Threat Models

Threat modeling is the process of identifying and mitigating potential threats and risks to your system in order to reduce its vulnerability to compromise and attack. A good threat model considers each threat during the design phase of a system to ensure that appropriate countermeasures are built into the system.

Threats and risks to embedded systems might include system takeover by remote control or critical data extraction to render a system inoperable. A design that takes these risks into account reduces the attack surface and limits the damage that can be done in the case of an attack.

Example of how to mitigate against a specific threat

A denial-of-service (DoS) attack intentionally renders a service or device unavailable. For example, a smurf attack is a type of distributed DoS attack in which an attacker sends a series of broadcast Internet Control Message Protocol (ICMP) echo requests with a spoofed return address to a network. Many nodes on the network receive the broadcast ICMP request and each responds to the spoofed return address, which in this case is the target of the DoS attack.

In this way, a single request from the attacker is amplified by the nodes on the network, resulting in a massive flood of responses from many systems. Your system could be participating in the attack on someone else's system even though you are not intentionally attacking it. The system whose address was spoofed is left vulnerable to denial of service, depending on the number of responses it receives.

To mitigate this specific vulnerability, use the sysctl utility to disable responses to broadcast pings from your system. This may not slow down or thwart the attacker, but it denies amplification of the attacker's broadcast requests by your node and opts you out of participating in the attack.

# sysctl -w net.inet.icmp.bmcastecho=0
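Two checks a defender can run around the mitigation above, written as an added example rather than code from the original documentation: the first parses tcpdump-style ICMP summaries (constructed sample lines, not a real capture) to find echo requests aimed at the subnet's broadcast address and to spot the reply fan-out toward a single spoofed victim; the second parses the output of the sysctl command to confirm that net.inet.icmp.bmcastecho is actually 0. The 192.0.2.0/24 subnet, the 203.0.113.7 victim address and the reply-count threshold are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed tcpdump-style ICMP summaries (not a real capture).
# Format: "<src> > <dst>: ICMP echo request|reply"
SAMPLE_LINES = [
    "203.0.113.7 > 192.0.2.255: ICMP echo request",  # spoofed source, broadcast destination
    "192.0.2.10 > 203.0.113.7: ICMP echo reply",      # local nodes answering the broadcast...
    "192.0.2.11 > 203.0.113.7: ICMP echo reply",
    "192.0.2.12 > 203.0.113.7: ICMP echo reply",
    "192.0.2.13 > 203.0.113.7: ICMP echo reply",      # ...and flooding the spoofed victim
    "192.0.2.20 > 192.0.2.10: ICMP echo request",     # ordinary unicast ping, benign
    "192.0.2.10 > 192.0.2.20: ICMP echo reply",
]

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local subnet


def parse_line(line):
    """Return (src, dst, kind) for one summary line, or None if it is not ICMP echo traffic."""
    try:
        hosts, kind = line.split(": ICMP ", 1)
        src, dst = hosts.split(" > ")
    except ValueError:
        return None
    return ipaddress.ip_address(src.strip()), ipaddress.ip_address(dst.strip()), kind.strip()


def find_broadcast_echo_requests(lines, net=LOCAL_NET):
    """Echo requests addressed to the subnet broadcast address.

    These are exactly the packets that net.inet.icmp.bmcastecho=0 stops the
    local node from answering, so seeing them is expected; answering them is not.
    """
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, kind = parsed
        if kind == "echo request" and dst == net.broadcast_address:
            hits.append((str(src), str(dst)))
    return hits


def reply_fanout(lines, threshold=3):
    """Map each reply destination to the number of distinct responders.

    A destination receiving echo replies from many local hosts at once is the
    amplification victim described in the text; the threshold is an assumption.
    """
    responders = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, kind = parsed
        if kind == "echo reply":
            responders[str(dst)].add(str(src))
    return {victim: len(hosts) for victim, hosts in responders.items() if len(hosts) >= threshold}


def bmcastecho_enabled(sysctl_output):
    """Parse `sysctl net.inet.icmp.bmcastecho` output.

    Accepts both the "name = value" and the "name: value" output styles.
    Returns True if the node still answers broadcast pings, False if the
    mitigation is in place, None if the setting is absent from the output.
    """
    for line in sysctl_output.splitlines():
        for sep in ("=", ":"):
            key, found, value = line.partition(sep)
            if found and key.strip() == "net.inet.icmp.bmcastecho":
                return value.strip() != "0"
    return None


if __name__ == "__main__":
    print("broadcast echo requests:", find_broadcast_echo_requests(SAMPLE_LINES))
    print("reply fan-out above threshold:", reply_fanout(SAMPLE_LINES))
    print("still answering broadcast pings:", bmcastecho_enabled("net.inet.icmp.bmcastecho = 1"))
```

Feed `bmcastecho_enabled` the text of `sysctl net.inet.icmp.bmcastecho` after applying the setting; a result of False confirms the node has opted out of acting as an amplifier, and the fan-out check lets a network monitor notice the same pattern on segments where other nodes have not.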

Threat modeling for embedded systems

Mitigating the risks associated with embedded systems connecting to other systems should include at least the following countermeasures:

Vulnerabilities for embedded systems

The following table lists some of the known classes of embedded systems vulnerabilities:

Class                                    Example
-----                                    -------
Removable media                          Exploited firmware update paths
Intermodule communication intercepts     Insufficient authorization
Man-in-the-middle attacks                Buffer overflows and unsafe use of functions like strcpy()
Third party applications and malware     Improper application sandboxing and OS level privileges
Compromised back-end                     More traditional attack