Slide 1
© 2015 Rogue Wave Software, Inc. All Rights Reserved.
Primer: The top ten automotive cybersecurity vulnerabilities of 2015
Slide 2
Methodology
National Vulnerability Database
MITRE
Categorized 8000+ NVD entries from 2015 as embedded or not
Filtered to include only those vulnerabilities with an identified CWE
Sorted list and tallied numbers
Slide 3
Vulnerabilities countdown
10. Cryptographic issues
CWE-310: Weaknesses related to the use of cryptography
Remediation: review design with crypto expert, validate errors are checked, verify non-standard control flow, etc.
9. Numeric errors
CWE-189: Improper calculation or conversion of numbers
Remediation: provide clear bounds, sanity check all calculated variables, detect overflows, etc.
Slide 4
Vulnerabilities countdown
8. Code injection
CWE-94: Improper control of generation of code
Remediation: ensure use of most recent black box components, clean all external data before use, etc.
7. Code weaknesses
CWE-17: Weaknesses introduced during development, including specification, design, and implementation
Remediation: use well-identified coding patterns, create consistent API contracts, identify unclean code, etc.
Slide 5
Vulnerabilities countdown
6. Resource management errors
CWE-399: Improper management of system resources
Remediation: examine assumptions, add C++ wrappers to prevent misused/dangling resources, perform fuzz testing, etc.
5. Improper access control
CWE-284: Software does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor
Remediation: manage privileges carefully, compartmentalize system, use principle of least privilege, etc.
Slide 6
Vulnerabilities countdown
4. Improper input validation
CWE-20: Incorrect or missing validation on input that can affect program's control flow or data flow
Remediation: assume all data is malicious, check data on both client and server side, use same character encodings, etc.
3. Information exposure
CWE-200: Intentional or unintentional disclosure of information to an actor not explicitly authorized
Remediation: perform weakness analysis, compartmentalize system, perform fuzz testing, etc.
Slide 7
Vulnerabilities countdown
2. Access control
CWE-264: Weaknesses related to the management of permissions, privileges, or other security features
Remediation: perform weakness analysis, examine the granting of access controls, etc.
1. Memory buffer problems
CWE-119: Software can read or write to locations outside of the boundaries of the memory buffer
Remediation: examine all buffer access, use static code analysis, perform fuzz testing, etc.
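The remediation the deck gives for numeric errors (CWE-189) and memory buffer problems (CWE-119), clear bounds, overflow detection and bounded buffer access, shown in C as an added example that is not code from the deck or from Rogue Wave. The length-prefixed frame, FRAME_MAX and all function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: a fixed-size frame buffer an ECU parser might fill
   from a length-prefixed message. FRAME_MAX is hypothetical. */
#define FRAME_MAX 64

typedef struct { uint8_t data[FRAME_MAX]; size_t len; } frame_t;

/* CWE-189: count*width is computed in int and truncated to 16 bits, so
   count=256, width=256 wraps to 0 and the size check wrongly passes; a copy
   sized from the real product would then overrun data[] (CWE-119). */
bool payload_fits_weak(uint16_t count, uint16_t width) {
    uint16_t total = (uint16_t)(count * width);
    return total <= FRAME_MAX;
}

/* Hardened: reject degenerate sizes, prove the product cannot overflow
   before computing it, then enforce the explicit buffer bound. */
bool payload_fits_safe(uint16_t count, uint16_t width) {
    if (count == 0 || width == 0) return false;
    if (count > SIZE_MAX / width) return false;   /* product would overflow */
    return (size_t)count * width <= FRAME_MAX;
}

/* Every buffer access is bounded on both destination and source. */
bool frame_fill(frame_t *f, const uint8_t *src, size_t src_len,
                uint16_t count, uint16_t width) {
    if (!payload_fits_safe(count, width)) return false;
    size_t total = (size_t)count * width;   /* cannot wrap: checked above */
    if (total > src_len) return false;      /* never read past the source */
    memcpy(f->data, src, total);
    f->len = total;
    return true;
}

/* Runs frame_fill on a constructed 128-byte counting pattern. Returns bytes
   copied, or 0 if the frame was rejected or the copy does not match. */
size_t fill_sample(uint16_t count, uint16_t width) {
    uint8_t src[128];
    frame_t f = {{0}, 0};
    for (size_t i = 0; i < sizeof src; i++) src[i] = (uint8_t)i;
    if (!frame_fill(&f, src, sizeof src, count, width)) return 0;
    return f.data[f.len - 1] == src[f.len - 1] ? f.len : 0;
}
```

The weak check accepts count=256, width=256 because the product wraps to 0, while the hardened check rejects it and only ever copies a length it has already proven fits the buffer.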
Slide 8
Summary
Slide 9
By the numbers
87.5%
These vulnerabilities account for nearly 90% of all vulnerabilities in embedded software.
Awareness of the top ten is essential to protecting your systems.
Slide 10
Top four best practices
1. Clean design
2. Methodical process
3. Good tools
4. Careful analysis
Slide 11
For details on all vulnerabilities and fixes:
White paper: http://www.roguewave.com/resources/white-papers/top-automotive-security-vulnerabilities
Webinar: http://www.roguewave.com/events/on-demand-webinars/top-automotive-vulnerabilities-2015
Blog: http://blog.klocwork.com
www.roguewave.com