SlideShare a Scribd company logo

Securing embedded systems

Download as PPTX, PDF
aissa benyahya
aissa benyahya

security is something we don't like but we cant do without it, as embedded systems growing news vulnerabilities are shown, here is some powerful steps to secure an embedded system.

Technology
1 of 29
Securing Embedded System Realized by : Aissa Ben yahya
AGENDA What is Security ? What is an Embedded System ? Who are the attackers ? Physical attack Secure boot technique Security Requirements Security basics Steps to secure embedded system
WHAT IS SECURITY ? • Security is the ability of an entity to protect resources for which it bears protection responsibility. • Security, in information technology (IT), is the defense of digital information and IT assets against internal and external, malicious and accidental threats.
WHAT IS AN EMBEDDED SYSTEM ? An embedded system is an electronic product that contains a microprocessor (one or more) and software to perform some constituent function within a larger entity.
WHAT IS AN EMBEDDED SYSTEM ? • An embedded system is a controller programmed and controlled by a real-time operating system (RTOS) with a dedicated function within a larger mechanical or electrical system, often with real-time computing An embedded system on a plug-in card with processor, memory, power supply, and external interfaces constraints. • But how we define “Embedded” ? – Essentially, if you inherently know there’s a computer in there some place, but don’t see a keyboard, mouse, and monitor, it’s probably embedded
WHY EMBEDDED SYSTEM SECURITY? “September 2007, Israel jets bombed a suspected nuclear installation in northeastern Syria. Among the many mysteries still surrounding that strike was the failure of Syrian radar, supposedly state of the art, to warn the Syrian military of the incoming assault. It wasn’t long before military and technology bloggers concluded that this was an incident of electronic warfare and not just any kind. Post after post speculated that the commercial off the-shelf microprocessors in the Syrian radar might have been purposely fabricated with a hidden “backdoor” inside. By sending a preprogrammed code to those chips, an unknown antagonist had disrupted the chips’ function and temporarily blocked the radar” Source : IEEE spectrum, 2007.
WHY EMBEDDED SYSTEM SECURITY? • The Stuxnet worm is likely the first malware to directly target embedded process control systems. • Stuxnet infiltrated Siemens process control systems at nuclear plants by first subverting the Microsoft Windows workstations operators use to configure and monitor the embedded control electronics • SCADA networks are controlled by common PCs
WHO ARE THE ATTACKERS ? The attackers actually fall in three basic categories • Amateur hackers (Script kiddies) A script kiddie or “skiddie” is someone who lacks programming knowledge and uses existing software to lunch an attack. Often a script kiddie will use these programs without even knowing they work or what they do
WHO ARE THE ATTACKERS ? • Professional hackers Blackhat Like all hackers, black hat hackers usually have extensive knowledge about breaking into computer networks and bypassing security protocols. They are also responsible for writing malware, which is a method used to gain access to these systems.
WHO ARE THE ATTACKERS ? • Professional hackers Whitehats White hat hackers are choose to use their powers for good rather than evil. Also known as “ethical hackers white hat hackers can sometimes be paid employees or contractors working for companies as security specialists that attempt to find security holes via hacking
WHO ARE THE ATTACKERS ? • Professional hackers Grayhats As in life, there are gray areas that are neither black nor white. Gray hat hackers are a blend of both black hat and white hat activities.
WHO ARE THE ATTACKERS ? • State-sponsored hackers The state-sponsored hackers are typically black hat, they are paid by a government to find and obtain important informations
PHYSICAL ATTACK Physical access Physical Access is a Problem • Any time you allow physical access to a sensor, data processing or network communications equipment you open up security vulnerabilities • There are a number of physical attacks against computer platforms that simply can’t be done remotely – Ranging from simply unplugging power to sophisticated electromagnetic techniques such as Differential Power Analysis
PHYSICAL ATTACK • Direct physical access requires the attacker to access the device physically. However, the attacker might not need any privileges to access the service of the device • Techniques to thwart physical access include: – Adding anti-temper sensor – Placing the device in anti-temper case – Using special screws – Removing debugging interfaces • All of this can be defeated giving enough time – Assume that your device will be compromised sooner or later
PHYSICAL ATTACK Side-Channel Attack • A Side-Channel attack is any attack based on information gained from the physical implementation of a cryptosystem(embedded system).
PHYSICAL ATTACK Power Analyze Attack • attacker studies the power consumption of a cryptographic hardware device (such as a smart card, tamper-resistant "black box", or integrated circuit).
SECURE BOOT TECHNIQUES Firmware: For any device( printer, scanner, digital camera, etc.) to start running, It should have an initial program to run when it is powered up/booted. It is also called as bootstrap program, BIOS. It is mounted on ROM(a non-volatile memory, whose contents are permanent). Firmware locates the operating system's kernel and loads it into primary memory(RAM) at the time of startup. assembly or C/C++.
SECURE BOOT TECHNIQUES • There is typically a window of vulnerability for any system during the boot sequence – Fortunately, there are now techniques to address this • There are several approaches to ensuring that the computer boots with known-good software images – Most of this rely on the availability of security hardware such as smart card or trusted Platform Module (TPM)
SECURITY REQUIREMENTS • Confidentiality – This is probably one of the easiest characteristics of security to understand – The goal of confidentiality is simply that no unauthorized individuals can read the data you want protected – Confidentiality is often associated with privacy • But, we can achieve privacy without encryption
SECURITY REQUIREMENTS Integrity • verifies the correctness and ensures that stored and transmitted sensitive data is protected against corruption. • Integrity encompasses a couple of different concepts – System integrity – Message integrity • System integrity can be addressed initially by ensuring a secure boot cycle • Message integrity is a somewhat different matter – We need to concern ourselves that the message was delivered intact – And, we need to ensure that the message wasn’t modified
SECURITY REQUIREMENTS • Authentication – Authentication is the act of verifying a claim of identity . When John Doe goes into a bank to make a withdrawal, he tells the bank teller he is John Doe, a claim of identity, the bank teller asks to see a photo ID, so he hands the teller his driver’s license. The bank teller checks the license to make sure it has John Doe printed on it and compares the photograph on the license against the person claiming to be John Doe . If the photo and name match the person, then the teller has Authenticated that John Doe is who he claimed to be. Similarly, by entering the correct password, the user is providing evidence that he is the person the username belong to.
SECURITY REQUIREMENTS • Authentication – There are three different type of information that can be used for authentication • Something you know : things such as a PIN, Password • Something you have : such as a smart cart • Something you are : biometrics, fingerprints, voice prints – Strong authentication requires providing more than one type of authentication
SECURITY REQUIREMENTS • Authorization – after a person, program or computer has successfully been identified and authenticated then it must be determined what informational resources they are permitted to access and what actions they will be allowed to perform (run, view, create, delete, or change). This is called authorization. Authorization to access information and other computing services begins with administrative policies and procedures.
SECURITY BASICS • Disable services / exclude tools / minimize attack surface • Use writable storage only when you must • Regular updates, automatic updates! Signed updates • Mandatory access control (SELinux) • Increase complexity in system, increase level of efforts to secure it
STEPS TO SECURE EMBEDDED SYSTEM • Physical Security for Embedded Devices – Remove any debugging interfaces • Blow the e-fuses, if available, to prevent access to internal registers or storage – Place the unit in a tamper-resistant case • Use potting, special screws, etc. – Assume the device will be compromised physically
STEPS TO SECURE EMBEDDED SYSTEM • Data Security on Embedded Devices – Implement a secure boot mechanism – Eliminate all non-essential services and software – Periodic auditing of installed software – Monitor and install software updates for the system regularly – Two-factor authentication for accessing the system
STEPS TO SECURE EMBEDDED SYSTEM • Network Security – Know what devices are on your network • Periodically re-inventory to detect new devices – Implement IPv4 and IPv6 firewall policies – Plan for periodic updates to your networking equipment firmware – Close all non-essential ports and network services • can devices with tools like nmap, SATAN, SAINT, etc. – Use VPNs for extended-term communications link requirements – Consider hiring penetration testers periodically
CONCLUSION • “The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable”
THANKS FOR ATTENTION

Recommended

CH. 5 Computer Security and Safety, Ethics and Privacy
CH. 5 Computer Security and Safety, Ethics and PrivacyCH. 5 Computer Security and Safety, Ethics and Privacy
CH. 5 Computer Security and Safety, Ethics and Privacymalik1972
 
BAIT1003 Chapter 11
BAIT1003 Chapter 11BAIT1003 Chapter 11
BAIT1003 Chapter 11limsh
 
AXENT-Everything-IDS
AXENT-Everything-IDSAXENT-Everything-IDS
AXENT-Everything-IDSCondition Zebra (CONZebra)
 
Week 12
Week 12Week 12
Week 12Joey Pierce
 
network security lec2 ccns
network security lec2 ccnsnetwork security lec2 ccns
network security lec2 ccnsDanish Mahmood
 
Computer , Internet and physical security.
Computer , Internet and physical security.Computer , Internet and physical security.
Computer , Internet and physical security.Ankur Kumar
 
Basic Security Concepts of Computer
Basic Security Concepts of ComputerBasic Security Concepts of Computer
Basic Security Concepts of ComputerFaizan Janjua
 
The Perimeter Protection Issues, Technique and Operation
The Perimeter Protection Issues, Technique and OperationThe Perimeter Protection Issues, Technique and Operation
The Perimeter Protection Issues, Technique and OperationHafiza Abas
 

Recommended

CH. 5 Computer Security and Safety, Ethics and Privacy
CH. 5 Computer Security and Safety, Ethics and PrivacyCH. 5 Computer Security and Safety, Ethics and Privacy
CH. 5 Computer Security and Safety, Ethics and Privacymalik1972
 
BAIT1003 Chapter 11
BAIT1003 Chapter 11BAIT1003 Chapter 11
BAIT1003 Chapter 11limsh
 
AXENT-Everything-IDS
AXENT-Everything-IDSAXENT-Everything-IDS
AXENT-Everything-IDSCondition Zebra (CONZebra)
 
Week 12
Week 12Week 12
Week 12Joey Pierce
 
network security lec2 ccns
network security lec2 ccnsnetwork security lec2 ccns
network security lec2 ccnsDanish Mahmood
 
Computer , Internet and physical security.
Computer , Internet and physical security.Computer , Internet and physical security.
Computer , Internet and physical security.Ankur Kumar
 
Basic Security Concepts of Computer
Basic Security Concepts of ComputerBasic Security Concepts of Computer
Basic Security Concepts of ComputerFaizan Janjua
 
The Perimeter Protection Issues, Technique and Operation
The Perimeter Protection Issues, Technique and OperationThe Perimeter Protection Issues, Technique and Operation
The Perimeter Protection Issues, Technique and OperationHafiza Abas
 
Steve brueckner-atc-ny
Steve brueckner-atc-nySteve brueckner-atc-ny
Steve brueckner-atc-nyjcaire
 
Personal Data Protection
Personal Data ProtectionPersonal Data Protection
Personal Data ProtectionCreatorsCircle
 
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...Cellebrite
 
Unit v
Unit vUnit v
Unit vbharatnaruka90
 
06. security concept
06. security concept06. security concept
06. security conceptMuhammad Ahad
 
internet securityand cyber law Unit2
internet securityand cyber law Unit2internet securityand cyber law Unit2
internet securityand cyber law Unit2Royalzig Luxury Furniture
 
2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer Crimes2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer CrimesRaffa Learning Community
 
Computer security
Computer securityComputer security
Computer securityMahesh Singh Madai
 
Intrusion Systems
Intrusion SystemsIntrusion Systems
Intrusion Systemstamilarasan
 
Free Libre Open Source Software Development
Free Libre Open Source Software DevelopmentFree Libre Open Source Software Development
Free Libre Open Source Software DevelopmentFrederik Questier
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber securityGeevarghese Titus
 
The ways in which ict is used
The ways in which ict is usedThe ways in which ict is used
The ways in which ict is usedgracepm28
 
Basic security concepts_chapter_1
Basic security concepts_chapter_1Basic security concepts_chapter_1
Basic security concepts_chapter_1abdifatah said
 
Ce hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devicesCe hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devicesVi Tính Hoàng Nam
 
Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lectureZara Nawaz
 
Computer security: hackers and Viruses
Computer security: hackers and VirusesComputer security: hackers and Viruses
Computer security: hackers and VirusesWasif Ali Syed
 
CNIT 140: Perimeter Security
CNIT 140: Perimeter SecurityCNIT 140: Perimeter Security
CNIT 140: Perimeter SecuritySam Bowne
 
XBOSoft Mobile Security Webinar with Jon D. Hagar
XBOSoft Mobile Security Webinar with Jon D. HagarXBOSoft Mobile Security Webinar with Jon D. Hagar
XBOSoft Mobile Security Webinar with Jon D. HagarXBOSoft
 
Computer Security
Computer SecurityComputer Security
Computer SecurityGreater Noida Institute Of Technology
 
amrapali builders -- maroochy water-services-case-study briefing.pdf
amrapali builders -- maroochy water-services-case-study briefing.pdfamrapali builders -- maroochy water-services-case-study briefing.pdf
amrapali builders -- maroochy water-services-case-study briefing.pdfamrapalibuildersreviews
 
Development of security architecture
Development of security architectureDevelopment of security architecture
Development of security architectureImran Khan
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingKeith Brooks
 

More Related Content

What's hot

Steve brueckner-atc-ny
Steve brueckner-atc-nySteve brueckner-atc-ny
Steve brueckner-atc-nyjcaire
 
Personal Data Protection
Personal Data ProtectionPersonal Data Protection
Personal Data ProtectionCreatorsCircle
 
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...Cellebrite
 
06. security concept
06. security concept06. security concept
06. security conceptMuhammad Ahad
 
2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer Crimes2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer CrimesRaffa Learning Community
 
Intrusion Systems
Intrusion SystemsIntrusion Systems
Intrusion Systemstamilarasan
 
Free Libre Open Source Software Development
Free Libre Open Source Software DevelopmentFree Libre Open Source Software Development
Free Libre Open Source Software DevelopmentFrederik Questier
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber securityGeevarghese Titus
 
The ways in which ict is used
The ways in which ict is usedThe ways in which ict is used
The ways in which ict is usedgracepm28
 
Basic security concepts_chapter_1
Basic security concepts_chapter_1Basic security concepts_chapter_1
Basic security concepts_chapter_1abdifatah said
 
Ce hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devicesCe hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devicesVi Tính Hoàng Nam
 
Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lectureZara Nawaz
 
Computer security: hackers and Viruses
Computer security: hackers and VirusesComputer security: hackers and Viruses
Computer security: hackers and VirusesWasif Ali Syed
 
CNIT 140: Perimeter Security
CNIT 140: Perimeter SecurityCNIT 140: Perimeter Security
CNIT 140: Perimeter SecuritySam Bowne
 
XBOSoft Mobile Security Webinar with Jon D. Hagar
XBOSoft Mobile Security Webinar with Jon D. HagarXBOSoft Mobile Security Webinar with Jon D. Hagar
XBOSoft Mobile Security Webinar with Jon D. HagarXBOSoft
 
amrapali builders -- maroochy water-services-case-study briefing.pdf
amrapali builders -- maroochy water-services-case-study briefing.pdfamrapali builders -- maroochy water-services-case-study briefing.pdf
amrapali builders -- maroochy water-services-case-study briefing.pdfamrapalibuildersreviews
 

What's hot (20)

Steve brueckner-atc-ny
Steve brueckner-atc-nySteve brueckner-atc-ny
Steve brueckner-atc-ny
 
Personal Data Protection
Personal Data ProtectionPersonal Data Protection
Personal Data Protection
 
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: ...
 
Unit v
Unit vUnit v
Unit v
 
06. security concept
06. security concept06. security concept
06. security concept
 
internet securityand cyber law Unit2
internet securityand cyber law Unit2internet securityand cyber law Unit2
internet securityand cyber law Unit2
 
2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer Crimes2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer Crimes
 
Computer security
Computer securityComputer security
Computer security
 
Intrusion Systems
Intrusion SystemsIntrusion Systems
Intrusion Systems
 
Free Libre Open Source Software Development
Free Libre Open Source Software DevelopmentFree Libre Open Source Software Development
Free Libre Open Source Software Development
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber security
 
The ways in which ict is used
The ways in which ict is usedThe ways in which ict is used
The ways in which ict is used
 
Basic security concepts_chapter_1
Basic security concepts_chapter_1Basic security concepts_chapter_1
Basic security concepts_chapter_1
 
Ce hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devicesCe hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devices
 
Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lecture
 
Computer security: hackers and Viruses
Computer security: hackers and VirusesComputer security: hackers and Viruses
Computer security: hackers and Viruses
 
CNIT 140: Perimeter Security
CNIT 140: Perimeter SecurityCNIT 140: Perimeter Security
CNIT 140: Perimeter Security
 
XBOSoft Mobile Security Webinar with Jon D. Hagar
XBOSoft Mobile Security Webinar with Jon D. HagarXBOSoft Mobile Security Webinar with Jon D. Hagar
XBOSoft Mobile Security Webinar with Jon D. Hagar
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
amrapali builders -- maroochy water-services-case-study briefing.pdf
amrapali builders -- maroochy water-services-case-study briefing.pdfamrapali builders -- maroochy water-services-case-study briefing.pdf
amrapali builders -- maroochy water-services-case-study briefing.pdf
 

Similar to Securing embedded systems

Development of security architecture
Development of security architectureDevelopment of security architecture
Development of security architectureImran Khan
 
terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433Terry Gilsenan
 
Security (IM).ppt
Security (IM).pptSecurity (IM).ppt
Security (IM).pptGooglePay16
 
Introduction to Hacking
Introduction to HackingIntroduction to Hacking
Introduction to HackingRishabha Garg
 
Information security questions
Information security questions Information security questions
Information security questions gamemaker762
 
Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust
Protecting Data with Short-Lived Encryption Keys and Hardware Root of TrustProtecting Data with Short-Lived Encryption Keys and Hardware Root of Trust
Protecting Data with Short-Lived Encryption Keys and Hardware Root of TrustDan Griffin
 
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)mike parks
 
Information security
Information security Information security
Information securityJin Castor
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson
 
Computer security and privacy
Computer security and privacyComputer security and privacy
Computer security and privacyeiramespi07
 
InformationSecurity
InformationSecurityInformationSecurity
InformationSecuritylearnt
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
Introduction of hacking and cracking
Introduction of hacking and crackingIntroduction of hacking and cracking
Introduction of hacking and crackingHarshil Barot
 
Hacking and Penetration Testing - a beginners guide
Hacking and Penetration Testing - a beginners guideHacking and Penetration Testing - a beginners guide
Hacking and Penetration Testing - a beginners guidePankaj Dubey
 

Similar to Securing embedded systems (20)

Development of security architecture
Development of security architectureDevelopment of security architecture
Development of security architecture
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433
 
IoT security
IoT securityIoT security
IoT security
 
IoT-Device-Security.pptx
IoT-Device-Security.pptxIoT-Device-Security.pptx
IoT-Device-Security.pptx
 
Linux Security best Practices with Fedora
Linux Security best Practices with FedoraLinux Security best Practices with Fedora
Linux Security best Practices with Fedora
 
Security (IM).ppt
Security (IM).pptSecurity (IM).ppt
Security (IM).ppt
 
Introduction to Hacking
Introduction to HackingIntroduction to Hacking
Introduction to Hacking
 
Information security questions
Information security questions Information security questions
Information security questions
 
Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust
Protecting Data with Short-Lived Encryption Keys and Hardware Root of TrustProtecting Data with Short-Lived Encryption Keys and Hardware Root of Trust
Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust
 
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
 
Information security
Information security Information security
Information security
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT Security
 
Computer security and privacy
Computer security and privacyComputer security and privacy
Computer security and privacy
 
security in is.pptx
security in is.pptxsecurity in is.pptx
security in is.pptx
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 
InformationSecurity
InformationSecurityInformationSecurity
InformationSecurity
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 
Introduction of hacking and cracking
Introduction of hacking and crackingIntroduction of hacking and cracking
Introduction of hacking and cracking
 
Hacking and Penetration Testing - a beginners guide
Hacking and Penetration Testing - a beginners guideHacking and Penetration Testing - a beginners guide
Hacking and Penetration Testing - a beginners guide
 

Recently uploaded

Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

Securing embedded systems

  • 1. Securing Embedded System Realized by : Aissa Ben yahya
  • 2. AGENDA What is Security ? What is an Embedded System ? Who are the attackers ? Physical attack Secure boot technique Security Requirements Security basics Steps to secure embedded system
  • 3. WHAT IS SECURITY ? • Security is the ability of an entity to protect resources for which it bears protection responsibility. • Security, in information technology (IT), is the defense of digital information and IT assets against internal and external, malicious and accidental threats.
  • 4. WHAT IS AN EMBEDDED SYSTEM ? An embedded system is an electronic product that contains a microprocessor (one or more) and software to perform some constituent function within a larger entity.
  • 5. WHAT IS AN EMBEDDED SYSTEM ? • An embedded system is a controller programmed and controlled by a real-time operating system (RTOS) with a dedicated function within a larger mechanical or electrical system, often with real-time computing An embedded system on a plug-in card with processor, memory, power supply, and external interfaces constraints. • But how we define “Embedded” ? – Essentially, if you inherently know there’s a computer in there some place, but don’t see a keyboard, mouse, and monitor, it’s probably embedded
  • 6. WHY EMBEDDED SYSTEM SECURITY? “September 2007, Israel jets bombed a suspected nuclear installation in northeastern Syria. Among the many mysteries still surrounding that strike was the failure of Syrian radar, supposedly state of the art, to warn the Syrian military of the incoming assault. It wasn’t long before military and technology bloggers concluded that this was an incident of electronic warfare and not just any kind. Post after post speculated that the commercial off the-shelf microprocessors in the Syrian radar might have been purposely fabricated with a hidden “backdoor” inside. By sending a preprogrammed code to those chips, an unknown antagonist had disrupted the chips’ function and temporarily blocked the radar” Source : IEEE spectrum, 2007.
  • 7. WHY EMBEDDED SYSTEM SECURITY? • The Stuxnet worm is likely the first malware to directly target embedded process control systems. • Stuxnet infiltrated Siemens process control systems at nuclear plants by first subverting the Microsoft Windows workstations operators use to configure and monitor the embedded control electronics • SCADA networks are controlled by common PCs
  • 8. WHO ARE THE ATTACKERS ? The attackers actually fall in three basic categories • Amateur hackers (Script kiddies) A script kiddie or “skiddie” is someone who lacks programming knowledge and uses existing software to lunch an attack. Often a script kiddie will use these programs without even knowing they work or what they do
  • 9. WHO ARE THE ATTACKERS ? • Professional hackers Blackhat Like all hackers, black hat hackers usually have extensive knowledge about breaking into computer networks and bypassing security protocols. They are also responsible for writing malware, which is a method used to gain access to these systems.
  • 10. WHO ARE THE ATTACKERS ? • Professional hackers Whitehats White hat hackers are choose to use their powers for good rather than evil. Also known as “ethical hackers white hat hackers can sometimes be paid employees or contractors working for companies as security specialists that attempt to find security holes via hacking
  • 11. WHO ARE THE ATTACKERS ? • Professional hackers Grayhats As in life, there are gray areas that are neither black nor white. Gray hat hackers are a blend of both black hat and white hat activities.
  • 12. WHO ARE THE ATTACKERS ? • State-sponsored hackers The state-sponsored hackers are typically black hat, they are paid by a government to find and obtain important informations
  • 13. PHYSICAL ATTACK Physical access Physical Access is a Problem • Any time you allow physical access to a sensor, data processing or network communications equipment you open up security vulnerabilities • There are a number of physical attacks against computer platforms that simply can’t be done remotely – Ranging from simply unplugging power to sophisticated electromagnetic techniques such as Differential Power Analysis
  • 14. PHYSICAL ATTACK • Direct physical access requires the attacker to access the device physically. However, the attacker might not need any privileges to access the service of the device • Techniques to thwart physical access include: – Adding anti-temper sensor – Placing the device in anti-temper case – Using special screws – Removing debugging interfaces • All of this can be defeated giving enough time – Assume that your device will be compromised sooner or later
  • 15. PHYSICAL ATTACK Side-Channel Attack • A Side-Channel attack is any attack based on information gained from the physical implementation of a cryptosystem(embedded system).
  • 16. PHYSICAL ATTACK Power Analyze Attack • attacker studies the power consumption of a cryptographic hardware device (such as a smart card, tamper-resistant "black box", or integrated circuit).
  • 17. SECURE BOOT TECHNIQUES Firmware: For any device( printer, scanner, digital camera, etc.) to start running, It should have an initial program to run when it is powered up/booted. It is also called as bootstrap program, BIOS. It is mounted on ROM(a non-volatile memory, whose contents are permanent). Firmware locates the operating system's kernel and loads it into primary memory(RAM) at the time of startup. assembly or C/C++.
  • 18. SECURE BOOT TECHNIQUES • There is typically a window of vulnerability for any system during the boot sequence – Fortunately, there are now techniques to address this • There are several approaches to ensuring that the computer boots with known-good software images – Most of this rely on the availability of security hardware such as smart card or trusted Platform Module (TPM)
  • 19. SECURITY REQUIREMENTS • Confidentiality – This is probably one of the easiest characteristics of security to understand – The goal of confidentiality is simply that no unauthorized individuals can read the data you want protected – Confidentiality is often associated with privacy • But, we can achieve privacy without encryption
  • 20. SECURITY REQUIREMENTS Integrity • verifies the correctness and ensures that stored and transmitted sensitive data is protected against corruption. • Integrity encompasses a couple of different concepts – System integrity – Message integrity • System integrity can be addressed initially by ensuring a secure boot cycle • Message integrity is a somewhat different matter – We need to concern ourselves that the message was delivered intact – And, we need to ensure that the message wasn’t modified
  • 21. SECURITY REQUIREMENTS • Authentication – Authentication is the act of verifying a claim of identity . When John Doe goes into a bank to make a withdrawal, he tells the bank teller he is John Doe, a claim of identity, the bank teller asks to see a photo ID, so he hands the teller his driver’s license. The bank teller checks the license to make sure it has John Doe printed on it and compares the photograph on the license against the person claiming to be John Doe . If the photo and name match the person, then the teller has Authenticated that John Doe is who he claimed to be. Similarly, by entering the correct password, the user is providing evidence that he is the person the username belong to.
  • 22. SECURITY REQUIREMENTS • Authentication – There are three different type of information that can be used for authentication • Something you know : things such as a PIN, Password • Something you have : such as a smart cart • Something you are : biometrics, fingerprints, voice prints – Strong authentication requires providing more than one type of authentication
  • 23. SECURITY REQUIREMENTS • Authorization – after a person, program or computer has successfully been identified and authenticated then it must be determined what informational resources they are permitted to access and what actions they will be allowed to perform (run, view, create, delete, or change). This is called authorization. Authorization to access information and other computing services begins with administrative policies and procedures.
  • 24. SECURITY BASICS • Disable services / exclude tools / minimize attack surface • Use writable storage only when you must • Regular updates, automatic updates! Signed updates • Mandatory access control (SELinux) • Increase complexity in system, increase level of efforts to secure it
  • 25. STEPS TO SECURE EMBEDDED SYSTEM • Physical Security for Embedded Devices – Remove any debugging interfaces • Blow the e-fuses, if available, to prevent access to internal registers or storage – Place the unit in a tamper-resistant case • Use potting, special screws, etc. – Assume the device will be compromised physically
  • 26. STEPS TO SECURE EMBEDDED SYSTEM • Data Security on Embedded Devices – Implement a secure boot mechanism – Eliminate all non-essential services and software – Periodic auditing of installed software – Monitor and install software updates for the system regularly – Two-factor authentication for accessing the system
  • 27. STEPS TO SECURE EMBEDDED SYSTEM • Network Security – Know what devices are on your network • Periodically re-inventory to detect new devices – Implement IPv4 and IPv6 firewall policies – Plan for periodic updates to your networking equipment firmware – Close all non-essential ports and network services • can devices with tools like nmap, SATAN, SAINT, etc. – Use VPNs for extended-term communications link requirements – Consider hiring penetration testers periodically
  • 28. CONCLUSION • “The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable”