Primer: The top ten automotive cybersecurity vulnerabilities of 2015
TRANSCRIPT
1© 2015 Rogue Wave Software, Inc. All Rights Reserved.
Methodology
Sources: National Vulnerability Database (NVD), MITRE
1. Categorized 8000+ NVD entries from 2015 as embedded or not
2. Filtered to include only those vulnerabilities with an identified CWE
3. Sorted the list and tallied the numbers
Vulnerabilities countdown
10. Cryptographic issues (CWE-310): Weaknesses related to the use of cryptography
Remediation: review design with crypto expert, validate errors are checked, verify non-standard control flow, etc.
9. Numeric errors (CWE-189): Improper calculation or conversion of numbers
Remediation: provide clear bounds, sanity check all calculated variables, detect overflows, etc.
Vulnerabilities countdown
8. Code injection (CWE-94): Improper control of generation of code
Remediation: ensure use of most recent black box components, clean all external data before use, etc.
7. Code weaknesses (CWE-17): Weaknesses introduced during development, including specification, design, and implementation
Remediation: use well-identified coding patterns, create consistent API contracts, identify unclean code, etc.
Vulnerabilities countdown
6. Resource management errors (CWE-399): Improper management of system resources
Remediation: examine assumptions, add C++ wrappers to prevent misused/dangling resources, perform fuzz testing, etc.
5. Improper access control (CWE-284): Software does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor
Remediation: manage privileges carefully, compartmentalize system, use principle of least privilege, etc.
Vulnerabilities countdown
4. Improper input validation (CWE-20): Incorrect or missing validation on input that can affect program’s control flow or data flow
Remediation: assume all data is malicious, check data on both client and server side, use same character encodings, etc.
3. Information exposure (CWE-200): Intentional or unintentional disclosure of information to an actor not explicitly authorized
Remediation: perform weakness analysis, compartmentalize system, perform fuzz testing, etc.
Vulnerabilities countdown
2. Access control (CWE-264): Weaknesses related to the management of permissions, privileges, or other security features
Remediation: perform weakness analysis, examine the granting of access controls, etc.
1. Memory buffer problems (CWE-119): Software can read or write to locations outside of the boundaries of the memory buffer
Remediation: examine all buffer access, use static code analysis, perform fuzz testing, etc.
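An added C example, not from the Rogue Wave deck, showing how the remediation advice for numeric errors (CWE-189: detect overflows, sanity check calculated variables) and memory buffer problems (CWE-119: examine all buffer access) applies to one piece of code. The frame layout, field widths and function names are constructed for illustration; it assumes a GCC/Clang compiler for `__builtin_add_overflow`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed scenario: a frame carries two untrusted 32-bit length fields
 * (header and payload) and the code copies header_len + payload_len bytes
 * into a fixed buffer. Lengths are uint32_t, as on a 32-bit ECU. */

/* Naive check: the sum itself can wrap (CWE-189), so an oversized
 * payload_len passes the "fits in the buffer" test and the following
 * copy runs past the buffer (CWE-119). */
bool fits_naive(uint32_t header_len, uint32_t payload_len, uint32_t cap)
{
    uint32_t total = header_len + payload_len;   /* may wrap around */
    return total <= cap;
}

/* Remediated check: detect the overflow explicitly and bound each term,
 * so the calculated total is only trusted when it is provably correct. */
bool fits_checked(uint32_t header_len, uint32_t payload_len, uint32_t cap)
{
    uint32_t total;
    if (__builtin_add_overflow(header_len, payload_len, &total)) return false;
    return header_len <= cap && payload_len <= cap && total <= cap;
}

/* Copies the frame body into out only after the checked length test.
 * Constructed frame layout: [header_len:4 LE][payload_len:4 LE][body...]
 * Returns the number of bytes copied, or 0 if the frame is rejected. */
size_t copy_frame(const uint8_t *frame, size_t frame_len,
                  uint8_t *out, uint32_t out_cap)
{
    if (frame == NULL || out == NULL || frame_len < 8) return 0;
    uint32_t header_len  = (uint32_t)frame[0] | (uint32_t)frame[1] << 8 |
                           (uint32_t)frame[2] << 16 | (uint32_t)frame[3] << 24;
    uint32_t payload_len = (uint32_t)frame[4] | (uint32_t)frame[5] << 8 |
                           (uint32_t)frame[6] << 16 | (uint32_t)frame[7] << 24;
    if (!fits_checked(header_len, payload_len, out_cap)) return 0;
    uint32_t total = header_len + payload_len;   /* cannot wrap: checked above */
    /* Also compare the declared length against what actually arrived. */
    if (total > frame_len - 8) return 0;
    memcpy(out, frame + 8, total);
    return total;
}
```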
Summary
By the numbers: 87.5%
These vulnerabilities account for nearly 90% of all vulnerabilities in embedded software.
Awareness of the top ten is essential to protecting your systems.
Top four best practices
1. Clean design
2. Methodical process
3. Good tools
4. Careful analysis
For details on all vulnerabilities and fixes:
White paper: http://www.roguewave.com/resources/white-papers/top-automotive-security-vulnerabilities
Webinar: http://www.roguewave.com/events/on-demand-webinars/top-automotive-vulnerabilities-2015
Blog: http://blog.klocwork.com
www.roguewave.com