Investigating Embedded Software Composition of DER Systems - Software Composition Analysis
| Thesis type | Master Thesis |
| Supervisor | Marius Biebel |
| Starting date | As soon as possible |
| Skills | LaTeX, Git, JSON, Any programming language |
| Language | English (preferred), German |
| Industry cooperation | not possible |
| Publish date |
Problem and context
Embedded microcontroller suppliers provide documentation, tooling, development boards, and Software Development Kits (SDKs) alongside their microcontrollers to enable their customers to develop products with their components. These SDKs often build on Real-Time Operating Systems (RTOSs) and include libraries optimized for the supplier's hardware, which directly use peripherals such as ADCs, DACs, GPIOs, or PWMs and integrate hardware acceleration for encoding or cryptographic operations.
With the emerging Cyber Resilience Act (CRA) in the EU and similar regulations in other countries, the requirements for software products are increasing. Consequently, manufacturers of products with digital elements are required to document the libraries and components used in their products in a machine-readable Software Bill of Materials (SBOM), so that the products can easily be scanned for vulnerabilities. This also applies to embedded devices used in Distributed Energy Resources (DER).
Goals
The goal of this thesis is to investigate the software composition of SDKs provided by microcontroller suppliers and evaluate how they can be managed to ensure compliance with the upcoming EU Cyber Resilience Act (CRA).
Specifically, the thesis can focus on a number of sub-topics, including, but not limited to:
- Downstream Patch Lag & Vulnerability Propagation: Investigating the timeline and delay between security patches released in upstream libraries (e.g., mbed TLS, lwIP, FreeRTOS) and their integration into downstream vendor SDKs (e.g., NXP MCUXpresso, STM32Cube, TI SimpleLink).
- SBOM Generation & Accuracy: Evaluating the availability and quality of automated tools to generate Software Bills of Materials (SBOMs), and comparing design-time SBOMs (documented libraries) with compile-time SBOMs (what is actually built into the binary).
- SCA Tool Efficacy on Embedded Software: Benchmarking popular Software Composition Analysis (SCA) scanners (e.g., Trivy, Syft, ORT) to see how effectively they detect dependencies and vulnerabilities in custom-structured microcontroller SDKs.
Potential Methodologies:
- Conducting comparative case studies across major MCU vendors (NXP, STMicroelectronics, Texas Instruments, Infineon) widely used in the power/grid sector.
- Compiling SBOMs for the vendors' SDKs, scanning them, and investigating the detected vulnerabilities and their exploitability, both in the SDKs and in projects utilizing them.
- Performing source-code/AST diffing between upstream libraries and vendor-modified SDK codebases to trace proprietary modifications.
Literature
- Jumping over Proprietary Gaps - Assessing security features in MCUs for Smart Inverters
- A Comprehensive Review of Cybersecurity in Inverter-Based Smart Power System Amid the Boom of Renewable Energy
- Destabilizing Power Grid and Energy Market by Cyberattacks on Smart Inverters
- Cybersecurity of Smart Inverters in the Smart Grid: A Survey