您希望搜索哪方面的内容?
Embedded Code and Design Review
Improve code quality and identify security vulnerabilities with our embedded code and design review.
Addressing Embedded Code Challenges
Embedded code reviews require specialized techniques due to their integration with hardware. Embedded code, or firmware, is permanently stored in a device's non-volatile memory and executed by its processor or microcontroller to control its functions. It's designed for a particular hardware platform, allowing it to utilize hardware features and optimizations for improved performance and power efficiency. Teams must carefully review and test embedded code to ensure efficient memory usage, reduced execution time, and compatibility with a device's hardware and existing software.
Our embedded code review services, including fuzzing and fault injection simulation, help teams address these challenges. These services streamline workflows and improve code quality, readability, maintainability, and security. With Keysight, you can deliver high-quality products on time and within budget.
Reduce Risk and Improve Quality with an Embedded Code Review
Look to Keysight’s embedded code review experts to help you:
- Catch mistakes and identify potential issues, ensuring that code is consistent, readable, and maintainable.
- Identify security vulnerabilities and facilitate targeted fault injection and side-channel analysis, making a penetration test more efficient and results more accurate.
- Address hardware dependencies by analyzing the hardware architecture so exploitable vulnerabilities aren’t overlooked.
- Ensure embedded code adheres to established standards, guidelines, and regulations; identify gaps in compliance.
- Drive continuous learning among your team and leverage expertise of our security lab analysts with market exposure to thousands of hacks and code problems.
- Uncover areas for improvement by providing a forum to share ideas and identify opportunities to achieve a better security outcome.
Manual Versus Automated Code Review
When deciding between manual and automated code reviews, consider your project needs and available resources. Both methods can be valuable, often working together to improve code quality and security.
Advantages of manual reviews
- Manual embedded code reviews offer a deeper dive, leveraging human expertise to pinpoint potential issues.
- Teams with a strong grasp of the code's context can provide more valuable insights. For instance, market knowledge of Trusted Execution Environments (TEEs) and payment systems can enhance the review process.
- Manual reviews offer flexibility, easily adapting to evolving project needs. They also serve as a valuable check on automated tool results, ensuring accuracy.
Advantages of automated reviews
- Automated embedded code reviews offer speed and efficiency, applying consistent standards across all code.
- They easily scale to handle large codebases and can be an excellent fit for smaller teams or organizations with limited resources.
- Automated reviews provide objective feedback based on predefined rules. However, their effectiveness depends on the quality of the test configuration, especially for embedded code.
Fuzzing Embedded Code to Find and Fix Bugs
Keysight offers fuzzing for embedded code to identify bugs and coding mistakes automatically. You can use our services as a subscription or as a one-off.
Which types of bugs can fuzzing uncover?
- Memory buffer errors
- Data validation issues
- Pointer issues
- Numeric errors
- Concurrency issues
- Bad coding practices
Faced with increasing security regulations, embedded software developers must run automated security tests prior to shipping products. Consequently, various industries and ISO standards advise integrating automated fuzz testing, particularly in sectors that have high quality and security standards — for example, ISO / SAE 21434 and UNECE WP.29 (UN R155 and UN R156).
Fuzzing enables efficient, high code coverage. By generating numerous automated test cases every second and tracking the path taken by the inputs through the code, a fuzzing tool can obtain comprehensive information on code coverage with zero false positives. And it provides inputs that can be used to reproduce the identified bugs, helping developer teams learn from and improve code.
Most fuzzing tools are not equipped to fuzz embedded code, meaning they do not take the hardware that the code runs on into account and therefore may not detect certain bugs. Due to the software integration with hardware architecture, embedded code fuzzers are more challenging to configure and operate. Prioritizing which parts of the code to fuzz requires deep expertise that enables teams to monitor and adapt tests based on coverage progression as well as analyze the impact of test results. Because fuzzers report a high number of results, developer teams also need market knowledge and experience to prioritize bugs that have a higher security impact and demand urgent attention.
Consider fuzzing embedded code with Keysight:
- If you need to meet accreditation or compliance of a product (e.g., R155, R156, ISO 21434).
- If you do not have the time or expertise to configure or install a fuzzing tool. For all automated testing, Keysight will provide the applied test configurations used to deliver the results. This helps customers who integrate fuzzing into their development toolchain to conduct further regression testing themselves after having applied mitigations.
- If you do not have the expertise to perform the test and analyze the results.
- If you want to improve your team’s skills by leveraging third-party expertise.
- If you want a high-coverage code review.
Following is a short list of standards and norms that recommend fuzzing:
Automotive
- ISO 26262: Road Vehicles – Functional Safety
- ISO / SAE 21434: Road Vehicles – Cybersecurity Engineering
- UNECE WP.29 (UN R155 and UN R156): United Nations World Forum for Harmonization of Vehicle Regulations
Healthcare
- UL2900-1 and UL2900-2-1: Healthcare and Wellness Systems – Software Cybersecurity for Network-Connectable Products
General
- ISA / IEC 62443-4-1: Secure Product Development Lifecycle Requirements
- ISO / IEC / IEEE 29119: Software and Systems Engineering – Software Testing
- ISO / IEC 12207: Systems and Software Engineering – Software Life Cycle Processes
- ISO 27001: Information Technology – Security Techniques – Information Security Management Systems
- ISO 22301: Security and Resilience – Business Continuity Management Systems
- NIST (National Institute of Standards and Technology) Special Publication 800-53: Security and privacy controls for federal information systems and organizations
- CERT Secure Coding Standards: Provides guidelines for developing secure software
- CWE (Common Weakness Enumeration): A community-developed list of common software security weaknesses
Fault Injection Simulation to Detect Glitches
Our fault injection simulation helps discover and mitigate security issues in your device or system.
Examples of fault injection manipulation:
- Change program execution flow
- Memory data modification
- Memory dump
- Cryptographic failure
- Cryptographic attacks
- Change security configuration
- Bypass security countermeasures
- Change life-cycle status (open debug interfaces)
Fault injection (FI) is a security testing technique, which involves introducing flaws or faults into a system to evaluate its response. This method helps testers identify issues that might not show up through conventional testing approaches, and evaluate the system’s capacity to handle faults and recover without crashing.
Fault injection testing is widely used in sectors with strict security requirements such as payment and content protection. In a typical FI attack, a device’s security mechanism gets bypassed, also known as “introducing a glitch.” FI is a hardware attack that exploits unsecure practices in software. Developers can employ Fault Injection Simulation to understand how their code will respond when confronted with a glitch, ideally allowing them to make design modifications before deploying their application into production.
FI results are unpredictable, and detecting them later in the design phase or during certification or market acceptance can drive up costs and impact time to market. By simulating a code base for fault injection vulnerabilities, developers can identify problems early and mitigate them.
Consider fault injection simulation with Keysight:
- If you plan to engage in a certification program that includes FI and want to reduce the risk of issues during certification by identifying problems in development.
- If you do not have the time or expertise to configure or install an FI tool. For all automated testing, Keysight will provide the applied test configurations used to deliver the results. This helps customers who integrate an FI tool into their development toolchain to do further regression testing. themselves after having applied mitigations.
- If you do not have the expertise to perform the test and analyze the result.
- If you want to improve your team’s skills by leveraging third-party expertise.
- If you want a high-coverage code review.
Following is a short list of standards and organizations that recommend fault injection:
- Common Criteria
- EMVCo
- FeliCa
- GSMA
- SESIP
- ARM
- PSA
- Global-Platform
- Irdeto
- Nagra
- Verimatrix
- Viaccess-Orca
- Synamedia
- OTT vendors: Netflix, Amazon
- Content creators: MovieLabs
Interested in this service? Reach out to learn more.