Riscure True Code

True Code helps development teams efficiently deliver secure code by automating vulnerability identification in the SDLC and DevSecOps process. True Code enables natural collaboration between security evaluators and the development team to discover vulnerabilities as early as possible and resolve issues with better efficiency to make the shift to the left. Leveraging years of experience in connected device security in many industries to prevent hacks that bring down customer trust, cause revenue loss and costly mitigations after the product release.

Find vulnerabilities in embedded software earlier with True Code Static code checks and Dynamic Fault Injection simulation and Fuzzing.

True Code is explicitly designed for analyzing embedded code closely connected to the hardware it is intended to run on.

True Code is highly flexible, allowing users to define and customize test scenarios based on their specific needs and requirements.

True Code Highlights

Why we started it?

​The size of software running on devices is constantly growing, which makes manual testing impractical. The attack surface for a potential hacker is getting larger (because of the larger codebase), so the likelihood of future exploits increases and, therefore, developers need to address the requirement for more testing. At the same time, general-purpose code checking tools often do not provide meaningful data. It is sometimes difficult to identify serious issues from minor coding errors. Meanwhile, research indicates that addressing a vulnerability during production can be over 100 times more expensive than identifying it during the design phase. To address these challenges, provide actionable security data and highlight serious security vulnerabilities specifically for embedded software, we developed Riscure True Code, a software testing solution for automating vulnerability identification in the SDLC and DevSecOps processes.

Automating security evaluation

Comprehensive automation capabilities

True Code will automatically check for vulnerabilities that are hard to prevent and find for a development team.

Integration

Embed code security check-up into your existing workflow.

Unique security insights

Obtain vulnerability data that no other tool offers.

Actionable data

Ensure response to security vulnerabilities from the development team during the design phase.

Static Analysis

Our Static Analysis module is a White Box testing method that provides all the logical static checks that can help you efficiently make the shift to the left. Especially for embedded software, we extended the list of static checks with all the checks that the Riscure Lab has developed over the last 2 decades: the Fault Injection sensitive checks are specific for situations where the software meets the hardware. Those can be performed with function-level granularity. It is fully compatible with code written in C.

 

 

Dynamic Analysis

Dynamic Analysis is a testing method that we use to provide actionable feedback and the precise location in the C code where a security vulnerability exists. We use two methods to check for vulnerabilities at runtime:

Fault Injection simulation

This method simulates fault injections in the target architecture (Risc-V, Arm, or bespoke RTL) and discovers undesired behavior.

Fuzzing

This method increases robustness of your code by exhausting potential inputs to the functions, potentially leading to security breaches and crashes. Therefore it discovers unexpected behavior at runtime in vulnerable interfaces.

 

 

Collaboration

We enable a natural collaboration between security evaluators and the development team during the entire development process. 

The collaboration feature helps your team to easily track, organize and resolve those findings in a timely manner. The result is reduced development time and certification costs.

 

Mitigation assistance

Mitigation of the security risk should be part of any development process. For the embedded software development process it is especially important to comply with the standards.
We assist developers in the manual review of source code, by using different mitigation techniques, which help them identify the most critical lines:
• Control flow
• Data flow
• Attack path identification

In this way, developers get direct feedback on the code and can quickly start with the mitigating actions.

 

 

DevSecOps

Finding security vulnerabilities and issues during the development phase and immediately resolving them can be up to 100 times cheaper compared to doing the same later in the process. We bring this promise of shifting to the left within reach through tight integration in the SDLC, sharing discovered vulnerabilities instantly with all team members.

 

 

True code datasheet

Riscure True Code 2023.1 Release

New feature: Benchmarks

We completely redesigned packaging of fuzzing and fault injection simulation in the form of benchmarks. The redesign integrates the dynamic analysis
into a typical development workflow, enabling continuous monitoring of security vulnerabilities in C projects.

Hardware abstraction for FI Simulation

In this release you will find a new hardware abstraction layer (HAL) to enable custom mock implementations of memory-mapped devices. Using the HAL instead of source code stubbing, you can simulate code that directly accesses hardware addresses without modifications to source code.

Server API

The new True Code API server allows you to setup a central space for these diagnostic on your network. With the server, we release Java, Python, and Javascript clients to enable custom integration of True Code’s diagnostics into your ticket system or to script reporting, even on workstations or servers that do not have the True Code toolchain installed.

True Code for automotive

The ISO/SAE 21434 heavily emphasizes risk identification methods and establishes processes to address security risks. Automotive Safety Integrity Level (ASIL) is used for the classification of the hazards. The distinction between unintended (safety) risks and intended (security) risks has not been made in this standard. It goes without saying that vehicles cannot truly be safe if they are not also secure.

Modern vehicles can have up to 100 Electronic Control Units (ECUs in them depending on their class, make, and model, with the number of ECUs rising even higher in the case of electric vehicles. Each ECU has embedded software running on them. Mitigation of the security risk should be part of the embedded software development process to comply with the standards.

Managing cyber security risks in Automotive is done with Threat Analysis and Risk Assessment (TARA). In this model, the threats are identified and mitigating actions are determined. With True Code, you will have a complete implementation for the development and test phase in the TARA model. From static and fault injection code checks to fault injection simulation and Fuzzing at runtime.

True Code for IoT

Connected IoT devices comprise many parts from different manufacturers. This creates a complex ecosystem of manufacturers and suppliers that need to prove the robustness and the hardening of security vulnerabilities of their products. Although security guidelines like SESIP and PSA Certified are helping to address the IoT security challenge, it is not nearly enough to protect these devices against malicious intentions. IoT devices are inexpensive, accessible, and can be physically tampered with, making them an easy target for hackers.

From that perspective, it makes sense to make sure that the embedded software running on that device has no vulnerabilities. Measures are taken with secure elements, asymmetric keys, and digital certificates, but it is also important to make sure that glitches in the hardware do not result in code being skipped and therefore undo the countermeasures.

True Code does specific embedded software and firmware code checks to make sure that the code is not vulnerable to hardware Fault Injection. By simulating fault injection on the target architecture the behavior of the software at runtime is tested and feedback is supplied to take mitigating actions. Interfaces can be tested at runtime by using our automated Fuzzing. All these checks are automated in the development and DevOps process to make sure that the complete code base is checked and regression testing is done each time when new code is submitted.

Request a free trial

Feel free to contact us anytime at inforequest@riscure.com or fill out the form below.

Get in touch with us

Feel free to contact us anytime at inforequest@riscure.com or fill out the form below.

By checking this box you agree to process your data according to Riscure's privacy policy:
Check this box to also subscribe to our monthly newsletter:

Riscure Academy

Actionable and indispensable knowledge of security in Embedded Systems and IoT devices. Training on hardware and software security in a classroom setting, online or hosted in your own knowledge program.

Embedded Code Review

Code reviews are an essential part of the software development process. This is particularly relevant for embedded code, as it adds another layer of complexity – the code interface with the hardware. Discover our Embedded Code Review Service.

Support Portal

Tutorials, manuals, FAQ, release notes, software updates, issue tracking and much more can be found on our support portal. Please sign up and login at: https://support.riscure.com/

An annual user workshop

We organize an annual user workshop where we present the latest developments in side channel analysis and fault injection testing and provide practical tips. The User Workshop is free of charge. Learn more about last years: https://www.riscure.com/riscure-workshop-2022/

Dedicated support

We have a full-time support team to help with any issues you might face while doing your work. Our skilled people will try to get you back on track as fast as possible.

For technical assistance call +31 (0) 15251 4090 or visit our support portal.