Embedded Systems (ES) development has been historically focused on functionality rather than security, and today it still applies in many sectors and applications. However, there is an increasing number of security threats over ES, and a successful attack could have economical, physical or even human consequences, since many of them are used to control critical applications. A standardized and general accepted security testing framework is needed to provide guidance, common reporting forms, and the possibility to compare the results along the time. This can be achieved by introducing security metrics into the evaluation or assessment process. If carefully designed and chosen, metrics could provide a quantitative, repeatable and reproducible value that would reflect the level of security protection of the ES. This paper analyzes the features that a good security metric should exhibit, introduces a taxonomy for classifying them, and finally, it carries out a literature survey on security metrics for the security evaluation of ES. In this review, more than 500 metrics were collected and analyzed. Then, they were reduced to 169 metrics that have the potential to be applied to ES security evaluation. As expected, the 77.5 % of them is related exclusively to software, and only the 0.6 % of them addresses exclusively hardware security. This work aims to lay the foundations for constructing a security evaluation methodology that uses metrics to quantify the security level of an ES.
翻译:嵌入式系统(ES)的开发历来侧重于功能而不是安全,如今它仍然适用于许多部门和应用程序。然而,对ES的安全威胁越来越多,成功的袭击可能带来经济、物理甚至人文后果,因为其中许多用于控制关键应用程序。需要有一个标准化和普遍接受的安全测试框架来提供指导、通用报告格式,并能够随时比较结果。这可以通过在评估或评估过程中引入安全指标来实现。如果仔细设计和选择,衡量标准可以提供数量、可重复和可复制的价值,反映ES的安全保护水平。本文分析了良好的安全指标应展示的特征,为它们分类采用分类分类的分类方法,最后,它就ES的安全评价的安保衡量标准进行了文献调查。在这次审查中,收集并分析了500多条衡量标准。然后,将有可能应用于ES安全评价的169条衡量标准减少到169条标准。据预计,77.5%衡量标准可以反映ES的安全保护水平。本文分析了良好的安全指标应当展示的特征,为分类提供了一种分类方法,最后,对ES的安全衡量标准进行了文献调查,只有0.6 % 的安全评价是安全标准的基础。这一标准的基础。