D. Kalinsky Associates
Foundation Course:

"Software Security for Embedded"

*  An Introductory Course for Embedded Software Developers, Designers, Quality and Security Engineers

*  How to Design and Develop Embedded Software Systems that will Continue to Operate Correctly while Under Attack

*  2 Day Intensive Class (lectures, discussions, example software threat scenarios, classroom exercises)
COURSE OVERVIEW

This course examines the activities and methods involved in systematically preventing security vulnerabilities in
embedded and real-time software as it undergoes development.

While areas such as secure network communication and data encryption are touched upon, the main focus of this
course is on security vulnerabilities within application software.  Most attacks on embedded devices exploit such
application software vulnerabilities.  The course begins with a discussion of the main concepts for secure coding of
embedded systems software. Common security defects are studied in detail, including incomplete input validation,
missing exception handling, buffer overflows and race conditions.  Mitigation ideas are presented for many kinds of
software vulnerabilities.  Emphasis is placed on uniquely embedded security issues such as weaknesses in
interfacing, multitasking and timing, rather than on general data processing security issues.

The class continues with an examination of principles and approaches important in embedded software security,
such as threat analysis, security requirements engineering, attack patterns, architectural design patterns for security,
and secure coding reviews.  Disciplined techniques and tools are presented to support these approaches.

Participants are asked to do detailed exercises on many of the security issues presented, so that the concepts and
methods taught are reinforced and absorbed into the participant's arsenal of embedded software development skills.

This course is not a general course about software security, but rather it is highly focused on the security of
embedded, time-constrained, resource-constrained software. Multitasking and real-time operating system ("RTOS")
security issues will be emphasized if relevant for course participants.


WHO SHOULD ATTEND?

This course is intended for practicing real-time and embedded systems software designers, developers, quality and
security engineers who have responsibility for designing and implementing the software for secure embedded and
real-time computer systems.

Course participants are expected to have some background in software development for real-time and embedded
systems. It would be helpful, although it is not required, for course participants to have some familiarity with at least
one RTOS.  [This knowledge can be gained at one of our introductory courses "Introduction to Embedded Systems
and Software" or "Introduction to Real-Time Operating Systems".]


COURSE OBJECTIVES

The primary goal of this course is to give the participant the skills necessary to systematically design, develop and
implement secure software for embedded and real-time computer systems.  This is a very practical, results-oriented
course that will provide knowledge and skills that can be applied immediately.



COURSE CONTENTS

Day 1 Morning:  Fundamentals of Embedded Software Security

Definitions and Overview
Application Software Vulnerabilities
Security Practices for Embedded Software
Taxonomy of Embedded Code Vulnerabilities
Concurrency and Multi-Tasking Issues
Exercise: Buffer Overflow can Hijack a System

Day 1 Afternoon:  Plethora of Embedded Code Security Vulnerabilities

Stack Smashing
Code Injection
Arc Injection
Exercise: Function Pointer Shenanigans
Tainted Inputs
Exercise: Dynamic Memory Attack
Mitigation Approaches
Data Sanitization
Exercise: JPEG Vulnerability
Concurrency Vulnerabilities
"TOCTOU" in Embedded Software

Day 2 Morning:  Embedded Software Security Principles and Patterns

Software Security Principles
Threat Modeling
Attack Patterns
Architectural Design Patterns for Embedded Software Security
Exercise: Threat Modeling and Attack Modeling for an Automated Train

Day 2 Afternoon:  Practical Methods for Embedded Software Security

Overview of Cryptography for Embedded Software
Embedded System-Level Security: How-To's
Real-Time Operating Systems for Security
Update on Static Code Analysis for Embedded Software Security
Metrics for Software Defects and Vulnerabilities
Exercise: Cyclomatic Complexity



INSTRUCTOR:  Dr. David Kalinsky
© Copyright 2011, D. Kalinsky Associates, All Rights Reserved.
This page Updated August 15, 2011