Secure development for embedded systems

Next course: 16-18/04/2024
Place: Online
Enrol by: 15/03/2024
Language: English
Price: 23.500 SEK
Price: 2 150 EUR

Request more information

Heidi Lehtomäki – Finland
phone: +358 40 196 0142
heidi.lehtomaki@nohau.fi

Lena Bernhardsson – Sweden
Phone: +46 (0) 40 59 22 09
lena.bernhardsson@nohau.se

Flemming Jensen – Denmark
Phone: +45 44 52 16 60
fkj@nohau.dk

The security of embedded systems is important today and even more in the future.


Learn how to use C/C++ safely in critical systems, including best practices for memory management, input validation, and error handling. Securing an embedded system combines many strategies and procedures that coordinate cyber security across both the software and the hardware of the system.

You will learn about embedded security and industry standards, including ISO/SAE 21434, IEC 62443, NIST SP 800-53, Common Criteria, and OWASP. You also get an introduction to the Rust programming language and its built-in security features, including memory safety and type safety.

Training format

  • 3 days online training: 18 hours, 3 sessions, 6 hours each
  • Course delivered using the Teams video-conferencing system.

Course Objectives

  • Introduction to embedded security and industry standards, including ISO/SAE 21434, IEC 62443, NIST SP 800-53, Common Criteria, and OWASP.
  • Learn about secure coding practices for the C/C++ programming languages, including best practices for memory management, input validation, and error handling.
  • Introduce the Rust programming language and its built-in security features, including memory safety and type safety.
  • Learn about secure software development methodologies, including threat modelling, secure design principles, and secure coding standards.
  • Introduce techniques for ensuring security in embedded systems, including security testing, security provisioning, and secure boot processes.
  • Introduce cryptography in embedded systems.
  • Learn about the design and implementation of secure embedded system hardware architecture, including secure boot processes and secure communication protocols.
  • Learn about secure communication in embedded systems, including network protocols, secure communication protocols, and secure data transfer.
  • Get an overview of security issues and best practices for Internet of Things (IoT) devices and systems.

Theoretical course

  • PDF course material (in English)
  • Course delivered using the Teams video-conferencing system.
  • The trainer answers trainees’ questions during the training and provides technical and pedagogical assistance through the Teams video-conferencing system.

Practical activities

  • During exercises you will connect remotely to a Linux PC to perform the activities.
  • The trainer has access to trainees’ online PCs for technical and pedagogical assistance.
  • Downloadable preconfigured virtual machine for post-course practical activities.

Day one
Embedded Security and the C/C++ and Rust programming languages

Introduction to embedded security (3 hours)

Embedded Security Trends

  • Embedded Systems Complexity
  • Sophisticated Attacks
  • Processor consolidation

Security policies

  • Perfect Security
  • Embedded Security Challenges
  • Confidentiality, Integrity, and Availability
  • Isolation
  • Information Flow Control
  • Physical Security Policies

Security Threats

  • Summary of issues
  • Cyberattack exploits

Legacy Systems

  • Updatability
  • Securing Legacy Systems
  • Project Requirements
  • Performance

Security standards

  • ISO/IEC
  • IEEE
  • UL 2900-2-2

Recommended IoT security standards

Secure C/C++ Code (3 hours)

Secure C

  • Preprocessor and macros
  • Compilation, Declaration, definition, and initialization
  • Types
  • Pointers and arrays
  • Structure and unions
  • Expressions
  • Conditional and iterative structures
  • Functions
  • Memory Management
  • Error handling
  • Standard Libraries

Secure C++

  • Declarations and Initialization
  • Expressions
  • Integers
  • Containers
  • Characters and Strings
  • Memory Management
  • Input Output
  • Exceptions and Error Handling
  • Object Oriented Programming
  • Concurrency
  • Miscellaneous

Exercise: Memory Overflow Attacks

Security in Rust (1 hour)

  • Development environment
  • Libraries
  • Language generalities
  • Memory management
  • Type system
  • Foreign function interface (FFI)
  • Recommendations

Day two
Secure Software Development and Testing

Secure Software Development (3 hours)

Threat modelling

  • Introduction to threat modelling
  • Example threat models

Risk analysis

Software Assurance Maturity Model (SAMM)

Platform Security architecture (PSA)

Frameworks and Standards

  • NIST SP 800-160:
      ◦ Overview of the NIST SP 800-160 framework
      ◦ Guidelines for embedded systems
      ◦ Tools and resources for embedded systems
  • ISO/IEC 27001:2013:
      ◦ Overview of the standard
      ◦ Guidelines and best practices
  • ISO/IEC 15408:
      ◦ Overview of ISO/IEC 15408
      ◦ Evaluating the security of embedded systems using Common Criteria
  • IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems
      ◦ Overview of the IEC 61508 standard
      ◦ IEC 61508 guidelines and best practices for embedded systems
  • UL 2900-2-2: Software cybersecurity for network-connectable products
      ◦ Overview of the UL 2900-2-2 standard
      ◦ UL 2900-2-2 guidelines and best practices for embedded systems

Security Knowledge Framework and Certifications

Ensuring security in Embedded Systems (2 hours)

Introduction

Security Testing

  • Penetration testing
  • Vulnerability scanning
  • Risk assessment
  • Static Analysis
  • Dynamic analysis
  • Protocol fuzzing

Security provisioning

  • Security configuration management
  • Identity and access management
  • Incident response and management
  • Compliance and regulatory requirements

Security Testing Tools overview

Cryptography introduction (2 hours)

  • Overview of cryptography
  • Classic Cryptography
  • Information assurance
  • Symmetric encryption
  • Asymmetric encryption
  • Random number generation
  • Integrity and authentication
  • Access authentication
  • Elliptic Curve cryptography
  • Certificates and Public Key infrastructures
  • Rules and recommendations

Exercise: Encryption/Decryption

Exercise: Private/Public Keys

Exercise: Authentication and Integrity on IoT Devices

Day three
Hardware Architecture, Transport Layer Security and IoT security recommendations

Secure Embedded System Hardware Architecture (2 hours)

Crypto-Accelerator Overview

ARM TrustZone

Intel Software Guard eXtensions

SoC Security overview

  • Memory Protection
  • Trusted Boot and Firmware update overview
  • Secure Elements
  • Trusted Platform Module (TPM)
  • Hardware Security Module (HSM)

Exercise: Secure boot

Exercise: ARM TrustZone application (secure/non-secure)

Overview of Secure Communication in Embedded Systems (3 hours)

Introduction

Transport Layer Security (TLS)

IPsec/IKE

Network layer

  • Bluetooth
  • WiFi
  • 5G
  • NFC
  • RFID
  • SigFox

IoT security (2 hours)

Secure IoT architecture

IoT standards and recommendations

Software development architecture and practices

Cryptology

Software security

Hardware protection

Network security

Life cycle and support

Do you wish more information?

Contact us for offers, information or advice!