awesome embedded and iot security init
This commit is contained in:
Peter Weidenbach
commit
f854dba337
|
|
@ -0,0 +1,2 @@
|
|||
* text=auto
|
||||
readme.md merge=union
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
.project
|
||||
.yo-rc.json
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
language: node_js
|
||||
node_js:
|
||||
- 'node'
|
||||
# git:
|
||||
# depth: false
|
||||
|
|
@ -0,0 +1,74 @@
|
|||
# Contributor Covenant Code of Conduct
|
||||
|
||||
## Our Pledge
|
||||
|
||||
In the interest of fostering an open and welcoming environment, we as
|
||||
contributors and maintainers pledge to making participation in our project and
|
||||
our community a harassment-free experience for everyone, regardless of age, body
|
||||
size, disability, ethnicity, gender identity and expression, level of experience,
|
||||
nationality, personal appearance, race, religion, or sexual identity and
|
||||
orientation.
|
||||
|
||||
## Our Standards
|
||||
|
||||
Examples of behavior that contributes to creating a positive environment
|
||||
include:
|
||||
|
||||
* Using welcoming and inclusive language
|
||||
* Being respectful of differing viewpoints and experiences
|
||||
* Gracefully accepting constructive criticism
|
||||
* Focusing on what is best for the community
|
||||
* Showing empathy towards other community members
|
||||
|
||||
Examples of unacceptable behavior by participants include:
|
||||
|
||||
* The use of sexualized language or imagery and unwelcome sexual attention or
|
||||
advances
|
||||
* Trolling, insulting/derogatory comments, and personal or political attacks
|
||||
* Public or private harassment
|
||||
* Publishing others' private information, such as a physical or electronic
|
||||
address, without explicit permission
|
||||
* Other conduct which could reasonably be considered inappropriate in a
|
||||
professional setting
|
||||
|
||||
## Our Responsibilities
|
||||
|
||||
Project maintainers are responsible for clarifying the standards of acceptable
|
||||
behavior and are expected to take appropriate and fair corrective action in
|
||||
response to any instances of unacceptable behavior.
|
||||
|
||||
Project maintainers have the right and responsibility to remove, edit, or
|
||||
reject comments, commits, code, wiki edits, issues, and other contributions
|
||||
that are not aligned to this Code of Conduct, or to ban temporarily or
|
||||
permanently any contributor for other behaviors that they deem inappropriate,
|
||||
threatening, offensive, or harmful.
|
||||
|
||||
## Scope
|
||||
|
||||
This Code of Conduct applies both within project spaces and in public spaces
|
||||
when an individual is representing the project or its community. Examples of
|
||||
representing a project or community include using an official project e-mail
|
||||
address, posting via an official social media account, or acting as an appointed
|
||||
representative at an online or offline event. Representation of a project may be
|
||||
further defined and clarified by project maintainers.
|
||||
|
||||
## Enforcement
|
||||
|
||||
Instances of abusive, harassing, or otherwise unacceptable behavior may be
|
||||
reported by contacting the project team at firmware-security@fkie.fraunhofer.de. All
|
||||
complaints will be reviewed and investigated and will result in a response that
|
||||
is deemed necessary and appropriate to the circumstances. The project team is
|
||||
obligated to maintain confidentiality with regard to the reporter of an incident.
|
||||
Further details of specific enforcement policies may be posted separately.
|
||||
|
||||
Project maintainers who do not follow or enforce the Code of Conduct in good
|
||||
faith may face temporary or permanent repercussions as determined by other
|
||||
members of the project's leadership.
|
||||
|
||||
## Attribution
|
||||
|
||||
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
|
||||
available at [http://contributor-covenant.org/version/1/4][version]
|
||||
|
||||
[homepage]: http://contributor-covenant.org
|
||||
[version]: http://contributor-covenant.org/version/1/4/
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
# Contribution Guidelines
|
||||
|
||||
Please note that this project is released with a
|
||||
[Contributor Code of Conduct](code-of-conduct.md). By participating in this
|
||||
project you agree to abide by its terms.
|
||||
|
||||
## Making Changes
|
||||
|
||||
You want something to be added? Just make a pull request or open an issue.
|
||||
You want something to be removed? Open an issue and explain why something should be removed.
|
||||
|
||||
Thank you for your suggestions!
|
||||
|
||||
|
||||
## Updating your PR
|
||||
|
||||
A lot of times, making a PR adhere to the standards above can be difficult.
|
||||
If the maintainers notice anything that we'd like changed, we'll ask you to
|
||||
edit your PR before we merge it. There's no need to open a new PR, just edit
|
||||
the existing one. If you're not sure how to do that,
|
||||
[here is a guide](https://github.com/RichardLitt/knowledge/blob/master/github/amending-a-commit-guide.md)
|
||||
on the different ways you can update your PR so that we can merge it.
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
{
|
||||
"scripts": {
|
||||
"test": "awesome-lint"
|
||||
},
|
||||
"devDependencies": {
|
||||
"awesome-lint": "*"
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,95 @@
|
|||
# Awesome Embedded and IoT Security [](https://awesome.re)
|
||||
|
||||
> A curated list of resources about embedded and IoT security. The list contains software and hardware tools, books, research papers and more.
|
||||
|
||||
|
||||
## Contents
|
||||
|
||||
- [Software Tools](#software-tools)
|
||||
- [Analysis Frameworks](#analysis-frameworks)
|
||||
- [Analysis Tools](#analysis-tools)
|
||||
- [Extraction Tools](#extraction-tools)
|
||||
- [Hardware Tools](#hardware-tools)
|
||||
- [Books](#books)
|
||||
- [Research Papers](#research-papers)
|
||||
- [Case Studies](#case-studies)
|
||||
- [Websites](#websites)
|
||||
- [Conferences](#conferences)
|
||||
|
||||
## Software Tools
|
||||
Software Tools for analyzing embedded firmware images.
|
||||
|
||||
### Analysis Frameworks
|
||||
|
||||
- [FACT - The Firmware Analysis and Comparison Tool](https://fkie-cad.github.io/FACT_core/) - Full featured static analysis framework including extraction of firmware, analysis utilizing different plug-ins and comparison of different firmware versions.
|
||||
- [EXPLIoT](https://gitlab.com/expliot_framework/expliot) - Pentest framework like Metasploit but specialized for IoT.
|
||||
|
||||
### Analysis Tools
|
||||
|
||||
- [Binwalk](https://github.com/ReFirmLabs/binwalk) - Searches a binary for "interesting" stuff.
|
||||
- [Firmadyne](https://github.com/firmadyne/firmadyne) - Tries to emulate and pentest a firmware.
|
||||
- [firmwalker](https://github.com/craigz28/firmwalker) - Searches extracted firmware images for interesting files and information.
|
||||
- [Trommel](https://github.com/CERTCC/trommel) - Searches extracted firmware images for interesting files and information.
|
||||
|
||||
### Extraction Tools
|
||||
|
||||
- [Binwalk](https://github.com/ReFirmLabs/binwalk) - Extracts arbitrary files utilizing a carving approach.
|
||||
- [FACT Extractor](https://github.com/fkie-cad/fact_extractor) - Detects container format automatically and executes the corresponding extraction tool.
|
||||
- [Firmware Mod Kit](https://github.com/rampageX/firmware-mod-kit/wiki) - Extraction tools for several container formats.
|
||||
|
||||
## Hardware Tools
|
||||
|
||||
- [Bus Blaster](http://dangerousprototypes.com/docs/Bus_Blaster) - Detects and interacts with hardware debug ports like UART and JTAG.
|
||||
- [Bus Pirate](http://dangerousprototypes.com/docs/Bus_Pirate) - Detects and interacts with hardware debug ports like UART and JTAG.
|
||||
- [JTAGULATOR](http://www.grandideastudio.com/jtagulator/) - Detects JTAG Pinouts.
|
||||
|
||||
|
||||
## Books
|
||||
|
||||
- 2019, Aditya Gupta: [The IoT Hacker's Handbook: A Practical Guide to Hacking the Internet of Things](https://www.apress.com/us/book/9781484242995)
|
||||
|
||||
## Research Papers
|
||||
|
||||
- 2018, Muench et al: [What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices](http://www.eurecom.fr/en/publication/5417/download/sec-publi-5417.pdf)
|
||||
- 2017, nsr: [Avatar 2: Towards an open source binary firmware analysis framework](https://media.ccc.de/v/34c3-9195-avatar)
|
||||
- 2017, Costin et al: [Towards Automated Classification of Firmware Images and Identification of Embedded Devices](http://s3.eurecom.fr/docs/ifip17_costin.pdf)
|
||||
- 2016, Kammerstetter et al: [Embedded Security Testing with Peripheral Device Caching and Runtime Program State Approximation](http://www.seclab.tuwien.ac.at/papers/kammerstetter_secuware2016_peripheralCache.pdf)
|
||||
- 2016, Chen et al: [Towards Automated Dynamic Analysis for Linux-based Embedded Firmware](https://www.dcddcc.com/docs/2016_paper_firmadyne.pdf)
|
||||
- 2016, Costin et al: [Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces](http://s3.eurecom.fr/docs/asiaccs16_costin.pdf)
|
||||
- 2015, Gascon et al: [PULSAR: Stateful Black-Box Fuzzing of Proprietary Network Protocols](https://www.sec.cs.tu-bs.de/pubs/2015-securecomm.pdf)
|
||||
- 2015, Shoshitaishvili et al:[Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware](https://seclab.cs.ucsb.edu/media/uploads/papers/firmalice.pdf)
|
||||
- 2015, Papp et al: [Embedded Systems Security: Threats, Vulnerabilities, and Attack Taxonomy](http://www.cse.psu.edu/~pdm12/cse597g-f15/readings/cse597g-embedded_systems.pdf)
|
||||
- 2014, Zaddach et al: [Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares](http://www.eurecom.fr/en/publication/4158/download/rs-publi-4158.pdf)
|
||||
- 2014, Alimi et al: [Analysis of embedded applications by evolutionary fuzzing](http://ieeexplore.ieee.org/document/6903734/)
|
||||
- 2014, Costin et al: [A Large-Scale Analysis of the Security of Embedded Firmware
|
||||
s](http://www.s3.eurecom.fr/docs/usenixsec14_costin.pdf)
|
||||
- 2013, Davidson et al: [FIE on Firmware: Finding Vulnerabilities in Embedded Systems using Symbolic Execution](https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_davidson.pdf)
|
||||
|
||||
### Case Studies
|
||||
|
||||
Case Studies are a good start to learn how to find a vulnerabilities in embedded firmware.
|
||||
|
||||
- [Hacking the DSP-W215, Again](http://www.devttys0.com/2014/05/hacking-the-dspw215-again/)
|
||||
- [Multiple vulnerabilities found in the Dlink DWR-932B](https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html)
|
||||
- [Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol](https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html)
|
||||
- [PWN Xerox Printers (...again)](https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/xerox_phaser_6700_white_paper.pdf)
|
||||
|
||||
## Websites
|
||||
|
||||
- [OWASP Embedded Application Security](https://www.owasp.org/index.php/OWASP_Embedded_Application_Security)
|
||||
- [OWASP Internet of Things Project](https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project)
|
||||
|
||||
## Conferences
|
||||
|
||||
- [Hardwear.io](https://hardwear.io/)
|
||||
|
||||
## Contribute
|
||||
|
||||
Contributions welcome! Read the [contribution guidelines](contributing.md) first.
|
||||
|
||||
## License
|
||||
|
||||
[](https://creativecommons.org/publicdomain/zero/1.0)
|
||||
|
||||
To the extent possible under law, Fraunhofer FKIE has waived all copyright and
|
||||
related or neighboring rights to this work.
|
||||
Loading…
Reference in New Issue