Embedded devices are suffering from an increasing number of cyberattacks across all industries and products. This trend continues although many developers are already using static code analysis in addition to dynamic testing. In this paper, we identify possible reasons for this trend and propose techniques to address the underlying issues so that the attack resilience of embedded software can be increased. Specifically, we provide guidance on:
- Which vulnerabilities can and cannot be found by static code analysis
- How to control analysis context and setup to find more vulnerabilities
- How to support root cause analysis and reduce false positives in library code
We also discuss how to anticipate unforeseen vulnerabilities in software and hardware.
Our findings are based on a study of over 60 CVEs from industrial and open-source embedded software. Among them are the FreeRTOS vulnerabilities from 2018, of which approximately 80% could have been prevented with advanced use of static code analysis.
This paper was presented at Embedded World Conference 2021.