EMBEDDED DESIGN SOFTWARE DEVELOPMENT
stay up to date to be the most secure.
In order to reduce these vulnerabilities, embedded systems need to have secure updates integrated into the lifecycle of the software to protect the integrity of the device now and into the future.
Overcoming challenges
Embedded software developers play a critical role in mitigating the many risks possible in IoT devices by managing and protecting the integrity of their embedded systems and components.
In order to properly secure embedded systems, those systems must be designed with the needs of the device and the potential risks in mind. The level of risk must be identified first, because the greater the level of risk, the greater the level of security needed. With every device being unique, there is no single solution that can be applied to address the many types of attacks that are possible against IoT embedded systems.
In addition, one solution cannot be relied on for the whole of an embedded system's lifecycle. System updates will be needed throughout the life of the device, and a process must be followed to ensure remote management of the integrity of the device.
An adaptive process
To secure software and firmware during the embedded system development process, there is a series of practices that the Trusted Computing Group (TCG) recommends for a variety of unique devices.
Firstly, security must be built into all steps of the development process so that all potential weak points are considered. From there, a thorough threat analysis is recommended to identify which countermeasures will be needed during the design and maintenance of the embedded system. With new and emerging threats constantly appearing, a consistent approach to applying best practices for security, and improving them over time, will ensure the integrity of the device is maintained throughout its lifetime.
Using the latest technology and solutions, such as the TCG Trusted Platform Module (TPM), enables embedded system managers to verify the integrity of device software remotely, with 100 commands available in each TPM to take appropriate action when needed. The TPM can safeguard cryptographic keys and decrypt payloads, enabling the data transported between the distribution server and the device to be symmetrically encrypted. This is essential to performing secure firmware updates that maximise device integrity and ensure that a high level of security is provided.
Even when devices are compromised, they must still be capable of being updated, so that the weakest link in the device at risk of exploitation can be detected and properly protected. The TPM also supports measurement and attestation capabilities when used alongside the CRTM (core root of trust for measurement) or DICE (Device Identifier Composition Engine). This enables both local and remote attestation to detect failed updates, for full transparency over device performance and integrity.
Based on a careful analysis of the present and future needs and risk levels of the device when deployed in the field, the right technology can be selected to provide secure software and firmware updates.
Before installing software updates, the origin and integrity of the software must be verified by the recipient. A properly secured update signing system is key to achieving this, but it is often overlooked, providing an opportunity for attackers to distribute malicious code by exploiting defects in the signing process.
To avoid this, a secure update signing system should use separate keys and certificates for signing production code and development code. It is also best practice to use reliable and trustworthy cryptographic algorithms and tools throughout the whole process.
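As an added example (not code from the article or from TCG), the two points above in Go: the recipient verifies origin and integrity against the production public key before anything is installed, and because production and development builds are signed with separate keys, a development-signed image, like a tampered one, is rejected. The UpdatePackage layout and the sample image are constructed for this demo; Ed25519 over a SHA-256 digest is one reasonable choice of algorithm, not one the article prescribes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is what the distribution server ships: the firmware image plus a
// signature over the image's SHA-256 digest (a constructed format for this demo).
type UpdatePackage struct {
	Image     []byte
	Signature []byte
}

// SignUpdate runs on the signing side: hash the image and sign the digest.
// Production and development builds use different private keys.
func SignUpdate(priv ed25519.PrivateKey, image []byte) UpdatePackage {
	digest := sha256.Sum256(image)
	return UpdatePackage{Image: image, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate is the recipient-side check before installation: the device
// trusts only the production public key, so a development-signed or modified
// image fails here and is never written to flash.
func VerifyUpdate(trustedProd ed25519.PublicKey, pkg UpdatePackage) error {
	digest := sha256.Sum256(pkg.Image)
	if !ed25519.Verify(trustedProd, digest[:], pkg.Signature) {
		return errors.New("update rejected: not signed by production key or image altered")
	}
	return nil
}

func main() {
	// Separate key pairs for production and development signing.
	prodPub, prodPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v1.2") // constructed sample payload

	fmt.Println("production-signed:", VerifyUpdate(prodPub, SignUpdate(prodPriv, image)))
	fmt.Println("development-signed:", VerifyUpdate(prodPub, SignUpdate(devPriv, image)))
	pkg := SignUpdate(prodPriv, image)
	pkg.Image[0] ^= 0xff // simulate corruption or tampering in transit
	fmt.Println("tampered image:", VerifyUpdate(prodPub, pkg))
}
```

Only the first check returns nil; the development-signed and tampered packages both return the rejection error.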
While investing in the right technologies, it is also critical to invest in security training for people, so that best practices can be consistently implemented.
The trustworthiness of the tools and libraries used throughout each step of embedded system development must also be considered, to avoid compromising the integrity of the system along the way. Finally, a careful process of risk identification and incident response is key to quickly identifying and responding to new risks, thus mitigating their impact as much as possible.
Overall, by establishing a process for securing embedded system development and reacting to vulnerabilities when needed, developers can ensure that we protect our customers and employers from threats that may emerge now and in the future.
Author details: Steve Hanna is co-chair of TCG's embedded systems, IoT and Industrial Works Group.
www.newelectronics.co.uk 22 September 2020 27