Rijnard van Tonder (MEng).

Threat Modeling and Threat Mitigation of Embedded Device Software

Topic

Exploitation of software vulnerabilities are largely responsible for the compromise of devices, whether servers, personal computers, or embedded devices. Embedded devices in particular introduce unique challenges in terms of securing software. Software developers often neglect secure programming practices when it comes to embedded devices, and instead rely implicitly on security by obscurity. The notion that “someone will never try to do that” drive developers to focus on a rapid software release cycle without giving due attention to the security implications of the software.

While vulnerability research and discovery is prevalent in fully-fledged operating systems, embedded system security has yet to receive the attention it warrants. The increased ubiquity of embedded devices in the last 5 years have spurred security researchers to explore new ways of compromising embedded devices — and that to great (and concerning) effect. For example, it has been demonstrated that IP phones could be compromised, giving the ability to listen in on office conversations.

This research is concerned with modeling and mitigating threats posed by embedded device software, specifically focused on set-top box devices. In this context, a company may issue a set-top box with the intention of restricting access to certain parts of the set-top box’s software-driven operation. Preserving the integrity of the conditional access model on these devices is critical to its intended purpose. By probing for vulnerabilities, and evaluating the threats thereof, this research should provide some valuable insights relevant to embedded security.

Personal

I’m interested in all areas of InfoSec (read “I like breaking things”), whether it be Web App Security, Mobile Security, System Security, etc. I also enjoy learning new programming languages and their internals. I’m an advocate of functional programming. When my fingers are detached from a keyboard, I sometimes find them playing the piano. Good food puts a smile on my face :)

My contact details: rvantonder@ml.sun.ac.za