Is there extra security testing that should be done when working with embedded software systems?
My answer is a qualified “no.” Recent SCADA vulnerabilities and exploits (including Stuxnet) have given designers of embedded and other automation control systems cause for concern about system security. Measured against the security testing that has evidently been performed to date, the answer is an emphatic “yes”: embedded developers have clearly missed security vulnerabilities in their operating systems and in their applications. But is there more security testing to perform than for, say, a full computing platform such as Windows? Probably not. The gap is in how little of that testing has been done, not in what needs doing.
Delivering a secure embedded application has three parts. First, understand the security environment in which your application runs, and be able to supply best-practice and other hardening guidance for it. Second, as a developer, ensure your application still functions once that environment has been hardened. Third, perform security testing throughout the application and its development, not only at the end.
Embedded security is hard to cover in a single “Ask the Expert” column, simply because embedded environments differ so much from one another. The strategy, though, is simple: become very familiar with the industry standards for locking down your environment. Understand the core security-analysis and penetration techniques used to harden and assess an environment, and put them into practice in the embedded one. Understand how role-based access control works on your platform, and be confident in your application’s use of user roles. Be intimately familiar with networking and other potential vulnerabilities and how to compensate for them. Finally, keep up with the ongoing security vulnerabilities in the platform and make sure your test environments are locked down accordingly.
The next critical step is functional testing of your application in the hardened configuration. Functional testing confirms that the application behaves as expected after the embedded environment has been fully hardened: verify that user roles, authentication and networking all work per specification once the manufacturer’s hardening steps have been followed, and double-check install and uninstall scenarios (especially in environments where administrative roles are defined), since hardening often removes permissions an installer silently assumed.
Once application functionality is confirmed, start penetration testing. The testing is much the same as you would perform against a web or OS application on a general-purpose computer: check for the standard vulnerability classes, do file-manipulation and fuzz testing of every input the application parses, test network interaction, and so forth. Look for impersonation vulnerabilities and for any path to elevated privilege. Where your application exposes sensitive system information or configuration, ensure appropriate controls exist in the application itself to protect them, rather than relying on the platform alone.
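As an added illustration of the file-manipulation and fuzz-testing step, here is a small C harness written for this page; it is example code, not part of the column or of any vendor’s product. It assumes a hypothetical firmware configuration parser that reads `key=value` lines into fixed-size buffers, shows the unsafe version beside the bounds-checked one, and runs a deterministic mutation fuzzer that catches out-of-bounds writes with guard bytes placed around the output structure. The names (`parse_kv_line`, `parse_kv_line_unsafe`, `fuzz_parser`, `KEY_MAX`, `VAL_MAX`), the buffer sizes and the seed line are all assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical embedded config record, "key=value", kept in fixed buffers
 * as firmware commonly does. Names and sizes are assumptions for this example. */
#define KEY_MAX 16
#define VAL_MAX 32

typedef struct {
    char key[KEY_MAX];
    char val[VAL_MAX];
} kv_t;

typedef int (*kv_parser_fn)(const char *line, size_t len, kv_t *out);

/* "Before": trusts the caller-supplied length and uses strcpy. Kept so the
 * harness can be pointed at it on a disposable target; the guard bytes (or a
 * crash) will expose the overflow. Do not ship this. */
int parse_kv_line_unsafe(const char *line, size_t len, kv_t *out)
{
    char tmp[KEY_MAX + VAL_MAX];
    memcpy(tmp, line, len);        /* overflows tmp when len >= sizeof tmp */
    tmp[len] = '\0';
    char *eq = strchr(tmp, '=');
    if (!eq)
        return -1;
    *eq = '\0';
    strcpy(out->key, tmp);         /* overflows key for long keys */
    strcpy(out->val, eq + 1);      /* overflows val for long values */
    return 0;
}

/* "After": every length is checked before any write, and control bytes are
 * rejected so the result is always a clean C string. Returns 0 = ok, -1 = reject. */
int parse_kv_line(const char *line, size_t len, kv_t *out)
{
    const char *eq = memchr(line, '=', len);
    if (!eq)
        return -1;
    size_t klen = (size_t)(eq - line);
    size_t vlen = len - klen - 1;
    if (klen == 0 || klen >= KEY_MAX || vlen >= VAL_MAX)
        return -1;
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)line[i] < 0x20 || line[i] == 0x7f)
            return -1;
    memcpy(out->key, line, klen);
    out->key[klen] = '\0';
    memcpy(out->val, eq + 1, vlen);
    out->val[vlen] = '\0';
    return 0;
}

/* Deterministic LCG so a failing run can be reproduced on the target. */
static uint32_t rng_state = 12345u;
static uint32_t rng(void)
{
    rng_state = rng_state * 1664525u + 1013904223u;
    return rng_state >> 8;
}

/* Copy the seed into buf (at most cap bytes) and apply one random mutation. */
static size_t mutate(const char *seed, size_t seed_len, char *buf, size_t cap)
{
    size_t n = seed_len < cap ? seed_len : cap;
    memcpy(buf, seed, n);
    switch (rng() % 4) {
    case 0: /* flip one bit */
        if (n) buf[rng() % n] ^= (char)(1u << (rng() % 8));
        break;
    case 1: /* drop one byte */
        if (n) { size_t i = rng() % n; memmove(buf + i, buf + i + 1, n - i - 1); n--; }
        break;
    case 2: /* insert one arbitrary byte */
        if (n < cap) { size_t i = rng() % (n + 1); memmove(buf + i + 1, buf + i, n - i); buf[i] = (char)rng(); n++; }
        break;
    default: /* grow the line to probe length handling */
        for (size_t add = rng() % 200; add && n < cap; add--, n++)
            buf[n] = n ? buf[rng() % n] : 'A';
        break;
    }
    return n;
}

/* Fuzz `parse` for `iters` iterations. Returns the number of invariant
 * violations seen: a write outside the kv_t (guard bytes changed) or an
 * accepted result whose strings are not NUL-terminated within their buffers. */
int fuzz_parser(kv_parser_fn parse, const char *seed, int iters)
{
    struct { char pre[8]; kv_t kv; char post[8]; } g;   /* guard bytes around the output */
    char buf[256];
    int violations = 0;
    rng_state = 12345u;                                  /* reproducible run */
    for (int i = 0; i < iters; i++) {
        memset(&g, 0xAA, sizeof g);
        size_t n = mutate(seed, strlen(seed), buf, sizeof buf);
        int rc = parse(buf, n, &g.kv);
        for (int j = 0; j < 8; j++)
            if (g.pre[j] != (char)0xAA || g.post[j] != (char)0xAA)
                violations++;
        if (rc == 0 && (memchr(g.kv.key, 0, KEY_MAX) == NULL || memchr(g.kv.val, 0, VAL_MAX) == NULL))
            violations++;
    }
    return violations;
}

/* Convenience check: parse one line with the hardened parser and compare. */
int parse_matches(const char *line, const char *key, const char *val)
{
    kv_t kv;
    return parse_kv_line(line, strlen(line), &kv) == 0
        && strcmp(kv.key, key) == 0 && strcmp(kv.val, val) == 0;
}
```

The harness is meant to run against the hardened parser in the locked-down test environment; pointing `fuzz_parser` at `parse_kv_line_unsafe` shows what a real finding looks like, but do that only on a target where a crash is acceptable, and on a host build compile with AddressSanitizer so the overflow is reported rather than silently corrupting the stack.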
This was first published in June 2011