1/21

Dominig ar FollSenior Software Architect

Intel Open Source

IoT Summit 2016, Berlin, DE dominig.arfoll@fridu.net

Attacking IoT, a viable business➢ Ransom model➢ Stall manufacturing➢ Immobilise expensive items (e.g. your car)➢ …

➢ Competitive advantage➢ Collecting R&D, manufacturing data➢ Disturbing production line

➢ Indirect➢ Cheap robot for DDoS➢ Easy entry point

3/21

Understanding the risks

DeveloperFix all possible weaknessesDeactivate possible users errorsLTS assumed for free

Back HatOnly need one security hole Can be help by careless usersGood long term business opportunitiesGood international network

4/21

Security fundamentalsMinimise surface of attackControl the code which is runProvide a bullet proof update modelTrack security patchesUse HW security helpers when availableLimit lateral movement in the systemDevelop and QA with security turned onDo not rely on human but on platform and tools

Security cannot be added after the fact

Do not rely on human➢ Security experts are out of reach➢ 9M Mobile Developers➢ 8M Web Developers➢ 0.5M Embedded Developers➢ How many Embedded Security Developers ?

➢ Human are unreliable➢ We do not have the time now➢ Oups, it’s too late to change it➢ No one is interested by our system➢ We are too small➢ ...

6/21

Concepts are Knownbut what about implementation?

EPIDID Management

EPIDID Management

TPMPrivate/Secure Store

TPMPrivate/Secure Store

UEFISecured Boot

UEFISecured Boot

Linux Kernel with up-to-date patchesLinux Kernel with up-to-date patches

SoC Specific drivers

Harden OS servicesHarden OS services

Mandatory Access ControlIntegrityName SpaceFirewallSafe updateEncryptionID/Key protection

API API

Untrusted Apps / MiddlewareUntrusted Apps / Middleware Full isolation

SigningRepo createDebugCustomizeSoC Drivers

SigningRepo createDebugCustomizeSoC Drivers

Default policiesDebugSample codeHowTo

Default policiesDebugSample codeHowTo

AppFWApp DebugApp Packaging

AppFWApp DebugApp Packaging

Tools-DocTools-Doc Software running onTargetSoftware running onTarget

7/21

Know who/what you trust➢ Trusted Boot : a MUST Have Feature

➢ Leverage hardware capabilities➢ Small series & developer key handling

➢ Application Installation➢ Verify integrity➢ Verify origin➢ Request User Consent [privacy & permissions]

➢ Update➢ Only signed updates with a trusted origin➢ Secured updates on compromised devices are a no-go option➢ Factory reset built-in from a trusted zone➢ Do not let back doors opened via containers➢ Strict control of custom drivers [in kernel mode everything is possible]

8/21

Layered Architecture➢ Client/UI (untrusted)

➢ Risk of code injection (HTML5/QML)➢ UI on external devices (Mobiles, Tablets)➢ Access to secure service APIs [REST/WS]

➢ Applications & Services (semi-trusted)➢ Unknown developers & Multi-source➢ High-grain protection by Linux DAC & MAC labels.➢ Run under control of Application Framework: need to provide a security manifest

➢ Platform & System services (trusted)➢ Message Services started by systemd➢ Service and API fine grain privilege protection➢ Part of baseline distribution and certified services only

9/21

Bullet proof update and IDUpdate is the only possible correctionl Must run safely on compromised devicesl Cannot assume a know starting point

Compromised ID / keys has no returnl Per device unique ID l Per device symmetric keysl Use HW ID protection (e.g. EPID)

Non reproducibilityl Breaking in one device cannot be extendedl Development I/O are disabledl Root password is unique (or better a key)l Password cannot be easily recalculated

10/21

A practical example (AGL)

Applicable to any Industrial IoT Linux

11/21

Service isolationRun services with UID<>0 SystemD is your friendl Create dedicated UID per servicel Use Linux MAC and Smack DAC to minimise open AccessDrop privilegesl Posix privilegesl MAC privilegesC-goupsl Reduce offending powerl RAM/CPU/IOName Spacel Limit access to private datal Limit access to connectivity

https://www.kernel.org/doc/Documentation/cgroups/cgroups.txthttps://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/capfaq-0.2.txthttp://man7.org/linux/man-pages/man7/namespaces.7.htmlhttps://en.wikipedia.org/wiki/Mandatory_access_controlhttps://en.wikipedia.org/wiki/Discretionary_access_control

12/21

Segregate Apps from OS➢ Application Manager

➢ One system daemon for application live cycle installs, update, delete➢ One user daemon per user for application start, stop, pause, resume➢ Create initial share secret between UI and Binder➢ Spawn and controls application processes: binder, UI, …

➢ Security Manager

➢ Responsible of privilege enforcement➢ Based on Cynara + WebSocket and D-Bus for Legacy)

➢ Application & Services Binders➢ Expose platform APIs to UI, Services, Applications➢ Loads services/application plugins :Audio, Canbus, Media Server…➢ One private binder per application/services [REST, WebSocket, Dbus]➢ Authenticate UI by oAuth token type➢ Secured by SMACK label + UID/GIDs➢ AppBinders runs under user $HOME

13/21

AGL2 Application Security

Agent-2 Car Environement

Agent-3 Engine

Agent-4 Remote Signal

CAN Bus-A

LIN Bus-A

Audio

CAN Bus-B

Cluster-Unit

...

Smart City

RVI

Cloud

Transport + Acess Control

Navigation Service

Carte handling

POI management

etc...

Log/Supervision Service

Carte handling

POI management

etc...

MultiMedia Service

Media Player

Radio Interface

etc...

Distributed Application Architecture

MAC Enforcement

Smack

Cgroups NameSpace Containers

Application Framwork Live Cycle ManagementSt

art,S

top,

Paus

e,In

stal

l,Rem

ove,

...

14/21

AGL2 AppFW logic

15/21

To write an App➢ Write back-end binding

➢ Adds the specialised API to the system➢ Accessible by Web Socket or slow legacy D-Bus➢ Run in its own security domain➢ Can be cascaded

➢ Write the Front end➢ Typically in HTML5, QML but open to any➢ Connect to back-end binding using REST with secured key (OAuth2)➢

➢ Package➢ Based on W3C widget➢ Feature allow to handle AGL specificities➢ Install via the AppFW

16/21

AGL2+ Distributed Architecture

Cluster

Carte handling

Localistion management

POI

CAN GPS

Geopositioning Virtual Signal

Multi ECU & Cloud Aware Architecture

Entertainement

CAN-BUS Virtual Signal

Gyro, AcelerometerCAN-BUS

LIN-BUS

Engine-CAN-BUS

ABS

Transport & ACL

Head Unix

Direction Indication

Cloud

Log Analytics

No-SQL Engine

Statistics & Analytics

Transport & ACL

My Car Portal

Paiement

Subcriptions

Preference

Preferences &

Custumisation

MongoDB Engine

Paiement Service

Cluster Virtual Signal

Transport & ACL

Navigation Service

Maintenance Portal

Know Bugs

Maintenances

Service Packs

17/21

AGL2++ Virtualised Architecture

Hardware

Trusted Zone

Hypervisor

Mor

e Pr

ivile

ges

Less

Priv

ilege

s

AGL Linux Kernel Guest Operating

Linux-RT/Microkernel Guest Operating

AGL Core Plateform Services

AGL Extra Middleware

AGL

App-

1

AGL

App-

2

AGL

App-

3

DomU Entertainment

Ap

p-1

Ap

p-2

AGL Mini Plateform Services

DomU Cluster

Trusted Apps

AGL Linux Supervisor

PK

I sa

fe S

tore

Inte

gre

ty c

on

tro

l

Re

sso

urc

es

Allo

c/P

orx

y

Em

erg

en

cy

Se

rvic

es

Trusted Boot

DOM0 controller

Virt GPU

Virt Audio

Virt GPU

Virt Audio

Dia

gn

isti

cs

Virtualized Secure Architecture

Container

18/21

Conclusion➢ Technologies are available

➢ Secure boot, Secure zone➢ Update over the air➢ Isolation and containment➢ Tools and training

➢ Management is not ready➢ Still perceived as a nice to have➢ Too risky to commit

➢ Engineering sees security as a brake to innovation➢ Requires a serious personal investment and paradigm shift➢ Complexity imposes to select a “Ready Made” solution

➢ AGL, Tizen, Snappy, ...➢ “Will add it later” attitude is common but a guaranteed model to failure

Questions

IoT Summit 2016, Berlin, DE dominig.arfoll@fridu.net

20/21

Container "A mixed blessing"Easy to usel Detach the App from the platforml Integrated App managementl Well knownNot very securel Unreliable introspectionl MAC has no power on the inside of a containerl Updating the platform does not update the l middlewarel Beside the Kernel each App provide its own version l of the OSl Each App restart requires a full passing of credentiall RAM and Flash footprint are uncontrollablel Far more secured with Clear Container but not applicable to low end SoC.Only I/O via networkl Well equipped for Rest APIl All other I/O requires driver level access or bespoke framework.

https://www.opencontainers.org/https://lwn.net/Articles/644675/

21/21

Security Check listControl which code you runl Secure bootl Integrityl Secure updateIsolate servicesl Drop root when possiblel Drop privilegesIsolate Appsl Apps are not the OSl Enforce – restrict access to standard APIIdentityl Enforce identity unicityl Use available HW protectionEncryptionl Network trafficl Local storage

Control image creationl No debug tool in productionl No default root passwordl No unrequired open portContinuous integrationl Automate static analysisl QA on secured imageHelp developerl Integrate security in Devel imagel Provide clear guide linel Isolate Apps from OSl Focus on standardised Middleware