticated hardware/software interfaces.
- Compilers, and the interplay between compilers and architectures.
- Embedded software for applications in the domains of automotive, avionics, multimedia, telecom, networking and others.
What Is Embedded Security?
Embedded systems security provides mechanisms to protect an embedded system from all types of malicious behavior. In this section, you’ll learn about embedded systems security, related security terms, software and physical security, and four qualities of embedded systems that affect security.

Definition of Embedded Systems Security
Embedded systems security is a cybersecurity field focused on preventing malicious access to and use of embedded systems. Cybersecurity specialists work with systems design teams to ensure the embedded system has the security mechanisms needed to mitigate the damage from attacks.

Cybersecurity Terms
Here are general cybersecurity terms that are helpful to know as you learn about embedded system security:
Software security vs. physical security for embedded systems
Two types of security apply to embedded systems: physical security and software security.
Qualities of embedded systems that affect security
Many embedded systems perform mission-critical or safety-critical functions vital to a system’s intended function and surrounding environment. Embedded systems security is relevant to all industries, from aerospace and defense to household appliances. Modern embedded systems are increasingly interconnected through the Internet of Things (IoT), which creates additional attack vectors.

Connected systems
The most secure embedded system is one that is turned off, and the next most secure is one that is completely isolated. When embedded systems were islands of technology that held minimal information, embedded software security mattered less. Embedded systems are now often connected to a communications network, which exposes them to more threat actors.

Cyberattack targets
The monetary value of data, the ability to cause serious harm, and the interoperability and connectivity of modern embedded systems, including mission-critical systems, make embedded systems popular targets. Cyberattacks on embedded systems range from disabling vehicle anti-theft devices and degrading the performance of control systems to directing printers to send copies of documents to the attacker and accessing a smartphone’s data. Cyberattacks on embedded systems create an urgent need for everyone from developers to end users to help prevent, manage and patch vulnerabilities. All elements of the hardware and software architecture need to be secure. Each component of the embedded system architecture, from the firmware and embedded operating system (OS) to middleware and user applications, contributes to the attack surface. The embedded OS is the foundational piece of embedded systems security: every protection layered above it relies on the isolation and access-control guarantees the OS enforces, so a compromise of the OS undermines all of them.
Product lifecycle
Some embedded systems are in the field for decades, others for just a few years. Many mission-critical systems, such as cars, defense systems and power plants, have a long service life of 20 years or more. Older embedded systems often don’t get updated because the hardware is obsolete and doesn’t support the new software. Designing a system to be secure greatly increases the viability of keeping it safely in service at reduced risk of attack. Developers need to consider hardware and software obsolescence when designing embedded systems to increase system longevity and security. Computing, networking, cyberattacks and embedded systems security will evolve over the lifespan of an embedded system in ways that system developers cannot foresee. As vulnerabilities are identified, they will need to be mitigated with patches, which require a software update path. Including security in the design phase helps ensure that an embedded system has a way to receive updates and is capable of running new software.

Difficult to update
Some embedded systems are easier to update than others. A smart TV or smartphone can be updated regularly with minimal impact on the end user. In comparison, insecure software in a modern vehicle can put lives at risk, so software updates to vehicles are carefully orchestrated (and costly). The type of embedded OS also affects the update process and frequency. Updating an embedded system that runs a monolithic OS, such as Linux®, is harder than the size of the fix suggests: when the OS and its services (file systems, drivers, network stacks) run in kernel space, a fix to one of them normally means shipping a new kernel image and rebooting the device, which widens the scope of regression testing and lengthens the time to deploy. (Loadable modules and kernel live patching narrow this gap for some fixes, but they do not change the fault-isolation picture: a defect in any kernel-space component can still bring down the whole system.)

In comparison, the architecture of a microkernel OS, such as the QNX® Neutrino® Real-Time Operating System (RTOS), makes embedded software updates easier. OS services in a microkernel run outside kernel space as ordinary processes, so a single service can be patched and restarted without rebooting the kernel, with minimal impact on the rest of the system. The footprint of a microkernel OS service update is also generally small, because the kernel itself does not have to change at the same time, which reduces the time and cost of testing a patch.

Security vulnerabilities and exploits
It’s good to understand your hidden enemies and their tactics. Some embedded system attacks are active: they change the behavior of the system. Others are passive: they read data and spy. In this section, you’ll learn about the anatomy of an embedded system exploit, four attack paths, the most common vulnerabilities and why some OSs present a larger attack surface than others.

Anatomy of an embedded system exploit
How does a threat actor exploit an embedded system? In general, most cyberattacks follow these five steps:
Embedded system attack vectors
A threat actor gains control of an embedded system through one of these four paths:
Embedded software vulnerabilities
Like computers, many embedded systems have security vulnerabilities that can give a threat actor a way into the system. Typically, there is a time lag between the discovery of a specific vulnerability, such as a CVE, a misconfiguration, or weak or missing encryption, and the availability and application of a patch or other remediation. Meanwhile, vulnerable systems are at risk. System hardening and additional layers of security, such as a managed security service, firewall or intrusion detection and prevention system (IDPS), reduce the risk that a threat actor will successfully exploit the vulnerability. The five most common types of software vulnerabilities in embedded systems are as follows:

Buffer overflow
A buffer overflow occurs when a program writes more data to a memory buffer than the buffer can hold, overrunning its limits and overwriting adjacent memory. If the overwritten memory holds something the program later trusts, such as a return address, a function pointer or another variable, a threat actor who controls the written bytes may be able to take control of the system or cause it to crash.

Improper input validation
If an embedded system accepts input, a malicious user or process may provide unexpected input that causes an application to crash, consume too many resources, reveal confidential data or execute a malicious command. The unexpected input could be a negative or oversized length value, no input at all, a path name outside of a restricted directory, or special characters that change the flow of the program.

Improper authentication
Authentication proves that users and processes are who they say they are. Improper authentication may allow a threat actor to bypass authentication, guess a password through unlimited retries, use stolen credentials, or change a password through a weak password-recovery mechanism.

Improper restriction of operations within the bounds of a memory buffer
If the programming language or the embedded OS does not stop a program from reading or writing memory outside the intended boundary of a buffer (the weakness class that contains buffer overflows as well as over-reads that leak the contents of adjacent memory), a threat actor may be able to take control of the system, extract secrets or cause it to crash.

Information exposure
Many types of sensitive information may be exposed to a threat actor directly or to another party. Information exposure could reveal information ranging from personal data to business secrets and from system logs to message headers. Data spoofing and device hijacking are two of the ways threat actors expose sensitive information. As many as 20 percent of industrial control systems have critical security issues.
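Two of the weaknesses listed above, improper input validation and operations outside a buffer’s bounds, both come down to believing lengths and paths supplied by whoever produced the input. The following is an added example written for this page, not code from the guide or from any BlackBerry QNX product: a parser for a small firmware-update manifest format invented for the illustration, written once trusting the count, length and path fields and once validating them. The manifest layout, the install root /firmware/staging, the size limits and the sample inputs are all constructed for the example.

```python
"""Firmware-update manifest parsing, trusting vs. validating (added example).
Layout (invented for this example): magic b"FWM1"; count uint16 BE; then per
entry: path_len uint16 BE, path (ASCII), data_len uint32 BE, data.
"""
import os
import struct

MAGIC = b"FWM1"
INSTALL_ROOT = "/firmware/staging"  # assumed staging directory on the device
MAX_ENTRIES, MAX_PATH, MAX_DATA = 64, 255, 4 * 1024 * 1024

class ManifestError(ValueError):
    """Raised for any manifest the validating parser refuses."""

def parse_manifest_trusting(blob):
    """Vulnerable: count and length fields are believed as sent, paths joined unchecked.
    An oversized data_len swallows the rest of the blob (Python slicing truncates silently)
    and the next unpack dies with struct.error; a C parser with the same logic would read
    past the buffer instead (CWE-119). A "../" path escapes the install root."""
    off = 4  # the magic is not even checked
    (count,) = struct.unpack_from(">H", blob, off)
    off += 2
    entries = []
    for _ in range(count):
        (path_len,) = struct.unpack_from(">H", blob, off)
        path = blob[off + 2:off + 2 + path_len].decode("ascii", "replace")
        off += 2 + path_len
        (data_len,) = struct.unpack_from(">I", blob, off)
        data = blob[off + 4:off + 4 + data_len]
        off += 4 + data_len
        entries.append((os.path.join(INSTALL_ROOT, path), data))
    return entries

def _take(blob, off, n):
    """Return (blob[off:off+n], new offset), refusing to read past the end."""
    if n < 0 or off + n > len(blob):
        raise ManifestError(f"{n}-byte field at offset {off} overruns {len(blob)}-byte manifest")
    return blob[off:off + n], off + n

def safe_install_path(root, rel):
    """Resolve rel below root; reject absolute paths, NUL bytes and escapes."""
    if not rel or "\x00" in rel or os.path.isabs(rel):
        raise ManifestError(f"rejected path {rel!r}")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, target]) != root_real:
        raise ManifestError(f"path escapes install root: {rel!r}")
    return target

def parse_manifest_validated(blob):
    """Hardened: every field is bounded and every path confined before it is used."""
    if blob[:4] != MAGIC:
        raise ManifestError("bad magic")
    raw, off = _take(blob, 4, 2)
    (count,) = struct.unpack(">H", raw)
    if count > MAX_ENTRIES:
        raise ManifestError(f"too many entries: {count}")
    entries = []
    for _ in range(count):
        raw, off = _take(blob, off, 2)
        (path_len,) = struct.unpack(">H", raw)
        if not 0 < path_len <= MAX_PATH:
            raise ManifestError(f"bad path length {path_len}")
        raw, off = _take(blob, off, path_len)
        if not raw.isascii():
            raise ManifestError("path must be ASCII")
        raw2, off = _take(blob, off, 4)
        (data_len,) = struct.unpack(">I", raw2)
        if data_len > MAX_DATA:
            raise ManifestError(f"data length {data_len} exceeds limit")
        data, off = _take(blob, off, data_len)
        entries.append((safe_install_path(INSTALL_ROOT, raw.decode("ascii")), data))
    if off != len(blob):
        raise ManifestError("trailing bytes after last entry")
    return entries

def build_manifest(files):
    """Encode (path, data) pairs in the layout above; used to construct the samples."""
    out = bytearray(MAGIC) + struct.pack(">H", len(files))
    for path, data in files:
        p = path.encode("ascii")
        out += struct.pack(">H", len(p)) + p + struct.pack(">I", len(data)) + data
    return bytes(out)

def run(parser, blob):
    """Return ("ok", entries) or (exception class name, None) so crashes show up."""
    try:
        return "ok", parser(blob)
    except Exception as exc:  # noqa: BLE001 - observing crashes is the point here
        return type(exc).__name__, None

GOOD = build_manifest([("app.bin", b"\x7fELF\x01\x01\x01"), ("cfg/dev.json", b"{}")])  # constructed, not real firmware
TRAVERSAL = build_manifest([("../../etc/shadow", b"root::0:0:99999:7:::\n")])  # constructed attack input
# First entry's data_len sits at bytes 15..18 (4 magic + 2 count + 2 path_len + 7 path).
OVERSIZED = GOOD[:15] + struct.pack(">I", 0xFFFFFFFF) + GOOD[19:]

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("traversal", TRAVERSAL), ("oversized", OVERSIZED)):
        print(name, run(parse_manifest_trusting, blob)[0], run(parse_manifest_validated, blob)[0])
```

The hardened parser never slices before `_take` has confirmed the bytes exist, bounds every count and length against a fixed limit, confines every path with realpath plus commonpath rather than a string-prefix test, and rejects a manifest that has bytes left over, since leftover or missing bytes mean the sender and receiver disagree about the layout. The C equivalent of `_take` is checking the remaining length before every memcpy; the trusting version is the shape such code usually takes before that check is added.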
BlackBerry QNX can help you find vulnerabilities in open source software and provide peace of mind with software application analysis of your entire embedded system.

Best practices for embedded security
Embedded systems security must be addressed in a holistic manner, with best practices throughout the software development life cycle. In this section, you’ll learn about the security advantages of a microkernel OS, the hardware-software partnership, essential defense mechanisms and mitigations of common embedded security challenges, cybersecurity standards for embedded systems developers, and more ways to secure embedded systems throughout the software development lifecycle.

Security advantages of microkernel OS
A microkernel OS keeps the kernel small and moves services such as file systems, device drivers and network stacks into user space. Less code running in kernel space means less code running with full privilege, which reduces the attack surface. The microkernel works with a team of optional cooperating processes that run outside kernel space (in user space) and provide higher-level OS functionality. Only the kernel is granted access to the entire system, and component isolation prevents a fault in one component from corrupting other parts of the system. An attacker who compromises one such component, without also gaining root or kernel privileges, is confined to that component: they can crash it or misuse its own privileges, but they cannot directly reach the memory of other components or of the kernel. The same containment argument applies to guests running under a secure embedded hypervisor. The microkernel design and modular architecture of the QNX Neutrino RTOS enable BlackBerry QNX customers to create compelling, safe and secure devices on a highly reliable OS, a software foundation that helps guard against system malfunctions, malware and security breaches.

Embedded security is a hardware-software partnership
No matter how advanced and security-aware, software alone cannot ensure embedded systems security. Hardware, software and cloud vendors must work together.
For example, hardware technologies anchor device boot integrity, and on-chip security capabilities provide key storage and cryptographic acceleration that software alone cannot match: keys held in hardware cannot be read out by compromised software, and bulk encryption would otherwise be too computation-intensive for many embedded CPUs. Hardware capabilities enable the OS to provide functionality such as access control policies, encrypted file systems, rootless execution, path space control and thread-level anomaly detection. Hardware technologies provide a root of trust and encryption and decryption services.

Root of trust
A hardware security module (HSM) or hardware root of trust manages keys, performs encryption and decryption functions, and embeds keys for OS and application use. Often these system-on-a-chip (SoC) components provide CPU offload for bulk encryption and decryption, and they may also be used to offload network cryptographic functions. Hardware roots of trust are increasingly available as part of the SoC but can also be integrated using discrete electronics, such as an authentication IC or a TPM. During manufacturing, a private key can be generated on a chip or injected into each chip to serve as a root of trust. When the corresponding public key is certified by a public key infrastructure (PKI), the resulting secure device identifier can become a foundational component of trusted device connectivity. For example, a secure device identifier can help a developer or designer establish trusted communications with peer devices and cloud-based services.

Secure boot
Secure boot relies on a device trust anchor: the public key (or a hash of it) of the PKI root used to sign device code, stored where it cannot be altered, such as in ROM or one-time-programmable fuses. When the embedded system boots, each stage validates the signature on the next stage’s image using this public key and the corresponding trust chain before handing control to it, so that boot-time software that has been tampered with is never executed. Establishing the provenance of the original software and of any software updates typically relies on digital signatures from a public key cryptosystem. But in some instances, a hybrid model can be used.

In a hybrid model, symmetric key cryptography (a message authentication code over the image) is used to validate software integrity and speed up boot code verification for time-critical startup requirements. Unlike the public key used to verify a signature, the symmetric key must remain secret, known only to the device, because anyone who holds it can produce a valid tag for a modified image.

Trusted execution environment
A trusted execution environment (TEE) or hardware security zone provides hardware-enforced isolation in a secure area built into the main processor, which allows the software developer to establish a device root of trust. A TEE may run in a secure mode of the processor (e.g., ARM TrustZone) or on a separate, isolated CPU core that acts as a security co-processor to the SoC. TEEs typically allow trusted applications to perform security-critical processing on behalf of the embedded system.

Trusted platform module
A trusted platform module (TPM) provides hardware-based security functions such as a cryptoprocessor to generate, store and use internal cryptographic keys; encryption of keys and other sensitive material stored in device memory; and measurement and attestation of the integrity of a system state during the boot process.

Essential defense mechanisms of a secure OS
An embedded OS can be made more secure with additional defense mechanisms. For example, memory corruption via buffer overflow is a common vulnerability in embedded software. Three software security techniques, executable space protection (ESP), address space layout randomization (ASLR) and stack canaries, help the OS defend against exploitation of such bugs. These three capabilities, which we at BlackBerry QNX call the Three Musketeers, are security basics that every OS should have. Let’s look at each one:

Executable space protection
Executable space protection (ESP) marks specific memory regions, such as the stack and heap, as non-executable, so that an attempt to execute machine code in those regions causes an exception. An attacker who manages to write shellcode into a data buffer therefore cannot simply jump to it.
Address space layout randomization
Address space layout randomization (ASLR) places the stack, heap, shared libraries and other memory regions at different base addresses each time a process is started, so that a threat actor who has found a memory corruption bug cannot predict where code or data will be and must guess or leak addresses before turning the bug into a working exploit.

Stack canaries
Stack canaries let a stack buffer overflow be detected before the corrupted return address is used. The compiler inserts a random value between a function’s local buffers and its saved return address when the function is entered, and checks that the value is unchanged just before the function returns. If the canary has changed, the overflow has been detected and execution is aborted rather than returning to an attacker-chosen address. Although 70 percent of the most popular embedded OSs lack at least one of these defense mechanisms, the QNX Neutrino RTOS provides all three. Read more about the Three Musketeers and other risk mitigation techniques in our white paper, The Past, Present and Future of Cybersecurity for Embedded Systems.

A secure OS can help solve common embedded security challenges
Security plays a critical role in keeping embedded systems protected against threat actors. Security needs to be considered at all stages of embedded system design instead of being bolted on later. The design and security features of an embedded OS built for embedded security allow it to defend itself against a wide variety of attacks and help you mitigate security challenges such as the following:
Cybersecurity standards for embedded systems
In addition to using a secure software foundation, security standards provide best-practice processes that help developers build secure embedded systems and conform to cybersecurity regulations. While functional safety standards for embedded systems are mature, standards for embedded systems cybersecurity are not. Currently, the automotive industry is leading the way with two publications, SAE J3061 and ISO/SAE 21434, and the UNECE WP.29 vehicle cybersecurity regulation (UN Regulation No. 155), which entered into force in January 2021. The following resources provide embedded developers with expert guidance:
Embedded systems developers can also find security guidance in these two cybersecurity frameworks:
Risk assessments lead to security requirements
In addition to security techniques and security standards, the secure software development lifecycle (secure SDLC or SSDLC) can help every developer build more secure systems. Embedded system design should always begin with an analysis of the device and its intended and potential unintended usage, its security risks (attack vectors) and its attack surfaces. Security should be considered at every stage of the SDLC. The first step in the SSDLC is a thorough risk assessment, which informs the security requirements. A risk assessment identifies threats, the likelihood of those threats and the damage they can cause. Threat modeling complements the risk assessment with a structured approach to identifying and characterizing threats, enabling a more secure system design. Two popular techniques are STRIDE, which classifies threats as spoofing, tampering, repudiation, information disclosure, denial of service or elevation of privilege, and DREAD, which rates each threat’s risk by damage, reproducibility, exploitability, affected users and discoverability.

Supply chain security
A common security requirement is the systematic verification of the security of software and hardware components in the internal and external supply chain. A trusted components program includes requirements such as:
Embedded security encryption
Information exposure is a common vulnerability in connected systems, so embedded security often involves encryption. Transport layer security (TLS) protects data in transit against information exposure attacks, including data spoofing and device hijacking, provided each endpoint actually verifies the certificate the other presents; encryption without authentication only protects against a passive eavesdropper.

How TLS works
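As an added example for this page (not code from the guide or from any BlackBerry product), here is the client-side TLS configuration an embedded device should use, the weak configuration it should not, and the identity check a security gateway can apply to a device certificate once the handshake has verified it. Only the Python standard library `ssl` module is used. The certificate and key paths, the enrolled-device list and the `urn:dev:` identifier scheme carried in the device certificate’s subjectAltName are assumptions made for the example.

```python
"""Device-side TLS client setup and gateway-side device identity check (added example).
Assumed for this example: CA bundle, device certificate and key at the paths passed in,
and a device identifier carried as a URI subjectAltName of the form urn:dev:... .
"""
import ssl

DEVICE_URN_PREFIX = "urn:dev:"  # assumed device-identity SAN scheme, not from the guide

def weak_client_context():
    """What too many embedded clients ship with: encryption without authentication.
    The channel is encrypted, but the device talks to whoever answers, so an on-path
    attacker can impersonate the cloud endpoint and read or rewrite everything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def device_client_context(ca_file=None, cert_file=None, key_file=None):
    """Hardened client: trusted CA set, hostname check, TLS 1.2 or newer, and the
    device's own certificate offered for client authentication (mutual TLS)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cert_file:  # the device's certified identity (assumed file paths)
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def gateway_server_context(ca_file, cert_file, key_file):
    """Security-gateway side: refuse any client that does not present a device
    certificate chaining to the device CA."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def context_is_hardened(ctx):
    """True when the context verifies the peer, checks the hostname and refuses TLS < 1.2."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def device_id_from_cert(peer_cert):
    """Pull the device identifier out of the dict SSLSocket.getpeercert() returns.
    getpeercert() only populates the dict when the chain was verified (verify_mode
    != CERT_NONE); with CERT_NONE it returns {} and this correctly yields None
    instead of trusting an unverified name."""
    for kind, value in peer_cert.get("subjectAltName", ()):
        if kind == "URI" and value.startswith(DEVICE_URN_PREFIX):
            return value
    return None

def authorize_device(peer_cert, enrolled_ids):
    """Policy hook after the handshake: the certificate must be verified AND enrolled."""
    device_id = device_id_from_cert(peer_cert)
    return device_id is not None and device_id in enrolled_ids

# Constructed peer-certificate dicts in getpeercert() shape (not real certificates).
ENROLLED_CERT = {
    "subject": ((("commonName", "pump-0042"),),),
    "subjectAltName": (("URI", "urn:dev:ops:32473-pump-0042"),),
}
UNENROLLED_CERT = {
    "subject": ((("commonName", "pump-0099"),),),
    "subjectAltName": (("URI", "urn:dev:ops:32473-pump-0099"),),
}
WEB_CERT = {"subjectAltName": (("DNS", "api.example.net"),)}  # a server cert, not a device cert
ENROLLED = {"urn:dev:ops:32473-pump-0042"}  # assumed enrollment database

if __name__ == "__main__":
    print("hardened client context:", context_is_hardened(device_client_context()))
    print("weak client context:", context_is_hardened(weak_client_context()))
    for name, cert in (("enrolled", ENROLLED_CERT), ("unenrolled", UNENROLLED_CERT),
                       ("web", WEB_CERT), ("unverified", {})):
        print(name, "->", authorize_device(cert, ENROLLED))
```

Two points worth noting: the order of `check_hostname` and `verify_mode` assignments matters in the weak context (Python refuses `CERT_NONE` while hostname checking is on), and the gateway’s identity check deliberately depends on the TLS layer having already verified the chain, so an unverified connection yields an empty certificate dict and is denied rather than granted by accident.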
Trusted communication
All communications between modules and between the embedded system and the outside world should be authenticated, trusted and encrypted. Each connected device should have its own unique private key and certified device identifier. This device certificate allows each device to authenticate to a cloud directly, or via a separate security gateway that enforces security policies. Additionally, all network traffic should be authenticated and encrypted with rolling (regularly rotated) keys. Device certificates can be used to support client authentication (mutual TLS). This is an increasingly common way to prevent the impersonation of IoT devices and to support secure peer-to-peer connectivity.

Protecting encrypted data
Securing sensitive device data, such as user data or proprietary information, is also critical. Only a user or device with authorization should be able to decrypt the data, which means the keying material itself needs to be protected, for example by personalizing embedded devices with their own unique hardware keys or by using hardware key stores or integrity protection modules (IPM). It is also a best practice to allow only privileged, authorized processes in a trusted state to access OS-level or application key stores.

Code review and testing
During the implementation and testing phase of the secure SDLC, code review and testing is a required step. However, testing of source code or binaries alone will not ensure the system is secure. It will identify security-related software bugs, but it will not identify system-wide or process-related security issues.

SAST vs. DAST vs. penetration testing
Static application security testing (SAST), dynamic application security testing (DAST) and penetration testing are three types of software testing that identify vulnerabilities. These types of security testing can also find unnecessary services (FTP, SSH) and open ports that expose attack surfaces.
SAST tools look inside the code to identify common security flaws, such as buffer overflows and cross-site scripting vulnerabilities, without running the code. DAST tools, such as vulnerability scanners, exercise the running system to find vulnerabilities such as code injection and authentication errors. In penetration testing, an ethical hacker (also called a white hat) attempts to break in to ascertain whether a determined attacker could gain access to or disrupt the embedded system. Penetration testing is also called pen testing or pentesting.

Binary code analysis
Although most SAST is performed on source code, BlackBerry® Jarvis® is an example of a binary code analysis tool. BlackBerry Jarvis scans the binary files included in a build and provides metrics and cautions that tell an embedded software developer what to improve to reduce the security debt of the code, that is, the accumulation of outstanding tasks that have relevance to security. (Security debt is a term used in agile development as part of secure agile software craftsmanship.)

Threat defense and in-field tests
Once the device is in the field, intrusion detection and prevention systems (IDPS) inspect communications to identify or block attacks and the exfiltration of data. Some embedded systems security services, such as BlackBerry® Cylance®, take a proactive approach through threat hunting and security monitoring of embedded systems and IoT devices. In addition, self-tests assess the security posture of an embedded system in the field. Software for self-testing analytics and diagnostics monitors events, logs crashes and anomalies, and sends this information to the cloud. A cloud-based system can then analyze the information and act to mitigate safety and security risks.

Secure OTA updates over the lifetime of a system
Maintenance is the final phase in a secure SDLC. What do you do when you find a vulnerability in software after the product ships?
Updating embedded systems once they are out in the world is much more difficult than updating software on personal devices, such as laptop computers. Just identifying the physical location of embedded systems and their status (e.g., software version, in service) can be difficult. So updating software for safety- or mission-critical systems, where downtime or restarts can have a catastrophic impact, must be performed with the utmost care and only after extensive testing of the impact on the whole system. Until recently, most embedded software updates were performed in person, which is costly and resource-intensive. In recent years, a number of over-the-air (OTA) update solutions have emerged for embedded systems. But because embedded system infrastructure components (e.g., authentication mechanisms, endpoint management systems, cloud, software repository, communication protocols) often don’t interoperate, out-of-the-box solutions rarely work. BlackBerry QNX has created a flexible OTA solution that can be customized to combine existing technology and manage even the most complex update scenarios.

How BlackBerry QNX can help you
BlackBerry QNX is trusted in critical systems globally to provide the software foundation for safe, secure and reliable systems. In this section, you’ll learn more about our secure software solutions, professional security services and security industry leadership.

Secure software foundation
BlackBerry QNX’s reputation as a security vendor is backed by 40 years of experience delivering secure and reliable software for embedded systems. BlackBerry QNX offers trusted mobile security, and the QNX Neutrino RTOS and the QNX® Hypervisor are the gold standard in embedded operating systems and hypervisors. BlackBerry QNX has the expertise needed to help customers build more secure products. BlackBerry QNX provides businesses in the most demanding industries with the building blocks for secure embedded systems; these include:
The QNX Neutrino RTOS and the QNX Hypervisor are the gold standard operating systems for secure embedded software.

BlackBerry Security Services
Leveraging BlackBerry’s industry-leading cybersecurity expertise, we can evaluate your software assets to identify vulnerabilities and recommend specific remediation actions. From penetration testing to a holistic appraisal of your company’s security posture, our security and embedded system experts can assess and address security issues with your processes or products at every stage of your software development life cycle (SDLC). We can help you:
Our security services include:
Learn more about our security services.

Industry leadership
BlackBerry Advanced Technology Development Labs (BlackBerry Labs) works at the forefront of research and development in the cybersecurity space. With a strong focus on data science and machine learning, BlackBerry Labs’ innovation funnel investigates, incubates and facilitates technologies specifically designed to further our commitment to safety, security and data privacy for BlackBerry customers. BlackBerry® Certicom® provides device security, anti-counterfeiting and product authentication to deliver end-to-end security with managed public key infrastructure, code signing and other applied cryptography and key management solutions. BlackBerry® Cybersecurity offers AI-based endpoint security solutions that prevent breaches and provide added controls for safeguarding against sophisticated threats. Focusing on a prevention-based approach rather than signature-based tools, BlackBerry has redefined what an endpoint protection solution can and should do. BlackBerry® QNX® offers the most advanced and secure embedded operating system (OS) and embedded hypervisor for mission-critical and safety-critical embedded systems.