
Difference between revisions of "OWASP Embedded Application Security"

Line 1: Line 1:
= Main =
 
 
<div style="width:100%;height:105px;border:0,margin:0;overflow: hidden;">[[Image:Low activity.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Low_Activity_Projects]] </div>
 
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
 
==OWASP Embedded Application Security Project==
 
 
Each year, the number of enterprise and consumer devices with embedded software are on the rise. Given the publicity with IoT and more devices becoming network connected, it is crucial that guidelines form OWASP on embedded software should be created. Embedded Application Security is not often a high priority for embedded devices such as Routers, Managed Switches, IoT devices, and even ATM Kiosks. There are many challenges in the embedded field including ODM supply chain, limited memory, a small stack, and the challenge of pushing firmware updates securely to an endpoint.
 
The goal of this project is to identify the risks in embedded applications on a generalized list of devices, create a list of best practices, draw on the resources that OWASP already has, and bring OWASP expertise to the embedded world.
 
 
 
==Licensing==
 
The OWASP Embedded Application Security Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
 
 
== What is the OWASP Embedded Application Security Project? ==
 
 
The OWASP Embedded Application Security Project provides:
 
 
* Items here
 
 
== Project Leaders ==
 
 
* Aaron Guzman
 
 
 
== Related Projects ==
 
 
* [[OWASP_Project|OWASP Project Repository]]
 
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
 
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
 
* [[OWASP_.NET_Project|OWASP .NET]]
 
* [[Java|OWASP Java and JVM]]
 
* [[C/C++|OWASP C/C++]]
 
 
| valign="top"  style="padding-left:25px;width:200px;" |
 
 
 
 
==Classifications==
 
 
  {| width="200" cellpadding="2"
 
  |-
 
  | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
 
  | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] 
 
  |-
 
  | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
 
  |-
 
  | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 
  |-
 
  |}
 
 
= Embedded Testing Tools =
 
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
 
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
 
== Embedded Testing Tools ==
 
 
Provide security testing guidance for Embedded Devices:
 
 
{| border="1" class="wikitable" style="text-align: left"
 
! Section
 
!
 
|-
 
|
 
Device Firmware Vulnerabilties
 
|
 
* Hardcoded credentials
 
* Sensitive information disclosure
 
* Sensitive URL disclosure
 
* Encryption keys
 
* Backdoor accounts
 
* Vulnerable services (web, ssh, tftp, etc.)
 
|-
 
|
 
Device Firmware Guidance and Instruction
 
|
 
* Firmware file analysis
 
* Firmware extraction
 
* Dynamic binary analysis
 
* Static binary analysis
 
* Static code analysis
 
* Firmware emulation
 
* File system analysis
 
|-
 
|
 
Device Firmware Tools
 
|
 
* [https://github.com/craigz28/firmwalker Firmwalker]
 
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
 
* [https://github.com/angr/angr Angr binary analysis framework]
 
* [http://binwalk.org/ Binwalk firmware analysis tool]
 
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
 
|- 
 
|}
 
 
 
 
== What is the Firmware Analysis Project? ==
 
 
The Firmware Analysis Project provides:
 
 
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
 
* Steps for extracting file systems from various firmware files
 
* Guidance on searching a file systems for sensitive of interesting data
 
* Information on static analysis of firmware contents
 
* Information on dynamic analysis of emulated services (e.g. web admin interface)
 
* Testing tool links
 
* A site for pulling together existing information on firmware analysis
 
 
 
 
== Related Projects ==
 
 
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
 
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
 
 
== Email List ==
 
[mailto:[email protected] Mailing List]
 
 
== Resources ==
 
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis]
 
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
 
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
 
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
 
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
 
 
 
== Related Projects ==
 
 
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
 
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
 
 
== Email List ==
 
[mailto:[email protected] Mailing List]
 
 
 
== Project Leaders ==
 
 
 
== Related Projects ==
 
 
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
 
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
 
 
== Email List ==
 
[mailto:[email protected] Mailing List]
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
=Project About=
 
=Project About=
  
 
{{Template:Project About
 
{{Template:Project About
 
| project_name =OWASP Embedded Application Security
 
| project_name =OWASP Embedded Application Security
| project_description =  
+
| project_description = Each year, the number of enterprise and consumer devices with embedded software are on the rise. Given the publicity with IoT and more devices becoming network connected, it is crucial that guidelines form OWASP on embedded software should be created. Embedded Application Security is not often a high priority for embedded devices such as Routers, Managed Switches, IoT devices, and even ATM Kiosks. There are many challenges in the embedded field including ODM supply chain, limited memory, a small stack, and the challenge of pushing firmware updates securely to an endpoint.
 +
The goal of this project is to identify the risks in embedded applications on a generalized list of devices, create a list of best practices, draw on the resources that OWASP already has, and bring OWASP expertise to the embedded world.
 
| project_license =
 
| project_license =
 
| leader_name1 = Aaron Guzman
 
| leader_name1 = Aaron Guzman
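Review bot: project_license is left empty in this hunk even though the Licensing section earlier in the same hunk names the Creative Commons Attribution-ShareAlike 3.0 license, and the rendered Project About box for this revision shows "License: N/A". Fill project_license with that license in the same edit so the licensing statement is not lost from the page. The added project_description line also carries two wording errors that should be fixed before they propagate into the template output: "the number of ... devices ... are on the rise" (should be "is") and "guidelines form OWASP" (should be "from").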
Line 183: Line 18:
 
| contributor_email2 =  
 
| contributor_email2 =  
 
| contributor_username2 =
 
| contributor_username2 =
| mailing_list_name =  
+
| mailing_list_name = [mailto:[email protected] Mailing List]
 
| links_url1 =  
 
| links_url1 =  
 
| links_name1 =
 
| links_name1 =
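Review bot: the added mailing_list_name value is a complete "[mailto:... Mailing List]" link placed in a field whose name asks for a list name, and the rendered box for this revision shows "Mailing list: [Mailing List Mailing List Archives]", which suggests the template wraps the value in its own link markup. Put only the bare list name in mailing_list_name and check the rendered Project About box, so that readers get a working link to the list.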
Line 190: Line 25:
 
}}   
 
}}   
  
 +
== Related Projects ==
  
 
+
* [[OWASP_Internet_of_Things_Project|OWASP Internet of Things Project]]
 
+
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
 
 
 
 
  
 
__NOTOC__ <headertabs />
 
__NOTOC__ <headertabs />
  
 
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]
 
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]
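Review bot: the unchanged category line at the end of this hunk still tags the page with OWASP_Release_Quality_Document and OWASP_Download, while the rendered Project About box for this revision reports "Not Yet Published" and "Not Yet Reviewed". Drop or replace those two categories in the same edit, since a reader browsing the release-quality category would be led to a project with no published release. The new "== Related Projects ==" list is fine as a pointer to the Internet of Things project, but note that it no longer links the OWASP Top Ten project that the earlier Related Projects lists carried; restore it if that omission was not intended.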

Revision as of 19:25, 18 July 2016

Project About

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Embedded Application Security
Purpose: Each year, the number of enterprise and consumer devices with embedded software is on the rise. Given the publicity around IoT and more devices becoming network connected, it is crucial that OWASP create guidelines on embedded software. Embedded Application Security is not often a high priority for embedded devices such as routers, managed switches, IoT devices, and even ATM kiosks. There are many challenges in the embedded field, including the ODM supply chain, limited memory, a small stack, and the challenge of pushing firmware updates securely to an endpoint.

The goal of this project is to identify the risks in embedded applications on a generalized list of devices, create a list of best practices, draw on the resources that OWASP already has, and bring OWASP expertise to the embedded world.

License: N/A
who is working on this project?
Project Leader(s):
  • Aaron Guzman @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: [Mailing List Mailing List Archives]
Project Roadmap: Not Yet Created
Key Contacts
  • Contact Aaron Guzman @ to contribute to this project
  • Contact Aaron Guzman @ to review or sponsor this project
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases

Related Projects