Addressing IoT impact on software engineering

Manufacturers need to carefully evaluate the cyber threats and the level of exposure of IoT devices. New levels of software integrity can only be achieved if teams can eliminate both accidental coding errors and intentional design-in vulnerabilities, through efficient analysis techniques suitable for the typical highly complex applications of today.


By Bill Graham, GrammaTech              Download PDF version of this article


Powered by the forces of the cloud, connected endpoints, wireless technologies, and big data, the Internet of Things (IoT) evolution is forming a perfect storm for software engineering teams. This single, transformative force is bigger than anything in the history of tech industry, fueling an unparalleled consumer-oriented features race, expected to advance at an incredible rate over the next decade.

And why not? Vendors are racing to claim a piece of the predicted 8.9 trillion dollar IoT market by 2020, made up of more than 50 billion IoT devices spanning nearly all markets – automotive, energy/utilities, home appliance, consumer electronics, medical, education, manufacturing, and more. Although exciting to consumers and businesses alike, this race for IoT dominance also brings a significant dark side as embedded applications open communication to send and receive data between networks and other applications that may not always be known or friendly.

Figure 1. CodeSonar has been proven to provide the deepest static analysis, finding more critical defects than any other static analysis tool on the market

 

Current manufactures are still developing products using old and entrenched supply chain, engineering, and QA processes that weren’t designed for the complexities of  highly-connected smart devices today. Engineering teams are utilizing a progressively diverse set of suppliers and relying on third-party software to save time while trying to satisfy the business and market thirst for IoT demands. Unfortunately, many software development teams treat security in much the same way they have in the past, running only basic checks, if any, during their QA cycle.

This confluence of drivers – the lack of a security-first engineering philosophy, the increased use of third party software, and the continually growing time-to-market pressures from business executives complacent about IoT security – will continue to put software engineers in an ever-increasing tough spot, ripe for cyber criminals and nation states looking to exploit these connected devices and networks. These software vulnerabilities have already put consumer safety and privacy at risk, increasing corporate liabilities, eroding trust, and in some cases, shutting down critical public and industry services.

The fact of the matter is that today smart devices are anything but smart. One recent study found that 70% of the top 10 IoT smart devices are vulnerable to exploitation. The daily onslaught of news reports regarding new devices, appliances, and systems that have been hacked, includes stories that are quite terrifying, such as hackers remotely taking control of an automobile through its wireless hot spot connection and successfully commanding brakes and other critical systems.

And unlike typical server applications that are housed in secured facilities with restricted access and controlled network connections, IoT devices (and their applications) are easily compromised. Allowing unprecedented time and access to isolate, reverse-engineer and repeatedly stress test for weaknesses. The reality of this is that if software engineers are unwilling or unable to find the cracks in their applications, someone else will. Possibly with bad intent.

Figure 2. Taint Analysis allows to visualize notoriously hard-to-find tainted data pathways as an overlay on the code or superimposed on a graphical visualization of the program.

 

So how do we evolve manufacturing processes to better protect our next-generation IoT devices? First, it starts with a sound plan that includes next-generation software assurance and a security first methodology. Teams need to rethink how they deliver software quickly – with security, safety, and quality in mind from design to deployment. However, rethinking should not be restarting. For example, trying to train every developer in the tactics hackers might use to exploit their software is not only impractical, but very time consuming. To do this successfully, teams should leverage the best tools available that help them analyze the software they are developing looking for problems that IoT presents – including both in-house source and third-party binary code.

As IoT applications become more feature-rich, with additional elements of internet-connectivity and device intelligence, the risks of built-in security vulnerabilities are increasing. Despite this trend, awareness of the risks associated with insecure code is still low among IoT developers and QA teams, and not a priority with most management teams.

Modern static-analysis tools are popular because they have proven to be effective, they are simple to introduce, and they can be used by development, QA, and security audit teams. Furthermore, in contrast to traditional dynamic testing, the code analyzed is never executed, so there is no additional test case development overhead and static analysis can be applied very early in the development process.

When programmers use static analysis as soon as code is written, bugs and security vulnerabilities can be found and eliminated even before the unit testing or integration testing phases begin. The earlier a defect is found, the cheaper it is to fix; this cost saving is a major advantage of automated static analysis.

Fortunately, static-analysis tools for source and binary have the ability to detect vulnerabilities before products are shipped, dramatically reducing security threats and corporate exposures that cost organizations several millions of dollars.

We’ve seen this numerous times in the recent news – with Toyota’s unintended acceleration issue (estimated $3 billion in costs), in addition to the brand’s first black eye; potential safety hazards with Jeep’s recently-hacked Uconnect vulnerability, affecting over 470,000 vehicles; and the several SCADA systems recently hacked, most notably the Stuxnet exploitation, used to attack and destroy industrial equipment.

It’s simply unacceptable, and more importantly, easily avoidable, for development teams to not implement proper checks for security, reliability and hacking today. The added level of software assurance, which CodeSonar provides, can be easily deployed for the cost of a developer’s morning coffee and a scone.

Over the last few years, third-party code has moved from a minor factor in software development to a dominant force in the industry. It is now used throughout software development in all applications, from highly sensitive government applications to security-intensive financial systems to safety-critical applications to consumer and mobile applications.

According to the latest report from VDC Research, the majority of software that runs on embedded devices is now developed by external sources, not in-house development teams. Some of this is open-source, but in embedded applications, nearly 30% of code is third-party commercial software – so the source is often unavailable. Such components include graphics toolkits, cryptography libraries, and communications middleware (network, USB, Bluetooth), which make up nearly 70% of the common embedded attack vectors.

GrammaTech, leveraging over 10 years of collaborative research, has developed a binary analysis capability to examine third-party code without requiring access to source code. This capability is fully integrated within our proven static analysis tool, CodeSonar, the first and only commercially-available binary analysis product.

Figure 3. Due to the ever-rising amount of third-party code, strict check of third-party binaries is required. To realize this CodeSonar integrates binary code analysis.

 

CodeSonar’s binary analysis technology provides developers with the ability to evaluate, check, and inspect third-party code, and provides businesses with more options within their supply chain, enabling them to utilize software from new, innovative companies that might not have an established reputation. When source code is available, you can use CodeSonar in mixed source/binary mode, analyzing your complete application.

The days of developing a standalone application are gone – the Internet of Everything has rapidly forced manufacturers to rethink how their products will support connected economy today, and changed the threat landscape forever. Nowadays reality is that there are educated attackers whose sole function is to break into IoT systems for many reasons, including fun, intellectual stimulation, profit, or worse, offensive attacks and terrorism. Today software development teams must adopt a robust secure design lifecycle, giving them the insights and capability to get it right first, to prevent these attackers from having a chance at breaking in. A general rule of thumb for teams to follow involves an end-to-end threat assessment (from a third-party audit team), security optimized designs, and security-scanning tools, of source and binaries.

The Internet of Things is a paradigm that is impacting our daily life – for good and bad – today. IoT software needs security by design; for this reason, it must be a business imperative. Manufacturers must carefully evaluate the cyber threats and the level of exposure of IoT devices, implementing all the necessary design checks and countermeasures to respond to an accelerating set of menaces. GrammaTech was founded 26 years ago, with a firmly-grounded purpose to help organizations develop tomorrow’s software. Given the ever-increasing dependence of software in today’s connected world, our experts are focusing on solving the most challenging software issues through a thorough portfolio of software and security assurance solutions. IoT is here, it is our responsibility to ensure our software is ready for it.


Related


Give Your Product a Voice with Alexa

Join us for a deep dive into the system architecture for voice-enabled products with Alexa Built-In. Device makers can use the Alexa Voice Service (AVS) to add conversational AI to a variety of produc...

The two big traps of code coverage

Code coverage is important, and improving coverage is a worthy goal. But simply chasing the percentage is not nearly so valuable as writing stable, maintainable, meaningful tests. By Arthur Hick...

Securing the smart and connected home

With the Internet of Things and Smart Home technologies, more and more devices are becoming connected and therefore can potentially become entry points for attackers to break into the system to steal,...

Accurate and fast power integrity measurements

Increasing demands on power distribution networks have resulted in smaller DC rails, as well as a proliferation of rails that ensure clean power reaches the pins of integrated circuits. Measuring r...

 

nVent Schroff at Embedded World 2019

The theme of the nVent Schroff booth at Embedded World 2019 was “Experience Expertise – Modularity, Performance, Protection and Design”. Join us as our experts give an overview of th...


Garz & Fricke Interview at Embedded World 2019 with Dr. Arne Dethlefs: We are strengthening our presence in North America

Through its US subsidiary, located in Minnesota, Garz & Fricke is providing support for its growing HMI and Panel-PC business in the USA and Canada while also strengthening its presence in North A...


SECO's innovations at embedded world 2019

In a much larger stand than in previous years, at embedded world 2019 SECO showcases its wide range of solutions and services for the industrial domain and IoT. Among the main innovations, in this vid...


Design and Manufacturing Services at Portwell

Since about two years Portwell is part of the Posiflex Group. Together with KIOSK, the US market leader in KIOSK systems, the Posiflex Group is a strong player in the Retail, KIOSK and Embedded market...


Arrow capabilities in design support

Florian Freund, Engineering Director DACH at Arrow Electronics talks us through Arrow’s transformation from distributor to Technology Platform Provider and how Arrow is positioned in both, Custo...


Arm launches PSA Certified to improve trust in IoT security

Arm’s Platform Security Architecture (PSA) has taken a step forward with the launch of PSA Certified, a scheme where independent labs will verify that IoT devices have the right level of securit...


DIN-Rail Embedded Computers from MEN Mikro

The DIN-Rail system from MEN is a selection of individual pre-fabricated modules that can variably combine features as required for a range of embedded Rail Onboard and Rail Wayside applications. The ...


Embedded Graphics Accelerates AI at the Edge

The adoption of graphics in embedded and AI applications are growing exponentially. While graphics are widely available in the market, product lifecycle, custom change and harsh operating environments...


ADLINK Optimizes Edge AI with Heterogeneous Computing Platforms

With increasing complexity of applications, no single type of computing core can fulfill all application requirements. To optimize AI performance at the edge, an optimized solution will often employ a...


Synchronized Debugging of Multi-Target Systems

The UDE Multi-Target Debug Solution from PLS provides synchronous debugging of AURIX multi-chip systems. A special adapter handles the communication between two MCUs and the UAD3+ access device and pr...


Smart Panel Fulfills Application Needs with Flexibility

To meet all requirement of vertical applications, ADLINK’s Smart Panel is engineered for flexible configuration and expansion to reduce R&D time and effort and accelerate time to market. The...


Artificial Intelligence

Morten Kreiberg-Block, Director of Supplier & Technology Marketing EMEA at Arrow Electronics talks about the power of AI and enabling platforms. Morten shares some examples of traditional designin...


Arrow’s IoT Technology Platform – Sensor to Sunset

Andrew Bickley, Director IoT EMEA at Arrow Electronics talks about challenges in the IoT world and how Arrow is facing those through the Sensor to Sunset approach. Over the lifecycle of the connected ...


AAEON – Spreading Intelligence in the connected World

AAEON is moving from creating the simple hardware to creating the great solutions within Artificial Intelligence and IoT. AAEON is offering the new solutions for emerging markets, like robotics, drone...


Arrow as a Technology Provider drive Solutions selling approach

Amir Sherman, Director of Engineering Solutions & Embedded Technology at Arrow Electronics talks about the transition started couple of years ago from a components’ distributor to Technology...


Riding the Technology wave

David Spragg, VP, Engineering – EMEA at Arrow Electronics talks about improvements in software and hardware enabling to utilize the AI capabilities. David shares how Arrow with its solutions is ...


ASIC Design Services explains their Core Deep Learning framework for FPGA design

In this video Robert Green from ASIC Design Services describes their Core Deep Learning (CDL) framework for FPGA design at electronica 2018 in Munich, Germany. CDL technology accelerates Convolutional...


Microchip explains some of their latest smart home and facility solutions

In this video Caesar from Microchip talks about the company's latest smart home solutions at electronica 2018 in Munich, Germany. One demonstrator shown highlights the convenience and functionalit...


Infineon explains their latest CoolGaN devices at electronica 2018

In this video Infineon talks about their new CoolGaN 600 V e-mode HEMTs and GaN EiceDRIVER ICs, offering a higher power density enabling smaller and lighter designs, lower overall system cost. The nor...


Analog Devices demonstrates a novel high-efficiency charge pump with hybrid tech

In this video Frederik Dostal from Analog Devices explains a very high-efficiency charge-pump demonstration at their boot at electronica 2018 in Munich, Germany. Able to achieve an operating efficienc...