This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Embedded Application Security"
Aaron.guzman (talk | contribs) (→Embedded Device Firmware Analysis Tools) |
Aaron.guzman (talk | contribs) (→Embedded Best Practices) |
||
| Line 62: | Line 62: | ||
* Ensure all methods of communication are utilizing industry standard encryption configurations for TLS. | * Ensure all methods of communication are utilizing industry standard encryption configurations for TLS. | ||
* Limit collection, storage, and sharing of personal identifiable information (PII) to items that are only required for operation. | * Limit collection, storage, and sharing of personal identifiable information (PII) to items that are only required for operation. | ||
| − | * Ensure kernel and software packages on embedded images are updated to prevent from known publicly available exploits. | + | * Ensure kernel and software packages on embedded images are updated to prevent from known publicly available exploits. (i.e Rompager [https://www.kb.cert.org/vuls/id/561444] UPnP [https://www.kb.cert.org/vuls/id/922681] |
This list was created based off of community feedback discussed here [https://groups.google.com/a/owasp.org/forum/?hl=en#!topic/embedded-appsec/6D6X8Lf_QTw] | This list was created based off of community feedback discussed here [https://groups.google.com/a/owasp.org/forum/?hl=en#!topic/embedded-appsec/6D6X8Lf_QTw] | ||
Revision as of 23:31, 18 July 2016
OWASP Embedded Application Security ProjectEach year, the number of enterprise and consumer devices with embedded software are on the rise. Given the publicity with IoT and more devices becoming network connected, it is essential to create secure coding guidelines for embedded software. Embedded Application Security is not often a high priority for embedded devices such as Routers, Managed Switches, IoT devices, and even ATM Kiosks. There are many challenges in the embedded field including ODM supply chain, limited memory, a small stack, and the challenge of pushing firmware updates securely to an endpoint. The goal of this project is to identify the risks in embedded applications on a generalized list of devices, create a list of best practices, draw on the resources that OWASP already has, and bring OWASP expertise to the embedded world.
|
Mailing ListProject LeadersRelated Projects |
News and Events
In PrintWe will be releasing a user guide soon! Classifications
| |||||||
- Prevent the use of dangerous functions and APIs in efforts to protect against memory-corruption vulnerabilities inside firmware functions. (e.g. Use of unsafe C functions - strcat, strcpy, sprintf, scanf) [1]
- Ensure secure compiler flags or switches are utilized upon each firmware build. (i.e For GCC -fPIE, -fstack-protector-all, -Wl,-z,noexecstack, -Wl,-z,noexecheap etc..)
- Ensure robust update mechanisms utilize cryptographically signed firmware images for updating functions.
- Do not hard code secrets such as passwords, usernames, tokens, private keys or similar variants into firmware images.
- Dispose and securely wipe sensitive information stored in buffers or temporary files during runtime after they are no longer needed (e.g. Wipe buffers from locations where personal identifiable information is stored before releasing the buffers)
- Modify Busybox and embedded frameworks alike to only libraries and functions that are being used. (e.g. Remove unused languages like perl and services such as Telnet, FTP etc)
- Validate all debugging and pre-production code have been removed prior to firmware deployment.
- Ensure all methods of communication are utilizing industry standard encryption configurations for TLS.
- Limit collection, storage, and sharing of personal identifiable information (PII) to items that are only required for operation.
- Ensure kernel and software packages on embedded images are updated to prevent from known publicly available exploits. (i.e Rompager [2] UPnP [3]
This list was created based off of community feedback discussed here [4]
- Angr - [5]
- Firmadyne [6]
- Firmwalker [7]
- Binary Analysis [8]
- Flaw Finder [9]
- IDA Pro (supports ARM / MIPS)
- Radare2 [10]
- GDB
- Binwalk [11]
- Firmware-mod-toolkit [12]
- Capstone framework [13]
- Shikra [14]
- JTagulator [15]
- UART cables
- JTAG Adapters (JLINK)
- BusPirate
- BusBlaster
- CPLDs (in lieu of FPGAs)
- Oscilloscopes
- Multimeter (Ammeter, Voltmeter, etc)
- Logic Analyzers for SPI [16]
- OpenOCD
2016-2017 Roadmap
- Curate a list of embedded secure coding best practices.
