Figure 1: Typical block diagram of an embedded system. (Courtesy of National Instruments) | Source: https://semiengineering.com/m2m-and-the-internet-of-things/ |
Overview
Many have presumed that embedded operating systems are not prime targets for attackers. This assumption means that security is often not treated as an urgent concern in embedded designs. Several embedded engineers are not yet fully aware of just how the software they put together could be taken advantage of. These assumptions often rest on out-of-date theories and a belief in security through obscurity.
A Mere Hyperbole
We regularly read and hear about cyber-attacks carried out against governments. Cyber-attacks are carried out by individuals or groups, and their motives are wide-ranging: thrill-seeking, economic, military, or political. Moreover, these attacks just keep on coming. Together with high-profile hacks, they have woken businesses from a deep slumber and made them acknowledge that their belief was unfounded: embedded systems are not impervious to cyber-attacks.
Whether or not it is mere hyperbole, it cannot be denied that we now live in a world of interconnected things, whether they are connected by electromagnetic waves or by cables. People interact through an assortment of gadgets and devices that in turn interact with other devices. All of these are here to stay. Findings forecast that in 2020 and the coming years, the number of connected devices will grow to 50 - 60 billion. This growth is by no means the result of an expected increase in the human population, but rather of the unprecedented increase in interconnected devices and machines. These come on top of vital infrastructure and operational technologies such as those found in telecommunications, transport systems, and on the production floor.
Aggressive attacks on embedded systems could result in wide-ranging damage to vital infrastructure. This includes private and public utilities such as power generation, telecommunications, transportation, water, waste control systems, and the oil and gas industries.
Figure 2: Major application areas of embedded systems | Source: https://www.semanticscholar.org/ |
So far there has been no shortage of investment in cybersecurity, from training and procedures to numerous technological innovations. Sadly, those efforts have generally been focused on adding security at the perimeter and on stepping up detection systems. Out of the resulting confusion has come a mounting consensus that software systems need more security, and that security needs to be built into the fabric of all software systems. The development process itself must improve in order to improve security. It is of no use to put a stronger lock on a door if the windows are left open!
The US Department of Homeland Security says, “Software Assurance has become so critical because of the dramatic increases in business and mission risks that are now known to be attributable to exploitable software.”
In particular, as software is reused and interfaced with other applications in new environments, the dangers multiply and unintended side effects are introduced. The number of susceptible targets also rises. As a result, the risk of exposure is escalating rapidly and is poorly understood. Tackling this crucial problem does not necessarily mean that an organization must build and employ new security procedures, nor does it imply that current security measures such as encryption algorithms are unsuccessful. It only means that the software system needs to close its vulnerable gaps.
Security Is A Process
Best practice is often taken to mean that a well-organized, repeatable, and continuously security-focused development process must be created, so that every security measure is integrated into the software design and programming process.
In a setting where security is deemed a requirement, as it always is in key industries, it is often considered best to address it by incorporating security features such as encryption and password protection. Otherwise, software development does not put much emphasis on application security. Many organizations provide few, if any, systems and tools to help software developers create software that is inherently free of vulnerabilities. A software security perspective does not only cover protective, post-implementation procedures; it also addresses the need to specify, design, and implement the application so that the attack surface, or more specifically the degree of exposure of its weaknesses, is substantially reduced.
Embedded devices run by software make for smarter products with new attributes and capabilities. Many experts expect more industries to adopt the IoT (Internet of Things). Industries will need software technologies for their smart interconnected devices more than ever. With the ever-increasing demand for software systems and the need to keep pace with fast-changing business and shopper trends, software developers are under a lot of pressure. This leads to the writing and reuse of more dynamic code than ever before, in order to provide the latest and far better features and to accomplish it all in a much safer and faster way.
The Embedded Operating Systems’ Challenges
Developers have long been concerned with the quality of the software they create, and have put in place processes to detect and eliminate the flaws that adversely affect quality. However, many organizations have not yet implemented policies to guarantee the security of that software, because fixing issues is both costly and difficult in a deployed embedded environment. Both quality and security problems matter, especially in the early stages of development. Compared with their counterparts who develop software for traditional devices such as computers and smartphones, embedded developers have many more variables to consider.
Figure 3: Structure of embedded operating system | Source: https://www.electronicsforu.com/ |
Embedded developers face the unique and near-impossible challenge of acquiring deep knowledge and expertise in a varied mix of operating systems, platforms, languages, and I/O interfaces. They routinely work on diverse platforms, each of which might manage data storage devices and memory in an entirely different way. In contrast, traditional developers work on a smaller number of platforms, which allows them to become more familiar with particular security concerns, including the areas where common software vulnerabilities can occur and how they can be prevented. So many platforms are launched regularly that it is almost impossible for embedded developers to know the susceptibilities of every OS/interface and language/platform combination.
Difficulties in Producing Secure Software, for Security Is Not A Priority
While most organizations make quality part of the discussion, security is routinely neglected. The stark reality is that until security becomes a priority, it will be relegated to the back burner behind the two most obvious items on developers’ agendas, namely features and deadlines. Security is rarely treated as a “well-thought-out” feature or requirement; it is hardly ever talked about until a predicament results. Also, whenever a security issue threatens a deadline, it can be expected to be set aside.
When thinking about security, almost all software engineers and programmers dwell on things such as cryptographic algorithms and code, access control tools, and passwords. But every component and every element of a software application that needs security must be safeguarded, not just the components that explicitly focus on security. In fact, in many cases security vulnerabilities and their exploitation are not associated with security features at all. In a study conducted by NIST (National Institute of Standards and Technology), 64 percent of software vulnerabilities result from programming errors.
Likewise, according to the CWE (Common Weakness Enumeration) database, the leading security vulnerability in embedded systems is connected to memory buffer overflows, which occur when a program reads from or writes to a location beyond the bounds of a memory buffer. This may not come as a surprise to C or C++ developers, as it is well known that these languages provide no built-in protection against accessing or overwriting data in any part of memory. Nor do they automatically check that data written to an array is within the bounds of that array. With this in mind, no amount of data encryption can safeguard against the exploitation of memory buffer overflows.
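The unchecked write described above, next to a bounds-checked version, as an added example that is not part of the original article. The frame format, the `device` struct and the function names are hypothetical; a single flat array stands in for adjacent memory so that the overwrite is well-defined and can be observed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 16
/* One flat array models device RAM so the overflow is well-defined here:
 * bytes 0..15 are the payload buffer, byte 16 is an adjacent "unlocked"
 * flag. Layout and frame format ([len][payload...]) are hypothetical. */
struct device { uint8_t ram[PAYLOAD_MAX + 1]; };
#define UNLOCKED(d) ((d)->ram[PAYLOAD_MAX])
typedef int (*parser_fn)(struct device *, const uint8_t *, size_t);

/* Vulnerable: trusts the sender's length byte; C adds no check of its own. */
int parse_frame_unchecked(struct device *d, const uint8_t *frame, size_t n)
{
    if (n < 1) return -1;
    memcpy(d->ram, frame + 1, frame[0]);  /* no bounds check at all */
    return frame[0];
}

/* Hardened: validate the length against destination and source sizes. */
int parse_frame_checked(struct device *d, const uint8_t *frame, size_t n)
{
    if (n < 1) return -1;
    size_t len = frame[0];
    if (len > PAYLOAD_MAX) return -1;     /* would overflow the buffer */
    if (len > n - 1) return -1;           /* would read past the frame */
    memcpy(d->ram, frame + 1, len);
    return (int)len;
}

/* Feeds a constructed frame claiming PAYLOAD_MAX + 1 bytes; returns the flag. */
int flag_after_oversized_frame(parser_fn parse)
{
    struct device d;
    uint8_t frame[1 + PAYLOAD_MAX + 1];
    memset(&d, 0, sizeof d);
    memset(frame, 0x01, sizeof frame);    /* constructed payload bytes */
    frame[0] = PAYLOAD_MAX + 1;           /* one byte more than fits */
    (void)parse(&d, frame, sizeof frame);
    return UNLOCKED(&d);
}

int main(void)
{
    printf("unchecked: flag=%d\n", flag_after_oversized_frame(parse_frame_unchecked));
    printf("checked:   flag=%d\n", flag_after_oversized_frame(parse_frame_checked));
    return 0;
}
```

The payload never has to be decrypted or authenticated for the flag to change, which is why encryption alone does not address this class of defect.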
Typically, software quality assurance efforts are not justified on security grounds. While it is true that high quality can reduce security flaws attributable to defects, traditional software quality assurance does not address deliberate malicious behavior at all. Guaranteeing software security means ensuring that it cannot be purposely undermined or forced to fail; in short, software that stays reliable even in the face of deliberate attempts to compromise that reliability.
Conclusion
Improving and ensuring the security of embedded operating system applications requires more than just adding security features. With ever larger and more complex code bases, software developers cannot depend on manual inspection and code review alone. It depends strongly on adopting tools and methods that remove weaknesses created during programming. Secure coding standards offer objective and uniform practices and policies centered on proven best practices and years of security research.