SlideShare uma empresa Scribd logo

Modern IoT and Embedded Linux Deployment - Berlin

D
Djalal Harouni

Modern IoT and Embedded Linux Deployment and Security

Internet
1 de 44
Baixar para ler offline
Modern Deployment for Embedded Linux and IoT All Systems Go! 2017 October 21-22, Berlin Djalal Harouni @tixxdz tixxdz@gmail.com Modern Deployment for Embedded Linux and IoT - All Systems go! 2017, Berlin
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Agenda ● Background ● Embedded Linux and IoT Security ● Kernel Hardening and Kernel Self Protection Project ● Lightweight Containers ● systemd Sandbox Model ● Software Update Mechanisms ● Challenges
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Background
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Background Embedded Linux or Linux-based IoT devices ● Today, Linux is everywhere ● Most of us have at least 3 or 4 Linux based devices ● By IoT we mean Devices that run Linux, smart gateways, IoT devices connected to internet, etc
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Background Embedded Linux Apps ● Some Embedded Linux Apps look more like PC Apps ● Big-Data Science fields and IoT devices are driving Engineers and Programmers to do more Embedded Programming ● Javascript, node.js, golang, etc being used to deploy Apps Note: most of these developers are new or won’t care about lower layers. The lower layers or system layers are hard and expensive.
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Embedded Linux and IoT Security
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Embedded Linux and IoT Security Board + Yocto Layers Hardware Linux OS Root Filesystem (userspace) Apps Embedded Linux System Value Runtime (Yocto Layers) Runtime: ● Open Source ● +hardware +Apps == Use Case ● Defines the Security dimensions ● Large ● Can be updated
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Embedded Linux and IoT Security Embedded Linux - Runtime ● Constitute most of the code: Complex ● Runs with higher privileges: Kernel and third party drivers run at CPU/hardware Privileged Mode Userspace runs at CPU user mode, with higher software privileges Apps on top are not sandboxed ● No planned Software Update mechanisms (or not perfect)
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Embedded Linux and IoT Security Bugs and Vulnerabilities lifetime Analysis by Kees Cook on Ubuntu CVE tracker 2011-2016: Critical: 3 @ 5.3 years High: 59 @ 6.4 years Medium: 534 @ 5.6 years Low: 273 @ 5.6 years Source: https://outflux.net/blog/archives/2016/10/20/cve-2016-519 Note: Numbers from Ubuntu CVE, most of them were Patched
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Embedded Linux and IoT Security Bugs and Vulnerabilities lifetime By Kees Cook: https://outflux.net/blog/archives/2016/10/18/security-bug-lifetime/
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Embedded Linux and IoT Security Embedded Linux - Android - Kernel Vulnerabilities User space <==> kernelspace is Abused or Misused. copy_from_user() - copy_to_user() “Since 2014, missing or invalid bounds checking has caused about 45% of Android's kernel vulnerabilities.” by Sami Tolvanen, Android Security Source: https://android-developers.googleblog.com/2017/08/hardening-kernel-in-android-oreo.htm L
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Embedded Linux and IoT Security Embedded Linux - Vulnerabilities BrickerBot targets cameras, DVRs, and IoT with busybox telnet Pictures from https://arstechnica.com article
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Embedded Linux and IoT Security Modern Deployment of Embedded Linux and IoT Or How to Secure your Linux-based IoT Devices Or How to keep your Devices alive
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Kernel Hardening and Kernel Self Protection Project KSPP Logo
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Kernel Hardening and KSPP Kernel Hardening ● Access Control and Linux Security Modules ● Protecting User Space Kernel Self Protection Project more than that ● Linux kernel ability to protect itself ● Reduce the kernel attack surface ● Managed by Kees Cook and lot of contributors: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Kernel Self Protection Project Attacks and Exploits ● Use multiple bugs and vulnerabilities ● Need to know the target, memory layout, etc Objectives ● Eliminate or reduce exploitation targets and methods ● Eliminate or reduce information leaks ● Modify and Adopt some features from grsecurity/PaX patches
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Kernel Self Protection Project Embedded Linux Security - Kernel Protections ● CONFIG_HARDENED_USERCOPY Performs extra size checks on user copy ● CONFIG_FORTIFY_SOURCE Checks string memory at compile time or runtime ● CONFIG_STRICT_KERNEL_RWX Make kernel text and rodata read-only. Kernel version of W^X ● CONFIG_STRICT_DEVMEM=y and CONFIG_IO_STRICT_DEVMEM=y restrict physical memory access. ● CONFIG_SECCOMP=y and CONFIG_SECCOMP_FILTER=y allows userspace to reduce the attack surface. ● STATIC_USERMODEHELPER=y Force all usermode helper calls through a single binary
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Kernel Self Protection Project Embedded Linux Security - Kernel Protections ● CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 Disallow allocating the first 32k of memory ● CONFIG_CPU_SW_DOMAIN_PAN=y Enable PXN/PAN Emulation, protect kernel from executing user space memory Guide: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Setti ngs
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Kernel Self Protection Project Our Work in Progress: Modernization of proc file system - Eliminate Information Leaks ● Each new /proc mount will be a total separate instance ● Ability to hide processes without PID Namespaces (saves resources) ● No Kernel data or other files in /proc. Only /proc/<pids>/ by Alexey Gladkov ● Reduce /proc burden on other Security and Linux features. Development branch: https://github.com/legionus/linux/commits/pidfs-v4 By Djalal Harouni, Alexey Gladkov and Feedback from Andy Lutomirski
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Kernel Self Protection Project Our Work in Progress: Automatic Module Loading Protection - Reduce kernel Attack Surface ● Will block auto-loading vulnerable drivers or modules The 11 year old DCCP double free vulnerability CVE-2017–6074 (Root exploit) kernel: Local privilege escalation in XFRM framework CVE-2017–7184 (Owned Ubuntu) ● Enabled by a global sysctl switch or a per-process tree flag ● Embedded Systems should reduce the ability to load modules at all. V4 https://lkml.org/lkml/2017/5/22/312, V5 soon. By Djalal Harouni, feedback from Andy Lutomirski, Kees Cook, Solar Designer and others.
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Kernel Self Protection Project Our Work in Progress: Generalize Yama Linux Security Module behaviour ● Yama blocks processes from controlling other processes (origin grsecurity) ● A sysctl flag is used to control Yama Future: ● Generalize Yama simple behaviour on other interfaces and system calls ● A global sysctl flag or a per-process tree flag for sandboxes ● No policy for easy integration with Yocto and Embedded devices
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Linux Containers or Lightweight Containers
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Lightweight Containers Why Containers on Embedded and IoT devices ? ● Modern Deployment workflow ● Isolation of Apps ● Allow Virtualization of some Resources with less overhead Examples: Resin OS - An Embedded Linux tailored for Containers Resin OS uses Yocto and supports many embedded devices and boards
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Lightweight Containers Linux Containers: ● A better develop and ship workflow ● Isolates Apps and their resources ● Sandbox mechanism Disadvantages for Embedded Linux: ● A Container format ? ● Uses lot of Linux Technologies ? ● Over-engineered ? (Contain hacks ?) ● Heavy, too much processes
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Lightweight Containers Containers Ecosystem Comparison Source: https://coreos.com/rkt/docs/latest/rkt-vs-other-projects.html
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Lightweight Containers Solution for Embedded Linux ? systemd Portable Services/Apps or Lightweight Containers
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Portable Apps/Lightweight Containers Why systemd in Embedded Linux ? ● Resource management ? ● More than three Apps running ? ● Integrated Watchdog support ? ● Socket activation - run Apps on-demand ? ● Logging ? ● Easy Apps Sandboxing ? If no, maybe a simple init + minimal sandbox tool
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Portable Apps/Lightweight Containers In Embedded: systemd Contained App Portable App Portable App Portable App with its dependencies + Sandbox Mechanism Without systemd-nspawn
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Portable Apps/Lightweight Containers systemd portable Apps/Lightweight Containers: ● For now only Linux Mount Namespaces - cheap ● Network Namespaces used to disconnect / block network access Advantages: ● All Apps are able to work in Mount Namespaces ● No need to adapt or package your App using a specific format ● Avoids Container Managers complexity and hacks ● Avoids abusing other Linux features to workaround other misbehaviour
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Sandbox Model
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Sandbox Model File system Sandbox: RootImage= Root filesystem of the App PrivateDevices= Private /dev without physical devices BindPaths=, BindReadOnlyPaths= Makes files available, make /dev watchdog available inside sandbox! User Privileges Sandbox: DynamicUser= Run Apps under different User (Unix UID/GID). The UID is allocated dynamically and released on stops. Allowing IoT devices to follow Android model: each App is executed under a different user. NoNewPrivileges= No new privileges through execve().
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Sandbox Model Network Sandbox: PrivateNetwork= disconnect internet access IPAddressDeny= All traffic from and to this address/mask will be blocked. IPAddressAllow= The whitelist or permitted IP address/network mask list. To block raw packets AF_PACKET RestrictAddressFamilies=~AF_PACKET (blacklisting mode).
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Sandbox Model Kernel attack surface reduction: RestrictNamespaces= Restrict Access to Linux namespaces ProtectKernelTunables= Blocks tuning Kernel parameter, /proc and /sys read-only. ProtectKernelModules= Blocks Apps from explicitly loading or unloading modules. SystemCallFilter= Seccomp system call filtering: “@reboot” Block all related reboot system calls. “@module” Block all kernel module system calls. “@mount” Block all file system mount and umount system calls. All this is Opt-IN
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Sandbox Model - Future ● systemd needs to adapt It was intended to experienced service developers and SysVinit experts. Today users are more familiar with Containers and Apps. ● New Sandbox Mechanism for Contained APPs - new Runtime mode ? ACCESS_INTERNET , PRIVILEGED_ACCESS_INTERNET ADMIN_SYSTEM_TIME , ADMIN_SYSTEM_TIME_ZONE ADMIN_SYSTEM_MANAGER , ADMIN_SYSTEM_NETWORK https://github.com/systemd/systemd/pull/6963
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Sandbox Model - Future ● New Sandbox Mechanism for Contained APPs - new Runtime mode ? Seccomp policy mutation : “@privileged” , “@container”, “@basic” and “@default” groups + Linux Capabilities + Abstracted Permissions https://github.com/systemd/systemd/pull/6963 ● systemd needs better integration into Embedded and IoT devices ● More user friendly features
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Software Update Mechanisms
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Software Update Mechanisms - OTA Update ● IoT Devices are exposed to Internet BrickerBot reports say that it damaged > 2.000.000 IoT devices No complex 0day vulnerability exploit Fix: it only needed a configuration Update to close telnet !? ● Robust Embedded and IoT have to support a Software Update Mechanisms Fix development bugs Fix known and unknown vulnerabilities
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Software Update Mechanisms - OTA Update Requirements: ● Secure: TLS, supports Image signing ● Atomic Update supports - Usually switch from A to B ● Ability to fall back on update failures ● Etc Mechanisms: ● Dual Root Partition: A/B ● Other approaches based on App/Container update: Resin OS
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Software Update Mechanisms - OTA Update Mechanisms: ● Dual Root Partition: A/B ● Two file system Images: Boot A There is an Update - Download delta A is a reference to B Write B switch boot ● Work in progress: casync to stream updates - block layer support ● Traditional tools: xdelta/VCDIFF
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Software Update Mechanisms - OTA Update Ready Solutions compatible with Yocto: ● Mender.io Open Source tool for updating your embedded devices safely and reliably New: ● rauc Safe and Secure Others: ● Resin OS updater
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Challenges
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Challenges Adoption ? All this is already in Yocto!
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Thanks to Daniel Mack and Lennart Poettering
Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Questions ? Feel free to contact me about topics: tixxdz@gmail.com Djalal Harouni

Recomendados

Embedded Recipes 2017 - An easy-to-install real world embedded Linux distribu...
Embedded Recipes 2017 - An easy-to-install real world embedded Linux distribu...Embedded Recipes 2017 - An easy-to-install real world embedded Linux distribu...
Embedded Recipes 2017 - An easy-to-install real world embedded Linux distribu...
Anne Nicolas
 
Platform for a Connected World
Platform for a Connected WorldPlatform for a Connected World
Platform for a Connected World
All Things Open
 
Resin.io overview (2016 July)
Resin.io overview (2016 July)Resin.io overview (2016 July)
Resin.io overview (2016 July)
Balena
 
Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017
Patrick Chanezon
 
A Summary about Hykes' Keynote on Dockercon 2015
A Summary about Hykes' Keynote on Dockercon 2015A Summary about Hykes' Keynote on Dockercon 2015
A Summary about Hykes' Keynote on Dockercon 2015
Henry Huang
 
SDN NFV NV OpenNetwork @ VMUG.IT 20150529
SDN NFV NV OpenNetwork @ VMUG.IT 20150529SDN NFV NV OpenNetwork @ VMUG.IT 20150529
SDN NFV NV OpenNetwork @ VMUG.IT 20150529
VMUG IT
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 1
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 1Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 1
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 1
Qualcomm Developer Network
 
Docker opens the Doors for IoT
Docker opens the Doors for IoTDocker opens the Doors for IoT
Docker opens the Doors for IoT
Dieter Reuter
 

Recomendados

Embedded Recipes 2017 - An easy-to-install real world embedded Linux distribu...
Embedded Recipes 2017 - An easy-to-install real world embedded Linux distribu...Embedded Recipes 2017 - An easy-to-install real world embedded Linux distribu...
Embedded Recipes 2017 - An easy-to-install real world embedded Linux distribu...
Anne Nicolas
 
Platform for a Connected World
Platform for a Connected WorldPlatform for a Connected World
Platform for a Connected World
All Things Open
 
Resin.io overview (2016 July)
Resin.io overview (2016 July)Resin.io overview (2016 July)
Resin.io overview (2016 July)
Balena
 
Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017
Patrick Chanezon
 
A Summary about Hykes' Keynote on Dockercon 2015
A Summary about Hykes' Keynote on Dockercon 2015A Summary about Hykes' Keynote on Dockercon 2015
A Summary about Hykes' Keynote on Dockercon 2015
Henry Huang
 
SDN NFV NV OpenNetwork @ VMUG.IT 20150529
SDN NFV NV OpenNetwork @ VMUG.IT 20150529SDN NFV NV OpenNetwork @ VMUG.IT 20150529
SDN NFV NV OpenNetwork @ VMUG.IT 20150529
VMUG IT
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 1
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 1Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 1
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 1
Qualcomm Developer Network
 
Docker opens the Doors for IoT
Docker opens the Doors for IoTDocker opens the Doors for IoT
Docker opens the Doors for IoT
Dieter Reuter
 
The internet of things in now , see how golang is a part of this evolution
The internet of things in now , see how golang is a part of this evolutionThe internet of things in now , see how golang is a part of this evolution
The internet of things in now , see how golang is a part of this evolution
Yoni Davidson
 
Kali Linux
Kali Linux Kali Linux
Kali Linux
aliabintouq
 
Kalilinux
KalilinuxKalilinux
Kalilinux
almuhairi2000
 
IstioD - From Microservices to Monolithic
IstioD - From Microservices to MonolithicIstioD - From Microservices to Monolithic
IstioD - From Microservices to Monolithic
All Things Open
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel security
smart_bit
 
Shamsa altayer 10bg kali linux
Shamsa altayer 10bg kali linuxShamsa altayer 10bg kali linux
Shamsa altayer 10bg kali linux
shamsaot
 
Security of OpenDaylight platform
Security of OpenDaylight platformSecurity of OpenDaylight platform
Security of OpenDaylight platform
OpenDaylight
 
penetration test using Kali linux seminar report
penetration test using Kali linux seminar reportpenetration test using Kali linux seminar report
penetration test using Kali linux seminar report
AbhayNaik8
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 3
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 3Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 3
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 3
Qualcomm Developer Network
 
Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...
Codemotion
 
Software, Over the Air (SOTA) for Automotive Grade Linux (AGL)
Software, Over the Air (SOTA) for Automotive Grade Linux (AGL)Software, Over the Air (SOTA) for Automotive Grade Linux (AGL)
Software, Over the Air (SOTA) for Automotive Grade Linux (AGL)
Leon Anavi
 
My web application in 20 minutes with Telosys
My web application in 20 minutes with Telosys My web application in 20 minutes with Telosys
My web application in 20 minutes with Telosys
Laurent Guérin
 
Debug, Analyze and Optimize Games with Intel Tools - Matteo Valoriani - Codem...
Debug, Analyze and Optimize Games with Intel Tools - Matteo Valoriani - Codem...Debug, Analyze and Optimize Games with Intel Tools - Matteo Valoriani - Codem...
Debug, Analyze and Optimize Games with Intel Tools - Matteo Valoriani - Codem...
Codemotion
 
BASIC OVERVIEW OF KALI LINUX
BASIC OVERVIEW OF KALI LINUXBASIC OVERVIEW OF KALI LINUX
BASIC OVERVIEW OF KALI LINUX
Deborah Akuoko
 
Introduction to Containers & Diving a little deeper into the benefits of Con...
Introduction to Containers & Diving a little deeper into the benefits of Con... Introduction to Containers & Diving a little deeper into the benefits of Con...
Introduction to Containers & Diving a little deeper into the benefits of Con...
Synergetics Learning and Cloud Consulting
 
CMPE 297 Lecture: Building Infrastructure Clouds with OpenStack
CMPE 297 Lecture: Building Infrastructure Clouds with OpenStackCMPE 297 Lecture: Building Infrastructure Clouds with OpenStack
CMPE 297 Lecture: Building Infrastructure Clouds with OpenStack
Joe Arnold
 
Linux Kernel - An Engineering marvel
Linux Kernel - An Engineering marvelLinux Kernel - An Engineering marvel
Linux Kernel - An Engineering marvel
Emertxe Information Technologies Pvt Ltd
 
Codecamp 2020 microservices made easy workshop
Codecamp 2020 microservices made easy workshopCodecamp 2020 microservices made easy workshop
Codecamp 2020 microservices made easy workshop
Jamie Coleman
 
Kali linux
Kali linuxKali linux
Kali linux
afraalfalasii
 
It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching.
It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching.It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching.
It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching.
All Things Open
 
LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)
LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)
LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)
Docker, Inc.
 
Dedicated embedded linux af Esben Haabendal, Prevas A/S
Dedicated embedded linux af Esben Haabendal, Prevas A/SDedicated embedded linux af Esben Haabendal, Prevas A/S
Dedicated embedded linux af Esben Haabendal, Prevas A/S
InfinIT - Innovationsnetværket for it
 

Mais conteúdo relacionado

Mais procurados

The internet of things in now , see how golang is a part of this evolution
The internet of things in now , see how golang is a part of this evolutionThe internet of things in now , see how golang is a part of this evolution
The internet of things in now , see how golang is a part of this evolution
Yoni Davidson
 
Codecamp 2020 microservices made easy workshop
Codecamp 2020 microservices made easy workshopCodecamp 2020 microservices made easy workshop
Codecamp 2020 microservices made easy workshop
Jamie Coleman
 
It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching.
It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching.It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching.
It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching.
All Things Open
 

Mais procurados (20)

The internet of things in now , see how golang is a part of this evolution
The internet of things in now , see how golang is a part of this evolutionThe internet of things in now , see how golang is a part of this evolution
The internet of things in now , see how golang is a part of this evolution
 
Kali Linux
Kali Linux Kali Linux
Kali Linux
 
Kalilinux
KalilinuxKalilinux
Kalilinux
 
IstioD - From Microservices to Monolithic
IstioD - From Microservices to MonolithicIstioD - From Microservices to Monolithic
IstioD - From Microservices to Monolithic
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel security
 
Shamsa altayer 10bg kali linux
Shamsa altayer 10bg kali linuxShamsa altayer 10bg kali linux
Shamsa altayer 10bg kali linux
 
Security of OpenDaylight platform
Security of OpenDaylight platformSecurity of OpenDaylight platform
Security of OpenDaylight platform
 
penetration test using Kali linux seminar report
penetration test using Kali linux seminar reportpenetration test using Kali linux seminar report
penetration test using Kali linux seminar report
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 3
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 3Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 3
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 3
 
Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...
 
Software, Over the Air (SOTA) for Automotive Grade Linux (AGL)
Software, Over the Air (SOTA) for Automotive Grade Linux (AGL)Software, Over the Air (SOTA) for Automotive Grade Linux (AGL)
Software, Over the Air (SOTA) for Automotive Grade Linux (AGL)
 
My web application in 20 minutes with Telosys
My web application in 20 minutes with Telosys My web application in 20 minutes with Telosys
My web application in 20 minutes with Telosys
 
Debug, Analyze and Optimize Games with Intel Tools - Matteo Valoriani - Codem...
Debug, Analyze and Optimize Games with Intel Tools - Matteo Valoriani - Codem...Debug, Analyze and Optimize Games with Intel Tools - Matteo Valoriani - Codem...
Debug, Analyze and Optimize Games with Intel Tools - Matteo Valoriani - Codem...
 
BASIC OVERVIEW OF KALI LINUX
BASIC OVERVIEW OF KALI LINUXBASIC OVERVIEW OF KALI LINUX
BASIC OVERVIEW OF KALI LINUX
 
Introduction to Containers & Diving a little deeper into the benefits of Con...
Introduction to Containers & Diving a little deeper into the benefits of Con... Introduction to Containers & Diving a little deeper into the benefits of Con...
Introduction to Containers & Diving a little deeper into the benefits of Con...
 
CMPE 297 Lecture: Building Infrastructure Clouds with OpenStack
CMPE 297 Lecture: Building Infrastructure Clouds with OpenStackCMPE 297 Lecture: Building Infrastructure Clouds with OpenStack
CMPE 297 Lecture: Building Infrastructure Clouds with OpenStack
 
Linux Kernel - An Engineering marvel
Linux Kernel - An Engineering marvelLinux Kernel - An Engineering marvel
Linux Kernel - An Engineering marvel
 
Codecamp 2020 microservices made easy workshop
Codecamp 2020 microservices made easy workshopCodecamp 2020 microservices made easy workshop
Codecamp 2020 microservices made easy workshop
 
Kali linux
Kali linuxKali linux
Kali linux
 
It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching.
It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching.It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching.
It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching.
 

Semelhante a Modern IoT and Embedded Linux Deployment - Berlin

Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTInria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Stéphanie Roger
 
Civil Infrastructure Platform: Industrial Grade SLTS Kernel and Base-layer De...
Civil Infrastructure Platform: Industrial Grade SLTS Kernel and Base-layer De...Civil Infrastructure Platform: Industrial Grade SLTS Kernel and Base-layer De...
Civil Infrastructure Platform: Industrial Grade SLTS Kernel and Base-layer De...
Yoshitake Kobayashi
 
Oscon 2017: Build your own container-based system with the Moby project
Oscon 2017: Build your own container-based system with the Moby projectOscon 2017: Build your own container-based system with the Moby project
Oscon 2017: Build your own container-based system with the Moby project
Patrick Chanezon
 
Linux @ IBM © 2003 IBM Corporation
Linux @ IBM © 2003 IBM Corporation Linux @ IBM © 2003 IBM Corporation
Linux @ IBM © 2003 IBM Corporation
webhostingguy
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
PranavPatil822557
 
Linux Implementation ProposalRichard JohnsonWhy Linux .docx
Linux Implementation ProposalRichard JohnsonWhy Linux .docxLinux Implementation ProposalRichard JohnsonWhy Linux .docx
Linux Implementation ProposalRichard JohnsonWhy Linux .docx
croysierkathey
 
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
ICS
 

Semelhante a Modern IoT and Embedded Linux Deployment - Berlin (20)

LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)
LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)
LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)
 
Dedicated embedded linux af Esben Haabendal, Prevas A/S
Dedicated embedded linux af Esben Haabendal, Prevas A/SDedicated embedded linux af Esben Haabendal, Prevas A/S
Dedicated embedded linux af Esben Haabendal, Prevas A/S
 
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTInria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
 
IoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSesIoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSes
 
ERTS 2008 - Using Linux for industrial projects
ERTS 2008 - Using Linux for industrial projectsERTS 2008 - Using Linux for industrial projects
ERTS 2008 - Using Linux for industrial projects
 
Civil Infrastructure Platform: Industrial Grade SLTS Kernel and Base-layer De...
Civil Infrastructure Platform: Industrial Grade SLTS Kernel and Base-layer De...Civil Infrastructure Platform: Industrial Grade SLTS Kernel and Base-layer De...
Civil Infrastructure Platform: Industrial Grade SLTS Kernel and Base-layer De...
 
UniK - a unikernel compiler and runtime
UniK - a unikernel compiler and runtimeUniK - a unikernel compiler and runtime
UniK - a unikernel compiler and runtime
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data Scientists
 
A deep dive into Android OpenSource Project(AOSP)
A deep dive into Android OpenSource Project(AOSP)A deep dive into Android OpenSource Project(AOSP)
A deep dive into Android OpenSource Project(AOSP)
 
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
 
Why the yocto project for my io t project elc_edinburgh_2018
Why the yocto project for my io t project elc_edinburgh_2018Why the yocto project for my io t project elc_edinburgh_2018
Why the yocto project for my io t project elc_edinburgh_2018
 
Oscon 2017: Build your own container-based system with the Moby project
Oscon 2017: Build your own container-based system with the Moby projectOscon 2017: Build your own container-based system with the Moby project
Oscon 2017: Build your own container-based system with the Moby project
 
Linux @ IBM © 2003 IBM Corporation
Linux @ IBM © 2003 IBM Corporation Linux @ IBM © 2003 IBM Corporation
Linux @ IBM © 2003 IBM Corporation
 
The Ultimate List of Opensource Software for #docker #decentralized #selfhost...
The Ultimate List of Opensource Software for #docker #decentralized #selfhost...The Ultimate List of Opensource Software for #docker #decentralized #selfhost...
The Ultimate List of Opensource Software for #docker #decentralized #selfhost...
 
Survey of Container Build Tools
Survey of Container Build ToolsSurvey of Container Build Tools
Survey of Container Build Tools
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
 
Docker Seattle Meetup, May 2017
Docker Seattle Meetup, May 2017Docker Seattle Meetup, May 2017
Docker Seattle Meetup, May 2017
 
Linux Implementation ProposalRichard JohnsonWhy Linux .docx
Linux Implementation ProposalRichard JohnsonWhy Linux .docxLinux Implementation ProposalRichard JohnsonWhy Linux .docx
Linux Implementation ProposalRichard JohnsonWhy Linux .docx
 
DockerCon 2017 - General Session Day 1 - Solomon Hykes
DockerCon 2017 - General Session Day 1 - Solomon HykesDockerCon 2017 - General Session Day 1 - Solomon Hykes
DockerCon 2017 - General Session Day 1 - Solomon Hykes
 
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
 

Último

Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
pxcywzqs
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
EleniIlkou
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
Monica Sydney
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Monica Sydney
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Priya Reddy
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Monica Sydney
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 

Último (20)

Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 

Modern IoT and Embedded Linux Deployment - Berlin

  • 1. Modern Deployment for Embedded Linux and IoT All Systems Go! 2017 October 21-22, Berlin Djalal Harouni @tixxdz tixxdz@gmail.com Modern Deployment for Embedded Linux and IoT - All Systems go! 2017, Berlin
  • 2. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Agenda ● Background ● Embedded Linux and IoT Security ● Kernel Hardening and Kernel Self Protection Project ● Lightweight Containers ● systemd Sandbox Model ● Software Update Mechanisms ● Challenges
  • 3. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Background
  • 4. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Background Embedded Linux or Linux-based IoT devices ● Today, Linux is everywhere ● Most of us have at least 3 or 4 Linux based devices ● By IoT we mean Devices that run Linux, smart gateways, IoT devices connected to internet, etc
  • 5. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Background Embedded Linux Apps ● Some Embedded Linux Apps look more like PC Apps ● Big-Data Science fields and IoT devices are driving Engineers and Programmers to do more Embedded Programming ● Javascript, node.js, golang, etc being used to deploy Apps Note: most of these developers are new or won’t care about lower layers. The lower layers or system layers are hard and expensive.
  • 6. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Embedded Linux and IoT Security
  • 7. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Embedded Linux and IoT Security Board + Yocto Layers Hardware Linux OS Root Filesystem (userspace) Apps Embedded Linux System Value Runtime (Yocto Layers) Runtime: ● Open Source ● +hardware +Apps == Use Case ● Defines the Security dimensions ● Large ● Can be updated
  • 8. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Embedded Linux and IoT Security Embedded Linux - Runtime ● Constitute most of the code: Complex ● Runs with higher privileges: Kernel and third party drivers run at CPU/hardware Privileged Mode Userspace runs at CPU user mode, with higher software privileges Apps on top are not sandboxed ● No planned Software Update mechanisms (or not perfect)
  • 9. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Embedded Linux and IoT Security Bugs and Vulnerabilities lifetime Analysis by Kees Cook on Ubuntu CVE tracker 2011-2016: Critical: 3 @ 5.3 years High: 59 @ 6.4 years Medium: 534 @ 5.6 years Low: 273 @ 5.6 years Source: https://outflux.net/blog/archives/2016/10/20/cve-2016-519 Note: Numbers from Ubuntu CVE, most of them were Patched
  • 10. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Embedded Linux and IoT Security Bugs and Vulnerabilities lifetime By Kees Cook: https://outflux.net/blog/archives/2016/10/18/security-bug-lifetime/
  • 11. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Embedded Linux and IoT Security Embedded Linux - Android - Kernel Vulnerabilities User space <==> kernelspace is Abused or Misused. copy_from_user() - copy_to_user() “Since 2014, missing or invalid bounds checking has caused about 45% of Android's kernel vulnerabilities.” by Sami Tolvanen, Android Security Source: https://android-developers.googleblog.com/2017/08/hardening-kernel-in-android-oreo.htm L
  • 12. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Embedded Linux and IoT Security Embedded Linux - Vulnerabilities BrickerBot targets cameras, DVRs, and IoT with busybox telnet Pictures from https://arstechnica.com article
  • 13. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Embedded Linux and IoT Security Modern Deployment of Embedded Linux and IoT Or How to Secure your Linux-based IoT Devices Or How to keep your Devices alive
  • 14. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Kernel Hardening and Kernel Self Protection Project KSPP Logo
  • 15. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Kernel Hardening and KSPP Kernel Hardening ● Access Control and Linux Security Modules ● Protecting User Space Kernel Self Protection Project more than that ● Linux kernel ability to protect itself ● Reduce the kernel attack surface ● Managed by Kees Cook and lot of contributors: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
  • 16. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Kernel Self Protection Project Attacks and Exploits ● Use multiple bugs and vulnerabilities ● Need to know the target, memory layout, etc Objectives ● Eliminate or reduce exploitation targets and methods ● Eliminate or reduce information leaks ● Modify and Adopt some features from grsecurity/PaX patches
  • 17. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Kernel Self Protection Project Embedded Linux Security - Kernel Protections ● CONFIG_HARDENED_USERCOPY Performs extra size checks on user copy ● CONFIG_FORTIFY_SOURCE Checks string memory at compile time or runtime ● CONFIG_STRICT_KERNEL_RWX Make kernel text and rodata read-only. Kernel version of W^X ● CONFIG_STRICT_DEVMEM=y and CONFIG_IO_STRICT_DEVMEM=y restrict physical memory access. ● CONFIG_SECCOMP=y and CONFIG_SECCOMP_FILTER=y allows userspace to reduce the attack surface. ● STATIC_USERMODEHELPER=y Force all usermode helper calls through a single binary
  • 18. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Kernel Self Protection Project Embedded Linux Security - Kernel Protections ● CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 Disallow allocating the first 32k of memory ● CONFIG_CPU_SW_DOMAIN_PAN=y Enable PXN/PAN Emulation, protect kernel from executing user space memory Guide: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Setti ngs
  • 19. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Kernel Self Protection Project Our Work in Progress: Modernization of proc file system - Eliminate Information Leaks ● Each new /proc mount will be a total separate instance ● Ability to hide processes without PID Namespaces (saves resources) ● No Kernel data or other files in /proc. Only /proc/<pids>/ by Alexey Gladkov ● Reduce /proc burden on other Security and Linux features. Development branch: https://github.com/legionus/linux/commits/pidfs-v4 By Djalal Harouni, Alexey Gladkov and Feedback from Andy Lutomirski
  • 20. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Kernel Self Protection Project Our Work in Progress: Automatic Module Loading Protection - Reduce kernel Attack Surface ● Will block auto-loading vulnerable drivers or modules The 11 year old DCCP double free vulnerability CVE-2017–6074 (Root exploit) kernel: Local privilege escalation in XFRM framework CVE-2017–7184 (Owned Ubuntu) ● Enabled by a global sysctl switch or a per-process tree flag ● Embedded Systems should reduce the ability to load modules at all. V4 https://lkml.org/lkml/2017/5/22/312, V5 soon. By Djalal Harouni, feedback from Andy Lutomirski, Kees Cook, Solar Designer and others.
  • 21. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Kernel Self Protection Project Our Work in Progress: Generalize Yama Linux Security Module behaviour ● Yama blocks processes from controlling other processes (origin grsecurity) ● A sysctl flag is used to control Yama Future: ● Generalize Yama simple behaviour on other interfaces and system calls ● A global sysctl flag or a per-process tree flag for sandboxes ● No policy for easy integration with Yocto and Embedded devices
  • 22. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Linux Containers or Lightweight Containers
  • 23. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Lightweight Containers Why Containers on Embedded and IoT devices ? ● Modern Deployment workflow ● Isolation of Apps ● Allow Virtualization of some Resources with less overhead Examples: Resin OS - An Embedded Linux tailored for Containers Resin OS uses Yocto and supports many embedded devices and boards
  • 24. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Lightweight Containers Linux Containers: ● A better develop and ship workflow ● Isolates Apps and their resources ● Sandbox mechanism Disadvantages for Embedded Linux: ● A Container format ? ● Uses lot of Linux Technologies ? ● Over-engineered ? (Contain hacks ?) ● Heavy, too much processes
  • 25. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Lightweight Containers Containers Ecosystem Comparison Source: https://coreos.com/rkt/docs/latest/rkt-vs-other-projects.html
  • 26. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Lightweight Containers Solution for Embedded Linux ? systemd Portable Services/Apps or Lightweight Containers
  • 27. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Portable Apps/Lightweight Containers Why systemd in Embedded Linux ? ● Resource management ? ● More than three Apps running ? ● Integrated Watchdog support ? ● Socket activation - run Apps on-demand ? ● Logging ? ● Easy Apps Sandboxing ? If no, maybe a simple init + minimal sandbox tool
  • 28. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Portable Apps/Lightweight Containers In Embedded: systemd Contained App Portable App Portable App Portable App with its dependencies + Sandbox Mechanism Without systemd-nspawn
  • 29. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Portable Apps/Lightweight Containers systemd portable Apps/Lightweight Containers: ● For now only Linux Mount Namespaces - cheap ● Network Namespaces used to disconnect / block network access Advantages: ● All Apps are able to work in Mount Namespaces ● No need to adapt or package your App using a specific format ● Avoids Container Managers complexity and hacks ● Avoids abusing other Linux features to workaround other misbehaviour
  • 30. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Sandbox Model
  • 31. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Sandbox Model File system Sandbox: RootImage= Root filesystem of the App PrivateDevices= Private /dev without physical devices BindPaths=, BindReadOnlyPaths= Makes files available, make /dev watchdog available inside sandbox! User Privileges Sandbox: DynamicUser= Run Apps under different User (Unix UID/GID). The UID is allocated dynamically and released on stops. Allowing IoT devices to follow Android model: each App is executed under a different user. NoNewPrivileges= No new privileges through execve().
  • 32. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Sandbox Model Network Sandbox: PrivateNetwork= disconnect internet access IPAddressDeny= All traffic from and to this address/mask will be blocked. IPAddressAllow= The whitelist or permitted IP address/network mask list. To block raw packets AF_PACKET RestrictAddressFamilies=~AF_PACKET (blacklisting mode).
  • 33. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Sandbox Model Kernel attack surface reduction: RestrictNamespaces= Restrict Access to Linux namespaces ProtectKernelTunables= Blocks tuning Kernel parameter, /proc and /sys read-only. ProtectKernelModules= Blocks Apps from explicitly loading or unloading modules. SystemCallFilter= Seccomp system call filtering: “@reboot” Block all related reboot system calls. “@module” Block all kernel module system calls. “@mount” Block all file system mount and umount system calls. All this is Opt-IN
  • 34. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Sandbox Model - Future ● systemd needs to adapt It was intended to experienced service developers and SysVinit experts. Today users are more familiar with Containers and Apps. ● New Sandbox Mechanism for Contained APPs - new Runtime mode ? ACCESS_INTERNET , PRIVILEGED_ACCESS_INTERNET ADMIN_SYSTEM_TIME , ADMIN_SYSTEM_TIME_ZONE ADMIN_SYSTEM_MANAGER , ADMIN_SYSTEM_NETWORK https://github.com/systemd/systemd/pull/6963
  • 35. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin systemd Sandbox Model - Future ● New Sandbox Mechanism for Contained APPs - new Runtime mode ? Seccomp policy mutation : “@privileged” , “@container”, “@basic” and “@default” groups + Linux Capabilities + Abstracted Permissions https://github.com/systemd/systemd/pull/6963 ● systemd needs better integration into Embedded and IoT devices ● More user friendly features
  • 36. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Software Update Mechanisms
  • 37. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Software Update Mechanisms - OTA Update ● IoT Devices are exposed to Internet BrickerBot reports say that it damaged > 2.000.000 IoT devices No complex 0day vulnerability exploit Fix: it only needed a configuration Update to close telnet !? ● Robust Embedded and IoT have to support a Software Update Mechanisms Fix development bugs Fix known and unknown vulnerabilities
  • 38. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Software Update Mechanisms - OTA Update Requirements: ● Secure: TLS, supports Image signing ● Atomic Update supports - Usually switch from A to B ● Ability to fall back on update failures ● Etc Mechanisms: ● Dual Root Partition: A/B ● Other approaches based on App/Container update: Resin OS
  • 39. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Software Update Mechanisms - OTA Update Mechanisms: ● Dual Root Partition: A/B ● Two file system Images: Boot A There is an Update - Download delta A is a reference to B Write B switch boot ● Work in progress: casync to stream updates - block layer support ● Traditional tools: xdelta/VCDIFF
  • 40. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Software Update Mechanisms - OTA Update Ready Solutions compatible with Yocto: ● Mender.io Open Source tool for updating your embedded devices safely and reliably New: ● rauc Safe and Secure Others: ● Resin OS updater
  • 41. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Challenges
  • 42. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Challenges Adoption ? All this is already in Yocto!
  • 43. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Thanks to Daniel Mack and Lennart Poettering
  • 44. Modern Deployment for Embedded Linux and IoT - All Systems go conf! 2017, Berlin Questions ? Feel free to contact me about topics: tixxdz@gmail.com Djalal Harouni