This blog is the final part of a series covering the insights I uncovered at the 2020 Embedded Online Conference.
In the previous blogs in this series, I discussed the opportunities we have in the embedded world to make the next generation of small, low-power devices smarter and more capable. I also discussed the improved accessibility of embedded technologies, such as FPGAs, that are allowing more developers to participate, experiment, and drive innovation in our industry.
Today, I’d like to discuss another topic that is driving change in our industry and was heavily featured at the Embedded Online Conference – security.
Security is still under-prioritised in our industry. You only have to watch the first 12 minutes of Maria "Azeria" Markstedter’s ‘defending against Hackers’ talk to see the lack of security features in widely used IoT devices today.
Security is often seen as a burden, but it doesn’t need to be. In recent years, many passionate security researchers have helped to highlight some simple steps you can take to vastly improve the overall security of your system. In fact, by clearly identifying the threats and utilizing appropriate and well-defined mitigation techniques, systems become much harder to compromise. I’d recommend watching these talks to familiarize yourself with some of the different aspects of security you need to consider:
- Azeria is a security researcher and Arm Innovator who is passionate about educating developers on how to defend their applications against malicious attacks. In this talk, Maria focusses on shedding light on the most common exploit mitigations to consider for memory-corruption-based exploits when writing code for Arm Cortex-A processors, such as Execute Never (XN), Address Space Layout Randomisation (ASLR) and stack canaries. What’s really interesting is that it becomes clear from listening to Azeria’s talk and from seeing the audience comments that there is a lot of low-hanging fruit that we, as developers, are not fully aware of. Collectively, we should start to see exploit mitigations as great tools to increase the security of our systems, no matter what type of code we are writing.
- In the same vein as Maria’s talk, Aljoscha Lautenbach discusses some of the most common vulnerabilities and security mechanisms for the IoT, but with a focus on cryptography. He focusses on how to use block cipher modes correctly, common insecure algorithms to watch out for, and the importance of entropy and initialization vectors (IVs).
- A different approach is taken by Colin O'Flynn in his talk, Hardware Hacking: Hands-On. I personally really appreciate the angle that Colin takes, as it is something that, as software engineers, we tend to forget. The IoT and embedded devices running our code can be physically tampered with in order to extract our secrets. As Colin mentions, protecting against these attacks is usually costly, but there are a lot of steps we can take to substantially mitigate the risk. The first step is to analyse the weaknesses of our system by performing a threat analysis to ensure we are covering all bases when architecting and implementing our code. A popular framework to address the issue of security is the Platform Security Architecture (PSA) that Jacob Beningo describes in detail during his talk. Colin then moves on to introduce practical tools and techniques that you can use to test the ability of your systems to resist physical attacks.
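
A build-time check for the three mitigations named in the first talk above, as an added example that is not taken from the talk or from this post. It parses a 32-bit little-endian ELF image (the usual format for 32-bit Arm Linux binaries); the `build_sample` helper and its inputs are constructed for the demonstration, and the canary test is a symbol-name heuristic.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header carrying the requested stack permissions
PF_X = 0x1                 # "executable" bit in p_flags
ET_DYN = 3                 # position-independent executable (or shared object)

def check_mitigations(elf: bytes) -> dict:
    """Report XN stack, PIE and stack-canary status for a 32-bit little-endian ELF."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a 32-bit little-endian ELF image")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<I", elf, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    nx_stack = False  # a missing PT_GNU_STACK header is treated here as "XN not requested"
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", elf, off)
        (p_flags,) = struct.unpack_from("<I", elf, off + 24)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {
        "nx_stack": nx_stack,
        # Only a position-independent main executable can be loaded at a randomised base.
        "pie": e_type == ET_DYN,
        # Heuristic: stack-protector code emitted by the compiler references this symbol.
        "stack_canary": b"__stack_chk_fail" in elf,
    }

def build_sample(e_type: int, stack_flags: int, with_canary: bool) -> bytes:
    """Constructed minimal image: ELF32 header plus one PT_GNU_STACK program header."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)  # 32-bit, little-endian, version 1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               e_type, 40, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)  # 40 = EM_ARM
    phdr = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr + (b"\0__stack_chk_fail\0" if with_canary else b"")

if __name__ == "__main__":
    samples = {"hardened": build_sample(3, 0x6, True),   # ET_DYN, stack RW-, canary symbol
               "legacy": build_sample(2, 0x7, False)}    # ET_EXEC, stack RWX, no canary
    for name, image in samples.items():
        print(name, check_mitigations(image))
```

To check a real binary, pass the file's bytes to `check_mitigations`; a stripped, statically linked image can contain canaries without the symbol name, so a negative canary result needs confirming against the build flags.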
The passion of the security community to educate embedded software developers on security system flaws is shown during the talks and the answers to the questions submitted.
With the growing number of news headlines depicting compromised IoT devices, it is clear that security is no longer optional. The collaboration between the security researchers and the software and hardware communities I have seen at this and at many other conferences and events reassures me that we really are on the verge of putting security first.
It has been great to see so many talks at the Embedded Online Conference highlighting the new opportunities for developers in the embedded world. If you missed the conference and would like to catch the talks mentioned above*, visit www.embeddedonlineconference.com.
*This blog only features a small collection of all the amazing speakers and talks delivered at the Conference!
In case you missed the previous posts in this series, here they are: