Introduction to Embedded Systems Security Chapter Outline 1.1 What is Security? 1 1.2 What is an Embedded System? 2 1.3 Embedded Security Trends 4 1.3.1 Embedded Systems Complexity 4 1.3.1.1 Case Study: Embedded Line 6 1,3.2 Network Connectivity 12 1.3.3 Reliance on Embedded Systems for Critical Infrastructure 14 1.3.4 Sophisticated Attackers 15 1.3.5 Processor Consolidation 16 1.4 Security Policies 18 1.4.1 Perfect Security 18 1.4.2 Confidentiality, Integrity, and Availability 18 1,423 Isolation 19 1.4.4 Information Flow Control 20 1.4.5 Physical Security Policies 21 1.4.6 Application-Specific Policies 21 1.5 Security Threats 22 1.5.1 Case Study: ViWorks Debug Port Vulnerability 22 1.6 Wrap-up 23 1.7 Key Points 23 1.8 Bibliography and Notes 24 1.1 What is Security? Any book about security must start with some definition for it. If ten security professionals are asked to define the term, ten different results will be forthcoming. To attain validity for the innumerable variety of embedded systems and their functions, our brush uses a broad stroke: Security isthe ability of an entity to protect resources For which ic bears protection responsibilty2 Chapter 1 In an embedded system, this protection responsibility may apply to resources within or resources of the overall system to which the embedded system is connected or in which it is subsumed, As we discuss later in this chapter, the protective properties of a component or system are embodied in its security policy. 1.2 What is an Embedded System? Attempts to define “embedded system” are also often fraught with controversy. For the purposes of this book, we define embedded system as follows: ‘An embedded system is an electronic product that contains a microprocessor (one or more) and software to perform some constituent function within a larger entity Any definition of embedded system must be augmented with examples. We do not claim an aircraft is an embedded system, but its flight control system; traffic collision avoidance system (TCAS); communication, navigation, and surveillance system (CNS); electronic flight bag system (BFB); and even in-flight entertainment system are all examples of embedded systems within the aircraft (see Figure 1.1). We do not claim the automobile is an embedded system. But its infotainment “head-unit,” anti- lock breaking system, powertrain engine control unit, digital instrument cluster, and a plethora of other electronic subsystems—dozens in the typical moder car—are all examples of embedded systems (see Figure 1.2). Embedded systems are often characterized by what they are not: the antithesis of the embedded system is the desktop personal computer whose main Intel Architecture (IA)-based microprocessor powers the human interface and application environment that serves as the entity’s sole purpose. Similarly, a rack-mounted server's main microprocessor performs a dedicated service, such as hosting a website. A gray area causes the aforementioned controversy. Some argue whether a smartphone is an embedded system or just a miniature desktop computer. Nevertheless, there is little debate that individual components within the phone, such as the radio with its own baseband microprocessor and software, are embedded systems, Similarly, some servers contain auxiliary daughter cards that perform health monitoring and remote management to improve overall availability. Each card contains a microprocessor and software and hence meets our definition of embedded system. The scope of this book liberally includes smartphones whose overall security is highly dependent upon embedded hardware and software,Introduction to Embedded Systems Security 3 Figure 1.1: Embedded systems within modern commercial aircraft. Chassis & Safety Infotainment Instrument Cluster Gateways Powertrain Figure 1.2: Some embedded systems within a typical automobile.