"Software Security Fundamentals for Embedded"
* An Introductory Course for Embedded Software Developers, Designers, Quality and Security Engineers
* How to Design and Develop Embedded Software Systems that will Continue to Operate Correctly while Under Attack
* 2 Day Intensive Class (lectures, discussions, example software threat scenarios, classroom exercises)
This course examines the activities and methods involved in systematically preventing security vulnerabilities in
embedded and real-time software as it undergoes development.
While areas such as secure network communication and data encryption are touched upon, the main focus of this
course is on security vulnerabilities within application software. Most attacks on embedded devices exploit such
application software vulnerabilities. The course begins with a discussion of the main concepts for secure coding of
embedded systems software. Common security defects are studied in detail, including incomplete input validation,
missing exception handling, buffer overflows and race conditions. Mitigation ideas are presented for many kinds of
software vulnerabilities. Emphasis is placed on uniquely embedded security issues such as weaknesses in
interfacing, multitasking and timing, rather than on general data processing security issues.
The class continues with an examination of principles and approaches important in embedded software security,
such as threat analysis, security requirements engineering, attack patterns, architectural design patterns for security,
and secure coding reviews. Disciplined techniques and tools are presented to support these approaches.
Participants are asked to do detailed exercises on many of the security issues presented, so that the concepts and
methods taught are reinforced and absorbed into the participant's arsenal of embedded software development skills.
This course is not a general course about software security, but rather it is highly focused on the security of
embedded, time-constrained, resource-constrained software. Multitasking and real-time operating system ("RTOS")
security issues will be emphasized if relevant for course participants.
WHO SHOULD ATTEND?
This course is intended for practicing real-time and embedded systems software designers, developers, quality and
security engineers who have responsibility for designing and implementing the software for secure embedded and
real-time computer systems.
Course participants are expected to have some background in software development for real-time and embedded
systems. It would be helpful, although it is not required, for course participants to have some familiarity with at least
one RTOS. [This knowledge can be gained at one of our introductory courses "Introduction to Embedded Systems
and Software" or "Introduction to Real-Time Operating Systems".]
The primary goal of this course is to give the participant the skills necessary to systematically design, develop and
implement secure software for embedded and real-time computer systems. This is a very practical, results-oriented
course that will provide knowledge and skills that can be applied immediately.
Day 1 Morning: Fundamentals of Embedded Software Security
* Definitions and Overview
* Application Software Vulnerabilities
* Security Practices for Embedded Software
* Taxonomy of Embedded Code Vulnerabilities
* Concurrency and Multi-Tasking Issues
* Exercise: Buffer Overflow can Hijack a System
Day 1 Afternoon: Plethora of Embedded Code Security Vulnerabilities
* Exercise: Function Pointer Shenanigans
* Exercise: Dynamic Memory Attack
* Exercise: JPEG Vulnerability
* "TOCTOU" in Embedded Software
* Software Security Principles
Day 2 Morning: Embedded Software Patterns of Attack and Defense
* Architectural Design Patterns for Embedded Software Security
* Exercise: Threat Modeling and Attack Modeling for an Automated Train
* Overview of Cryptography for Embedded Software
* Embedded System-Level Security: How-To's
Day 2 Afternoon: Practical Methods for Embedded Software Security
* Real-Time Operating Systems for Security
* Hardware Help for Embedded Software Security
* Update on Static Code Analysis for Embedded Software Security
* Exercises: Coding Flaws Open the Gates to Attackers
* Metrics for Software Defects and Vulnerabilities
* Exercise: Cyclomatic Complexity
INSTRUCTOR: Dr. David Kalinsky
© Copyright 2013, D. Kalinsky Associates, All Rights Reserved.
This page Updated August 27, 2013