
Embedded System Security for C/C++ Developers

Standard Level - Live Instructor-Led Training

4 days (In-Person) 8 hours per day or
5 sessions (Live Online) 6 hours per session


Security is an essential requirement for every connected system or device. New legislation such as the European Union Cyber Resilience Act (CRA) and Government-led programs such as the U.S. Cyber Trust Mark require a “Secure-by-design” approach for digital products. Their aim is to ensure goods purchased by consumers have an appropriate level of security that is maintained throughout the product lifetime. There are also similar security requirements for devices that are part of automotive or medical systems.

Embedded microcontrollers have been used for over 40 years to build digital products, across a huge range of applications. Historically, security was not a major concern for many of these products and the development teams may have had little or no security background. However, the increasing trend to connect devices to a network, both locally and across a wide area (such as the Internet), together with the need to follow a secure-by-design development process, requires additional skills. Initiatives such as the IoT Security Foundation's “Security Assurance Framework” and Arm's “Platform Security Architecture” (PSA) provide guidance to create secure applications but still expect developers to have sufficient security proficiency to understand and apply their recommendations.

This course provides a foundation in the security issues affecting microcontroller-based embedded systems and teaches approaches to identify and protect against security threats. Since many of these systems are developed using the C or C++ programming languages, it looks at how C/C++ should be written to avoid security vulnerabilities. It also considers alternative software and hardware-based solutions to ensure that every aspect of the embedded software application from booting, functional operation, data storage, communication and updates is secure. The relevant sections of the Arm PSA and IoTSF Security Assurance Framework are referenced throughout the course and explored in greater detail where appropriate. The course also provides an overview of emerging industry, national and international security standards and introduces techniques for testing security which will be required for certification.

The practical side of the training is based around carefully designed exercises, investigating security features and issues for a real embedded system, to reinforce and challenge the extent of your learning. These workshops comprise approximately 50% of class time and use a dedicated development board, a real-time debugging IDE and a Saleae Logic analyser on the Doulos Board Farm. A Guacamole server lets you run fully supervised investigations on the real hardware, with live video monitoring, from anywhere in the world via a suitable web browser.

If you have specific security application requirements, please contact the Doulos team to discuss your options.


"Embedded System Security for C/C++ Developers" is aimed at electronic hardware, software and system-on-chip engineers who need to gain a working knowledge of the software and hardware security issues affecting a microcontroller-based embedded system.

Note that this is not a course on the security issues affecting embedded Linux applications - those wishing to learn more about that topic are recommended to take the Doulos “Practical Embedded Linux Security” course. 

  • Identifying the main security threats and vulnerabilities for an embedded system
  • How to use common encryption and decryption standards for data-at-rest and data-in-motion
  • Key management and use of certificates for authentication
  • How to secure communication with TLS
  • Writing secure C code
  • How to use a coding standard with static analysis tools to identify security issues in C code
  • Using a Secure Software Development methodology and framework. The Arm Platform Security Architecture (PSA) and IoTSF Security Assurance Framework are used as examples, but the principles are common to other security frameworks and standards.
  • Embedded system hardware features for security
  • Overview of Security Regulations, Standards and Compliance
  • Approaches to test security of embedded applications
  • Secure Provisioning Process

Attendees should have:

  • Knowledge of the C or C++ programming language and embedded system architecture. In particular, a basic level of familiarity with functions, variables, data types, operators and statements. The Doulos C Programming for Embedded Systems or C++ Programming for Embedded Systems courses provide appropriate preparation for engineers who lack this experience.
  • Awareness of embedded system architecture (ideally Arm Cortex-M).
  • Experience of using embedded software development tools such as the Eclipse IDE and GDB debugger.


Please contact Doulos directly to discuss and assess your specific experience against the pre-requisites.

Doulos training materials are renowned for being the most comprehensive and user-friendly available. Their style, content and coverage are unique in the Embedded Systems training world, and have made them sought after resources in their own right. The materials include:

  • Fully indexed class notes creating a complete reference manual
  • Workbook full of practical examples and solutions to help you apply your knowledge

Introduction to Security

Why is security necessary • Regulatory Requirements • Vulnerabilities, Threats and Attacks • CVE and CWE • Embedded System Security Terminology • Security By Design • Embedded Security Frameworks • Arm PSA • PSA Security Model Goals • Overview of Secure Software Development Lifecycle


Hardware Vulnerabilities for C Code

Safe use of pointers • Memory allocation and corruption • Return Oriented Programming • Buffer overflow


Writing Secure C/C++ Code

String and format functions • Avoiding Buffer Overflow • Side Channel Timing Vulnerability • Integer security • Concurrency • TOCTOU • File I/O • Error Handling • Lab - Memory Overflow-based attacks


Secure Software Development Lifecycle

Secure Software Development Lifecycle and Processes • Business Requirements • Maturity Models • Threat modelling • STRIDE • Risk Analysis and Assessment • Common Vulnerability Scoring System • Attack Trees • Arm PSA Framework • Common Criteria • PSA Analysis Phase • Target of Evaluation • PSA Protection Profile • Security Functional Requirements • Platform Security Considerations • Lab – Creating a Threat Model


Introduction to Cryptography

Encryption and Decryption • Cryptographer's Threat Model • Shift Cipher • One-time Pad • Random Number Generators • Data Encryption Strategies


Symmetric Cryptography

Block Cipher Modes • Electronic Codebook Mode • Cipher Block Chaining Mode • Output Feedback Mode • Cipher Feedback Mode • Counter Mode • ChaCha20 • Padding Oracle Attack • Hash Functions • Message Authenticity & Integrity • HMAC & KMAC • AEAD Ciphers • Performance Comparisons
Lab - Message encryption/decryption


Cryptography in Action

Asymmetric Cryptography • RSA Operation • RSA and Diffie-Hellman Key Exchange • Elliptic Curve DH • Key Derivation Function • Signatures • RSA Signature • PKCS #1 RSA Key • ECDSA and EdDSA Signatures • Attestation with Signatures • Certificate Signing and Verification • Trusted Domain • Certificate Revocation • Software Provisioning • OpenSSL Commands • PKCS Standards
Lab - Installing and using certificates


Transport Layer Security

Secure communications • Zero Trust Architecture • Transport Layer • IoT Protocol Stacks • MQTT • Secure Socket Layer • Transport Layer Security (TLS) • TLS Cipher Suites • Starting a TLS 1.2 Session • TLS 1.3 Handshake • TLS Record Protocol • TLS in C/C++ Applications • Wireless Local Area Networks • Wi-Fi Handshaking • Wi-Fi Security Threats • Wi-Fi Protocols • Lab – Configuring TLS sockets for secure communications


Rules for Secure Coding

Vulnerability Management • CWE • Coding Standards • CERT C and MISRA-C • Rules and Recommendations • Risk Assessment • Other Coding Standards • Static Analysis • Lab – Detecting security vulnerabilities with static analysis tools


Secure Embedded System Software Architecture

Secure software architecture goals • Traditional guiding principles • Least privilege, trust and secure processes • Side channel & timing attacks • Double HMAC • Security through Isolation • Cortex-M Modes and Privilege • Run-Time Isolation with MPU • Microcontainer Isolation • TrustZone-M • Arm Platform Security Architecture (PSA) • Trusted Boot and Firmware Update • PSA Firmware Framework • PSA APIs • Trusted Firmware-M
Lab – Performing a side-channel timing attack


Secure Embedded System Hardware Architecture

Security Requirements • Unique ID • Secure Storage • Secure Storage Lifetime • Random Number Generators • Hardware Crypto Engine • Hardware Root-of-Trust • Attestation • Secure boot and update • Memory Isolation and Protection • TrustZone SAU and IDAU • Other HW Recommendations • Secure Elements • Trusted Platform Module (TPM) • Integrated Hardware Security Module (HSM) • Physical Unclonable Function (PUF) • Secure MCU Architecture • Cortex-M and TrustZone


Standards, Testing and Provisioning

Standards and Regulations • EU Cyber Resilience Act (CRA) • Security Regulation Compliance • ETSI EN 303 645 • Other Security Standards • SESIP – EN 17927 • PSA Certified • Security Testing Approaches • Unit Tests • Security Testing Tools • Penetration Testing • Disassembly • Protocol Fuzzing • Side Channel Power Analysis • Secure Provisioning Process

For on-site, team-based training, please contact Doulos about tailoring this course to suit your hardware and software environment.

Course Dates

Please Enquire for Pricing

  • 10 Jun 2025: ONLINE (EurAsia)
  • 14 Jul 2025: ONLINE (Americas)
  • 16 Jul 2025: Munich, DE
  • 11 Aug 2025: Ringwood, UK
  • 26 Aug 2025: ONLINE (EurAsia)

Looking for team-based training, or other locations?

Complete an enquiry form and a Doulos representative will get back to you.
