The vulnerability of TCP/IP stacks to attacks, including buffer overflow, malformed packets and DOS attacks is a significant concern - Amazon's freeRTOS being a prime (sorry!) example. This is becoming an important issue as goverments load on the pressure onto organisations, including power and water utilities, where significant disruption to society could result from their infrastructure being hacked. So what do you do if you want a secure, and preferably cheap, TCP/IP stack for an embedded product? It seems to me you have a few choices including:
a) Use a free product such as LwIP. This should be relatively quick to implement and have a small footprint having been designed for embedded products. But are they robust and maintained and tested against new attacks?
b) Port the latest Linux or BSD stack. I expect this to be a major undertaking, especially if you don’t need to, or have the resources to, support IPv6 so extracting the IPv4 code might be a nightmare. This has the advantage that Linux and BSD TCP/IP stacks are so widely used that they get a lot of attention from both attackers and defenders and any vulnerabilities get quickly patched.
c) Buy a third party stack. But how can you be confident that they are any more secure, and remain so, than free versions? The vendors will no doubt have a long list of reasons why (only) they can be trusted because obviously they have a team of the world's foremost TCP/IP and cyber security experts who are continuously engaged in probing and testing their S/W with the most advanced techniques to reveal any possible weakness, whilst diligently monitoring CERT alerts (and extensive inside contacts in various national intelligence agencies including GCHQ, NSA etc.)
But in the real world? How do you know that the product isn’t something that was written by ‘old Fred the comms whizz’ 25 years ago and has now retired and nobody at the vendor dares to touch beyond updating the copyright dates in the header files occasionally? If they do have a large dedicated team, chances are they are engaged in porting to innumerable different MCU/platform targets with their idiosyncratic tools and peripherals with little if no time to consider security. Especially as 'security' is very nebulous and virtually impossible to prove (prior to being hacked), whereas being able to tick the box 'Paduak MCS150C as a supported target' is likely much higher up a product manager's list of priorities.
Whatever the source of the stack, there is the vexed problem of keeping the firmware in an embedded product up to date. Clearly, having a TCP/IP stack means a large part of the update problem (distribution) should be solved (or at least simplified) but the remaining issues of managing the updates remain, including keeping track of the revision state of all products in the field and interoperability with earlier versions. Using a simple stack like LwIP presumably avoids this issue because it isn’t updated (but of course your porting might have errors which need to be fixed).
If you use a widely used stack then you probably need to be able to update quickly when vulnerabilities are found, which means a lot of cost in tracking updates by the developers, and porting those into your own if necessary, and distributing and managing your new releases. On the other hand if you use a (relatively) unknown or obscure stack then it’s possible that attackers will miss your unique vulnerabilities. I expect that this ‘security by obscurity’ does protect many embedded products - from casual attacks at least. But if your customer happens to be a high value target, such as a utility company sufficiently attractive for an attacker to focus their efforts on your stack, the ‘obscurity’ protection may become minimal or non-existent.
There are many more issues of course. So what do you do? Is the security weakness of TCP/IP stacks exaggerated? Falling victim to a DOS attack is likely nowhere near as severe as a breach allowing control/access to the device. Many of the high profile vulnerabilities of many consumer devices such as routers seem to be due to backdoors for developer or maintenance access, rather than in stack code itself.
What if your customer wants evidence that your product is secure - beyond bedazzling them with your gold-plated ISOxxxx/CMM level X quality systems and processes? How much does it cost to get an embedded product tested by a third party to 'prove' that it is secure?
And how could you rely on a third party's evaluation? Given the nature of attacks, testing requires creative and innovative approaches to testing as well as rigorous and methodical testing. The latter no doubt could be certified to ISOxxxx (whatever standards developed by whatever committees) but that may add relatively little value to the former which requires individuals motivated to understand the mindset and techniques of attackers and constantly anticipate and investigate previously unknown or unused types of attack. These skills would be almost impossible to quantify in any sort of certificated form but are likely to be much more important than any size army of people with clipboards counting bytes, measuring stack depths, complexity metrics etc. etc.