Can Free Tools Test the Security of a Small Embedded System?

Security is an increasing concern for developers of many small embedded applications such as IoT Edge devices. Unfortunately the choice of tools suitable for testing security on such systems is limited. This is quite different to web-based, desktop and even embedded Linux application developers who are able to select security tools from a wide range of commercial and open-source providers, such as those included in the popular Kali Linux distribution. This paper considers if it is practical to use free or open-source tools to test security vulnerabilities of a small embedded system, based on an Arm Cortex-M MCU running a bare-metal application or a Real-Time Operating System (RTOS). It looks at readily available tools for threat modeling, static analysis, software reverse engineering and fuzz testing to determine how much work is required to use them on a project and whether it is worth the effort.