Software Security in Embedded Systems and Internet of Things
What You Need to Know About Software Safety and Security in Embedded Systems
Technology is booming more than ever, and every day brings new products and functionality for every imaginable task. It is not just about mobile apps and computers anymore; embedded systems and Internet-of-Things (IoT) devices have quickly become commonplace in our day-to-day lives.
It feels like these devices are running software for just about everything: baby monitors, speakers, fitness trackers, security cameras, thermostats, and vehicles to name just a few.
Regarding this new world, architect, MIT professor, and author Nicholas Negroponte stated, “Like air and drinking water, being digital will be noticed only by its absence, not its presence.” To Negroponte’s point, we have become surrounded by digital technology, and we don’t even notice it until it is absent or — I might add — becomes a safety or security issue.
An IoT device is an embedded system with network connectivity: a processor, sensors or actuators, and firmware that talks to the internet or to other devices. An embedded system more generally is a processor with a dedicated function inside a larger digital, mechanical, or electrical system. That covers the firmware in an IoT device, the electronic control units (ECUs) in a car, robots, credit card readers, mobile phones, gadgets, networking equipment, medical devices, and just about anything else with a chip in it.
Why C and C++ Are Important for Embedded Systems Software Safety and Security
Due to size and cost limits, the software in embedded systems works with tight budgets for processing, memory, and power. That need for lean code is why C and C++ dominate embedded development, just as C is the language of the Linux kernel running most of the servers in the cloud. C++ costs more in code size and runtime than C, but the availability of more capable microcontrollers has made it the language of choice for millions of embedded systems around the world.
Other programming languages such as Python are used in embedded systems, but C and C++ remain the predominant choice. There is also Embedded C++ (EC++), a subset of C++ that drops features such as exceptions, run-time type information, templates, and multiple inheritance to gain code-size and speed efficiency while keeping the core of the full language. Every major microcontroller vendor ships a C/C++ toolchain for its parts, which makes it easy to start coding for embedded targets.
Coding for embedded systems is unlike any other kind of application work. You have resource limits, and you have to design for fault tolerance, real-time behavior, reliability, and, for the most part, no downtime. More importantly, the code must be safe and secure. Think about how critical embedded systems and IoT devices are in the healthcare and pharma industries, or in automotive and aerospace. The absence of this technology would be noticed, but a device that is unsafe or insecure is a critical issue in its own right.
Why Static Analysis Is Important for Embedded Systems Software Safety and Security
One of the most important tools for ensuring that source code does not contain flaws that could become vulnerabilities and exploits is static analysis. Also known as static application security testing (SAST), static analysis examines an application's source code without running it, including code for embedded systems and IoT devices. The scan looks for specific classes of flaw based on the programming language and framework in use. Static analysis tools such as Perforce Helix QAC and Klocwork also report on compliance with coding standards.
Static analysis tools let development and security teams analyze thousands or even millions of lines of code. They look for flaws in the code and enforce coding standards through rules and policies. Most importantly, they have become an indispensable part of the software development life cycle: a step run over the source on a regular basis, on every change where the build pipeline allows it, and at the very least before a new release is issued.
As embedded systems and IoT surround us, the importance of safety and security grows, especially for mission-critical functionality across industries. Finding a safety or security flaw in static analysis, before the design goes to manufacturing, can prevent mass production of a defective device and save money and companies' reputations.
Security in embedded devices is about reducing the number and the severity of vulnerabilities: the more severe the vulnerability, the higher the risk of a critical exploit. Some vulnerability classes occur in all software regardless of where it runs, remote code execution and, in a device's web management interface, cross-site scripting among them. In embedded systems and IoT devices, however, most findings relate to memory buffer overflows, resource leaks, improper access control, cryptographic issues, and code injection. These are among the most common embedded security weaknesses reported by static analysis scans. One caveat a practitioner should keep in mind: static analysis reasons about the source without executing it, so flaws that only surface at runtime (timing, concurrency, interaction with the hardware) still need dynamic testing and fuzzing alongside it.
Why Coding Standards Are Important for Embedded Systems Safety and Security
As mentioned above, C and C++ dominate embedded development. Over the years, organizations have recognized the importance of safety and security in all code, and especially in C and C++ on embedded devices, where the cost of failure can be more than just financial. Coding standards have been created and refined over time to raise the security, portability, reliability, and maintainability of the software. Static analysis, in addition to searching for flaws and vulnerabilities in the source code, can also check the rules and recommendations stated in those standards, which is particularly useful for organizations that need to demonstrate compliance with industry standards. Common coding standards for embedded systems include MISRA C and MISRA C++, the AUTOSAR C++14 guidelines, and the CERT C and C++ Secure Coding Standards.
There are also functional safety (FuSa) standards for embedded systems in different industries, such as ISO 26262 for road vehicles, IEC 61508 as the generic basis most of the others derive from, and ISO 13849 and IEC 62061 for machinery. ISO/SAE 21434, often listed alongside them, is the automotive cybersecurity engineering standard rather than a safety standard; in practice compliance with it is demonstrated together with ISO 26262.
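The vulnerability classes listed earlier (buffer overflow, resource leak) and the coding-standard rules that target them, as an added example that is not code from the original article or from any Perforce product: a firmware-style handler for a hypothetical length-prefixed command frame, written first the way a static analyzer would flag it, then hardened. The frame layout, the `struct command` type, the function names and the sample frames are assumptions made for this illustration; the CWE, CERT C and MISRA C:2012 rule identifiers in the comments are the real ones.

```c
/*
 * Added example, not code from the original article or from any Perforce
 * product. Hypothetical command frame layout assumed for this demo:
 *   byte 0       : command id
 *   byte 1       : payload length N
 *   bytes 2..N+1 : payload
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAYLOAD 16

struct command {
    uint8_t id;
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
};

/* VULNERABLE. The length byte arrives from the wire and is never compared
 * with sizeof payload, so a frame claiming len > 16 writes past the end of
 * the struct (CWE-120; CERT ARR30-C) and reads past the end of the frame.
 * The heap block is not released on the early-return path (CWE-401;
 * CERT MEM31-C), and using the heap at all violates MISRA C:2012 Rule 21.3. */
static int parse_command_unsafe(const uint8_t *frame, size_t frame_len,
                                struct command *out)
{
    struct command *tmp = malloc(sizeof *tmp);
    if (tmp == NULL) {
        return -1;
    }
    if (frame_len < 2) {
        return -1;                             /* tmp leaks here */
    }
    tmp->id  = frame[0];
    tmp->len = frame[1];
    memcpy(tmp->payload, frame + 2, tmp->len); /* unbounded copy */
    *out = *tmp;
    free(tmp);
    return 0;
}

/* HARDENED. Every length is validated against both the buffer being read
 * and the buffer being written, no heap is used, and the function has a
 * single exit (MISRA C:2012 Rule 15.5). Rejected frames leave *out untouched. */
static int parse_command_safe(const uint8_t *frame, size_t frame_len,
                              struct command *out)
{
    int rc = -1;

    if ((frame != NULL) && (out != NULL) && (frame_len >= 2U)) {
        const uint8_t len = frame[1];
        /* len <= MAX_PAYLOAD bounds the write; len + 2 <= frame_len bounds the read */
        if ((len <= MAX_PAYLOAD) && (((size_t)len + 2U) <= frame_len)) {
            out->id  = frame[0];
            out->len = len;
            (void)memset(out->payload, 0, sizeof out->payload);
            (void)memcpy(out->payload, &frame[2], len);
            rc = 0;
        }
    }
    return rc;
}

/* Constructed sample frames for the demo (not captured from a real device). */
static const uint8_t good_frame[]  = { 0x01, 0x03, 'o', 'n', '!' };
static const uint8_t bad_frame[]   = { 0x01, 0xFF, 'x' };  /* claims 255 bytes */
static const uint8_t short_frame[] = { 0x01 };              /* no length byte */

/* Parses good_frame with the hardened parser; returns the payload length (3)
 * when id and payload came through intact, -1 otherwise. */
static int demo_good_frame(void)
{
    struct command cmd;
    (void)memset(&cmd, 0, sizeof cmd);
    if (parse_command_safe(good_frame, sizeof good_frame, &cmd) != 0) {
        return -1;
    }
    if ((cmd.id != 0x01) || (memcmp(cmd.payload, "on!", 3) != 0)) {
        return -1;
    }
    return cmd.len;
}

/* Host-side demo; printf is outside the MISRA-profile code above. The unsafe
 * parser is deliberately never fed bad_frame: that call is the overflow. */
int main(void)
{
    struct command cmd;
    printf("safe/good   -> %d, payload len %d\n",
           parse_command_safe(good_frame, sizeof good_frame, &cmd), demo_good_frame());
    printf("safe/bad    -> %d (claims %d bytes, max %d)\n",
           parse_command_safe(bad_frame, sizeof bad_frame, &cmd), bad_frame[1], MAX_PAYLOAD);
    printf("safe/short  -> %d (no length byte)\n",
           parse_command_safe(short_frame, sizeof short_frame, &cmd));
    printf("unsafe/good -> %d (passes, which is why tests alone miss the bug)\n",
           parse_command_unsafe(good_frame, sizeof good_frame, &cmd));
    return 0;
}
```

The unsafe version passes every well-formed test input, which is exactly why the bug survives functional testing and why a static rule such as ARR30-C or MEM31-C, checked on every commit, catches it earlier than a crash in the field would.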
Coding embedded systems with care, following coding standards, and making static analysis part of the software development life cycle will make our digital world safer and more secure. As Negroponte put it, being digital "will be noticed only by its absence", and, one might add, when its safety or security fails.
If you would like to experience first-hand why thousands of developers rely on Perforce static analysis tools, register for a free trial today.