This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Embedded Application Security"
Aaron.guzman (talk | contribs) |
Aaron.guzman (talk | contribs) |
||
Line 1: | Line 1: | ||
− | + | = Main = | |
− | |||
− | |||
<div style="width:100%;height:105px;border:0,margin:0;overflow: hidden;">[[Image:Low activity.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Low_Activity_Projects]] </div> | <div style="width:100%;height:105px;border:0,margin:0;overflow: hidden;">[[Image:Low activity.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Low_Activity_Projects]] </div> | ||
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | ||
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" | | | valign="top" style="border-right: 1px dotted gray;padding-right:25px;" | | ||
+ | |||
+ | ==OWASP Embedded Application Security Project== | ||
+ | |||
+ | Each year, the number of enterprise and consumer devices with embedded software are on the rise. Given the publicity with IoT and more devices becoming network connected, it is crucial that guidelines form OWASP on embedded software should be created. Embedded Application Security is not often a high priority for embedded devices such as Routers, Managed Switches, IoT devices, and even ATM Kiosks. There are many challenges in the embedded field including ODM supply chain, limited memory, a small stack, and the challenge of pushing firmware updates securely to an endpoint. | ||
+ | The goal of this project is to identify the risks in embedded applications on a generalized list of devices, create a list of best practices, draw on the resources that OWASP already has, and bring OWASP expertise to the embedded world. | ||
+ | |||
+ | |||
+ | ==Licensing== | ||
+ | The OWASP Embedded Application Security Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. | ||
+ | |||
+ | == What is the OWASP Embedded Application Security Project? == | ||
+ | |||
+ | The OWASP Embedded Application Security Project provides: | ||
+ | |||
+ | * Items here | ||
+ | |||
+ | == Project Leaders == | ||
+ | |||
+ | * Aaron Guzman | ||
+ | |||
+ | |||
+ | == Related Projects == | ||
+ | |||
+ | * [[OWASP_Project|OWASP Project Repository]] | ||
+ | * [[OWASP_Mobile_Security_Project|OWASP Mobile Security]] | ||
+ | * [[OWASP_Top_Ten_Project|OWASP Web Top 10]] | ||
+ | * [[OWASP_.NET_Project|OWASP .NET]] | ||
+ | * [[Java|OWASP Java and JVM]] | ||
+ | * [[C/C++|OWASP C/C++]] | ||
+ | |||
+ | | valign="top" style="padding-left:25px;width:200px;" | | ||
− | |||
+ | ==Classifications== | ||
+ | |||
+ | {| width="200" cellpadding="2" | ||
+ | |- | ||
+ | | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]] | ||
+ | | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] | ||
+ | |- | ||
+ | | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]] | ||
+ | |- | ||
+ | | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] | ||
+ | |- | ||
+ | |} | ||
+ | = Embedded Testing Tools = | ||
− | = | + | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div> |
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | ||
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" | | | valign="top" style="border-right: 1px dotted gray;padding-right:25px;" | | ||
+ | |||
+ | == Embedded Testing Tools == | ||
+ | |||
+ | Provide security testing guidance for Embedded Devices: | ||
+ | |||
{| border="1" class="wikitable" style="text-align: left" | {| border="1" class="wikitable" style="text-align: left" | ||
+ | ! Section | ||
+ | ! | ||
+ | |- | ||
+ | | | ||
+ | Device Firmware Vulnerabilties | ||
+ | | | ||
+ | * Hardcoded credentials | ||
+ | * Sensitive information disclosure | ||
+ | * Sensitive URL disclosure | ||
+ | * Encryption keys | ||
+ | * Backdoor accounts | ||
+ | * Vulnerable services (web, ssh, tftp, etc.) | ||
+ | |- | ||
+ | | | ||
+ | Device Firmware Guidance and Instruction | ||
+ | | | ||
+ | * Firmware file analysis | ||
+ | * Firmware extraction | ||
+ | * Dynamic binary analysis | ||
+ | * Static binary analysis | ||
+ | * Static code analysis | ||
+ | * Firmware emulation | ||
+ | * File system analysis | ||
+ | |- | ||
+ | | | ||
+ | Device Firmware Tools | ||
+ | | | ||
+ | * [https://github.com/craigz28/firmwalker Firmwalker] | ||
+ | * [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit] | ||
+ | * [https://github.com/angr/angr Angr binary analysis framework] | ||
+ | * [http://binwalk.org/ Binwalk firmware analysis tool] | ||
+ | * [http://www.binaryanalysis.org/en/home Binary Analysis Tool] | ||
+ | |- | ||
+ | |} | ||
+ | |||
+ | |||
+ | |||
+ | == What is the Firmware Analysis Project? == | ||
+ | |||
+ | The Firmware Analysis Project provides: | ||
+ | |||
+ | * Security testing guidance for vulnerabilities in the "Device Firmware" attack surface | ||
+ | * Steps for extracting file systems from various firmware files | ||
+ | * Guidance on searching a file systems for sensitive of interesting data | ||
+ | * Information on static analysis of firmware contents | ||
+ | * Information on dynamic analysis of emulated services (e.g. web admin interface) | ||
+ | * Testing tool links | ||
+ | * A site for pulling together existing information on firmware analysis | ||
+ | |||
+ | |||
+ | |||
+ | == Related Projects == | ||
+ | |||
+ | * [[OWASP_Mobile_Security_Project|OWASP Mobile Security]] | ||
+ | * [[OWASP_Top_Ten_Project|OWASP Web Top 10]] | ||
+ | |||
+ | == Email List == | ||
+ | [mailto:[email protected] Mailing List] | ||
+ | |||
+ | == Resources == | ||
+ | * [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis] | ||
+ | * [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images] | ||
+ | * [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit] | ||
+ | * [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video] | ||
+ | * [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU] | ||
+ | |||
+ | |||
+ | == Related Projects == | ||
+ | |||
+ | * [[OWASP_Mobile_Security_Project|OWASP Mobile Security]] | ||
+ | * [[OWASP_Top_Ten_Project|OWASP Web Top 10]] | ||
+ | |||
+ | == Email List == | ||
+ | [mailto:[email protected] Mailing List] | ||
+ | |||
+ | |||
+ | == Project Leaders == | ||
+ | |||
+ | |||
+ | == Related Projects == | ||
+ | |||
+ | * [[OWASP_Mobile_Security_Project|OWASP Mobile Security]] | ||
+ | * [[OWASP_Top_Ten_Project|OWASP Web Top 10]] | ||
+ | |||
+ | == Email List == | ||
+ | [mailto:[email protected] Mailing List] | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
=Project About= | =Project About= | ||
+ | |||
{{Template:Project About | {{Template:Project About | ||
− | | project_name =OWASP Embedded Application Security | + | | project_name =OWASP Embedded Application Security |
| project_description = | | project_description = | ||
| project_license = | | project_license = | ||
Line 32: | Line 177: | ||
| leader_email2 = | | leader_email2 = | ||
| leader_username2 = | | leader_username2 = | ||
− | | contributor_name1 = | + | | contributor_name1 = |
| contributor_email1 = | | contributor_email1 = | ||
| contributor_username1 = | | contributor_username1 = | ||
Line 46: | Line 191: | ||
− | [[Category: | + | |
+ | |||
+ | |||
+ | |||
+ | |||
+ | __NOTOC__ <headertabs /> | ||
+ | |||
+ | [[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]] |
Revision as of 18:08, 3 March 2016
OWASP Embedded Application Security ProjectEach year, the number of enterprise and consumer devices with embedded software are on the rise. Given the publicity with IoT and more devices becoming network connected, it is crucial that guidelines form OWASP on embedded software should be created. Embedded Application Security is not often a high priority for embedded devices such as Routers, Managed Switches, IoT devices, and even ATM Kiosks. There are many challenges in the embedded field including ODM supply chain, limited memory, a small stack, and the challenge of pushing firmware updates securely to an endpoint. The goal of this project is to identify the risks in embedded applications on a generalized list of devices, create a list of best practices, draw on the resources that OWASP already has, and bring OWASP expertise to the embedded world.
LicensingThe OWASP Embedded Application Security Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. What is the OWASP Embedded Application Security Project?The OWASP Embedded Application Security Project provides:
Project Leaders
Related Projects |
Classifications
|