Connected System Concerns
The evolution of embedded systems into complex, connected systems continues to provide new challenges for embedded software tool vendors. But they are rising to the moment, as security becomes more of a priority than ever.
Gone are the days when most embedded systems worked in isolation, not linked to any networks. In order to reap the opportunities of a hyper-connected IoT era, today’s embedded systems are routinely linked for purposes of monitoring, data collection, software updates and more. As a result, security has moved front and center for embedded software developers.
To keep pace, embedded software tool vendors continue to bulk up their security capabilities. They’ve been doing this both organically, and by adding expertise via key acquisitions and partnerships. Even though all these vendors are addressing a similar need, the major embedded tool vendors each have their own approaches when it comes to providing security capabilities.
SOFTWARE IP IN THE IoT AGE
According to Anders Holmberg, Chief Strategy Officer at IAR Systems, the need for security in today’s embedded software goes hand in hand with the emergence of highly connected systems. In today’s environment, complexity is no longer the only challenge. “When IoT entered the collective mind as a key enabler for new opportunities, that led to increased connectivity and talk about how to protect these connected devices,” says Holmberg. “In recent years, the trend we’ve seen is about the importance of protecting software IP. Today, most of the business value of embedded devices is due to the software, so better protecting embedded devices and the software they run is a key activity to stay competitive.”
Holmberg says that security becomes more and more relevant as more data is collected from both machines and humans, raising questions about how to manage and store sensitive and functional data. The design of automatic update processes is also an issue.
“A side effect of implementing IP security based on cryptography and strong hardware-based roots of trust is that it enables more fine-grained control of what features are available to a particular user at a given point in time—which in turn enables new business models,” says Holmberg.
For its part, IAR Systems has made a number of advances in recent years focused on security. First, it offers C-Trust, an extension to IAR’s development toolchain IAR Embedded Workbench, which enables developers to add security into the normal development flow and easily protect the application and deliver secure, encrypted code. Figure 1 shows how to enable C-Trust in IAR Embedded Workbench by simply clicking a checkbox.
IAR Systems also offers its Security from Inception Suite. It’s aimed at companies looking for a solution to implement and customize security in their applications, and to learn both how to deal with security within their development teams and how to take advantage of the coming possibilities at a company level. The suite enables developers to build a platform that will extend with evolving security needs as threats appear and as legislation impacts the business. It’s available in different editions and also includes extensive security training resources and, if needed, custom design reviews.
IAR’s toolchain is available in editions certified for functional safety. These editions are certified by the certification body TÜV SÜD according to the requirements put forth in the industry standards ISO26262 (automotive), IEC61508 (industrial control), EN50128/EN50657 (rail transportation) and IEC62304 (medical devices). Along with the toolchain, there is special support for these functional safety editions that provides access to frozen versions of the toolchain for the duration of the customer’s contract, as well as prioritized technical support and validated service packs.
OPTIMIZED AGILE DEVELOPMENT
For its latest security-related advancement, LDRA in February teamed up with Atlassian, integrating that company’s Jira software to optimize agile development and verification of critical embedded applications. Embedded developers working in safety- and security-critical organizations must demonstrate compliance with industry functional safety and security standards, and to do this they are making the shift toward agile development methods, says LDRA. The new integration gives development organizations an agile solution that optimizes workflows with requirements traceability and automates software quality analysis and verification as well as documentation production.
The LDRA TBmanager Integration Package for Jira delivers bidirectional end-to-end traceability from Jira issues and test cases to requirements, design, code and testing activities and artifacts (Figure 2). This integration supports and enables both Scrum and Kanban agile workflows to address the requirements of critical software safety standards such as DO-178B/C (aerospace and defense), IEC62304, ISO26262, EN50128, IEC60880 (nuclear energy) and IEC61508.
The bidirectional interface exchanges requirements, test cases and test execution results, so users can see the status and verification of requirements reflected in Jira. Furthermore, developers can verify traceability through Jira’s traceability matrix report and thereby ensure that all documented issues in Jira and imported requirements have been addressed. The LDRA TBmanager Integration Package for Jira is available from version 9.8.1 (and newer) of the LDRA tool suite. Users can download a free 30-day trial of the LDRA tool suite with the TBmanager Integration Package for Jira.
Tools that rigorously test embedded software for security form an important part of today’s development tool chains. For its part, GrammaTech announced the availability of CodeSonar version 5.2 in December. The features in that latest version of CodeSonar give software development organizations the capability to use a single tool to perform Static Application Security Testing (SAST) to further increase code security, quality and safety, covering both embedded and enterprise applications (Figure 3).
CodeSonar now supports AUTOSAR C++14, the latest C++ coding guidelines from AUTOSAR. With MISRA compliance included in previous releases, the addition of AUTOSAR support now sets CodeSonar at the forefront of the MISRA/AUTOSAR merging of standards. The release of CodeSonar 5.2 also includes improved compiler support and open standards, with support for new versions of the IAR, GNU C and Clang compilers. Updates to the C, C++17 and C++20 standards have also been incorporated, giving customers confidence that CodeSonar support spans from old to new language features. GrammaTech continues its work on open standards, including contributing to and supporting SARIF version 2.1. This support also means that CodeSonar can work with the latest versions of IDEs such as Microsoft VS Code.
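SARIF 2.1 is the interchange format that lets a SAST tool’s findings flow into IDEs and CI pipelines. The following script is an added example, not CodeSonar’s or GrammaTech’s code, of what a consumer on the receiving end typically does with such a log: flatten the results, count them by level and rule, and fail a build gate when anything at or above a chosen severity is present. The SARIF document embedded in it is constructed for illustration (tool name “ExampleSAST”, rule ids “BUF-001” and “STY-002”, file paths and messages are all invented); only the document shape follows the SARIF 2.1.0 schema, including the spec’s default of “warning” when a result carries no level.

```python
"""Triage a SARIF 2.1.0 report the way a CI gate would: flatten results,
count them by level and rule, and decide whether the build should pass."""
import json
from collections import Counter

# Constructed sample SARIF 2.1.0 document; not output from any real tool.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "ExampleSAST", "version": "0.1", "rules": [
            {"id": "BUF-001", "shortDescription": {"text": "Buffer overrun"}},
            {"id": "STY-002", "shortDescription": {"text": "Unused variable"}},
        ]}},
        "results": [
            {"ruleId": "BUF-001", "level": "error",
             "message": {"text": "write past end of 'buf'"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/parser.c"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "STY-002", "level": "warning",
             "message": {"text": "'tmp' is assigned but never read"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main.c"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "STY-002",  # no "level": the SARIF default is "warning"
             "message": {"text": "'i' is assigned but never read"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main.c"},
                 "region": {"startLine": 9}}}]},
        ],
    }],
})

# Constructed empty log, the shape a clean scan produces.
EMPTY_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "ExampleSAST"}}, "results": []}]})

SEVERITY = {"error": 3, "warning": 2, "note": 1, "none": 0}


def load_sarif(text):
    """Parse and sanity-check the top-level SARIF envelope."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0" or not isinstance(doc.get("runs"), list):
        raise ValueError("not a SARIF 2.1.0 log")
    return doc


def iter_findings(doc):
    """Flatten every result in every run into a plain dict."""
    for run in doc["runs"]:
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            locs = res.get("locations") or [{}]
            phys = locs[0].get("physicalLocation", {})
            yield {
                "tool": tool,
                "rule": res.get("ruleId", "?"),
                "level": res.get("level", "warning"),  # SARIF default level
                "file": phys.get("artifactLocation", {}).get("uri", "?"),
                "line": phys.get("region", {}).get("startLine"),
                "text": res.get("message", {}).get("text", ""),
            }


def summarize(text):
    """Return total, counts by level and counts by rule for a SARIF log."""
    findings = list(iter_findings(load_sarif(text)))
    return {
        "total": len(findings),
        "by_level": dict(Counter(f["level"] for f in findings)),
        "by_rule": dict(Counter(f["rule"] for f in findings)),
    }


def build_gate(text, fail_at="error"):
    """Return (passed, blocking): blocking lists findings at or above the
    fail_at level, most severe first, then by file and line."""
    threshold = SEVERITY[fail_at]
    blocking = [f for f in iter_findings(load_sarif(text))
                if SEVERITY.get(f["level"], 2) >= threshold]
    blocking.sort(key=lambda f: (-SEVERITY.get(f["level"], 2),
                                 f["file"], f["line"] or 0))
    return not blocking, blocking


if __name__ == "__main__":
    print(summarize(SAMPLE_SARIF))
    passed, blocking = build_gate(SAMPLE_SARIF)
    for f in blocking:
        print(f"{f['level'].upper():8} {f['file']}:{f['line']} "
              f"[{f['rule']}] {f['text']}")
    print("gate:", "PASS" if passed else "FAIL")
```

Running the script prints the summary, the single error-level finding and “gate: FAIL”. Raising the threshold is a one-argument change (`build_gate(text, fail_at="warning")`), which is how a team usually ratchets a gate tighter over time rather than turning every warning into a build break on day one.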
CodeSonar 5.2 continues its tight integration with JuliaSoft by supporting the latest release of the Julia engine, which provides high recall, high-precision detection of security vulnerabilities in Java and C#. In addition, GrammaTech is expanding support for CodeSonar for Binaries to include support for the Power architecture (PPC) in addition to the existing support for x86 and Arm architectures. The addition of the Power architecture support for CodeSonar for Binaries widens the scope of the product to another key processor family used in embedded and server-based systems, such as devices from NXP and IBM. The update is available as a free upgrade to eligible customers under active support and maintenance contracts. A 30-day trial of CodeSonar 5.2 is also available.
AUTOMATED TEST APPROACH
AdaCore has likewise beefed up its security testing capabilities. In June 2019, AdaCore announced a partnership with Code Dx, a provider of an application security management solution that automates and accelerates the discovery, prioritization and risk management of software vulnerabilities. Through this partnership, Code Dx Enterprise now supports AdaCore’s CodePeer advanced static analysis tool, an automatic Ada code reviewer and validator.
The solution provides developers with one central location from which to view the results of multiple application security testing (AST) tools and allows them to easily prioritize vulnerabilities for remediation. Developers can automatically pull results from AdaCore’s CodePeer into Code Dx Enterprise, without downloading and then uploading scan results each time. Users simply open Code Dx Enterprise and the latest results are there.
Code Dx Enterprise supports and integrates with more than 70 commercial AST tools and techniques, including static, dynamic, and interactive tools; third-party component analyzers; and manual reviews, to provide total software application vulnerability correlation and management. The tool enables AdaCore users to more easily collaborate on testing and remediation processes, and to track findings over time.
For CodePeer users who are developing multi-language software within the same application, Code Dx Enterprise provides a single repository to manage all of their AST activities. The CWE-Compatible CodePeer advanced static analysis tool is an automatic Ada code reviewer and validator that can detect and eliminate errors both during development and retrospectively on existing software (Figure 4). CodePeer can detect a number of the “Top 25 Most Dangerous Software Errors” in the MITRE Corp.’s Common Weakness Enumeration (CWE).
SECURE AUTOMOTIVE SOLUTION
Automotive applications are an area where security and safety concerns intersect. In February, Green Hills Software and automotive technology specialist Tata Elxsi announced their partnership to develop software-driven, highly integrated automotive cockpit solutions. At Embedded World earlier this year, the companies showcased the first result of their cooperation: Tata Elxsi’s eCockpit solution running on Green Hills Software’s safe and secure INTEGRITY real-time operating system (RTOS) and INTEGRITY Multivisor secure virtualization.
The Tata Elxsi eCockpit solution addresses the requirements of a full feature vehicle cockpit, supporting infotainment, instrument cluster, HUD and ADAS functionalities on a single SoC while maintaining the highest levels of safety, security and performance (Figure 5). The demonstration at the show paired Tata’s eCockpit with the Green Hills ASIL-certified INTEGRITY RTOS and its Multivisor secure virtualization architecture to safely and securely consolidate mixed-criticality applications on a single, automotive-grade Renesas R-Car H3 processor.
INTEGRITY Multivisor runs Linux and Android in independent, secure virtualized partitions. Tata Elxsi Infotainment is based on Automotive Android, and the instrument cluster runs on Linux. Infotainment features are shown through a 2D/3D custom HMI on Automotive Android. V2X features are also integrated and displayed on the instrument cluster as warning messages. The Linux guest OS is partitioned using Linux Containers to accommodate subdomains such as ADAS. A separate Linux Container runs Tata Elxsi’s Sensor Fusion ADAS IP over Tata Elxsi’s own Adaptive AUTOSAR. Complete vehicle interface functionality is based on Tata Elxsi’s own classic AUTOSAR 4.3.
The INTEGRITY RTOS microkernel architecture is designed for critical embedded systems demanding proven separation, security and real-time determinism. Its separation architecture helps software teams to safely and securely partition software running at different levels of criticality on the Renesas R-Car H3 processor while guaranteeing applications have the system resources required for their proper execution. This enables safe and secure execution of applications running graphics and multimedia while at the same time ensuring the safe operation of critical functions, such as the tell-tale status and warning lights.
CYBER SECURITY EXPERTISE
Another way that embedded software vendors have been bolstering their security capabilities over the past several months has been by integrating capabilities through acquisitions. In an example along those lines, in January Wind River announced its acquisition of Star Lab, a specialist in cybersecurity for embedded systems. According to Wind River, the acquisition broadens the Wind River software portfolio with a system protection and anti-tamper toolset for Linux, an open source–based hypervisor and a secure boot solution. Star Lab is now a wholly owned subsidiary of Wind River.
With the emergence of ubiquitous connectivity paradigms such as IoT and remotely monitored/autonomously controlled industrial and transportation systems, today’s cyber threat landscape is rapidly evolving, says the company. Central to this evolution is the ease with which a focused and resourced adversary can acquire and reverse engineer deployed embedded systems. In addition to modification or subversion of a single specific device, hands-on physical access also aids an attacker in discovery of remotely-triggerable software vulnerabilities.
Specializing in cyber and anti-tamper security software for Linux, Star Lab provides embedded security for the most mission-critical systems, infrastructure and equipment in the world. Star Lab’s products are founded on a secure-by-design engineering philosophy, leveraging design patterns that reduce attack surface, isolate critical functionality and contain or mitigate even successful attacks.
Star Lab’s products, which are conformant with NIST 800-53 technical controls for federal information systems and consistently pass independent verification/validation testing, include the following:
Security Suite: The suite offers robust Linux cybersecurity and anti-tamper capabilities for operationally deployed Linux systems and distributions.
Embedded Hypervisor: Designed specifically for use in open, hostile computing environments, the Xen-based hypervisor offers a secure open source virtualization solution for embedded mission systems.
Secure Boot: A measured-boot solution ensures that a device’s firmware and boot code are legitimate and have not been maliciously modified or manipulated.
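The measured-boot item above, and the hardware-based root of trust Holmberg refers to earlier, rest on one mechanism: each boot stage is hashed before it runs and the digest is folded into a register whose final value can only be reproduced by the same images in the same order. The script below is an added example that models that mechanism generically, in the style of a TPM extend operation; it is not Star Lab’s Secure Boot product or any vendor’s code, and the “firmware images” it measures are constructed byte strings, not real boot code. Python is used for readability; on a device the same logic lives in ROM or first-stage bootloader code with the register held in tamper-resistant hardware.

```python
"""Measured-boot model: each boot stage is hashed and the digest is folded
('extended') into a PCR-style register before the stage runs; at the end the
register is compared with a golden value recorded at provisioning. Because
extend is a one-way chain, a modified or reordered stage changes the final
value and a later stage cannot mask it."""
import hashlib
import hmac

PCR_BYTES = 32                     # SHA-256 sized register, starts at zero
BOOT_ORDER = ("bootloader", "kernel", "rootfs")

# Constructed stand-ins for firmware images; not real boot code.
GOLDEN_IMAGES = {
    "bootloader": b"BL v1.0 (constructed sample)",
    "kernel":     b"KERNEL v5.4 (constructed sample)",
    "rootfs":     b"ROOTFS 2020-05 (constructed sample)",
}


def measure(image: bytes) -> bytes:
    """Digest of a stage image as it sits in flash."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new = H(old || digest). Order-dependent and one-way."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(images):
    """Measure every stage in boot order (measure-before-execute).
    Returns (final_pcr, event_log) with event_log as (stage, digest) pairs."""
    pcr = bytes(PCR_BYTES)
    log = []
    for stage in BOOT_ORDER:
        digest = measure(images[stage])
        log.append((stage, digest))
        pcr = extend(pcr, digest)
    return pcr, log


def golden_pcr() -> bytes:
    """Value a provisioning step would record for the known-good image set."""
    return measured_boot(GOLDEN_IMAGES)[0]


def replay_log(log) -> bytes:
    """Recompute the register from the event log alone; a remote verifier
    uses this to check that the log and the reported register agree."""
    pcr = bytes(PCR_BYTES)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def verify_boot(images, expected: bytes):
    """Return (ok, log). Constant-time compare so timing does not reveal
    how many leading bytes of the register matched."""
    pcr, log = measured_boot(images)
    return hmac.compare_digest(pcr, expected), log


def first_divergent_stage(log, golden_log):
    """Name the first stage whose measurement differs, or None if identical."""
    for (stage, digest), (_, golden) in zip(log, golden_log):
        if digest != golden:
            return stage
    return None


if __name__ == "__main__":
    expected = golden_pcr()
    ok, good_log = verify_boot(GOLDEN_IMAGES, expected)
    print("untouched images:", "OK" if ok else "MISMATCH")
    # Simulate a modified kernel image (one extra byte appended).
    tampered = dict(GOLDEN_IMAGES, kernel=GOLDEN_IMAGES["kernel"] + b" patched")
    ok, bad_log = verify_boot(tampered, expected)
    print("modified kernel:", "OK" if ok else "MISMATCH",
          "- first divergent stage:", first_divergent_stage(bad_log, good_log))
```

Two design points carry over to real systems: the register is extended before the stage executes, so a stage cannot avoid being measured, and the golden value is compared in constant time. The event log is what gets shipped to an attestation server; `replay_log` shows the check the server performs to confirm the log is consistent with the register it was sent.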
PUBLISHED IN CIRCUIT CELLAR MAGAZINE • MAY 2020 #358