Software Security Issues in Embedded Systems

Embedded systems and networks are becoming increasingly prevalent in critical sectors. Therefore, malicious or accidental failures in embedded systems can have dire consequences. Hence, the integrity of embedded software infrastructures, such as configuration and code, is of paramount importance. The autonomous nature of embedded systems also poses new challenges in the context of system integrity. Embedded systems and networks also often have to operate autonomously in a dynamic environment. Therefore, an embedded system has to adapt its behavior to the change in environment or the overall goal. Unauthorized or unverified updates to the infrastructure of an embedded system can also compromise its integrity. In recent years, there have been significant advances in the area of software security. However, all these techniques are not directly applicable in the context of embedded systems because of following reasons: 1) Embedded systems are generally deployed in environments that are highly dynamic and configurable. 2) Functional requirements of an embedded system change over time. 3) Frequently an embedded system is a complex network of components. Therefore, a malicious or accidental fault in a component can lead to a complex cascade of events in the network. 4) Embedded systems are frequently deployed in mission critical applications where consequences of failures can be dire. Therefore, recovery from failures is extremely important in the context of embedded systems. Extending existing techniques in software security to handle the four above mentioned characteristics of embedded systems is an important research direction. I will provide details of two such research directions.
Presented at the 2007 ARO Planning Workshop on Embedded Systems and Network Security, held in Raleigh, NC on 22-23 Feb 2007and published in proceedings of the same. The original document contains color images. This article is from ADA485570 Proceedings of the ARO Planning Workshop on Embedded Systems and Network Security Held in Raleigh, North Carolina on February 22-23, 2007