For this topic we will discuss some kernel hardening and kernel self-protection projects.

Today we all have Linux: we have at least three or four devices at home running Linux, and there is also a lot of IoT using Linux. In this context, when we talk about IoT, we mean IoT devices using Linux, smart gateways using Linux, and so on. Most of the apps developed there are written in Go, and they rarely use C; C is only used for a system service or something. Most of the apps are based on Go or Node.js or JavaScript; this is the latest tendency from the last months. The important note that we did notice is that most of the parties here don't really care about the low level of the embedded system. Usually they lack a bit of the background on these devices or systems, but also the low layer of the system is too complex.

So this is a typical embedded Linux system image. You have the apps, where each vendor has its value, and you have the runtime, which is basically, if you build your embedded Linux based on Yocto (I guess everyone who deals with embedded Linux knows at least Yocto), so if you are using Yocto you basically have
the hardware, and then you have some layers that define your embedded system, or basically you can define the Linux kernel, which version, which configuration, and then you have your user space root apps, and then you can have your app on top. Basically this runtime is usually too complex for most app developers that develop in JavaScript or Node.js, so for everyone this layer is really too complex. It's complex, but they also use it because it's open source, so anyone can just plug in that runtime and he can just have an embedded system. However, as I said, it's too complex because it constitutes most of the code, so basically you have a big, big codebase, and that's the one with higher privileges: the kernel runs with the higher privileges. On the CPU hardware on ARM you have the privilege levels; basically in x86 the hardware CPU has what are called rings, different rings where the kernel, the operating system, and the user space are separated. In ARM you have the privilege level, and basically on ARM the kernel runs on privilege level one, which is the higher hardware privilege; you have the user space that runs at privilege level zero, and on top you have most of the apps that are developed, that are deployed; they also run with higher user privileges, with software privileges. In my experience most of these apps are not sandboxed and they run with higher privileges. The other bad thing is that there is no planned software update mechanism: most of the vendors or most of the constructors just use a hack, or you can say a local software, to update the embedded system, but usually that's not perfect, so it can't resist the future.

So this is an example of the lifetime of bugs and vulnerabilities. This analysis was done by Kees Cook; it was on Ubuntu server, of course, not on embedded Linux systems, it was on Ubuntu. It was done by Kees Cook and it shows the lifetime of vulnerabilities from where they were introduced to where they were fixed or patched. So we have critical vulnerabilities: there were like three, and it took like five years to discover these critical vulnerabilities. These critical vulnerabilities allow at least to compromise the full system. You can see the figures: we have high vulnerabilities, like six years; we have medium vulnerabilities, also five years; and low. One important thing here is that these vulnerabilities mostly were patched, so they are fixed, but on embedded systems, on IoT devices, most likely these vulnerabilities, if they are there, will never be patched. So this is another figure, also from Kees Cook's analysis; you can see that basically this was done from kernel 2.6 to 4.8, and you can see the figures from high vulnerabilities to medium to low.

So in embedded devices, IoT vendors, or even in Android, there are a lot of types of vulnerabilities, and most of the vulnerabilities that always come, even when you have special software and your vendor is developing special drivers for you, usually one of the vulnerabilities that always comes is when you transfer data between the user space and the kernel space. So there are drivers which have calls from user space to kernel space to transfer the data back and forth. Even in Android there's this statement from Sami, and he says that since 2014 missing or invalid bounds checking has caused about 45% of Android kernel vulnerabilities, and this is only the kernel. So in Android, more, and I guess most of these vulnerabilities or bugs were in third-party vendor code, maybe in the kernel but also in third-party vendor drivers. Also we have user space vulnerabilities or bugs or whatever.

So yesterday I talked about BotNetWars from DrewMosli; he did go through all these details. Basically he also spoke about the BrickerBot, which targets IoT devices, from cameras to anything, and this bot
basically just doesn't use any zero-day exploit; this bot just connects to the telnet port and tries devices that have default passwords and just drops in there, and according to the source they said that this bot had affected more than 2 million devices. If you can see the figures, basically it just tries to erase the disk and make your device useless. So that's why our topic, when we speak about modern deployment of embedded Linux, basically in this context we mean how to secure your Linux and of course to keep it alive.

So first we will start with the kernel. There's this project, the kernel hardening, and there's the kernel self-protection project. The kernel self-protection project is a new project; it's managed by Kees Cook. Basically the kernel hardening is where you have to apply some access control, some other things; basically it tries to kill attacks, exploitations, and it tries to make the kernel a bit smart so it can protect itself. There's the link if you are interested to check the project. Usually in the kernel, when there's a sophisticated attack, usually they try to use multiple bugs and vulnerabilities to exploit, so they chain multiple vulnerabilities and exploits to get root access, but to achieve that they also need to know the target: the memory layout, what's running, what protections; they need to gather information. So the objective of the kernel self-protection project is to reduce these exploitation techniques, to reduce the attack surface, and most of this comes of course from the grsecurity/PaX patches, and it was adopted and modified and upstreamed.

So first we will see a bit of kernel configuration that can be easily activated and make sure to protect your embedded Linux or your IoT device. As I said before, there is that user space/kernel space transfer that most third-party vendors abuse or misuse, and this configuration, which was added recently into the kernel, allows to perform extra size checks. So the kernel before used to check the user space, but there were not that many checks from the kernel, and now if you activate this configuration and there are some misuses by the driver or something, most likely your device will bug, because this configuration also allows to check bugs or misuses of the kernel transfer between user space and kernel space. There's also CONFIG_FORTIFY_SOURCE, which allows to also harden some string and memory functions. There's CONFIG_STRICT_KERNEL_RWX, and basically this allows to protect the kernel memory, which is like either write or execute, not both. There are other configurations; you can all see them. So there's the config which you can basically use to protect your kernel from NULL dereferences, which can be used to exploit: someone from user space can just map a zero address and he can just put some shellcode there, and the kernel, if it tries to execute that... So all these protections will allow you to protect your embedded Linux IoT, and we have all this, but there are more, so you can follow the link above and you can just activate all these options.

So right now we are also working, as part of the kernel self-protection project, on modernization of procfs. Basically most Linux users know procfs; procfs is like a virtual filesystem which is an interface from the kernel to allow you to check kernel data, check a lot of information about your system. But right now the internal implementation is not that optimal, so it doesn't allow to improve security. Right now we are working to improve procfs, to allow multiple separate instances of procfs. Right now in the kernel, when you mount a procfs inside the same PID namespace, usually it's just a mirror, so it's not a totally different procfs. We are trying to improve that, and basically we did even achieve a procfs without the kernel files, so only proc and the processes, so you can just read the processes inside proc and there will be no kernel files or kernel data, which basically prevents information leaks that can be used by exploits. We did implement this and it also can be used by sandboxes; it's in discussion, but I think it will get in.

So we also have automatic module loading protection. Basically the Linux kernel supports two module loading operations: there is the explicit one and there is the automatic one. The explicit one is when you tell the kernel "please load this module", and the automatic one is when the kernel loads a module on your behalf, so we don't know, we just request a feature that is not supported and the kernel automatically loads it. That's a nice feature of Linux, of course, because it allows to serve a lot of use cases and users don't bother with that, but attackers also will abuse this. There was this vulnerability, the DCCP vulnerability, that is like 11 years old, that can allow you a root exploit. There is also the XFRM framework, which is an IP framework to do IPsec, which was used to exploit Ubuntu. In this security context we are working on automatic module loading protection, basically to prevent this: if you set a flag on your init or your sandbox, this will prevent the kernel from loading any extra modules, especially vulnerable ones or the ones that you don't trust. Most importantly, in embedded Linux usually you should not allow loading extra modules at all, or only modules that you trust. So this patch, I think version 5, is coming soon, and I think we had a lot of feedback, and thanks to the reviewers of course.

So we are also working on the Yama Linux security module, basically just to try to generalize its behavior, which protects processes from accessing the memory of or controlling other processes.

So let's come back to Linux containers and lightweight containers. So first, why containers on embedded Linux? Most importantly, containers are a bit too heavy, but they allow
to solve a lot of cases: they allow a modern deployment workflow which is easy, they allow isolation of apps, and they allow also to do some host virtualization. There is an example: if you have been using resinOS, by the resin guys, basically they are using containers to deploy embedded Linux devices. This is a typical image of embedded Linux containers; you can see that Linux containers basically just use Linux kernel features. The thing for embedded Linux is that most of the container managers define a runtime format which is a bit heavy for your embedded Linux. Some of them are like over-engineered: they have some features, some hacks to hide some other workarounds or some other misbehavior, and they have too many processes. So this picture, I took this picture from the CoreOS website, and basically you can just do a comparison here between containers, and you can see that each container tries to spawn another process, and another systemd, and another systemd spawns again rkt, and you see rkt may spawn and spawn other stuff; same for Docker. So all this is a bit heavy.

So the solution is maybe in systemd, but let's see first why you should use systemd in embedded Linux, otherwise you may not need it at all. So if you use resource management, if you have at least more than 3 or 4 apps, if you want easy watchdog integration, if you need socket activation, most likely then you need at least systemd, and even more importantly if you need a mechanism that you can use; otherwise you can just go with a simple init and that's it.

So to continue the talk about systemd in embedded Linux, the picture that we have is that we can just allow systemd to just spawn like a container app, that's it, without anything. Right now in systemd there's already support for that. So there are different technologies; we don't use most of them, we only use mount namespaces to just give an application a view of its file system, and mount namespaces are really cheap, so they don't cost that much. We have a bit of support for network namespaces, but just to sandbox the application and to disconnect internet access. I think one of the use cases that may come is that we integrate network namespaces, so most embedded systems do need some network configuration; they can use the ip tool without using any extra solution. So all this has the advantage that you don't have to adapt or use a container directly in your embedded system, and if you are already running systemd you can just take full advantage of it directly, so we don't need any extra complexity from container managers.

So I think Lennart gave a talk yesterday about the systemd sandbox model. Basically you can now in systemd just have apps contained with a root image, so basically you can just have a root filesystem for your app, and these can be deployed. Private devices: this can be on top of the root image, so if you don't want to give your app access inside the embedded system, if you don't want to give it access to real hardware or devices. Most of the apps, or most of the embedded systems, need some watchdog access; you can use the bind path feature, so you can bind the watchdog and make it accessible inside your sandbox, so your app can be sandboxed but can also talk to the watchdog. Recently there was a new nice feature in systemd to support dynamic users. Everyone knows that in Android most of the apps can run with a different user ID; with dynamic users, this allows to emulate a bit of that behavior, where each app can run with a different user ID. We have network sandboxes, you can all check them in our documentation, and we have also features to restrict the kernel attack surface. However, all these features are opt-in, and basically it's a bit difficult to specify them, especially if we are coming from JavaScript users, Go developers. So I think that systemd at first was intended to serve the service developers, the sysadmin experts, but now most of the users are also like app users, containers, and I think that systemd needs to adapt. So basically I think that we need to introduce a new runtime or something, and we need to ... we want to use a network, and we need to port ... can do admin system time zone, we can do admin system manager, all access to the systemd managers; we can just block apps from accessing systemd ... We are also discussing a new sandbox based on seccomp, where we will organize basically apps on what's the behavior of the app ... If you want to take the container apps to the system, whether you need some basic access to the system or maybe you need privileged access, and we need to abstract that so it will make it more useful to our users. And the other feature, I think that we need to improve systemd integration into embedded and IoT devices, because it's a bit big, I have to say that.
The third topic is the software update mechanism. So as I have said, the IoT devices are now exposed; there was the BrickerBot, which, as I said, didn't even use a zero-day vulnerability. So even if you don't protect that simple thing, maybe you have first to start with this, protecting your telnet, protecting your ports, before applying more complex security features, and it did hit like 2 million IoT devices. Of course robust IoT devices need a robust software update mechanism. There are several requirements; they were already discussed in previous talks. The most robust mechanism is usually the dual boot partition, when you have two partitions and boot from this one and switch to the other one. Right now we have the casync tool that may help to stream updates; it has also support for block layers. Lennart has a talk after that, so we will discuss it more there. There are also traditional tools like xdelta, where you can just build on top of them, but they are most basic tools. There are also ready solutions that are compatible with Yocto: there is the Mender solution to do software updates, there is the new tool, I hope that they get this feeling right, sorry, and there is also the resinOS updater that is part of the resinOS system. The challenge is adoption, how we can adopt this. And thanks to Daniel Mack and Lennart Poettering for some input, and that's it.

About your new security model for systemd, do you intend that there's some kind of baseline option which implies a bunch of the other settings, which can then be selectively overwritten by specifying those settings anyway? About your new security model for systemd, if you go a couple of slides back, you've got these new admin things.

No, no, this is still in discussion.

So I'm trying to understand what you meant. Do you mean these as some kind of security preset which simply implies a lot of the other options using a suitable default value, which you can then later override by specifying such options?

Yeah, yeah, maybe. So we are still in discussion, but maybe it will be that, yeah, okay.

What's the outlook on your procfs patches, when is it going to get in?

So we are seeing where the procfs patches are. There's already a branch, I think, yeah, so the procfs patches are on top of my patches. We have already an update, but right now I was planning a new version, but there's a bug between the kernel and dracut, to boot the kernel. So I think just after this conference we will submit another version of the patches, and we have a lot of feedback from Kees Cook and ... and I think that most of the guys did agree on the patches, so I think that's just a matter of time, I can say. So thank you.
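As an added example (not code from the talk or its speaker), this POSIX shell script audits a kernel .config for the kernel self-protection options the talk walks through: user/kernel copy checks (assumed here to be CONFIG_HARDENED_USERCOPY), CONFIG_FORTIFY_SOURCE, CONFIG_STRICT_KERNEL_RWX, protection against mapping page zero (CONFIG_DEFAULT_MMAP_MIN_ADDR), and module loading an embedded image usually wants off. The option list, the mmap_min_addr threshold and the sample .config are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not from the talk: audit a Linux kernel .config for the
# self-protection options the speaker names and for module loading that an
# embedded image usually does not want. Option names follow recent mainline
# kernels (assumption); adapt the lists to your kernel version.

WANT_SET="CONFIG_HARDENED_USERCOPY CONFIG_FORTIFY_SOURCE CONFIG_STRICT_KERNEL_RWX"
WANT_UNSET="CONFIG_MODULE_FORCE_LOAD CONFIG_DEVKMEM"
MIN_MMAP_ADDR=32768   # assumed floor; common ARM default (x86 uses 65536)

# kconfig_audit FILE: print one line per finding; the exit status is the
# number of findings, so 0 means the config passes every check.
kconfig_audit() {
    cfg="$1"
    n=0
    for opt in $WANT_SET; do
        grep -qx "$opt=y" "$cfg" || { echo "missing: $opt=y"; n=$((n + 1)); }
    done
    for opt in $WANT_UNSET; do
        grep -qx "$opt=[ym]" "$cfg" && { echo "enabled: $opt"; n=$((n + 1)); }
    done
    # User space must not be able to map a zero address and plant code there.
    min=$(sed -n 's/^CONFIG_DEFAULT_MMAP_MIN_ADDR=//p' "$cfg")
    if [ -z "$min" ] || [ "$min" -lt "$MIN_MMAP_ADDR" ]; then
        echo "weak: CONFIG_DEFAULT_MMAP_MIN_ADDR=${min:-unset} (want >= $MIN_MMAP_ADDR)"
        n=$((n + 1))
    fi
    return $n
}

# Constructed sample .config (not from any real device) to show the output.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
CONFIG_MODULES=y
CONFIG_MODULE_FORCE_LOAD=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_FORTIFY_SOURCE is not set
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_DEVKMEM is not set
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
EOF

# Prints three findings (FORTIFY_SOURCE missing, MODULE_FORCE_LOAD enabled,
# mmap_min_addr too low) and "findings: 3".
kconfig_audit "$SAMPLE_CFG" || echo "findings: $?"
```

Run it against the .config of your Yocto kernel build (or /proc/config.gz after `zcat`) and wire the exit status into CI so a hardening regression fails the image build.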