Embedded systems vulnerability analysis
Vulnerability analysis of low-level software has long been applied to traditional computer systems (such as desktop computers), but only recently to critical embedded systems such as real-time avionics on-board computers or the Electronic Control Units (ECUs) embedded in most modern vehicles. Such analysis is motivated by current trends in software development and integration in these industrial domains: cost reduction, increasing use of COTS software, and increasing connectivity of critical embedded systems to other, untrusted systems. Our research aims to develop a Security for Safety approach that identifies potential vulnerabilities whose exploitation could have serious consequences for the safety of critical embedded systems such as those in aircraft or cars. The proposed approach has two parts. The first identifies the classes of vulnerabilities that affect the targeted system. The second provides a methodology for analyzing these vulnerabilities while the system is still under development, rather than after deployment. As an example, we have defined a taxonomy of attacks on aerospace onboard systems that distinguishes two main classes, according to whether the attack targets the core functions of the computing system or its fault tolerance mechanisms [DDAN12].
The same approach is also investigated to support vulnerability analysis in home-network equipment connected to the Internet. In particular, we are currently analyzing and comparing the security mechanisms implemented in French ADSL boxes.
These studies are carried out jointly with Airbus, Renault and Thales.
Publications
[DDAN12] A. Dessiatnikoff, Y. Deswarte, E. Alata, V. Nicomette: Potential attacks on onboard aerospace systems. IEEE Security & Privacy, July/August 2012: 71-74