
Page 1: Table of Contents › download › public › 2018 › Security › AGL... · Introduction This document presents the different attacks that can be envisaged on a recent car in order

Table of Contents

1.1 Introduction
1.2 Revisions
1.3 Part 1 - Hardware
1.4 Part 2 - Secure Boot
1.4.1 Image
1.4.2 Communication modes
1.4.3 Consoles
1.5 Part 3 - Hypervisor
1.6 Part 4 - Kernel
1.6.1 General
1.6.2 Memory
1.6.3 Consoles
1.6.4 Debug
1.6.5 File Systems
1.7 Part 5 - Platform
1.7.1 Mandatory Access Control
1.7.2 SystemD
1.7.3 System Bus
1.7.4 System services and daemons
1.7.5 App Framework
1.7.6 Utilities
1.7.7 Users
1.8 Part 6 - Application
1.8.1 Installation
1.8.2 Privilege management
1.8.3 Signature
1.8.4 Services
1.9 Part 7 - Connectivity
1.9.1 Bus and connectors
1.9.2 Wireless
1.9.3 Cloud
1.10 Part 8 - Update (OTA)
1.10.1 FOTA
1.10.2 SOTA
1.11 Part 9 - Secure development
1.12 Annexes
1.12.1 All config notes
1.12.2 All todo notes


Introduction

This document presents the different attacks that can be envisaged on a recent car, in order to be able to create a set of tests verifying the security of Automotive Grade Linux (AGL). The more general purpose behind this document is to protect manufacturers, customers and third parties from potential financial and information loss. This document is firstly based on the existing security-blueprint.

For security to be effective, the concepts must be simple. And by default, anything that is not allowed is forbidden.

We will cover topics starting from the lowest level (Hardware) up to the highest levels (Connectivity and Application). We will move quickly over Hardware and Connectivity because they are not supported at our level: solutions to connectivity problems concern updates and secured settings, while securing the hardware is the manufacturers' responsibility.

The document is filled with tags to easily identify important points:

- The config tag quickly identifies the configurations and the recommendations to take.
- The note tag allows you to notify some additional details.
- The todo tag shows the possible improvements.

In the annexes of this document, you can find all the config and todo notes.

Hardening term

The term Hardening refers to the tools, techniques and processes required in order to reduce the attack surface on an embedded system, such as an embedded control unit (ECU) or other managed devices. The target for all hardening activities is to prevent the execution of invalid binaries on the device, and to prevent copying of security related data from the device.

AGL security overview

AGL roots are based on security concepts. Those concepts are implemented by the security framework as shown in this picture:

Acronyms and Abbreviations

The following table lists the most important terms used throughout this document.

| Acronyms or Abbreviations | Description |
|---|---|
| AGL | Automotive Grade Linux |
| ECU | Electronic Control Unit |

IoT.Bzh Security-blueprint, Version 5.0.0, January 2018 (page 4)

References

- security-blueprint. http://docs.automotivelinux.org/docs/architecture/en/dev/reference/security/01-overview.html
- [2017] kernel security. https://www.kernel.org/doc/Documentation/security/
- [2017] Systemd integration and user management. http://iot.bzh/download/public/2017/AMM-Dresden/AGL-systemd.pdf
- [2017] AGL - Application Framework Documentation. http://iot.bzh/download/public/2017/SDK/AppFw-Documentation-v3.1.pdf
- [2017] Improving Vehicle Cybersecurity. https://access.atis.org/apps/group_public/download.php/35648/ATIS-I-0000059.pdf
- [2016] AGL framework overview. http://docs.automotivelinux.org/docs/apis_services/en/dev/reference/af-main/0-introduction.html
- [2016] Secure Boot - Secure Software Updates. http://iot.bzh/download/public/2016/publications/SecureBoot-SecureSoftwareUpdates.pdf
- [2016] Linux Automotive Security. http://iot.bzh/download/public/2016/security/Linux-Automotive-Security-v10.pdf
- [2016] Automotive Security Best Practices. https://www.mcafee.com/it/resources/white-papers/wp-automotive-security.pdf
- [2016] Gattacking Bluetooth Smart Devices. http://gattack.io/whitepaper.pdf
- [2015] Comprehensive Experimental Analysis of Automotive Attack Surfaces. http://www.cs.wayne.edu/fengwei/15fa-csc6991/slides/8-CarHackingUsenixSecurity.pdf
- [2015] Security in Automotive Bus Systems. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.92.728&rep=rep1&type=pdf
- [2014] IOActive Remote Attack Surface. https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf
- [2011] A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications. https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf
- [2011] Comprehensive Experimental Analyses of Automotive Attack Surfaces. http://www.autosec.org/pubs/cars-usenixsec2011.pdf
- [2010] Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars. https://eprint.iacr.org/2010/332.pdf
- [2010] Wifi attacks WEP/WPA. https://matthieu.io/dl/wifi-attacks-wep-wpa.pdf
- [2008] SMACK. http://schaufler-ca.com/yahoo_site_admin/assets/docs/SmackWhitePaper.257153003.pdf

Document revisions

Meta Data

| Meta data | Value |
|---|---|
| Title | Security-blueprint |
| Description | This document deals with everything related to the safety of connected cars linked to the AGL project. |
| Keywords | AGL, Security, Blueprint, Iotbzh |
| Language | English |
| Published | Published January 2018 as an electronic book. |
| Updated | Fri Jan 12 2018 16:46:36 GMT+0100 (CET) |
| Collection | Open-source |

| Date | Version | Designation | Author |
|---|---|---|---|
| 7 Jul 2017 | - | sec-blueprint | Git history |
| 6 Dec 2017 | 5.0.0 | EE.rc3 release - chapters reordering and add new parts: 3, 5, 6, 8, 9 | Vincent Nieutin [Iot.bzh] |

Part 1 - Hardware

Abstract

You will find in this first part everything that concerns hardware security. The goal is to protect the system against all attacks that try to gain additional privileges by recovering and/or changing cryptographic keys in order to alter the integrity of the boot. We should also prevent hardware modifications in order to achieve this goal. We will expose below some examples of possible configurations.

Acronyms and Abbreviations

The following table lists the terms utilized within this part of the document.

| Acronyms or Abbreviations | Description |
|---|---|
| HSM | Hardware Security Module |
| NVM | Non-Volatile Memory |
| SHE | Secure Hardware Extensions |

Integrity

The board must store hardcoded cryptographic keys in order to verify, among other things, the integrity of the bootloader. Manufacturers can use HSM and SHE to enhance the security of their board.

| Domain | Object | Recommendations |
|---|---|---|
| Hardware-Integrity-1 | Bootloader | Must control bootloader integrity. |
| Hardware-Integrity-2 | Board | Must use a HSM. |
| Hardware-Integrity-3 | RTC | Must not be alterable. |

Certificates

| Domain | Object | Recommendations |
|---|---|---|
| Hardware-Certificate-1 | System | Shall allow storing dedicated certificates. |
| Hardware-Certificate-2 | ECU | The ECU must verify the certification authority hierarchy. |
| Hardware-Certificate-3 | System | Allow the modification of certificates only if the source can be authenticated by a certificate already stored or in the higher levels of the chain of trust. |

Memory

| Domain | Object | Recommendations |
|---|---|---|
| Hardware-Memory-1 | ECU | The ECU shall never expose the unencrypted key in RAM when using cryptographic keys. |
| Hardware-Memory-2 | Bootloader | Internal NVM only. |
| Hardware-Module-3 | - | HSM must be used to secure keys. |

Part 2 - Secure boot

Abstract

| Domain | Improvement |
|---|---|
| Boot-Abstract-1 | More generic and add examples (the chain of trust). |

Boot Hardening: Steps/requirements to configure the boot sequence, in order to restrict the device from executing anything other than the approved software image.

In this part, we will see a series of settings that will allow us to improve security during the boot phase. For the purposes of reference and explanation, we are providing guidance on how to configure an embedded device that runs with a 3.10.17 Linux kernel. If the integrity is not checked or if a critical error occurs, the system must boot on a very stable backup image.

Requirements: These requirements must be met even if an alternative version of the Linux kernel is chosen.

Recommendations: Detailed best practices that should be applied in order to secure a device. Although they are not currently listed as hard requirements, they may be upgraded to requirements status in the future. In addition, specific operators may change some of these recommendations into requirements based on their specific needs and objectives.

| Domain | Improvement |
|---|---|
| Boot-Abstract-1 | Review the definition of the "bootloader". |

Bootloader: The bootloader consists of the Primary bootloader residing in OTP memory, sboot, U-Boot and Secure loader residing in external flash (NAND or SPI/NOR flash memory). The CPU on power-on or reset executes the primary boot loader. The OTP primary bootloader makes the necessary initial system configuration and then loads the secondary bootloader sboot from external flash memory to RAM memory. The sboot then loads the U-Boot along with the Secure loader. U-Boot then verifies the Kernel/system image integrity, then loads the Kernel/system image before passing control to it.

Acronyms and Abbreviations

The following table lists the terms utilized within this part of the document.

| Acronyms or Abbreviations | Description |
|---|---|
| FUSE | Filesystem in UserSpacE |
| OTP | One-Time-Programmable |
| DOCSIS | Data Over Cable Service Interface Specification |

Image

Image selection

The boot process shall be uninterruptible and shall irrevocably boot the image as specified in the boot environment.

In U-Boot, set the "bootdelay" environment variable and/or define CONFIG_BOOTDELAY to -2.

| Domain | Variable / Config name | Value |
|---|---|---|
| Boot-Image-Selection-1 | CONFIG_BOOTDELAY | -2 |
| Boot-Image-Selection-2 | bootdelay | -2 |

Image authenticity

It shall not be possible to boot from an unverified image. The secure boot feature in U-Boot shall be enabled. The secure boot feature is available from U-Boot version 2013.07. To enable the secure boot feature, enable the following features:

- CONFIG_FIT: Enables support for the Flat Image Tree (FIT) uImage format.
- CONFIG_FIT_SIGNATURE: Enables signature verification of FIT images.
- CONFIG_RSA: Enables the RSA algorithm used for FIT image verification.
- CONFIG_OF_CONTROL: Enables Flattened Device Tree (FDT) configuration.
- CONFIG_OF_SEPARATE: Enables separate build of U-Boot from the device tree.
- CONFIG_DEFAULT_DEVICE_TREE: Specifies the default Device Tree used for the run-time configuration of U-Boot.

Generate the U-Boot image with the public keys to validate and load the image. It shall use RSA2048 and SHA256 for authentication.

| Domain | Config name | State |
|---|---|---|
| Boot-Image-Authenticity-1 | CONFIG_FIT | Enable |
| Boot-Image-Authenticity-2 | CONFIG_FIT_SIGNATURE | Enable |
| Boot-Image-Authenticity-3 | CONFIG_RSA | Enable |
| Boot-Image-Authenticity-4 | CONFIG_OF_CONTROL | Enable |
| Boot-Image-Authenticity-5 | CONFIG_OF_SEPARATE | Enable |
| Boot-Image-Authenticity-6 | CONFIG_DEFAULT_DEVICE_TREE | Enable |

Communication modes

Disable USB, Serial and DOCSIS Support

To disable USB support in U-Boot, the following configs shall not be defined:

- CONFIG_CMD_USB: Enables basic USB support and the usb command.
- CONFIG_USB_UHCI: Defines the low level part.
- CONFIG_USB_KEYBOARD: Enables the USB keyboard.
- CONFIG_USB_STORAGE: Enables the USB storage devices.
- CONFIG_USB_HOST_ETHER: Enables USB Ethernet adapter support.

In addition, disable unnecessary communication modes like Ethernet, Serial ports and DOCSIS in U-Boot and sboot when they are not necessary.

Linux Kernel support for USB should be compiled-out if not required. If it is needed, the Linux Kernel should be configured to only enable the minimum required USB devices. User-initiated USB filesystems should be treated with special care. Whether or not the filesystems are mounted in userspace (FUSE), restricted mount options should be observed.

| Domain | Communication modes | State |
|---|---|---|
| Boot-Communication-1 | USB | Disabled and compiled-out if not required. |
| Boot-Communication-2 | USB | Else, Kernel should be configured to only enable the minimum required USB devices and filesystems should be treated with special care. |
| Boot-Communication-3 | Ethernet | Disabled |
| Boot-Communication-4 | U-boot and sboot DOCSIS | Disabled |
| Boot-Communication-5 | Serial ports | Disabled |

| Domain | Config name | State |
|---|---|---|
| Boot-Communication-USB-1 | CONFIG_CMD_USB | Not defined |
| Boot-Communication-USB-2 | CONFIG_USB_UHCI | Not defined |
| Boot-Communication-USB-3 | CONFIG_USB_KEYBOARD | Not defined |
| Boot-Communication-USB-4 | CONFIG_USB_STORAGE | Not defined |
| Boot-Communication-USB-5 | CONFIG_USB_HOST_ETHER | Not defined |

Disable all unused Network Interfaces

Only used network interfaces should be enabled. Where possible, services should also be limited to those necessary.

| Domain | Communication modes | State |
|---|---|---|
| Boot-Communication-1 | Network interfaces | Preferably no network interface is allowed; otherwise, restrict the services to those used. |

Remove or Disable Unnecessary Services, Ports, and Devices

Restrict the services, ports and devices to those used.

| Domain | Object | Recommendations |
|---|---|---|
| Boot-Communication-1 | Services, ports and devices | Restrict the services, ports and devices to those used. |

Disable flash access

Recommendation: In U-Boot, the following flash memory commands shall be disabled:

- NAND: Support for NAND flash access, available through do_nand, has to be disabled.

| Domain | Command name | State |
|---|---|---|
| Boot-Communication-Flash-1 | do_nand | Disable |

Similarly, sboot should disable flash access support through the command line, if any.

Consoles

Disable serial console

Serial console output shall be disabled. To disable console output in U-Boot, set the following macros:

| Domain | Config name | Value |
|---|---|---|
| Boot-Consoles-Serial-1 | CONFIG_SILENT_CONSOLE | Disable |
| Boot-Consoles-Serial-2 | CONFIG_SYS_DEVICE_NULLDEV | Disable |
| Boot-Consoles-Serial-3 | CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC | Disable |

| Domain | Improvement |
|---|---|
| Boot-Consoles-1 | Secure loader: No reference earlier? |

And set the "silent" environment variable. For the Secure loader, disable the traces by not defining the below macro:

| Domain | Environment variable name | State |
|---|---|---|
| Boot-Consoles-Serial-1 | INC_DEBUG_PRINT | Not defined |

For sboot, proper configuration needs to be done to disable the serial console.

Immutable environment variables

In U-Boot, ensure the Kernel command line, boot commands, bootdelay and other environment variables are immutable. This will prevent side-loading of alternate images, by restricting the boot selection to only the image in FLASH.

The environment variables shall be part of the text region in U-Boot, as default environment variables, and not in non-volatile memory.

Remove configuration options related to non-volatile memory, such as:

| Domain | Config name | State |
|---|---|---|
| Boot-Consoles-Variables-1 | CONFIG_ENV_IS_IN_MMC | #undef |
| Boot-Consoles-Variables-2 | CONFIG_ENV_IS_IN_EEPROM | #undef |
| Boot-Consoles-Variables-3 | CONFIG_ENV_IS_IN_FLASH | #undef |
| Boot-Consoles-Variables-4 | CONFIG_ENV_IS_IN_DATAFLASH | #undef |
| Boot-Consoles-Variables-5 | CONFIG_ENV_IS_IN_FAT | #undef |
| Boot-Consoles-Variables-6 | CONFIG_ENV_IS_IN_NAND | #undef |
| Boot-Consoles-Variables-7 | CONFIG_ENV_IS_IN_NVRAM | #undef |
| Boot-Consoles-Variables-8 | CONFIG_ENV_IS_IN_ONENAND | #undef |
| Boot-Consoles-Variables-9 | CONFIG_ENV_IS_IN_SPI_FLASH | #undef |
| Boot-Consoles-Variables-10 | CONFIG_ENV_IS_IN_REMOTE | #undef |
| Boot-Consoles-Variables-11 | CONFIG_ENV_IS_IN_UBI | #undef |
| Boot-Consoles-Variables-12 | CONFIG_ENV_IS_NOWHERE | #define |

(Recommendation) Removal of memory dump commands

In U-Boot, the following commands shall be disabled to avoid memory dumps:

- md: Memory Display command.
- mm: Memory modify command - auto incrementing address.
- nm: Memory modify command - constant address.
- mw: Memory write.
- cp: Memory copy.
- mwc: Memory write cyclic.
- mdc: Memory display cyclic.
- mtest: Simple RAM read/write test.
- loopw: Infinite write loop on address range.

| Domain | Command name | State |
|---|---|---|
| Boot-Consoles-MemDump-1 | md | Disabled |
| Boot-Consoles-MemDump-2 | mm | Disabled |
| Boot-Consoles-MemDump-3 | nm | Disabled |
| Boot-Consoles-MemDump-4 | mw | Disabled |
| Boot-Consoles-MemDump-5 | cp | Disabled |
| Boot-Consoles-MemDump-6 | mwc | Disabled |
| Boot-Consoles-MemDump-7 | mdc | Disabled |
| Boot-Consoles-MemDump-8 | mtest | Disabled |
| Boot-Consoles-MemDump-9 | loopw | Disabled |

Similarly, memory dump support shall be disabled from sboot.

Part 3 - Hypervisor

Definition: "A hypervisor or virtual machine monitor (VMM) is computer software, firmware or hardware that creates and runs virtual machines".

It must include a signature verification (possibly delegated).

| Domain | Improvement |
|---|---|
| Hypervisor-Abstract-1 | Complete Hypervisor part (jailhouse / KVM / Xen). |

Native or Bare-metal hypervisors

These hypervisors run directly on the host's hardware to control the hardware and to manage guest operating systems. Those are the ones we're interested in.

Part 4 - Kernel

Abstract

System Hardening: Best practices associated with the configuration of an embedded Linux based operating system. This section includes both hardening of the kernel itself, as well as specific configurations and patches used to protect against known vulnerabilities within the build and configuration of the root filesystem.

At the Kernel level, we must ensure that no console can be launched. It could be used to change the behavior of the system or to have more information about it. Another aspect is the protection of the memory used by the Kernel.

The next sub-sections contain information on various kernel configuration options to enhance the security in the kernel (3.10.17) and also for applications compiled to take advantage of these security features. Additionally, there are also configuration options that protect from known vulnerable configuration options.

Here's a high level summary of various kernel configurations that shall be required for deployment.

General configuration

Mandatory Access Control

The Kernel should control access with labels and policy.

| Domain | Object | Recommendations |
|---|---|---|
| Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control. |

| Domain | Improvement |
|---|---|
| Kernel-MAC-1 | Add MAC config note. |

Disable kexec

This prevents someone who gets root from supplanting the kernel. This can be used as a way to bypass signed kernels.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-kexec-1 | CONFIG_KEXEC | n |

Disable kernel IP auto-configuration

It is preferable to have an IP configuration performed using a user-space tool, as these tend to have more validation. We do not want the network interface coming up until the system has come up properly.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-IPAutoConf-1 | CONFIG_IP_PNP | n |

Disable Sysctl syscall support

Enabling this will result in code being included that is hard to maintain and not well tested.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-SysCtl_SysCall-1 | CONFIG_SYSCTL_SYSCALL | n |

Disable Legacy Linux Support

There are some Kernel configs which are present only to support legacy binaries. See also the "Consoles" part in order to disable support for legacy binary formats. The uselib system call, in particular, has no valid use in any libc6 or uclibc system in recent times. This configuration is supported in Linux 3.15 and greater and thus should only be disabled for such versions.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-LegacyLinux-1 | CONFIG_USELIB | n |

Disable firmware auto-loading user mode helper

The firmware auto-loading helper, which is a utility executed by the kernel on hotplug events requiring firmware, needs to be setuid. As a result of this, the helper utility is an attractive target for attackers with control of physical ports on the device. Disabling this configuration is supported in Linux 3.9 and greater.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-FirmHelper-1 | CONFIG_FW_LOADER_USER_HELPER | n |

Enable Kernel Panic on OOPS

When fuzzing the kernel or attempting kernel exploits, attackers are likely to trigger kernel OOPSes. Setting the behavior on OOPS to PANIC can impede their progress.

This configuration is supported in Linux 3.5 and greater and thus should only be enabled for such versions.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-PanicOnOOPS-1 | CONFIG_PANIC_ON_OOPS | y |

Disable socket monitoring interface

These monitors can be used to inspect shared file descriptors on Unix Domain sockets or traffic on 'localhost' which is otherwise assumed to be confidential.

The CONFIG_PACKET_DIAG configuration is supported in Linux 3.7 and greater and thus should only be disabled for such versions.

The CONFIG_UNIX_DIAG configuration is supported in Linux 3.3 and greater and thus should only be disabled for such versions.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-SocketMon-1 | CONFIG_PACKET_DIAG | n |
| Kernel-General-SocketMon-2 | CONFIG_UNIX_DIAG | n |

Disable BPF JIT

The BPF JIT can be used to create kernel payloads from firewall table rules.

This configuration is supported in Linux 3.16 and greater and thus should only be disabled for such versions.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-BPF_JIT-1 | CONFIG_BPF_JIT | n |

Enable Enforced Module Signing

The kernel should never allow an unprivileged user the ability to load specific kernel modules, since that would provide a facility to unexpectedly extend the available attack surface.

To protect against even privileged users, systems may need to either disable module loading entirely, or provide signed modules (e.g. CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep from having root load arbitrary kernel code via the module loader interface.

This configuration is supported in Linux 3.7 and greater and thus should only be enabled for such versions.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-ModuleSigning-1 | CONFIG_MODULE_SIG_FORCE | y |

Disable all USB, PCMCIA (and other hotplug bus) drivers that aren't needed

To reduce the attack surface: the driver enumeration, probe, and operation happen in the kernel. The driver data is parsed by the kernel, so any logic bugs in these drivers can become kernel exploits.

| Domain | Object | State |
|---|---|---|
| Kernel-General-Drivers-1 | USB | Disabled |
| Kernel-General-Drivers-2 | PCMCIA | Disabled |
| Kernel-General-Drivers-3 | Other hotplug bus | Disabled |

Position Independent Executables

| Domain | Improvement |
|---|---|
| Kernel-General-IndependentExec-1 | Kernel or/and platform part? |

| Domain | Compiler and linker options | State |
|---|---|---|
| Kernel-General-IndependentExec-1 | -pie -fpic | Enable |

Produce a position independent executable on targets which support it.

Prevent Overwrite Attacks

The -z,relro linking option helps during program load: several ELF memory sections need to be written by the linker, but can be turned read-only before turning over control to the program. This prevents some Global Offset Table (GOT) overwrite attacks, or attacks on the dtors section of the ELF binary.

| Domain | Compiler and linker options | State |
|---|---|---|
| Kernel-General-OverwriteAttacks-1 | -z,relro | Enable |
| Kernel-General-OverwriteAttacks-2 | -z,now | Enable |

During program load, all dynamic symbols are resolved, allowing for the complete GOT to be marked read-only (due to -z,relro above). This prevents GOT overwrite attacks. For very large applications, this can incur some performance loss during initial load while symbols are resolved, but this shouldn't be an issue for daemons.
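To verify that a delivered binary was really linked with these options, the checker below (added here as an example; it is not the blueprint's or AGL's code) reads the ELF64 headers directly: -pie shows up as an ET_DYN object, -z,relro as a PT_GNU_RELRO program header, and -z,now as DT_BIND_NOW or the DF_BIND_NOW / DF_1_NOW flags in the dynamic section. The two images it inspects are constructed inside the block, since the page ships no binary; they are structurally valid ELF files but not runnable programs.

```python
"""Check an ELF64 little-endian image for the link-time protections in the
blueprint's tables: -pie, -z,relro and -z,now. Added example, not the
blueprint's code; the two sample images are built by hand below."""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def elf_protections(blob):
    """Return {"pie", "relro", "bind_now"} -> bool for an ELF64 LE image."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", blob, 16)
    e_phoff, = struct.unpack_from("<Q", blob, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", blob, 54)
    relro, dyn_off, dyn_size = False, None, 0
    for i in range(e_phnum):
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", blob, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True      # linker emitted a region made read-only after relocation
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", blob, off)   # Elf64_Dyn
            if d_tag == DT_NULL:
                break
            wants_now = (d_tag == DT_BIND_NOW
                         or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                         or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW))
            if wants_now:
                bind_now = True   # all symbols resolved at load, so the GOT can be sealed
    # A PIE is an ET_DYN object (a shared library reports True here too);
    # full RELRO needs both relro and bind_now.
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now}


def missing_protections(blob):
    """Names of the protections the image lacks, in table order."""
    return [name for name, ok in elf_protections(blob).items() if not ok]


def build_sample_elf(e_type, relro, dyn_flags):
    """Constructed sample: a minimal, non-executable ELF64 image carrying a
    PT_DYNAMIC segment and, optionally, a PT_GNU_RELRO segment."""
    phnum = 2 if relro else 1
    dyn_off = 64 + 56 * phnum                    # dynamic entries follow the phdrs
    dyn = struct.pack("<qQ", DT_FLAGS, dyn_flags) + struct.pack("<qQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LE, ELF v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, phnum, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0,
                        len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    return ehdr + phdrs + dyn


HARDENED = build_sample_elf(ET_DYN, relro=True, dyn_flags=DF_BIND_NOW)  # -pie -z,relro -z,now
WEAK = build_sample_elf(ET_EXEC, relro=False, dyn_flags=0)              # none of them

if __name__ == "__main__":
    for label, image in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, "missing:", missing_protections(image) or "nothing")
```

The same reader can be pointed at a real binary with `elf_protections(open(path, "rb").read())`; it does not check -fstack-protector or _FORTIFY_SOURCE, which need the symbol table rather than the headers.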


Library linking

| Domain | Improvement |
|---|---|
| Kernel-General-LibraryLinking-1 | Keep this part? |

It is recommended that dynamic linking should generally not be allowed. This will prevent the user from replacing a library with a malicious library. All libraries should be linked statically, but this is difficult to implement.

| Domain | Compiler and linker options | State |
|---|---|---|
| Kernel-General-LibraryLinking-1 | -static | Enable |

Memory

Restrict access to kernel memory

The /dev/kmem file in Linux systems is directly mapped to kernel virtual memory. This can be disastrous if an attacker gains root access, as the attacker would have direct access to kernel virtual memory.

To disable the /dev/kmem file, which is very infrequently used by applications, the following kernel option should be set in the compile-time kernel configuration:

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-RestrictAccess-1 | CONFIG_DEVKMEM | n |

In case applications in userspace need /dev/kmem support, it should be available only for authenticated applications.

Disable access to a kernel core dump

This kernel configuration disables access to a kernel core dump from user space. If enabled, it gives attackers a useful view into kernel memory.

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-CoreDump-1 | CONFIG_PROC_KCORE | n |

Disable swap

If not disabled, attackers can enable swap at runtime, add pressure to the memory subsystem and then scour the pages written to swap for useful information.

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-Swap-1 | CONFIG_SWAP | n |

Disable "Load All Symbols"

There is a /proc/kallsyms file which exposes the kernel memory space address of many kernel symbols (functions, variables, etc.). This information is useful to attackers in identifying kernel versions/configurations and in preparing payloads for the exploits of kernel space.

Both KALLSYMS_ALL and KALLSYMS shall be disabled:

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-LoadAllSymbols-1 | CONFIG_KALLSYMS | n |
| Kernel-Memory-LoadAllSymbols-2 | CONFIG_KALLSYMS_ALL | n |

Stack protection

To prevent stack-smashing, similar to the stack protector used for ELF programs in user-space, the kernel can protect its internal stacks as well.

This configuration is supported in Linux 3.11 and greater and thus should only be enabled for such versions.

This configuration also requires building the kernel with the gcc compiler 4.2 or greater.

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-Stack-1 | CONFIG_CC_STACKPROTECTOR | y |

Other defenses include things like shadow stacks.

Disable access to /dev/mem

The /dev/mem file in Linux systems is directly mapped to physical memory. This can be disastrous if an attacker gains root access, as the attacker would have direct access to physical memory through this convenient device file. It may not always be possible to disable such a file, as some applications might need such support. In that case, this device file should be available only for authenticated applications.

This configuration is supported in Linux 4.0 and greater and thus should only be disabled for such versions.

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-Access-1 | CONFIG_DEVMEM | n |

Disable cross-memory attach

Disable the process_vm_*v syscalls, which allow one process to peek/poke the virtual memory of another.

This configuration is supported in Linux 3.5 and greater and thus should only be disabled for such versions.

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-CrossMemAttach-1 | CROSS_MEMORY_ATTACH | n |

Stack Smashing Attacks

| Domain | Compiler and linker options | State |
|---|---|---|
| Kernel-Memory-StackSmashing-1 | -fstack-protector-all | Enable |

Emit extra code to check for buffer overflows, such as stack smashing attacks.

Detect Buffer Overflows

| Domain | Compiler and linker options | Value |
|---|---|---|
| Kernel-Memory-BufferOverflows-1 | -D_FORTIFY_SOURCE | 2 |

Helps detect some buffer overflow errors.

Serial

Disable serial console

The serial console should be disabled to prevent an attacker from accessing this powerful interface.

Domain | Config name | Value
Kernel-Consoles-Serial-1 | CONFIG_SERIAL_8250 | n
Kernel-Consoles-Serial-2 | CONFIG_SERIAL_8250_CONSOLE | n
Kernel-Consoles-Serial-3 | CONFIG_SERIAL_CORE | n
Kernel-Consoles-Serial-4 | CONFIG_SERIAL_CORE_CONSOLE | n

Bake-in the kernel command-line

The kernel command-line is used to control many aspects of the booting kernel, and is prone to tampering, as the parameters are passed in RAM with little to no reverse validation. To prevent this type of attack, the kernel shall be configured to ignore command line arguments, and use pre-configured (compile time) options instead.

Set the kernel command line in the CONFIG_CMDLINE KConfig item and then pass no arguments from the bootloader.

Domain | Config name | Value
Kernel-Consoles-CommandLine-1 | CONFIG_CMDLINE_BOOL | y
Kernel-Consoles-CommandLine-2 | CONFIG_CMDLINE | "insert kernel command line here"
Kernel-Consoles-CommandLine-3 | CONFIG_CMDLINE_OVERRIDE | y

It is recommended that any per-device settings (e.g. MAC addresses, serial numbers, etc.) be stored in and accessed from read-only memory (or files), and that any such parameters be verified (signature checking) prior to their use.

Disable KGDB

The Linux kernel supports KGDB over USB and console ports. These mechanisms are controlled by the kgdbdbgp and kgdboc kernel command-line parameters. It is important to ensure that no shipping product contains a kernel with KGDB compiled-in.

Domain | Config name | Value
Kernel-Consoles-KDBG-1 | CONFIG_KGDB | n

Disable magic sysrq support

On a few architectures, you can access a powerful debugger interface from the keyboard. The same powerful interface can be present on the serial console (responding to serial break) of Linux on other architectures. Disable it to avoid potentially exposing this powerful backdoor.

Domain | Config name | Value
Kernel-Consoles-SysRQ-1 | CONFIG_MAGIC_SYSRQ | n

Disable support for binary formats other than ELF

This option makes it possible to plug wrapper-driven binary formats into the kernel. It enables support for binary formats other than ELF. Providing the ability to use alternate interpreters would assist an attacker in discovering attack vectors.

Domain | Config name | Value
Kernel-Consoles-BinaryFormat-1 | CONFIG_BINFMT_MISC | n


Debug

No debuggers shall be present on the file system. This includes, but is not limited to, the GNU Debugger client/server (commonly known by their short form names, the gdb and gdbserver executable binaries respectively), the LLDB next generation debugger or the TCF (Target Communications Framework) agnostic framework. Including these binaries as part of the file system will facilitate an attacker's ability to reverse engineer and debug (either locally or remotely) any process that is currently executing on the device.

Kernel debug symbols

Debug symbols should always be removed from production kernels as they provide a lot of information to attackers.

Domain | Config name | Value
Kernel-Debug-Symbols-1 | CONFIG_DEBUG_INFO | n

These kernel debug symbols are enabled by other config items in the kernel. Care should be taken to disable those also. If CONFIG_DEBUG_INFO cannot be disabled, then enabling CONFIG_DEBUG_INFO_REDUCED is second best.

Disable Kprobes

Kprobes enables you to dynamically break into any kernel routine and collect debugging and performance information non-disruptively. You can trap at almost any kernel code address, specifying a handler routine to be invoked when the breakpoint is hit.

Domain | Config name | Value
Kernel-Debug-Kprobes-1 | CONFIG_KPROBES | n

Disable Tracing

FTrace enables the kernel to trace every kernel function. Providing kernel trace functionality would assist an attacker in discovering attack vectors.

Domain | Config name | Value
Kernel-Debug-Tracing-1 | CONFIG_FTRACE | n


Disable Profiling

Profiling and OProfile enable profiling of the whole system, including the kernel, kernel modules, libraries, and applications. Providing profiling functionality would assist an attacker in discovering attack vectors.

Domain | Config name | Value
Kernel-Debug-Profiling-1 | CONFIG_OPROFILE | n
Kernel-Debug-Profiling-2 | CONFIG_PROFILING | n

Disable OOPS print on BUG()

The output from OOPS print can be helpful in Return Oriented Programming (ROP) when trying to determine the effectiveness of an exploit.

Domain | Config name | Value
Kernel-Debug-OOPSOnBUG-1 | CONFIG_DEBUG_BUGVERBOSE | n

Disable Kernel Debugging

There are development-only branches of code in the kernel enabled by the DEBUG_KERNEL conf. This should be disabled to compile-out these branches.

Domain | Config name | Value
Kernel-Debug-Dev-1 | CONFIG_DEBUG_KERNEL | n
Kernel-Debug-Dev-2 | CONFIG_EMBEDDED | n

In some kernel versions, disabling this requires also disabling CONFIG_EMBEDDED and CONFIG_EXPERT. Disabling CONFIG_EXPERT makes it impossible to disable COREDUMP, DEBUG_BUGVERBOSE, NAMESPACES, KALLSYMS and BUG. In that case it is better to leave this enabled than to enable the others.


Disable the kernel debug filesystem

The kernel debug filesystem presents a lot of useful information and means of manipulation of the kernel to an attacker.

Domain | Config name | Value
Kernel-Debug-FileSystem-1 | CONFIG_DEBUG_FS | n

Disable BUG() support

The kernel will display backtrace and register information for BUGs and WARNs in kernel space, making it easier for attackers to develop exploits.

Domain | Config name | Value
Kernel-Debug-BUG-1 | CONFIG_BUG | n

Disable core dumps

Core dumps provide a lot of debug information for hackers, so disabling core dumps is recommended in production builds.

This configuration is supported in Linux 3.7 and greater and thus should only be disabled for such versions.

Domain | Config name | Value
Kernel-Debug-CoreDumps-1 | CONFIG_COREDUMP | n


Kernel Address Display Restriction

When attackers try to develop "run anywhere" exploits for kernel vulnerabilities, they frequently need to know the location of internal kernel structures. By treating kernel addresses as sensitive information, those locations are not visible to regular local users.

/proc/sys/kernel/kptr_restrict is set to "1" to block the reporting of known kernel address leaks.

Domain | File name | Value
Kernel-Debug-AdressDisplay-1 | /proc/sys/kernel/kptr_restrict | 1

Additionally, various files and directories should be readable only by the root user: /boot/vmlinuz*, /boot/System.map*, /sys/kernel/debug/, /proc/slabinfo

Domain | File or Directory name | State
Kernel-Debug-AdressDisplay-1 | /boot/vmlinuz* | Readable only for root user
Kernel-Debug-AdressDisplay-2 | /boot/System.map* | Readable only for root user
Kernel-Debug-AdressDisplay-3 | /sys/kernel/debug/ | Readable only for root user
Kernel-Debug-AdressDisplay-4 | /proc/slabinfo | Readable only for root user

DMESG Restrictions

When attackers try to develop "run anywhere" exploits for vulnerabilities, they frequently will use dmesg output. By treating dmesg output as sensitive information, this output is not available to the attacker.

/proc/sys/kernel/dmesg_restrict can be set to "1" to treat dmesg output as sensitive.

Domain | File name | Value
Kernel-Debug-DMESG-1 | /proc/sys/kernel/dmesg_restrict | 1

Enable the compiler and linker options listed under Stack Smashing Attacks and Detect Buffer Overflows above when building user-space applications, to avoid stack smashing and buffer overflow attacks.


Disable /proc/config.gz

It is extremely important not to expose the kernel configuration used on a production device to a potential attacker. With access to the kernel config, it could be possible for an attacker to build a custom kernel for the device that may disable critical security features.

Domain | Config name | Value
Kernel-Debug-Config-1 | CONFIG_IKCONFIG | n


File System

Disable all file systems not needed

To reduce the attack surface, disable every file system that is not needed: file system data is parsed by the kernel, so any logic bugs in file system drivers can become kernel exploits.

Disable NFS file system

NFS file systems are useful during development phases, but they can be a very helpful way for an attacker to get files when you are in production mode, so we must disable them.

Domain | Config name | Value
Kernel-FileSystems-NFS-1 | CONFIG_NFSD | n
Kernel-FileSystems-NFS-2 | CONFIG_NFS_FS | n
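The CONFIG_* expectations from the Memory, Consoles, Debug and File System tables above can be checked mechanically against a kernel .config. The following audit script is an added example, not part of the blueprint or of AGL; it reads a plain .config or a /proc/config.gz, treats absent symbols as "n" (as Kconfig does), and encodes the two caveats given in the text (CONFIG_DEBUG_INFO_REDUCED as second best, and a baked-in CONFIG_CMDLINE that must not be empty or still hold the placeholder). The sample .config at the bottom is constructed.

```python
"""Audit a kernel .config against the CONFIG_* values tabulated in this part.

Added example, not part of the AGL security blueprint. The expected values
below are copied from the tables above; the sample .config is constructed."""
import gzip
import re
from typing import Dict, List, Tuple

# "n" means the symbol must be absent or "# CONFIG_X is not set"; "y" means set.
EXPECTED: Dict[str, str] = {
    "CONFIG_CC_STACKPROTECTOR": "y",
    "CONFIG_DEVMEM": "n",
    "CONFIG_CROSS_MEMORY_ATTACH": "n",  # tabulated above without the CONFIG_ prefix
    "CONFIG_SERIAL_8250": "n",
    "CONFIG_SERIAL_8250_CONSOLE": "n",
    "CONFIG_SERIAL_CORE": "n",
    "CONFIG_SERIAL_CORE_CONSOLE": "n",
    "CONFIG_CMDLINE_BOOL": "y",
    "CONFIG_CMDLINE_OVERRIDE": "y",
    "CONFIG_KGDB": "n",
    "CONFIG_MAGIC_SYSRQ": "n",
    "CONFIG_BINFMT_MISC": "n",
    "CONFIG_DEBUG_INFO": "n",
    "CONFIG_KPROBES": "n",
    "CONFIG_FTRACE": "n",
    "CONFIG_OPROFILE": "n",
    "CONFIG_PROFILING": "n",
    "CONFIG_DEBUG_BUGVERBOSE": "n",
    "CONFIG_DEBUG_KERNEL": "n",
    "CONFIG_EMBEDDED": "n",
    "CONFIG_DEBUG_FS": "n",
    "CONFIG_BUG": "n",
    "CONFIG_COREDUMP": "n",
    "CONFIG_IKCONFIG": "n",
    "CONFIG_NFSD": "n",
    "CONFIG_NFS_FS": "n",
}
CMDLINE_PLACEHOLDER = "insert kernel command line here"  # placeholder used in the table above

SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
NOT_SET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_config(text: str) -> Dict[str, str]:
    """Map every CONFIG_* symbol to its value; 'is not set' lines map to 'n'."""
    symbols: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            symbols[m.group(1)] = m.group(2)
            continue
        m = NOT_SET_RE.match(line)
        if m:
            symbols[m.group(1)] = "n"
    return symbols


def read_config(path: str) -> Dict[str, str]:
    """Read a plain .config or a gzip-compressed one such as /proc/config.gz."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return parse_config(fh.read())


Finding = Tuple[str, str, str, str]  # (symbol, expected, actual, severity)


def audit(symbols: Dict[str, str]) -> List[Finding]:
    """Return one finding per deviation from EXPECTED.

    A symbol missing from the file counts as 'n', as Kconfig treats it. 'm'
    is a deviation from 'n': the code still ships as a loadable module. Two
    caveats from the text are encoded: CONFIG_DEBUG_INFO=y is only a warning
    when CONFIG_DEBUG_INFO_REDUCED=y, and a baked-in command line must not be
    empty or still hold the placeholder from the table.
    """
    findings: List[Finding] = []
    for symbol, expected in EXPECTED.items():
        actual = symbols.get(symbol, "n")
        if actual == expected:
            continue
        severity = "fail"
        if symbol == "CONFIG_DEBUG_INFO" and symbols.get("CONFIG_DEBUG_INFO_REDUCED") == "y":
            severity = "warn"
        findings.append((symbol, expected, actual, severity))
    if symbols.get("CONFIG_CMDLINE_BOOL") == "y":
        cmdline = symbols.get("CONFIG_CMDLINE", "").strip('"').strip()
        if not cmdline or cmdline == CMDLINE_PLACEHOLDER:
            findings.append(("CONFIG_CMDLINE", "a real command line", cmdline or "<empty>", "fail"))
    return findings


# Constructed sample .config, not taken from any AGL build.
SAMPLE_CONFIG = """\
CONFIG_CC_STACKPROTECTOR=y
# CONFIG_DEVMEM is not set
CONFIG_CROSS_MEMORY_ATTACH=y
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="root=/dev/mmcblk0p2 ro quiet"
CONFIG_CMDLINE_OVERRIDE=y
CONFIG_KGDB=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_INFO_REDUCED=y
# CONFIG_NFSD is not set
CONFIG_NFS_FS=m
"""

if __name__ == "__main__":
    import sys
    symbols = read_config(sys.argv[1]) if len(sys.argv) > 1 else parse_config(SAMPLE_CONFIG)
    for symbol, expected, actual, severity in audit(symbols):
        print(f"{severity.upper():4} {symbol}: expected {expected}, found {actual}")
```

Run it with the path to a build's .config (or /proc/config.gz on a development board) to get one line per deviation; with no argument it audits the constructed sample.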


Partition Mount Options

There are several security restrictions that can be set on a file system when it is mounted. Some common security options include, but are not limited to:

nosuid - Do not allow set-user-identifier or set-group-identifier bits to take effect.
nodev - Do not interpret character or block special devices on the file system.
noexec - Do not allow execution of any binaries on the mounted file system.
ro - Mount file system as read-only.

The following flags shall be used for mounting common file systems:

Domain | Partition | Value
Kernel-FileSystems-Mount-1 | /boot | nosuid, nodev and noexec.
Kernel-FileSystems-Mount-2 | /var & /tmp | In /etc/fstab or vfstab, add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-3 | Non-root local | If type is ext2 or ext3 and mount point is not '/', add nodev.
Kernel-FileSystems-Mount-4 | Removable storage | Add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-5 | Temporary storage | Add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-6 | /dev/shm | Add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-7 | /dev | Add nosuid and noexec.

If CONFIG_DEVTMPFS_MOUNT is set, then the kernel will mount /dev and will not apply the nosuid, noexec options. Either disable CONFIG_DEVTMPFS_MOUNT or add a remount with noexec and nosuid options to system startup.

Domain | Config name | State or Value
Kernel-FileSystems-Mount-1 | CONFIG_DEVTMPFS_MOUNT | Disabled, or add remount with noexec and nosuid to system startup.
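The mount-option table above can be verified on a running system by reading /proc/mounts. The checker below is an added example, not the blueprint's or AGL's code: the fixed per-mount-point rules and the ext2/ext3 rule come from the table, while treating every tmpfs as "temporary storage" and every vfat mount as "removable storage" is an assumption made here; the /proc/mounts lines are constructed, and the devtmpfs line shows what a kernel with CONFIG_DEVTMPFS_MOUNT produces before any remount.

```python
"""Check mounted file systems against the mount-option table above.

Added example, not from the AGL security blueprint. FIXED and LOCAL_NODEV
follow the table; TEMPORARY_OR_REMOVABLE is an assumption (tmpfs = temporary
storage, vfat = removable storage); SAMPLE_MOUNTS is constructed."""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

FULL = frozenset({"nosuid", "nodev", "noexec"})
FIXED: Dict[str, frozenset] = {
    "/boot": FULL,
    "/var": FULL,
    "/tmp": FULL,
    "/dev/shm": FULL,
    "/dev": frozenset({"nosuid", "noexec"}),
}
TEMPORARY_OR_REMOVABLE = {"tmpfs", "vfat"}  # assumption, see lead-in
LOCAL_NODEV = {"ext2", "ext3"}              # "Non-root local" rule of the table


class Mount(NamedTuple):
    source: str
    target: str
    fstype: str
    options: Set[str]


def unescape(field: str) -> str:
    """/proc/mounts encodes space, tab, newline and backslash as octal \\040 etc."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> List[Mount]:
    """Parse lines in /proc/mounts (or fstab) format: source target type options ..."""
    mounts: List[Mount] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("#"):
            continue
        mounts.append(Mount(unescape(parts[0]), unescape(parts[1]), parts[2],
                            set(parts[3].split(","))))
    return mounts


def required_options(m: Mount) -> frozenset:
    """Options the table demands for this mount; empty when it says nothing."""
    if m.target in FIXED:
        return FIXED[m.target]
    if m.fstype in TEMPORARY_OR_REMOVABLE:
        return FULL
    if m.fstype in LOCAL_NODEV and m.target != "/":
        return frozenset({"nodev"})
    return frozenset()


def audit_mounts(mounts: List[Mount]) -> List[Tuple[str, Set[str]]]:
    """Return (mount point, missing options) for every non-compliant mount."""
    findings = []
    for m in mounts:
        missing = set(required_options(m)) - m.options
        if missing:
            findings.append((m.target, missing))
    return findings


def remount_command(target: str, missing: Set[str]) -> str:
    """The remount the text suggests for a kernel-mounted /dev, generalised."""
    return f"mount -o remount,{','.join(sorted(missing))} {target}"


# Constructed /proc/mounts excerpt; the devtmpfs line is what a kernel
# with CONFIG_DEVTMPFS_MOUNT produces before any remount.
SAMPLE_MOUNTS = """\
/dev/mmcblk0p2 / ext4 ro,relatime 0 0
/dev/mmcblk0p1 /boot ext2 rw,relatime 0 0
devtmpfs /dev devtmpfs rw,relatime,size=1024k,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/mmcblk0p3 /var ext3 rw,nosuid,nodev,noexec 0 0
/dev/mmcblk0p4 /data ext3 rw,relatime 0 0
/dev/sda1 /media/usb\\040stick vfat rw,nosuid,nodev,noexec 0 0
"""

if __name__ == "__main__":
    for target, missing in audit_mounts(parse_mounts(SAMPLE_MOUNTS)):
        print(f"{target}: missing {sorted(missing)} -> {remount_command(target, missing)}")
```

On a target, feed it the contents of /proc/mounts instead of the sample; each finding names the mount point, the missing flags and the remount that would fix it at startup.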


Part 5 - Platform

Abstract

This part focuses on the AGL platform, including all tools and techniques used to upgrade the security and downgrade the danger. It must be possible to apply the two fundamental principles written at the very beginning of the document. First of all, security management must remain simple. You must also prohibit everything by default, and then define a set of authorization rules. As cases to deal with, we must:

Implement a MAC for processes and files.
Limit communication between applications (System Bus and SystemD part).
Prohibit all tools used during development mode (Utilities and Services part).
Manage user capabilities (Users part).
Manage application permissions and policies (AGL Fw part).

The tools and concepts used to meet these needs are only examples. Any other tool that meets the need can be used.

In AGL, as in many other embedded systems, different security mechanisms settle in the core layers to ensure isolation and data privacy. While the Mandatory Access Control layer (SMACK) provides global security and isolation, other mechanisms like Cynara are required to check an application's permissions at runtime. Applicative permissions (also called "privileges") may vary depending on the user and the application being run: an application should have access to a given service only if it is run by the proper user and if the appropriate permissions are granted.


Acronyms and Abbreviations

The following table lists the terms utilized within this part of the document.

Acronyms or Abbreviations | Description
ACL | Access Control Lists
alsa | Advanced Linux Sound Architecture
API | Application Programming Interface
AppFw | Application Framework
Cap | Capabilities
DAC | Discretionary Access Control
DDOS | Distributed Denial Of Service
DOS | Denial Of Service
IPC | Inter-Process Communication
MAC | Mandatory Access Control
PAM | Pluggable Authentication Modules
SMACK | Simplified Mandatory Access Control Kernel


Mandatory Access Control

We decided to put the MAC protection in the platform part despite the fact that it applies to the kernel too, since its use will be mainly at the platform level (except for the floor part).

Mandatory Access Control (MAC) is a protection provided by the Linux kernel that requires a Linux Security Module (LSM). AGL uses an LSM called Simplified Mandatory Access Control Kernel (SMACK). This protection involves the creation of SMACK labels, which are stored in the extended attributes of files, and of a policy that defines the behaviour of each label.

The kernel access control is based on these labels and this policy. If there is no rule, no access will be granted and, as a consequence, what is not explicitly authorized is forbidden.

There are two types of SMACK labels:

Execution SMACK (attached to the process): Defines how files are accessed and created by that process.
File Access SMACK (written to the extended attribute of the file): Defines which process can access the file.

By default a process executes with its File Access SMACK label unless an Execution SMACK label is defined.

AGL's SMACK scheme is based on the Tizen 3 Q2/2015 scheme. It divides the system into the following domains:

Floor.
System.
Applications, Services and User.

See AGL security framework review and Smack White Paper for more information.


Floor

The floor domain includes the base system services and any associated data and libraries. This data remains unchanged at runtime. Writing to floor files or directories is allowed only in development mode or during software installation or upgrade.

The following table details the floor domain:

Label | Name | Execution SMACK | File Access SMACK
_ | Floor | r-x for all | Only kernel and internal kernel threads.
^ | Hat | --- for all | rx on all domains.
* | Star | rwx for all | None

The Hat label is only for privileged system services (currently only systemd-journal). It is useful for backup or virus scans. No file with this label should exist except in the debug log.

The Star label is used for device files or /tmp. Access restriction is managed via DAC. Individual files remain protected by their SMACK label.

Domain | Label name | Recommendations
Kernel-MAC-Floor-1 | ^ | Only for privileged system services.
Kernel-MAC-Floor-2 | * | Used for device files or /tmp. Access restriction via DAC.


System

The system domain includes a reduced set of core system services of the OS and any associated data. This data may change at runtime.

The following table details the system domain:

Label | Name | Execution SMACK | File Access SMACK
System | System | None | Privileged processes
System::Run | Run | rwxatl for User and System label | None
System::Shared | Shared | rwxatl for system domain, r-x for User label | None
System::Log | Log | rwa for System label, xa for user label | None
System::Sub | SubSystem | Subsystem Config files | SubSystem only

Domain | Label name | Recommendations
Kernel-MAC-System-1 | System | Process should write only to files with the transmute attribute.
Kernel-MAC-System-2 | System::run | Files are created with the directory label from user and system domain (transmute). Lock is implicit with w.
Kernel-MAC-System-3 | System::Shared | Files are created with the directory label from system domain (transmute). User domain has locked privilege.
Kernel-MAC-System-4 | System::Log | Some limitations may require adding w to enable append.
Kernel-MAC-System-5 | System::Sub | Isolation of risky Subsystem.


Applications, Services and User

The application, services and user domain includes code that provides services to the system and user, as well as any associated data. All code running in this domain is under Cynara control.

The following table details the application, services and user domain:

Label | Name | Execution SMACK | File Access SMACK
User::Pkg::$AppID | AppID | rwx (for files created by the App). rx for files installed by AppFw | $App runtime executing $App
User::Home | Home | rwx-t from System label, r-x-l from App | None
User::App-Shared | Shared | rwxat from System and User domains label of $User | None

Domain | Label name | Recommendations
Kernel-MAC-System-1 | User::Pkg::$AppID | Only one Label is allowed per App. A data directory is created by the AppFw in rwx mode.
Kernel-MAC-System-2 | User::Home | AppFw needs to create a directory in /home/$USER/App-Shared at first launch if not present, with label app-data; access is User::App-Shared without transmute.
Kernel-MAC-System-3 | User::App-Shared | Shared space between all Apps running for a given user.
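The Floor, System and Application tables above describe a Smack policy in prose; the model below shows how those labels and rules decide an access. It is an added example, not the kernel's code or AGL's shipped policy: the special-label rules (floor, hat, star, same label) and "write implies lock" follow the kernel's documented Smack semantics, the rule lines are constructed from the tables, and User::Pkg::demo is a placeholder $AppID label. It also shows the transmute behaviour the System::Run and User::Home recommendations rely on.

```python
"""Model Smack access decisions for the label scheme described in this part.

Added example, not the kernel's code or AGL's policy. Special-label rules
and "write implies lock" follow the documented Smack semantics; RULES is
constructed from the tables above and User::Pkg::demo is a placeholder."""
from typing import Dict, FrozenSet, Tuple

FLOOR, HAT, STAR = "_", "^", "*"
APP = "User::Pkg::demo"  # placeholder $AppID label

# Constructed rule set in the "subject object access" format of
# /etc/smack/accesses.d; dashes are ignored, as smackload does.
RULES = """\
System          System::Run    rwxatl
User::Pkg::demo System::Run    rwxatl
System          System::Log    rwa---
User::Pkg::demo System::Log    --x-a-
System          User::Home     rwx-t-
User::Pkg::demo User::Home     r-x--l
"""

Rules = Dict[Tuple[str, str], FrozenSet[str]]


def parse_rules(text: str) -> Rules:
    """Load rules into {(subject, object): set of granted access letters}."""
    rules: Rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        subject, obj, access = parts
        rules[(subject, obj)] = frozenset(access.replace("-", ""))
    return rules


def smack_allowed(rules: Rules, subject: str, obj: str, requested: str) -> bool:
    """Decide a request such as "rwx" or "a" using Smack's evaluation order."""
    req = frozenset(requested.replace("-", ""))
    if subject == STAR:                      # a star subject can access nothing
        return False
    if obj == STAR:                          # anyone can access a star object
        return True
    if subject == obj:                       # same label: any access
        return True
    if req <= {"r", "x"} or req <= {"l"}:    # read/exec (or lock) only ...
        if obj == FLOOR or subject == HAT:   # ... on floor objects, or by hat
            return True
    granted = set(rules.get((subject, obj), frozenset()))
    if "w" in granted:                       # write implies lock
        granted.add("l")
    return req <= granted                    # otherwise an explicit rule is needed


def new_file_label(rules: Rules, subject: str, dir_label: str, dir_transmute: bool) -> str:
    """Label of a file created by `subject` inside a directory labelled `dir_label`.

    The file takes the directory's label only when the directory carries the
    SMACK64TRANSMUTE attribute and the subject's rule on it includes 't';
    otherwise it gets the creating process's own label.
    """
    if dir_transmute and "t" in rules.get((subject, dir_label), frozenset()):
        return dir_label
    return subject


if __name__ == "__main__":
    rules = parse_rules(RULES)
    for subj, obj, req in [(APP, FLOOR, "rx"), (APP, FLOOR, "w"), (APP, "System::Log", "a"),
                           (APP, "System::Log", "w"), (HAT, "System::Log", "r"),
                           (STAR, FLOOR, "r"), ("System", "User::Home", "l")]:
        verdict = "allow" if smack_allowed(rules, subj, obj, req) else "deny"
        print(f"{subj:16} {obj:12} {req:3} -> {verdict}")
    print("app creating a file under System::Run (transmute dir):",
          new_file_label(rules, APP, "System::Run", True))
```

The log case is the interesting one: the app may append to System::Log but not write to it, which is exactly the limitation the Kernel-MAC-System-4 note refers to.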


SystemD

afm-system-daemon is used to:

Manage users and user sessions.
Set up applications and services (CGroups, namespaces, autostart, permissions).
Use libsystemd for its programs (event management, D-Bus interface).

Domain | Object | Recommendations
Platform-SystemD-1 | Security model | Use Namespaces for containerization.
Platform-SystemD-2 | Security model | Use CGroups to organise processes.

See systemd integration and user management for more information.

Benefits

Removal of one privileged process: afm-user-daemon
Access and use of high level features:
  Socket activation.
  Management of users and integration of PAM.
  Dependency resolution to services.
  Cgroups and resource control.
  Namespaces containerization.
  Autostart of required API.
  Permissions and security settings.
  Network management.


CGroups

Control Groups offer a lot of features; with the most useful ones you can control memory usage, how much CPU time is allocated, how much device I/O is allowed or which devices can be accessed. SystemD uses CGroups to organise processes (each service is a CGroup, and all processes started by that service use that CGroup). By default, SystemD automatically creates a hierarchy of slice, scope and service units to provide a unified structure for the CGroups tree. With the systemctl command, you can further modify this structure by creating custom slices. Currently, in AGL, there are 2 slices (user.slice and system.slice).

Namespaces

User side

There are several ways of authenticating users (Key Radio Frequency, Phone, Gesture, ...). Each authentication provides dynamic allocation of uids to authenticated users. Uids are used to ensure the privacy of users, and SMACK the privacy of applications.

First, the user initiates authentication with PAM activation. The PAM standard offers highly configurable authentication with a modular design, such as face recognition, voice identification or a password. Then users should access identity services with services and applications.


D-Bus

D-Bus is a well-known IPC (Inter-Process Communication) protocol (and daemon) that helps applications to talk to each other. The use of D-Bus is great because it allows implementing discovery and signaling.

The D-Bus session is by default addressed by the environment variable DBUS_SESSION_BUS_ADDRESS. Using systemd, the variable DBUS_SESSION_BUS_ADDRESS is automatically set for user sessions. D-Bus usage is linked to permissions.

D-Bus has already had several security issues (mostly DoS issues); it is important to protect against this type of attack so that applications keep talking to each other and the system stays more stable.

Domain | Object | Recommendations
Platform-DBus-1 | Security model | Use D-Bus as IPC.
Platform-DBus-2 | Security model | Apply D-BUS security patches: D-Bus CVE


System services and daemons

Domain | Improvement
Platform-Services-1 | SystemD?
Platform-Services-2 | Secure daemon?

Tools

connman: An internet connection manager designed to be slim and to use as few resources as possible. It is a fully modular system that can be extended, through plug-ins, to support all kinds of wired or wireless technologies.
bluez is a Bluetooth stack. Its goal is to program an implementation of the Bluetooth wireless standards specifications. In addition to the basic stack, the bluez-utils and bluez-firmware packages contain low level utilities such as dfutool, which can interrogate the Bluetooth adapter chipset in order to determine whether its firmware can be upgraded.
gstreamer is a pipeline-based multimedia framework. It can be used to build a system that reads files in one format, processes them, and exports them in another format.
alsa is a software framework and part of the Linux kernel that provides an API for sound card device drivers.

Domain | Tool name | State
Platform-Utilities-1 | connman | Used as a connection manager.
Platform-Utilities-2 | bluez | Used as a Bluetooth manager.
Platform-Utilities-3 | gstreamer | Used to manage multimedia file formats.
Platform-Utilities-4 | alsa | Used to provide an API for sound card device drivers.


Application framework/model (AppFw)

The application framework manages:

The applications and services management: Installing, Uninstalling, Listing, ...
The life cycle of applications: Start -> (Pause, Resume) -> Stop.
Events and signals propagation.
Privileges granting and checking.
API for interaction with applications.

The security model refers to the security model used to ensure security and to the tools that are provided for implementing that model. It's an implementation detail that should not impact the layers above the application framework.

The security model refers to how DAC (Discretionary Access Control), MAC (Mandatory Access Control) and Capabilities are used by the system to ensure security and privacy. It also includes features of reporting using audit features and by managing logs and alerts.

The AppFw uses the security model to ensure the security and the privacy of the applications that it manages. It must be compliant with the underlying security model, but it should hide it from the applications.

Domain | Object | Recommendations
Platform-AGLFw-AppFw-1 | Security model | Use the AppFw as Security model.

See AGL AppFw Privileges Management and AGL - Application Framework Documentation for more information.


Cynara

There's a need for another mechanism responsible for checking applicative permissions: currently in AGL, this task depends on a policy-checker service (Cynara).

Stores complex policies in databases.
"Soft" security (access is checked by the framework).
Cynara interacts with D-Bus in order to deliver this information.

Domain | Object | Recommendations
Platform-AGLFw-Cynara-1 | Permissions | Use Cynara as policy-checker service.

Policies

Policy rules:

Are simple - for a pair [application context, privilege] there is a straight answer (single Policy Type): [ALLOW / DENY / ...].
No code is executed (no script).
Can be easily cached and managed.

Application context (describes the id of the user and the application credentials). It is built of:

UID of the user that runs the application.
SMACK label of the application.

Holding policies

Policies are kept in buckets. Buckets are sets of policies which have the additional property of a default answer; the default answer is yielded if no policy matches the searched key. Buckets have names which might be used in policies (for directions).
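The policy-rule and bucket description above can be exercised with a small resolver. This is an added example, not Cynara's code: it looks up a [application context, privilege] key, where the context is the (SMACK label, UID) pair described above, in a named bucket, returns the bucket's default when nothing matches, and follows a policy that names another bucket. That the most restrictive answer wins among several matching policies is an assumption made here (it matches Cynara's ordering of DENY below ALLOW); the bucket contents, labels and privilege names are constructed.

```python
"""Resolve a Cynara-style [application context, privilege] query over buckets.

Added example, not Cynara's code. Buckets, default answers and bucket
redirections follow the description above; "most restrictive answer wins"
is an assumption; BUCKETS and the privilege names are constructed."""
from typing import Dict, FrozenSet, List, NamedTuple, Optional

ALLOW, DENY = "ALLOW", "DENY"
ANY = "*"  # wildcard for client label, user id or privilege


class Policy(NamedTuple):
    client: str       # SMACK label of the application
    user: str         # UID of the user running it
    privilege: str
    result: str       # ALLOW, DENY or "BUCKET:<name>" (a direction to another bucket)


class Bucket(NamedTuple):
    default: str      # answer yielded when no policy matches
    policies: List[Policy]


def redirect_target(result: str) -> Optional[str]:
    """Name of the bucket a policy points to, or None for a plain answer."""
    return result[len("BUCKET:"):] if result.startswith("BUCKET:") else None


def matches(policy: Policy, client: str, user: str, privilege: str) -> bool:
    """A policy field matches when it is the wildcard or equals the key field."""
    return all(p in (ANY, v) for p, v in ((policy.client, client),
                                          (policy.user, user),
                                          (policy.privilege, privilege)))


def check(buckets: Dict[str, Bucket], name: str, client: str, user: str,
          privilege: str, seen: FrozenSet[str] = frozenset()) -> str:
    """Answer ALLOW or DENY for (client, user, privilege) starting at bucket `name`."""
    if name in seen:  # a misconfigured policy database must not recurse forever
        raise ValueError(f"bucket redirect cycle through {name!r}")
    bucket = buckets[name]
    answers = []
    for policy in bucket.policies:
        if not matches(policy, client, user, privilege):
            continue
        target = redirect_target(policy.result)
        if target is None:
            answers.append(policy.result)
        else:
            answers.append(check(buckets, target, client, user, privilege, seen | {name}))
    if not answers:
        return bucket.default
    return DENY if DENY in answers else ALLOW  # most restrictive answer wins (assumption)


# Constructed buckets: "" is the entry bucket, with DENY as default so that
# anything not explicitly granted is refused, as the introduction demands.
APP, NAV = "User::Pkg::demo", "User::Pkg::nav"   # placeholder app labels
BUCKETS: Dict[str, Bucket] = {
    "": Bucket(DENY, [
        Policy(APP, ANY, "privilege:audio", ALLOW),
        Policy(APP, "1001", "privilege:audio", DENY),        # one user is opted out
        Policy(ANY, ANY, "privilege:location", "BUCKET:location"),
    ]),
    "location": Bucket(DENY, [
        Policy(NAV, ANY, "privilege:location", ALLOW),
    ]),
}

if __name__ == "__main__":
    for client, user, priv in [(APP, "1000", "privilege:audio"), (APP, "1001", "privilege:audio"),
                               (NAV, "1000", "privilege:location"), (APP, "1000", "privilege:location"),
                               (APP, "1000", "privilege:camera")]:
        print(f"{client:16} uid={user} {priv:20} -> {check(BUCKETS, '', client, user, priv)}")
```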


Utilities

busybox: Software that provides several stripped-down Unix tools in a single executable file. Of course, it will be necessary to use a "production" version of busybox in order to avoid all the tools useful only in development mode.

Domain | Tool name | State
Platform-Utilities-1 | busybox | Used to provide a number of tools. Do not compile development tools.

Functionalities to exclude in production mode

In production mode, a number of tools must be disabled to prevent an attacker from finding logs, for example. This is useful to limit the visible surface and thus complicate the fault finding process. The tools used only in development mode are marked by an 'agl-devel' feature. When building in production mode, these tools will not be compiled.

Domain | Utility name and normal path | State
Platform-Utilities-1 | chgrp in /bin/chgrp | Disabled
Platform-Utilities-2 | chmod in /bin/chmod | Disabled
Platform-Utilities-3 | chown in /bin/chown | Disabled
Platform-Utilities-4 | dmesg in /bin/dmesg | Disabled
Platform-Utilities-5 | Dnsdomainname in /bin/dnsdomainname | Disabled
Platform-Utilities-6 | dropbear, Remove "dropbear" from /etc/init.d/rcs | Disabled
Platform-Utilities-7 | Editors in (vi) /bin/vi | Disabled
Platform-Utilities-8 | find in /bin/find | Disabled
Platform-Utilities-9 | gdbserver in /bin/gdbserver | Disabled
Platform-Utilities-10 | hexdump in /bin/hexdump | Disabled
Platform-Utilities-11 | hostname in /bin/hostname | Disabled
Platform-Utilities-12 | install in /bin/install | Disabled
Platform-Utilities-13 | iostat in /bin/iostat | Disabled
Platform-Utilities-14 | killall in /bin/killall | Disabled
Platform-Utilities-15 | klogd in /sbin/klogd | Disabled
Platform-Utilities-16 | logger in /bin/logger | Disabled
Platform-Utilities-17 | lsmod in /sbin/lsmod | Disabled
Platform-Utilities-18 | pmap in /bin/pmap | Disabled
Platform-Utilities-19 | ps in /bin/ps | Disabled
Platform-Utilities-20 | ps in /bin/ps | Disabled
Platform-Utilities-21 | rpm in /bin/rpm | Disabled
Platform-Utilities-22 | SSH | Disabled
Platform-Utilities-23 | stbhotplug in /sbin/stbhotplug | Disabled
Platform-Utilities-24 | strace in /bin/trace | Disabled
Platform-Utilities-25 | su in /bin/su | Disabled
Platform-Utilities-26 | syslogd in (logger) /bin/logger | Disabled
Platform-Utilities-27 | top in /bin/top | Disabled
Platform-Utilities-28 | UART in /proc/tty/driver/ | Disabled
Platform-Utilities-29 | which in /bin/which | Disabled
Platform-Utilities-30 | who and whoami in /bin/whoami | Disabled
Platform-Utilities-31 | awk (busybox) | Enabled
Platform-Utilities-32 | cut (busybox) | Enabled
Platform-Utilities-33 | df (busybox) | Enabled
Platform-Utilities-34 | echo (busybox) | Enabled
Platform-Utilities-35 | fdisk (busybox) | Enabled
Platform-Utilities-36 | grep (busybox) | Enabled
Platform-Utilities-37 | mkdir (busybox) | Enabled
Platform-Utilities-38 | mount (vfat) (busybox) | Enabled
Platform-Utilities-39 | printf (busybox) | Enabled
Platform-Utilities-40 | sed in /bin/sed (busybox) | Enabled
Platform-Utilities-41 | tail (busybox) | Enabled
Platform-Utilities-42 | tee (busybox) | Enabled
Platform-Utilities-43 | test (busybox) | Enabled

The Enabled Unix/Linux utilities above shall be permitted as they are often used in the start-up scripts and for USB logging. If any of these utilities are not required by the device then they should be removed.


Users

The user policy can group users by function within the car. For example, we can consider a driver and his passengers. Each user is assigned to a single group to simplify the management of space security.

Root Access

The main applications, those that provide the principal functionality of the embedded device, should not execute with root identity or any capability.

If the main application is allowed to execute with any capability, then the entire system is at the mercy of the said application's good behaviour. Problems arise when an application is compromised and able to execute commands which could consistently and persistently compromise the system by implanting rogue applications.

It is suggested that the middleware and the UI should run in the context of a user with no capability, and all persistent resources should be maintained without any capability.

One way to ensure this is by implementing a server-client paradigm. Services provided by the system's drivers can be shared this way. The other advantage of this approach is that multiple applications can share the same resources at the same time.

Domain | Object | Recommendations
Platform-Users-root-1 | Main application | Should not execute as root.
Platform-Users-root-2 | UI | Should run in the context of a user with no capability.

Root access should not be allowed for the following utilities:

Domain | Utility name | State
Platform-Users-root-3 | login | Not allowed
Platform-Users-root-4 | su | Not allowed
Platform-Users-root-5 | ssh | Not allowed
Platform-Users-root-6 | scp | Not allowed
Platform-Users-root-7 | sftp | Not allowed

Root access should not be allowed for the console device. The development environment should allow users to log in with pre-created user accounts.

Switching to elevated privileges shall be allowed in the development environment via sudo.


Capabilities

Domain | Improvement
Platform-Users-Capabilities-1 | Kernel or Platform-user?
Platform-Users-Capabilities-2 | Add config note.

The goal is to restrict functionality that will not be useful in AGL. Capabilities are integrated into the LSM. Each privileged transaction is associated with a capability. These capabilities are divided into three groups:

e: Effective: This means the capability is "activated".
p: Permitted: This means the capability can be used / is allowed.
i: Inherited: The capability is kept by child/sub processes upon execve(), for example.


Part 6 - Application

Abstract

Application Hardening: Best practices to apply to the build and release of user space applications, in order to reduce the number of attack surfaces used by potential attackers.

The term of Application (App) has a very wide definition in AGL. Almost anything which is not in the core Operating System (OS) is an Application. Applications can be included in the base software package (image) or can be added at run-time.

Acronyms and Abbreviations

The following table lists the terms utilized within this part of the document.

Acronyms or Abbreviations | Description
3GPP | 3rd Generation Partnership Project
CASB | Cloud Access Security Broker
DAST | Dynamic Application Security Testing
DPI | Deep Packet Inspection
IDS | Intrusion Detection Systems
IPS | Intrusion Prevention Systems
IPSec | Internet Protocol Security
LSM | Linux Security Module
MITM | Man In The Middle
OSI | Open Systems Interconnection
SATS | Static Application Security Testing


Local

Domain | Improvement
Application-Installation-1 | Talk about AppFw offline mode.

Installation

Applications can be delivered and installed with the base image using a special offline-mode provided by the AppFw. Apps can also be installed at runtime.

During early release, default Apps are installed on the image at first boot.

Domain | Object | Recommendations
Application-Installation-1 | AppFw | Provide offline-mode in order to install app with the base image.
Application-Installation-2 | Integrity | Allow the installation of applications only if their integrity is good.


Local

Privilege Management

Application privileges are managed by Cynara and the security manager in the AppFw. For more details, please refer to the AppFw documentation in the Platform part.


App Signature

Domain | Improvement
Application-Signature-1 | Add content (see secure build in Secure development part).


Services

Domain | Improvement
Application-Services-1 | Add content (Which services?).
Application-Services-2 | Add Binder.


Part 7 - Connectivity

Abstract

This part shows different Connectivity attacks on the car.

Domain | Improvement
Connectivity-Abstract-1 | Improve abstract.


Acronyms and Abbreviations

The following table lists the terms utilized within this part of the document.

Acronyms or Abbreviations | Description
ARP | Address Resolution Protocol
BLE | Bluetooth Low Energy
CAN | Car Area Network
CCMP | Counter-Mode/CBC-Mac Protocol
EDGE | Enhanced Data Rates for GSM Evolution - Evolution of GPRS
GEA | GPRS Encryption Algorithm
GPRS | General Packet Radio Service (2,5G, 2G+)
GSM | Global System for Mobile Communications (2G)
HSPA | High Speed Packet Access (3G+)
IMEI | International Mobile Equipment Identity
LIN | Local Interconnect Network
MOST | Media Oriented System Transport
NFC | Near Field Communication
OBD | On-Board Diagnostics
PATS | Passive Anti-Theft System
PKE | Passive Keyless Entry
PSK | Phase-Shift Keying
RDS | Radio Data System
RFID | Radio Frequency Identification
RKE | Remote Keyless Entry
SDR | Software Defined Radio
SSP | Secure Simple Pairing
TKIP | Temporal Key Integrity Protocol
TPMS | Tire Pressure Monitoring System
UMTS | Universal Mobile Telecommunications System (3G)
USB | Universal Serial Bus
WEP | Wired Equivalent Privacy
WPA | Wifi Protected Access


Bus

We only speak about the CAN bus to take an example, because the different attacks on buses like FlexRay, ByteFlight, MOST and LIN use reverse engineering and the main argument to improve their security is to encrypt data packets. We just describe them a bit:

- CAN: Controller Area Network, developed in the early 1980s, is an event-triggered controller network for serial communication with data rates up to one MBit/s. CAN messages are classified by their respective identifier. CAN controllers broadcast their messages to all connected nodes and all receiving nodes decide independently if they process the message.
- FlexRay: Is a deterministic and error-tolerant high-speed bus, with a data rate up to 10 MBit/s.
- ByteFlight: Is used for safety-critical applications in motor vehicles like air-bags. ByteFlight runs at 10 Mbps over 2 or 3 wires plastic optical fibers.
- MOST: Media Oriented System Transport, is used for transmitting audio, video, voice, and control data via fiber optic cables. The speed is, for the synchronous way, up to 24 MBit/s and for the asynchronous way up to 14 MBit/s. MOST messages always include a clear sender and receiver address.
- LIN: Local Interconnect Network, is a single-wire subnetwork for low-cost, serial communication between smart sensors and actuators with typical data rates up to 20 kBit/s. It is intended to be used from the year 2001 on everywhere in a car where the bandwidth and versatility of a CAN network is not required.

Domain | Tech name | Recommendations
Connectivity-BusAndConnector-Bus-1 | CAN | Implement hardware solution in order to prohibit sending unwanted signals.

See Security in Automotive Bus Systems for more information.
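As an added example (not the blueprint's own code), the receiver-side decision described above, a node deciding from the identifier alone whether to process a frame, extended with length and timing checks; the identifier policy and the candump-style log lines are constructed.

```python
"""Receiver-side CAN frame filtering: accept only known identifiers with the
expected length and timing, as a node that "decides independently if it
processes the message" can.

Added example, not from the AGL blueprint. Input lines use the candump -l
log format "(<seconds>) <iface> <id>#<hexdata>"; the identifier policy and
the log excerpt below are constructed, not captured from a vehicle.
"""
import re

LINE = re.compile(r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)$")

# Constructed policy: identifier -> payload length and nominal period (s).
# CAN carries no sender address, so identifier, length and timing are the
# only properties a receiving node can check without changing the bus.
POLICY = {
    0x0C1: {"dlc": 8, "period": 0.010},   # a 100 Hz powertrain frame
    0x1A0: {"dlc": 4, "period": 0.100},   # a 10 Hz chassis frame
}

def parse_line(line):
    """Return (timestamp, interface, identifier, payload bytes) or None."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    ts, iface, can_id, data = m.groups()
    return float(ts), iface, int(can_id, 16), bytes.fromhex(data)

def check_frames(lines, policy=POLICY, tolerance=0.5):
    """Split frames into accepted ones and findings.

    A frame is rejected when its identifier is not in the policy, its payload
    length differs from the policy, or it arrives sooner than
    tolerance * period after the last accepted frame with the same identifier
    (the symptom of a second sender using a genuine identifier).
    """
    accepted, findings = [], []
    last_accepted = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                                   # not a frame line
        ts, _iface, can_id, data = parsed
        rule = policy.get(can_id)
        if rule is None:
            findings.append((ts, "unknown id 0x%03X" % can_id))
            continue
        if len(data) != rule["dlc"]:
            findings.append((ts, "id 0x%03X bad length %d" % (can_id, len(data))))
            continue
        prev = last_accepted.get(can_id)
        if prev is not None and ts - prev < tolerance * rule["period"]:
            findings.append((ts, "id 0x%03X too fast (%.4f s)" % (can_id, ts - prev)))
            continue
        last_accepted[can_id] = ts
        accepted.append((ts, can_id, data))
    return accepted, findings

# Constructed candump -l excerpt: the third line is an early duplicate of
# 0x0C1, 0x7DF is not in this node's policy, the last frame is too short.
SAMPLE_LOG = """\
(1516000000.000000) can0 0C1#0000000000000000
(1516000000.010000) can0 0C1#0100000000000000
(1516000000.012000) can0 0C1#FFFFFFFF00000000
(1516000000.020000) can0 0C1#0200000000000000
(1516000000.020500) can0 1A0#00000000
(1516000000.021000) can0 7DF#0201050000000000
(1516000000.030000) can0 0C1#03000000
"""

if __name__ == "__main__":
    ok, bad = check_frames(SAMPLE_LOG.splitlines())
    print("accepted %d frames" % len(ok))
    for ts, why in bad:
        print("%.6f %s" % (ts, why))
```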

Connectors

For the connectors, we suppose that they are disabled by default. For example, the USB must be disabled to avoid attacks like BadUSB. If not, configure the Kernel to only enable the minimum required USB devices. The connectors used to diagnose the car like OBD-II must be disabled outside garages.

Domain | Tech name | Recommendations
Connectivity-BusAndConnector-Connectors-1 | USB | Must be disabled. If not, only enable the minimum required USB devices.
Connectivity-BusAndConnector-Connectors-2 | USB | Confidential data exchanged with the ECU over USB must be secure.
Connectivity-BusAndConnector-Connectors-3 | USB | USB Boot on an ECU must be disabled.
Connectivity-BusAndConnector-Connectors-4 | OBD-II | Must be disabled outside garages.


Wireless

In this part, we talk about possible remote attacks on a car, according to the different areas of possible attacks. For each communication channel, we describe attacks and how to prevent them with some recommendations. The main recommendation is to always follow the latest updates of these remote communication channels.

Domain | Object | Recommendations
Connectivity-Wireless-1 | Update | Always follow the latest updates of remote communication channels.

We will see the following parts:

- Wifi
- Bluetooth
- Cellular
- Radio
- NFC

Domain | Improvement
Connectivity-Wireless-1 | Add communication channels (RFID, ZigBee?).

For existing automotive-specific means, we take examples of existing system attacks from the IOActive document (A Survey of Remote Automotive Attack Surfaces) and from the ETH document (Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars).

- Telematics
- Passive Anti-Theft System (PATS)
- Tire Pressure Monitoring System (TPMS)
- Remote Keyless Entry/Start (RKE)
- Passive Keyless Entry (PKE)


Wifi

Attacks

We can differentiate existing attacks on wifi in two categories: those on WEP and those on WPA.

WEP attacks:

- FMS: (Fluhrer, Mantin and Shamir attack) is a "Stream cipher attack on the widely used RC4 stream cipher. The attack allows an attacker to recover the key in an RC4 encrypted stream from a large number of messages in that stream."
- KoreK: "Allows the attacker to reduce the key space".
- PTW: (Pyshkin Tews Weinmann attack).
- Chopchop: Found by KoreK, "Weakness of the CRC32 checksum and the lack of replay protection."
- Fragmentation

WPA attacks:

- Beck and Tews: Exploit weakness in TKIP. "Allow the attacker to decrypt ARP packets and to inject traffic into a network, even allowing him to perform a DoS or an ARP poisoning".
- KRACK: (K)ey (R)einstallation (A)tta(ck) (jira AGL SPEC-1017).

Recommendations

- Do not use WEP, PSK and TKIP.
- Use WPA2 with CCMP.
- Should protect against data sniffing.

Domain | Tech name or object | Recommendations
Connectivity-Wireless-Wifi-1 | WEP, PSK, TKIP | Disabled
Connectivity-Wireless-Wifi-2 | WPA2 and AES-CCMP | Used
Connectivity-Wireless-Wifi-3 | WPA2 | Should protect against data sniffing.
Connectivity-Wireless-Wifi-4 | PSK | Change the password regularly.
Connectivity-Wireless-Wifi-5 | Device | Upgraded easily in software or firmware to have the latest security update.

See Wifi attacks WEP WPA and Breaking wep and wpa (Beck and Tews) for more information.
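An added example, not from the blueprint, that checks the network blocks of a wpa_supplicant configuration against Connectivity-Wireless-Wifi-1 and Wifi-2; the configuration file is constructed.

```python
"""Audit wpa_supplicant network blocks against Connectivity-Wireless-Wifi-1/2:
no WEP, no TKIP, no PSK; WPA2 (RSN) with CCMP.

Added example, not part of the AGL blueprint. proto, key_mgmt, pairwise,
group and wep_key0..3 are real wpa_supplicant.conf fields; the defaults used
when a field is absent are the ones documented in wpa_supplicant.conf, and
the sample configuration is constructed.
"""
import re

WIFI_1 = "Connectivity-Wireless-Wifi-1"   # WEP, PSK, TKIP: disabled
WIFI_2 = "Connectivity-Wireless-Wifi-2"   # WPA2 and AES-CCMP: used

# wpa_supplicant defaults when the field is not set in the network block.
DEFAULTS = {
    "proto": "WPA RSN",
    "key_mgmt": "WPA-PSK WPA-EAP",
    "pairwise": "CCMP TKIP",
    "group": "CCMP TKIP WEP104 WEP40",
}

def parse_networks(conf_text):
    """Return one dict of field -> value per network={ ... } block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf_text, re.DOTALL):
        fields = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()     # drop comments
            if "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks

def _words(fields, key):
    """The space-separated values of a field, or its wpa_supplicant default."""
    return set(fields.get(key, DEFAULTS[key]).split())

def audit_network(fields):
    """Return a list of (rule id, message) findings for one network block."""
    findings = []
    key_mgmt = _words(fields, "key_mgmt")
    if "NONE" in key_mgmt:
        if any(k.startswith("wep_key") for k in fields):
            findings.append((WIFI_1, "WEP static keys configured"))
        else:
            findings.append((WIFI_2, "open network, no WPA2 at all"))
        return findings            # the WPA-specific fields do not apply
    if "WPA-PSK" in key_mgmt:
        findings.append((WIFI_1, "pre-shared key authentication (WPA-PSK) enabled"))
    if "WPA" in _words(fields, "proto"):
        findings.append((WIFI_2, "WPA (version 1) accepted; restrict proto to RSN"))
    ciphers = _words(fields, "pairwise") | _words(fields, "group")
    if "TKIP" in ciphers:
        findings.append((WIFI_1, "TKIP accepted as pairwise or group cipher"))
    if ciphers & {"WEP40", "WEP104"}:
        findings.append((WIFI_1, "WEP accepted as group cipher"))
    if "CCMP" not in _words(fields, "pairwise"):
        findings.append((WIFI_2, "CCMP not offered as pairwise cipher"))
    return findings

def audit_config(conf_text):
    """Map each SSID to its findings; an empty list means the block passes."""
    return {n.get("ssid", "<no ssid>"): audit_network(n)
            for n in parse_networks(conf_text)}

# Constructed wpa_supplicant.conf: a WEP network, a WPA/WPA2-PSK network
# relying on defaults, and one that follows the recommendations.
SAMPLE_CONF = """
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="garage-legacy"
    key_mgmt=NONE
    wep_key0=abcde
    wep_tx_keyidx=0
}

network={
    ssid="dealer-guest"
    key_mgmt=WPA-PSK
    pairwise=CCMP TKIP
    psk="placeholder-passphrase"
}

network={
    ssid="fleet-eap"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
}
"""

if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        print(ssid, "OK" if not findings else "")
        for rule, message in findings:
            print("  %s: %s" % (rule, message))
```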


Bluetooth

Attacks

- Bluesnarfing attacks involve an attacker covertly gaining access to your Bluetooth-enabled device for the purpose of retrieving information, including addresses, calendar information or even the device's International Mobile Equipment Identity. With the IMEI, an attacker could route your incoming calls to his cell phone.
- Bluebugging is a form of Bluetooth attack often caused by a lack of awareness. Similar to bluesnarfing, bluebugging accesses and uses all phone features but is limited by the transmitting power of class 2 Bluetooth radios, normally capping its range at 10-15 meters.
- Bluejacking is the sending of unsolicited messages.
- BLE: Bluetooth Low Energy attacks.
- DoS: Drain a device's battery or temporarily paralyze the phone.

Recommendations

- Not allowing Bluetooth pairing attempts without the driver's first manually placing the vehicle in pairing mode.
- Monitoring.
- Use BLE with caution.
- For v2.1 and later devices using Secure Simple Pairing (SSP), avoid using the "Just Works" association model. The device must verify that an authenticated link key was generated during pairing.

Domain | Tech name | Recommendations
Connectivity-Wireless-Bluetooth-1 | BLE | Use with caution.
Connectivity-Wireless-Bluetooth-2 | Bluetooth | Monitoring
Connectivity-Wireless-Bluetooth-3 | SSP | Avoid using the "Just Works" association model.
Connectivity-Wireless-Bluetooth-4 | Visibility | Configured by default as undiscoverable, except when needed.
Connectivity-Wireless-Bluetooth-5 | Anti-scanning | Used, inter alia, to slow down brute force attacks.

See Low energy and the automotive transformation, Gattacking Bluetooth Smart Devices, Comprehensive Experimental Analyses of Automotive Attack Surfaces and With Low Energy comes Low Security for more information.


Cellular

Attacks

- IMSI-Catcher: Is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking location data of mobile phone users. Essentially a "fake" mobile tower acting between the target mobile phone and the service provider's real towers, it is considered a man-in-the-middle (MITM) attack.
- Lack of mutual authentication (GPRS/EDGE) and encryption with GEA0.
- Fallback from UMTS/HSPA to GPRS/EDGE (Jamming against UMTS/HSPA).
- 4G DoS attack.

Recommendations

- Check antenna legitimacy.

Domain | Tech name | Recommendations
Connectivity-Wireless-Cellular-1 | GPRS/EDGE | Avoid
Connectivity-Wireless-Cellular-2 | UMTS/HSPA | Protected against Jamming.

See A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications for more information.

Radio

Attacks

- Interception of data with low cost material (SDR with hijacked DVB-T/DAB for example).

Recommendations

- Use the Radio Data System (RDS) only to send signals for audio output and meta concerning radio.

Domain | Tech name | Recommendations
Connectivity-Wireless-Radio-1 | RDS | Only audio output and meta concerning radio.


NFC

Attacks

- MITM: Relay and replay attack.

Recommendations

- Should implement protection against relay and replay attacks (Tokens, etc.).
- Disable unneeded and unapproved services and profiles.
- NFC should use an encrypted link (secure channel). A standard key agreement protocol like Diffie-Hellman based on RSA or Elliptic Curves could be applied to establish a shared secret between two devices.
- Automotive NFC device should be certified by the NFC Forum entity: The NFC Forum Certification Mark shows that products meet global interoperability standards.
- NFC Modified Miller coding is preferred over NFC Manchester coding.

Domain | Tech name | Recommendations
Connectivity-Wireless-NFC-1 | NFC | Protected against relay and replay attacks.
Connectivity-Wireless-NFC-2 | Device | Disable unneeded and unapproved services and profiles.


Cloud

Download

- Authentication: Authentication is the security process that validates the claimed identity of a device, entity or person, relying on one or more characteristics bound to that device, entity or person.
- Authorization: Parses the network to allow access to some or all network functionality by providing rules and allowing access or denying access based on a subscriber's profile and services purchased.

Domain | Object | Recommendations
Application-Cloud-Download-1 | Authentication | Must implement authentication process.
Application-Cloud-Download-2 | Authorization | Must implement Authorization process.

Infrastructure

- Deep Packet Inspection: DPI provides techniques to analyze the payload of each packet, adding an extra layer of security. DPI can detect and neutralize attacks that would be missed by other security mechanisms.
- DoS protection, so that the Infrastructure does not become inaccessible for a period of time.
- Scanning tools such as SATS and DAST assessments perform vulnerability scans on the source code and data flows on web applications. Many of these scanning tools run different security tests that stress applications under certain attack scenarios to discover security issues.
- IDS & IPS: IDS detect and log inappropriate, incorrect, or anomalous activity. IDS can be located in the telecommunications networks and/or within the host server or computer. Telecommunications carriers build intrusion detection capability in all network connections to routers and servers, as well as offering it as a service to enterprise customers. Once IDS systems have identified an attack, IPS ensures that malicious packets are blocked before they cause any harm to backend systems and networks. IDS typically functions via one or more of three systems:
  1. Pattern matching.
  2. Anomaly detection.
  3. Protocol behavior.


Domain | Object | Recommendations
Application-Cloud-Infrastructure-1 | Packet | Should implement a DPI.
Application-Cloud-Infrastructure-2 | DoS | Must implement a DoS protection.
Application-Cloud-Infrastructure-3 | Test | Should implement scanning tools like SATS and DAST.
Application-Cloud-Infrastructure-4 | Log | Should implement security tools (IDS and IPS).
Application-Cloud-Infrastructure-5 | App integrity | Applications must be signed by the code signing authority.

Transport

For data transport, it is necessary to encrypt data end-to-end. To prevent MITM attacks, no third party should be able to interpret transported data. Another aspect is the data anonymization in order to protect against the leakage of private information on the user or any other third party.

The use of standards such as IPSec provides "private and secure communications over IP networks, through the use of cryptographic security services, is a set of protocols using algorithms to transport secure data over an IP network.". In addition, IPSec operates at the network layer of the OSI model, contrary to previous standards that operate at the application layer. This makes it application independent and means that users do not need to configure each application to IPSec standards.

IPSec provides the services below:

- Confidentiality: A service that makes it impossible to interpret data if it is not the recipient. It is the encryption function that provides this service by transforming intelligible (unencrypted) data into unintelligible (encrypted) data.
- Authentication: A service that ensures that a piece of data comes from where it is supposed to come from.
- Integrity: A service that consists in ensuring that data has not been tampered with accidentally or fraudulently.
- Replay Protection: A service that prevents attacks by re-sending a valid intercepted packet to the network for the same authorization. This service is provided by the presence of a sequence number.
- Key management: Mechanism for negotiating the length of encryption keys between two IPSec elements and exchange of these keys.

An additional means of protection would be to do the monitoring between users and the cloud, as a CASB will provide.

Domain | Object | Recommendations
Application-Cloud-Transport-1 | Integrity, confidentiality and legitimacy | Should implement IPSec standards.
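Added example (not the blueprint's own code) of the replay protection service described for IPSec above, which also covers the replay defence asked of NFC: a sequence-number sliding window in the style of RFC 4303; the arrival order fed to it is constructed.

```python
"""Replay protection with a sequence number and a sliding window, the way
IPsec ESP does it (RFC 4303, section 3.4.3).

Added example, not part of the AGL blueprint. It illustrates the replay
protection service listed for IPSec and the replay defence asked of NFC;
the packet is assumed to have been authenticated already, and the sequence
numbers below are constructed.
"""

class ReplayWindow:
    """Accept each sequence number at most once, remembering the last
    `size` numbers so that moderately reordered packets still pass."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set <=> (highest - i) was accepted

    def check_and_update(self, seq):
        """Return True and record seq if it is new and within the window."""
        if seq <= 0:
            return False          # sequence numbers start at 1
        if seq > self.highest:    # right of the window: slide it forward
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1   # everything previously seen falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False          # left of the window: too old to track
        if self.bitmap >> offset & 1:
            return False          # already accepted once: a replay
        self.bitmap |= 1 << offset
        return True

def accept_sequence(seqs, size=64):
    """Run sequence numbers through one window; return those accepted."""
    window = ReplayWindow(size)
    return [s for s in seqs if window.check_and_update(s)]

# Constructed arrival order: a duplicate (2), a late packet already seen (1),
# a jump (70), one that fell out of the window (5) and a late but new one (69).
SAMPLE_ARRIVALS = [1, 2, 2, 3, 1, 70, 5, 69]

if __name__ == "__main__":
    print(accept_sequence(SAMPLE_ARRIVALS))   # [1, 2, 3, 70, 69]
```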


Part 8 - Update (OTA)

Abstract

Updating applications and firmware is essential for the development of new features and even more to fix security bugs. However, if a malicious third party manages to divert its first use, it could alter the functioning of the system and/or applications. The security of the updates is therefore a critical point to evaluate in order to guarantee the integrity, the confidentiality and the legitimacy of the transmitted data.

Acronyms and Abbreviations

The following table lists the terms utilized within this part of the document.

Acronyms or Abbreviations | Description
FOTA | Firmware Over The Air
OTA | Over The Air
SOTA | Software Over The Air


Firmware Over The Air

The firmware update is critical since its alteration could compromise the entire system. It is therefore necessary to take appropriate protective measures. The principle of verifying chain integrity fulfills much of AGL's security. During a firmware update, it is necessary to update the different signatures to check the integrity of the system.

There is also the constraint of the update time: the system must start quickly and therefore update itself as quickly. We imagine that the FOTA is mainly used in the vehicle maintenance session (e.g. Garage). We will then use no more FOTA but a wired update. There is a limit to what can be updated wirelessly. This maintenance update could solve these problems.

Field upgrades can be achieved securely by using a Secure Loader. This loader will authenticate an incoming image (USB, Serial, Network) prior to writing it to the flash memory on the device. It should not be possible to write to flash from the bootloader (U-Boot). Note that because USB support is to be disabled within the sboot/U-Boot code, the board specific implementation of the Secure Loader will have to manage the entire USB initialization, enumeration, and read/write access to the mass storage device.

Domain | Object | Recommendations
Update-FOTA-1 | Integrity, confidentiality and legitimacy | Must be secure.

Different possible types of FOTA:

- Package-based like rpm, dpkg:
  + Simple.
  - Power-off.
  - Dependency.
- Full filesystem updates:
  + Robust.
  - Tends to be device-specific.
  - Needs rsync or similar.
- Atomic differential:
  + Robust.
  + Minimal bandwidth consumption.
  + Easily reusable.
  - Physically one filesystem (Corruption -> unbootable system).
  - No rollback logic.


Software Over The Air

SOTA is made possible by the AppFw (See Platform part). It will be possible to manage the packages in a simple way (e.g. Android like).

Domain | Improvement
Update-SOTA-1 | Part to complete.


Part 9 - Secure development

In order to save a lot of time in code auditing, developers must follow coding guidelines.

Secure build

Kernel build

Tools like:

- Code optimisation.
- Kernel Drivers test with docs.

Domain | Improvement
SecureDev-SecureBuild-1 | Add content.

App/Widget signatures

Domain | Improvement
SecureDev-Signatures-1 | Add content.

Code audit

These tools are used to check the correct implementation of functionalities and compliance with related good practices.

- Continuous Code Quality.

Domain | Improvement
SecureDev-CodeAudit-1 | Add CVE analyser.
SecureDev-CodeAudit-2 | OSSTMM.

SATS

- RATS (Maybe too old).
- FlawFinder.
- wiki list.
- Mathematical approach.


It is necessary to verify that the application code does not use functions that are deprecated and recognized as unsafe or known to cause problems.
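An added example, not part of the blueprint, of the check above in the style of RATS or FlawFinder: a scanner for calls to C functions commonly flagged as unsafe; the function list, the suggested replacements and the sample C file are this example's own.

```python
"""Flag calls to C library functions that are deprecated or unsafe, the kind
of check RATS and FlawFinder perform.

Added example, not part of the AGL blueprint. The function list, the
suggested replacements and the sample C source are this example's own.
"""
import re

# function -> reason it is reported / what to use instead
UNSAFE = {
    "gets": "unbounded read into a buffer; use fgets with the buffer size",
    "strcpy": "no destination size; use strlcpy/snprintf with the size",
    "strcat": "no destination size; use strlcat or track remaining space",
    "sprintf": "no destination size; use snprintf",
    "vsprintf": "no destination size; use vsnprintf",
    "scanf": "%s without a width is unbounded; use a width or fgets+parse",
    "system": "runs a shell on its argument; use fork/exec with a fixed argv",
    "mktemp": "name can be guessed and raced; use mkstemp",
    "tmpnam": "name can be guessed and raced; use mkstemp",
}

# A call: the bare name, optional spaces, an opening parenthesis. The word
# boundary keeps my_strcpy( or xsprintf( from matching.
CALL = re.compile(r"\b(" + "|".join(map(re.escape, UNSAFE)) + r")\s*\(")

def _blank(match):
    """Replace a comment or string with spaces, keeping its newlines so
    that the reported line numbers stay correct."""
    return re.sub(r"[^\n]", " ", match.group(0))

def sanitize(src):
    """Blank out comments and string literals: a function name inside
    them is not a call."""
    src = re.sub(r"/\*.*?\*/", _blank, src, flags=re.DOTALL)
    src = re.sub(r"//[^\n]*", _blank, src)
    src = re.sub(r'"(?:\\.|[^"\\\n])*"', _blank, src)
    return src

def scan(src, filename="<input>"):
    """Return (filename, line, function, reason) for every flagged call."""
    clean = sanitize(src)
    findings = []
    for m in CALL.finditer(clean):
        line = clean.count("\n", 0, m.start()) + 1
        findings.append((filename, line, m.group(1), UNSAFE[m.group(1)]))
    return findings

# Constructed sample; the comment and the string literal are decoys.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

/* strcpy() mentioned in a comment must not be reported */
static void copy_name(char *dst, size_t n, const char *src)
{
    snprintf(dst, n, "%s", src);   /* bounded: not reported */
}

int read_line(char *buf)
{
    return gets(buf) != NULL;      /* reported */
}

void greet(const char *who)
{
    char msg[32];
    sprintf(msg, "hello %s", who); /* reported: overflows for long names */
    puts("sprintf( inside a string literal is not a call");
}
'''

if __name__ == "__main__":
    for filename, line, func, reason in scan(SAMPLE_C, "sample.c"):
        print("%s:%d: %s(): %s" % (filename, line, func, reason))
```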

DAST

- wiki list.


Annexes

The first part summarizes all the configurations you must implement, without any explanation, since all the explanations are given as and when in the document.

The second one allows to visualize all the todo notes in order to have a global vision of the possible improvements of the document.


Config notes

Domain | Object | Recommendations
Hardware-Integrity-1 | Bootloader | Must control bootloader integrity.
Hardware-Integrity-2 | Board | Must use a HSM.
Hardware-Integrity-3 | RTC | Must not be alterable.

Domain | Object | Recommendations
Hardware-Certificate-1 | System | Shall allow storing dedicated certificates.
Hardware-Certificate-2 | ECU | The ECU must verify the certification authority hierarchy.
Hardware-Certificate-3 | System | Allow the modification of certificates only if the source can be authenticated by a certificate already stored or in the higher levels of the chain of trust.

Domain | Object | Recommendations
Hardware-Memory-1 | ECU | The ECU shall never expose the unencrypted key in RAM when using cryptographic keys.
Hardware-Memory-2 | Bootloader | Internal NVM only
Hardware-Module-3 | - | HSM must be used to secure keys.

Domain | Variable/Config name | Value
Boot-Image-Selection-1 | CONFIG_BOOTDELAY | -2
Boot-Image-Selection-2 | bootdelay | -2

Domain | Config name | State
Boot-Image-Authenticity-1 | CONFIG_FIT | Enable
Boot-Image-Authenticity-2 | CONFIG_FIT_SIGNATURE | Enable
Boot-Image-Authenticity-3 | CONFIG_RSA | Enable
Boot-Image-Authenticity-4 | CONFIG_OF_CONTROL | Enable
Boot-Image-Authenticity-5 | CONFIG_OF_SEPARATE | Enable
Boot-Image-Authenticity-6 | CONFIG_DEFAULT_DEVICE_TREE | Enable

Domain | Communication modes | State
Boot-Communication-1 | USB | Disabled and Compiled-out if not required.


Boot-Communication-2 | USB | Else, Kernel should be configured to only enable the minimum required USB devices and filesystems should be treated with special care.
Boot-Communication-3 | Ethernet | Disabled
Boot-Communication-4 | U-boot and sboot DOCSIS | Disabled
Boot-Communication-5 | Serial ports | Disabled

Domain | Config name | State
Boot-Communication-USB-1 | CONFIG_CMD_USB | Not defined
Boot-Communication-USB-2 | CONFIG_USB_UHCI | Not defined
Boot-Communication-USB-3 | CONFIG_USB_KEYBOARD | Not defined
Boot-Communication-USB-4 | CONFIG_USB_STORAGE | Not defined
Boot-Communication-USB-5 | CONFIG_USB_HOST_ETHER | Not defined

Domain | Communication modes | State
Boot-Communication-1 | Network interfaces | Preferably no network interface is allowed, otherwise, restrict the services to those used.

Domain | Object | Recommendations
Boot-Communication-1 | Services, ports and devices | Restrict the services, ports and devices to those used.

Domain | Command name | State
Boot-Communication-Flash-1 | do_nand | Disable

Domain | Config name | Value
Boot-Consoles-Serial-1 | CONFIG_SILENT_CONSOLE | Disable
Boot-Consoles-Serial-2 | CONFIG_SYS_DEVICE_NULLDEV | Disable
Boot-Consoles-Serial-3 | CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC | Disable

Domain | Environment variable name | State
Boot-Consoles-Serial-1 | INC_DEBUG_PRINT | Not defined

Domain | Config name | State
Boot-Consoles-Variables-1 | CONFIG_ENV_IS_IN_MMC | #undef
Boot-Consoles-Variables-2 | CONFIG_ENV_IS_IN_EEPROM | #undef
Boot-Consoles-Variables-3 | CONFIG_ENV_IS_IN_FLASH | #undef
Boot-Consoles-Variables-4 | CONFIG_ENV_IS_IN_DATAFLASH | #undef


Boot-Consoles-Variables-5 | CONFIG_ENV_IS_IN_FAT | #undef
Boot-Consoles-Variables-6 | CONFIG_ENV_IS_IN_NAND | #undef
Boot-Consoles-Variables-7 | CONFIG_ENV_IS_IN_NVRAM | #undef
Boot-Consoles-Variables-8 | CONFIG_ENV_IS_IN_ONENAND | #undef
Boot-Consoles-Variables-9 | CONFIG_ENV_IS_IN_SPI_FLASH | #undef
Boot-Consoles-Variables-10 | CONFIG_ENV_IS_IN_REMOTE | #undef
Boot-Consoles-Variables-11 | CONFIG_ENV_IS_IN_UBI | #undef
Boot-Consoles-Variables-12 | CONFIG_ENV_IS_NOWHERE | #define

Domain | Command name | State
Boot-Consoles-MemDump-1 | md | Disabled
Boot-Consoles-MemDump-2 | mm | Disabled
Boot-Consoles-MemDump-3 | nm | Disabled
Boot-Consoles-MemDump-4 | mw | Disabled
Boot-Consoles-MemDump-5 | cp | Disabled
Boot-Consoles-MemDump-6 | mwc | Disabled
Boot-Consoles-MemDump-7 | mdc | Disabled
Boot-Consoles-MemDump-8 | mtest | Disabled
Boot-Consoles-MemDump-9 | loopw | Disabled

Domain | Object | Recommendations
Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control.

Domain | Config name | Value
Kernel-General-kexec-1 | CONFIG_KEXEC | n

Domain | Config name | Value
Kernel-General-IPAutoConf-1 | CONFIG_IP_PNP | n

Domain | Config name | Value
Kernel-General-SysCtl_SysCall-1 | CONFIG_SYSCTL_SYSCALL | n

Domain | Config name | Value
Kernel-General-LegacyLinux-1 | CONFIG_USELIB | n

Domain | Config name | Value
Kernel-General-FirmHelper-1 | CONFIG_FW_LOADER_USER_HELPER | n

Domain | Config name | Value
Kernel-General-PanicOnOOPS-1 | CONFIG_PANIC_ON_OOPS | y

Domain | Config name | Value
Kernel-General-SocketMon-1 | CONFIG_PACKET_DIAG | n
Kernel-General-SocketMon-2 | CONFIG_UNIX_DIAG | n

Domain | Config name | Value
Kernel-General-BPF_JIT-1 | CONFIG_BPF_JIT | n

Domain | Config name | Value
Kernel-General-ModuleSigning-1 | CONFIG_MODULE_SIG_FORCE | y

Domain | Object | State
Kernel-General-Drivers-1 | USB | Disabled
Kernel-General-Drivers-2 | PCMCIA | Disabled
Kernel-General-Drivers-3 | Other hotplug bus | Disabled

Domain | Compiler and linker options | State
Kernel-General-IndependentExec-1 | -pie -fpic | Enable

Domain | Compiler and linker options | State
Kernel-General-OverwriteAttacks-1 | -z,relro | Enable
Kernel-General-OverwriteAttacks-2 | -z,now | Enable

Domain | Compiler and linker options | State
Kernel-General-LibraryLinking-1 | -static | Enable

Domain | Config name | Value
Kernel-Memory-RestrictAccess-1 | CONFIG_DEVKMEM | n

Domain | Config name | Value
Kernel-Memory-CoreDump-1 | CONFIG_PROC_KCORE | n

Domain | Config name | Value
Kernel-Memory-Swap-1 | CONFIG_SWAP | n

Domain | Config name | Value
Kernel-Memory-LoadAllSymbols-1 | CONFIG_KALLSYMS | n
Kernel-Memory-LoadAllSymbols-2 | CONFIG_KALLSYMS_ALL | n

Domain | Config name | Value
Kernel-Memory-Stack-1 | CONFIG_CC_STACKPROTECTOR | y

Other defenses include things like shadow stacks.

Domain | Config name | Value
Kernel-Memory-Access-1 | CONFIG_DEVMEM | n


Domain | Config name | Value
Kernel-Memory-CrossMemAttach-1 | CROSS_MEMORY_ATTACH | n

Domain | Compiler and linker options | State
Kernel-Memory-StackSmashing-1 | -fstack-protector-all | Enable

Domain | Compiler and linker options | Value
Kernel-Memory-BufferOverflows-1 | -D_FORTIFY_SOURCE | 2

Domain | Config name | Value
Kernel-Consoles-Serial-1 | CONFIG_SERIAL_8250 | n
Kernel-Consoles-Serial-2 | CONFIG_SERIAL_8250_CONSOLE | n
Kernel-Consoles-Serial-3 | CONFIG_SERIAL_CORE | n
Kernel-Consoles-Serial-4 | CONFIG_SERIAL_CORE_CONSOLE | n

Domain | Config name | Value
Kernel-Consoles-CommandLine-1 | CONFIG_CMDLINE_BOOL | y
Kernel-Consoles-CommandLine-2 | CONFIG_CMDLINE | "insert kernel command line here"
Kernel-Consoles-CommandLine-3 | CONFIG_CMDLINE_OVERRIDE | y

Domain | Config name | Value
Kernel-Consoles-KDBG-1 | CONFIG_KGDB | n

Domain | Config name | Value
Kernel-Consoles-SysRQ-1 | CONFIG_MAGIC_SYSRQ | n

Domain | Config name | Value
Kernel-Consoles-BinaryFormat-1 | CONFIG_BINFMT_MISC | n

Domain | Config name | Value
Kernel-Debug-Symbols-1 | CONFIG_DEBUG_INFO | n

Domain | Config name | Value
Kernel-Debug-Kprobes-1 | CONFIG_KPROBES | n

Domain | Config name | Value
Kernel-Debug-Tracing-1 | CONFIG_FTRACE | n

Domain | Config name | Value
Kernel-Debug-Profiling-1 | CONFIG_OPROFILE | n
Kernel-Debug-Profiling-2 | CONFIG_PROFILING | n

Domain | Config name | Value
Kernel-Debug-OOPSOnBUG-1 | CONFIG_DEBUG_BUGVERBOSE | n


| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-Dev-1 | CONFIG_DEBUG_KERNEL | n |
| Kernel-Debug-Dev-2 | CONFIG_EMBEDDED | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-FileSystem-1 | CONFIG_DEBUG_FS | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-BUG-1 | CONFIG_BUG | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-CoreDumps-1 | CONFIG_COREDUMP | n |

| Domain | File name | Value |
|---|---|---|
| Kernel-Debug-AdressDisplay-1 | /proc/sys/kernel/kptr_restrict | 1 |

| Domain | File or directory name | State |
|---|---|---|
| Kernel-Debug-AdressDisplay-1 | /boot/vmlinuz* | Readable only for root user |
| Kernel-Debug-AdressDisplay-2 | /boot/System.map* | Readable only for root user |
| Kernel-Debug-AdressDisplay-3 | /sys/kernel/debug/ | Readable only for root user |
| Kernel-Debug-AdressDisplay-4 | /proc/slabinfo | Readable only for root user |

| Domain | File name | Value |
|---|---|---|
| Kernel-Debug-DMESG-1 | /proc/sys/kernel/dmesg_restrict | 1 |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-Config-1 | CONFIG_IKCONFIG | n |

| Domain | Config name | Value |
|---|---|---|
| Kernel-FileSystems-NFS-1 | CONFIG_NFSD | n |
| Kernel-FileSystems-NFS-2 | CONFIG_NFS_FS | n |

| Domain | Partition | Value |
|---|---|---|
| Kernel-FileSystems-Mount-1 | /boot | nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-2 | /var & /tmp | In /etc/fstab or vfstab, add nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-3 | Non-root local | If type is ext2 or ext3 and mount point is not '/', add nodev. |
| Kernel-FileSystems-Mount-4 | Removable storage | Add nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-5 | Temporary storage | Add nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-6 | /dev/shm | Add nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-7 | /dev | Add nosuid and noexec. |

| Domain | Config name | State or Value |
|---|---|---|
| Kernel-FileSystems-Mount-1 | CONFIG_DEVTMPFS_MOUNT | Disabled, or add a remount with noexec and nosuid to system startup. |
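The Kernel-Consoles, Kernel-Debug and Kernel-FileSystems tables above are the kind of expectations a build-time audit can verify mechanically. The following Python script is an added example, not code from the blueprint or from AGL: it parses a kernel `.config`, an `/etc/fstab` and `sysctl` style `key = value` output and reports every deviation from the values the tables require. The sample inputs are constructed for the demonstration. Mount-4 (removable storage) is not checked because an fstab alone does not say which devices are removable, and the file-permission rows (vmlinuz, System.map, debugfs, slabinfo) need a real root filesystem and are left to a separate check.

```python
"""Audit a kernel .config, an fstab and sysctl settings against the
Kernel-* config notes.  Added example; not code from the blueprint."""
import re

# Expected kernel options, taken from the Kernel-Consoles/Debug/FileSystems tables.
KCONFIG_MUST_BE_N = """CONFIG_SERIAL_8250_CONSOLE CONFIG_SERIAL_CORE CONFIG_SERIAL_CORE_CONSOLE
CONFIG_KGDB CONFIG_MAGIC_SYSRQ CONFIG_BINFMT_MISC CONFIG_DEBUG_INFO CONFIG_KPROBES
CONFIG_FTRACE CONFIG_OPROFILE CONFIG_PROFILING CONFIG_DEBUG_BUGVERBOSE CONFIG_DEBUG_KERNEL
CONFIG_EMBEDDED CONFIG_DEBUG_FS CONFIG_BUG CONFIG_COREDUMP CONFIG_IKCONFIG CONFIG_NFSD
CONFIG_NFS_FS""".split()
KCONFIG_MUST_BE_Y = ["CONFIG_CMDLINE_BOOL", "CONFIG_CMDLINE_OVERRIDE"]
KCONFIG_EXPECTED = {**{o: "n" for o in KCONFIG_MUST_BE_N}, **{o: "y" for o in KCONFIG_MUST_BE_Y}}

# Mount options required per mount point (Kernel-FileSystems-Mount-1, -2, -6, -7).
MOUNT_EXPECTED = {
    "/boot": {"nosuid", "nodev", "noexec"}, "/var": {"nosuid", "nodev", "noexec"},
    "/tmp": {"nosuid", "nodev", "noexec"}, "/dev/shm": {"nosuid", "nodev", "noexec"},
    "/dev": {"nosuid", "noexec"},
}
# Kernel-Debug-AdressDisplay-1 and Kernel-Debug-DMESG-1.
SYSCTL_EXPECTED = {"kernel.kptr_restrict": "1", "kernel.dmesg_restrict": "1"}


def parse_kconfig(text):
    """Map option -> value; a '# CONFIG_X is not set' line counts as 'n'."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^# (CONFIG_\w+) is not set$", line.strip())
        if m:
            values[m.group(1)] = "n"
            continue
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line.strip())
        if m:
            values[m.group(1)] = m.group(2)
    return values


def check_kconfig(text):
    """Return sorted (option, expected, actual) triples for every mismatch."""
    actual = parse_kconfig(text)
    # An option absent from .config is disabled, which Kconfig treats like 'n'.
    return sorted((o, w, actual.get(o, "n")) for o, w in KCONFIG_EXPECTED.items()
                  if actual.get(o, "n") != w)


def parse_fstab(text):
    """Map mount point -> (fstype, set of options), skipping comments and blank lines."""
    mounts = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and not f[0].startswith("#"):
            mounts[f[1]] = (f[2], set(f[3].split(",")))
    return mounts


def check_fstab(text):
    """Return sorted (mount_point, [missing options]) for entries that fall short."""
    findings = []
    for mp, (fstype, opts) in parse_fstab(text).items():
        needed = set(MOUNT_EXPECTED.get(mp, ()))
        if fstype in ("ext2", "ext3") and mp != "/":
            needed.add("nodev")                          # Kernel-FileSystems-Mount-3
        if fstype == "tmpfs":
            needed |= {"nosuid", "nodev", "noexec"}      # Mount-5, temporary storage
        missing = needed - opts
        if missing:
            findings.append((mp, sorted(missing)))
    return sorted(findings)


def check_sysctl(text):
    """Parse 'key = value' lines (sysctl -a or sysctl.conf) and return mismatches."""
    values = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            k, v = line.split("=", 1)
            values[k.strip()] = v.strip()
    return sorted((k, w, values.get(k)) for k, w in SYSCTL_EXPECTED.items()
                  if values.get(k) != w)


# Constructed sample inputs (not taken from a real AGL image).
SAMPLE_KCONFIG = """\
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="console=ttyS0"
# CONFIG_CMDLINE_OVERRIDE is not set
CONFIG_SERIAL_8250_CONSOLE=y
# CONFIG_KGDB is not set
CONFIG_DEBUG_FS=y
"""
SAMPLE_FSTAB = """\
# <fs>         <mountpoint> <type> <opts>              <dump> <pass>
/dev/mmcblk0p1 /boot        ext3   defaults             0 2
/dev/mmcblk0p3 /var         ext4   nosuid,nodev,noexec  0 2
tmpfs          /tmp         tmpfs  nosuid,nodev         0 0
"""
SAMPLE_SYSCTL = "kernel.kptr_restrict = 0\nkernel.dmesg_restrict = 1\n"

if __name__ == "__main__":
    for name, findings in (("kconfig", check_kconfig(SAMPLE_KCONFIG)),
                           ("fstab", check_fstab(SAMPLE_FSTAB)),
                           ("sysctl", check_sysctl(SAMPLE_SYSCTL))):
        for f in findings:
            print(f"[{name}] {f}")
```

On a build host the same functions can be fed the generated `.config`, the image's `/etc/fstab` and the output of `sysctl -a` captured from the target; an empty result from all three means the listed rows hold.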

| Domain | Label name | Recommendations |
|---|---|---|
| Kernel-MAC-Floor-1 |  | Only for privileged system services. |
| Kernel-MAC-Floor-2 | * | Used for device files or /tmp. Access restriction via DAC. |

| Domain | Label name | Recommendations |
|---|---|---|
| Kernel-MAC-System-1 | System | Process should write only to files with the transmute attribute. |
| Kernel-MAC-System-2 | System::run | Files are created with the directory label from user and system domain (transmute). Lock is implicit with w. |
| Kernel-MAC-System-3 | System::Shared | Files are created with the directory label from system domain (transmute). User domain has locked privilege. |
| Kernel-MAC-System-4 | System::Log | Some limitations may require adding w to enable append. |
| Kernel-MAC-System-5 | System::Sub | Isolation of risky subsystem. |

| Domain | Label name | Recommendations |
|---|---|---|
| Kernel-MAC-System-1 | User::Pkg::$AppID | Only one label is allowed per App. A data directory is created by the AppFw in rwx mode. |
| Kernel-MAC-System-2 | User::Home | AppFw needs to create a directory in /home/$USER/App-Shared at first launch if not present, with label app-data; access is User::App-Shared without transmute. |
| Kernel-MAC-System-3 | User::App-Shared | Shared space between all Apps running for a given user. |

| Domain | Object | Recommendations |
|---|---|---|
| Platform-SystemD-1 | Security model | Use Namespaces for containerization. |
| Platform-SystemD-2 | Security model | Use CGroups to organise processes. |

| Domain | Object | Recommendations |
|---|---|---|
| Platform-DBus-1 | Security model | Use D-Bus as IPC. |
| Platform-DBus-2 | Security model | Apply D-Bus security patches: D-Bus CVE |

| Domain | Tool name | State |
|---|---|---|
| Platform-Utilities-1 | connman | Used as a connection manager. |
| Platform-Utilities-2 | bluez | Used as a Bluetooth manager. |
| Platform-Utilities-3 | gstreamer | Used to manage multimedia file formats. |
| Platform-Utilities-4 | alsa | Used to provide an API for sound card device drivers. |

| Domain | Object | Recommendations |
|---|---|---|
| Platform-AGLFw-AppFw-1 | Security model | Use the AppFw as security model. |

| Domain | Object | Recommendations |
|---|---|---|
| Platform-AGLFw-Cynara-1 | Permissions | Use Cynara as policy-checker service. |

| Domain | Tool name | State |
|---|---|---|
| Platform-Utilities-1 | busybox | Used to provide a number of tools. Do not compile development tools. |

| Domain | Utility name and normal path | State |
|---|---|---|
| Platform-Utilities-1 | chgrp in /bin/chgrp | Disabled |
| Platform-Utilities-2 | chmod in /bin/chmod | Disabled |
| Platform-Utilities-3 | chown in /bin/chown | Disabled |
| Platform-Utilities-4 | dmesg in /bin/dmesg | Disabled |
| Platform-Utilities-5 | dnsdomainname in /bin/dnsdomainname | Disabled |
| Platform-Utilities-6 | dropbear, remove "dropbear" from /etc/init.d/rcs | Disabled |
| Platform-Utilities-7 | Editors (vi) in /bin/vi | Disabled |
| Platform-Utilities-8 | find in /bin/find | Disabled |
| Platform-Utilities-9 | gdbserver in /bin/gdbserver | Disabled |
| Platform-Utilities-10 | hexdump in /bin/hexdump | Disabled |
| Platform-Utilities-11 | hostname in /bin/hostname | Disabled |
| Platform-Utilities-12 | install in /bin/install | Disabled |
| Platform-Utilities-13 | iostat in /bin/iostat | Disabled |
| Platform-Utilities-14 | killall in /bin/killall | Disabled |
| Platform-Utilities-15 | klogd in /sbin/klogd | Disabled |
| Platform-Utilities-16 | logger in /bin/logger | Disabled |
| Platform-Utilities-17 | lsmod in /sbin/lsmod | Disabled |
| Platform-Utilities-18 | pmap in /bin/pmap | Disabled |
| Platform-Utilities-19 | ps in /bin/ps | Disabled |
| Platform-Utilities-20 | ps in /bin/ps | Disabled |
| Platform-Utilities-21 | rpm in /bin/rpm | Disabled |
| Platform-Utilities-22 | SSH | Disabled |
| Platform-Utilities-23 | stbhotplug in /sbin/stbhotplug | Disabled |
| Platform-Utilities-24 | strace in /bin/trace | Disabled |
| Platform-Utilities-25 | su in /bin/su | Disabled |
| Platform-Utilities-26 | syslogd (logger) in /bin/logger | Disabled |
| Platform-Utilities-27 | top in /bin/top | Disabled |
| Platform-Utilities-28 | UART in /proc/tty/driver/ | Disabled |
| Platform-Utilities-29 | which in /bin/which | Disabled |
| Platform-Utilities-30 | who and whoami in /bin/whoami | Disabled |
| Platform-Utilities-31 | awk (busybox) | Enabled |
| Platform-Utilities-32 | cut (busybox) | Enabled |
| Platform-Utilities-33 | df (busybox) | Enabled |
| Platform-Utilities-34 | echo (busybox) | Enabled |
| Platform-Utilities-35 | fdisk (busybox) | Enabled |
| Platform-Utilities-36 | grep (busybox) | Enabled |
| Platform-Utilities-37 | mkdir (busybox) | Enabled |
| Platform-Utilities-38 | mount (vfat) (busybox) | Enabled |
| Platform-Utilities-39 | printf (busybox) | Enabled |
| Platform-Utilities-40 | sed in /bin/sed (busybox) | Enabled |
| Platform-Utilities-41 | tail (busybox) | Enabled |
| Platform-Utilities-42 | tee (busybox) | Enabled |
| Platform-Utilities-43 | test (busybox) | Enabled |

| Domain | Object | Recommendations |
|---|---|---|
| Platform-Users-root-1 | Main application | Should not execute as root. |
| Platform-Users-root-2 | UI | Should run in a context of a user with no capability. |

| Domain | Utility name | State |
|---|---|---|
| Platform-Users-root-3 | login | Not allowed |
| Platform-Users-root-4 | su | Not allowed |
| Platform-Users-root-5 | ssh | Not allowed |
| Platform-Users-root-6 | scp | Not allowed |
| Platform-Users-root-7 | sftp | Not allowed |

| Domain | Object | Recommendations |
|---|---|---|
| Application-Installation-1 | AppFw | Provide an offline mode in order to install apps with the base image. |
| Application-Installation-2 | Integrity | Allow the installation of applications only if their integrity is good. |


| Domain | Tech name | Recommendations |
|---|---|---|
| Connectivity-BusAndConnector-Bus-1 | CAN | Implement a hardware solution in order to prohibit sending unwanted signals. |

| Domain | Tech name | Recommendations |
|---|---|---|
| Connectivity-BusAndConnector-Connectors-1 | USB | Must be disabled. If not, only enable the minimum required USB devices. |
| Connectivity-BusAndConnector-Connectors-2 | USB | Confidential data exchanged with the ECU over USB must be secure. |
| Connectivity-BusAndConnector-Connectors-3 | USB | USB boot on an ECU must be disabled. |
| Connectivity-BusAndConnector-Connectors-4 | OBD-II | Must be disabled outside garages. |

| Domain | Object | Recommendations |
|---|---|---|
| Connectivity-Wireless-1 | Update | Always follow the latest updates of remote communication channels. |

| Domain | Tech name or object | Recommendations |
|---|---|---|
| Connectivity-Wireless-Wifi-1 | WEP, PSK, TKIP | Disabled |
| Connectivity-Wireless-Wifi-2 | WPA2 and AES-CCMP | Used |
| Connectivity-Wireless-Wifi-3 | WPA2 | Should protect against data sniffing. |
| Connectivity-Wireless-Wifi-4 | PSK | Change the password regularly. |
| Connectivity-Wireless-Wifi-5 | Device | Upgraded easily in software or firmware to have the latest security update. |
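The Wifi rows above translate directly into checks on the Wi-Fi client configuration. The following Python script is an added example, not code from the blueprint or from wpa_supplicant: it parses `network={...}` blocks in a wpa_supplicant configuration and reports, per SSID, which rows a block violates (WEP or open networks and TKIP for Wifi-1, WPA version 1 instead of RSN/AES-CCMP for Wifi-2, and PSK use as a reminder of Wifi-1/Wifi-4). Because wpa_supplicant fills in defaults for omitted keys (`proto`, `pairwise`, `group` and `key_mgmt`, as documented in `wpa_supplicant.conf`), the audit applies those defaults so that a block that simply omits `proto=RSN` is still flagged. The sample configuration is constructed.

```python
"""Audit wpa_supplicant network blocks against the Connectivity-Wireless-Wifi rows.
Added example; not code from the blueprint or from wpa_supplicant itself."""
import re

# Defaults wpa_supplicant applies when a key is omitted (wpa_supplicant.conf documentation).
DEFAULTS = {"proto": "WPA RSN", "pairwise": "CCMP TKIP",
            "group": "CCMP TKIP WEP104 WEP40", "key_mgmt": "WPA-PSK WPA-EAP"}


def parse_networks(text):
    """Return one {key: value} dict per network={...} block, comments stripped."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S):
        params = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                params[key.strip()] = value.strip().strip('"')
        networks.append(params)
    return networks


def _words(params, key):
    """Space-separated value list for key, falling back to wpa_supplicant's default."""
    return params.get(key, DEFAULTS.get(key, "")).split()


def audit_network(params):
    """Return the list of blueprint rows a single network block violates."""
    findings = []
    key_mgmt = _words(params, "key_mgmt")
    if "NONE" in key_mgmt or any(k.startswith("wep_key") for k in params):
        findings.append("Wifi-1: WEP or open network")
    if "WPA" in _words(params, "proto"):
        findings.append("Wifi-2: WPA (v1) allowed, only WPA2/RSN should be used")
    if "TKIP" in _words(params, "pairwise") or "TKIP" in _words(params, "group"):
        findings.append("Wifi-1/-2: TKIP allowed, only AES-CCMP should be used")
    if any(c.startswith("WEP") for c in _words(params, "group")):
        findings.append("Wifi-1: WEP group cipher allowed")
    if "WPA-PSK" in key_mgmt:
        findings.append("Wifi-1/-4: PSK in use, change the password regularly")
    return findings


def audit_config(text):
    """Map each SSID to its findings; an empty list means the block passes."""
    return {p.get("ssid", "<no ssid>"): audit_network(p) for p in parse_networks(text)}


# Constructed sample configuration (not from a real vehicle).
SAMPLE_CONF = """\
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="garage-legacy"
    key_mgmt=NONE
    wep_key0=0123456789      # WEP, forbidden by Wifi-1
}
network={
    ssid="fleet-psk"
    key_mgmt=WPA-PSK
    psk="example-passphrase"
    # proto/pairwise omitted: the defaults still allow WPA v1 and TKIP
}
network={
    ssid="fleet-eap"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    group=CCMP
    eap=TLS
}
"""

if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        print(ssid, "OK" if not findings else findings)
```

The third block shows the configuration the table asks for: RSN only, CCMP for both pairwise and group ciphers, and certificate-based EAP rather than a shared passphrase.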

| Domain | Tech name | Recommendations |
|---|---|---|
| Connectivity-Wireless-Bluetooth-1 | BLE | Use with caution. |
| Connectivity-Wireless-Bluetooth-2 | Bluetooth | Monitoring |
| Connectivity-Wireless-Bluetooth-3 | SSP | Avoid using the "Just Works" association model. |
| Connectivity-Wireless-Bluetooth-4 | Visibility | Configured by default as undiscoverable, except when needed. |
| Connectivity-Wireless-Bluetooth-5 | Anti-scanning | Used, inter alia, to slow down brute force attacks. |


| Domain | Tech name | Recommendations |
|---|---|---|
| Connectivity-Wireless-Cellular-1 | GPRS/EDGE | Avoid |
| Connectivity-Wireless-Cellular-2 | UMTS/HSPA | Protected against jamming. |

| Domain | Tech name | Recommendations |
|---|---|---|
| Connectivity-Wireless-Radio-1 | RDS | Only audio output and metadata concerning radio. |

| Domain | Tech name | Recommendations |
|---|---|---|
| Connectivity-Wireless-NFC-1 | NFC | Protected against relay and replay attacks. |
| Connectivity-Wireless-NFC-2 | Device | Disable unneeded and unapproved services and profiles. |

| Domain | Object | Recommendations |
|---|---|---|
| Application-Cloud-Download-1 | Authentication | Must implement an authentication process. |
| Application-Cloud-Download-2 | Authorization | Must implement an authorization process. |

| Domain | Object | Recommendations |
|---|---|---|
| Application-Cloud-Infrastructure-1 | Packet | Should implement DPI. |
| Application-Cloud-Infrastructure-2 | DoS | Must implement DoS protection. |
| Application-Cloud-Infrastructure-3 | Test | Should implement scanning tools like SAST and DAST. |
| Application-Cloud-Infrastructure-4 | Log | Should implement security tools (IDS and IPS). |
| Application-Cloud-Infrastructure-5 | App integrity | Applications must be signed by the code signing authority. |

| Domain | Object | Recommendations |
|---|---|---|
| Application-Cloud-Transport-1 | Integrity, confidentiality and legitimacy | Should implement IPSec standards. |

| Domain | Object | Recommendations |
|---|---|---|
| Update-FOTA-1 | Integrity, confidentiality and legitimacy | Must be secure. |


Todo notes

| Domain | Improvement |
|---|---|
| Boot-Abstract-1 | More generic and add examples (the chain of trust). |

| Domain | Improvement |
|---|---|
| Boot-Abstract-1 | Review the definition of the "bootloader". |

| Domain | Improvement |
|---|---|
| Boot-Consoles-1 | Secure loader: no reference earlier? |

| Domain | Improvement |
|---|---|
| Hypervisor-Abstract-1 | Complete Hypervisor part (jailhouse / KVM / Xen). |

| Domain | Improvement |
|---|---|
| Kernel-MAC-1 | Add MAC config note. |

| Domain | Improvement |
|---|---|
| Kernel-General-IndependentExec-1 | Kernel or/and platform part? |

| Domain | Improvement |
|---|---|
| Kernel-General-LibraryLinking-1 | Keep this part? |

| Domain | Improvement |
|---|---|
| Platform-Services-1 | SystemD? |
| Platform-Services-2 | Secure daemon? |

| Domain | Improvement |
|---|---|
| Platform-Users-Capabilities-1 | Kernel or Platform-user? |
| Platform-Users-Capabilities-2 | Add config note. |

| Domain | Improvement |
|---|---|
| Application-Installation-1 | Talk about AppFw offline mode. |

| Domain | Improvement |
|---|---|
| Application-Signature-1 | Add content (see secure build in Secure development part). |

| Domain | Improvement |
|---|---|
| Application-Services-1 | Add content (which services?). |
| Application-Services-2 | Add Binder. |

| Domain | Improvement |
|---|---|
| Connectivity-Abstract-1 | Improve abstract. |

| Domain | Improvement |
|---|---|
| Connectivity-Wireless-1 | Add communication channels (RFID, ZigBee?). |

| Domain | Improvement |
|---|---|
| Update-SOTA-1 | Part to complete. |

| Domain | Improvement |
|---|---|
| SecureDev-SecureBuild-1 | Add content. |

| Domain | Improvement |
|---|---|
| SecureDev-Signatures-1 | Add content. |

| Domain | Improvement |
|---|---|
| SecureDev-CodeAudit-1 | Add CVE analyser. |
| SecureDev-CodeAudit-2 | OSSTMM. |
