View source for OWASP Embedded Application Security

= Main = 
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]</div>
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Embedded Application Security Project ==

Every year the prevalent use of embedded software within enterprise and consumer devices continues to rise exponentially. With widespread publicity of the Internet of Things (IoT), more and more devices are becoming network connected evidencing how essential it is to create secure coding guidelines for embedded software. Embedded Application Security is often not a high priority for embedded developers when they are producing devices such as routers, managed switches, medical devices, Industrial Control Systems (ICS), VoIP phones, IoT devices, and ATM Kiosks due to other challenges outside of development. Other challenges developers face may include, but are not limited to, the Original Design Manufacturer (ODM) supply chain, limited memory, a small stack, and the challenge of pushing firmware updates securely to an endpoint. The goals of this project are to create a list of best practices, provide practical guidance to embedded developers, and to draw on the existing OWASP resources that can bring application security expertise to the embedded world. It is important to note, each of the items and guidance points listed below are longstanding within software security. This document purely tailors issues that OWASP has previously provided guidance upon (e.g. OWASP Top 10, Mobile Top 10, etc.) to the embedded community. ''Given the prevalence of Linux kernels utilized within embedded devices, all code examples are geared towards a POSIX environment but the principles are designed to be platform agnostic.''


| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Mailing List / Group Communication ==

[https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/embedded-appsec Embedded Sec Mailing List]
[http://owasp.herokuapp.com/ Please join our OWASP Slack channel; look for the #embeddedappsec]

== Project Leaders ==

[https://owasp.org/index.php/User:Aaron.guzman Aaron Guzman] [mailto:aaron.guzman@owasp.org @]
<br>
[https://owasp.org/index.php/User:Alex.Lafrenz Alex Lafrenz] [mailto:alex.lafrenz@owasp.org @]

== Related Projects ==

* [[OWASP Internet of Things Project]]
* [[C-Based Toolchain Hardening]]
* [[OWASP Mobile Security Project]]

| valign="top"  style="padding-left:25px;width:200px;" |

== News and Events ==
Conferences that project leaders will be speaking at based upon the Embedded Application Security Project 
* [07 April 2017] Sam Houston University (SHACS) Conference
* [07 April 2017] BSides Edinburgh
* [19 May 2017] HackMiami
* [02 June 2017] SecurityFest

== Releases ==
 [https://scriptingxss.gitbooks.io/embedded-application-security-best-practices/content/ Click here for version 1]

==Classifications==

   {| width="200" cellpadding="2"
   |-
   | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]  
   |-
   | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
   |-
   | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
   |-
   | colspan="2" align="center"  | [[File:Project_Type_Files_DOC.jpg|link=]]
   |}


|}

= Embedded Best Practices =

The Working Document can be found here (Google Docs) https://docs.google.com/document/d/1NxpVCeiglY1wHhmw7U-e9jnHgd-jQI-Y6sbdeKzUpQE/edit?usp=sharing

= Table of Contents =

Draft-The items below are subject to change

==Introduction==
==Release Notes==
==Risk Involved==
==Top 10==
===	E1 –  Memory Protections ===
===	E2 – Injection Prevention ===

===	E3 – Firmware Updates and Cryptographic Signatures ===
===	E4 – Usage of Secrets and Keys ===
===	E5 – Identity Management ===
===	E6 – Embedded Framework Hardening ===
===	E7 – Usage of Debug Code and Interfaces ===

===	E8 – Transport Layer Security ===
===	E9 – Data collection Usage and Storage - Privacy === 
===	E10 – Third Party Code and Components ===
== Note on Hardware ==
== Get Involved ==

= Embedded Device Firmware Analysis Tools =

* Angr - [https://github.com/angr/angr]
* Firmadyne [https://github.com/firmadyne/firmadyne]
* Firmwalker [https://github.com/craigz28/firmwalker]
* Binary Analysis [http://www.binaryanalysis.org/en/content/show/download]
* Flaw Finder [https://sourceforge.net/projects/flawfinder/]
* IDA Pro (supports ARM / MIPS)
* Radare2 [https://github.com/radare/radare2]
* GDB
* Binwalk [http://binwalk.org/]
* Firmware-mod-toolkit [https://code.google.com/archive/p/firmware-mod-kit/]
* Capstone framework [http://www.capstone-engine.org/]
* Shikra [http://int3.cc/products/the-shikra]
* JTagulator [http://www.grandideastudio.com/jtagulator/]
* UART cables
* JTAG Adapters (JLINK)
* BusPirate
* BusBlaster
* CPLDs (in lieu of FPGAs)
* Oscilloscopes
* Multimeter (Ammeter, Voltmeter, etc)
* Logic Analyzers for SPI [https://www.saleae.com/logic16]
* OpenOCD
*GreatFET [https://greatscottgadgets.com/greatfet/]

= Roadmap =

== 2016-2017 Roadmap ==
* Curate a list of embedded secure coding best practices.
* Create a Top 10 Embedded Application Security list.
* Participate in PR-related activities to involve the embedded community at large.
* Contribute to ASVS with embedded security principles 

Feel free to join the mailing list and contact the Project leader if you feel you can contribute.

__NOTOC__ <headertabs />

[[Category:OWASP_Project]]