INCIBE-CERT

Memory corruption vulnerabilities are critical flaws in programs that occur when software improperly manipulates memory. These failures can allow a program to write data to unintended memory locations or access areas of memory that are out of range. An attacker controlling this data could trigger unexpected behavior on the system, such as causing the program to crash or, in the worst case, gaining full control over the affected system. In part, this is because initially computer systems were not designed with security in mind, so the memory addresses used by programs and operating systems were static and predictable. This meant that every time a program was run, memory locations, such as the stack, heap,  and shared libraries, were always in the same direction. This predictability made it easier for attackers to exploit memory vulnerabilities, such as buffer overflows and libc return-back attacks, as they could anticipate exactly where the data or code they wanted to manipulate to execute malicious code would be located. In this article, we will look at how the ASLR technique helps combat these vulnerabilities.

Today, one of the most critical, but least known, procedures in industrial security is the secure development. This article gathers all the best practices for the creation of specific applications and equipment for industrial environments in a secure manner. Security aspects that must take into account both the work done during the design (confidentiality of the company and customers, workers' security...), and the security that the designed product itself must present throughout its life cycle (vulnerability management, access control, input/output management...).The aim of this article is to address the good practices of secure development, from the perspective of industrial cybersecurity. Although traditional best practices can be applicable to these environments, the fundamental aspects of safety and availability generate different approaches, mainly in aspects related to memory and resource management, update and patch management cycles, etc.

This article aims to present a brief example guide for an implementation of the new standard in a supplier's facilities.Going through the critical points of the standard, a generic use case will be followed to exemplify how a vehicle manufacturer can adapt its processes to comply with the new standard in an efficient and effective way.By presenting an overview of the standard and production processes, the aim is to provide a brief guide to serve as a starting point and help avoid common failures in industrial environments when faced with new regulations, such as redundancy of effort, inefficiency in resource management and deficiencies in the application of safety measures.