HCC Embedded has developed a modular software manager for encryption, designed to provide embedded systems with the foundation for handling security algorithms.
By developing the software through a formal process and exposing its functions through a uniform interface, HCC aims to minimize the security issues an embedded or IoT system will have. Dave Hughes, CEO, contrasts his company's approach with what he calls the “code then test” methods used for a surprising amount of security-related software. He cited the Heartbleed bug as a prime example of how badly things can go wrong when developers do not follow a clearly defined, V-model-based process of the kind required of systems that must meet safety standards such as IEC 61508.
“If you look at the cost to the industry of Heartbleed it must be enormous. Some 500,000 servers were affected. Some companies had board meetings to work out why they were exposed to this problem,” Hughes said.
David Brook, director of marketing at HCC, claimed: “The techniques we use would have caught the source code that caused Heartbleed.”
Brook added that the fix-after-production mentality of enterprise software is unworkable for many embedded systems where a high degree of trust is required, such as medical and smart meters. “Recalls will be seriously problematic for these guys.”
HCC delivers the Embedded Encryption Manager with a full MISRA compliance report and a test suite that includes 100 per cent MC/DC (modified condition/decision coverage), the same kind of coverage analysis used in safety software at the highest assurance levels.
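To make concrete what 100 per cent MC/DC coverage demands, and how it differs from the branch coverage most test suites stop at, here is an added C example. It is not HCC's code: the message-validation decision, its three condition names, the deliberately defective variant and the test vectors are all constructed for illustration. The checker verifies the MC/DC independence property directly: each condition must be shown, by a pair of tests differing only in that condition, to change the decision's outcome on its own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NCOND 3

/* A decision of the kind a record parser makes before copying a payload.
   Hypothetical: the three conditions and their names are constructed. */
typedef bool (*decision_fn)(bool type_ok, bool fits_record, bool under_max);

/* Correct decision: the payload is copied only if every condition holds. */
bool payload_ok(bool type_ok, bool fits_record, bool under_max) {
    return type_ok && fits_record && under_max;
}

/* Defective variant with the record-length check omitted; it ignores
   fits_record entirely.  Present only to show which test exposes the gap. */
bool payload_ok_unchecked(bool type_ok, bool fits_record, bool under_max) {
    (void)fits_record;
    return type_ok && under_max;
}

typedef struct {
    bool cond[NCOND];   /* inputs: type_ok, fits_record, under_max */
    bool expected;      /* outcome demanded by the requirement, not by the code */
} test_case;

/* Minimal MC/DC set for a three-input AND: n+1 = 4 vectors.  Each condition
   is false alone exactly once, so its independent effect is observable. */
const test_case mcdc_suite[] = {
    {{true,  true,  true },  true },
    {{false, true,  true },  false},
    {{true,  false, true },  false},   /* claimed length exceeds the record */
    {{true,  true,  false},  false},
};
const size_t mcdc_suite_len = sizeof mcdc_suite / sizeof mcdc_suite[0];

/* A set that reaches 100 % branch coverage (both outcomes of the decision)
   without demonstrating the independent effect of any single condition. */
const test_case branch_only_suite[] = {
    {{true,  true,  true },  true },
    {{false, false, false},  false},
};
const size_t branch_only_suite_len = sizeof branch_only_suite / sizeof branch_only_suite[0];

static bool eval(decision_fn fn, const bool c[NCOND]) {
    return fn(c[0], c[1], c[2]);
}

/* Runs every case against fn; returns how many produced the expected outcome. */
size_t run_suite(decision_fn fn, const test_case *cases, size_t n) {
    size_t passed = 0;
    for (size_t t = 0; t < n; t++)
        if (eval(fn, cases[t].cond) == cases[t].expected)
            passed++;
    return passed;
}

/* MC/DC independence check: condition i is covered when the suite contains
   two cases that differ only in condition i and yield different outcomes.
   Returns the number of covered conditions; NCOND means 100 % MC/DC. */
size_t mcdc_covered_conditions(decision_fn fn, const test_case *cases, size_t n) {
    size_t covered = 0;
    for (size_t i = 0; i < NCOND; i++) {
        bool found = false;
        for (size_t a = 0; a < n && !found; a++) {
            for (size_t b = a + 1; b < n && !found; b++) {
                bool only_i_differs = cases[a].cond[i] != cases[b].cond[i];
                for (size_t k = 0; k < NCOND; k++)
                    if (k != i && cases[a].cond[k] != cases[b].cond[k])
                        only_i_differs = false;
                if (only_i_differs &&
                    eval(fn, cases[a].cond) != eval(fn, cases[b].cond))
                    found = true;
            }
        }
        if (found)
            covered++;
    }
    return covered;
}

int main(void) {
    printf("correct code:    %zu/%zu pass, %zu/%d conditions MC/DC-covered\n",
           run_suite(payload_ok, mcdc_suite, mcdc_suite_len), mcdc_suite_len,
           mcdc_covered_conditions(payload_ok, mcdc_suite, mcdc_suite_len), NCOND);
    printf("missing check:   %zu/%zu pass, %zu/%d conditions MC/DC-covered\n",
           run_suite(payload_ok_unchecked, mcdc_suite, mcdc_suite_len), mcdc_suite_len,
           mcdc_covered_conditions(payload_ok_unchecked, mcdc_suite, mcdc_suite_len), NCOND);
    printf("branch-only set: %zu/%d conditions MC/DC-covered\n",
           mcdc_covered_conditions(payload_ok, branch_only_suite, branch_only_suite_len), NCOND);
    return 0;
}
```

Two things the run shows. The two-vector set passes both branches of the decision yet covers no condition under MC/DC, which is why branch coverage alone says little about a compound security check. And because the expected outcomes are written down from the requirement rather than read off the code, as the V-model prescribes, the third vector fails against the variant that omits the length check, and the MC/DC report for that variant shows one input with no observable effect on the decision; either signal points a reviewer at the missing condition.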
The company designed the Embedded Encryption Manager to be portable, and every algorithm it encapsulates is accessed by reference through the same interface. Intended for protecting data held in system memory and for securing communications channels, the Encryption Manager can be used with HCC’s TLS implementation and ships with verified software implementations of the AES, 3DES, DSS, EDH, MD5, RSA, SHA1, and SHA256 algorithms.
The software includes hooks for implementing hardware-specific optimizations, and the same verification suite can be rerun to confirm that those optimizations behave correctly.