Unique properties of embedded code
Embedded code in hardware, also known as firmware, is code that is permanently stored in a device’s non-volatile memory, such as ROM or flash memory. This code is executed by the device’s processor or microcontroller and is responsible for controlling the device’s functions and behavior.
The key difference between embedded code and other software is that it is specifically designed to run on a particular hardware platform, and is often tightly integrated with the device’s hardware. This means that embedded code can take advantage of specific hardware features and optimizations, and can be optimized for performance and power consumption.
Another important difference is that embedded code is often more constrained in terms of available resources than traditional software running on a general-purpose computer. This means that embedded code must be carefully optimized to minimize memory usage and execution time, while still providing the necessary functionality.
Finally, embedded code is typically more difficult to update or modify than traditional software, as it is often stored in non-volatile memory and cannot be easily changed or overwritten. Firmware updates typically require specialized tools and procedures and must be carefully tested to ensure compatibility with the device’s hardware and existing software.
Why conduct a Code Review?
Improving code quality:
Code reviews help catch mistakes and identify potential issues before they become bigger problems. They ensure that the code is consistent, readable, and maintainable.
Identifying security vulnerabilities:
Code reviews can help identify security vulnerabilities before they are exploited. Reviewers can identify potential security issues and suggest ways to mitigate them. Furthermore, code reviews are used to narrow down areas of interest to perform fault injection and side-channel analysis, making the penetration test more efficient, saving time and money, and delivering more accurate results.
Hardware dependency:
Embedded code reviews require, in addition to software expertise, hardware expertise. Failing to take the hardware architecture into account, exploitable vulnerabilities might be overlooked.
Ensuring compliance:
Code reviews can help ensure that the code adheres to established standards, guidelines, and regulations. They can also help identify areas where compliance may be lacking.
Benefits of conducting a code review with Riscure
Manual vs Automated code review
When it comes to the code review approach there are two main types: manual code reviews and assisted code reviews. Manual code reviews are performed by experts without the use of automated tools and tool. Assisted code reviews alternatively use software tools to automate or assist with the review process, such as static analysis tools or dynamic tools. An example of such tool is Riscure True Code. Ultimately, the choice between manual and automated code reviews depends on the needs of the project and the resources available. Both approaches can be effective, and many organizations use a combination of both to ensure thorough and accurate code reviews. The two approaches are usually complementary because no single approach can find every error.
Both manual and automated code reviews have their advantages and limitations. Here are some advantages of each type.
Advantages of manual code reviews:
- Human intelligence and experience: Manual code reviews rely on human intelligence and experience to identify potential issues, which can lead to more thorough and accurate reviews
- Contextual understanding: Manual code reviews allow reviewers to better understand the context of the code, which can lead to better insights and more accurate reviews. This is particularly relevant for market knowledge. Good examples are TEEs and payment.
- Flexibility: Manual code reviews can be tailored to the specific needs of the project and can be adapted as the project evolves.
- Validation of automated tools: Manual code reviews can be used to validate the results of automated tools. Reviewers can confirm that the tools have correctly identified issues and provide additional feedback or context that may have been missed by the tools.
Advantages of automated code reviews:
- Efficiency: Automated code reviews can be done quickly and efficiently, which can save time and resources.
- Consistency: Automated code reviews ensure that the same set of standards and rules are applied consistently across all code submissions, regardless of the developer. This helps to maintain a higher level of code quality.
- Scalability: Automated code reviews can be used to review large amounts of code, which can be difficult to do manually.
- Cost-effectiveness: Automated code reviews can reduce the cost of code reviews, as they require less time and fewer resources than manual code reviews. This can be particularly beneficial for smaller development teams or organizations with limited resources.
- Objectivity: Automated code reviews provide objective feedback based on predetermined rules and criteria, reducing the risk of bias or subjectivity. This can help to ensure that code reviews are fair and consistent.
- NOTE: automated code reviews are typically only as strong as the test configuration which the user applies, particularly for embedded code!
Fuzzing embedded code
Riscure offers a code review portfolio, which now also includes fuzzing for embedded code. Riscure experts have the relevant technology and market knowledge to mitigate all the before mentioned limitations. You can use our services as a subscription or as a one-time off.
Which types of bugs can be discovered through fuzzing?
|
|
- Advantages and limitations
- New fuzzing service by Riscure – is it for you?
- List of standards that recommend fuzzing
The rise of security regulations is compelling embedded software developers to carry out automated security tests on their products prior to shipping them. Consequently, various industries and ISO standards advise integrating automated fuzz testing into the development process, particularly in sectors that already have high standards of quality and security. ISO/SAE 21434 and UNECE WP.29 (UN R155 and UN R156), both of which focus on the security of automotive software, are good examples.
Fuzzing has great advantages. Fuzzing is a type of dynamic code analysis. Dynamic code analysis relies on studying how the code behaves during execution, in opposition to static code analysis where the study is done without executing any of the code. This means the code is being tested with random, invalid, and unexpected inputs. By generating numerous automated test cases every second and tracking the path taken by the inputs through the code, a fuzzing tool can obtain comprehensive information on the code coverage combined with the specific inputs used during the execution of the code. Fuzzing enables high code coverage, efficiently. Fuzzing does not have false positives and it provides inputs that can use to reproduce the identified bugs, which can be used not only to improve the code but also as a training opportunity for the developer and test teams.
Despite all the advantages, fuzzing also has its limitations. Fuzzing requires expertise at various levels – from the selection of the tool to its set-up and interpretation of test results. Not all fuzzing tools are the same; most fuzzing tools are not equipped to fuzz embedded code, as they do not take the hardware that the code runs on into account. This is a severe limitation, as the hardware can have a meaningful impact on the execution of the code; as a result, fuzzers not hardware aware may not detect certain bugs. Embedded code fuzzers are more challenging to configure and operate, due to the interface with the hardware layer. Expertise is also required to prioritize which parts of the code to fuzz, to monitor and adapt the tests based on the coverage progression, and to analyze the impact of the test results. Fuzzers report a high number of results; developer teams need market knowledge and experience to prioritize which bugs have a higher security impact and therefore, should be fixed with urgency.
Absolutely!
- If you need fuzzing to meet accreditation/compliance of a product (example: R155 / R156 / ISO 21434)
- If you do not have the time or expertise to do the configuration, installation of the fuzzing tool. In all cases of automated testing, Riscure will also provide the applied test configurations that delivered the results. This can allow customers who would opt to integrate such tooling into their development toolchain to do further regression testing themselves after having applied mitigations.
- If you do not have the expertise to perform the test and analyze the results
- If you wish to improve the skills of your team by using the expertise of a third party
- If you want a high-coverage code review
Below, there is a non-exhaustive list of standards and norms that recommend fuzzing:
Automotive
- ISO 26262: Road vehicles – Functional Safety
- ISO/SAE 21434: Road Vehicles — Cybersecurity Engineering
- UNECE WP.29 (UN R155 and UN R156): United Nations World Forum for Harmonization of Vehicle Regulations
Healthcare
- UL2900-1 and UL2900-2-1: Healthcare and Wellness Systems – Software Cybersecurity for
Network-Connectable Products
General
- ISA/IEC 62443-4-1: Secure Product Development Lifecycle Requirements
- ISO/IEC/IEEE 29119: Software and Systems Engineering – Software Testing
- ISO/IEC 12207: Systems and Software Engineering – Software Life Cycle Processes
- ISO 27001: Information Technology – Security Techniques – Information Security Management Systems
- ISO 22301: Security and Resilience — Business Continuity Management Systems
- NIST (National Institute of Standards and Technology) Special Publication 800-53: This publication provides a catalogue of security and privacy controls for federal information systems and organizations. It recommends the use of fuzz testing as a technique for identifying potential vulnerabilities in software.
- CERT Secure Coding Standards: The CERT Secure Coding Standards provide guidelines for developing secure software.
- CWE (Common Weakness Enumeration): CWE is a community-developed list of common software security weaknesses.
- NIST SP 800-53: NIST SP 800-53 is a set of security and privacy controls for federal information systems and organizations.
- ISO/IEC 29119 Software Testing Standard: This standard provides a comprehensive framework for software testing.
Fault Injection Simulation
Riscure is also enriching the code review portfolio with Fault Injection Simulation.
Examples of Fault Injection manipulation:
|
|
- Advantages and limitations
- New FI simulation service by Riscure – is it for you?
- List of standards with Fault Injection in scope
Fault injection (FI) is a security testing technique, which involves intentionally introducing flaws or faults into a system to evaluate its response. This method helps testers identify issues that might not be detectable through conventional testing approaches and evaluate the system’s capacity to handle errors and recover without crashing.
Fault injection testing is widely used in high-profile sectors such as payment and content protection, where strict security requirements are in place. In a typical fault injection attack, a device is manipulated to bypass its security mechanism, also known as ‘introducing a glitch.’ Fault injection is a hardware attack that exploits unsecure practices in software. Developers can employ Fault Injection testing to understand how their code will respond when confronted with a glitch, ideally allowing them to make design modifications before deploying their application into production.
Fault injection results are unpredictable and detecting them later in the design phase and or for certification or market acceptance (like type approval in automotive, or while the vehicle is already in the field) can be expensive, and impact the time-to-market. By simulating a code base for fault injection vulnerabilities, developers have the opportunity to identify them in an early stage and mitigate them.
Absolutely!
- If you plan to engage in a certification program that includes Fault Injection and want to reduce the risk of issues during the certification, by identifying problems during the development phase.
- If you do not have the time or expertise to do the configuration, installation of the FI tool. In all cases of automated testing, Riscure will also provide the applied test configurations that delivered the results. This can allow customers who would opt to integrate such tooling into their development toolchain to do further regression testing themselves after having applied mitigations.
- If you do not have the expertise to perform the test and analyze the results
- If you wish to improve the skills of your team by using the expertise of a third party
- If you want a high-coverage code review
Below, there is a non-exhaustive list of standards and norms that recommend fault injection:
- Common Criteria
- EMVCo
- FeliCa
- GSMA
- SESIP
- ARM PSA
- Global-Plarform
- Irdeto
- Nagra
- Verimatrix
- Viaccess-Orca
- Synamedia
- OTT Vendors: Netflix, Amazon
- Content creators: Movielabs
Riscure True Code
Find vulnerabilities in embedded software earlier with True Code Static code checks and Dynamic Fault Injection simulation and Fuzzing. Riscure True Code allows your team to integrate security testing from the beginning of the development process.