Home / Cyber / Tiny Targets, Big Cyber Risks: Securing Embedded Systems in a Hostile World

Tiny Targets, Big Cyber Risks: Securing Embedded Systems in a Hostile World

Embedded systems, the silent heroes of modern technology, quietly perform dedicated functions within larger systems, seamlessly integrating into our daily lives. These systems, a blend of hardware and software, cater to diverse needs, from powering smart appliances to steering critical infrastructure. However, with connectivity comes vulnerability, and embedded systems are no exception. In this comprehensive exploration, we unravel the intricacies of embedded system security, dissecting threats, vulnerabilities, and best practices to fortify these digital fortresses against potential breaches.

Understanding Embedded Systems:

Embedded systems are the unsung heroes of modern technology, silently powering critical functions in aerospace and defense. Concealed within the depths of machinery and devices, these systems perform dedicated functions, often receiving input from sensors or data sources rather than direct user interaction.

At their core, embedded systems consist of hardware and software components engineered to fulfill specific functions within a larger system or device. Typically, these systems operate autonomously, responding to external stimuli without direct human intervention.

Embedded systems are ubiquitous, seamlessly integrated into industrial machinery, vehicles, satellites, and more, playing a vital role in ensuring safety, efficiency, and reliability. In aerospace and defense, embedded systems are the backbone of essential operations, facilitating navigation, communication, surveillance, and control.

For more thorough treatment please visit:  Cybersecurity for Embedded Devices: A Guide to Threats, Vulnerabilities and Solutions

Threat Landsape

From firmware exploits to hardware attacks, the spectrum of threats is vast. Malware: An attacker can try to infect an embedded device with a malicious software (malware). There are different types of malware. A common characteristic is that they all have unwanted, potentially harmful functionality that they add to the infected system.

Embedded systems are confronted with a diverse range of cyber threats, including:

  1. Malware: A malware that infects an embedded device may modify the behaviour of the device, which may have consequences beyond the cyber domain. Malicious software poses a significant risk to embedded systems by disrupting operations, compromising data integrity, and potentially rendering the system unusable.
  2. Hardware Attacks: Physical tampering with the device opens avenues for attackers to install malicious firmware or extract sensitive information, compromising system security.
  3. Denial-of-Service (DoS) Attacks: These attacks flood the system with an overwhelming volume of traffic, rendering it inaccessible to legitimate users and disrupting normal operations.
  4. Zero-Day Exploits: Exploits targeting vulnerabilities unknown to developers pose a serious threat, as they can be exploited by attackers before a patch or mitigation strategy is developed and deployed.

Software Security: Fortifying the Digital Ramparts

Software vulnerabilities, a ubiquitous challenge, pave the way for cyber intrusions into embedded systems. Code injection attacks, epitomized by buffer overflows and improper input validation, exploit weaknesses in software defenses. Cryptographic attacks and brute-force searches target encryption protocols and authentication mechanisms, probing for weak points. Network-based attacks, including control hijacking and eavesdropping, leverage connectivity to infiltrate systems, highlighting the importance of robust network security measures.

Understanding Embedded System Vulnerabilities

In today’s interconnected world, embedded systems play a crucial role in powering a wide array of devices, from consumer electronics to mission-critical machinery. However, their significance comes with a price: they are prime targets for cyberattacks due to their monetary value, potential to cause harm, and increasing connectivity.

Embedded systems, tailored for specific tasks, exhibit a unique vulnerability landscape. The monetary value of data and the interconnected nature of modern embedded systems make them attractive targets for cybercriminals. Cyberattacks on embedded systems range from disabling anti-theft mechanisms in vehicles to compromising control systems and accessing sensitive information on smartphones.

Like computers, many embedded systems have security vulnerabilities that can provide a way for a threat actor to gain access to the system. Typically, there is a time lag between the discovery of a specific vulnerability—such as a CVE, misconfiguration, or weak or missing encryption—and the availability and application of a patch or other remediation. Meanwhile, vulnerable systems are at risk.

Embedded systems are susceptible to various exploits, including firmware hacks on consumer electronics. Manufacturers often overlook firmware protection, leaving devices vulnerable to unauthorized access and manipulation. Additionally, outdated firmware can harbor bugs and vulnerabilities, as seen in the case of Meltdown and Spectre.

Software vulnerabilities and attacks

Today majority of software attacks comprise of code injection attacks. The malicious code can be introduced remotely via the network. Some of the attacks include stack-based buffer overflows, heap-based buffer overflows, exploitation of double-free vulnerability, integer errors, and the exploitation of format string vulnerabilities. The  most common types of software vulnerabilities in embedded systems are as follows:

Vulnerabilities serve as the gateway for these threats to infiltrate an embedded system:

  1. Software Bugs: Coding errors introduce vulnerabilities that attackers can exploit, compromising the system’s security.
  2. Weak Encryption: Inadequate encryption implementations fail to adequately protect data, making it susceptible to interception and compromise.
  3. Unsecured Communication Protocols: Lack of encryption on communication channels exposes transmitted data to interception, enabling eavesdropping and unauthorized access.
  4. Supply Chain Risks: Malicious actors exploit weaknesses in the manufacturing process to introduce vulnerabilities into the system, creating opportunities for infiltration and compromise.

Third-party hardware and software components may introduce vulnerabilities, while software attacks like buffer overflows and improper input validation can compromise system integrity. Additionally, reliance on third-party components poses a grave risk, as outdated firmware exposes systems to exploits like Meltdown and Spectre, threatening the integrity of critical operations.

Buffer overflow ; Buffer overflow attacks occur when a threat actor writes data or code to a memory buffer, overruns the buffer’s limits and starts overwriting adjacent memory addresses. If the application uses the new data or new executable code, the threat actor may be able to take control of the system or cause it to crash.

A lot of embedded devices required third-party hardware and software components to function. Often these components are used without being tested for any security flaws and vulnerabilities. An out-of-date firmware is typically ridden with bugs and potentially exploitable vulnerabilities. Even though it can be especially hard to periodically update firmware on a small, embedded device, it’s not something that can be ignored.

Improper input validation
If an embedded system requires user input, a malicious user or process may provide unexpected input that causes an application to crash, consume too many resources, reveal confidential data or execute a malicious command. The unexpected input could be a negative value, no input at all, a path name outside of a restricted directory, or special characters that change the flow of the program.

Improper authentication

Authentication proves users and processes are who they say they are. Improper authentication may allow a threat actor to bypass authentication, repeatedly try to guess a password, use stolen credentials or change a password with a weak password-recovery mechanism.

Improper restriction of operations within the bounds of a memory buffer

If the programming language or the embedded OS do not restrict a program from directly accessing memory locations that are outside the intended boundary of the memory buffer, a threat actor may be able to take control of the system or cause it to crash, much like a buffer overflow attack.

In 2018, ethical hackers found Meltdown and Spectre hardware vulnerabilities that affect all Intel x86 and some AMD processors. Both vulnerabilities mess up isolation between user applications, giving applications access to sensitive data and expanding the attack surface. Both Linux and Windows developers have issued patches for their operating systems that partially protect devices from Meltdown and Spectre. However, lots of devices (especially old ones) running on vulnerable processors are still unprotected.

Cryptographic attacks: Cryptographic attacks exploit the weakness in the cryptographic protocol information to perform security attacks, such as breaking into a system by guessing the password. The number of malicious attacks always increases with the amount of software code.

Brute-force search attacks: Weak cryptography and weak authentication methods can be broken by brute force search attacks. Those involve exhaustive key search attacks against cryptographic algorithms such as ciphers and MAC functions, and dictionary attacks against password-based authentication schemes. In both cases, brute force attacks are feasible only if the search space is sufficiently small Normal use: This refers to the attack that exploit an unprotected device or protocol through normal usage.

Cyber adversaries target these systems for various reasons, ranging from data theft to disrupting critical operations. Consumer electronics, such as GPS devices and Wi-Fi routers, often fall prey to exploits due to lax firmware protection. In contrast, mission-critical systems, like those in military aircraft, face threats with far-reaching consequences, demanding robust security measures.

Hardware Attacks: Unveiling the Achilles Heel

Hardware attacks, a clandestine menace, strike at the heart of embedded systems. Memory and bus attacks exploit physical vulnerabilities, enabling unauthorized access to sensitive data.

Memory and bus attacks: If the hardware is physically available and insufficiently protected, it may be possible just to read the contents of memory directly from an external programmable readonly memory (PROM) or external RAM memory chip, or by probing the connecting bus. It is generally good practice, and not that difficult, to encrypt and authenticate all static data such as firmware stored in PROMs.

Cold Boot Attack is a memory attack where the memory (a bank of DRAM chips, for example), is chilled, quickly removed, and read on another system controlled by the attacker. The cold chips
hold remnants of the data even during the short interval where they are unpowered. Thus, it is best not to store critical secrets such as cryptographic keys in off-chip memory. In cases where higher levels of security are justified, external volatile memory may be encrypted.

Side-Channel Analysis Attacks in Embedded System Devices: – Side-channel analysis attacks exploit a device under attack hardware characteristics leakage (power dissipation, computation time, electromagnetic emission etc.) to extract information about the processed data and use them to deduce sensitive information (cryptographic keys, messages etc.). An attacker does not tamper with the device under attack in any way and needs only make appropriate observations to mount a successful attack. Such observation can be done remotely or physically through appropriate tools. Depending on the observed leakage, the most widely used SCAs are microarchitectural/cache, timing, power dissipation, electromagnetic emission attacks.

Network-Based Attacks:

A lot of the gadgets and machines powered by embedded devices are also connected to the internet. This means that hackers can gain unauthorized access to them, and run any malicious code. This type of attack exploits network infrastructure vulnerabilities and can also be performed remotely. Using these vulnerabilities, hackers can listen for, intercept, and modify traffic transmitted by embedded systems. Control hijacking attacks and man-in-the-middle (MITM) attacks are common methods used to intercept and alter data transmitted by these systems.

Control hijacking attacks: These types of attacks divert the normal control flow of the programs running on the embedded device, which typically results in executing code injected by the attacker.

An MITM attack is used to intercept or alter data transmitted by an embedded system. To execute it, hackers change the connection parameters of two devices in order to place a third one between them. If hackers can obtain or alter the cryptographic keys used by both devices, they can eavesdrop in a way that’s very hard to detect as it causes no disruption in the network. An MITM attack can be prevented or stopped by encrypting transmitted data and using the Internet Protocol Security (IPsec) to securely transmit keys and data.

Injecting crafted packets or input: Injection of crafted packets is an attack method against protocols used by embedded devices. A similar type of attack is the manipulation of the input to a program running on an embedded device. Both packet and input crafting attacks exploit parsing vulnerabilities in protocol implementations or other programs. In addition, replaying previously observed packets or packet fragments can be considered as a special form of packet crafting, which can be an effective method to cause protocol failures.

Eavesdropping: While packet crafting is an active attack, eavesdropping (or sniffing) is a passive attack method whereby an attacker only observes the messages sent and received by an embedded device. Those messages may contain sensitive information that is weakly protected or not protected at all by cryptographic means. In addition, eavesdropped information can be used in packet crafting attacks (e.g. in replay type of attacks)

Reverse engineering: Often, an attacker can obtain sensitive information (e.g., an access credential) by analysing the software (firmware or application) in an embedded device. This process is called reverse engineering. By using reverse engineering techniques, the attacker can find vulnerabilities in the code (e.g., input parsing errors) that may be exploited by other attack methods.

Embedded system security

Embedded system security is a vital cybersecurity discipline dedicated to thwarting unauthorized access and exploitation of embedded systems, offering a comprehensive suite of tools, methodologies, and best practices to fortify both the software and hardware components of these devices.

The cornerstone of embedded security lies in the CIA triad, where confidentiality shields critical system information from unauthorized disclosure, integrity ensures the preservation of system operations against tampering, and availability safeguards mission-critical objectives from disruption.

However, due to the inherent constraints of small hardware modules in embedded systems, integrating robust security measures poses significant design challenges. Collaborating closely with systems design teams, cybersecurity specialists strive to implement essential security mechanisms to mitigate the potential damage caused by cyberattacks. Despite the pressing need for standardized security protocols in embedded systems, such frameworks remain underdeveloped. Efforts within the automotive industry, as evidenced by initiatives like SAE J3061 and UNECE WP.29 Regulation on Cyber Security and Software Update Processes, signal progress towards addressing this gap and enhancing cybersecurity in embedded systems, particularly in smart vehicles.

End-to-End Security: Safeguarding Every Layer

Taking into account that embedded systems are components of extremely expensive and valuable machines, the possibility to hack these systems lures lots of hackers. That’s why securing embedded systems is extremely important.

Securing embedded systems requires a multi-faceted approach, encompassing hardware, software, and network security. Trusted execution environments and secure boot mechanisms fortify hardware defenses, while microkernel operating systems minimize attack surfaces. Software best practices, including input validation and data encryption, mitigate software vulnerabilities, safeguarding against code injection and cryptographic attacks. Network security measures, such as TLS encryption and intrusion detection systems, shield against network-based threats, ensuring end-to-end security across the digital landscape.

Software security best practices

Adopt secure coding practices and leverage static code analysis tools to proactively detect and address potential vulnerabilities in embedded system software. Ensure that software remains current by regularly applying the latest security patches to mitigate emerging threats and vulnerabilities effectively. Reduce the system’s attack surface by eliminating unnecessary functionality, thereby minimizing the potential entry points for malicious attacks and enhancing overall security posture.

The following best practices should be kept in mind when building embedded software:

  • Use secure boot:

When an embedded device boots, the boot image gets verified using cryptographic algorithms. This ensures that the boot sequence is correct, and that the software (firmware and any other relevant data) has not been tampered with.

  • Use a microkernel OS

A microkernel OS is much smaller than a traditional OS, containing a subset of its features. The kernel space is tiny, and a lot of user services (like file system management etc.) are kept in a separate space, known as the userspace. Since there’s less code and operations being run in the kernel space, the attack surface is significantly reduced.

  • Use properly packaged software applications

Any-and-all software applications should be self-contained, and properly packaged. E.g. if an application requires a third-party dependency, it should not be installed globally on the operating system. Rather, it should be part of the application package/container.

  • Validate all inputs

Any-and-all data received from external and/or untrusted sources should be properly sanitized and validated, before being passed to critical software and/or hardware components.

If an application fetches data from an external API integration, and toggles some setting based on it, the received data should be rigorously validated before the setting is changed.

  • Protect data at rest:

All the sensitive software, data, configuration files, secure keys, and passwords etc. that are being stored on an embedded device, should be protected. This is usually done via encryption. The private keys used to encrypt the data must be stored in dedicated, purpose-built security hardware.

Start at the hardware

No matter how robust your software security may be, if your hardware is lacking, you will be susceptible to attack. On-chip security techniques can allow secure boot, and efficient management of cryptographic functions and secrets.

Hardware security is equally important. Employ tamper-resistant hardware components wherever feasible to enhance the security of embedded systems. Integrate secure boot mechanisms and hardware cryptography to fortify protection against unauthorized access and malicious attacks. Safeguard encryption keys and other critical data by securely storing them, thereby reducing the risk of compromise and ensuring the integrity of the system’s security measures.

  • Secure Boot: This technology verifies the integrity of firmware before allowing it to run, preventing unauthorized code execution.
  • Tamper Detection: Mechanisms that detect physical tampering with the device can alert security personnel and potentially disable the system.
  • Secure Hardware Cryptography: Dedicated hardware modules can perform encryption and decryption tasks more securely than software solutions.

Hardware security best practices are fundamental for ensuring the integrity and resilience of embedded systems. A secure embedded system incorporates several key elements:

  1. Trusted Execution Environment (TEE): A TEE establishes hardware-level isolation for critical security operations. By segregating user authentication and other sensitive functions into a dedicated area, a TEE enhances protection against unauthorized access and data breaches.
  2. Appropriately Partitioned Hardware Resources: Segregating different hardware components such as processors, caches, memory, and network interfaces is essential. This partitioning ensures that each component operates independently, mitigating the risk of errors in one area propagating to affect others, thus enhancing system reliability and security.
  3. Executable Space Protection (ESP): ESP is a crucial practice involving the designation of specific memory regions as non-executable. By marking these regions as such, any attempt to execute code within them triggers an exception. This proactive measure effectively prevents the execution of unauthorized code, bolstering system security against potential exploits and attacks.

Some hardware components can also enable the operating system to offer various security features like system-call-anomaly detection, file system encryption, and access control policies.

Network Security

In an ideal scenario, network security is ensured through robust authentication and encryption mechanisms, such as Transport Layer Security (TLS), to authenticate and encrypt all network communications. The adoption of a Public Key Infrastructure (PKI) enables both remote endpoint devices (clients) and servers to validate each other’s identities, ensuring that only authorized communications from properly enrolled systems are accepted. Furthermore, establishing a strong hardware root of trust enhances security by providing a unique identity for each device, with device-specific keys linked to the hardware and certified within the user’s PKI framework.

Multilayered Security

To fortify the security posture of embedded intelligent systems, industry experts advocate for a stepped, multilayered approach to security. Layered defense-security architectures, like those incorporating managed security services, firewalls, or intrusion detection and prevention systems (IDPS), are pivotal in mitigating vulnerabilities and thwarting threat actors. This “strength-in-depth” strategy entails deploying redundant countermeasures across various layers, ensuring that a single layer’s compromise does not lead to a breach. As articulated by Wind River Security’s Thompson, relying solely on a singular security layer is insufficient, given the evolving threat landscape. By implementing multiple security layers, known as defense-in-depth, organizations can effectively broaden their protection against diverse threats and vulnerabilities. This approach not only complicates attackers’ efforts but also grants developers valuable time to address emerging threats and vulnerabilities promptly, bolstering the resilience of embedded systems over time.

Military Embedded System Security: Defending the Frontlines

In the realm of military operations, embedded systems play a pivotal role in safeguarding national security. These systems, deployed in hostile environments, demand unwavering resilience against cyber threats. From intelligence sensors to electronic warfare systems, every component must adhere to stringent security protocols. The convergence of open-system architectures and cybersecurity technologies offers a promising avenue for bolstering military embedded system security, ensuring mission success amidst evolving threats.

Military embedded systems play a crucial role in field operations, requiring robust security measures to safeguard against sophisticated cyber threats. These systems are distinguished by their ruggedness, tight integration, and adherence to rigorous certification and verification processes, setting them apart from conventional enterprise systems. Often utilizing interfaces like MIL-STD-1553, they are designed for reliability and resilience in challenging environments.

The Department of Defense (DoD) faces increasing cyber threats targeting its systems, including embedded computing utilized in critical functions. Attacks on military equipment, such as the Trusted Aircraft Information Download Station on the F-15 fighter jet, underscore the vulnerability of embedded systems to malicious activities. These devices, responsible for collecting vital flight data, are potential targets for disruption, highlighting the urgent need for enhanced security measures.

While domestic incidents like CAN bus hacking underscore the importance of embedded systems security, the stakes are significantly higher in military operations where lives are on the line. Military embedded systems often handle classified, mission-critical, and top-secret data, necessitating protection from interception or compromise at all costs.

To address evolving threats and meet specialized operational requirements, developers are turning to open-systems architectures (OSA). By adopting nonproprietary standards, OSAs facilitate interoperability and enable seamless technology upgrades across diverse platforms. However, integrating security measures into OSA frameworks poses challenges, as it may potentially compromise the openness and flexibility inherent in these architectures.

In response, the DoD has mandated the adoption of OSA in electronic systems, emphasizing the importance of balancing security with interoperability and innovation. As military embedded systems continue to evolve, ensuring their resilience against cyber threats remains a top priority, necessitating collaborative efforts to enhance security while preserving the flexibility and efficiency of open-systems architectures.

Engineers predominantly prioritize functional capabilities over stringent security needs, necessitating adaptable methodologies that align with mission objectives and concept of operations (CONOPS). Balancing performance optimization with security implementation further complicates system design, demanding solutions that minimize impacts on size, weight, power consumption, usability, and cost. Given the diverse range of military embedded systems, customized security approaches are essential, tailored to specific CONOPS and operational contexts. Secure embedded devices leverage robust encryption standards like Advanced Encryption Standard (AES) 256-bit to safeguard sensitive data, often adopting a multi-layered encryption strategy to fortify defenses against potential exploits. As security concerns escalate, the demand for secure real-time operating systems and embedded computing software rises, prompting innovative engineering approaches to meet stringent security requirements within size and power constraints. Procurement departments prioritize sourcing products from secure, domestic environments to mitigate battlefield security risks, while encryption standards like transport layer security offer additional application-level protection. Formal specification of hardware interfaces emerges as a critical aspect, ensuring manageability amid the increasing complexity of embedded systems.

Military embedded systems face even higher security risks due to the sensitive nature of the data they handle and the potential consequences of a successful attack. Here are some additional considerations:

  • Rigorous Testing: Military systems undergo extensive vulnerability testing to identify and address potential security flaws.
  • Information Assurance: Classified data requires robust security measures to prevent unauthorized access, modification, or disclosure.
  • Supply Chain Security: Military systems often rely on complex supply chains. Vetting suppliers and securing the manufacturing process are crucial.

Tools for Embedded System Security: Armory for the Digital Age

Equipped with an arsenal of specialized tools, cybersecurity professionals defend embedded systems against evolving threats. From bus blasters for hardware debugging to firmware analysis frameworks like FACT, these tools enable comprehensive security assessments and penetration testing. Open-source exploitation frameworks like Routersploit empower researchers to uncover vulnerabilities, facilitating proactive threat mitigation. As embedded systems evolve, so too must the tools and techniques employed to safeguard them, ensuring resilience in the face of emerging cyber threats.

Several tools can aid in securing embedded systems:

  • Static Code Analysis Tools: These tools scan code for vulnerabilities and security flaws.
  • Security Scanners: These tools scan systems for known vulnerabilities and misconfigurations.
  • Secure Development Lifecycle (SDL) Frameworks: These frameworks provide a structured approach to building secure systems.
  1. Bus Blaster: This high-speed debugging platform enables interaction with hardware debug ports, facilitating efficient debugging and monitoring of embedded systems.
  2. Saleae: Ideal for decoding various protocols such as Serial, SPI, and I2C, Saleae offers protocol analyzers that can be tailored to specific needs or even built from scratch by the community.
  3. Hydrabus: A versatile open-source hardware tool designed for debugging, hacking, and penetration testing of embedded hardware, Hydrabus offers a multi-tool approach to enhancing system security.
  4. Exploit: As an open-source IoT security testing and exploitation framework, Exploit provides a comprehensive suite of tools and resources for identifying and addressing vulnerabilities in embedded devices.
  5. FACT (The Firmware Analysis and Comparison Tool): This framework automates firmware security analysis, streamlining the process of identifying and mitigating security risks associated with embedded firmware.
  6. Routersploit: Specifically tailored for embedded devices, Routersploit is an open-source exploitation framework designed to identify and exploit vulnerabilities in embedded systems, bolstering security measures.
  7. Firmadyne: Offering emulation and dynamic analysis capabilities for Linux-based embedded firmware, Firmadyne provides a powerful toolkit for assessing security risks and implementing robust security measures.

The Final Word: A Continuous Journey

Securing embedded systems is an ongoing process. By understanding the threats, vulnerabilities, and best practices, developers and users can build robust defenses against cyberattacks. As technology evolves, so too must our approach to security. By remaining vigilant and adapting our strategies, we can ensure that these tiny systems remain secure and continue to power the technology that shapes our world.

As embedded systems continue to evolve and become more interconnected, the need for robust security measures becomes paramount.  By implementing comprehensive security strategies and leveraging cutting-edge tools, organizations can safeguard embedded systems against cyber threats and ensure their reliability and integrity in diverse environments.

By understanding the diverse threat landscape and implementing robust security measures, we can fortify these digital bastions against potential breaches. With vigilance, innovation, and collaboration, we can ensure that embedded systems continue to empower and enrich our lives, securely navigating the complexities of the digital age.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

References and Resources also include:

https://www.apriorit.com/dev-blog/690-embedded-systems-attacks#:~:text=A%20vulnerability%20in%20embedded%20system,potentially%20lead%20to%20human%20harm.

https://blackberry.qnx.com/en/ultimate-guides/embedded-system-security#:~:text=Embedded%20systems%20security%20is%20a,all%20types%20of%20malicious%20behavior.

https://militaryembedded.com/cyber/cybersecurity/securing-military-embedded-systems-is-a-giant-challenge

https://www.ll.mit.edu/sites/default/files/page/doc/2018-05/22_1_9_Vai.pdf

https://www.securecodewarrior.com/blog/embedded-systems-security

 

About Rajesh Uppal

Check Also

Nation-Backed Cyber Attacks: The Global Threat Posed by Russia, China, North Korea, and Iran

In today’s interconnected world, cyberspace has become the new battleground for global dominance. Nation-states are …

error: Content is protected !!