Question

I want to identify instructions in a code which are vulnerable to tampering.

The code would be running on an IoT device with the identification of instructions from either the source code or just the executable(with no source code).

Does anyone know about some tools or techniques?

In a nutshell, how to automatically locate security-sensitive code?

 I do not have to use a tool to protect but devise a technique of my own to protect my code statements(written in C Language) which are vulnerable. Especially Anti-debugging statements. Are there any heuristics to find out the vulnerable statements in the code... like authentication points and Debugging checks?

Answer 1

The software running on a device is no different than one running on a web server or a local PC.

You can look at all the individual components in your setup that might expose a vulnerability.

It contains:

1. The device (often running C or C++ code)
2. The connection to the cloud (like, https or a messaging service)
3. The API to the cloud (often a RESTful API)
4. The software on the cloud itself

You can go through these ones by one and identify what might be wrong. As a rule of thumb, you can always try to find the spot where an outside connection is made.

Following those four steps

1. Check if the code can be tempered with before an outside connection is made. If your code is compiled and makes an outside connection, try to find an alternative that you can validate.
2. Check certificates, messaging protocols etc. Makes sure all connections are following safety standards.
3. Make sure your API follows proper RESTful security measures.
4. Validate the software in the cloud, check certificates and use something like OATH.

Last, check services like https://www.checkmarx.com/