[Owasp_embedded_application_security] Discussion

Aaron Guzman aaron.guzman at owasp.org
Wed Mar 18 21:46:03 UTC 2015


> Big issue affecting embedded devices is: https://en.wikipedia.org/wiki/Year_2038_problem <https://en.wikipedia.org/wiki/Year_2038_problem> , the 2038 problem. Which will affect 32 bit platforms of the Linux kernel. 
> Without the correct time the data collected is worthless as it cannot be stored according to the correct time. Cryptographic software will also not be able to function properly.
> Linus Torvalds is not planning on fixing the issue although the issue has been fixed on most of the BSD platforms if I can remember correctly.

Very interesting. I have heard of this before but hadn’t thought to put this as a guideline or requirement. The issue becomes the supportability of the embedded device. Whether devices in manufacturing right now will or will not be supported in the year 2038. I believe most if not all devices are 32-bit?


> Another best practice perhaps to add to your list is to disable network related services that are not being used and if something has to run for example SSH, then it should be locked down as much as possible.

I think this may be able to fit into hardening of Busybox in a detail section. What do you think?

--
Aaron G
OWASP-LA Board Member
Twitter: @scriptingxss
Linkedin: http://lnkd.in/bds3MgN <http://lnkd.in/bds3MgN>
> On Mar 18, 2015, at 3:51 AM, Timo Goosen <timo.goosen at owasp.org> wrote:
> 
> I like the list of best practices that you posted.  Some ideas I'd like to add:
> 
> Big issue affecting embedded devices is: https://en.wikipedia.org/wiki/Year_2038_problem <https://en.wikipedia.org/wiki/Year_2038_problem> , the 2038 problem. Which will affect 32 bit platforms of the Linux kernel. 
> Without the correct time the data collected is worthless as it cannot be stored according to the correct time. Cryptographic software will also not be able to function properly.
> Linus Torvalds is not planning on fixing the issue although the issue has been fixed on most of the BSD platforms if I can remember correctly.
> 
> Another best practice perhaps to add to your list is to disable network related services that are not being used and if something has to run for example SSH, then it should be locked down as much as possible.
> 
> Regards.
> Timo.
> 
> On Wed, Mar 18, 2015 at 12:17 AM, Aaron Guzman <aaron.guzman at owasp.org <mailto:aaron.guzman at owasp.org>> wrote:
> Hi Everyone, 
> 
> 
> Thanks to all who have joined within the last week. I have created a google group to collaborate better. 
> 
> https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/embedded-appsec <https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/embedded-appsec>
> 
> 
> Below is a discussion I have started on the google group. If anyone is interested in making additions, please fill free to reply on the google group thread.
> 
> 
> We want to start creating a list of best practices and top risks for embedded technology. Whether we want to keep it at a list of 10 or more, I think it is important that we collaborate and put our embedded experiences together for a reference. It is
> 
> I will start with my list of best practices 
> 
> 
> 1. Cryptographic Signing of firmware required for firmware updating functions
> 2.Verify SSL/TLS Certificates (SSL Pinning) during secure functions to embedded devices. I.E. Firmware updates
> 3.Modify Busybox to only libraries and functions that are being used. (e.g. take out telnet, perl etc)
> 4.Prevent the use of static passwords such as admin/admin or similar variants for service passwords inside the firmware
> 5.Private Keys and passwords should not be stored on the embedded device.
> 6.Protection against memory-corruption vulnerabilities inside firmware functions. (do not use dangerous C functions)
> 7.Update kernel and packages on embedded images to prevent known vulnerabilities
> 
> Maybe one about testing embedded images for ODM backdoors? up for discussion
> 
> 
> Feel free to make additions and discussions around embedded security. I would love to have a call in the coming weeks to flesh out and make a best practice list mature.
> 
> 
> thanks again!
> 
> --
> Aaron G
> OWASP-LA Board Member
> Twitter: @scriptingxss
> Linkedin: http://lnkd.in/bds3MgN <http://lnkd.in/bds3MgN>
> 
> _______________________________________________
> Owasp_embedded_application_security mailing list
> Owasp_embedded_application_security at lists.owasp.org <mailto:Owasp_embedded_application_security at lists.owasp.org>
> https://lists.owasp.org/mailman/listinfo/owasp_embedded_application_security <https://lists.owasp.org/mailman/listinfo/owasp_embedded_application_security>
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_embedded_application_security/attachments/20150318/21c2ecf8/attachment.html>


More information about the Owasp_embedded_application_security mailing list