Security Guidelines =================== Security best practices for the Nexus Embedded Platform. .. contents:: Table of Contents :local: :depth: 3 Overview -------- Security is critical in embedded systems. This guide covers: * **Input Validation**: Prevent injection attacks * **Memory Safety**: Prevent buffer overflows * **Cryptography**: Secure data and communications * **Access Control**: Protect sensitive resources * **Secure Boot**: Verify firmware integrity * **Update Security**: Secure firmware updates Secure Coding Practices ----------------------- Input Validation ~~~~~~~~~~~~~~~~ **Always Validate Inputs** .. code-block:: c /* Bad: No validation */ void process_data(uint8_t* buffer, size_t length) { memcpy(internal_buffer, buffer, length); /* Overflow! */ } /* Good: Validate inputs */ hal_status_t process_data(const uint8_t* buffer, size_t length) { if (buffer == NULL) { return HAL_ERROR_PARAM; } if (length == 0 || length > MAX_BUFFER_SIZE) { return HAL_ERROR_PARAM; } memcpy(internal_buffer, buffer, length); return HAL_OK; } **Range Checking** .. code-block:: c /* Validate array indices */ hal_status_t set_value(size_t index, uint32_t value) { if (index >= ARRAY_SIZE) { return HAL_ERROR_PARAM; } array[index] = value; return HAL_OK; } **Integer Overflow Checks** .. code-block:: c /* Check for overflow before allocation */ void* safe_alloc(size_t count, size_t size) { if (count > 0 && size > SIZE_MAX / count) { return NULL; /* Would overflow */ } return malloc(count * size); } Buffer Overflow Prevention ~~~~~~~~~~~~~~~~~~~~~~~~~~ **Use Safe String Functions** .. code-block:: c /* Bad: Unsafe string copy */ void copy_string_unsafe(char* dest, const char* src) { strcpy(dest, src); /* Buffer overflow risk! */ } /* Good: Safe string copy */ void copy_string_safe(char* dest, size_t dest_size, const char* src) { if (dest == NULL || src == NULL || dest_size == 0) { return; } strncpy(dest, src, dest_size - 1); dest[dest_size - 1] = '\0'; } **Bounds Checking** .. code-block:: c /* Always check buffer bounds */ hal_status_t write_buffer(uint8_t* buffer, size_t buffer_size, const uint8_t* data, size_t data_size) { if (buffer == NULL || data == NULL) { return HAL_ERROR_PARAM; } if (data_size > buffer_size) { return HAL_ERROR_NO_MEMORY; } memcpy(buffer, data, data_size); return HAL_OK; } Memory Safety ------------- Pointer Safety ~~~~~~~~~~~~~~ **Null Pointer Checks** .. code-block:: c /* Always check pointers */ hal_status_t process_config(const config_t* config) { if (config == NULL) { return HAL_ERROR_PARAM; } /* Use config */ return HAL_OK; } **Avoid Use-After-Free** .. code-block:: c /* Bad: Use after free */ void bad_example(void) { uint8_t* buffer = malloc(256); free(buffer); buffer[0] = 0; /* Use after free! */ } /* Good: Clear pointer after free */ void good_example(void) { uint8_t* buffer = malloc(256); free(buffer); buffer = NULL; /* Prevent use after free */ } **Double-Free Prevention** .. code-block:: c /* Safe free macro */ #define SAFE_FREE(ptr) \ do { \ if (ptr != NULL) { \ free(ptr); \ ptr = NULL; \ } \ } while(0) Stack Protection ~~~~~~~~~~~~~~~~ **Stack Canaries** .. code-block:: c #define STACK_CANARY 0xDEADBEEF void protected_function(void) { uint32_t canary = STACK_CANARY; /* Function code */ /* Check canary */ if (canary != STACK_CANARY) { /* Stack overflow detected */ handle_security_violation(); } } Cryptography ------------ Random Number Generation ~~~~~~~~~~~~~~~~~~~~~~~~ **Use Hardware RNG** .. code-block:: c /* Use hardware random number generator */ uint32_t get_random(void) { /* Enable RNG clock */ RCC->AHB2ENR |= RCC_AHB2ENR_RNGEN; /* Enable RNG */ RNG->CR |= RNG_CR_RNGEN; /* Wait for random data */ while (!(RNG->SR & RNG_SR_DRDY)); return RNG->DR; } **Seed PRNG Properly** .. code-block:: c /* Seed with hardware RNG */ void seed_prng(void) { uint32_t seed = get_random(); srand(seed); } Encryption ~~~~~~~~~~ **AES Encryption** .. code-block:: c /* Encrypt data with AES */ hal_status_t encrypt_data(const uint8_t* plaintext, size_t length, const uint8_t* key, uint8_t* ciphertext) { if (plaintext == NULL || key == NULL || ciphertext == NULL) { return HAL_ERROR_PARAM; } /* Initialize AES */ aes_context_t ctx; aes_init(&ctx, key, AES_KEY_SIZE_256); /* Encrypt */ aes_encrypt(&ctx, plaintext, ciphertext, length); /* Clear sensitive data */ memset(&ctx, 0, sizeof(ctx)); return HAL_OK; } Secure Storage -------------- Key Storage ~~~~~~~~~~~ **Never Hardcode Keys** .. code-block:: c /* Bad: Hardcoded key */ const uint8_t encryption_key[] = { 0x01, 0x02, 0x03, /* ... */ }; /* Good: Load from secure storage */ hal_status_t load_encryption_key(uint8_t* key, size_t key_size) { return secure_storage_read(KEY_ID, key, key_size); } **Clear Sensitive Data** .. code-block:: c /* Clear sensitive data after use */ void process_password(const char* password) { /* Use password */ authenticate(password); /* Clear from memory */ memset((void*)password, 0, strlen(password)); } Secure Boot ----------- Firmware Verification ~~~~~~~~~~~~~~~~~~~~~ **Verify Signature** .. code-block:: c /* Verify firmware signature */ bool verify_firmware(const uint8_t* firmware, size_t length, const uint8_t* signature) { uint8_t hash[32]; /* Calculate firmware hash */ sha256(firmware, length, hash); /* Verify signature */ return rsa_verify(hash, sizeof(hash), signature, public_key); } **Secure Boot Flow** .. code-block:: c void secure_boot(void) { /* Read firmware */ uint8_t* firmware = (uint8_t*)FIRMWARE_ADDRESS; size_t length = get_firmware_length(); /* Read signature */ uint8_t* signature = (uint8_t*)SIGNATURE_ADDRESS; /* Verify firmware */ if (!verify_firmware(firmware, length, signature)) { /* Verification failed */ enter_recovery_mode(); return; } /* Jump to application */ jump_to_application(FIRMWARE_ADDRESS); } Secure Communication -------------------- TLS/SSL ~~~~~~~ **Use TLS for Network Communication** .. code-block:: c /* Establish secure connection */ hal_status_t connect_secure(const char* host, uint16_t port) { tls_context_t ctx; /* Initialize TLS */ tls_init(&ctx); /* Set CA certificate */ tls_set_ca_cert(&ctx, ca_cert, ca_cert_len); /* Connect */ if (tls_connect(&ctx, host, port) != TLS_OK) { return HAL_ERROR; } return HAL_OK; } Access Control -------------- Privilege Separation ~~~~~~~~~~~~~~~~~~~~ **Use MPU for Memory Protection** .. code-block:: c /* Configure MPU region */ void configure_mpu(void) { /* Disable MPU */ MPU->CTRL = 0; /* Configure region 0: Flash (read-only) */ MPU->RBAR = FLASH_BASE | MPU_RBAR_VALID_Msk | 0; MPU->RASR = MPU_RASR_ENABLE_Msk | MPU_RASR_SIZE_512KB | MPU_RASR_AP_RO_RO; /* Configure region 1: RAM (read-write) */ MPU->RBAR = RAM_BASE | MPU_RBAR_VALID_Msk | 1; MPU->RASR = MPU_RASR_ENABLE_Msk | MPU_RASR_SIZE_128KB | MPU_RASR_AP_RW_RW; /* Enable MPU */ MPU->CTRL = MPU_CTRL_ENABLE_Msk; } Security Checklist ------------------ Development Checklist ~~~~~~~~~~~~~~~~~~~~~ ☐ All inputs validated ☐ Buffer bounds checked ☐ No hardcoded secrets ☐ Sensitive data cleared after use ☐ Secure random number generation ☐ Encryption for sensitive data ☐ Firmware signature verification ☐ TLS for network communication ☐ Memory protection enabled ☐ Stack protection enabled Code Review Checklist ~~~~~~~~~~~~~~~~~~~~~ ☐ No buffer overflows ☐ No integer overflows ☐ No format string vulnerabilities ☐ No SQL injection (if applicable) ☐ No command injection ☐ Proper error handling ☐ No information leakage ☐ Secure defaults See Also -------- * :doc:`coding_standards` - Coding standards * :doc:`code_review_guidelines` - Code review * :doc:`testing` - Security testing Summary ------- Key security practices: * **Validate all inputs** * **Prevent buffer overflows** * **Use cryptography correctly** * **Protect sensitive data** * **Verify firmware integrity** * **Use secure communication** * **Implement access control** Security must be considered throughout the development lifecycle.