Introduction to Embedded Systems Security
Chapter Outline
1.1 What is Security?
1.2 What is an Embedded System?
1.3 Embedded Security Trends
1.3.1 Embedded Systems Complexity
1.3.1.1 Case Study: Embedded Linux
1.3.2 Network Connectivity
1.3.3 Reliance on Embedded Systems for Critical Infrastructure
1.3.4 Sophisticated Attackers
1.3.5 Processor Consolidation
1.4 Security Policies
1.4.1 Perfect Security
1.4.2 Confidentiality, Integrity, and Availability
1.4.3 Isolation
1.4.4 Information Flow Control
1.4.5 Physical Security Policies
1.4.6 Application-Specific Policies
1.5 Security Threats
1.5.1 Case Study: VxWorks Debug Port Vulnerability
1.6 Wrap-up
1.7 Key Points
1.8 Bibliography and Notes
1.1 What is Security?
Any book about security must start with some definition for it. If ten security professionals are
asked to define the term, ten different results will be forthcoming. To attain validity for the
innumerable variety of embedded systems and their functions, our brush uses a broad stroke:
Security is the ability of an entity to protect resources for which it bears protection responsibility.
In an embedded system, this protection responsibility may apply to resources within or
resources of the overall system to which the embedded system is connected or in which it is
subsumed. As we discuss later in this chapter, the protective properties of a component or
system are embodied in its security policy.
1.2 What is an Embedded System?
Attempts to define “embedded system” are also often fraught with controversy. For the
purposes of this book, we define embedded system as follows:
An embedded system is an electronic product that contains a microprocessor (one or more) and
software to perform some constituent function within a larger entity.
Any definition of embedded system must be augmented with examples. We do not claim an
aircraft is an embedded system, but its flight control system; traffic collision avoidance system
(TCAS); communication, navigation, and surveillance system (CNS); electronic flight bag
system (EFB); and even in-flight entertainment system are all examples of embedded systems
within the aircraft (see Figure 1.1).
We do not claim the automobile is an embedded system. But its infotainment “head-unit,”
anti-lock braking system, powertrain engine control unit, digital instrument cluster, and a plethora
of other electronic subsystems—dozens in the typical modern car—are all examples of
embedded systems (see Figure 1.2).
Embedded systems are often characterized by what they are not: the antithesis of the embedded
system is the desktop personal computer whose main Intel Architecture (IA)-based
microprocessor powers the human interface and application environment that serves as the
entity’s sole purpose. Similarly, a rack-mounted server's main microprocessor performs
a dedicated service, such as hosting a website.
A gray area causes the aforementioned controversy. Some argue whether a smartphone is an
embedded system or just a miniature desktop computer. Nevertheless, there is little debate that
individual components within the phone, such as the radio with its own baseband
microprocessor and software, are embedded systems. Similarly, some servers contain auxiliary
daughter cards that perform health monitoring and remote management to improve overall
availability. Each card contains a microprocessor and software and hence meets our definition of
embedded system.
The scope of this book liberally includes smartphones whose overall security is highly
dependent upon embedded hardware and software.
Figure 1.1: Embedded systems within modern commercial aircraft.
Figure 1.2: Some embedded systems within a typical automobile. (Figure labels: Chassis & Safety, Infotainment, Instrument Cluster, Gateways, Powertrain.)