|
|
(3 intermediate revisions by one other user not shown) |
Line 1: |
Line 1: |
| {{taggedDocument | | {{taggedDocument |
− | | type=design | + | | type=delete |
| + | | comment=Tagged via fixme/delete. |
| }} | | }} |
− |
| |
− | # V20: Internet of Things Verification Requirements
| |
− | This section contains controls that are Embedded/IoT device specific. These controls must be taken in conjunction with all other sections of the relevant ASVS Verification Level.
| |
− |
| |
− | ## Control Objective
| |
− |
| |
− | Embedded/IoT devices should:
| |
− |
| |
− | * Have the same level of security controls within the device as found in the server, by enforcing security controls in a trusted environment.
| |
− | * Sensitive data stored on the device should be done so in a secure manner.
| |
− | * All sensitive data transmitted from the device should utilize transport layer security.
| |
− |
| |
− |
| |
− | ## Security Verification Requirements
| |
− |
| |
− | | # | Description | L1 | L2 | L3 | Since |
| |
− | | --- | --- | --- | --- | -- | -- |
| |
− | | **20.1** | Verify that application layer debugging interfaces such USB or serial are disabled. | ✓ | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify that cryptographic keys are unique to each individual device. | ✓ | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify that memory protection controls such as ASLR and DEP are enabled by the embedded/IoT operating system, if applicable. | ✓ | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify that on-chip debugging interfaces such as JTAG or SWD are disabled or that available protection mechanism is enabled and configured appropriately. | ✓ | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify that physical debug headers are not present on the device. | ✓ | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify that sensitive data is not stored unencrypted on the device. | ✓ | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify that the device prevents leaking of sensitive information. | ✓ | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify that the firmware apps protect data-in-transit using transport security. | ✓ | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify that the firmware apps validate the digital signature of server connections. | ✓ | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify that wireless communications are mutually authenticated. | ✓ | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify that wireless communications are sent over an encrypted channel. | ✓ | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify that the firmware apps pin the digital signature to a trusted server(s). | | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify the presence of physical tamper resistance and/or tamper detection features, including epoxy. | | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify that identifying markings on chips have been removed. | | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify that any available Intellectual Property protection technologies provided by the chip manufacturer are enabled. | | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify security controls are in place to hinder firmware reverse engineering (e.g., removal of verbose debugging strings). | | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify the device validates the boot image signature before loading. | | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify that the firmware update process is not vulnerable to time-of-check vs time-of-use attacks. | | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify the device uses code signing and validates firmware upgrade files before installing. | | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify that the device cannot be downgraded to old versions of valid firmware. | | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify usage of cryptographically secure pseudo-random number generator on embedded device (e.g., using chip-provided random number generators). | | ✓ | ✓ | 3.1 |
| |
− | | **20.1** | Verify that the device wipes firmware and sensitive data upon detection of tampering or receipt of invalid message. | | | ✓ | 3.1 |
| |
− | | **20.1** | Verify that only microcontrollers that support disabling debugging interfaces (e.g. JTAG, SWD) are used. | | | ✓ | 3.1 |
| |
− | | **20.1** | Verify that only microcontrollers that provide substantial protection from de-capping and side channel attacks are used. | | | ✓ | 3.1 |
| |
− | | **20.1** | Verify that sensitive traces are not exposed to outer layers of the printed circuit board. | | | ✓ | 3.1 |
| |
− | | **20.1** | Verify that inter-chip communication is encrypted. | | | ✓ | 3.1 |
| |
− | | **20.1** | Verify the device uses code signing and validates code before execution. | | | ✓ | 3.1 |
| |
− | | **20.1** | Verify that sensitive information maintained in memory is overwritten with zeros as soon as it is no longer required. | | | ✓ | 3.1 |
| |
− | | **20.1** | Verify that the firmware apps utilize kernel containers for isolation between apps. | | | ✓ | 3.1 |
| |
− |
| |
− |
| |
− |
| |
− | ## References
| |
− |
| |
− | For more information, see also:
| |
− |
| |
− | * [OWASP Internet of Things Top 10](https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf)
| |
− | * [OWASP Internet of Things Project](https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project)
| |
− | * [Trudy TCP Proxy Tool](https://github.com/praetorian-inc/trudy)
| |