Hi Martin and Rafael,

I agree with Martin. Software security is essential in most embedded systems.

Also note that there is an interesting fractal line between hardware and software in such systems that often makes for interesting security situations. Consider Java-based smart cards (which I worked on a decade ago), which were susceptible to both malicious applets and differential power analysis. Designing a secure system involved understanding both the hardware and the software.

At Cigital we continue to do lots of software security work with embedded systems companies, especially in the mobile space. The OS vendors, the carriers, and the application providers all have security responsibilities (and can all screw the whole thing up).

By the way, QUALCOMM was a member of the BSIMM study and has a mature software security initiative underway. See http://bsi-mm.com

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
podcast www.cigital.com/realitycheck
blog www.cigital.com/justiceleague
book www.swsec.com

On 8/20/09 5:14 AM, "Martin Gilje Jaatun" <secse-ch...@sislab.no> wrote:

> Rafael Ruiz wrote:
> > I am a lurker (I think), I am an embedded programmer and work at
> > Lowrance (a brand of the Navico company), and I don't think I can
> > provide too much to security because embedded software is closed per se.
>
> IMHO, it is very dangerous to assume that "since it is embedded, nobody has the source code". This "security through obscurity" approach was employed by the Bell telephone system in the 70's and 80's, but it turned out that there was no limit to what Phone Phreaks and their kin could dig up of supposedly secret information, including schematics and instruction manuals. In more recent times, reverse engineering of the DVD Content Scrambling System (CSS) and various RFID electronic fare cards has proven that if someone has physical access to a device, you must also assume that they can access the software.
>
> -Martin

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________