The course is taught in English and it aims at presenting the most significant aspects of security of Embedded Systems (ES), covering both hardware and software security issues related to embedded devices, including their most common weakness, vulnerabilities, attacks and possible mitigations and remediations. The course mixes lectures and hands-on-experiences, with a particular emphasis on the open-source security-oriented platform SEcube™. The course includes a final project, in which students, clustered in teams, are asked to face some hot topics in Embedded Systems security and to presents detailed reports on them. The course is enriched by presentations of relevant case studies from industrial testimonials and researchers.

Having successfully completed the course, the participant will: • Get familiar with the basic concepts of security • Get familiar with the most significant aspects of security of Embedded Systems in terms of: o System Security o Secure Programming o Hardware and Hardware-based Security • For each field, get familiar with its main o Vulnerabilities o Attacks o Countermeasures • Get significant hands-on experiences on: o the open-source security-oriented platform SEcube™ o static code analysis tools.

Attendees are assumed to be familiar with the basic concepts of: • C and C++ programming languages • Assembly programming languages • Computer Architectures • Digital System Design.

NOTE: For students with previous acquired experiences in Cybersecurity, alternative topics and teaching materials will be provided while overlapping aspects are encountered. • Introduction to Cybersecurity and Cybersecurity for Embedded Systems: [3 h] o Security – An Introduction o Cybersecurity – Definition & relevance o Security Pillars o Vulnerabilities o Attacks • Basics of Cryptography: [4.5 h] o Introduction to cryptography and classical ciphers o Symmetric encryption and block ciphers o Asymmetric encryption & Key Exchange o Hash functions o Key Management Systems • Introduction to Software Security: [1.5 h] o Malicious execution and malwares: definition o Isolation and access control • System Security: [7.5 h] o Concept of OS Security o Memory Management & Protection o CPU privilege levels o Trusted Execution Environment (TEE) o Root of Trusts • Secure Programming: [7.5 h] o Common Weaknesses and Vulnerabilities (CWE, CVE)  Memory Vulnerabilities  Structured Output Generation Vulnerabilities  Race Condition Vulnerabilities  API Vulnerabilities  Information Leakage o Common coding standards  MISRA  CERT • Hardware Security: [6 h] o Introduction & Taxonomy o Side-Channel Attacks o Fault Attacks o Test-infrastructure-based Attacks o Invasive Attacks o Hardware Trojans • Hardware-based security: [3 h] o Introduction & Basic concepts o Implementations • Hardware Trust [3 h] o Introduction & Basic Concepts o Hardware Counterfeiting o True Random Number Generators (TRNG) o Physically Unclonable Functions (PUF) • Cybersecurity Governance and Standards [3 h] • Presentations of relevant case studies from industrial testimonials and researchers [6 h]

• The course includes: o Lectures [45 h] o Hands-on sessions [15 h] • Students are asked to cluster into groups of 2 or 3 people, each: o The group composition is freely proposed by the students; o Each student is rented a development kit for the SEcube™ platform; • Concerning the final project, each group is requested to deliver: o Technical documentation related to the specs and implementation details, including, where applicable, the produced codes and its static analysis results o Oral presentation.

• Copies of the teaching materials used for both the lectures and the Labs; • User and programming manuals of the open-source security-oriented platform SEcube™;

Modalità di esame: Prova orale obbligatoria; Elaborato progettuale in gruppo;

The final evaluation includes three contributions:  Oral exam (40%)  Final project: o Documentation & presentation (30%) o Technical evaluation (30%)

Modalità di esame: Prova orale obbligatoria; Elaborato progettuale in gruppo;

The final evaluation includes three contributions:  Oral exam (40%)  Final project: o Documentation & presentation (30%) o Technical evaluation (30%)