Difference between revisions of "OWASP Embedded Application Security"
Aaron.guzman (talk | contribs) (→Embedded Best Practices) |
Aaron.guzman (talk | contribs) (→Embedded Best Practices) |
||
Line 63: | Line 63: | ||
###Consider where variables are stored: stack, static or allocated structure | ###Consider where variables are stored: stack, static or allocated structure | ||
###Explicitly initialize variables | ###Explicitly initialize variables | ||
+ | ##Ensure secure compiler flags or switches are utilized upon each firmware build. (e.g. For GCC -fPIE, -fstack-protector-all, -Wl,-z,noexecstack, -Wl,-z,noexecheap etc..) | ||
##Find Vulnerable C functions in source. <br/>Example <br/> | ##Find Vulnerable C functions in source. <br/>Example <br/> | ||
<pre>find . -type f -name '*.c' -print0|xargs -0 grep -e 'strncpy.*strlen'|wc -l</pre> | <pre>find . -type f -name '*.c' -print0|xargs -0 grep -e 'strncpy.*strlen'|wc -l</pre> | ||
<pre>strncat( buffer, SOME_DATA, strlen( SOME_DATA )); /* WRONG */</pre> | <pre>strncat( buffer, SOME_DATA, strlen( SOME_DATA )); /* WRONG */</pre> | ||
<pre>char buffer[SOME_SIZE]; strncat( buffer, SOME_DATA, sizeof(buffer)); /* RIGHT */</pre> | <pre>char buffer[SOME_SIZE]; strncat( buffer, SOME_DATA, sizeof(buffer)); /* RIGHT */</pre> | ||
− | + | #Ensure all untrusted data and user input is validated, sanitized, and output encoded to prevent from unintended system execution. | |
− | # Ensure all untrusted data and user input is validated, sanitized, and output encoded to prevent from unintended system execution. | ||
Example:The following command injection code is based upon wrapping the UNIX command cat which prints the contents of a file to standard output.: | Example:The following command injection code is based upon wrapping the UNIX command cat which prints the contents of a file to standard output.: | ||
<pre> | <pre> |
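Review bot: the GCC flag list on the added "Ensure secure compiler flags" line mixes compile-time and link-time switches and is incomplete as written: -fPIE only makes the object files position-independent, and the final link also needs -pie (or -Wl,-pie) to produce an actual PIE executable, otherwise the ASLR benefit is silently lost. -z noexecheap is not a keyword of mainline GNU ld (only noexecstack is), it comes from hardened binutils patches, so the line should say which toolchain it applies to. Suggest also listing -Wl,-z,relro,-z,now and -D_FORTIFY_SOURCE=2 (effective only with -O1 or higher), which are standard GCC/ld hardening switches.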
Revision as of 22:06, 26 October 2016
- Buffer and Stack Overflow Protection - Prevent the use of dangerous functions and APIs to protect against memory-corruption vulnerabilities inside firmware (e.g. the unsafe C functions strcat, strcpy, sprintf, scanf). [1]
- Buffer Considerations
  - What kind of buffer and where it resides: physical, logical, virtual memory
  - What data will remain when the buffer is freed or left around to LRU out
  - What strategy will be followed to ensure old buffers do not leak data (example: clear the buffer after use)
  - Initialize buffers to a known value on allocation
  - Consider where variables are stored: stack, static or allocated structure
  - Explicitly initialize variables
- Ensure secure compiler flags or switches are utilized upon each firmware build (e.g. for GCC: -fPIE, -fstack-protector-all, -Wl,-z,noexecstack, -Wl,-z,noexecheap, etc.).
- Find vulnerable C functions in source. Example: count strncpy calls whose bound is taken from the length of the source rather than the size of the destination, a common misuse:
  find . -type f -name '*.c' -print0|xargs -0 grep -e 'strncpy.*strlen'|wc -l
  strncat( buffer, SOME_DATA, strlen( SOME_DATA )); /* WRONG: the bound is the source length, not the space left in buffer */
  char buffer[SOME_SIZE] = ""; strncat( buffer, SOME_DATA, sizeof(buffer) - strlen(buffer) - 1 ); /* RIGHT: the bound is the remaining space minus one byte for the terminator */
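The buffer considerations above, worked through as an added example that is not part of the original page (the function names are this example's own): allocate to a known value, append with a bound computed from the space actually left rather than sizeof(buffer), and wipe the buffer before it is released so stale data does not leak.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Append src to the NUL-terminated string already in buf (capacity cap bytes).
 * The bound handed to strncat is the space left minus one byte for the
 * terminator, never sizeof(buf) alone. Returns 0 on success, -1 if src would
 * not fit (buf is then left unchanged rather than silently truncated). */
int safe_append(char *buf, size_t cap, const char *src) {
    const char *end = memchr(buf, '\0', cap);
    if (end == NULL) return -1;               /* buf is not terminated: refuse */
    size_t used = (size_t)(end - buf);
    size_t room = cap - used - 1;
    if (strlen(src) > room) return -1;        /* would truncate: refuse */
    strncat(buf, src, room);
    return 0;
}

/* Zero a buffer through a volatile pointer so the compiler cannot discard the
 * stores as dead (use explicit_bzero or memset_s where the libc offers them). */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n-- > 0) *vp++ = 0;
}

/* 1 if every byte of p is zero, else 0. */
int is_all_zero(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < n; i++) if (b[i] != 0) return 0;
    return 1;
}

/* Walk one buffer through its lifecycle: allocate zeroed, append within bounds,
 * wipe before release. Returns the number of appends that succeeded (2 expected:
 * the third would overflow the 8-byte buffer and is refused), or -1 on a
 * lifecycle check failing. */
int demo_buffer_lifecycle(void) {
    enum { CAP = 8 };
    char *buf = calloc(CAP, 1);               /* known value on allocation */
    if (buf == NULL) return -1;
    int ok = 0;
    ok += safe_append(buf, CAP, "abc") == 0;   /* "abc" fits */
    ok += safe_append(buf, CAP, "defg") == 0;  /* "abcdefg" fills all 7 usable bytes */
    ok += safe_append(buf, CAP, "h") == 0;     /* no room left: refused, buf unchanged */
    if (strcmp(buf, "abcdefg") != 0) ok = -1;
    secure_wipe(buf, CAP);                    /* clear before the memory is reused */
    if (!is_all_zero(buf, CAP)) ok = -1;
    free(buf);
    return ok;
}

int main(void) {
    printf("successful appends: %d\n", demo_buffer_lifecycle());
    return 0;
}
```

Refusing an append that does not fit, instead of truncating, is a deliberate choice: silent truncation of a path or command string is itself a frequent source of logic bugs in firmware.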
- Ensure all untrusted data and user input is validated, sanitized, and output encoded to prevent unintended system execution.
  Example: the following command injection code is based upon wrapping the UNIX command cat, which prints the contents of a file to standard output. argv[1] reaches system() unchecked, so any shell metacharacters it contains are interpreted by the shell:
  #include <stdio.h>
  #include <stdlib.h>   /* malloc, free, system (missing from the original listing) */
  #include <string.h>   /* strlen, strncpy, strncat (missing from the original listing) */
  #include <unistd.h>
  int main(int argc, char **argv) {
      char cat[] = "cat ";
      char *command;
      size_t commandLength;
      if (argc != 2) return 1;
      commandLength = strlen(cat) + strlen(argv[1]) + 1;
      command = (char *) malloc(commandLength);
      if (command == NULL) return 1;
      strncpy(command, cat, commandLength);
      strncat(command, argv[1], (commandLength - strlen(cat)));
      system(command);   /* unsanitized argv[1] is handed to the shell: command injection */
      free(command);
      return (0);
  }
- Ensure robust update mechanisms utilize cryptographically signed firmware images for updating functions.
- Do not hard code secrets such as passwords, usernames, tokens, private keys or similar variants into firmware images.
- Dispose and securely wipe sensitive information stored in buffers or temporary files during runtime after they are no longer needed (e.g. Wipe buffers from locations where personal identifiable information is stored before releasing the buffers)
- Trim Busybox and similar embedded frameworks down to only the libraries and functions that are actually used (e.g. remove unused languages such as Perl and services such as Telnet and FTP).
- Validate that all debugging and pre-production code has been removed prior to firmware deployment. This includes potential backdoor code and accounts left behind in the ODM's code base. [2]
- Ensure all methods of communication are utilizing industry standard encryption configurations for TLS.
- Limit collection, storage, and sharing of personal identifiable information (PII) to items that are only required for operation.
- Ensure the kernel, software packages and third party libraries utilized in embedded images are updated to prevent exploitation through known publicly available exploits (e.g. RomPager [3], UPnP [4]).
This list was created based upon community feedback discussed here [5].
Draft - The items below are subject to change
Introduction
Release Notes
Risk Involved
Top 10
E1 – Memory Protections
E2 – Injection
E3 – Firmware Updates and Cryptographic Signatures
E4 – Secrets and Keys
E5 – Disposal of Temporary Files and Buffers
E6 – Embedded Framework Hardening
E7 – Debug Code and Interfaces
E8 – Transport Layer Security
E9 – Data collection and Storage
E10 – Components and Third Party Code
Note on Hardware
Get Involved
- Angr [6]
- Firmadyne [7]
- Firmwalker [8]
- Binary Analysis [9]
- Flaw Finder [10]
- IDA Pro (supports ARM / MIPS)
- Radare2 [11]
- GDB
- Binwalk [12]
- Firmware-mod-toolkit [13]
- Capstone framework [14]
- Shikra [15]
- JTagulator [16]
- UART cables
- JTAG Adapters (JLINK)
- BusPirate
- BusBlaster
- CPLDs (in lieu of FPGAs)
- Oscilloscopes
- Multimeter (Ammeter, Voltmeter, etc)
- Logic Analyzers for SPI [17]
- OpenOCD
- GreatFET [18]
2016-2017 Roadmap
- Curate a list of embedded secure coding best practices.
- Create a Top 10 Embedded Application Security list.
- Participate in PR-related activities to involve the embedded community at large.
Feel free to join the mailing list and contact the Project leader if you feel you can contribute.