Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development
By David Kleidermacher, Mike Kleidermacher
- Publisher: Newnes
- Year: 2012
- Language: English
- Pages: 404
- Edition: 1
- Category: Library
Synopsis
The ultimate resource for making embedded systems reliable, safe, and secure
Embedded Systems Security provides:
- A broad understanding of security principles, concerns, and technologies
- Proven techniques for the efficient development of safe and secure embedded software
- A study of the system architectures, operating systems and hypervisors, networking, storage, and cryptographic issues that must be considered when designing secure embedded systems
- Nuggets of practical advice and numerous case studies throughout
Written by leading authorities in the field with 65 years of embedded security experience: one of the original developers of the world's only Common Criteria EAL 6+ security certified software product and a lead designer of NSA certified cryptographic systems.
This book is indispensable for embedded systems and security professionals, new and experienced.
An important contribution to the understanding of the security of embedded systems. The Kleidermachers are experts in their field. As the Internet of things becomes reality, this book helps business and technology management as well as engineers understand the importance of "security from scratch." This book, with its examples and key points, can help bring more secure, robust systems to the market.
- Dr. Joerg Borchert, Vice President, Chip Card & Security, Infineon Technologies North America Corp.; President and Chairman, Trusted Computing Group
Embedded Systems Security provides real-world examples of risk and exploitation; most importantly the book offers clear insight into methods used to counter vulnerabilities to build true, native security into technology.
- Adriel Desautels, President and CTO, Netragard, LLC.
Security of embedded systems is more important than ever. The growth in networking is just one reason. However, many embedded systems developers have insufficient knowledge of how to achieve security in their systems. David Kleidermacher, a world-renowned expert in this field, shares in this book his knowledge and long experience with other engineers. A very important book at the right time.
- Prof. Dr.-Ing. Matthias Sturm, Leipzig University of Applied Sciences; Chairman, Embedded World Conference steering board
Table of Contents
Front Matter
Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development
Copyright
Foreword
Preface
About this Book
Audience
Organization
Approach
Acknowledgements
Chapter 1: Introduction to Embedded Systems Security
1.1 What is Security?
1.2 What is an Embedded System?
1.3 Embedded Security Trends
1.3.1 Embedded Systems Complexity
1.3.1.1 Case Study: Embedded Linux
1.3.1.1.1 Linux in Government Systems
1.3.1.1.2 Linux Rate of Change
1.3.1.1.3 CVE-2009-2692: An Illustration of a Total Loss of Security
1.3.1.1.4 Case Study Wrap-Up
1.3.2 Network Connectivity
1.3.3 Reliance on Embedded Systems for Critical Infrastructure
1.3.4 Sophisticated Attackers
1.3.5 Processor Consolidation
1.4 Security Policies
1.4.1 Perfect Security
1.4.2 Confidentiality, Integrity, and Availability
1.4.3 Isolation
1.4.4 Information Flow Control
1.4.5 Physical Security Policies
1.4.6 Application-Specific Policies
1.5 Security Threats
1.5.1 Case Study: VxWorks Debug Port Vulnerability
1.6 Wrap-up
1.7 Key Points
1.8 Bibliography and Notes
Chapter 2: Systems Software Considerations
2.1 The Role of the Operating System
2.2 Multiple Independent Levels of Security
2.2.1 Information Flow
2.2.2 Data Isolation
2.2.3 Damage Limitation
2.2.4 Periods Processing
2.2.5 Always Invoked
2.2.6 Tamper Proof
2.2.7 Evaluable
2.3 Microkernel versus Monolith
2.3.1 Case Study: The Duqu Virus
2.4 Core Embedded Operating System Security Requirements
2.4.1 Memory Protection
2.4.2 Virtual Memory
2.4.2.1 Guard Pages
2.4.2.2 Location Obfuscation
2.4.3 Fault Recovery
2.4.4 Guaranteed Resources
2.4.5 Virtual Device Drivers
2.4.6 Impact of Determinism
2.4.7 Secure Scheduling
2.5 Access Control and Capabilities
2.5.1 Case Study: Secure Web Browser
2.5.2 Granularity versus Simplicity of Access Controls
2.5.3 Whitelists versus Blacklists
2.5.4 Confused Deputy Problem
2.5.5 Capabilities versus Access Control Lists
2.5.5.1 Case Study: MLS Resource Manager
2.5.6 Capability Confinement and Revocation
2.5.7 Secure Design Using Capabilities
2.6 Hypervisors and System Virtualization
2.6.1 Introduction to System Virtualization
2.6.2 Applications of System Virtualization
2.6.3 Environment Sandboxing
2.6.4 Virtual Security Appliances
2.6.5 Hypervisor Architectures
2.6.5.1 Monolithic Hypervisor
2.6.5.2 Console Guest Hypervisor
2.6.5.3 Microkernel-based Hypervisor
2.6.6 Paravirtualization
2.6.7 Leveraging Hardware Assists for Virtualization
2.6.7.1 ARM TrustZone
2.6.8 Hypervisor Security
2.6.8.1 SubVirt
2.6.8.2 Blue Pill
2.6.8.3 Ormandy
2.6.8.4 Xen Owning Trilogy
2.6.8.5 VMware's Security Certification and Subsequent Vulnerability Postings
2.7 I/O Virtualization
2.7.1 The Need for Shared I/O
2.7.2 Emulation
2.7.3 Pass-through
2.7.4 Shared IOMMU
2.7.5 IOMMUs and Virtual Device Drivers
2.7.6 Secure I/O Virtualization within Microkernels
2.8 Remote Management
2.8.1 Security Implications
2.9 Assuring Integrity of the TCB
2.9.1 Trusted Hardware and Supply Chain
2.9.2 Secure Boot
2.9.3 Static versus Dynamic Root of Trust
2.9.4 Remote Attestation
2.10 Key Points
2.11 Bibliography and Notes
Chapter 3: Secure Embedded Software Development
3.1 Introduction to PHASE (Principles of High-Assurance Software Engineering)
3.2 Minimal Implementation
3.3 Component Architecture
3.3.1 Runtime Componentization
3.3.2 A Note on Processes versus Threads
3.4 Least Privilege
3.5 Secure Development Process
3.5.1 Change Management
3.5.2 Peer Reviews
3.5.2.1 Security-Oriented Peer Review
3.5.3 Development Tool Security
3.5.3.1 Case Study: The Thompson Hack
3.5.4 Secure Coding
3.5.4.1 Coding Standards
3.5.4.2 Case Study: MISRA C:2004 and MISRA C++:2008
- Rule 7.1: Octal constants (other than zero) and octal escape sequences shall not be used.
- Rule 8.1: Functions shall have prototype declarations and the prototype shall be visible at both the function definition ...
- Rule 8.9: An identifier with external linkage shall have exactly one external definition.
- Rule 8.11: The static storage class specifier shall be used in definitions and declarations of objects and functions that ...
- Rule 16.2: Functions shall not call themselves, either directly or indirectly.
- Rule 9-3-2: Member functions shall not return non-const handles to class data.
3.5.4.3 Embedded C++
3.5.4.4 Complexity Control
3.5.4.5 Static Source Code Analysis
3.5.4.5.1 Limiting False Positives
3.5.4.5.2 Case Study: Open Source Internet Security Applications
3.5.4.5.2.1 Output of a Static Source Code Analyzer
3.5.4.5.2.2 Potential NULL Pointer Access
3.5.4.5.2.3 Buffer Underflow
3.5.4.5.2.4 Resource Leak
3.5.4.5.3 Which Static Analyzer Should an Organization Use?
3.5.4.6 Creating a Tailored Organizational Embedded Coding Standard
3.5.4.7 Preparing for a One-Time Retrofit Cost
3.5.4.8 Allowing for Management-Approved Exceptions to Reduce Regressions
3.5.4.9 Language Standards Are Never Perfect
3.5.4.10 Case Study: Green Hills Standard Mode
3.5.4.11 Importance of Management Resolve
3.5.4.12 Case Study: Netrino Embedded C Coding Standard
3.5.4.13 Dynamic Code Analysis
3.5.4.13.1 Buffer Overflow
3.5.4.13.2 Assignment Bounds
3.5.4.13.3 Missing Case
3.5.4.13.4 Stack Overflow
3.5.4.13.5 Memory Leaks
3.5.4.13.6 Other Dynamic Memory Allocation Errors
3.5.5 Software Testing and Verification
3.5.5.1 Modified Condition/Decision Coverage
3.5.6 Development Process Efficiency
3.6 Independent Expert Validation
3.6.1 Common Criteria
3.6.2 Case Study: Operating System Protection Profiles
3.6.2.1 Configuration Management
3.6.2.2 Functional Specification
3.6.2.3 Assurance Leveling
3.7 Case Study: HAWS (High-Assurance Web Server)
3.7.1 Minimal Implementation
3.7.2 Component Architecture
3.7.3 Least Privilege
3.7.4 Secure Development Process
3.7.5 Independent Expert Validation
3.8 Model-Driven Design
3.8.1 Introduction to MDD
3.8.1.1 Trends Driving Adoption of MDD
3.8.1.2 What Is MDD?
3.8.1.3 The Potential Benefits of MDD
3.8.2 Executable Models
3.8.2.1 Formally Verifiable Executable Models
3.8.3 Modeling Languages
3.8.3.1 The Unified Modeling Language
3.8.3.2 The System Modeling Language
3.8.3.3 Executable UML
3.8.4 Types of MDD Platforms
3.8.5 Case Study: A Digital Pathology Scanner
3.8.5.1 Algorithm Development
3.8.5.2 Motion Control and Dynamic System Modeling
3.8.5.3 Supervisory Machine Control Layer Software
3.8.6 Selecting an MDD Platform
3.8.6.1 Examples of Commercial MDD Platforms
3.8.6.1.1 Analytical Software Design Platform
3.8.6.1.2 IBM Rational Rhapsody
3.8.6.1.3 Mentor Graphics Bridge Point
3.8.6.1.4 SCADE Suite
3.8.6.2 MDD Platform Choice Is Strategic
3.8.6.3 Skills
3.8.6.4 Impact on Existing Work Flows
3.8.6.5 Interfacing with Legacy Code and Off-the-Shelf Software
3.8.6.6 Code Generation
3.8.6.7 Runtime Execution Speed
3.8.6.8 Runtime System Requirements
3.8.7 Using MDD in Safety- and Security-Critical Systems
3.9 Key Points
3.10 Bibliography and Notes
Chapter 4: Embedded Cryptography
4.1 Introduction
4.2 U.S. Government Cryptographic Guidance
4.2.1 NSA Suite B
4.3 The One-Time Pad
4.3.1 Cryptographic Synchronization
4.4 Cryptographic Modes
4.4.1 Output Feedback
4.4.2 Cipher Feedback
4.4.3 OFB with CFB Protection
4.4.4 Traffic Flow Security
4.4.5 Counter Mode
4.5 Block Ciphers
4.5.1 Additional Cryptographic Block Cipher Modes
4.6 Authenticated Encryption
4.6.1 CCM
4.6.2 Galois Counter Mode
4.7 Public Key Cryptography
4.7.1 RSA
4.7.2 Equivalent Key Strength
4.7.3 Trapdoor Construction
4.8 Key Agreement
4.8.1 Man-in-the-Middle Attack on Diffie-Hellman
4.9 Public Key Authentication
4.9.1 Certificate Types
4.9.1.1 Custom Certificate Approaches for Embedded Systems
4.10 Elliptic Curve Cryptography
4.10.1 Elliptic Curve Digital Signatures
4.10.2 Elliptic Curve Anonymous Key Agreement
4.11 Cryptographic Hashes
4.11.1 Secure Hash Algorithm
4.11.2 MMO
4.12 Message Authentication Codes
4.13 Random Number Generation
4.13.1 True Random Number Generation
4.13.1.1 Case Study: Ring Oscillator-based Randomizer
4.13.2 Pseudo-Random Number Generation
4.13.2.1 NIST Special Publication 800-90
4.13.2.1.1 HMAC_DRBG
4.13.2.1.2 CTR_DRBG
4.14 Key Management for Embedded Systems
4.14.1 Case Study: The Walker Spy Case
4.14.2 Key Management: Generalized Model
(1) Registration
(2) Key Generation
(3) Key Distribution
(4) Key Change
(5) Key Destruction
(6) Key Protection
(7) Key Revocation
4.14.3 Key Management Case Studies
4.14.3.1 Case Study: Secure Wireless Push-to-Talk Radio Network
4.14.3.1.1 Option One: Load a Common Red TEK into Each Radio at a Key Load Facility
4.14.3.1.2 Option Two: Load a Black Key in the Field
4.14.3.1.3 Option Three: Key Load Using Public Key Cryptography
4.14.3.1.4 Option Four: Over-the-Air Rekey Capability
4.14.3.2 Case Study: Generalized Phone Communications
4.14.3.2.1 Cryptographic Subsystem Embedment Options
4.14.3.2.1.1 Option One: Cryptographic Subsystem Embedded within the End Instrument
4.14.3.2.1.2 Option Two: Bump-on-the-Line (Attached to End Instrument)
4.14.3.2.1.3 Option Three: Bump-on-the-Handset
4.14.3.2.2 Key Management Options
4.14.3.2.2.1 Option One: Pre-Load a Common TEK to All Instruments
4.14.3.2.2.2 Option Two: Use Public Key Exchange to Derive a Session Key
4.14.3.2.3 Addressing Protection
4.14.3.2.3.1 Option One: Bulk Encryption between Trunk End Points
4.14.3.2.3.2 Option Two: Local Protection of Addresses
4.15 Cryptographic Certifications
4.15.1 FIPS 140-2 Certification
4.15.1.1 FIPS 140-2 Standard
4.15.1.2 FIPS 140-3
4.15.2 NSA Certification
4.15.2.1 Cryptographic Product Classification
4.15.2.2 Cryptographic Requirements for Type 1 Devices
4.15.2.3 NSA's Cryptographic Interoperability Strategy
4.15.2.3.1 OTS for SECRET
4.15.2.3.2 COTS for SECRET
4.16 Key Points
4.17 Bibliography and Notes
Chapter 5: Data Protection Protocols for Embedded Systems
5.1 Introduction
5.2 Data-in-Motion Protocols
5.2.1 Generalized Model
5.2.1.1 Point-to-Point
5.2.1.2 Point-to-Multipoint
5.2.2 Choosing the Network Layer for Security
5.2.3 Ethernet Security Protocols
5.2.3.1 802.1X
5.2.3.2 802.11i
5.2.3.3 WPA2
5.2.3.4 802.1AE
5.2.4 IPsec versus SSL
5.2.5 IPsec
5.2.5.1 Integrated versus Bump-in-the-Stack
5.2.5.2 IPsec RFCs
5.2.5.3 IKE
5.2.5.4 IPsec Hardware Offload
5.2.5.4.1 Flow-through versus Lookaside
5.2.5.5 IPsec for Very Low Power Devices
5.2.5.6 HAIPE
5.2.6 SSL/TLS
5.2.6.1 OpenSSL
5.2.6.2 GnuTLS
5.2.7 Embedded VPN Clients
5.2.7.1 Openswan and Racoon2
5.2.7.2 OpenVPN
5.2.8 DTLS
5.2.9 SSH
5.2.9.1 Additional Protocols Based on SSH
5.2.9.2 OpenSSH
5.2.10 Custom Network Security Protocols
5.2.10.1 Traffic Flow Confidentiality
5.2.11 Application of Cryptography within Network Security Protocols
5.2.11.1 NSA Suite B Guidance
5.2.12 Secure Multimedia Protocols
5.2.12.1 Signaling Protocols
5.2.12.2 Multimedia Transport Protocols
5.2.12.2.1 SRTP
5.2.12.2.2 DTLS-SRTP
5.2.13 Broadcast Security
5.2.13.1 Single TEK
5.2.13.2 Group TEKs
5.2.13.3 Single KEK
5.2.13.4 KEK Per Receiver
5.2.13.5 Single KEK with Group TEKs
5.3 Data-at-Rest Protocols
5.3.1 Choosing the Storage Layer for Security
5.3.2 Symmetric Encryption Algorithm Selection
5.3.2.1 Tweakable Ciphers
5.3.2.2 XTS-AES
5.3.3 Managing the Storage Encryption Key
5.3.3.1 Generating the Storage Encryption Key
5.3.3.2 Remote Key Provisioning
5.3.3.3 Key Escrow
5.3.4 Advanced Threats to Data Encryption Solutions
5.4 Key Points
5.5 Bibliography and Notes
Chapter 6: Emerging Applications
6.1 Embedded Network Transactions
6.1.1 Anatomy of a Network Transaction
6.1.2 State of Insecurity
6.1.3 Network-based Transaction Threats
6.1.3.1 Man-in-the-Middle and/or Eavesdropping
6.1.3.2 Phishing and Other Social Engineering Attacks
6.1.3.3 Malware Attacks
6.1.3.4 Web Application Attacks
6.1.3.5 Pharming Attacks
6.1.3.6 Combinations of Attacks
6.1.4 Modern Attempts to Improve Network Transaction Security
6.1.4.1 Anti-malware
6.1.4.2 Secure Browsers
6.1.4.3 Two-Factor Authentication
6.1.4.4 Network Access Control
6.1.4.5 Secondary Device Verification
6.1.4.6 Zone Trusted Information Channel
6.1.4.7 Virtualized Web Client
6.1.4.8 Summary: Modern Approaches to Transaction Security
6.1.5 Trustworthy Embedded Transaction Architecture
6.1.5.1 Communications Proxy
6.1.5.2 Transaction Verifier
6.1.5.3 Cryptosystem and PKI Policy Enforcement
6.2 Automotive Security
6.2.1 Vehicular Security Threats and Mitigations
6.2.1.1 Local-Physical
6.2.1.2 Remote
6.2.1.3 Internal-Electronic
6.3 Secure Android
6.3.1 Android Security Retrospective
6.3.2 Android Device Rooting
6.3.3 Mobile Phone Data Protection: A Case Study of Defense-in-Depth
6.3.4 Android Sandboxing Approaches
6.3.4.1 Separate Hardware
6.3.4.2 Multi-Boot
6.3.4.3 Webtop
6.3.4.4 Mobile Device Management Encrypted Containers
6.3.4.5 Remoting
6.3.4.6 Type-2 Hypervisor
6.3.4.7 Sandboxes Built on Sand
6.3.4.8 Type-1 Hypervisor
6.3.4.9 Physical Security
6.4 Next-Generation Software-Defined Radio
6.4.1 Red-Black Separation
6.4.2 Software-Defined Radio Architecture
6.4.3 Enter Linux
6.4.4 Multi-Domain Radio
6.5 Key Points
6.6 Bibliography and Notes
Index