Comprehensive Rules for implementing modern security best-practices on Micro-Controller Platform (MCP) servers, covering code, configuration, and operational guidelines.
Your MCP servers handle mission-critical operations in hostile environments. These Cursor Rules implement military-grade security controls that transform how you build, deploy, and maintain secure embedded systems—without sacrificing development velocity.
MCP servers operate in the most vulnerable computing environments: edge deployments, IoT networks, and embedded systems where traditional security perimeters don't exist. You're dealing with:
Standard web security approaches fail in embedded environments where resources are constrained and attack surfaces are physical.
These Cursor Rules implement a Zero Trust security architecture specifically designed for resource-constrained embedded systems. They automatically enforce secure coding patterns, implement cryptographic best practices, and establish defense-in-depth controls across your entire MCP infrastructure.
What You Get:
// Before: Vulnerable to buffer overflow
strcpy(dest, user_input);
// After: Rules enforce safe patterns
size_t payload_len = MIN(pkt->len, MAX_PAYLOAD);
memcpy_s(safe_buf, sizeof(safe_buf), pkt->payload, payload_len);
// Rules automatically implement mTLS with these ciphers:
// TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
// 90-day automated certificate rotation via HSM
# Automated signature verification on every boot
fwup update --image latest.bin --sig latest.sig \
&& echo "Firmware authenticated & flashed" \
|| { logger -p auth.emerg "FW update failed – locking device"; lockdown; }
Your team spends hours reviewing C code for memory safety issues, manually checking cryptographic implementations, and coordinating security testing across embedded platforms.
# Pre-commit hooks automatically run:
gitleaks detect --source . # Secret scanning
clang-tidy src/ --checks='*' # Static analysis
cargo audit # Dependency vulnerability check
libfuzzer-run 24h # Automated fuzzing
Different teams implement different security patterns, creating vulnerabilities when systems integrate. Manual certificate management leads to expired certs and outages.
// Rules optimize for constant-time crypto operations
// Hardware crypto engine offloading reduces CPU load
// DMA transfers minimize memory copy overhead
// Maintains <80°C operation under 100% load
# Add to your .cursorrules file
curl -s https://your-rules-source/mcp-security-rules.json > .cursorrules
# Automatic security compiler flags
CFLAGS += -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie
LDFLAGS += -Wl,-z,relro,-z,now
SANITIZE = -fsanitize=address,undefined
# CI pipeline automatically runs:
stages:
- build
- security_scan # clang-tidy, cppcheck, cargo clippy
- fuzz_test # 24h libFuzzer/AFL testing
- penetration # Monthly automated pen testing
- sign_release # HSM-backed artifact signing
# Network segmentation with firewall rules
iptables -A FORWARD -i mgmt0 -o control0 -j DROP # Isolate management
iptables -A FORWARD -i data0 -o ota0 -j DROP # Separate data/updates
// Secure boot configuration
#define SECURE_BOOT_ENABLED 1
#define ROOT_OF_TRUST_HASH 0x12345678 // Burned to OTP/eFuse
#define JTAG_DISABLED_PRODUCTION 1 // Lock debugging in production
These rules implement advanced security patterns that most embedded teams don't have resources to develop:
You get enterprise-grade security without the enterprise security team overhead.
Your embedded systems are under constant attack. Every day without proper security controls increases your risk of compromise, data exfiltration, and operational disruption.
These Cursor Rules give you the same security architecture used by defense contractors and critical infrastructure operators—implemented as development guardrails that enforce security without slowing you down.
Transform your MCP server security from reactive patching to proactive defense. Your future compromises depend on the security decisions you make today.
You are an expert in secure MCP (Micro-Controller Platform) servers, embedded C/C++, Rust, Python tooling, TLS 1.3, Zero-Trust architecture, hardware security modules (HSM), and AI-driven threat-detection.
Key Principles
- Security-first mindset: every line of code, config, and deployment step must assume a hostile environment.
- Zero-Trust by default: continuously verify identity of user, device, and process—even on localhost.
- Minimise attack surface: disable or remove any feature, port, or service not explicitly required.
- Principle of Least Privilege (PoLP) everywhere—code, OS, network, database, staff.
- Tamper evidence: cryptographically sign all artefacts (firmware, configs, binaries) and verify on boot & at runtime.
- Defence in depth: layer physical, firmware, OS, network, and application controls.
- Fail secure: if an operation’s security state is uncertain, abort gracefully and lock down.
- Automate: patches, key rotation, CI security scans, and compliance audits.
C / C++ (embedded firmware & server daemons)
- Compile with full stack protections: `-fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro,-z,now`.
- Ban unsafe functions (`strcpy`, `gets`, `sprintf`). Use `snprintf`, `strncpy_s`, or `std::string`.
- Enforce const-correctness and `constexpr` where possible to freeze immutable data at compile time.
- Initialise all variables; enable `-Werror=uninitialized`.
- Use Memory Sanitizer/Address Sanitizer (`-fsanitize=address,undefined`) in CI.
- Wrap all external input parsing with length checks; never trust packet or buffer metadata.
- Separate privilege: run network listeners as unprivileged / chrooted processes; isolate crypto operations in TEEs.
- Example (safe packet copy):
```c
size_t payload_len = MIN(pkt->len, MAX_PAYLOAD);
memcpy_s(safe_buf, sizeof(safe_buf), pkt->payload, payload_len);
```
Rust (optional performance-critical modules)
- Deny unsafe code unless behind `#[cfg(feature = "unsafe-required")]` and fully audited.
- Enforce `#![forbid(unsafe_code)]` in `lib.rs`.
- Use `tokio` + `rustls` for async TLS 1.3 without OpenSSL CVE baggage.
- Always pin crate versions via `Cargo.lock`; run `cargo audit` in CI.
Python (provisioning/automation scripts)
- Use Python 3.11+.
- Run with `-X dev -W error` flags in test to surface all warnings.
- Virtual-env per project; dependencies pinned and signed with `pip --require-hashes`.
- Never execute shell commands via `os.system`; prefer `subprocess.run(..., check=True, text=True)`.
- Remove `pickle` entirely; use `json`/`msgpack`.
Error Handling & Validation
- Validate, sanitise, and canonicalise all external data (network, UART, SPI, filesystem) at trust boundary.
- Early-return pattern: handle error paths first, return explicit error codes; keep happy path last.
- Use centralised logging API; tag every entry with UTC ISO-8601, severity, and request/trace ID.
- Never leak secrets in logs; mask with `****` or hash.
- Rate-limit identical log entries to prevent DoS via log flooding.
- All cryptographic errors must trigger immediate session teardown and key purge.
Zero-Trust / Network Framework Rules
- Enforce mutual TLS 1.3 (mTLS) with ECDHE + AES-GCM-256 or ChaCha20-Poly1305.
- Default cipher-suite set: `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`.
- Rotate certificates every 90 days via ACME or internal CA; store private keys in HSM/secure element.
- Segment network:
• Management (out-of-band),
• Control (API),
• Data (payload),
• OTA (updates).
Each VLAN + firewall ACL denying east-west traffic by default.
- Strict egress rules: servers may only initiate traffic to patch, time, and telemetry endpoints.
- SSH access: key-based only, `PermitRootLogin no`, enforced 2FA (FIDO2/U2F), timeout 5 min idle.
Firmware/Boot Security
- Secure Boot chain: ROM Root-of-Trust → Bootloader signature check → Firmware signature check.
- All images signed with ED25519 or ECDSA-P256; keys stored offline + HSM for signing.
- OTP or eFuse to store public key hash; fuse once QA signs off.
- Disable JTAG/SWD in production or gate with password + back-off delay.
Testing
- Static Analysis: `clang-tidy`, `cppcheck`, `pylint`, `cargo clippy` run blocking in CI.
- Dynamic: fuzz critical parsers with libFuzzer/AFL for 24h per build.
- Penetration: quarterly external red-team; monthly internal.
- Regression: maintain exploit harness—failed exploit == pass.
Performance
- Prioritise constant-time crypto implementations; avoid data-dependent branches.
- Use DMA and hardware crypto engines when available to offload CPU.
- For AI/ML workloads: schedule GPU tasks via cgroups; apply Seccomp whitelist.
- Liquid cooling guidance: keep MCU < 80 °C under 100% load to avoid clock throttling.
Compliance & Certification
- Map cryptographic modules to FIPS 140-2 levels; run CMVP test suites pre-release.
- Maintain SBOM (Software Bill of Materials) for every firmware image.
Operational Runbook Snippet
```bash
# Patch & verify integrity on boot
fwup update --image latest.bin --sig latest.sig \
&& echo "Firmware authenticated & flashed" \
|| { logger -p auth.emerg "FW update failed – locking device"; lockdown; }
```
Directory & Naming Conventions
- `src/firmware/` – embedded code.
- `src/server/` – daemon.
- `infra/ansible/` – provisioning.
- `configs/<env>/mcp-<role>.yaml` – YAML config per environment & role.
- Use kebab-case for dirs, snake_case for C files (`packet_parser.c`), PascalCase for structs (`AccessToken`).
Additional Hardening Checklist
- [ ] ASLR enabled (`/proc/sys/kernel/randomize_va_space = 2`).
- [ ] `noexec` mounted on `/tmp`, `/var/tmp`.
- [ ] AppArmor/SELinux profile in `enforcing`.
- [ ] `sysctl` hardened (disable ip_forward, TCP SYN cookies on, etc.).
- [ ] Hardware watchdog configured (60 s) to auto-reboot on hang.
Security Automation
- Git pre-commit hooks: secret scanning (`gitleaks`), licence check, clang-format.
- CI pipeline stages: build → unit tests → SCA → SAST → fuzz → integration tests → sign → publish.
- Use Infrastructure-as-Code with `terraform` + `OPA` policies to enforce least privilege at deploy time.
Incident Response
- 90-day log retention minimum, off-device (immutable storage).
- Real-time anomaly detection via AI model (auto-updated weekly, supervised drift monitoring).
- On suspected compromise: isolate VLAN, revoke certs via CRL push, run forensic image capture script.
End of Rules