[Dshield] Embedded Systems Security Best Practices

Tom dshield at oitc.com
Sat Jan 17 22:38:57 GMT 2009

At 5:03 PM -0500 1/17/09, Jon Kibler wrote:
>I have spent most of the day wading through various web sites looking
>for best practices for embedded systems security, particularly for
>hardening embedded Linux systems. There seems to be a dearth of real
>What I have been able to find is:
>   -- some NIST practices that are technology specific (such as RFID);
>   -- some consultants trying to sell documents of their best practices;
>   -- some really weak articles in industry trade pubs;
>   -- some "reprint for sale" academic articles (mostly IEEE);
>   -- a book ("Practical Embedded Security: Building Secure
>Resource-Constrained Systems") that seems to be rather high level, and
>programming and network oriented, rather than systems hardening
>   -- a couple of other books, that also seem to be networking and
>programmer, or theoretical oriented.
>What I am looking for specifically is:
>   -- Hardening and security best practices for embedded Linux,
>   -- Hardening and security best practices for non-Intel embedded
>processors (e.g., ARM, Blackfin, Coldfire, MIPS, PPC, Xscale, etc.).
>Does anyone have any recommendations for embedded systems security best
>practices guidelines/manuals/books/documentation?


I find this a good starting point:


Here are some Linux links.  It really doesn't matter whether it is Linux
on Intel or Linux on ARM, PPC, etc.


Hope this helps,

Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/ local wx: http://www.oitc.com/weather
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com

Never argue with an idiot: a bystander can't tell the difference. - Mark Twain
