Embedded Security Woes: Part 1
What are the coming woes as the embedded world is increasingly linked to public networks like the Internet?
If your friend told you about a set of computers that were joining the Internet for the first time and may have security issues, you'd think you'd joined some Life on Mars episode set in 1993, when PC's, both Windows and Mac, were added to the Internet.
Not so! Let's discuss the security challenges that many embedded architectures have. As a prerequisite, you need to read any and all of the articles that Dr. McGraw has on application security (especially,"Getting past the bug parade"). Seth Fogies blogs on SCADA are another great source of information.
I can't do any better than the many issues with C & C++ coding that Gary McGraw outlines for us. It is a difficult syntax and a difficult time coding clearly. It does have several archiac, yet widely used functions, functions that create buffer overflow types of conditions.
It is also the preferred language for most embedded device development.
Therefore, as the world is filled with embedded and mobile devices, expect worm attacks if important basics aren't done. These basics include everything from giving developers security software training to enforcing mandatory Architecture reviews and decompositions. As the Informit Blogosphere points out consistently, chosing something other than strcpy is just part of the battle. Simplistic session IDs will undo all your work with 'correct' functions.
But Architectural Decompositions takes time and, well, Money; two vital things often unavailable with a low-cost wireless router whose shelf-life is 6 months before winding up in the bargain bin at your local retailer. Afterall, would you spend thousands of dollars to improve the safety and security of a disposable lighter?
I would if the same lighter's flaws would cause my automobile to stall in the middle of freeway traffic.
More information is coming at time permits. See you then.