Call for IoT Trainings: Secure Development for embedded Devices
The world is much easier to handle without limits. If you have all your frameworks freely available and have the luxury of running your code with a multi-MB (or -GB) runtime environment, then you are in paradise. The world of embedded devices and the Internet of Things looks different. Saving energy is the prime directive. The power supply might be a battery or the connector pin of another device. Multiple cores are rare, memory is even rarer. If you are acquainted with the container and cloud lifestyle, then embedded systems will be a culture shock. Think kilo instead of mega or giga. Small devices run code, too. So this is where security comes into play. What can you do to design your embedded code to be small and secure?
Secure design and coding have entered the stage of software development in recent years. The art of getting things right and not trusting anything or anyone is hard on platforms where memory, computing power, and storage are plentiful. Saying goodbye to your favourite high-level library or easy deployments involving several megabytes of downloads will transform your development cycle. Instead of including large amounts of code for single function calls, take care of the details yourself. When operating in tight environments developer usually bring their own toolchains and helper libraries in order to save space. Computing is another barrier. Doing expensive cryptography is fine on multi-core processors with excessive memory bandwidth. The same can be challenging on low-core and low-speed systems.
Detailed inside knowledge of the platform you are using is essential. This is especially true for the IoT and embedded devices world. Once upon a time software developer would first look up the specifications of the hardware before designing and implementing the first line(s) of code. This has changed because most programming languages hide the complexity of the platform from the developers. Usually, this is desirable. Security-wise it shifts to the problem since low-level bugs/design flaws with deep roots have bitten the applications on top (Spectre and Meltdown for example). If you run on small devices, the issues get more critical.
DeepSec is looking for expert trainers in IoT and embedded software development. We would like to connect the abstract thinking of coding without limits with the actual world in the growing IoT sector. There is no smart home without smart code. Let’s make smart security happen.
Originally published at https://blog.deepsec.net on March 24, 2021.