Innovating without compromising security

Victor Palau - VP of Commercial Engineering, Canonical

We are the company behind Ubuntu.

Canonical and Ubuntu Introduction

London

Boston Beijing

EMPLOYEES700+

COUNTRIES30+

FOUNDED2004

Canonical has been developing operating systems since 2004, and is now extending the Ubuntu OS on smart devices.

Ubuntu is an open-source operating system, currently established on server, cloud, desktop and thin client.

Taipei

Ubuntu: where are we now?

The world’s 3rd most popular PC OS90% of the Linux market

25,000,000 usersand still counting

This year we launched 3 Mobilesbq E4.5, bq E5 and MX4

#1 Guest OS in Public CloudsAWS, HP, Azure, Google Compute..

The great thing about the internet of things is that everything is connected

The scary thing about the internet of things is that everything is connected

DNS exploit

"Is it serious? Yes it definitely is, [..]Because whenever anybody gets access to your router, they can alter settings to direct traffic to places you don't want it to go

to."

Jonathan Wu, senior director of product management at Netgear

Netgear router owners would be prompted to update their firmware if:

● they logged into their router's admin settings, or ● they had the Netgear genie app installed on their computer, tablet or

smartphone.

Car exploits include ..

● Taking control of the car via hacking the entertainment system ● Drive the car to a ditch by hacking the radio system● Unlock your car remotely

Leaked trusted signing key

● Open source firmware for surveillance camera (GOOD!) ● Inside the source tree, there was a signing key trusted by Windows

(BAD!)● You could sign any software with it a make it look legit

What could we have done better..

● Keep it small and simple

complex systems are harder to secure, don’t carry unnecessary load

● Sandboxing

A hack to the radio should not be able to lead to a ditch

● Reuse

Basic components are shared across devices, a single issue can affect a large number, but also will harden faster

● Update ready

Jeep vs Tesla. Very similar hack. Tesla ship an Over The Air (OTA) update, Jeep had to recall 1.4M cars

some common principles

We have done it all beforeso why not apply it to IoT?

● Only what is needed in the phone (no more, no less)

● All apps in the phone are sandboxed

● Common rootfs images across phones, common “custom” image across locales, HW specifics in device image

● Canonical hosted OTA channels, including devel, release and stable

Introducing snappy Ubuntu Core

Ubuntu Core is small, secure, fastAll the goodness of Ubuntu in a device-centric rendition

Snappy transactional updates

Simpler application packaging

Rigorous security guarantees

Modular architecture for independent updates

Apps Apps Apps

Frameworks Frameworks Frameworks

Ubuntu core

Kernel and Hardware Capabilities List

Maximum security and integrity

Snappy uniquely combines best-in-business security

with ease of use

Apps isolated from one another and from the OS

Enforced by Canonical’s AppArmor security system

Digital signatures guarantee integrity

traditional ubuntu

kernel snap

snappy ubuntu

os snap

app snapapp snap

kernel config

os writable files

app writable area

app writable areaany package can

write to any file

read-only snaps

writable spaces per snap

filesystem

Awesome on devices

Vendors control their app distribution and updates directly

Shared frameworks extend the base operating system

Base operating system is free and built on the best of Ubuntu

The new Ubuntu for embedded products on ARM & x86

Minimum system requirements

Processor Architecture

Intel x86 or ARMv7/v8 (Cortex-A7 single core or above)

Memory

256MB+

Flash Storage

4GB System storage

Available Connectivity types

WiFi, Ethernet, USB, BT4.0 BLE, ..

Commercial product with snappy

Snappy Ubuntu Core is targeted to manufacturers of smart embedded devices that focus on differentiating their products via great hardware and services.

Who is snappy Ubuntu Core for

What does a snappy manufacturer look like?

They focus on differentiating features since they don't need to worry about building and maintaining a full OS system stack

They want proven and reliable methods to update devices in the market

They care deeply about security of their devices and user’s data

They leverage an existing community of developers and partners

Try snappy Ubuntu Core

ubuntu.com/snappy