OWASP Embedded Application Security
Revision as of 02:41, 4 January 2017 by Aaron.guzman (→OWASP Embedded Application Security Project)
The Working Document can be found here (Google Docs) https://docs.google.com/document/d/1NxpVCeiglY1wHhmw7U-e9jnHgd-jQI-Y6sbdeKzUpQE/edit?usp=sharing
Draft: the items below are subject to change.
Introduction
Release Notes
Risk Involved
Top 10
E1 – Memory Protections
E2 – Injection
E3 – Firmware Updates and Cryptographic Signatures
E4 – Secrets and Keys
E5 – Disposal of Temporary Files and Buffers
E6 – Embedded Framework Hardening
E7 – Debug Code and Interfaces
E8 – Transport Layer Security
E9 – Data collection and Storage
E10 – Components and Third Party Code
Note on Hardware
Get Involved
- Angr [1]
- Firmadyne [2]
- Firmwalker [3]
- Binary Analysis [4]
- Flaw Finder [5]
- IDA Pro (supports ARM / MIPS)
- Radare2 [6]
- GDB
- Binwalk [7]
- Firmware-mod-toolkit [8]
- Capstone framework [9]
- Shikra [10]
- JTagulator [11]
- UART cables
- JTAG Adapters (JLINK)
- BusPirate
- BusBlaster
- CPLDs (in lieu of FPGAs)
- Oscilloscopes
- Multimeter (Ammeter, Voltmeter, etc.)
- Logic Analyzers for SPI [12]
- OpenOCD
- GreatFET [13]
2016-2017 Roadmap
- Curate a list of embedded secure coding best practices.
- Create a Top 10 Embedded Application Security list.
- Participate in PR-related activities to involve the embedded community at large.
- Contribute to ASVS with embedded security principles.
Feel free to join the mailing list and contact the Project leader if you feel you can contribute.