katong CAN bus chuchu Flashcards
The principle of ____________ means that each user and each task should be given only the minimum level of access—or privileges—necessary to perform its function. This minimizes the risk of malicious activity or damage if an account or process is compromised.
- It aids in forensic analysis since it is useful to log activities to track who did what.
Principle: Least Privilege
Examples of roles that might be assigned privileges in a system (3)
“User,” “Administrator,” and “Factory”
Common Mistakes in Least Privilege Principle (3)
- Make a common task high privilege
- Give everyone the same password
- Make risky operations too easy (no confirmation)
True or False (and why)
Encryption Equal Security
False
- Encryption provides secrecy, but integrity is also required.
- Export controls may be invoked due to encryption.
- Security requirements (for firmware distribution):
- Symmetric key encryption of firmware is a bad idea.
- Public key encryption of firmware addresses secrecy
- Secure signature (Public Key Digest) works well
- Deploy security patches due to possible vulnerabilities in your code or third-party code (like libraries, OS, communications).
- Good practices for secure updates include:
- A bootloader that performs updates with a two-stage process.
- Bootloader checks image public key signatures.
- Consider limited date ranges for key validity.
- Consider hard-coding repository IP addresses.
Secure Update Principles
- attempts to attack system to look for problems
Penetration Testing (“pen test”)
other cybersecurity approaches (4)
- intrusion detection
- monitoring black hat sites
- using honeypot systems
- offering bug bounties (to encourage people to report vulnerabilities)
two categories of code analysis and list two general code quality tools mentioned for code analysis
Static and dynamic code analysis
- Coverity and PC-Lint.
potential problem with code analysis tools
False positives, which are warnings that are not actual vulnerabilities, can be a significant issue with code analysis tools.
___________ is a security-oriented review of source code, where others inspect the code to find and fix potential vulnerabilities before they can be exploited.
Provide an example.
Peer review
The Cert C 98 Coding Standard.
Security Mitigation and Validation
* Good Practices (6)
* Pitfalls (2)
Good practices
- encourage strong but usable passwords
- use fine-grain permissions
- be careful storing password information
- respect limitations of firewall approaches
- use secure update and secure boot
- use more than just penetration testing
Pitfalls:
- thinking security is easy
- using intuition instead of doing your homework
What does CAN in CAN bus stand for?
Who developed the CAN bus and when?
Controller Area Network.
The CAN bus was developed by Bosch in the 1980s.
List at least three characteristics of the CAN bus.
- Supports broadcast and multicast communication
- low cost
- deterministic resolution of the contention
- priority-based arbitration
What industries use the CAN bus standard?
Automotive, but also in automation, factory control, avionics, and medical equipment.
physical connection used by the CAN bus
Simple, two differential (copper) wire connection
