table of contents › download › public › 2018 › security › agl... · introduction this...
TRANSCRIPT
1.1
1.2
1.3
1.4
1.4.1
1.4.2
1.4.3
1.5
1.6
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.7
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.8
1.8.1
1.8.2
1.8.3
1.8.4
1.9
1.9.1
1.9.2
1.9.3
1.10
1.10.1
1.10.2
1.11
1.12
1.12.1
1.12.2
TableofContents
Introduction
Revisions
Part1-Hardware
Part2-SecureBoot
Image
Communicationmodes
Consoles
Part3-Hypervisor
Part4-Kernel
General
Memory
Consoles
Debug
FileSystems
Part5-Platform
MandatoryAccessControl
SystemD
SystemBus
Systemservicesanddaemons
AppFramework
Utilities
Users
Part6-Application
Installation
Privilegemanagement
Signature
Services
Part7-Connectivity
Busandconnectors
Wireless
Cloud
Part8-Update(OTA)
FOTA
SOTA
Part9-Securedevelopment
Annexes
Allconfignotes
Alltodonotes
Introduction
Thisdocumentpresentsthedifferentattacksthatcanbeenvisagedonarecentcarinordertobeableto
createasetoftestsverifyingthesecurityofAutomotiveGradeLinux(AGL).Themoregeneralutilitybehind
this document is to protect the manufacturers, customers and third party from potential financial and
informationloss.Thisdocumentisfirstlybasedontheexistingsecurity-blueprint.
Forsecuritytobeeffective,theconceptsmustbesimple.Andbydefault,anythingthat isnot
allowedisforbidden.
Wewill cover topicsstarting fromthe lowest level (Hardware)upto thehighest levels(Connectivity and
Application).WewillmovequicklyonHardwareandConnectivitybecausethisisnotsupportedatourlevel.
Solutionsofconnectivityproblemsconcernupdatesandsecuredsettingswhilehardwaresecuringisrelated
tothemanufacturers.
Thedocumentisfilledwithtagstoeasilyidentifyimportantpoints:
Theconfigtagquicklyidentifiestheconfigurationsandtherecommendationstotake.
Thenotetagallowsyoutonotifysomeadditionaldetails.
Thetodotagshowsthepossibleimprovements.
Inannexesofthisdocument,youcanfindalltheconfigandtodonotes.
Hardeningterm
The termHardening refers to the tools, techniquesandprocesses required inorder to reduce theattack
surfaceonanembeddedsystem,suchasanembeddedcontrolunit(ECU)orothermanageddevices.The
target for all hardening activities is to prevent the execution of invalid binaries on the device, and to
preventcopyingofsecurityrelateddatafromthedevice.
AGLsecurityoverview
AGLrootsarebasedonsecurityconcepts.Thoseconceptsareimplementedbythesecurityframeworkas
showninthispicture:
AcronymsandAbbreviations
Thefollowingtableliststhestrongesttermsutilizedwithinallthisdocument.
AcronymsorAbbreviations Description
AGL AutomotiveGradeLinux
ECU ElectronicControlUnit
IoT.Bzh Security-blueprint
Version5.0.0 4January2018
References
security-blueprint.
http://docs.automotivelinux.org/docs/architecture/en/dev/reference/security/01-overview.html
[2017]-kernelsecurity.
https://www.kernel.org/doc/Documentation/security/
[2017]-Systemdintegrationandusermanagement.
http://iot.bzh/download/public/2017/AMM-Dresden/AGL-systemd.pdf
[2017]-AGL-ApplicationFrameworkDocumentation.
http://iot.bzh/download/public/2017/SDK/AppFw-Documentation-v3.1.pdf
[2017]-ImprovingVehicleCybersecurity.
https://access.atis.org/apps/group_public/download.php/35648/ATIS-I-0000059.pdf
[2016]-AGLframeworkoverview.
http://docs.automotivelinux.org/docs/apis_services/en/dev/reference/af-main/0-introduction.html
[2016]-SecureBoot-SecureSoftwareUpdates.
http://iot.bzh/download/public/2016/publications/SecureBoot-SecureSoftwareUpdates.pdf
[2016]-LinuxAutomotiveSecurity.
http://iot.bzh/download/public/2016/security/Linux-Automotive-Security-v10.pdf
[2016]-AutomotiveSecurityBestPractices.
https://www.mcafee.com/it/resources/white-papers/wp-automotive-security.pdf
[2016]-GattackingBluetoothSmartDevices.
http://gattack.io/whitepaper.pdf
[2015]-ComprehensiveExperimentalAnalysisofAutomotiveAttackSurfaces.
http://www.cs.wayne.edu/fengwei/15fa-csc6991/slides/8-CarHackingUsenixSecurity.pdf
[2015]-SecurityinAutomotiveBusSystems.
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.92.728&rep=rep1&type=pdf
[2014]-IOActiveRemoteAttackSurface.
https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf
[2011]-ApracticalattackagainstGPRS/EDGE/UMTS/HSPAmobiledatacommunications.
https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-
wp.pdf
[2011]-ComprehensiveExperimentalAnalysesofAutomotiveAttackSurfaces.
http://www.autosec.org/pubs/cars-usenixsec2011.pdf
[2010]-RelayAttacksonPassiveKeylessEntryandStartSystemsinModernCars.
https://eprint.iacr.org/2010/332.pdf
[2010]-Wifiattackswepwpa.
https://matthieu.io/dl/wifi-attacks-wep-wpa.pdf
[2008]-SMACK.
http://schaufler-ca.com/yahoo_site_admin/assets/docs/SmackWhitePaper.257153003.pdf
IoT.Bzh Security-blueprint
Version5.0.0 5January2018
Documentrevisions
Meta Data
Title Security-blueprint
Description ThisdocumentdealswitheverythingrelatedtothesafetyofconnectedcarslinkedtotheAGLproject.
Keywords AGL,Security,Blueprint,Iotbzh
Language English
Published PublishedJanuary2018asanelectronicbook.
Updated FriJan12201816:46:36GMT+0100(CET)
Collection Open-source
Date Version Designation Author
7Jul2017
- sec-blueprint Githistory
6Dec2017
5.0.0 EE.rc3release-chaptersreorderingandaddnewparts:3,5,6,8,9
VincentNieutin[Iot.bzh]
IoT.Bzh Security-blueprint
Version5.0.0 6January2018
Part1-Hardware
Abstract
Youwillfindinthisfirstparteverythingthatconcernsthehardwaresecurity.Thegoalistoprotectsystem
againstallattacksthataretryingtogainadditionalprivilegesbyrecoveringand/orchangingcryptographic
keysinordertoaltertheintegrityoftheboot.Weshouldalsopreventhardwaremodificationsinorderto
achievethisgoal.Wewillexposebelowsomeexamplesofpossibleconfigurations.
AcronymsandAbbreviations
Thefollowingtableliststhetermsutilizedwithinthispartofthedocument.
AcronymsorAbbreviations Description
HSM HardwareSecurityModule
NVM Non-VolatileMemory
SHE SecureHardwareExtensions
Integrity
Theboardmust storehardcodedcryptographickeys inorder toverifyamongothers the integrityof the
bootloader.ManufacturerscanuseHSMandSHEtoenhancethesecurityoftheirboard.
Domain Object Recommendations
Hardware-Integrity-1 Bootloader Mustcontrolbootloaderintegrity.
Hardware-Integrity-2 Board MustuseaHSM.
Hardware-Integrity-3 RTC Mustnotbealterable.
IoT.Bzh Security-blueprint
Version5.0.0 7January2018
Certificates
Domain Object Recommendations
Hardware-Certificate-1
System Shallallowstoringdedicatedcertificates.
Hardware-Certificate-2
ECU TheECUmustverifythecertificationauthorityhierarchy.
Hardware-Certificate-3
SystemAllowthemodificationofcertificatesonlyifthesourcecanbeauthenticatedbyacertificatealreadystoredorinthehigherlevelsofthechainoftrust.
Memory
Domain Object Recommendations
Hardware-Memory-1
ECU TheECUshallneverexposetheunencryptedkeyinRAMwhenusingcryptographickeys.
Hardware-Memory-2
Bootloader InternalNVMonly
Hardware-Module-3
- HSMmustbeusedtosecurekeys.
IoT.Bzh Security-blueprint
Version5.0.0 8January2018
Part2-Secureboot
Abstract
Domain Improvement
Boot-Abstract-1 Moregenericandaddexamples(Thechainoftrust).
BootHardening:Steps/requirementstoconfigurethebootsequence,inordertorestrictthedevicefrom
executinganythingotherthantheapprovedsoftwareimage.
Inthispart,wewillseeaseriesofsettingsthatwillallowustoimprovesecurityduringbootphase.Forthe
purposesofreferenceandexplanation,weareprovidingguidanceonhowtoconfigureanembeddeddevice
thatrunswitha3.10.17Linuxkernel.Iftheintegrityisnotcheckedorifacriticalerroroccurs,thesystem
mustbootonaverystablebackupimage.
Requirements: These requirementsmust bemet even if an alternative version of the Linux kernel is
chosen.
Recommendations:Detailedbestpracticesthatshouldbeappliedinordertosecureadevice.Although
theyarenotcurrently listedashard requirements, theymaybeupgraded to requirementsstatus in the
future.Inaddition,specificoperatorsmaychangesomeoftheserecommendationsintorequirementsbased
ontheirspecificneedsandobjectives.
Domain Improvement
Boot-Abstract-1 Reviewthedefinitionofthe"bootloader".
Bootloader:ThebootloaderconsistsofthePrimarybootloaderresidinginOTPmemory,sboot,U-Boot
andSecure loaderresiding inexternal flash(NANDorSPI/NORflashmemory).TheCPUonpoweronor
resetexecutestheprimaryboot loader.TheOTPprimarybootloadermakesthenecessaryinitialsystem
configurationandthenloadsthesecondarybootloadersbootfromexternalflashmemorytorammemory.
The sboot then loads the U-Boot along with the Secure loader. U-Boot then verifies the Kernel/system
imageintegrity,thenloadstheKernel/systemimagebeforepassingcontroltoit.
AcronymsandAbbreviations
Thefollowingtableliststhetermsutilizedwithinthispartofthedocument.
AcronymsorAbbreviations Description
FUSE FilesysteminUserSpacE
OTP One-Time-Programmable
DOCSIS DataOverCableServiceInterfaceSpecification
IoT.Bzh Security-blueprint
Version5.0.0 9January2018
IoT.Bzh Security-blueprint
Version5.0.0 10January2018
Image
Imageselection
The boot process shall be uninterruptible and shall irrevocably boot the image as specified in the boot
environment.
InU-Bootsetthe"bootdelay"environmentvariableand/ordefineCONFIG_BOOTDELAYto-2.
Domain Variable/Configname Value
Boot-Image-Selection-1 CONFIG_BOOTDELAY -2
Boot-Image-Selection-2 bootdelay -2
Imageauthenticity
It shall not be possible to boot from an unverified image. The secure boot feature in U-Boot shall be
enabled. The secure boot feature is available from U-Boot 2013.07 version. To enable the secure boot
feature,enablethefollowingfeatures:
CONFIG_FIT:EnablessupportforFlatImageTree(FIT)uImageformat.
CONFIG_FIT_SIGNATURE:EnablessignatureverificationofFITimages.
CONFIG_RSA:EnablesRSAalgorithmusedforFITimageverification.
CONFIG_OF_CONTROL:EnablesFlattenedDeviceTree(FDT)configuration.
CONFIG_OF_SEPARATE:Enablesseparatebuildofu-Bootfromthedevicetree.
CONFIG_DEFAULT_DEVICE_TREE:SpecifiesthedefaultDeviceTreeusedfortherun-timeconfigurationofU-Boot.
Generate the U-Boot imagewith public keys to validate and load the image. It shall use RSA2048 and
SHA256forauthentication.
Domain Configname State
Boot-Image-Authenticity-1 CONFIG_FIT Enable
Boot-Image-Authenticity-2 CONFIG_FIT_SIGNATURE Enable
Boot-Image-Authenticity-3 CONFIG_RSA Enable
Boot-Image-Authenticity-4 CONFIG_OF_CONTROL Enable
Boot-Image-Authenticity-5 CONFIG_OF_SEPARATE Enable
Boot-Image-Authenticity-6 CONFIG_DEFAULT_DEVICE_TREE Enable
IoT.Bzh Security-blueprint
Version5.0.0 11January2018
Communicationmodes
DisableUSB,SerialandDOCSISSupport
TodisableUSBsupportinU-Boot,followingconfig'sshallnotbedefined:
CONFIG_CMD_USB:EnablesbasicUSBsupportandtheusbcommand.
CONFIG_USB_UHCI:Definesthelowlevelpart.
CONFIG_USB_KEYBOARD:EnablestheUSBKeyboard.
CONFIG_USB_STORAGE:EnablestheUSBstoragedevices.
CONFIG_USB_HOST_ETHER:EnablesUSBEthernetadaptersupport.
Inaddition,disableunnecessarycommunicationmodeslikeEthernet,Serialports,DOCSISinU-Bootand
sbootthatarenotnecessary.
LinuxKernelsupportforUSBshouldbecompiled-outifnotrequired.Ifitisneeded,theLinuxKernelshould
beconfiguredtoonlyenabletheminimumrequiredUSBdevices.User-initiatedUSB-filesystemsshouldbe
treated with special care.Whether or not the filesystems aremounted in userspace (FUSE), restricted
mountoptionsshouldbeobserved.
Domain Communicationmodes
State
Boot-Communication-1
USB DisabledandCompiled-outifnotrequired.
Boot-Communication-2
USB
Else,KernelshouldbeconfiguredtoonlyenabletheminimumrequiredUSBdevicesandfilesystemsshouldbetreatedwithspecialcare.
Boot-Communication-3
Ethernet Disabled
Boot-Communication-4
U-bootandsbootDOCSIS
Disabled
Boot-Communication-5
Serialports Disabled
Domain Configname State
Boot-Communication-USB-1 CONFIG_CMD_USB Notdefined
Boot-Communication-USB-2 CONFIG_USB_UHCI Notdefined
Boot-Communication-USB-3 CONFIG_USB_KEYBOARD Notdefined
Boot-Communication-USB-4 CONFIG_USB_STORAGE Notdefined
Boot-Communication-USB-5 CONFIG_USB_HOST_ETHER Notdefined
IoT.Bzh Security-blueprint
Version5.0.0 12January2018
DisableallunusedNetworkInterfaces
Onlyusednetworkinterfacesshouldbeenabled.Wherepossible,servicesshouldalsobelimitedtothose
necessary.
Domain Communicationmodes
State
Boot-Communication-1
Network
interfaces
Preferablynonetworkinterfaceisallowed,otherwise,restricttheservicestothoseused.
RemoveorDisableUnnecessaryServices,Ports,andDevices
Restricttheservices,portsanddevicestothoseused.
Domain Object Recommendations
Boot-Communication-1
Services,portsanddevices
Restricttheservices,portsanddevicestothoseused.
Disableflashaccess
Recommendation:
InU-Bootfollowingflashmemorycommandsshallbedisabled:
NAND:Supportfornandflashaccessavailablethroughdo_nandhastobedisabled.
Domain Commandname State
Boot-Communication-Flash-1 do_nand Disable
Similarlysbootshoulddisableflashaccesssupportthroughcommandlineifany.
IoT.Bzh Security-blueprint
Version5.0.0 13January2018
Consoles
Disableserialconsole
Serialconsoleoutputshallbedisabled.TodisableconsoleoutputinU-Boot,setthefollowingmacros:
Domain Configname Value
Boot-Consoles-Serial-1 CONFIG_SILENT_CONSOLE Disable
Boot-Consoles-Serial-2 CONFIG_SYS_DEVICE_NULLDEV Disable
Boot-Consoles-Serial-3 CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC Disable
Domain Improvement
Boot-Consoles-1 Secureloader:Noreferenceearlier?
Andset"silent"environmentvariable.FortheSecureloader,disablethetracesbynotdefiningthebelow
macro:
Domain Environmentvariablename State
Boot-Consoles-Serial-1 INC_DEBUG_PRINT Notdefined
Forsbootproperconfigurationneedstobedonetodisabletheserialconsole.
IoT.Bzh Security-blueprint
Version5.0.0 14January2018
Immutableenvironmentvariables
InU-Boot,ensureKernelcommandline,bootcommands,bootdelayandotherenvironmentvariablesare
immutable.Thiswillpreventside-loadingofalternateimages,byrestrictingthebootselectiontoonlythe
imageinFLASH.
Theenvironmentvariablesshallbepartofthetextregion inU-Bootasdefaultenvironmentvariableand
notinnon-volatilememory.
Removeconfigurationoptionsrelatedtonon-volatilememory,suchas:
Domain Configname State
Boot-Consoles-Variables-1 CONFIG_ENV_IS_IN_MMC #undef
Boot-Consoles-Variables-2 CONFIG_ENV_IS_IN_EEPROM #undef
Boot-Consoles-Variables-3 CONFIG_ENV_IS_IN_FLASH #undef
Boot-Consoles-Variables-4 CONFIG_ENV_IS_IN_DATAFLASH #undef
Boot-Consoles-Variables-5 CONFIG_ENV_IS_IN_FAT #undef
Boot-Consoles-Variables-6 CONFIG_ENV_IS_IN_NAND #undef
Boot-Consoles-Variables-7 CONFIG_ENV_IS_IN_NVRAM #undef
Boot-Consoles-Variables-8 CONFIG_ENV_IS_IN_ONENAND #undef
Boot-Consoles-Variables-9 CONFIG_ENV_IS_IN_SPI_FLASH #undef
Boot-Consoles-Variables-10 CONFIG_ENV_IS_IN_REMOTE #undef
Boot-Consoles-Variables-11 CONFIG_ENV_IS_IN_UBI #undef
Boot-Consoles-Variables-12 CONFIG_ENV_IS_NOWHERE #define
IoT.Bzh Security-blueprint
Version5.0.0 15January2018
(Recommendation)Removalofmemorydumpcommands
InU-Boot,followingcommandsshallbedisabledtoavoidmemorydumps:
md:MemoryDisplaycommand.
mm:Memorymodifycommand-autoincrementingaddress.
nm:Memorymodifycommand-constantaddress.
mw:Memorywrite.
cp:Memorycopy.
mwc:Memorywritecyclic.
mdc:Memorydisplaycyclic.
mtest:Simpleramread/writetest.
loopw:Infinitewritelooponaddressrange.
Domain Commandname State
Boot-Consoles-MemDump-1 md Disabled
Boot-Consoles-MemDump-2 mm Disabled
Boot-Consoles-MemDump-3 nm Disabled
Boot-Consoles-MemDump-4 mw Disabled
Boot-Consoles-MemDump-5 cp Disabled
Boot-Consoles-MemDump-6 mwc Disabled
Boot-Consoles-MemDump-7 mdc Disabled
Boot-Consoles-MemDump-8 mtest Disabled
Boot-Consoles-MemDump-9 loopw Disabled
Similarly,memorydumpsupportshallbedisabledfromsboot.
IoT.Bzh Security-blueprint
Version5.0.0 16January2018
Part3-Hypervisor
Definition: "A hypervisor or virtualmachinemonitor (VMM) is computer software, firmware or hardware
thatcreatesandrunsvirtualmachines".
Itmustincludeasignatureverification(possiblydelegated).
Domain Improvement
Hypervisor-Abstract-1 CompleteHypervisorpart(jailhouse/KVM/Xen).
NativeorBare-metalhypervisors
These hypervisors run directly on the host's hardware to control the hardware and to manage guest
operatingsystems.Thosearetheoneswe'reinterestedin.
IoT.Bzh Security-blueprint
Version5.0.0 17January2018
Part4-Kernel
Abstract
System Hardening: Best practices associated with the configuration of an embedded Linux based
operatingsystem.Thissectionincludesbothhardeningofthekernelitself,aswellasspecificconfigurations
and patches used to protect against known vulnerabilitieswithin the build and configuration of the root
filesystem.
At the Kernel level, wemust ensure that no console can be launched. It could be used to change the
behavior of the system or to have more information about it. Another aspect is the protection of the
memoryusedbytheKernel.
Thenextsub-sectionscontaininformationonvariouskernelconfigurationoptionstoenhancethesecurityin
the kernel (3.10.17) and also for applications compiled to take advantage of these security features.
Additionally,therearealsoconfigurationoptionsthatprotectfromknownvulnerableconfigurationoptions.
Here'sahighlevelsummaryofvariouskernelconfigurationsthatshallberequiredfordeployment.
IoT.Bzh Security-blueprint
Version5.0.0 18January2018
Generalconfiguration
MandatoryAccessControl
Kernelshouldcontrolsaccesswithlabelsandpolicy.
Domain Object Recommendations
Kernel-General-MAC-1 SMACK MustimplementaMandatoryAccessControl.
Domain Improvement
Kernel-MAC-1 AddMACconfignote.
Disablekexec
Thispreventssomeonewhogetsroot fromsupplantingthekernel.Thiscanbeusedasawaytobypass
signedkernels.
Domain Configname Value
Kernel-General-kexec-1 CONFIG_KEXEC n
DisablekernelIPauto-configuration
ItispreferabletohaveanIPconfigurationperformedusingauser-spacetoolasthesetendtohavemore
validation.Wedonotwantthenetworkinterfacecomingupuntilthesystemhascomeupproperly.
Domain Configname Value
Kernel-General-IPAutoConf-1 CONFIG_IP_PNP n
DisableSysctlsyscallsupport
Enablingthiswillresultincodebeingincludedthatishardtomaintainandnotwelltested.
IoT.Bzh Security-blueprint
Version5.0.0 19January2018
Domain Configname Value
Kernel-General-SysCtl_SysCall-1 CONFIG_SYSCTL_SYSCALL n
DisableLegacyLinuxSupport
TherearesomeKernelConfigswhicharepresentonlytosupportlegacybinaries.Seealso"Consoles"part
inordertodisablingsupportforlegacybinaryformats.The uselibsystemcall,inparticular,hasnovalid
use inany libc6or uclibc system in recent times. This configuration is supported inLinux3.15and
greaterandthusshouldonlybedisabledforsuchversions.
Domain Configname Value
Kernel-General-LegacyLinux-1 CONFIG_USELIB n
Disablefirmwareauto-loadingusermodehelper
The firmware auto loadinghelper,which is a utility executedby the kernel on hotplug events requiring
firmware,needstobesetsetuid.Asaresultofthis,thehelperutilityisanattractivetargetforattackers
withcontrolofphysicalportsonthedevice.DisablingthisconfigurationthatissupportedinLinux3.9and
greater.
Domain Configname Value
Kernel-General-FirmHelper-1 CONFIG_FW_LOADER_USER_HELPER n
EnableKernelPaniconOOPS
WhenfuzzingthekernelorattemptingkernelexploitsattackersarelikelytotriggerkernelOOPSes.Setting
thebehavioronOOPStoPANICcanimpedetheirprogress.
This configuration is supported in Linux 3.5 and greater and thus should only be enabled for such
versions.
Domain Configname Value
Kernel-General-PanicOnOOPS-1 CONFIG_PANIC_ON_OOPS y
IoT.Bzh Security-blueprint
Version5.0.0 20January2018
IoT.Bzh Security-blueprint
Version5.0.0 21January2018
Disablesocketmonitoringinterface
These monitors can be used to inspect shared file descriptors on Unix Domain sockets or traffic on
'localhost'whichisotherwiseassumedtobeconfidential.
The CONFIG_PACKET_DIAG configuration is supported in Linux 3.7 and greater and thus should only be
disabledforsuchversions.
TheCONFIG_UNIX_DIAGconfigurationissupportedinLinux3.3andgreaterandthusshouldonlybedisabled
forsuchversions.
Domain Configname Value
Kernel-General-SocketMon-1 CONFIG_PACKET_DIAG n
Kernel-General-SocketMon-2 CONFIG_UNIX_DIAG n
DisableBPFJIT
TheBPFJITcanbeusedtocreatekernel-payloadsfromfirewalltablerules.
ThisconfigurationforissupportedinLinux3.16andgreaterandthusshouldonlybedisabledforsuch
versions.
Domain Configname Value
Kernel-General-BPF_JIT-1 CONFIG_BPF_JIT n
EnableEnforcedModuleSigning
Thekernelshouldneverallowanunprivilegeduser theability to loadspecifickernelmodules,sincethat
wouldprovideafacilitytounexpectedlyextendtheavailableattacksurface.
Toprotectagainstevenprivilegedusers,systemsmayneed toeitherdisablemodule loadingentirely,or
provide signed modules (e.g. CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep from
havingrootloadarbitrarykernelcodeviathemoduleloaderinterface.
This configuration is supported in Linux 3.7 and greater and thus should only be enabled for such
versions.
Domain Configname Value
Kernel-General-ModuleSigning-1 CONFIG_MODULE_SIG_FORCE y
IoT.Bzh Security-blueprint
Version5.0.0 22January2018
IoT.Bzh Security-blueprint
Version5.0.0 23January2018
DisableallUSB,PCMCIA(andotherhotplugbus)driversthataren'tneeded
Toreducetheattacksurface,thedriverenumeration,probe,andoperationhappeninthekernel.Thedriver
dataisparsedbythekernel,soanylogicbugsinthesedriverscanbecomekernelexploits.
Domain Object State
Kernel-General-Drivers-1 USB Disabled
Kernel-General-Drivers-2 PCMCIA Disabled
Kernel-General-Drivers-3 Otherhotplugbus Disabled
PositionIndependentExecutables
Domain Improvement
Kernel-General-IndependentExec-1 Kernelor/andplatformpart?
Domain compilerandlinkeroptions State
Kernel-General-IndependentExec-1 -pie-fpic Enable
Produceapositionindependentexecutableontargetswhichsupportsit.
PreventOverwriteAttacks
-z,relrolinkingoptionhelpsduringprogramload,severalELFmemorysectionsneedtobewrittenbythe
linker,butcanbeturnedread-onlybeforeturningovercontroltotheprogram.ThispreventssomeGlobal
OffsetTableGOToverwriteattacks,orinthedtorssectionoftheELFbinary.
Domain compilerandlinkeroptions State
Kernel-General-OverwriteAttacks-1 -z,relro Enable
Kernel-General-OverwriteAttacks-2 -z,now Enable
Duringprogramload,alldynamicsymbolsareresolved,allowingforthecompleteGOTtobemarkedread-
only (due to -zrelro above). This preventsGOToverwrite attacks. For very large application, this can
incursomeperformancelossduringinitialloadwhilesymbolsareresolved,butthisshouldn'tbeanissue
fordaemons.
IoT.Bzh Security-blueprint
Version5.0.0 24January2018
IoT.Bzh Security-blueprint
Version5.0.0 25January2018
Librarylinking
Domain Improvement
Kernel-General-LibraryLinking-1 Keepthispart?
It is recommended that dynamic linking should generally not be allowed. This will avoid the user from
replacing a library with malicious library. All libraries should be linked statically, but this is difficult to
implement.
Domain compilerandlinkeroptions State
Kernel-General-LibraryLinking-1 -static Enable
IoT.Bzh Security-blueprint
Version5.0.0 26January2018
Memory
Restrictaccesstokernelmemory
The/dev/kmemfileinLinuxsystemsisdirectlymappedtokernelvirtualmemory.Thiscanbedisastrousif
anattackergainsrootaccess,astheattackerwouldhavedirectaccesstokernelvirtualmemory.
Todisablethe/dev/kmemfile,whichisveryinfrequentlyusedbyapplications,thefollowingkerneloption
shouldbesetinthecompile-timekernelconfiguration:
Domain Configname Value
Kernel-Memory-RestrictAccess-1 CONFIG_DEVKMEM n
Incaseapplications inuserspaceneed /dev/kmemsupport, it shouldbeavailableonly forauthenticated
applications.
Disableaccesstoakernelcoredump
This kernel configuration disables access to a kernel core dump from user space. If enabled, it gives
attackersausefulviewintokernelmemory.
Domain Configname Value
Kernel-Memory-CoreDump-1 CONFIG_PROC_KCORE n
Disableswap
Ifnotdisabled,attackerscanenableswapatruntime,addpressureto thememorysubsystemandthen
scourthepageswrittentoswapforusefulinformation.
Domain Configname Value
Kernel-Memory-Swap-1 CONFIG_SWAP n
IoT.Bzh Security-blueprint
Version5.0.0 27January2018
Disable"LoadAllSymbols"
There is a /proc/kallsyms filewhich exposes the kernelmemory space address ofmany kernel symbols
(functions, variables, etc...). This information is useful to attackers in identifying kernel
versions/configurationsandinpreparingpayloadsfortheexploitsofkernelspace.
BothKALLSYMS_ALLandKALLSYMSshallbedisabled;
Domain Configname Value
Kernel-Memory-LoadAllSymbols-1 CONFIG_KALLSYMS n
Kernel-Memory-LoadAllSymbols-2 CONFIG_KALLSYMS_ALL n
Stackprotection
Topreventstack-smashing,similartothestackprotectorusedforELFprogramsinuser-space,thekernel
canprotectitsinternalstacksaswell.
This configuration is supported in Linux 3.11 and greater and thus should only be enabled for such
versions.
Thisconfigurationalsorequiresbuildingthekernelwiththegcccompiler4.2orgreater.
Domain Configname Value
Kernel-Memory-Stack-1 CONFIG_CC_STACKPROTECTOR y
Otherdefensesincludethingslikeshadowstacks.
Disableaccessto/dev/mem
The/dev/memfile inLinuxsystems isdirectlymapped tophysicalmemory.Thiscanbedisastrous ifan
attacker gains root access, as the attacker would have direct access to physical memory through this
convenientdevicefile.Itmaynotalwaysbepossibletodisablesuchfile,assomeapplicationsmightneed
suchsupport.Inthatcase,thenthisdevicefileshouldbeavailableonlyforauthenticatedapplications.
This configuration is supported in Linux 4.0 and greater and thus should only be disabled for such
versions.
Domain Configname Value
Kernel-Memory-Access-1 CONFIG_DEVMEM n
IoT.Bzh Security-blueprint
Version5.0.0 28January2018
IoT.Bzh Security-blueprint
Version5.0.0 29January2018
Disablecross-memoryattach
Disabletheprocessvm*vsyscallswhichallowoneprocesstopeek/pokethevirtualmemoryofanother.
This configuration is supported in Linux 3.5 and greater and thus should only be disabled for such
versions.
Domain Configname Value
Kernel-Memory-CrossMemAttach-1 CROSS_MEMORY_ATTACH n
StackSmashingAttacks
Domain compilerandlinkeroptions State
Kernel-Memory-StackSmashing-1 -fstack-protector-all Enable
Emitextracodetocheckforbufferoverflows,suchasstacksmashingattacks.
DetectBufferOverflows
Domain compilerandlinkeroptions Value
Kernel-Memory-BufferOverflows-1 -D_FORTIFY_SOURCE 2
Helpsdetectsomebufferoverflowerrors.
IoT.Bzh Security-blueprint
Version5.0.0 30January2018
Serial
Disableserialconsole
Theserialconsoleshouldbedisabledtopreventanattackerfromaccessingthispowerfulinterface.
Domain Configname Value
Kernel-Consoles-Serial-1 CONFIG_SERIAL_8250 n
Kernel-Consoles-Serial-2 CONFIG_SERIAL_8250_CONSOLE n
Kernel-Consoles-Serial-3 CONFIG_SERIAL_CORE n
Kernel-Consoles-Serial-4 CONFIG_SERIAL_CORE_CONSOLE n
Bake-inthekernelcommand-line
Thekernelcommand-lineisusedtocontrolmanyaspectsofthebootingkernel,andispronetotampering
astheyarepassedinRAMwithlittletonoreversevalidationontheseparameters.Topreventthistypeof
attack,thekernelshallbeconfiguredtoignorecommandslinearguments,andusepre-configured(compile
time)optionsinstead.
Set the kernel command line in the CONFIG_CMDLINE KConfig item and then pass no arguments from the
bootloader.
Domain Configname Value
Kernel-Consoles-CommandLine-1 CONFIG_CMDLINE_BOOL y
Kernel-Consoles-CommandLine-2 CONFIG_CMDLINE "insertkernelcommandlinehere"
Kernel-Consoles-CommandLine-3 CONFIG_CMDLINE_OVERRIDE y
Itisrecommendedthatanyper-devicesettings(e.g:MACaddresses,serialnumbers,etc.)bestoredand
accessedfromread-onlymemory(orfiles),andthatanysuchparametersbeverified(signaturechecking)
priortotheiruse.
DisableKGDB
The Linux kernel supports KGDB over USB and console ports. Thesemechanisms are controlled by the
kgdbdbgpand kgdbockernelcommand-lineparameters.Itisimportanttoensurethatnoshippingproduct
containsakernelwithKGDBcompiled-in.
Domain Configname Value
IoT.Bzh Security-blueprint
Version5.0.0 31January2018
Kernel-Consoles-KDBG-1 CONFIG_KGDB n
Disablemagicsysrqsupport
On a few architectures, you can access a powerful debugger interface from the keyboard. The same
powerful interface can be present on the serial console (responding to serial break) of Linux on other
architectures.Disabletoavoidpotentiallyexposingthispowerfulbackdoor.
Domain Configname Value
Kernel-Consoles-SysRQ-1 CONFIG_MAGIC_SYSRQ n
DisablesupportforbinaryformatsotherthanELF
Thiswillmakepossibletoplugwrapper-drivenbinaryformatsintothekernel.Itenablessupportforbinary
formats other than ELF. Providing the ability to use alternate interpreters would assist an attacker in
discoveringattackvectors.
Domain Configname Value
Kernel-Consoles-BinaryFormat-1 CONFIG_BINFMT_MISC n
IoT.Bzh Security-blueprint
Version5.0.0 32January2018
Debug
Nodebuggersshallbepresentonthefilesystem.This includes,but isnot limitedto,theGNUDebugger
client/server (commonly known in their short form names such as the gdb and gdbserver executable
binariesrespectively),theLLDBnextgenerationdebuggerortheTCF(TargetCommunicationsFramework)
agnosticframework.Includingthesebinariesaspartofthefilesystemwillfacilitateanattacker'sabilityto
reverse engineer and debug (either locally or remotely) any process that is currently executing on the
device.
Kerneldebugsymbols
Debugsymbolsshouldalwaysberemovedfromproductionkernelsastheyprovidealotofinformationto
attackers.
Domain Configname Value
Kernel-Debug-Symbols-1 CONFIG_DEBUG_INFO n
These kernel debug symbols are enabled by other config items in the kernel. Care should be taken to
disablethosealso.IfCONFIG_DEBUG_INFOcannotbedisabled,thenenablingCONFIG_DEBUG_INFO_REDUCEDissecond
best.
DisableKprobes
Kprobesenablesyoutodynamicallybreakintoanykernelroutineandcollectdebuggingandperformance
informationnon-disruptively.Youcantrapatalmostanykernelcodeaddress,specifyingahandlerroutine
tobeinvokedwhenthebreakpointishit.
Domain Configname Value
Kernel-Debug-Kprobes-1 CONFIG_KPROBES n
DisableTracing
FTraceenablesthekerneltotraceeverykernelfunction.Providingkerneltracefunctionalitywouldassistan
attackerindiscoveringattackvectors.
Domain Configname Value
Kernel-Debug-Tracing-1 CONFIG_FTRACE n
IoT.Bzh Security-blueprint
Version5.0.0 33January2018
DisableProfiling
ProfilingandOProfileenablesprofilingthewholesystem,includethekernel,kernelmodules,libraries,and
applications.Providingprofilingfunctionalitywouldassistanattackerindiscoveringattackvectors.
Domain Configname Value
Kernel-Debug-Profiling-1 CONFIG_OPROFILE n
Kernel-Debug-Profiling-2 CONFIG_PROFILING n
DisableOOPSprintonBUG()
The output from OOPS print can be helpful in Return Oriented Programming (ROP) when trying to
determinetheeffectivenessofanexploit.
Domain Configname Value
Kernel-Debug-OOPSOnBUG-1 CONFIG_DEBUG_BUGVERBOSE n
DisableKernelDebugging
Therearedevelopment-onlybranchesofcodeinthekernelenabledbythe DEBUG_KERNELconf.Thisshould
bedisabledtocompile-outthesebranches.
Domain Configname Value
Kernel-Debug-Dev-1 CONFIG_DEBUG_KERNEL n
Kernel-Debug-Dev-2 CONFIG_EMBEDDED n
Insomekernelversions,disablingthisrequiresalsodisabling CONFIG_EMBEDDED,and CONFIG_EXPERT.Disabling
CONFIG_EXPERTmakesitimpossibletodisable COREDUMP, DEBUG_BUGVERBOSE, NAMESPACES, KALLSYMSand BUG.In
whichcaseitisbettertoleavethisenabledthanenabletheothers.
IoT.Bzh Security-blueprint
Version5.0.0 34January2018
Disablethekerneldebugfilesystem
Thekerneldebugfilesystempresentsalotofusefulinformationandmeansofmanipulationofthekernelto
anattacker.
Domain Configname Value
Kernel-Debug-FileSystem-1 CONFIG_DEBUG_FS n
DisableBUG()support
ThekernelwilldisplaybacktraceandregisterinformationforBUGsandWARNsinkernelspace,makingit
easierforattackerstodevelopexploits.
Domain Configname Value
Kernel-Debug-BUG-1 CONFIG_BUG n
Disablecoredumps
Coredumpsprovidealotofdebuginformationforhackers.Sodisablingcoredumpsarerecommendedin
productionbuilds.
This configuration is supported in Linux 3.7 and greater and thus should only be disabled for such
versions.
Domain Configname Value
Kernel-Debug-CoreDumps-1 CONFIG_COREDUMP n
IoT.Bzh Security-blueprint
Version5.0.0 35January2018
KernelAddressDisplayRestriction
Whenattackers try todevelop"runanywhere"exploits forkernelvulnerabilities, they frequentlyneed to
knowthelocationofinternalkernelstructures.Bytreatingkerneladdressesassensitiveinformation,those
locationsarenotvisibletoregularlocalusers.
/proc/sys/kernel/kptr_restrictissetto"1"toblockthereportingofknownkerneladdressleaks.
Domain Filename Value
Kernel-Debug-AdressDisplay-1 /proc/sys/kernel/kptr_restrict 1
Additionally, various files and directories should be readable only by the root user: /boot/vmlinuz* ,
/boot/System.map*,/sys/kernel/debug/,/proc/slabinfo
Domain FileorDirectoriename State
Kernel-Debug-AdressDisplay-1 /boot/vmlinuz* ReadableOnlyforrootuser
Kernel-Debug-AdressDisplay-2 /boot/System.map* ReadableOnlyforrootuser
Kernel-Debug-AdressDisplay-3 /sys/kernel/debug/ ReadableOnlyforrootuser
Kernel-Debug-AdressDisplay-4 /proc/slabinfo ReadableOnlyforrootuser
DMESGRestrictions
Whenattackers try todevelop"runanywhere"exploits forvulnerabilities, they frequentlywilluse dmesg
output.Bytreatingdmesgoutputassensitiveinformation,thisoutputisnotavailabletotheattacker.
/proc/sys/kernel/dmesg_restrictcanbesetto"1"totreatdmesgoutputassensitive.
Domain Filename Value
Kernel-Debug-DMESG-1 /proc/sys/kernel/dmesg_restrict 1
Enable the below compiler and linker options when building user-space applications to avoid stack
smashing,bufferoverflowattacks.
IoT.Bzh Security-blueprint
Version5.0.0 36January2018
Disable/proc/config.gz
Itisextremelyimportanttonotexposethekernelconfigurationusedonaproductiondevicetoapotential
attacker.Withaccesstothekernelconfig,itcouldbepossibleforanattackertobuildacustomkernelfor
thedevicethatmaydisablecriticalsecurityfeatures.
Domain Configname Value
Kernel-Debug-Config-1 CONFIG_IKCONFIG n
IoT.Bzh Security-blueprint
Version5.0.0 37January2018
FileSystem
Disableallfilesystemsnotneeded
To reduce the attack surface, file systemdata is parsed by the kernel, so any logic bugs in file system
driverscanbecomekernelexploits.
DisableNFSfilesystem
NFSFileSystemsareusefulduringdevelopmentphases,butthiscanbeaveryhelpfulwayforanattacker
togetfileswhenyouareinproductionmode,sowemustdisablethem.
Domain Configname Value
Kernel-FileSystems-NFS-1 CONFIG_NFSD n
Kernel-FileSystems-NFS-2 CONFIG_NFS_FS n
IoT.Bzh Security-blueprint
Version5.0.0 38January2018
PartitionMountOptions
Thereareseveralsecurityrestrictionsthatcanbesetonafilesystemwhenitismounted.Somecommon
securityoptionsinclude,butarenotlimitedto:
nosuid-Donotallowset-user-identifierorset-group-identifierbitstotakeeffect.
nodev-Donotinterpretcharacterorblockspecialdevicesonthefilesystem.
noexec-Donotallowexecutionofanybinariesonthemountedfilesystem.
ro-Mountfilesystemasread-only.
Thefollowingflagsshallbeusedformountingcommonfilesystems:
Domain Partition Value
Kernel-FileSystems-Mount-1
/boot nosuid,nodevandnoexec.
Kernel-FileSystems-Mount-2
/var&/tmp In/etc/fstaborvfstab,addnosuid,nodevandnoexec.
Kernel-FileSystems-Mount-3
Non-rootlocal Iftypeisext2orext3andmountpointnot'/',addnodev.
Kernel-FileSystems-Mount-4
Removablestorage
Addnosuid,nodevandnoexec.
Kernel-FileSystems-Mount-5
Temporarystorage
Addnosuid,nodevandnoexec.
Kernel-FileSystems-Mount-6
/dev/shm Addnosuid,nodevandnoexec.
Kernel-FileSystems-Mount-7
/dev Addnosuidandnoexec.
If CONFIG_DEVTMPFS_MOUNTisset,thenthekernelwillmount/devandwillnotapplythe nosuid, noexec
options. Either disable CONFIG_DEVTMPFS_MOUNT or add a remountwith noexec and nosuid options to
systemstartup.
Domain Configname StateorValue
Kernel-FileSystems-Mount-1
CONFIG_DEVTMPFS_MOUNTDisabledoraddremountwithnoexecandnosuidtosystemstartup.
IoT.Bzh Security-blueprint
Version5.0.0 39January2018
Part5-Platform
Abstract
ThispartfocusesontheAGLplatformincludingalltoolsandtechniquesusedtoupgradethesecurityand
downgrade the danger. Itmust be possible to apply the two fundamental principleswritten at the very
beginningofthedocument.Firstofall,securitymanagementmustremainsimple.Youmustalsoprohibit
everythingbydefault,andthendefineasetofauthorizationrules.Ascasestodealwith,wemust:
ImplementaMACforprocessesandfiles.
Limitcommunicationbetweenapplications(SystemBusandSystemDpart).
Prohibitalltoolsusedduringdevelopmentmode(UtilitiesandServicespart).
Manageusercapabilities(Userspart).
Manageapplicationpermissionsandpolicies(AGLFwpart).
Thetoolsandconceptsusedtomeettheseneedsareonlyexamples.Anyothertoolthatmeetsthe
needcanbeused.
InAGL,as inmanyotherembeddedsystems,different securitymechanismssettle in the core layers to
ensure isolation and data privacy. While the Mandatory Access Control layer (SMACK) provides global
security and isolation, othermechanisms likeCynara are required to check application's permissions at
runtime. Applicative permissions (also called "privileges") may vary depending on the user and the
applicationbeingrun:anapplicationshouldhaveaccesstoagivenserviceonly if it isrunbytheproper
userandiftheappropriatepermissionsaregranted.
IoT.Bzh Security-blueprint
Version5.0.0 40January2018
AcronymsandAbbreviations
Thefollowingtableliststhetermsutilizedwithinthispartofthedocument.
AcronymsorAbbreviations Description
ACL AccessControlLists
alsa AdvancedLinuxSoundArchitecture
API ApplicationProgrammingInterface
AppFw ApplicationFramework
Cap Capabilities
DAC DiscretionaryAccessControl
DDOS DistributedDenialOfService
DOS DenialOfService
IPC Inter-ProcessCommunication
MAC MandatoryAccessControl
PAM PluggableAuthenticationModules
SMACK SimplifiedMandatoryAccessControlKernel
IoT.Bzh Security-blueprint
Version5.0.0 41January2018
MandatoryAccessControl
WedecidedtoputtheMACprotectionontheplatformpartdespitethefactthatitappliestothekernel
too,sinceitsusewillbemainlyattheplatformlevel(exceptfloorpart).
MandatoryAccessControl(MAC)isaprotectionprovidedbytheLinuxkernelthatrequiresaLinuxSecurity
Module (LSM). AGL uses an LSM called SimplifiedMandatory Access Control Kernel (SMACK). This
protectioninvolvesthecreationofSMACK labelsaspartoftheextendedattributesSMACK labelstothe
fileextendedattributes.Andapolicyisalsocreatedtodefinethebehaviourofeachlabel.
Thekernelaccesscontrols isbasedon these labelsand thispolicy. If there isno rule,noaccesswillbe
grantedandasaconsequence,whatisnotexplicitlyauthorizedisforbidden.
TherearetwotypesofSMACKlabels:
ExecutionSMACK(Attachedtotheprocess):Defineshowfilesareaccessedandcreatedbythat
process.
FileAccessSMACK(Writtentotheextendedattributeofthefile):Defineswhichprocesscanaccess
thefile.
By default a process executes with its File Access SMACK label unless an Execution SMACK label is
defined.
AGL'sSMACKschemeisbasedontheTizen3Q2/2015.ItdividestheSystemintothefollowingdomains:
Floor.
System.
Applications,ServicesandUser.
SeeAGLsecurityframeworkreviewandSmackWhitePaperformoreinformation.
IoT.Bzh Security-blueprint
Version5.0.0 42January2018
Floor
The floor domain includes the base system services and any associated data and libraries. This data
remainsunchangedatruntime.Writingtofloorfilesordirectoriesisallowedonlyindevelopmentmodeor
duringsoftwareinstallationorupgrade.
Thefollowingtabledetailsthefloordomain:
Label Name ExecutionSMACK FileAccessSMACK
- Floor r-xforall Onlykernelandinternalkernelthread.
Hat ---forall rxonalldomains.
* Star rwxforall None
TheHat label isOnly forprivileged systemservices (currentlyonly systemd-journal).Useful for
backuporvirusscans.Nofilewiththislabelshouldexistexceptinthedebuglog.
TheStarlabelisusedfordevicefilesor/tmpAccessrestrictionmanagedviaDAC.Individualfiles
remainprotectedbytheirSMACKlabel.
Domain Labelname Recommendations
Kernel-MAC-Floor-1 Onlyforprivilegedsystemservices.
Kernel-MAC-Floor-2 * Usedfordevicefilesor/tmpAccessrestrictionviaDAC.
IoT.Bzh Security-blueprint
Version5.0.0 43January2018
System
ThesystemdomainincludesareducedsetofcoresystemservicesoftheOSandanyassociateddata.This
datamaychangeatruntime.
Thefollowingtabledetailsthesystemdomain:
Label Name ExecutionSMACK FileAccessSMACK
System System None Privilegedprocesses
System::Run Run rwxatlforUserandSystemlabel None
System::Shared Shared rwxatlforsystemdomainr-xforUserlabel
None
System::Log Log rwaforSystemlabelxaforuserlabel None
System::Sub SubSystem SubsystemConfigfiles SubSystemonly
Domain Labelname Recommendations
Kernel-MAC-System-1
System Processshouldwriteonlytofilewithtransmuteattribute.
Kernel-MAC-System-2
System::runFilesarecreatedwiththedirectorylabelfromuserandsystemdomain(transmute)Lockisimplicitwithw.
Kernel-MAC-System-3
System::SharedFilesarecreatedwiththedirectorylabelfromsystemdomain(transmute)Userdomainhaslockedprivilege.
Kernel-MAC-System-4
System::Log Somelimitationmayimposetoaddwtoenableappend.
Kernel-MAC-System-5
System::Sub IsolationofriskySubsystem.
IoT.Bzh Security-blueprint
Version5.0.0 44January2018
Applications,ServicesandUser
Theapplication,servicesanduserdomainincludescodethatprovidesservicestothesystemanduser,as
wellasanyassociateddata.AllcoderunningonthisdomainisunderCynaracontrol.
Thefollowingtabledetailstheapplication,servicesanduserdomain:
Label Name ExecutionSMACK FileAccessSMACK
User::Pkg::$AppID AppID rwx(forfilescreatedbytheApp).rxforfilesinstalledbyAppFw
$Appruntimeexecuting$App
User::Home Home rwx-tfromSystemlabelr-x-lfromApp None
User::App-Shared Shared rwxatfromSystemandUserdomainslabelof$User
None
Domain Labelname Recommendations
Kernel-MAC-System-1
User::Pkg::$AppIDOnlyoneLabelisallowedperApp.AdatadirectoryiscreatedbytheAppFwinrwxmode.
Kernel-MAC-System-2
User::Home
AppFwneedstocreateadirectoryin/home/$USER/App-Sharedatfirstlaunchifnotpresentwithlabelapp-dataaccessisUser::App-Sharedwithouttransmute.
Kernel-MAC-System-3
User::App-Shared SharedspacebetweenallApprunningforagivenuser.
IoT.Bzh Security-blueprint
Version5.0.0 45January2018
SystemD
afm-system-daemonisusedto:
Manageusersandusersessions.
Setupapplicationsandservices(CGroups,namespaces,autostart,permissions).
Useoflibsystemdforitsprograms(eventmanagement,D-Businterface).
Domain Object Recommendations
Platform-SystemD-1 Securitymodel UseNamespacesforcontainerization.
Platform-SystemD-2 Securitymodel UseCGroupstoorganiseprocesses.
Seesystemdintegrationandusermanagementformoreinformation.
Benefits
Removalofoneprivilegedprocess:afm-user-daemon
Accessanduseofhighlevelfeatures:
Socketactivation.
ManagementofusersandintegrationofPAM.
Dependencyresolutiontoservices.
Cgroupsandresourcecontrol.
Namespacescontainerization.
AutostartofrequiredAPI.
Permissionsandsecuritysettings.
Networkmanagement.
IoT.Bzh Security-blueprint
Version5.0.0 46January2018
CGroups
ControlGroupsofferalotoffeatures,withthemostusefulonesyoucancontrol:Memoryusage,howmuch
CPUtimeisallocated,howmuchdeviceI/Oisallowedorwhichdevicescanbeaccessed.SystemD uses
CGroups toorganiseprocesses(eachservice isaCGroups,andallprocessesstartedby thatserviceuse
thatCGroups).Bydefault,SystemDautomaticallycreatesahierarchyofslice,scopeandserviceunitsto
provideaunifiedstructurefortheCGroupstree.Withthesystemctlcommand,youcanfurthermodifythis
structurebycreatingcustomslices.Currently,inAGL,thereare2slices(user.sliceandsystem.slice).
Namespaces
Userside
There are several ways of authenticating users (Key Radio Frequency, Phone, Gesture, ...). Each
authenticationprovidesdynamicallocationofuidstoauthenticatedusers.Uidsisusedtoensureprivacyof
usersandSMACKforapplicationsprivacy.
First, the user initiates authentication with PAM activation. PAM Standard offers highly configurable
authenticationwithmodulardesignlikefacerecognition,Voiceidentificationorwithapassword.Thenusers
shouldaccessidentityserviceswithservicesandapplications.
IoT.Bzh Security-blueprint
Version5.0.0 47January2018
D-Bus
D-Busisawell-knownIPC(Inter-ProcessCommunication)protocol(anddaemon)thathelpsapplications
totalktoeachother.TheuseofD-Busisgreatbecauseitallowstoimplementdiscoveryandsignaling.
TheD-BussessionisbydefaultaddressedbyenvironmentvariableDBUS_SESSION_BUS_ADDRESS.Usingsystemd
variableDBUS_SESSION_BUS_ADDRESSisautomaticallysetforusersessions.D-Bususageislinkedtopermissions.
D-Bushasalreadyhadseveralsecurityissues(mostlyDoSissues),toallowapplicationstokeeptalkingto
eachother.Itisimportanttoprotectagainstthistypeofattacktokeepthesystemmorestable.
Domain Object Recommendations
Platform-DBus-1 Securitymodel UseD-BusasIPC.
Platform-DBus-2 Securitymodel ApplyD-BUSsecuritypatches:D-BusCVE
IoT.Bzh Security-blueprint
Version5.0.0 48January2018
Systemservicesanddaemons
Domain Improvement
Platform-Services-1 SystemD?
Platform-Services-2 Securedaemon?
Tools
connman:Aninternetconnectionmanagerdesignedtobeslimandtouseasfewresourcesas
possible.Itisafullymodularsystemthatcanbeextended,throughplug-ins,tosupportallkindsof
wiredorwirelesstechnologies.
bluezisaBluetoothstack.ItsgoalistoprogramanimplementationoftheBluetoothwireless
standardsspecifications.Inadditiontothebasicstack,thebluez-utilsandbluez-firmwarepackages
containlowlevelutilitiessuchasdfutoolwhichcaninterrogatetheBluetoothadapterchipsetinorder
todeterminewhetheritsfirmwarecanbeupgraded.
gstreamerisapipeline-basedmultimediaframework.Itcanbeusedtobuildasystemthatreadsfiles
inoneformat,processesthem,andexportstheminanotherformat.
alsaisasoftwareframeworkandpartoftheLinuxkernelthatprovidesanAPIforsoundcarddevice
drivers.
Domain Toolname State
Platform-Utilities-1 connman Usedasaconnectionmanager.
Platform-Utilities-2 bluez UsedasaBluetoothmanager.
Platform-Utilities-3 gstreamer Usedtomanagemultimediafileformat.
Platform-Utilities-4 alsa UsedtoprovidesanAPIforsoundcarddevicedrivers.
IoT.Bzh Security-blueprint
Version5.0.0 49January2018
Applicationframework/model(AppFw)
Theapplicationframeworkmanages:
Theapplicationsandservicesmanagement:Installing,Uninstalling,Listing,...
Thelifecycleofapplications:Start->(Pause,Resume)->Stop.
Eventsandsignalspropagation.
Privilegesgrantingandchecking.
APIforinteractionwithapplications.
Thesecuritymodelreferstothesecuritymodelusedtoensuresecurityandtothetoolsthatare
provided for implementing thatmodel. It's an implementationdetail that shouldnot impact the
layersabovetheapplicationframework.
ThesecuritymodelreferstohowDAC(DiscretionaryAccessControl),MAC (MandatoryAccess
Control)andCapabilitiesareusedbythesystemtoensuresecurityandprivacy.Italso includes
featuresofreportingusingauditfeaturesandbymanaginglogsandalerts.
TheAppFw uses the security model to ensure the security and the privacy of the applications that it
manages.Itmustbecompliantwiththeunderlyingsecuritymodel.Butitshouldhideittotheapplications.
Domain Object Recommendations
Platform-AGLFw-AppFw-1 Securitymodel UsetheAppFwasSecuritymodel.
See AGL AppFw Privileges Management and AGL - Application Framework Documentation for more
information.
IoT.Bzh Security-blueprint
Version5.0.0 50January2018
Cynara
There'saneedforanothermechanismresponsibleforcheckingapplicativepermissions:CurrentlyinAGL,
thistaskdependsonapolicy-checkerservice(Cynara).
Storescomplexpoliciesindatabases.
"Soft"security(accessischeckedbytheframework).
CynarainteractwithD-Businordertodeliverthisinformation.
Domain Object Recommendations
Platform-AGLFw-Cynara-1 Permissions UseCynaraaspolicy-checkerservice.
Policies
Policyrules:
Aresimple-forpair[applicationcontext,privilege]thereisstraightanswer(singlePolicyType):
[ALLOW/DENY/...].
Nocodeisexecuted(noscript).
Canbeeasilycachedandmanaged.
Applicationcontext(describesidoftheuserandtheapplicationcredentials)Itisbuildof:
UIDoftheuserthatrunstheapplication.
SMACKlabelofapplication.
Holdingpolicies
Policiesarekeptinbuckets.Bucketsaresetofpolicieswhichhaveadditionalapropertyofdefaultanswer,
thedefaultanswerisyieldedifnopolicymatchessearchedkey.Bucketshavenameswhichmightbeused
inpolicies(fordirections).
IoT.Bzh Security-blueprint
Version5.0.0 51January2018
Utilities
busybox:Softwarethatprovidesseveralstripped-downUnixtoolsinasingleexecutablefile.Of
course,itwillbenecessarytousea"production"versionofbusyboxinordertoavoidallthetools
usefulonlyindevelopmentmode.
DomainTool
name State
Platform-Utilities-1
busyboxUsedtoprovideanumberoftools.Donotcompiledevelopmenttools.
Functionalitiestoexcludeinproductionmode
In production mode, a number of tools must be disabled to prevent an attacker from finding logs for
example.Thisisusefultolimitthevisiblesurfaceandthuscomplicatethefaultfindingprocess.Thetools
usedonlyindevelopmentmodearemarkedbyan'agl-devel'feature.Whenbuildinginproductionmode,
thesetoolswillnotbecompiled.
Domain Utilitynameandnormalpath State
Platform-Utilities-1 chgrpin/bin/chgrp Disabled
Platform-Utilities-2 chmodin/bin/chmod Disabled
Platform-Utilities-3 chownin/bin/chown Disabled
Platform-Utilities-4 dmesgin/bin/dmesg Disabled
Platform-Utilities-5 Dnsdomainnamein/bin/dnsdomainname Disabled
Platform-Utilities-6 dropbear,Remove"dropbear"from/etc/init.d/rcs Disabled
Platform-Utilities-7 Editorsin(vi)/bin/vi Disabled
Platform-Utilities-8 findin/bin/find Disabled
Platform-Utilities-9 gdbserverin/bin/gdbserver Disabled
Platform-Utilities-10 hexdumpin/bin/hexdump Disabled
Platform-Utilities-11 hostnamein/bin/hostname Disabled
Platform-Utilities-12 installin/bin/install Disabled
Platform-Utilities-13 iostatin/bin/iostat Disabled
Platform-Utilities-14 killallin/bin/killall Disabled
Platform-Utilities-15 klogdin/sbin/klogd Disabled
Platform-Utilities-16 loggerin/bin/logger Disabled
Platform-Utilities-17 lsmodin/sbin/lsmod Disabled
Platform-Utilities-18 pmapin/bin/pmap Disabled
Platform-Utilities-19 psin/bin/ps Disabled
IoT.Bzh Security-blueprint
Version5.0.0 52January2018
Platform-Utilities-20 psin/bin/ps Disabled
Platform-Utilities-21 rpmin/bin/rpm Disabled
Platform-Utilities-22 SSH Disabled
Platform-Utilities-23 stbhotplugin/sbin/stbhotplug Disabled
Platform-Utilities-24 stracein/bin/trace Disabled
Platform-Utilities-25 suin/bin/su Disabled
Platform-Utilities-26 syslogdin(logger)/bin/logger Disabled
Platform-Utilities-27 topin/bin/top Disabled
Platform-Utilities-28 UARTin/proc/tty/driver/ Disabled
Platform-Utilities-29 whichin/bin/which Disabled
Platform-Utilities-30 whoandwhoamiin/bin/whoami Disabled
Platform-Utilities-31 awk(busybox) Enabled
Platform-Utilities-32 cut(busybox) Enabled
Platform-Utilities-33 df(busybox) Enabled
Platform-Utilities-34 echo(busybox) Enabled
Platform-Utilities-35 fdisk(busybox) Enabled
Platform-Utilities-36 grep(busybox) Enabled
Platform-Utilities-37 mkdir(busybox) Enabled
Platform-Utilities-38 mount(vfat)(busybox) Enabled
Platform-Utilities-39 printf(busybox) Enabled
Platform-Utilities-40 sedin/bin/sed(busybox) Enabled
Platform-Utilities-41 tail(busybox) Enabled
Platform-Utilities-42 tee(busybox) Enabled
Platform-Utilities-43 test(busybox) Enabled
TheEnabledUnix/Linuxutilitiesaboveshallbepermittedastheyareoftenusedinthestart-upscripts
and for USB logging. If any of these utilities are not required by the device then those should be
removed.
IoT.Bzh Security-blueprint
Version5.0.0 53January2018
Users
Theuserpolicycangroupusersbyfunctionwithinthecar.Forexample,wecanconsideradriverandhis
passengers.Eachuserisassignedtoasinglegrouptosimplifythemanagementofspacesecurity.
RootAccess
Themainapplications, those thatprovide theprincipal functionality of theembeddeddevice, shouldnot
executewithrootidentityoranycapability.
Ifthemainapplicationisallowedtoexecuteatanycapability,thentheentiresystemisatthemercyofthe
saidapplication'sgoodbehaviour.Problemsarisewhenanapplicationiscompromisedandabletoexecute
commands which could consistently and persistently compromise the system by implanting rogue
applications.
ItissuggestedthatthemiddlewareandtheUIshouldruninacontextonauserwithnocapabilityandall
persistentresourcesshouldbemaintainedwithoutanycapability.
Oneway to ensure this is by implementing a server-client paradigm.Services providedby the system's
driverscanbesharedthisway.Theotheradvantageofthisapproachisthatmultipleapplicationscanshare
thesameresourcesatthesametime.
Domain Object Recommendations
Platform-Users-root-1
Mainapplication
Shouldnotexecuteasroot.
Platform-Users-root-2
UI Shouldruninacontextonauserwithnocapability.
Rootaccessshouldnotbeallowedforthefollowingutilities:
Domain Utilityname State
Platform-Users-root-3 login Notallowed
Platform-Users-root-4 su Notallowed
Platform-Users-root-5 ssh Notallowed
Platform-Users-root-6 scp Notallowed
Platform-Users-root-7 sftp Notallowed
Rootaccessshouldnotbeallowedfortheconsoledevice.Thedevelopmentenvironmentshouldallowusers
tologinwithpre-createduseraccounts.
Switchingtoelevatedprivilegesshallbeallowedinthedevelopmentenvironmentviasudo.
IoT.Bzh Security-blueprint
Version5.0.0 54January2018
IoT.Bzh Security-blueprint
Version5.0.0 55January2018
Capabilities
Domain Improvement
Platform-Users-Capabilities-1 KernelorPlatform-user?
Platform-Users-Capabilities-2 Addconfignote.
ThegoalistorestrictfunctionalitythatwillnotbeusefulinAGL.TheyareintegratedintotheLSM. Each
privilegedtransactionisassociatedwithacapability.Thesecapabilitiesaredividedintothreegroups:
e:Effective:Thismeansthecapabilityis“activated”.
p:Permitted:Thismeansthecapabilitycanbeused/isallowed.
i:Inherited:Thecapabilityiskeptbychild/subprocessesuponexecve()forexample.
IoT.Bzh Security-blueprint
Version5.0.0 56January2018
Part6-Application
Abstract
ApplicationHardening: Best practices to apply to the build and release of user space applications, in
ordertoreducethenumberofattacksurfacesusedbypotentialattackers.
ThetermofApplication(App)hasaverywidedefinitioninAGL.Almostanythingwhichisnotinthecore
Operating System (OS) is an Application. Applications can be included in the base software package
(image)orcanbeaddedatrun-time.
AcronymsandAbbreviations
Thefollowingtableliststhetermsutilizedwithinthispartofthedocument.
AcronymsorAbbreviations Description
3GPP 3rdGenerationPartnershipProject
CASB CloudAccessSecurityBroker
DAST DynamicApplicationSecurityTesting
DPI DeepPacketInspection
IDS IntrusionDetectionSystems
IPS IntrusionPreventionSystems
IPSec InternetProtocolSecurity
LSM LinuxSecurityModule
MITM ManInTheMiddle
OSI OpenSystemsInterconnection
SATS StaticApplicationSecurityTesting
IoT.Bzh Security-blueprint
Version5.0.0 57January2018
Local
Domain Improvement
Application-Installation-1 TalkaboutAppFwofflinemode.
Installation
Applicationscanbedeliveredand installedwith thebase imageusingaspecialoffline-modeprovidedby
theAppFw.Appscanalsobeinstalledatruntime.
Duringearlyrelease,defaultAppsareinstalledontheimageatfirstboot.
Domain Object Recommendations
Application-Installation-1
AppFw Provideoffline-modeinordertoinstallappwiththebaseimage.
Application-Installation-2
Integrity Allowtheinstallationofapplicationsonlyiftheirintegrityisgood.
IoT.Bzh Security-blueprint
Version5.0.0 58January2018
Local
PrivilegeManagement
ApplicationprivilegesaremanagedbyCynaraandthesecuritymanagerintheAppFw.Formoredetails,
pleaserefertotheAppFwdocumentationinPlatformpart.
IoT.Bzh Security-blueprint
Version5.0.0 59January2018
AppSignature
Domain Improvement
Application-Signature-1 Addcontent(seesecurebuildinSecuredevelopmentpart).
IoT.Bzh Security-blueprint
Version5.0.0 60January2018
Services
Domain Improvement
Application-Services-1 Addcontent(Whichservices?).
Application-Services-2 AddBinder.
IoT.Bzh Security-blueprint
Version5.0.0 61January2018
Part7-Connectivity
Abstract
ThispartshowsdifferentConnectivityattacksonthecar.
Domain Improvement
Connectivity-Abstract-1 Improveabstract.
IoT.Bzh Security-blueprint
Version5.0.0 62January2018
AcronymsandAbbreviations
Thefollowingtableliststhetermsutilizedwithinthispartofthedocument.
AcronymsorAbbreviations Description
ARP AddressResolutionProtocol
BLE BluetoothLowEnergy
CAN CarAreaNetwork
CCMP Counter-Mode/CBC-MacProtocol
EDGE EnhancedDataRatesforGSMEvolution-EvolutionofGPRS
GEA GPRSEncryptionAlgorithm
GPRS GeneralPacketRadioService(2,5G,2G+)
GSM GlobalSystemforMobileCommunications(2G)
HSPA HighSpeedPacketAccess(3G+)
IMEI InternationalMobileEquipmentIdentity
LIN LocalInterconnectNetwork
MOST MediaOrientedSystemTransport
NFC NearFieldCommunication
OBD On-BoardDiagnostics
PATS PassiveAnti-TheftSystem
PKE PassiveKeylessEntry
PSK Phase-ShiftKeying
RDS RadioDataSystem
RFID RadioFrequencyIdentification
RKE RemoteKeylessEntry
SDR SoftwareDefinedRadio
SSP SecureSimplePairing
TKIP TemporalKeyIntegrityProtocol
TPMS TirePressureMonitoringSystem
UMTS UniversalMobileTelecommunicationsSystem(3G)
USB UniversalSerialBus
WEP WiredEquivalentPrivacy
WPA WifiProtectedAccess
IoT.Bzh Security-blueprint
Version5.0.0 63January2018
Bus
WeonlyspeakabouttheCANbustotakeanexample,becausethedifferentattacksonbuslikeFlewRay,
ByteFlight,Most and Lin use retro engineering and the main argument to improve their security is to
encryptdatapackets.Wejustdescribethemabit:
CAN:ControllerAreaNetwork,developedintheearly1980s,isanevent-triggeredcontrollernetwork
forserialcommunicationwithdataratesuptooneMBit/s.CANmessagesareclassifiedovertheir
respectiveidentifier.CANcontrollerbroadcasttheirmessagestoallconnectednodesandallreceiving
nodesdecideindependentlyiftheyprocessthemessage.
FlewRay:Isadeterministicanderror-toleranthigh-speedbus.Withadatarateupto10MBit/s.
ByteFlight:Isusedforsafety-criticalapplicationsinmotorvehicleslikeair-bags.Byteflightrunsat
10Mbpsover2or3wiresplasticopticalfibers.
Most:MediaOrientedSystemTransport,isusedfortransmittingaudio,video,voice,andcontroldata
viafiberopticcables.Thespeedis,forthesynchronousway,upto24MBit/sandasynchronouswayup
to14MBit/s.MOSTmessagesincludealwaysaclearsenderandreceiveraddress.
LIN:LocalInterconnectNetwork,isasingle-wiresubnetworkforlow-cost,serialcommunication
betweensmartsensorsandactuatorswithtypicaldataratesupto20kBit/s.Itisintendedtobeused
fromtheyear2001oneverywhereinacar,wherethebandwidthandversatilityofaCANnetworkis
notrequired.
Domain Techname
Recommendations
Connectivity-BusAndConnector-Bus-1
CAN Implementhardwaresolutioninordertoprohibitsendingunwantedsignals.
SeeSecurityinAutomotiveBusSystemsformoreinformation.
Connectors
For the connectors, we supposed that they were disabled by default. For example, the USB must be
disabledtoavoidattackslikeBadUSB.Ifnot,configuretheKerneltoonlyenabletheminimumrequireUSB
devices.TheconnectorsusedtodiagnosethecarlikeOBD-IImustbedisabledoutsidegarages.
Domain Techname
Recommendations
Connectivity-BusAndConnector-Connectors-1
USBMustbedisabled.Ifnot,onlyenabletheminimumrequireUSBdevices.
Connectivity-BusAndConnector-Connectors-2
USBConfidentialdataexchangedwiththeECUoverUSBmustbesecure.
Connectivity-BusAndConnector-Connectors-3
USB USBBootonaECUmustbedisable.
Connectivity-BusAndConnector-Connectors-4
OBD-II Mustbedisabledoutsidegarages.
IoT.Bzh Security-blueprint
Version5.0.0 64January2018
IoT.Bzh Security-blueprint
Version5.0.0 65January2018
Wireless
In thispart,we talkaboutpossible remoteattacksonacar,according to thedifferentareasofpossible
attacks. For each communication channels, we describe attacks and how to prevent them with some
recommendations. The main recommendation is to always follow the latest updates of these remote
communicationchannels.
Domain Object Recommendations
Connectivity-Wireless-1
Update Alwaysfollowthelatestupdatesofremotecommunicationchannels.
Wewillseethefollowingparts:
Wifi
Bluetooth
Cellular
Radio
NFC
Domain Improvement
Connectivity-Wireless-1 Addcommunicationchannels(RFID,ZigBee?).
For existing automotive-specificmeans,we take examples of existing system attacks from the IOActive
document(ASurveyofRemoteAutomotiveAttackSurfaces)andfromtheETHdocument(RelayAttackson
PassiveKeylessEntryandStartSystemsinModernCars).
Telematics
PassiveAnti-TheftSystem(PATS)
TirePressureMonitoringSystem(TPMS)
RemoteKeylessEntry/Start(RKE)
PassiveKeylessEntry(PKE)
IoT.Bzh Security-blueprint
Version5.0.0 66January2018
Wifi
Attacks
Wecandifferentiateexistingattacksonwifiintwocategories:ThoseonWEPandthoseonWPA.
WEPattacks:
FMS:(Fluhrer,MantinandShamirattack)isa"StreamcipherattackonthewidelyusedRC4
streamcipher.TheattackallowsanattackertorecoverthekeyinanRC4encryptedstreamfroma
largenumberofmessagesinthatstream."
KoreK:"Allowstheattackertoreducethekeyspace".
PTW:(PyshkinTewsWeinmannattack).
Chopchop:FoundbyKoreK,"WeaknessoftheCRC32checksumandthelackofreplayprotection."
Fragmentation
WPAattacks:
BeckandTews:ExploitweaknessinTKIP."AllowtheattackertodecryptARPpacketsandto
injecttrafficintoanetwork,evenallowinghimtoperformaDoSoranARPpoisoning".
KRACK:(K)ey(R)einstallation(A)tta(ck)(jiraAGLSPEC-1017).
Recommendations
DonotuseWEP,PSKandTKIP.
UseWPA2withCCMP.
Shouldprotectdatasniffing.
Domain Technameorobject
Recommendations
Connectivity-Wireless-Wifi-1
WEP,PSK,TKIP Disabled
Connectivity-Wireless-Wifi-2
WPA2andAES-CCMP
Used
Connectivity-Wireless-Wifi-3
WPA2 Shouldprotectdatasniffing.
Connectivity-Wireless-Wifi-4
PSK Changingregularlythepassword.
Connectivity-Wireless-Wifi-5
Device Upgradedeasilyinsoftwareorfirmwaretohavethelastsecurityupdate.
SeeWifiattacksWEPWPAandBreakingwepandwpa(BeckandTews)formoreinformation.
IoT.Bzh Security-blueprint
Version5.0.0 67January2018
Bluetooth
Attacks
BluesnarfingattacksinvolveanattackercovertlygainingaccesstoyourBluetooth-enableddevicefor
thepurposeofretrievinginformation,includingaddresses,calendarinformationoreventhedevice's
InternationalMobileEquipmentIdentity.WiththeIMEI,anattackercouldrouteyourincomingcallsto
hiscellphone.
BluebuggingisaformofBluetoothattackoftencausedbyalackofawareness.Similarto
bluesnarfing,bluebuggingaccessesandusesallphonefeaturesbutislimitedbythetransmittingpower
ofclass2Bluetoothradios,normallycappingitsrangeat10-15meters.
Bluejackingisthesendingofunsolicitedmessages.
BLE:BluetoothLowEnergyattacks.
DoS:Drainadevice'sbatteryortemporarilyparalyzethephone.
Recommendations
NotallowingBluetoothpairingattemptswithoutthedriver'sfirstmanuallyplacingthevehicleinpairing
mode.
Monitoring.
UseBLEwithcaution.
Forv2.1andlaterdevicesusingSecureSimplePairing(SSP),avoidusingthe"JustWorks"association
model.Thedevicemustverifythatanauthenticatedlinkkeywasgeneratedduringpairing.
Domain Techname
Recommendations
Connectivity-Wireless-Bluetooth-1
BLE Usewithcaution.
Connectivity-Wireless-Bluetooth-2
Bluetooth Monitoring
Connectivity-Wireless-Bluetooth-3
SSP Avoidusingthe"JustWorks"associationmodel.
Connectivity-Wireless-Bluetooth-4
Visibility Configuredbydefaultasundiscoverable.Exceptwhenneeded.
Connectivity-Wireless-Bluetooth-5
Anti-scanning
Used,interalia,toslowdownbruteforceattacks.
SeeLowenergyandtheautomotivetransformation,GattackingBluetoothSmartDevices, Comprehensive
ExperimentalAnalysesofAutomotiveAttackSurfacesandWithLowEnergycomesLowSecurity formore
information.
IoT.Bzh Security-blueprint
Version5.0.0 68January2018
Cellular
Attacks
IMSI-Catcher: Is a telephone eavesdropping device used for interceptingmobile phone traffic and
tracking location data of mobile phone users. Essentially a "fake"mobile tower acting between the
target mobile phone and the service provider's real towers, it is considered a man-in-the-middle
(MITM)attack.
Lackofmutualauthentication(GPRS/EDGE)andencryptionwithGEA0.
FallbackfromUMTS/HSPAtoGPRS/EDGE(JammingagainstUMTS/HSPA).
4GDoSattack.
Recommendations
Checkantennalegitimacy.
Domain Techname Recommendations
Connectivity-Wireless-Cellular-1 GPRS/EDGE Avoid
Connectivity-Wireless-Cellular-2 UMTS/HSPA ProtectedagainstJamming.
SeeApracticalattackagainstGPRS/EDGE/UMTS/HSPAmobiledatacommunicationsformoreinformation.
Radio
Attacks
Interceptionofdatawithlowcostmaterial(SDRwithhijackedDVB-T/DABforexample).
Recommendations
UsetheRadioDataSystem(RDS)onlytosendsignalsforaudiooutputandmetaconcerningradio.
Domain Techname Recommendations
Connectivity-Wireless-Radio-1 RDS Onlyaudiooutputandmetaconcerningradio.
IoT.Bzh Security-blueprint
Version5.0.0 69January2018
NFC
Attacks
MITM:Relayandreplayattack.
Recommendations
Shouldimplementsprotectionagainstrelayandreplayattacks(Tokens,etc...).
Disableunneededandunapprovedservicesandprofiles.
NFCshouldbeuseencryptedlink(securechannel).AstandardkeyagreementprotocollikeDiffie-
HellmannbasedonRSAorEllipticCurvescouldbeappliedtoestablishasharedsecretbetweentwo
devices.
AutomotiveNFCdeviceshouldbecertifiedbyNFCforumentity:TheNFCForumCertificationMark
showsthatproductsmeetglobalinteroperabilitystandards.
NFCModifiedMillercodingispreferredoverNFCManchestercoding.
Domain Techname
Recommendations
Connectivity-Wireless-NFC-1
NFC Protectedagainstrelayandreplayattacks.
Connectivity-Wireless-NFC-2
Device Disableunneededandunapprovedservicesandprofiles.
IoT.Bzh Security-blueprint
Version5.0.0 70January2018
Cloud
Download
authentication:Authenticationisthesecurityprocessthatvalidatestheclaimedidentityofadevice,
entityorperson,relyingononeormorecharacteristicsboundtothatdevice,entityorperson.
Authorization:Parsesthenetworktoallowaccesstosomeorallnetwork functionalitybyproviding
rulesandallowingaccessordenyingaccessbasedonasubscriber'sprofileandservicespurchased.
Domain Object Recommendations
Application-Cloud-Download-1 authentication Mustimplementauthenticationprocess.
Application-Cloud-Download-2 Authorization MustimplementAuthorizationprocess.
Infrastructure
DeepPacketInspection:DPIprovidestechniquestoanalyzethepayloadofeachpacket,addingan
extralayerofsecurity.DPIcandetectandneutralizeattacksthatwouldbemissedbyothersecurity
mechanisms.
ADoSprotectioninordertoavoidthattheInfrastructureisnomoreaccessibleforaperiodoftime.
ScanningtoolssuchasSATSandDASTassessmentsperformvulnerabilityscansonthesourcecode
anddataflowsonwebapplications.Manyofthesescanningtoolsrundifferentsecurityteststhatstress
applicationsundercertainattackscenariostodiscoversecurityissues.
IDS&IPS:IDSdetectandloginappropriate,incorrect,oranomalousactivity.IDScanbelocatedin
the telecommunications networks and/or within the host server or computer. Telecommunications
carriersbuildintrusiondetectioncapabilityinallnetworkconnectionstoroutersandservers,aswellas
offering it as a service to enterprise customers. Once IDS systems have identified an attack, IPS
ensures that malicious packets are blocked before they cause any harm to backend systems and
networks.IDStypicallyfunctionsviaoneormoreofthreesystems:
1. Patternmatching.
2. Anomalydetection.
3. Protocolbehavior.
IoT.Bzh Security-blueprint
Version5.0.0 71January2018
Domain Object Recommendations
Application-Cloud-Infrastructure-1
Packet ShouldimplementaDPI.
Application-Cloud-Infrastructure-2
DoS MustimplementaDoSprotection.
Application-Cloud-Infrastructure-3
Test ShouldimplementscanningtoolslikeSATSandDAST.
Application-Cloud-Infrastructure-4
Log Shouldimplementsecuritytools(IDSandIPS).
Application-Cloud-Infrastructure-5
Appintegrity
Applicationsmustbesignedbythecodesigningauthority.
Transport
Fordatatransport,itisnecessarytoencryptdataend-to-end.TopreventMITMattacks,nothirdparty
shouldbeabletointerprettransporteddata.Anotheraspectisthedataanonymizationinordertoprotect
theleakageofprivateinformationontheuseroranyotherthirdparty.
The use of standards such as IPSec provides "private and secure communications over IP networks,
throughtheuseofcryptographicsecurityservices,isasetofprotocolsusingalgorithmstotransportsecure
dataoveranIPnetwork.".Inaddition,IPSecoperatesatthenetworklayeroftheOSImodel,contraryto
previousstandardsthatoperateattheapplicationlayer.Thismakesitsapplicationindependentandmeans
thatusersdonotneedtoconfigureeachapplicationtoIPSecstandards.
IPSecprovidestheservicesbelow:
Confidentiality:Aservicethatmakesitimpossibletointerpretdataifitisnottherecipient.Itisthe
encryptionfunctionthatprovidesthisservicebytransformingintelligible(unencrypted)datainto
unintelligible(encrypted)data.
Authentication:Aservicethatensuresthatapieceofdatacomesfromwhereitissupposedtocome
from.
Integrity:Aservicethatconsistsinensuringthatdatahasnotbeentamperedwithaccidentallyor
fraudulently.
ReplayProtection:Aservicethatpreventsattacksbyre-sendingavalidinterceptedpackettothe
networkforthesameauthorization.Thisserviceisprovidedbythepresenceofasequencenumber.
Keymanagement:MechanismfornegotiatingthelengthofencryptionkeysbetweentwoIPSec
elementsandexchangeofthesekeys.
AnadditionalmeansofprotectionwouldbetodothemonitoringbetweenusersandthecloudasaCASB
willprovide.
Domain Object Recommendations
Application-Cloud-Transport-1
Integrity,confidentialityandlegitimacy
ShouldimplementIPSecstandards.
IoT.Bzh Security-blueprint
Version5.0.0 72January2018
IoT.Bzh Security-blueprint
Version5.0.0 73January2018
Part8-Update(OTA)
Abstract
Updatingapplicationsandfirmwareisessentialforthedevelopmentofnewfeaturesandevenmoretofix
security bugs. However, if a malicious third party manages to divert its first use, it could alter the
functioningof thesystemand/orapplications.Thesecurityof theupdates is thereforea criticalpoint to
evaluateinordertoguaranteetheintegrity,theconfidentialityandthelegitimacyofthetransmitteddata.
AcronymsandAbbreviations
Thefollowingtableliststhetermsutilizedwithinthispartofthedocument.
AcronymsorAbbreviations Description
FOTA FirmwareOverTheAir
OTA OverTheAir
SOTA SoftwareOverTheAir
IoT.Bzh Security-blueprint
Version5.0.0 74January2018
FirmwareOverTheAir
The firmwareupdate is critical since its alterationback to compromise theentire system. It is therefore
necessarytotakeappropriateprotectivemeasures.Theprincipleofverifyingchainintegrityfulfillsmuchof
AGL'ssecurity.Duringa firmwareupdate, it isnecessary toupdate thedifferentsignatures tocheck the
integrityofthesystem.
Thereisalsotheconstraintoftheupdatetime:Thesystemmuststartquicklyandtherefore,updateitself
asquickly.WeimaginethattheFOTAismainlyusedinthevehiclemaintenancesession(e.g.Garage).We
willthenusenomoreFOTAbutawiredupdate.Thereisa limittowhatcanbeupdatedwirelessly.This
maintenanceupdatecouldsolvetheseproblems.
FieldupgradescanbeachievedsecurelybyusingaSecureLoader.Thisloaderwillauthenticateanincoming
image(USB,Serial,Network)priortowritingittotheflashmemoryonthedevice.Itshouldnotbepossible
towrite to flash from bootloader (U-Boot). Note that because USB support is to be disabledwithin the
sboot/U-Bootcode,theboardspecificimplementationoftheSecureLoaderwillhavetomanagetheentire
USBinitialization,enumeration,andread/writeaccesstothemassstoragedevice.
Domain Object Recommendations
Update-FOTA-1 Integrity,confidentialityandlegitimacy Mustbesecure.
DifferentpossibletypeofFOTA:
Package-basedlikerpm,dpkg:
+Simple.
-Power-off.
-Dependency.
Fullfilesystemupdates:
+Robust.
-Tendsdevice-specific.
-Needrsyncorsimilar.
Atomicdifferential:
+Robust.
+Minimalbandwidthconsumption.
+Easyreusable.
-Physicallyonefilesystem(Corruption->unbootablesystem).
-Norollbacklogic.
IoT.Bzh Security-blueprint
Version5.0.0 75January2018
SoftwareOverTheAir
SOTAismadepossiblebyAppFw(SeePlatformpart).Itwillbepossibletomanageinasimplewaythe
packets(i.g.Androidlike).
Domain Improvement
Update-SOTA-1 Parttocomplete.
IoT.Bzh Security-blueprint
Version5.0.0 76January2018
Part9-Securedevelopment
Inordertosavealotoftimeincodeauditing,developersmustfollowcodingguidelines.
Securebuild
Kernelbuild
Toolslike:
Codeoptimisation.
KernelDriverstestwithdocs.
Domain Improvement
SecureDev-SecureBuild-1 Addcontent.
App/Widgetsignatures
Domain Improvement
SecureDev-Signatures-1 Addcontent.
Codeaudit
These tools are used to check the correct implementation of functionalities and compliancewith related
goodpractices.
ContinuousCodeQuality.
Domain Improvement
SecureDev-CodeAudit-1 AddCVEanalyser.
SecureDev-CodeAudit-2 OSSTMM.
SATS
RATS(Maybetoold).
FlawFinder.
wikilist.
Mathematicalapproach.
IoT.Bzh Security-blueprint
Version5.0.0 77January2018
It is necessary to verify that the application code does not use functions that are depreciated and
recognizedasunsecuredorcauseproblems.
DATS
wikilist.
IoT.Bzh Security-blueprint
Version5.0.0 78January2018
Annexes
The first part resumed all the configurations youmust implementwithout any explications since all the
explanationsaregivenasandwheninthedocument.
The second one allows to visualize all the todo notes in order to have a global vision of the possible
improvementsofthedocument.
IoT.Bzh Security-blueprint
Version5.0.0 79January2018
Confignotes
Domain Object Recommendations
Hardware-Integrity-1 Bootloader Mustcontrolbootloaderintegrity.
Hardware-Integrity-2 Board MustuseaHSM.
Hardware-Integrity-3 RTC Mustnotbealterable.
Domain Object Recommendations
Hardware-Certificate-1
System Shallallowstoringdedicatedcertificates.
Hardware-Certificate-2
ECU TheECUmustverifythecertificationauthorityhierarchy.
Hardware-Certificate-3
SystemAllowthemodificationofcertificatesonlyifthesourcecanbeauthenticatedbyacertificatealreadystoredorinthehigherlevelsofthechainoftrust.
Domain Object Recommendations
Hardware-Memory-1
ECU TheECUshallneverexposetheunencryptedkeyinRAMwhenusingcryptographickeys.
Hardware-Memory-2
Bootloader InternalNVMonly
Hardware-Module-3
- HSMmustbeusedtosecurekeys.
Domain Variable/Configname Value
Boot-Image-Selection-1 CONFIG_BOOTDELAY -2
Boot-Image-Selection-2 bootdelay -2
Domain Configname State
Boot-Image-Authenticity-1 CONFIG_FIT Enable
Boot-Image-Authenticity-2 CONFIG_FIT_SIGNATURE Enable
Boot-Image-Authenticity-3 CONFIG_RSA Enable
Boot-Image-Authenticity-4 CONFIG_OF_CONTROL Enable
Boot-Image-Authenticity-5 CONFIG_OF_SEPARATE Enable
Boot-Image-Authenticity-6 CONFIG_DEFAULT_DEVICE_TREE Enable
Domain Communicationmodes
State
Boot-Communication-1
USB DisabledandCompiled-outifnotrequired.
IoT.Bzh Security-blueprint
Version5.0.0 80January2018
Boot-Communication-2
USBElse,KernelshouldbeconfiguredtoonlyenabletheminimumrequiredUSBdevicesandfilesystemsshouldbetreatedwithspecialcare.
Boot-Communication-3
Ethernet Disabled
Boot-Communication-4
U-bootandsbootDOCSIS
Disabled
Boot-Communication-5
Serialports Disabled
Domain Configname State
Boot-Communication-USB-1 CONFIG_CMD_USB Notdefined
Boot-Communication-USB-2 CONFIG_USB_UHCI Notdefined
Boot-Communication-USB-3 CONFIG_USB_KEYBOARD Notdefined
Boot-Communication-USB-4 CONFIG_USB_STORAGE Notdefined
Boot-Communication-USB-5 CONFIG_USB_HOST_ETHER Notdefined
Domain Communicationmodes
State
Boot-Communication-1
Network
interfaces
Preferablynonetworkinterfaceisallowed,otherwise,restricttheservicestothoseused.
Domain Object Recommendations
Boot-Communication-1
Services,portsanddevices
Restricttheservices,portsanddevicestothoseused.
Domain Commandname State
Boot-Communication-Flash-1 do_nand Disable
Domain Configname Value
Boot-Consoles-Serial-1 CONFIG_SILENT_CONSOLE Disable
Boot-Consoles-Serial-2 CONFIG_SYS_DEVICE_NULLDEV Disable
Boot-Consoles-Serial-3 CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC Disable
Domain Environmentvariablename State
Boot-Consoles-Serial-1 INC_DEBUG_PRINT Notdefined
Domain Configname State
Boot-Consoles-Variables-1 CONFIG_ENV_IS_IN_MMC #undef
Boot-Consoles-Variables-2 CONFIG_ENV_IS_IN_EEPROM #undef
Boot-Consoles-Variables-3 CONFIG_ENV_IS_IN_FLASH #undef
Boot-Consoles-Variables-4 CONFIG_ENV_IS_IN_DATAFLASH #undef
IoT.Bzh Security-blueprint
Version5.0.0 81January2018
Boot-Consoles-Variables-5 CONFIG_ENV_IS_IN_FAT #undef
Boot-Consoles-Variables-6 CONFIG_ENV_IS_IN_NAND #undef
Boot-Consoles-Variables-7 CONFIG_ENV_IS_IN_NVRAM #undef
Boot-Consoles-Variables-8 CONFIG_ENV_IS_IN_ONENAND #undef
Boot-Consoles-Variables-9 CONFIG_ENV_IS_IN_SPI_FLASH #undef
Boot-Consoles-Variables-10 CONFIG_ENV_IS_IN_REMOTE #undef
Boot-Consoles-Variables-11 CONFIG_ENV_IS_IN_UBI #undef
Boot-Consoles-Variables-12 CONFIG_ENV_IS_NOWHERE #define
Domain Commandname State
Boot-Consoles-MemDump-1 md Disabled
Boot-Consoles-MemDump-2 mm Disabled
Boot-Consoles-MemDump-3 nm Disabled
Boot-Consoles-MemDump-4 mw Disabled
Boot-Consoles-MemDump-5 cp Disabled
Boot-Consoles-MemDump-6 mwc Disabled
Boot-Consoles-MemDump-7 mdc Disabled
Boot-Consoles-MemDump-8 mtest Disabled
Boot-Consoles-MemDump-9 loopw Disabled
Domain Object Recommendations
Kernel-General-MAC-1 SMACK MustimplementaMandatoryAccessControl.
Domain Configname Value
Kernel-General-kexec-1 CONFIG_KEXEC n
Domain Configname Value
Kernel-General-IPAutoConf-1 CONFIG_IP_PNP n
Domain Configname Value
Kernel-General-SysCtl_SysCall-1 CONFIG_SYSCTL_SYSCALL n
Domain Configname Value
Kernel-General-LegacyLinux-1 CONFIG_USELIB n
Domain Configname Value
Kernel-General-FirmHelper-1 CONFIG_FW_LOADER_USER_HELPER n
Domain Configname Value
Kernel-General-PanicOnOOPS-1 CONFIG_PANIC_ON_OOPS y
Domain Configname Value
IoT.Bzh Security-blueprint
Version5.0.0 82January2018
Kernel-General-SocketMon-1 CONFIG_PACKET_DIAG n
Kernel-General-SocketMon-2 CONFIG_UNIX_DIAG n
Domain Configname Value
Kernel-General-BPF_JIT-1 CONFIG_BPF_JIT n
Domain Configname Value
Kernel-General-ModuleSigning-1 CONFIG_MODULE_SIG_FORCE y
Domain Object State
Kernel-General-Drivers-1 USB Disabled
Kernel-General-Drivers-2 PCMCIA Disabled
Kernel-General-Drivers-3 Otherhotplugbus Disabled
Domain compilerandlinkeroptions State
Kernel-General-IndependentExec-1 -pie-fpic Enable
Domain compilerandlinkeroptions State
Kernel-General-OverwriteAttacks-1 -z,relro Enable
Kernel-General-OverwriteAttacks-2 -z,now Enable
Domain compilerandlinkeroptions State
Kernel-General-LibraryLinking-1 -static Enable
Domain Configname Value
Kernel-Memory-RestrictAccess-1 CONFIG_DEVKMEM n
Domain Configname Value
Kernel-Memory-CoreDump-1 CONFIG_PROC_KCORE n
Domain Configname Value
Kernel-Memory-Swap-1 CONFIG_SWAP n
Domain Configname Value
Kernel-Memory-LoadAllSymbols-1 CONFIG_KALLSYMS n
Kernel-Memory-LoadAllSymbols-2 CONFIG_KALLSYMS_ALL n
Domain Configname Value
Kernel-Memory-Stack-1 CONFIG_CC_STACKPROTECTOR y
Otherdefensesincludethingslikeshadowstacks.
Domain Configname Value
Kernel-Memory-Access-1 CONFIG_DEVMEM n
IoT.Bzh Security-blueprint
Version5.0.0 83January2018
Domain Configname Value
Kernel-Memory-CrossMemAttach-1 CROSS_MEMORY_ATTACH n
Domain compilerandlinkeroptions State
Kernel-Memory-StackSmashing-1 -fstack-protector-all Enable
Domain compilerandlinkeroptions Value
Kernel-Memory-BufferOverflows-1 -D_FORTIFY_SOURCE 2
Domain Configname Value
Kernel-Consoles-Serial-1 CONFIG_SERIAL_8250 n
Kernel-Consoles-Serial-2 CONFIG_SERIAL_8250_CONSOLE n
Kernel-Consoles-Serial-3 CONFIG_SERIAL_CORE n
Kernel-Consoles-Serial-4 CONFIG_SERIAL_CORE_CONSOLE n
Domain Configname Value
Kernel-Consoles-CommandLine-1 CONFIG_CMDLINE_BOOL y
Kernel-Consoles-CommandLine-2 CONFIG_CMDLINE "insertkernelcommandlinehere"
Kernel-Consoles-CommandLine-3 CONFIG_CMDLINE_OVERRIDE y
Domain Configname Value
Kernel-Consoles-KDBG-1 CONFIG_KGDB n
Domain Configname Value
Kernel-Consoles-SysRQ-1 CONFIG_MAGIC_SYSRQ n
Domain Configname Value
Kernel-Consoles-BinaryFormat-1 CONFIG_BINFMT_MISC n
Domain Configname Value
Kernel-Debug-Symbols-1 CONFIG_DEBUG_INFO n
Domain Configname Value
Kernel-Debug-Kprobes-1 CONFIG_KPROBES n
Domain Configname Value
Kernel-Debug-Tracing-1 CONFIG_FTRACE n
Domain Configname Value
Kernel-Debug-Profiling-1 CONFIG_OPROFILE n
Kernel-Debug-Profiling-2 CONFIG_PROFILING n
Domain Configname Value
Kernel-Debug-OOPSOnBUG-1 CONFIG_DEBUG_BUGVERBOSE n
IoT.Bzh Security-blueprint
Version5.0.0 84January2018
Domain Configname Value
Kernel-Debug-Dev-1 CONFIG_DEBUG_KERNEL n
Kernel-Debug-Dev-2 CONFIG_EMBEDDED n
Domain Configname Value
Kernel-Debug-FileSystem-1 CONFIG_DEBUG_FS n
Domain Configname Value
Kernel-Debug-BUG-1 CONFIG_BUG n
Domain Configname Value
Kernel-Debug-CoreDumps-1 CONFIG_COREDUMP n
Domain Filename Value
Kernel-Debug-AdressDisplay-1 /proc/sys/kernel/kptr_restrict 1
Domain FileorDirectoriename State
Kernel-Debug-AdressDisplay-1 /boot/vmlinuz* ReadableOnlyforrootuser
Kernel-Debug-AdressDisplay-2 /boot/System.map* ReadableOnlyforrootuser
Kernel-Debug-AdressDisplay-3 /sys/kernel/debug/ ReadableOnlyforrootuser
Kernel-Debug-AdressDisplay-4 /proc/slabinfo ReadableOnlyforrootuser
Domain Filename Value
Kernel-Debug-DMESG-1 /proc/sys/kernel/dmesg_restrict 1
Domain Configname Value
Kernel-Debug-Config-1 CONFIG_IKCONFIG n
Domain Configname Value
Kernel-FileSystems-NFS-1 CONFIG_NFSD n
Kernel-FileSystems-NFS-2 CONFIG_NFS_FS n
Domain Partition Value
Kernel-FileSystems-Mount-1
/boot nosuid,nodevandnoexec.
Kernel-FileSystems-Mount-2
/var&/tmp In/etc/fstaborvfstab,addnosuid,nodevandnoexec.
Kernel-FileSystems-Mount-3
Non-rootlocal Iftypeisext2orext3andmountpointnot'/',addnodev.
Kernel-FileSystems-Mount-4
Removablestorage
Addnosuid,nodevandnoexec.
Kernel-FileSystems-Mount-5
Temporarystorage
Addnosuid,nodevandnoexec.
IoT.Bzh Security-blueprint
Version5.0.0 85January2018
Kernel-FileSystems-Mount-6
/dev/shm Addnosuid,nodevandnoexec.
Kernel-FileSystems-Mount-7
/dev Addnosuidandnoexec.
Domain Configname StateorValue
Kernel-FileSystems-Mount-1
CONFIG_DEVTMPFS_MOUNTDisabledoraddremountwithnoexecandnosuidtosystemstartup.
Domain Labelname Recommendations
Kernel-MAC-Floor-1 Onlyforprivilegedsystemservices.
Kernel-MAC-Floor-2 * Usedfordevicefilesor/tmpAccessrestrictionviaDAC.
Domain Labelname Recommendations
Kernel-MAC-System-1
System Processshouldwriteonlytofilewithtransmuteattribute.
Kernel-MAC-System-2
System::runFilesarecreatedwiththedirectorylabelfromuserandsystemdomain(transmute)Lockisimplicitwithw.
Kernel-MAC-System-3
System::SharedFilesarecreatedwiththedirectorylabelfromsystemdomain(transmute)Userdomainhaslockedprivilege.
Kernel-MAC-System-4
System::Log Somelimitationmayimposetoaddwtoenableappend.
Kernel-MAC-System-5
System::Sub IsolationofriskySubsystem.
Domain Labelname Recommendations
Kernel-MAC-System-1
User::Pkg::$AppIDOnlyoneLabelisallowedperApp.AdatadirectoryiscreatedbytheAppFwinrwxmode.
Kernel-MAC-System-2
User::Home
AppFwneedstocreateadirectoryin/home/$USER/App-Sharedatfirstlaunchifnotpresentwithlabelapp-dataaccessisUser::App-Sharedwithouttransmute.
Kernel-MAC-System-3
User::App-Shared SharedspacebetweenallApprunningforagivenuser.
Domain Object Recommendations
Platform-SystemD-1 Securitymodel UseNamespacesforcontainerization.
Platform-SystemD-2 Securitymodel UseCGroupstoorganiseprocesses.
Domain Object Recommendations
Platform-DBus-1 Securitymodel UseD-BusasIPC.
Platform-DBus-2 Securitymodel ApplyD-BUSsecuritypatches:D-BusCVE
Domain Toolname State
IoT.Bzh Security-blueprint
Version5.0.0 86January2018
Platform-Utilities-1 connman Usedasaconnectionmanager.
Platform-Utilities-2 bluez UsedasaBluetoothmanager.
Platform-Utilities-3 gstreamer Usedtomanagemultimediafileformat.
Platform-Utilities-4 alsa UsedtoprovidesanAPIforsoundcarddevicedrivers.
Domain Object Recommendations
Platform-AGLFw-AppFw-1 Securitymodel UsetheAppFwasSecuritymodel.
Domain Object Recommendations
Platform-AGLFw-Cynara-1 Permissions UseCynaraaspolicy-checkerservice.
DomainTool
name State
Platform-Utilities-1
busyboxUsedtoprovideanumberoftools.Donotcompiledevelopmenttools.
Domain Utilitynameandnormalpath State
Platform-Utilities-1 chgrpin/bin/chgrp Disabled
Platform-Utilities-2 chmodin/bin/chmod Disabled
Platform-Utilities-3 chownin/bin/chown Disabled
Platform-Utilities-4 dmesgin/bin/dmesg Disabled
Platform-Utilities-5 Dnsdomainnamein/bin/dnsdomainname Disabled
Platform-Utilities-6 dropbear,Remove"dropbear"from/etc/init.d/rcs Disabled
Platform-Utilities-7 Editorsin(vi)/bin/vi Disabled
Platform-Utilities-8 findin/bin/find Disabled
Platform-Utilities-9 gdbserverin/bin/gdbserver Disabled
Platform-Utilities-10 hexdumpin/bin/hexdump Disabled
Platform-Utilities-11 hostnamein/bin/hostname Disabled
Platform-Utilities-12 installin/bin/install Disabled
Platform-Utilities-13 iostatin/bin/iostat Disabled
Platform-Utilities-14 killallin/bin/killall Disabled
Platform-Utilities-15 klogdin/sbin/klogd Disabled
Platform-Utilities-16 loggerin/bin/logger Disabled
Platform-Utilities-17 lsmodin/sbin/lsmod Disabled
Platform-Utilities-18 pmapin/bin/pmap Disabled
Platform-Utilities-19 psin/bin/ps Disabled
Platform-Utilities-20 psin/bin/ps Disabled
Platform-Utilities-21 rpmin/bin/rpm Disabled
Platform-Utilities-22 SSH Disabled
Platform-Utilities-23 stbhotplugin/sbin/stbhotplug Disabled
IoT.Bzh Security-blueprint
Version5.0.0 87January2018
Platform-Utilities-24 stracein/bin/trace Disabled
Platform-Utilities-25 suin/bin/su Disabled
Platform-Utilities-26 syslogdin(logger)/bin/logger Disabled
Platform-Utilities-27 topin/bin/top Disabled
Platform-Utilities-28 UARTin/proc/tty/driver/ Disabled
Platform-Utilities-29 whichin/bin/which Disabled
Platform-Utilities-30 whoandwhoamiin/bin/whoami Disabled
Platform-Utilities-31 awk(busybox) Enabled
Platform-Utilities-32 cut(busybox) Enabled
Platform-Utilities-33 df(busybox) Enabled
Platform-Utilities-34 echo(busybox) Enabled
Platform-Utilities-35 fdisk(busybox) Enabled
Platform-Utilities-36 grep(busybox) Enabled
Platform-Utilities-37 mkdir(busybox) Enabled
Platform-Utilities-38 mount(vfat)(busybox) Enabled
Platform-Utilities-39 printf(busybox) Enabled
Platform-Utilities-40 sedin/bin/sed(busybox) Enabled
Platform-Utilities-41 tail(busybox) Enabled
Platform-Utilities-42 tee(busybox) Enabled
Platform-Utilities-43 test(busybox) Enabled
Domain Object Recommendations
Platform-Users-root-1
Mainapplication
Shouldnotexecuteasroot.
Platform-Users-root-2
UI Shouldruninacontextonauserwithnocapability.
Domain Utilityname State
Platform-Users-root-3 login Notallowed
Platform-Users-root-4 su Notallowed
Platform-Users-root-5 ssh Notallowed
Platform-Users-root-6 scp Notallowed
Platform-Users-root-7 sftp Notallowed
Domain Object Recommendations
Application-Installation-1
AppFw Provideoffline-modeinordertoinstallappwiththebaseimage.
Application-Installation-2
Integrity Allowtheinstallationofapplicationsonlyiftheirintegrityisgood.
IoT.Bzh Security-blueprint
Version5.0.0 88January2018
Domain Techname
Recommendations
Connectivity-BusAndConnector-Bus-1
CAN Implementhardwaresolutioninordertoprohibitsendingunwantedsignals.
Domain Techname
Recommendations
Connectivity-BusAndConnector-Connectors-1
USBMustbedisabled.Ifnot,onlyenabletheminimumrequireUSBdevices.
Connectivity-BusAndConnector-Connectors-2
USBConfidentialdataexchangedwiththeECUoverUSBmustbesecure.
Connectivity-BusAndConnector-Connectors-3
USB USBBootonaECUmustbedisable.
Connectivity-BusAndConnector-Connectors-4
OBD-II Mustbedisabledoutsidegarages.
Domain Object Recommendations
Connectivity-Wireless-1
Update Alwaysfollowthelatestupdatesofremotecommunicationchannels.
Domain Technameorobject
Recommendations
Connectivity-Wireless-Wifi-1
WEP,PSK,TKIP Disabled
Connectivity-Wireless-Wifi-2
WPA2andAES-CCMP
Used
Connectivity-Wireless-Wifi-3
WPA2 Shouldprotectdatasniffing.
Connectivity-Wireless-Wifi-4
PSK Changingregularlythepassword.
Connectivity-Wireless-Wifi-5
Device Upgradedeasilyinsoftwareorfirmwaretohavethelastsecurityupdate.
Domain Techname
Recommendations
Connectivity-Wireless-Bluetooth-1
BLE Usewithcaution.
Connectivity-Wireless-Bluetooth-2
Bluetooth Monitoring
Connectivity-Wireless-Bluetooth-3
SSP Avoidusingthe"JustWorks"associationmodel.
Connectivity-Wireless-Bluetooth-4
Visibility Configuredbydefaultasundiscoverable.Exceptwhenneeded.
Connectivity-Wireless-Bluetooth-5
Anti-scanning
Used,interalia,toslowdownbruteforceattacks.
IoT.Bzh Security-blueprint
Version5.0.0 89January2018
Domain Techname Recommendations
Connectivity-Wireless-Cellular-1 GPRS/EDGE Avoid
Connectivity-Wireless-Cellular-2 UMTS/HSPA ProtectedagainstJamming.
Domain Techname Recommendations
Connectivity-Wireless-Radio-1 RDS Onlyaudiooutputandmetaconcerningradio.
Domain Techname
Recommendations
Connectivity-Wireless-NFC-1
NFC Protectedagainstrelayandreplayattacks.
Connectivity-Wireless-NFC-2
Device Disableunneededandunapprovedservicesandprofiles.
Domain Object Recommendations
Application-Cloud-Download-1 authentication Mustimplementauthenticationprocess.
Application-Cloud-Download-2 Authorization MustimplementAuthorizationprocess.
Domain Object Recommendations
Application-Cloud-Infrastructure-1
Packet ShouldimplementaDPI.
Application-Cloud-Infrastructure-2
DoS MustimplementaDoSprotection.
Application-Cloud-Infrastructure-3
Test ShouldimplementscanningtoolslikeSATSandDAST.
Application-Cloud-Infrastructure-4
Log Shouldimplementsecuritytools(IDSandIPS).
Application-Cloud-Infrastructure-5
Appintegrity
Applicationsmustbesignedbythecodesigningauthority.
Domain Object Recommendations
Application-Cloud-Transport-1
Integrity,confidentialityandlegitimacy
ShouldimplementIPSecstandards.
Domain Object Recommendations
Update-FOTA-1 Integrity,confidentialityandlegitimacy Mustbesecure.
IoT.Bzh Security-blueprint
Version5.0.0 90January2018
Todonotes
Domain Improvement
Boot-Abstract-1 Moregenericandaddexamples(Thechainoftrust).
Domain Improvement
Boot-Abstract-1 Reviewthedefinitionofthe"bootloader".
Domain Improvement
Boot-Consoles-1 Secureloader:Noreferenceearlier?
Domain Improvement
Hypervisor-Abstract-1 CompleteHypervisorpart(jailhouse/KVM/Xen).
Domain Improvement
Kernel-MAC-1 AddMACconfignote.
Domain Improvement
Kernel-General-IndependentExec-1 Kernelor/andplatformpart?
Domain Improvement
Kernel-General-LibraryLinking-1 Keepthispart?
Domain Improvement
Platform-Services-1 SystemD?
Platform-Services-2 Securedaemon?
Domain Improvement
Platform-Users-Capabilities-1 KernelorPlatform-user?
Platform-Users-Capabilities-2 Addconfignote.
Domain Improvement
Application-Installation-1 TalkaboutAppFwofflinemode.
Domain Improvement
Application-Signature-1 Addcontent(seesecurebuildinSecuredevelopmentpart).
Domain Improvement
Application-Services-1 Addcontent(Whichservices?).
Application-Services-2 AddBinder.
Domain Improvement
IoT.Bzh Security-blueprint
Version5.0.0 91January2018
Connectivity-Abstract-1 Improveabstract.
Domain Improvement
Connectivity-Wireless-1 Addcommunicationchannels(RFID,ZigBee?).
Domain Improvement
Update-SOTA-1 Parttocomplete.
Domain Improvement
SecureDev-SecureBuild-1 Addcontent.
Domain Improvement
SecureDev-Signatures-1 Addcontent.
Domain Improvement
SecureDev-CodeAudit-1 AddCVEanalyser.
SecureDev-CodeAudit-2 OSSTMM.
IoT.Bzh Security-blueprint
Version5.0.0 92January2018