[Owasp_embedded_application_security] Discussion

Timo Goosen timo.goosen at owasp.org
Thu Mar 19 14:12:22 UTC 2015


I'd like to see what you guys think about kernel hardening on embedded
Linux?



On Wed, Mar 18, 2015 at 11:46 PM, Aaron Guzman <aaron.guzman at owasp.org>
wrote:

>
> Big issue affecting embedded devices is:
> https://en.wikipedia.org/wiki/Year_2038_problem , the 2038 problem. Which
> will affect 32 bit platforms of the Linux kernel.
> Without the correct time the data collected is worthless as it cannot be
> stored according to the correct time. Cryptographic software will also not
> be able to function properly.
> Linus Torvalds is not planning on fixing the issue although the issue has
> been fixed on most of the BSD platforms if I can remember correctly.
>
>
> Very interesting. I have heard of this before but hadn’t thought to put
> this as a guideline or requirement. The issue becomes the supportability of
> the embedded device. Whether devices in manufacturing right now will or
> will not be supported in the year 2038. I believe most if not all devices
> are 32-bit?
>
>
> Another best practice perhaps to add to your list is to disable network
> related services that are not being used and if something has to run for
> example SSH, then it should be locked down as much as possible.
>
>
> I think this may be able to fit into hardening of Busybox in a detail
> section. What do you think?
>
> --
> Aaron G
> OWASP-LA Board Member
> Twitter: @scriptingxss
> Linkedin: http://lnkd.in/bds3MgN
>
> On Mar 18, 2015, at 3:51 AM, Timo Goosen <timo.goosen at owasp.org> wrote:
>
> I like the list of best practices that you posted.  Some ideas I'd like to
> add:
>
> Big issue affecting embedded devices is:
> https://en.wikipedia.org/wiki/Year_2038_problem , the 2038 problem. Which
> will affect 32 bit platforms of the Linux kernel.
> Without the correct time the data collected is worthless as it cannot be
> stored according to the correct time. Cryptographic software will also not
> be able to function properly.
> Linus Torvalds is not planning on fixing the issue although the issue has
> been fixed on most of the BSD platforms if I can remember correctly.
>
> Another best practice perhaps to add to your list is to disable network
> related services that are not being used and if something has to run for
> example SSH, then it should be locked down as much as possible.
>
> Regards.
> Timo.
>
> On Wed, Mar 18, 2015 at 12:17 AM, Aaron Guzman <aaron.guzman at owasp.org>
> wrote:
>
>> Hi Everyone,
>>
>>
>> Thanks to all who have joined within the last week. I have created a
>> google group to collaborate better.
>>
>> https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/embedded-appsec
>>
>>
>> Below is a discussion I have started on the google group. If anyone is
>> interested in making additions, please fill free to reply on the google
>> group thread.
>>
>>
>> We want to start creating a list of best practices and top risks for
>> embedded technology. Whether we want to keep it at a list of 10 or more, I
>> think it is important that we collaborate and put our embedded experiences
>> together for a reference. It is
>>
>> I will start with my list of best practices
>>
>>
>> 1. Cryptographic Signing of firmware required for firmware updating
>> functions
>> 2.Verify SSL/TLS Certificates (SSL Pinning) during secure functions to
>> embedded devices. I.E. Firmware updates
>> 3.Modify Busybox to only libraries and functions that are being used.
>> (e.g. take out telnet, perl etc)
>> 4.Prevent the use of static passwords such as admin/admin or similar
>> variants for service passwords inside the firmware
>> 5.Private Keys and passwords should not be stored on the embedded device.
>> 6.Protection against memory-corruption vulnerabilities inside firmware
>> functions. (do not use dangerous C functions)
>> 7.Update kernel and packages on embedded images to prevent known
>> vulnerabilities
>>
>> Maybe one about testing embedded images for ODM backdoors? up for
>> discussion
>>
>>
>> Feel free to make additions and discussions around embedded security. I
>> would love to have a call in the coming weeks to flesh out and make a best
>> practice list mature.
>>
>>
>> thanks again!
>>
>> --
>> Aaron G
>> OWASP-LA Board Member
>> Twitter: @scriptingxss
>> Linkedin: http://lnkd.in/bds3MgN
>>
>>
>> _______________________________________________
>> Owasp_embedded_application_security mailing list
>> Owasp_embedded_application_security at lists.owasp.org
>>
>> https://lists.owasp.org/mailman/listinfo/owasp_embedded_application_security
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_embedded_application_security/attachments/20150319/14efab2a/attachment.html>


More information about the Owasp_embedded_application_security mailing list