Post on 29-Jun-2020

Page 1: Table of Contents...Introduction This document presents the different attacks that can be envisaged on a recent car in order to be able to create a set of tests verifying the security

Table of Contents

1.1 Introduction
1.2 Part 1 - Hardware
1.3 Part 2 - Secure Boot
  1.3.1 Image
  1.3.2 Communication modes
  1.3.3 Consoles
1.4 Part 3 - Hypervisor
1.5 Part 4 - Kernel
  1.5.1 General
  1.5.2 Memory
  1.5.3 Consoles
  1.5.4 Debug
  1.5.5 File Systems
1.6 Part 5 - Platform
  1.6.1 Mandatory Access Control
  1.6.2 SystemD
  1.6.3 System Bus
  1.6.4 System services and daemons
  1.6.5 App Framework
  1.6.6 Utilities
  1.6.7 Users
1.7 Part 6 - Application
  1.7.1 Installation
  1.7.2 Privilege management
  1.7.3 Signature
  1.7.4 Services
1.8 Part 7 - Connectivity
  1.8.1 Bus and connectors
  1.8.2 Wireless
  1.8.3 Cloud
1.9 Part 8 - Update (OTA)
  1.9.1 FOTA
  1.9.2 SOTA
1.10 Part 9 - Secure development
1.11 Annexes
  1.11.1 All config notes
  1.11.2 All todo notes


Introduction

This document presents the different attacks that can be envisaged on a recent car in order to be able to create a set of tests verifying the security of Automotive Grade Linux (AGL). The more general utility behind this document is to protect the manufacturers, customers and third parties from potential financial and information loss. This document is firstly based on the existing security-blueprint.

For security to be effective, the concepts must be simple. And by default, anything that is not allowed is forbidden.

We will cover topics starting from the lowest level (Hardware) up to the highest levels (Connectivity and Application). We will move quickly on Hardware and Connectivity because this is not supported at our level. Solutions of connectivity problems concern updates and secured settings, while hardware securing is related to the manufacturers.

The document is filled with tags to easily identify important points:

- The config tag quickly identifies the configurations and the recommendations to take.
- The note tag allows you to notify some additional details.
- The todo tag shows the possible improvements.

In the annexes of this document, you can find all the config and todo notes.

Hardening term: The term Hardening refers to the tools, techniques and processes required in order to reduce the attack surface on an embedded system, such as an embedded control unit (ECU) or other managed devices. The target for all hardening activities is to prevent the execution of invalid binaries on the device, and to prevent copying of security related data from the device.

AGL security overview

AGL roots are based on security concepts. Those concepts are implemented by the security framework as shown in this picture:

Acronyms and Abbreviations

The following table lists the strongest terms utilized within all this document.

| Acronyms or Abbreviations | Description |
|---|---|
| AGL | Automotive Grade Linux |
| ECU | Electronic Control Unit |

IoT.Bzh Security-blueprint, Version 4.99.4, December 2017


References

- security-blueprint. http://docs.automotivelinux.org/docs/architecture/en/dev/reference/security/01-overview.html
- [2017] - kernel security. https://www.kernel.org/doc/Documentation/security/
- [2017] - Systemd integration and user management. http://iot.bzh/download/public/2017/AMM-Dresden/AGL-systemd.pdf
- [2017] - AGL - Application Framework Documentation. http://iot.bzh/download/public/2017/SDK/AppFw-Documentation-v3.1.pdf
- [2017] - Improving Vehicle Cybersecurity. https://access.atis.org/apps/group_public/download.php/35648/ATIS-I-0000059.pdf
- [2016] - AGL framework overview. http://docs.automotivelinux.org/docs/apis_services/en/dev/reference/af-main/0-introduction.html
- [2016] - Secure Boot - Secure Software Updates. http://iot.bzh/download/public/2016/publications/SecureBoot-SecureSoftwareUpdates.pdf
- [2016] - Linux Automotive Security. http://iot.bzh/download/public/2016/security/Linux-Automotive-Security-v10.pdf
- [2016] - Automotive Security Best Practices. https://www.mcafee.com/it/resources/white-papers/wp-automotive-security.pdf
- [2016] - Gattacking Bluetooth Smart Devices. http://gattack.io/whitepaper.pdf
- [2015] - Comprehensive Experimental Analysis of Automotive Attack Surfaces. http://www.cs.wayne.edu/fengwei/15fa-csc6991/slides/8-CarHackingUsenixSecurity.pdf
- [2015] - Security in Automotive Bus Systems. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.92.728&rep=rep1&type=pdf
- [2014] - IOActive Remote Attack Surface. https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf
- [2011] - A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications. https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf
- [2011] - Comprehensive Experimental Analyses of Automotive Attack Surfaces. http://www.autosec.org/pubs/cars-usenixsec2011.pdf
- [2010] - Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars. https://eprint.iacr.org/2010/332.pdf
- [2010] - Wifi attacks WEP WPA. https://matthieu.io/dl/wifi-attacks-wep-wpa.pdf
- [2008] - SMACK. http://schaufler-ca.com/yahoo_site_admin/assets/docs/SmackWhitePaper.257153003.pdf


Part 1 - Hardware

Abstract

You will find in this first part everything that concerns the hardware security. The goal is to protect the system against all attacks that are trying to gain additional privileges by recovering and/or changing cryptographic keys in order to alter the integrity of the boot. We should also prevent hardware modifications in order to achieve this goal. We will expose below some examples of possible configurations.

Acronyms and Abbreviations

The following table lists the terms utilized within this part of the document.

| Acronyms or Abbreviations | Description |
|---|---|
| HSM | Hardware Security Module |
| NVM | Non-Volatile Memory |
| SHE | Secure Hardware Extensions |

Integrity

The board must store hardcoded cryptographic keys in order to verify, among others, the integrity of the bootloader. Manufacturers can use HSM and SHE to enhance the security of their board.

| Domain | Object | Recommendations |
|---|---|---|
| Hardware-Integrity-1 | Bootloader | Must control bootloader integrity. |
| Hardware-Integrity-2 | Board | Must use a HSM. |
| Hardware-Integrity-3 | RTC | Must not be alterable. |

Certificates

| Domain | Object | Recommendations |
|---|---|---|
| Hardware-Certificate-1 | System | Shall allow storing dedicated certificates. |
| Hardware-Certificate-2 | ECU | The ECU must verify the certification authority hierarchy. |
| Hardware-Certificate-3 | System | Allow the modification of certificates only if the source can be authenticated by a certificate already stored or in the higher levels of the chain of trust. |

Memory

| Domain | Object | Recommendations |
|---|---|---|
| Hardware-Memory-1 | ECU | The ECU shall never expose the unencrypted key in RAM when using cryptographic keys. |
| Hardware-Memory-2 | Bootloader | Internal NVM only. |
| Hardware-Module-3 | - | HSM must be used to secure keys. |


Part 2 - Secure boot

Abstract

| Domain | Improvement |
|---|---|
| Boot-Abstract-1 | More generic and add examples (The chain of trust). |

Boot Hardening: Steps/requirements to configure the boot sequence, in order to restrict the device from executing anything other than the approved software image.

In this part, we will see a series of settings that will allow us to improve security during the boot phase. For the purposes of reference and explanation, we are providing guidance on how to configure an embedded device that runs with a 3.10.17 Linux kernel. If the integrity is not checked or if a critical error occurs, the system must boot on a very stable backup image.

Requirements: These requirements must be met even if an alternative version of the Linux kernel is chosen.

Recommendations: Detailed best practices that should be applied in order to secure a device. Although they are not currently listed as hard requirements, they may be upgraded to requirements status in the future. In addition, specific operators may change some of these recommendations into requirements based on their specific needs and objectives.

| Domain | Improvement |
|---|---|
| Boot-Abstract-1 | Review the definition of the "boot loader". |

Boot loader: The boot loader consists of the Primary boot loader residing in OTP memory, sboot, U-Boot and Secure loader residing in external flash (NAND or SPI/NOR flash memory). The CPU on power on or reset executes the primary boot loader. The OTP primary boot loader makes the necessary initial system configuration and then loads the secondary boot loader sboot from external flash memory to RAM memory. The sboot then loads the U-Boot along with the Secure loader. U-Boot then verifies the Kernel/system image integrity, then loads the Kernel/system image before passing control to it.

Acronyms and Abbreviations

The following table lists the terms utilized within this part of the document.

| Acronyms or Abbreviations | Description |
|---|---|
| FUSE | Filesystem in UserSpacE |
| OTP | One-Time-Programmable |
| DOCSIS | Data Over Cable Service Interface Specification |

Image

Image selection

The boot process shall be uninterruptible and shall irrevocably boot the image as specified in the boot environment.

In U-Boot, set the "bootdelay" environment variable and/or define CONFIG_BOOTDELAY to -2.

| Domain | Variable / Config name | Value |
|---|---|---|
| Boot-Image-Selection-1 | CONFIG_BOOTDELAY | -2 |
| Boot-Image-Selection-2 | bootdelay | -2 |

Image authenticity

It shall not be possible to boot from an unverified image. The secure boot feature in U-Boot shall be enabled. The secure boot feature is available from the U-Boot 2013.07 version. To enable the secure boot feature, enable the following features:

- CONFIG_FIT: Enables support for the Flat Image Tree (FIT) uImage format.
- CONFIG_FIT_SIGNATURE: Enables signature verification of FIT images.
- CONFIG_RSA: Enables the RSA algorithm used for FIT image verification.
- CONFIG_OF_CONTROL: Enables Flattened Device Tree (FDT) configuration.
- CONFIG_OF_SEPARATE: Enables separate build of U-Boot from the device tree.
- CONFIG_DEFAULT_DEVICE_TREE: Specifies the default Device Tree used for the run-time configuration of U-Boot.

Generate the U-Boot image with public keys to validate and load the image. It shall use RSA2048 and SHA256 for authentication.

| Domain | Config name | State |
|---|---|---|
| Boot-Image-Authenticity-1 | CONFIG_FIT | Enable |
| Boot-Image-Authenticity-2 | CONFIG_FIT_SIGNATURE | Enable |
| Boot-Image-Authenticity-3 | CONFIG_RSA | Enable |
| Boot-Image-Authenticity-4 | CONFIG_OF_CONTROL | Enable |
| Boot-Image-Authenticity-5 | CONFIG_OF_SEPARATE | Enable |
| Boot-Image-Authenticity-6 | CONFIG_DEFAULT_DEVICE_TREE | Enable |


Communication modes

Disable USB, Serial and DOCSIS Support

To disable USB support in U-Boot, the following configs shall not be defined:

- CONFIG_CMD_USB: Enables basic USB support and the usb command.
- CONFIG_USB_UHCI: Defines the low level part.
- CONFIG_USB_KEYBOARD: Enables the USB Keyboard.
- CONFIG_USB_STORAGE: Enables the USB storage devices.
- CONFIG_USB_HOST_ETHER: Enables USB Ethernet adapter support.

In addition, disable the communication modes that are not necessary, like Ethernet, Serial ports and DOCSIS, in U-Boot and sboot.

Linux Kernel support for USB should be compiled-out if not required. If it is needed, the Linux Kernel should be configured to only enable the minimum required USB devices. User-initiated USB file systems should be treated with special care. Whether or not the file systems are mounted in user space (FUSE), restricted mount options should be observed.

| Domain | Communication modes | State |
|---|---|---|
| Boot-Communication-1 | USB | Disabled and Compiled-out if not required. |
| Boot-Communication-2 | USB | Else, Kernel should be configured to only enable the minimum required USB devices and file systems should be treated with special care. |
| Boot-Communication-3 | Ethernet | Disabled |
| Boot-Communication-4 | U-boot and sboot DOCSIS | Disabled |
| Boot-Communication-5 | Serial ports | Disabled |

| Domain | Config name | State |
|---|---|---|
| Boot-Communication-USB-1 | CONFIG_CMD_USB | Not defined |
| Boot-Communication-USB-2 | CONFIG_USB_UHCI | Not defined |
| Boot-Communication-USB-3 | CONFIG_USB_KEYBOARD | Not defined |
| Boot-Communication-USB-4 | CONFIG_USB_STORAGE | Not defined |
| Boot-Communication-USB-5 | CONFIG_USB_HOST_ETHER | Not defined |

Disable all Network Interfaces

Preferably no network interface is allowed, but if required, then the enabled services should be restricted to only those used.

| Domain | Communication modes | State |
|---|---|---|
| Boot-Communication-1 | Network interfaces | Preferably no network interface is allowed, otherwise, restrict the services to those used. |

Remove or Disable Unnecessary Services, Ports, and Devices

Restrict the services, ports and devices to those used.

| Domain | Object | Recommendations |
|---|---|---|
| Boot-Communication-1 | Services, ports and devices | Restrict the services, ports and devices to those used. |

Disable flash access

Recommendation: In U-Boot, the following flash memory commands shall be disabled:

- NAND: Support for NAND flash access available through do_nand has to be disabled.

| Domain | Command name | State |
|---|---|---|
| Boot-Communication-Flash-1 | do_nand | Disable |

Similarly, sboot should disable flash access support through the command line, if any.


Consoles

Disable serial console

Serial console output shall be disabled. To disable console output in U-Boot, set the following macros:

| Domain | Config name | Value |
|---|---|---|
| Boot-Consoles-Serial-1 | CONFIG_SILENT_CONSOLE | Disable |
| Boot-Consoles-Serial-2 | CONFIG_SYS_DEVICE_NULLDEV | Disable |
| Boot-Consoles-Serial-3 | CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC | Disable |

| Domain | Improvement |
|---|---|
| Boot-Consoles-1 | Secure loader: No reference earlier? |

And set the "silent" environment variable. For the Secure loader, disable the traces by not defining the below macro:

| Domain | Environment variable name | State |
|---|---|---|
| Boot-Consoles-Serial-1 | INC_DEBUG_PRINT | Not defined |

For sboot, proper configuration needs to be done to disable the serial console.

Immutable environment variables

In U-Boot, ensure the Kernel command line, boot commands, bootdelay and other environment variables are immutable. This will prevent side-loading of alternate images, by restricting the boot selection to only the image in FLASH.

The environment variables shall be part of the text region in U-Boot as default environment variables and not in non-volatile memory.

Remove configuration options related to non-volatile memory, such as:

| Domain | Config name | State |
|---|---|---|
| Boot-Consoles-Variables-1 | CONFIG_ENV_IS_IN_MMC | #undef |
| Boot-Consoles-Variables-2 | CONFIG_ENV_IS_IN_EEPROM | #undef |
| Boot-Consoles-Variables-3 | CONFIG_ENV_IS_IN_FLASH | #undef |
| Boot-Consoles-Variables-4 | CONFIG_ENV_IS_IN_DATAFLASH | #undef |
| Boot-Consoles-Variables-5 | CONFIG_ENV_IS_IN_FAT | #undef |
| Boot-Consoles-Variables-6 | CONFIG_ENV_IS_IN_NAND | #undef |
| Boot-Consoles-Variables-7 | CONFIG_ENV_IS_IN_NVRAM | #undef |
| Boot-Consoles-Variables-8 | CONFIG_ENV_IS_IN_ONENAND | #undef |
| Boot-Consoles-Variables-9 | CONFIG_ENV_IS_IN_SPI_FLASH | #undef |
| Boot-Consoles-Variables-10 | CONFIG_ENV_IS_IN_REMOTE | #undef |
| Boot-Consoles-Variables-11 | CONFIG_ENV_IS_IN_UBI | #undef |
| Boot-Consoles-Variables-12 | CONFIG_ENV_IS_NOWHERE | #define |


(Recommendation) Removal of memory dump commands

In U-Boot, the following commands shall be disabled to avoid memory dumps:

- md: Memory Display command.
- mm: Memory modify command - auto incrementing address.
- nm: Memory modify command - constant address.
- mw: Memory write.
- cp: Memory copy.
- mwc: Memory write cyclic.
- mdc: Memory display cyclic.
- mtest: Simple RAM read/write test.
- loopw: Infinite write loop on address range.

| Domain | Command name | State |
|---|---|---|
| Boot-Consoles-MemDump-1 | md | Disabled |
| Boot-Consoles-MemDump-2 | mm | Disabled |
| Boot-Consoles-MemDump-3 | nm | Disabled |
| Boot-Consoles-MemDump-4 | mw | Disabled |
| Boot-Consoles-MemDump-5 | cp | Disabled |
| Boot-Consoles-MemDump-6 | mwc | Disabled |
| Boot-Consoles-MemDump-7 | mdc | Disabled |
| Boot-Consoles-MemDump-8 | mtest | Disabled |
| Boot-Consoles-MemDump-9 | loopw | Disabled |

Similarly, memory dump support shall be disabled from sboot.


Part 3 - Hypervisor

Definition: "A hypervisor or virtual machine monitor (VMM) is computer software, firmware or hardware that creates and runs virtual machines".

It must include a signature verification (possibly delegated).

| Domain | Improvement |
|---|---|
| Hypervisor-Abstract-1 | Complete Hypervisor part (jailhouse/KVM/Xen). |

Native or Bare-metal hypervisors

These hypervisors run directly on the host's hardware to control the hardware and to manage guest operating systems. Those are the ones we're interested in.

Part 4 - Kernel

Abstract

System Hardening: Best practices associated with the configuration of an embedded Linux based operating system. This section includes both hardening of the kernel itself, as well as specific configurations and patches used to protect against known vulnerabilities within the build and configuration of the root file system.

At the Kernel level, we must ensure that no console can be launched. It could be used to change the behavior of the system or to have more information about it. Another aspect is the protection of the memory used by the Kernel.

The next sub-sections contain information on various kernel configuration options to enhance the security in the kernel (3.10.17) and also for applications compiled to take advantage of these security features. Additionally, there are also configuration options that protect from known vulnerable configuration options. Here's a high level summary of various kernel configurations that shall be required for deployment.


General configuration

Mandatory Access Control

The Kernel should control access with labels and policy.

| Domain | Object | Recommendations |
|---|---|---|
| Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control. |

| Domain | Improvement |
|---|---|
| Kernel-MAC-1 | Add MAC config note. |

Disable kexec

This prevents someone who gets root from supplanting the kernel. This can be used as a way to bypass signed kernels.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-kexec-1 | CONFIG_KEXEC | n |

Disable kernel IP auto-configuration

It is preferable to have the IP configuration performed using a user-space tool, as these tend to have more validation. We do not want the network interface coming up until the system has come up properly.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-IPAutoConf-1 | CONFIG_IP_PNP | n |

Disable Sysctl syscall support

Enabling this will result in code being included that is hard to maintain and not well tested.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-SysCtl_SysCall-1 | CONFIG_SYSCTL_SYSCALL | n |

Disable Legacy Linux Support

There are some Kernel Configs which are present only to support legacy binaries. See also the "Consoles" part in order to disable support for legacy binary formats. The uselib system call, in particular, has no valid use in any libc6 or uclibc system in recent times. This configuration is supported in Linux 3.15 and greater and thus should only be disabled for such versions.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-LegacyLinux-1 | CONFIG_USELIB | n |

Disable firmware auto-loading user mode helper

The firmware auto-loading helper, which is a utility executed by the kernel on hotplug events requiring firmware, needs to be set setuid. As a result of this, the helper utility is an attractive target for attackers with control of physical ports on the device. This configuration is supported in Linux 3.9 and greater and thus should only be disabled for such versions.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-FirmHelper-1 | CONFIG_FW_LOADER_USER_HELPER | n |

Enable Kernel Panic on OOPS

When fuzzing the kernel or attempting kernel exploits, attackers are likely to trigger kernel OOPSes. Setting the behavior on OOPS to PANIC can impede their progress.

This configuration is supported in Linux 3.5 and greater and thus should only be enabled for such versions.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-PanicOnOOPS-1 | CONFIG_PANIC_ON_OOPS | y |

Disable socket monitoring interface

These monitors can be used to inspect shared file descriptors on Unix Domain sockets or traffic on 'localhost' which is otherwise assumed to be confidential.

The CONFIG_PACKET_DIAG configuration is supported in Linux 3.7 and greater and thus should only be disabled for such versions.

The CONFIG_UNIX_DIAG configuration is supported in Linux 3.3 and greater and thus should only be disabled for such versions.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-SocketMon-1 | CONFIG_PACKET_DIAG | n |
| Kernel-General-SocketMon-2 | CONFIG_UNIX_DIAG | n |

Disable BPF JIT

The BPF JIT can be used to create kernel payloads from firewall table rules.

This configuration is supported in Linux 3.16 and greater and thus should only be disabled for such versions.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-BPF_JIT-1 | CONFIG_BPF_JIT | n |

Enable Enforced Module Signing

The kernel should never allow an unprivileged user the ability to load specific kernel modules, since that would provide a facility to unexpectedly extend the available attack surface.

To protect against even privileged users, systems may need to either disable module loading entirely, or provide signed modules (e.g. CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep from having root load arbitrary kernel code via the module loader interface.

This configuration is supported in Linux 3.7 and greater and thus should only be enabled for such versions.

| Domain | Config name | Value |
|---|---|---|
| Kernel-General-ModuleSigning-1 | CONFIG_MODULE_SIG_FORCE | y |


Disable all USB, PCMCIA (and other hotplug bus) drivers that aren't needed

This reduces the attack surface: the driver enumeration, probe, and operation happen in the kernel, and the driver data is parsed by the kernel, so any logic bugs in these drivers can become kernel exploits.

| Domain | Object | State |
|---|---|---|
| Kernel-General-Drivers-1 | USB | Disabled |
| Kernel-General-Drivers-2 | PCMCIA | Disabled |
| Kernel-General-Drivers-3 | Other hotplug bus | Disabled |

Position Independent Executables

| Domain | Compiler and linker options | State |
|---|---|---|
| Kernel-General-IndependentExec-1 | -pie -fpic | Enable |

Produce a position independent executable on targets which support it.

Prevent Overwrite Attacks

The -z,relro linking option helps during program load: several ELF memory sections need to be written by the linker, but can be turned read-only before turning over control to the program. This prevents some Global Offset Table (GOT) overwrite attacks, or attacks on the dtors section of the ELF binary.

| Domain | Compiler and linker options | State |
|---|---|---|
| Kernel-General-OverwriteAttacks-1 | -z,relro | Enable |
| Kernel-General-OverwriteAttacks-2 | -z,now | Enable |

During program load, all dynamic symbols are resolved, allowing for the complete GOT to be marked read-only (due to -z relro above). This prevents GOT overwrite attacks. For very large applications, this can incur some performance loss during initial load while symbols are resolved, but this shouldn't be an issue for daemons.

Library linking

It is recommended that dynamic linking should generally not be allowed. This will prevent the user from replacing a library with a malicious library. All libraries should be linked statically, but this is difficult to implement.

| Domain | Compiler and linker options | State |
|---|---|---|
| Kernel-General-LibraryLinking-1 | -static | Enable |
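To verify that a built binary actually carries the three linker options of these tables (-pie, -z,relro, -z,now) and whether it is statically linked, here is an added example that is not part of the blueprint: a small pure-Python inspector that reads the ELF64 header, program headers and dynamic section, plus a constructor for minimal sample images (constructed test vectors, not real binaries) so the check can be exercised offline. Real binaries can be passed on the command line.

```python
import struct
import sys

# ELF64 constants (from the ELF specification) used by the check.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_hardening(data):
    """Report, for a little-endian ELF64 image, the properties behind the
    linker options above: pie (-pie), relro (-z,relro), bind_now (-z,now)
    and static (-static, i.e. no PT_DYNAMIC segment at all)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_relro, dyn_off, dyn_size = False, None, 0
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:      # -z,relro: a segment to remap read-only
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            # -z,now is recorded as DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True
    return {"pie": e_type == ET_DYN, "relro": has_relro,
            "bind_now": bind_now, "static": dyn_off is None}


def missing_flags(props):
    """Map a check_hardening() result back to the options of the tables above."""
    wanted = [("pie", "-pie -fpic"), ("relro", "-z,relro"), ("bind_now", "-z,now")]
    return [flag for key, flag in wanted if not props[key]]


def build_sample(e_type, relro, bind_now, dynamic=True):
    """Construct a minimal ELF64 image with the requested properties.
    This is a constructed test vector, not a real binary: it has no code,
    only the headers that check_hardening() reads."""
    dyn = b""
    if dynamic:
        if bind_now:
            dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
        dyn += struct.pack("<qQ", DT_NULL, 0)
    phnum = int(dynamic) + int(relro)
    phdrs = b""
    if dynamic:   # PT_DYNAMIC points at the dynamic entries appended below
        phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 64 + 56 * phnum,
                             0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, phnum, 64, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            props = check_hardening(f.read())
        print(path, props, "missing:", missing_flags(props) or "none")
```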


Memory

Restrict access to kernel memory

The /dev/kmem file in Linux systems is directly mapped to kernel virtual memory. This can be disastrous if an attacker gains root access, as the attacker would have direct access to kernel virtual memory.

To disable the /dev/kmem file, which is very infrequently used by applications, the following kernel option should be set in the compile-time kernel configuration:

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-RestrictAccess-1 | CONFIG_DEVKMEM | n |

In case applications in user space need /dev/kmem support, it should be available only for authenticated applications.

Disable access to a kernel core dump

This kernel configuration disables access to a kernel core dump from user space. If enabled, it gives attackers a useful view into kernel memory.

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-CoreDump-1 | CONFIG_PROC_KCORE | n |

Disable swap

If not disabled, attackers can enable swap at runtime, add pressure to the memory subsystem and then scour the pages written to swap for useful information.

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-Swap-1 | CONFIG_SWAP | n |

Disable "Load All Symbols"

There is a /proc/kallsyms file which exposes the kernel memory space address of many kernel symbols (functions, variables, etc.). This information is useful to attackers in identifying kernel versions/configurations and in preparing payloads for the exploits of kernel space.

Both KALLSYMS_ALL and KALLSYMS shall be disabled.

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-LoadAllSymbols-1 | CONFIG_KALLSYMS | n |
| Kernel-Memory-LoadAllSymbols-2 | CONFIG_KALLSYMS_ALL | n |

Stack protection

To prevent stack-smashing, similar to the stack protector used for ELF programs in user-space, the kernel can protect its internal stacks as well.

This configuration is supported in Linux 3.11 and greater and thus should only be enabled for such versions.

This configuration also requires building the kernel with the gcc compiler 4.2 or greater.

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-Stack-1 | CONFIG_CC_STACKPROTECTOR | y |

Other defenses include things like shadow stacks.

Disable access to /dev/mem

The /dev/mem file in Linux systems is directly mapped to physical memory. This can be disastrous if an attacker gains root access, as the attacker would have direct access to physical memory through this convenient device file. It may not always be possible to disable such a file, as some applications might need such support. In that case, this device file should be available only for authenticated applications.

This configuration is supported in Linux 4.0 and greater and thus should only be disabled for such versions.

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-Access-1 | CONFIG_DEVMEM | n |

Disable cross-memory attach

Disable the process_vm_*v syscalls which allow one process to peek/poke the virtual memory of another.

This configuration is supported in Linux 3.5 and greater and thus should only be disabled for such versions.

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-CrossMemAttach-1 | CROSS_MEMORY_ATTACH | n |

Stack Smashing Attacks

| Domain | Compiler and linker options | State |
|---|---|---|
| Kernel-Memory-StackSmashing-1 | -fstack-protector-all | Enable |

Emit extra code to check for buffer overflows, such as stack smashing attacks.

Detect Buffer Overflows

| Domain | Compiler and linker options | Value |
|---|---|---|
| Kernel-Memory-BufferOverflows-1 | -D_FORTIFY_SOURCE | 2 |

Helps detect some buffer overflow errors.


Serial

Disable serial console

The serial console should be disabled to prevent an attacker from accessing this powerful interface.

| Domain | Config name | Value |
|---|---|---|
| Kernel-Consoles-Serial-1 | CONFIG_SERIAL_8250 | n |
| Kernel-Consoles-Serial-2 | CONFIG_SERIAL_8250_CONSOLE | n |
| Kernel-Consoles-Serial-3 | CONFIG_SERIAL_CORE | n |
| Kernel-Consoles-Serial-4 | CONFIG_SERIAL_CORE_CONSOLE | n |

Bake-in the kernel command-line

The kernel command-line is used to control many aspects of the booting kernel, and is prone to tampering as the parameters are passed in RAM with little to no reverse validation. To prevent this type of attack, the kernel shall be configured to ignore command line arguments, and use pre-configured (compile time) options instead.

Set the kernel command line in the CONFIG_CMDLINE KConfig item and then pass no arguments from the bootloader.

| Domain | Config name | Value |
|---|---|---|
| Kernel-Consoles-CommandLine-1 | CONFIG_CMDLINE_BOOL | y |
| Kernel-Consoles-CommandLine-2 | CONFIG_CMDLINE | "insert kernel command line here" |
| Kernel-Consoles-CommandLine-3 | CONFIG_CMDLINE_OVERRIDE | y |

It is recommended that any per-device settings (e.g. MAC addresses, serial numbers, etc.) be stored and accessed from read-only memory (or files), and that any such parameters be verified (signature checking) prior to their use.

Disable KGDB

The Linux kernel supports KGDB over USB and console ports. These mechanisms are controlled by the kgdbdbgp and kgdboc kernel command-line parameters. It is important to ensure that no shipping product contains a kernel with KGDB compiled-in.

| Domain | Config name | Value |
|---|---|---|
| Kernel-Consoles-KDBG-1 | CONFIG_KGDB | n |

Disable magic sysrq support

On a few architectures, you can access a powerful debugger interface from the keyboard. The same powerful interface can be present on the serial console (responding to serial break) of Linux on other architectures. Disable it to avoid potentially exposing this powerful backdoor.

| Domain | Config name | Value |
|---|---|---|
| Kernel-Consoles-SysRQ-1 | CONFIG_MAGIC_SYSRQ | n |

Disable support for binary formats other than ELF

This option makes it possible to plug wrapper-driven binary formats into the kernel; it enables support for binary formats other than ELF. Providing the ability to use alternate interpreters would assist an attacker in discovering attack vectors.

| Domain | Config name | Value |
|---|---|---|
| Kernel-Consoles-BinaryFormat-1 | CONFIG_BINFMT_MISC | n |


Debug

No debuggers shall be present on the file system. This includes, but is not limited to, the GNU Debugger client/server (commonly known in their short form names such as the gdb and gdbserver executable binaries respectively), the LLDB next generation debugger or the TCF (Target Communications Framework) agnostic framework. Including these binaries as part of the file system will facilitate an attacker's ability to reverse engineer and debug (either locally or remotely) any process that is currently executing on the device.

Kernel debug symbols

Debug symbols should always be removed from production kernels as they provide a lot of information to attackers.

Domain                   Config name         Value
Kernel-Debug-Symbols-1   CONFIG_DEBUG_INFO   n

These kernel debug symbols are enabled by other config items in the kernel. Care should be taken to disable those also. If CONFIG_DEBUG_INFO cannot be disabled, then enabling CONFIG_DEBUG_INFO_REDUCED is second best.

Disable Kprobes

Kprobes enables you to dynamically break into any kernel routine and collect debugging and performance information non-disruptively. You can trap at almost any kernel code address, specifying a handler routine to be invoked when the breakpoint is hit.

Domain                   Config name      Value
Kernel-Debug-Kprobes-1   CONFIG_KPROBES   n

Disable Tracing

FTrace enables the kernel to trace every kernel function. Providing kernel trace functionality would assist an attacker in discovering attack vectors.

Domain                   Config name     Value
Kernel-Debug-Tracing-1   CONFIG_FTRACE   n


Disable Profiling

Profiling and OProfile enable profiling of the whole system, including the kernel, kernel modules, libraries, and applications. Providing profiling functionality would assist an attacker in discovering attack vectors.

Domain                     Config name        Value
Kernel-Debug-Profiling-1   CONFIG_OPROFILE    n
Kernel-Debug-Profiling-2   CONFIG_PROFILING   n

Disable OOPS print on BUG()

The output from an OOPS print can be helpful in Return Oriented Programming (ROP) when trying to determine the effectiveness of an exploit.

Domain                     Config name               Value
Kernel-Debug-OOPSOnBUG-1   CONFIG_DEBUG_BUGVERBOSE   n

Disable Kernel Debugging

There are development-only branches of code in the kernel enabled by the DEBUG_KERNEL conf. This should be disabled to compile-out these branches.

Domain               Config name           Value
Kernel-Debug-Dev-1   CONFIG_DEBUG_KERNEL   n
Kernel-Debug-Dev-2   CONFIG_EMBEDDED       n

In some kernel versions, disabling this also requires disabling CONFIG_EMBEDDED and CONFIG_EXPERT. Disabling CONFIG_EXPERT makes it impossible to disable COREDUMP, DEBUG_BUGVERBOSE, NAMESPACES, KALLSYMS and BUG, in which case it is better to leave this enabled than to enable the others.


Disable the kernel debug file system

The kernel debug file system presents a lot of useful information and means of manipulation of the kernel to an attacker.

Domain                      Config name       Value
Kernel-Debug-FileSystem-1   CONFIG_DEBUG_FS   n

Disable BUG() support

The kernel will display backtrace and register information for BUGs and WARNs in kernel space, making it easier for attackers to develop exploits.

Domain               Config name   Value
Kernel-Debug-BUG-1   CONFIG_BUG    n

Disable core dumps

Core dumps provide a lot of debug information for hackers, so disabling core dumps is recommended in production builds.

This configuration is supported in Linux 3.7 and greater and thus should only be disabled for such versions.

Domain                     Config name       Value
Kernel-Debug-CoreDumps-1   CONFIG_COREDUMP   n


Kernel Address Display Restriction

When attackers try to develop "run anywhere" exploits for kernel vulnerabilities, they frequently need to know the location of internal kernel structures. By treating kernel addresses as sensitive information, those locations are not visible to regular local users.

/proc/sys/kernel/kptr_restrict is set to "1" to block the reporting of known kernel address leaks.

Domain                         File name                        Value
Kernel-Debug-AdressDisplay-1   /proc/sys/kernel/kptr_restrict   1

Additionally, various files and directories should be readable only by the root user: /boot/vmlinuz*, /boot/System.map*, /sys/kernel/debug/, /proc/slabinfo

Domain                         File or Directory name   State
Kernel-Debug-AdressDisplay-1   /boot/vmlinuz*           Readable only for root user
Kernel-Debug-AdressDisplay-2   /boot/System.map*        Readable only for root user
Kernel-Debug-AdressDisplay-3   /sys/kernel/debug/       Readable only for root user
Kernel-Debug-AdressDisplay-4   /proc/slabinfo           Readable only for root user

DMESG Restrictions

When attackers try to develop "run anywhere" exploits for vulnerabilities, they frequently will use dmesg output. By treating dmesg output as sensitive information, this output is not available to the attacker.

/proc/sys/kernel/dmesg_restrict can be set to "1" to treat dmesg output as sensitive.

Domain                 File name                         Value
Kernel-Debug-DMESG-1   /proc/sys/kernel/dmesg_restrict   1

Enable the below compiler and linker options when building user-space applications to avoid stack smashing and buffer overflow attacks.


Disable /proc/config.gz

It is extremely important not to expose the kernel configuration used on a production device to a potential attacker. With access to the kernel config, it could be possible for an attacker to build a custom kernel for the device that may disable critical security features.

Domain                  Config name       Value
Kernel-Debug-Config-1   CONFIG_IKCONFIG   n


File System

Disable all file systems not needed

To reduce the attack surface: file system data is parsed by the kernel, so any logic bugs in file system drivers can become kernel exploits.

Disable NFS file system

NFS file systems are useful during development phases, but they can be a very helpful way for an attacker to get files when you are in production mode, so we must disable them.

Domain                     Config name     Value
Kernel-FileSystems-NFS-1   CONFIG_NFSD     n
Kernel-FileSystems-NFS-2   CONFIG_NFS_FS   n
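The Kernel-Consoles, Kernel-Debug and Kernel-FileSystems-NFS items above can be checked mechanically against a kernel .config. The script below is an added example, not part of the AGL security-blueprint; it assumes the usual .config syntax ("CONFIG_X=y", "CONFIG_X=\"...\"", "# CONFIG_X is not set") and treats a missing symbol as n. The sample .config it writes is constructed.

```shell
#!/bin/sh
# Added example (not from the AGL security-blueprint): audit a kernel .config
# against the Kernel-Consoles / Kernel-Debug / Kernel-FileSystems-NFS tables.

# Expected values from the tables above, one "symbol expected" pair per line.
BLUEPRINT_EXPECTED='
CONFIG_CMDLINE_BOOL y
CONFIG_CMDLINE_OVERRIDE y
CONFIG_KGDB n
CONFIG_MAGIC_SYSRQ n
CONFIG_BINFMT_MISC n
CONFIG_DEBUG_INFO n
CONFIG_KPROBES n
CONFIG_FTRACE n
CONFIG_OPROFILE n
CONFIG_PROFILING n
CONFIG_DEBUG_BUGVERBOSE n
CONFIG_DEBUG_KERNEL n
CONFIG_DEBUG_FS n
CONFIG_BUG n
CONFIG_COREDUMP n
CONFIG_IKCONFIG n
CONFIG_NFSD n
CONFIG_NFS_FS n
'

# kconfig_value FILE SYMBOL -> prints y, m, n or the quoted string value.
# "# SYMBOL is not set" and an absent symbol both mean n.
kconfig_value() {
    if grep -q "^# $2 is not set\$" "$1"; then
        echo n; return 0
    fi
    _line=$(grep "^$2=" "$1" | head -n 1)
    if [ -z "$_line" ]; then echo n; else echo "${_line#*=}"; fi
}

# kconfig_audit FILE -> one "FAIL symbol expected=.. actual=.." line per deviation,
# a WARN when CONFIG_DEBUG_INFO_REDUCED is the fallback, then a count.
# Returns 0 only when the file matches the blueprint.
kconfig_audit() {
    _file=$1; _fail=0
    while read -r _sym _want; do
        [ -z "$_sym" ] && continue
        _got=$(kconfig_value "$_file" "$_sym")
        [ "$_got" = "$_want" ] && continue
        if [ "$_sym" = CONFIG_DEBUG_INFO ] && [ "$(kconfig_value "$_file" CONFIG_DEBUG_INFO_REDUCED)" = y ]; then
            echo "WARN CONFIG_DEBUG_INFO=y; CONFIG_DEBUG_INFO_REDUCED=y is only second best"
            continue
        fi
        echo "FAIL $_sym expected=$_want actual=$_got"
        _fail=$((_fail + 1))
    done <<EOF
$BLUEPRINT_EXPECTED
EOF
    # The baked-in command line must be a real string, not empty or absent.
    _cmd=$(kconfig_value "$_file" CONFIG_CMDLINE)
    if [ "$_cmd" = n ] || [ "$_cmd" = '""' ]; then
        echo "FAIL CONFIG_CMDLINE expected=non-empty actual=$_cmd"
        _fail=$((_fail + 1))
    fi
    echo "$_fail deviation(s) from the blueprint"
    [ "$_fail" -eq 0 ]
}

# kconfig_write_sample PATH: a constructed development-style .config (not a real
# AGL configuration) that still has KGDB and debugfs enabled.
kconfig_write_sample() {
    cat > "$1" <<'EOF'
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="console=ttyS0,115200 root=/dev/mmcblk0p2 ro"
CONFIG_CMDLINE_OVERRIDE=y
CONFIG_KGDB=y
# CONFIG_MAGIC_SYSRQ is not set
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_INFO_REDUCED=y
# CONFIG_FTRACE is not set
# CONFIG_DEBUG_KERNEL is not set
CONFIG_DEBUG_FS=y
# CONFIG_COREDUMP is not set
# CONFIG_NFS_FS is not set
EOF
}

# Usage: sh kconfig-audit.sh /path/to/.config
if [ $# -eq 1 ]; then kconfig_audit "$1"; fi
```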


Partition Mount Options

There are several security restrictions that can be set on a file system when it is mounted. Some common security options include, but are not limited to:

nosuid - Do not allow set-user-identifier or set-group-identifier bits to take effect.
nodev - Do not interpret character or block special devices on the file system.
noexec - Do not allow execution of any binaries on the mounted file system.
ro - Mount file system as read-only.

The following flags shall be used for mounting common file systems:

Domain                       Partition           Value
Kernel-FileSystems-Mount-1   /boot               nosuid, nodev and noexec.
Kernel-FileSystems-Mount-2   /var & /tmp         In /etc/fstab or vfstab, add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-3   Non-root local      If type is ext2 or ext3 and mount point not '/', add nodev.
Kernel-FileSystems-Mount-4   Removable storage   Add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-5   Temporary storage   Add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-6   /dev/shm            Add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-7   /dev                Add nosuid and noexec.

If CONFIG_DEVTMPFS_MOUNT is set, then the kernel will mount /dev and will not apply the nosuid and noexec options. Either disable CONFIG_DEVTMPFS_MOUNT or add a remount with noexec and nosuid options to system startup.

Domain                       Config name             State or Value
Kernel-FileSystems-Mount-1   CONFIG_DEVTMPFS_MOUNT   Disabled, or add a remount with noexec and nosuid to system startup.
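The Kernel-FileSystems-Mount-* table can be checked against an fstab before an image ships. The script below is an added example, not part of the AGL security-blueprint; it assumes that tmpfs is "temporary storage", that vfat/exfat outside /boot is "removable storage", and it also flags the CONFIG_DEVTMPFS_MOUNT case when /dev has no fstab entry. The fstab it writes is constructed.

```shell
#!/bin/sh
# Added example (not from the AGL security-blueprint): audit an fstab-style file
# against the Kernel-FileSystems-Mount-* flags.

# fstab_write_sample PATH: constructed fstab, not from a real AGL image.
fstab_write_sample() {
    cat > "$1" <<'EOF'
# <device>       <mount>   <type>  <options>               <dump> <pass>
/dev/mmcblk0p1   /boot     vfat    defaults,ro             0 2
/dev/mmcblk0p2   /         ext4    defaults,ro             0 1
/dev/mmcblk0p3   /var      ext4    defaults,nosuid,nodev   0 2
/dev/mmcblk0p4   /data     ext3    defaults                0 2
tmpfs            /tmp      tmpfs   nosuid,nodev,noexec     0 0
tmpfs            /dev/shm  tmpfs   nosuid,nodev,noexec     0 0
EOF
}

# required_mount_opts MOUNTPOINT FSTYPE -> the flags the table requires, space separated.
# Mount point rules first (rows 1, 2, 6, 7), then file-system-type rules (rows 3, 4, 5).
required_mount_opts() {
    case $1 in
        /boot|/var|/tmp|/dev/shm) echo "nosuid nodev noexec"; return 0 ;;
        /dev)                     echo "nosuid noexec"; return 0 ;;
        /)                        return 0 ;;
    esac
    case $2 in
        tmpfs|vfat|exfat) echo "nosuid nodev noexec" ;;   # temporary or removable storage (assumed mapping)
        ext2|ext3)        echo "nodev" ;;                 # non-root local ext2/ext3
    esac
    return 0
}

# has_opt OPTIONS NAME -> 0 when the comma-separated OPTIONS contain NAME exactly.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# fstab_audit FILE -> one "FAIL <mount> (<type>) missing <flag>" line per missing flag;
# warns when /dev is not listed, because a kernel-mounted devtmpfs
# (CONFIG_DEVTMPFS_MOUNT=y) carries neither nosuid nor noexec.
# Returns 0 only when no flag is missing.
fstab_audit() {
    _fail=0; _dev_seen=0
    while read -r _dev _mnt _type _opts _rest; do
        case $_dev in ''|'#'*) continue ;; esac
        [ "$_mnt" = /dev ] && _dev_seen=1
        for _need in $(required_mount_opts "$_mnt" "$_type"); do
            if ! has_opt "$_opts" "$_need"; then
                echo "FAIL $_mnt ($_type) missing $_need"
                _fail=$((_fail + 1))
            fi
        done
    done < "$1"
    if [ "$_dev_seen" -eq 0 ]; then
        echo "WARN /dev not in fstab: disable CONFIG_DEVTMPFS_MOUNT or remount /dev with nosuid,noexec at startup"
    fi
    [ "$_fail" -eq 0 ]
}

# Usage: sh fstab-audit.sh /etc/fstab
if [ $# -eq 1 ]; then fstab_audit "$1"; fi
```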


Part 5 - Platform

Abstract

This part focuses on the AGL platform, including all tools and techniques used to upgrade the security and downgrade the danger. It must be possible to apply the two fundamental principles written at the very beginning of the document. First of all, security management must remain simple. You must also prohibit everything by default, and then define a set of authorization rules. As cases to deal with, we must:

Implement a MAC for processes and files.
Limit communication between applications (System Bus and SystemD part).
Prohibit all tools used during development mode (Utilities and Services part).
Manage user capabilities (Users part).
Manage application permissions and policies (AGL Fw part).

The tools and concepts used to meet these needs are only examples. Any other tool that meets the need can be used.

In AGL, as in many other embedded systems, different security mechanisms settle in the core layers to ensure isolation and data privacy. While the Mandatory Access Control layer (SMACK) provides global security and isolation, other mechanisms like Cynara are required to check an application's permissions at runtime. Applicative permissions (also called "privileges") may vary depending on the user and the application being run: an application should have access to a given service only if it is run by the proper user and if the appropriate permissions are granted.


Acronyms and Abbreviations

The following table lists the terms utilized within this part of the document.

Acronyms or Abbreviations   Description
ACL                         Access Control Lists
alsa                        Advanced Linux Sound Architecture
API                         Application Programming Interface
AppFw                       Application Framework
Cap                         Capabilities
DAC                         Discretionary Access Control
DDOS                        Distributed Denial Of Service
DOS                         Denial Of Service
IPC                         Inter-Process Communication
MAC                         Mandatory Access Control
PAM                         Pluggable Authentication Modules
SMACK                       Simplified Mandatory Access Control Kernel


Mandatory Access Control

We decided to put the MAC protection in the platform part despite the fact that it applies to the kernel too, since its use will be mainly at the platform level (except for the floor part).

Mandatory Access Control (MAC) is a protection provided by the Linux kernel that requires a Linux Security Module (LSM). AGL uses an LSM called Simplified Mandatory Access Control Kernel (SMACK). This protection involves the creation of SMACK labels, stored in the file extended attributes, and of a policy that defines the behaviour of each label.

The kernel access control is based on these labels and this policy. If there is no rule, no access will be granted and, as a consequence, what is not explicitly authorized is forbidden.

There are two types of SMACK labels:

Execution SMACK (attached to the process): defines how files are accessed and created by that process.
File Access SMACK (written to the extended attribute of the file): defines which process can access the file.

By default a process executes with its File Access SMACK label unless an Execution SMACK label is defined.

AGL's SMACK scheme is based on the Tizen 3 Q2/2015 one. It divides the system into the following domains:

Floor.
System.
Applications, Services and User.

See AGL security framework review and Smack White Paper for more information.


Floor

The floor domain includes the base system services and any associated data and libraries. This data remains unchanged at runtime. Writing to floor files or directories is allowed only in development mode or during software installation or upgrade.

The following table details the floor domain:

Label   Name    Execution SMACK   File Access SMACK
-       Floor   r-x for all       Only kernel and internal kernel thread.
^       Hat     --- for all       rx on all domains.
*       Star    rwx for all       None

The Hat label is only for privileged system services (currently only systemd-journal). Useful for backup or virus scans. No file with this label should exist except in the debug log.

The Star label is used for device files or /tmp. Access restriction is managed via DAC. Individual files remain protected by their SMACK label.

Domain               Label name   Recommendations
Kernel-MAC-Floor-1   ^            Only for privileged system services.
Kernel-MAC-Floor-2   *            Used for device files or /tmp. Access restriction via DAC.


System

The system domain includes a reduced set of core system services of the OS and any associated data. This data may change at runtime.

The following table details the system domain:

Label            Name        Execution SMACK                                 File Access SMACK
System           System      None                                            Privileged processes
System::Run      Run         rwxatl for User and System label                None
System::Shared   Shared      rwxatl for system domain, r-x for User label    None
System::Log      Log         rwa for System label, xa for user label         None
System::Sub      SubSystem   Subsystem Config files                          SubSystem only

Domain                Label name       Recommendations
Kernel-MAC-System-1   System           Process should write only to files with the transmute attribute.
Kernel-MAC-System-2   System::run      Files are created with the directory label from user and system domain (transmute). Lock is implicit with w.
Kernel-MAC-System-3   System::Shared   Files are created with the directory label from system domain (transmute). User domain has locked privilege.
Kernel-MAC-System-4   System::Log      Some limitation may impose to add w to enable append.
Kernel-MAC-System-5   System::Sub      Isolation of risky Subsystem.
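The default-deny rule stated in the Mandatory Access Control section ("if there is no rule, no access will be granted"), the floor-domain built-in labels and the System-domain table above can be exercised with a small access-decision routine. The script below is an added example, not part of the AGL security-blueprint or of the SMACK kernel code; it reads rules in the "subject object access" form used by /etc/smack/accesses.d, spells the built-in labels the way the kernel does ('_' for floor, '^' for hat, '*' for star), treats lock as implied by write (as the System::Run recommendation notes), and uses the label "User" to stand for the user domain. The rule set it writes is constructed from the System-domain table.

```shell
#!/bin/sh
# Added example (not from the AGL security-blueprint): SMACK access decision over
# a rules file, with the kernel's built-in labels and default deny.

# smack_write_sample_rules PATH: constructed rules from the System-domain table;
# "User" stands in for the user domain label.
smack_write_sample_rules() {
    cat > "$1" <<'EOF'
# subject   object           access
System      System::Run      rwxatl
User        System::Run      rwxatl
System      System::Shared   rwxatl
User        System::Shared   r-x
System      System::Log      rwa
User        System::Log      xa
EOF
}

# smack_allowed RULES SUBJECT OBJECT -> prints the access string SUBJECT holds on OBJECT.
# Built-in labels as in the floor-domain table: a label always reaches itself,
# '*' as object is open to all, '*' as subject gets nothing, '_' (floor) as object
# and '^' (hat) as subject give r-x. Otherwise only an explicit rule grants access,
# and no rule means no access at all.
smack_allowed() {
    _rules=$1; _subj=$2; _obj=$3
    if [ "$_subj" = '*' ]; then
        echo ""
    elif [ "$_obj" = '*' ] || [ "$_subj" = "$_obj" ]; then
        echo "rwxatl"
    elif [ "$_obj" = '_' ] || [ "$_subj" = '^' ]; then
        echo "rx"
    else
        awk -v s="$_subj" -v o="$_obj" '$1 == s && $2 == o { print $3; exit }' "$_rules"
    fi
}

# smack_access RULES SUBJECT OBJECT MODE -> 0 when every bit requested in MODE
# (letters from rwxatl; '-' is ignored) is granted, 1 otherwise.
# Lock ('l') is implicit with write ('w').
smack_access() {
    _allowed=$(smack_allowed "$1" "$2" "$3")
    _rest=$4
    while [ -n "$_rest" ]; do
        _c=${_rest%"${_rest#?}"}   # first character of the remaining request
        _rest=${_rest#?}           # drop it
        case $_c in
            -) continue ;;
            l) case $_allowed in *[lw]*) continue ;; esac ;;
            *) case $_allowed in *"$_c"*) continue ;; esac ;;
        esac
        return 1
    done
    return 0
}

# smack_demo RULES: print a few decisions for a rules file (stand-alone use).
smack_demo() {
    _rules=$1
    for _q in "System System::Run rwx" "User System::Shared w" "User::Pkg::app1 System::Run r"; do
        set -- $_q
        if smack_access "$_rules" "$1" "$2" "$3"; then echo "$_q: allowed"; else echo "$_q: denied"; fi
    done
}

# Usage: sh smack-check.sh /path/to/rules
if [ $# -eq 1 ]; then smack_demo "$1"; fi
```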


Applications, Services and User

The application, services and user domain includes code that provides services to the system and user, as well as any associated data. All code running on this domain is under Cynara control.

The following table details the application, services and user domain:

Label               Name     Execution SMACK                                                    File Access SMACK
User::Pkg::$AppID   AppID    rwx (for files created by the App). $App runtime executing $App.   rx for files installed by AppFw
User::Home          Home     rwx-t from System label, r-x-l from App                            None
User::App-Shared    Shared   rwxat from System and User domains label of $User                  None

Domain                Label name          Recommendations
Kernel-MAC-System-1   User::Pkg::$AppID   Only one Label is allowed per App. A data directory is created by the AppFw in rwx mode.
Kernel-MAC-System-2   User::Home          AppFw needs to create a directory in /home/$USER/App-Shared at first launch if not present, with the label app-data; access is User::App-Shared without transmute.
Kernel-MAC-System-3   User::App-Shared    Shared space between all Apps running for a given user.


SystemD

afm-system-daemon is used to:

Manage users and user sessions.
Set up applications and services (CGroups, namespaces, autostart, permissions).
Use of libsystemd for its programs (event management, D-Bus interface).

Domain               Object           Recommendations
Platform-SystemD-1   Security model   Use Namespaces for containerization.
Platform-SystemD-2   Security model   Use CGroups to organise processes.

See systemd integration and user management for more information.

Benefits

Removal of one privileged process: afm-user-daemon.
Access and use of high level features:

Socket activation.
Management of users and integration of PAM.
Dependency resolution to services.
Cgroups and resource control.
Namespaces containerization.
Autostart of required API.
Permissions and security settings.
Network management.


CGroups

Control Groups offer a lot of features, with the most useful ones you can control: memory usage, how much CPU time is allocated, how much device I/O is allowed or which devices can be accessed. SystemD uses CGroups to organise processes (each service is a CGroup, and all processes started by that service use that CGroup). By default, SystemD automatically creates a hierarchy of slice, scope and service units to provide a unified structure for the CGroups tree. With the systemctl command, you can further modify this structure by creating custom slices. Currently, in AGL, there are 2 slices (user.slice and system.slice).

Namespaces

User side

There are several ways of authenticating users (Key Radio Frequency, Phone, Gesture, ...). Each authentication provides dynamic allocation of uids to authenticated users. Uids are used to ensure the privacy of users, and SMACK for the privacy of applications.

First, the user initiates authentication with PAM activation. PAM Standard offers highly configurable authentication with a modular design, like face recognition, voice identification or a password. Then users should access identity services with services and applications.


D-Bus

D-Bus is a well-known IPC (Inter-Process Communication) protocol (and daemon) that helps applications to talk to each other. The use of D-Bus is great because it allows to implement discovery and signaling.

The D-Bus session is by default addressed by the environment variable DBUS_SESSION_BUS_ADDRESS. Using systemd, the variable DBUS_SESSION_BUS_ADDRESS is automatically set for user sessions. D-Bus usage is linked to permissions.

D-Bus has already had several security issues (mostly DoS issues). To allow applications to keep talking to each other, it is important to protect against this type of attack and keep the system more stable.

Domain            Object           Recommendations
Platform-DBus-1   Security model   Use D-Bus as IPC.
Platform-DBus-2   Security model   Apply D-Bus security patches: D-Bus CVE


System services and daemons

Domain                Improvement
Platform-Services-1   SystemD?
Platform-Services-2   Secure daemon?

Tools

connman: An internet connection manager designed to be slim and to use as few resources as possible. It is a fully modular system that can be extended, through plug-ins, to support all kinds of wired or wireless technologies.
bluez is a Bluetooth stack. Its goal is to program an implementation of the Bluetooth wireless standards specifications. In addition to the basic stack, the bluez-utils and bluez-firmware packages contain low level utilities such as dfutool which can interrogate the Bluetooth adapter chipset in order to determine whether its firmware can be upgraded.
gstreamer is a pipeline-based multimedia framework. It can be used to build a system that reads files in one format, processes them, and exports them in another format.
alsa is a software framework and part of the Linux kernel that provides an API for sound card device drivers.

Domain                 Tool name   State
Platform-Utilities-1   connman     Used as a connection manager.
Platform-Utilities-2   bluez       Used as a Bluetooth manager.
Platform-Utilities-3   gstreamer   Used to manage multimedia file formats.
Platform-Utilities-4   alsa        Used to provide an API for sound card device drivers.


Application framework/model (AppFw)

The application framework manages:

The applications and services management: installing, uninstalling, listing, ...
The life cycle of applications: Start -> (Pause, Resume) -> Stop.
Events and signals propagation.
Privileges granting and checking.
API for interaction with applications.

The security model refers to the security model used to ensure security and to the tools that are provided for implementing that model. It's an implementation detail that should not impact the layers above the application framework.

The security model refers to how DAC (Discretionary Access Control), MAC (Mandatory Access Control) and Capabilities are used by the system to ensure security and privacy. It also includes features of reporting using audit features and by managing logs and alerts.

The AppFw uses the security model to ensure the security and the privacy of the applications that it manages. It must be compliant with the underlying security model, but it should hide it from the applications.

Domain                   Object           Recommendations
Platform-AGLFw-AppFw-1   Security model   Use the AppFw as security model.

See AGL AppFw Privileges Management and AGL - Application Framework Documentation for more information.


Cynara

There's a need for another mechanism responsible for checking applicative permissions: currently in AGL, this task depends on a policy-checker service (Cynara).

Stores complex policies in databases.
"Soft" security (access is checked by the framework).

Cynara interacts with D-Bus in order to deliver this information.

Domain                    Object        Recommendations
Platform-AGLFw-Cynara-1   Permissions   Use Cynara as policy-checker service.

Policies

Policy rules:

Are simple - for the pair [application context, privilege] there is a straight answer (single Policy Type): [ALLOW / DENY / ...].
No code is executed (no script).
Can be easily cached and managed.

Application context (describes the id of the user and the application credentials). It is built of:

UID of the user that runs the application.
SMACK label of the application.

Holding policies

Policies are kept in buckets. Buckets are sets of policies which have an additional property of default answer; the default answer is yielded if no policy matches the searched key. Buckets have names which might be used in policies (for directions).
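The lookup described above (application context = UID plus SMACK label, a single answer per [context, privilege] pair, buckets with a default answer, and bucket names used in policies for redirection) can be modelled over two plain files. The script below is an added example, not part of the AGL security-blueprint and not Cynara's own code or database format; a policy line is "bucket client user privilege result [target-bucket]" where '*' is a wildcard, result is ALLOW, DENY or BUCKET, exact fields win over wildcards, and the starting bucket is assumed to be called "default". Privilege and bucket names in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the AGL security-blueprint, not Cynara's code): a
# file-backed model of the bucket-based policy lookup described above.

# cynara_write_sample POLICIES BUCKETS: constructed policies and bucket defaults.
cynara_write_sample() {
    cat > "$1" <<'EOF'
# bucket  client(SMACK label)      user  privilege                        result  target
default   *                        *     urn:example:privilege:internet   ALLOW
default   User::Pkg::navigation    1001  urn:example:privilege:location   ALLOW
default   User::Pkg::mediaplayer   *     urn:example:privilege:camera     BUCKET  admin
admin     User::Pkg::mediaplayer   1000  urn:example:privilege:camera     ALLOW
EOF
    cat > "$2" <<'EOF'
# bucket  default-answer
default   DENY
admin     DENY
EOF
}

# cynara_match POLICIES BUCKET CLIENT USER PRIVILEGE -> prints "RESULT [target]" of
# the most specific matching policy (exact fields beat wildcards), or nothing.
cynara_match() {
    awk -v b="$2" -v c="$3" -v u="$4" -v p="$5" '
        BEGIN { best = -1 }
        $1 == b && ($2 == c || $2 == "*") && ($3 == u || $3 == "*") && ($4 == p || $4 == "*") {
            score = ($2 != "*") + ($3 != "*") + ($4 != "*")
            if (score > best) { best = score; out = ($6 == "") ? $5 : $5 " " $6 }
        }
        END { print out }' "$1"
}

# cynara_check POLICIES BUCKETS CLIENT USER PRIVILEGE -> prints ALLOW or DENY.
# No matching policy yields the bucket default; an unknown bucket, an unknown
# result or a redirect chain longer than 8 hops is answered DENY.
cynara_check() {
    _pol=$1; _bkt=$2; _client=$3; _user=$4; _priv=$5
    _cur=default; _hops=0
    while [ "$_hops" -lt 8 ]; do
        _res=$(cynara_match "$_pol" "$_cur" "$_client" "$_user" "$_priv")
        if [ -z "$_res" ]; then
            _res=$(awk -v b="$_cur" '$1 == b { print $2; exit }' "$_bkt")
        fi
        case $_res in
            ALLOW|DENY) echo "$_res"; return 0 ;;
            "BUCKET "*) _cur=${_res#"BUCKET "}; _hops=$((_hops + 1)) ;;
            *)          echo DENY; return 0 ;;
        esac
    done
    echo DENY
}

# Usage: sh cynara-check.sh <smack-label> <uid> <privilege>   (runs against the sample)
if [ $# -eq 3 ]; then
    _p=$(mktemp); _b=$(mktemp)
    cynara_write_sample "$_p" "$_b"
    cynara_check "$_p" "$_b" "$1" "$2" "$3"
    rm -f "$_p" "$_b"
fi
```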


Utilities

busybox: Software that provides several stripped-down Unix tools in a single executable file. Of course, it will be necessary to use a "production" version of busybox in order to avoid all the tools useful only in development mode.

Domain                 Tool name   State
Platform-Utilities-1   busybox     Used to provide a number of tools. Do not compile development tools.

Functionalities to exclude in production mode

In production mode, a number of tools must be disabled to prevent an attacker from finding logs, for example. This is useful to limit the visible surface and thus complicate the fault finding process. The tools used only in development mode are marked by an 'agl-devel' feature. When building in production mode, these tools will not be compiled.

Domain                  Utility name and normal path                       State
Platform-Utilities-1    chg in /bin/chgrp                                  Disabled
Platform-Utilities-2    chmod in /bin/chmod                                Disabled
Platform-Utilities-3    chown in /bin/chown                                Disabled
Platform-Utilities-4    dmesg in /bin/dmesg                                Disabled
Platform-Utilities-5    dnsdomainname in /bin/dnsdomainname                Disabled
Platform-Utilities-6    dropbear, remove "dropbear" from /etc/init.d/rcs   Disabled
Platform-Utilities-7    Editors in (vi) /bin/vi                            Disabled
Platform-Utilities-8    find in /bin/find                                  Disabled
Platform-Utilities-9    gdbserver in /bin/gdbserver                        Disabled
Platform-Utilities-10   hexdump in /bin/hexdump                            Disabled
Platform-Utilities-11   hostname in /bin/hostname                          Disabled
Platform-Utilities-12   install in /bin/install                            Disabled
Platform-Utilities-13   iostat in /bin/iostat                              Disabled
Platform-Utilities-14   killall in /bin/killall                            Disabled
Platform-Utilities-15   klogd in /sbin/klogd                               Disabled
Platform-Utilities-16   logger in /bin/logger                              Disabled
Platform-Utilities-17   lsmod in /sbin/lsmod                               Disabled
Platform-Utilities-18   pmap in /bin/pmap                                  Disabled
Platform-Utilities-19   ps in /bin/ps                                      Disabled
Platform-Utilities-20   ps in /bin/ps                                      Disabled
Platform-Utilities-21   rpm in /bin/rpm                                    Disabled
Platform-Utilities-22   SSH                                                Disabled
Platform-Utilities-23   stbhotplug in /sbin/stbhotplug                     Disabled
Platform-Utilities-24   strace in /bin/trace                               Disabled
Platform-Utilities-25   su in /bin/su                                      Disabled
Platform-Utilities-26   syslogd in (logger) /bin/logger                    Disabled
Platform-Utilities-27   top in /bin/top                                    Disabled
Platform-Utilities-28   UART in /proc/tty/driver/                          Disabled
Platform-Utilities-29   which in /bin/which                                Disabled
Platform-Utilities-30   who and whoami in /bin/whoami                      Disabled
Platform-Utilities-31   awk (busybox)                                      Enabled
Platform-Utilities-32   cut (busybox)                                      Enabled
Platform-Utilities-33   df (busybox)                                       Enabled
Platform-Utilities-34   echo (busybox)                                     Enabled
Platform-Utilities-35   fdisk (busybox)                                    Enabled
Platform-Utilities-36   grep (busybox)                                     Enabled
Platform-Utilities-37   mkdir (busybox)                                    Enabled
Platform-Utilities-38   mount (vfat) (busybox)                             Enabled
Platform-Utilities-39   printf (busybox)                                   Enabled
Platform-Utilities-40   sed in /bin/sed (busybox)                          Enabled
Platform-Utilities-41   tail (busybox)                                     Enabled
Platform-Utilities-42   tee (busybox)                                      Enabled
Platform-Utilities-43   test (busybox)                                     Enabled

The Enabled Unix/Linux utilities above shall be permitted as they are often used in the start-up scripts and for USB logging. If any of these utilities are not required by the device then those should be removed.


Users

The user policy can group users by function within the car. For example, we can consider a driver and his passengers. Each user is assigned to a single group to simplify the management of space security.

Root Access

The main applications, those that provide the principal functionality of the embedded device, should not execute with root identity or any capability.

If the main application is allowed to execute at any capability, then the entire system is at the mercy of the said application's good behaviour. Problems arise when an application is compromised and able to execute commands which could consistently and persistently compromise the system by implanting rogue applications.

It is suggested that the middleware and the UI should run in the context of a user with no capability, and all persistent resources should be maintained without any capability.

One way to ensure this is by implementing a server-client paradigm. Services provided by the system's drivers can be shared this way. The other advantage of this approach is that multiple applications can share the same resources at the same time.

Domain                  Object             Recommendations
Platform-Users-root-1   Main application   Should not execute as root.
Platform-Users-root-2   UI                 Should run in the context of a user with no capability.

Root access should not be allowed for the following utilities:

Domain                  Utility name   State
Platform-Users-root-3   login          Not allowed
Platform-Users-root-4   su             Not allowed
Platform-Users-root-5   ssh            Not allowed
Platform-Users-root-6   scp            Not allowed
Platform-Users-root-7   sftp           Not allowed

Root access should not be allowed for the console device. The development environment should allow users to login with pre-created user accounts.

Switching to elevated privileges shall be allowed in the development environment via sudo.


Capabilities

Domain                          Improvement
Platform-Users-Capabilities-1   Kernel or Platform-user?
Platform-Users-Capabilities-2   Add config note.

The goal is to restrict functionality that will not be useful in AGL. They are integrated into the LSM. Each privileged transaction is associated with a capability. These capabilities are divided into three groups:

e: Effective: This means the capability is "activated".
p: Permitted: This means the capability can be used / is allowed.
i: Inherited: The capability is kept by child/sub processes upon execve() for example.


Part 6 - Application

Abstract

Application Hardening: Best practices to apply to the build and release of user space applications, in order to reduce the number of attack surfaces used by potential attackers.

The term Application (App) has a very wide definition in AGL. Almost anything which is not in the core Operating System (OS) is an Application. Applications can be included in the base software package (image) or can be added at run-time.

Acronyms and Abbreviations

The following table lists the terms utilized within this part of the document.

Acronyms or Abbreviations   Description
3GPP                        3rd Generation Partnership Project
CASB                        Cloud Access Security Broker
DAST                        Dynamic Application Security Testing
DPI                         Deep Packet Inspection
IDS                         Intrusion Detection Systems
IPS                         Intrusion Prevention Systems
IPSec                       Internet Protocol Security
LSM                         Linux Security Module
MITM                        Man In The Middle
OSI                         Open Systems Interconnection
SATS                        Static Application Security Testing


Local

Domain                       Improvement
Application-Installation-1   Talk about AppFw offline mode.

Installation

Applications can be delivered and installed with the base image using a special offline-mode provided by the AppFw. Apps can also be installed at runtime.

During early release, default Apps are installed on the image at first boot.

Domain                       Object      Recommendations
Application-Installation-1   AppFw       Provide offline-mode in order to install apps with the base image.
Application-Installation-2   Integrity   Allow the installation of applications only if their integrity is good.


Local

Privilege Management

Application privileges are managed by Cynara and the security manager in the AppFw. For more details, please refer to the AppFw documentation in the Platform part.


App Signature

Domain                    Improvement
Application-Signature-1   Add content (see secure build in Secure development part).


Services

Domain | Improvement
Application-Services-1 | Add content (Which services?).
Application-Services-2 | Add Binder.


Part 7 - Connectivity

Abstract

This part shows different Connectivity attacks on the car.

Domain | Improvement
Connectivity-Abstract-1 | Improve abstract.


Acronyms and Abbreviations

The following table lists the terms utilized within this part of the document.

Acronyms or Abbreviations | Description
ARP | Address Resolution Protocol
BLE | Bluetooth Low Energy
CAN | Controller Area Network
CCMP | Counter-Mode/CBC-MAC Protocol
EDGE | Enhanced Data Rates for GSM Evolution - Evolution of GPRS
GEA | GPRS Encryption Algorithm
GPRS | General Packet Radio Service (2.5G, 2G+)
GSM | Global System for Mobile Communications (2G)
HSPA | High Speed Packet Access (3G+)
IMEI | International Mobile Equipment Identity
LIN | Local Interconnect Network
MOST | Media Oriented System Transport
NFC | Near Field Communication
OBD | On-Board Diagnostics
PATS | Passive Anti-Theft System
PKE | Passive Keyless Entry
PSK | Phase-Shift Keying
RDS | Radio Data System
RFID | Radio Frequency Identification
RKE | Remote Keyless Entry
SDR | Software Defined Radio
SSP | Secure Simple Pairing
TKIP | Temporal Key Integrity Protocol
TPMS | Tire Pressure Monitoring System
UMTS | Universal Mobile Telecommunications System (3G)
USB | Universal Serial Bus
WEP | Wired Equivalent Privacy
WPA | Wifi Protected Access


Bus

We only speak about the CAN bus, to take an example, because the different attacks on buses like FlexRay, ByteFlight, MOST and LIN rely on reverse engineering, and the main argument to improve their security is to encrypt data packets. We just describe them a bit:

CAN: Controller Area Network, developed in the early 1980s, is an event-triggered controller network for serial communication with data rates up to one MBit/s. CAN messages are classified by their respective identifier. CAN controllers broadcast their messages to all connected nodes and all receiving nodes decide independently if they process the message.

FlexRay: Is a deterministic and error-tolerant high-speed bus, with a data rate up to 10 MBit/s.

ByteFlight: Is used for safety-critical applications in motor vehicles like air-bags. ByteFlight runs at 10 Mbps over 2 or 3 wires plastic optical fibers.

MOST: Media Oriented System Transport, is used for transmitting audio, video, voice, and control data via fiber optic cables. The speed is, for the synchronous way, up to 24 MBit/s and for the asynchronous way up to 14 MBit/s. MOST messages always include a clear sender and receiver address.

LIN: Local Interconnect Network, is a single-wire subnetwork for low-cost, serial communication between smart sensors and actuators with typical data rates up to 20 kBit/s. It is intended to be used from the year 2001 on everywhere in a car where the bandwidth and versatility of a CAN network is not required.

Domain | Tech name | Recommendations
Connectivity-BusAndConnector-Bus-1 | CAN | Implement a hardware solution in order to prohibit sending unwanted signals.

See Security in Automotive Bus Systems for more information.

Connectors

For the connectors, we suppose that they are disabled by default. For example, USB must be disabled to avoid attacks like BadUSB. If not, configure the Kernel to only enable the minimum required USB devices. The connectors used to diagnose the car, like OBD-II, must be disabled outside garages.

Domain | Tech name | Recommendations
Connectivity-BusAndConnector-Connectors-1 | USB | Must be disabled. If not, only enable the minimum required USB devices.
Connectivity-BusAndConnector-Connectors-2 | USB | Confidential data exchanged with the ECU over USB must be secure.
Connectivity-BusAndConnector-Connectors-3 | USB | USB Boot on an ECU must be disabled.
Connectivity-BusAndConnector-Connectors-4 | OBD-II | Must be disabled outside garages.


Wireless

In this part, we talk about possible remote attacks on a car, according to the different areas of possible attacks. For each communication channel, we describe attacks and how to prevent them with some recommendations. The main recommendation is to always follow the latest updates of these remote communication channels.

Domain | Object | Recommendations
Connectivity-Wireless-1 | Update | Always follow the latest updates of remote communication channels.

We will see the following parts:

Wifi
Bluetooth
Cellular
Radio
NFC

Domain | Improvement
Connectivity-Wireless-1 | Add communication channels (RFID, ZigBee?).

For existing automotive-specific means, we take examples of existing system attacks from the IOActive document (A Survey of Remote Automotive Attack Surfaces) and from the ETH document (Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars).

Telematics
Passive Anti-Theft System (PATS)
Tire Pressure Monitoring System (TPMS)
Remote Keyless Entry/Start (RKE)
Passive Keyless Entry (PKE)


Wifi

Attacks

We can differentiate existing attacks on wifi into two categories: those on WEP and those on WPA.

WEP attacks:

FMS (Fluhrer, Mantin and Shamir attack): is a "stream cipher attack on the widely used RC4 stream cipher. The attack allows an attacker to recover the key in an RC4 encrypted stream from a large number of messages in that stream."
KoreK: "Allows the attacker to reduce the key space".
PTW (Pyshkin, Tews, Weinmann attack).
Chopchop: found by KoreK, exploits a "weakness of the CRC32 checksum and the lack of replay protection."
Fragmentation.

WPA attacks:

Beck and Tews: exploit a weakness in TKIP. "Allow the attacker to decrypt ARP packets and to inject traffic into a network, even allowing him to perform a DoS or an ARP poisoning".
KRACK: (K)ey (R)einstallation (A)tta(ck) (jira AGL SPEC-1017).

Recommendations

Do not use WEP, PSK and TKIP.
Use WPA2 with CCMP.
Should protect against data sniffing.

Domain | Tech name or object | Recommendations
Connectivity-Wireless-Wifi-1 | WEP, PSK, TKIP | Disabled
Connectivity-Wireless-Wifi-2 | WPA2 and AES-CCMP | Used
Connectivity-Wireless-Wifi-3 | WPA2 | Should protect against data sniffing.
Connectivity-Wireless-Wifi-4 | PSK | Change the password regularly.
Connectivity-Wireless-Wifi-5 | Device | Upgraded easily in software or firmware to have the latest security update.

See Wifi attacks WEP WPA and Breaking wep and wpa (Beck and Tews) for more information.


Bluetooth

Attacks

Bluesnarfing attacks involve an attacker covertly gaining access to your Bluetooth-enabled device for the purpose of retrieving information, including addresses, calendar information or even the device's International Mobile Equipment Identity. With the IMEI, an attacker could route your incoming calls to his cell phone.
Bluebugging is a form of Bluetooth attack often caused by a lack of awareness. Similar to bluesnarfing, bluebugging accesses and uses all phone features but is limited by the transmitting power of class 2 Bluetooth radios, normally capping its range at 10-15 meters.
Bluejacking is the sending of unsolicited messages.
BLE: Bluetooth Low Energy attacks.
DoS: Drain a device's battery or temporarily paralyze the phone.

Recommendations

Not allowing Bluetooth pairing attempts without the driver first manually placing the vehicle in pairing mode.
Monitoring.
Use BLE with caution.
For v2.1 and later devices using Secure Simple Pairing (SSP), avoid using the "Just Works" association model. The device must verify that an authenticated link key was generated during pairing.

Domain | Tech name | Recommendations
Connectivity-Wireless-Bluetooth-1 | BLE | Use with caution.
Connectivity-Wireless-Bluetooth-2 | Bluetooth | Monitoring
Connectivity-Wireless-Bluetooth-3 | SSP | Avoid using the "Just Works" association model.
Connectivity-Wireless-Bluetooth-4 | Visibility | Configured by default as undiscoverable, except when needed.
Connectivity-Wireless-Bluetooth-5 | Anti-scanning | Used, inter alia, to slow down brute force attacks.

See Low energy and the automotive transformation, Gattacking Bluetooth Smart Devices, Comprehensive Experimental Analyses of Automotive Attack Surfaces and With Low Energy comes Low Security for more information.


Cellular

Attacks

IMSI-Catcher: Is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking location data of mobile phone users. Essentially a "fake" mobile tower acting between the target mobile phone and the service provider's real towers, it is considered a man-in-the-middle (MITM) attack.
Lack of mutual authentication (GPRS/EDGE) and encryption with GEA0.
Fallback from UMTS/HSPA to GPRS/EDGE (jamming against UMTS/HSPA).
4G DoS attack.

Recommendations

Check antenna legitimacy.

Domain | Tech name | Recommendations
Connectivity-Wireless-Cellular-1 | GPRS/EDGE | Avoid
Connectivity-Wireless-Cellular-2 | UMTS/HSPA | Protected against jamming.

See A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications for more information.

Radio

Attacks

Interception of data with low cost material (SDR with hijacked DVB-T/DAB for example).

Recommendations

Use the Radio Data System (RDS) only to send signals for audio output and metadata concerning radio.

Domain | Tech name | Recommendations
Connectivity-Wireless-Radio-1 | RDS | Only audio output and metadata concerning radio.


NFC

Attacks

MITM: Relay and replay attack.

Recommendations

Should implement protection against relay and replay attacks (tokens, etc.). Disable unneeded and unapproved services and profiles. NFC should use an encrypted link (secure channel). A standard key agreement protocol like Diffie-Hellman based on RSA or Elliptic Curves could be applied to establish a shared secret between two devices. Automotive NFC devices should be certified by the NFC Forum entity: the NFC Forum Certification Mark shows that products meet global interoperability standards. NFC Modified Miller coding is preferred over NFC Manchester coding.

Domain | Tech name | Recommendations
Connectivity-Wireless-NFC-1 | NFC | Protected against relay and replay attacks.
Connectivity-Wireless-NFC-2 | Device | Disable unneeded and unapproved services and profiles.


Cloud

Download

Authentication: Authentication is the security process that validates the claimed identity of a device, entity or person, relying on one or more characteristics bound to that device, entity or person.

Authorization: Parses the network to allow access to some or all network functionality by providing rules and allowing access or denying access based on a subscriber's profile and services purchased.

Domain | Object | Recommendations
Application-Cloud-Download-1 | Authentication | Must implement an authentication process.
Application-Cloud-Download-2 | Authorization | Must implement an authorization process.

Infrastructure

Deep Packet Inspection: DPI provides techniques to analyze the payload of each packet, adding an extra layer of security. DPI can detect and neutralize attacks that would be missed by other security mechanisms.

A DoS protection in order to avoid that the infrastructure is no longer accessible for a period of time.

Scanning tools such as SATS and DAST assessments perform vulnerability scans on the source code and data flows of web applications. Many of these scanning tools run different security tests that stress applications under certain attack scenarios to discover security issues.

IDS & IPS: IDS detect and log inappropriate, incorrect, or anomalous activity. IDS can be located in the telecommunications networks and/or within the host server or computer. Telecommunications carriers build intrusion detection capability into all network connections to routers and servers, as well as offering it as a service to enterprise customers. Once IDS systems have identified an attack, IPS ensures that malicious packets are blocked before they cause any harm to backend systems and networks. IDS typically functions via one or more of three systems:

1. Pattern matching.
2. Anomaly detection.
3. Protocol behavior.


Domain | Object | Recommendations
Application-Cloud-Infrastructure-1 | Packet | Should implement a DPI.
Application-Cloud-Infrastructure-2 | DoS | Must implement a DoS protection.
Application-Cloud-Infrastructure-3 | Test | Should implement scanning tools like SATS and DAST.
Application-Cloud-Infrastructure-4 | Log | Should implement security tools (IDS and IPS).
Application-Cloud-Infrastructure-5 | App integrity | Applications must be signed by the code signing authority.

Transport

For data transport, it is necessary to encrypt data end-to-end. To prevent MITM attacks, no third party should be able to interpret transported data. Another aspect is data anonymization, in order to protect against the leakage of private information on the user or any other third party.

The use of standards such as IPSec provides "private and secure communications over IP networks, through the use of cryptographic security services, is a set of protocols using algorithms to transport secure data over an IP network.". In addition, IPSec operates at the network layer of the OSI model, contrary to previous standards that operate at the application layer. This makes it application independent and means that users do not need to configure each application to IPSec standards.

IPSec provides the services below:

Confidentiality: A service that makes it impossible to interpret data if one is not the recipient. It is the encryption function that provides this service by transforming intelligible (unencrypted) data into unintelligible (encrypted) data.
Authentication: A service that ensures that a piece of data comes from where it is supposed to come from.
Integrity: A service that consists in ensuring that data has not been tampered with accidentally or fraudulently.
Replay Protection: A service that prevents attacks by re-sending a valid intercepted packet to the network for the same authorization. This service is provided by the presence of a sequence number.
Key management: Mechanism for negotiating the length of encryption keys between two IPSec elements and exchanging these keys.

An additional means of protection would be to do the monitoring between users and the cloud, as a CASB would provide.

Domain | Object | Recommendations
Application-Cloud-Transport-1 | Integrity, confidentiality and legitimacy | Should implement IPSec standards.


Part 8 - Update (OTA)

Abstract

Updating applications and firmware is essential for the development of new features and even more to fix security bugs. However, if a malicious third party manages to divert its first use, it could alter the functioning of the system and/or applications. The security of the updates is therefore a critical point to evaluate in order to guarantee the integrity, the confidentiality and the legitimacy of the transmitted data.

Acronyms and Abbreviations

The following table lists the terms utilized within this part of the document.

Acronyms or Abbreviations | Description
FOTA | Firmware Over The Air
OTA | Over The Air
SOTA | Software Over The Air


Firmware Over The Air

The firmware update is critical since altering it could compromise the entire system. It is therefore necessary to take appropriate protective measures. The principle of verifying chain integrity fulfills much of AGL's security. During a firmware update, it is necessary to update the different signatures to check the integrity of the system.

There is also the constraint of the update time: the system must start quickly and therefore update itself just as quickly. We imagine that FOTA is mainly used in the vehicle maintenance session (e.g. garage). We will then no longer use FOTA but a wired update. There is a limit to what can be updated wirelessly. This maintenance update could solve these problems.

Field upgrades can be achieved securely by using a Secure Loader. This loader will authenticate an incoming image (USB, Serial, Network) prior to writing it to the flash memory on the device. It should not be possible to write to flash from the bootloader (U-Boot). Note that because USB support is to be disabled within the sboot/U-Boot code, the board specific implementation of the Secure Loader will have to manage the entire USB initialization, enumeration, and read/write access to the mass storage device.

Domain | Object | Recommendations
Update-FOTA-1 | Integrity, confidentiality and legitimacy | Must be secure.

Different possible types of FOTA:

Package-based like rpm, dpkg:
+ Simple.
- Power-off.
- Dependency.

Full filesystem updates:
+ Robust.
- Tends to be device-specific.
- Needs rsync or similar.

Atomic differential:
+ Robust.
+ Minimal bandwidth consumption.
+ Easily reusable.
- Physically one filesystem (corruption -> unbootable system).
- No rollback logic.


Software Over The Air

SOTA is made possible by the AppFw (see Platform part). It will be possible to manage the packages in a simple way (e.g. Android-like).

Domain | Improvement
Update-SOTA-1 | Part to complete.


Part 9 - Secure development

In order to save a lot of time in code auditing, developers must follow coding guidelines.

Secure build

Kernel build

Tools like:

Code optimisation.
Kernel Drivers test with docs.

Domain | Improvement
SecureDev-SecureBuild-1 | Add content.

App/Widget signatures

Domain | Improvement
SecureDev-Signatures-1 | Add content.

Code audit

These tools are used to check the correct implementation of functionalities and compliance with related good practices.

Continuous Code Quality.

Domain | Improvement
SecureDev-CodeAudit-1 | Add CVE analyser.
SecureDev-CodeAudit-2 | OSSTMM.

SATS

RATS (Maybe too old).
FlawFinder.
wiki list.
Mathematical approach.


It is necessary to verify that the application code does not use functions that are deprecated and recognized as unsecured or that cause problems.

DATS

wiki list.


Annexes

The first part summarises all the configurations you must implement, without any explanations, since all the explanations are given as and when in the document.

The second one allows you to visualize all the todo notes in order to have a global vision of the possible improvements of the document.


Config notes

Domain | Object | Recommendations
Hardware-Integrity-1 | Bootloader | Must control bootloader integrity.
Hardware-Integrity-2 | Board | Must use a HSM.
Hardware-Integrity-3 | RTC | Must not be alterable.

Domain | Object | Recommendations
Hardware-Certificate-1 | System | Shall allow storing dedicated certificates.
Hardware-Certificate-2 | ECU | The ECU must verify the certification authority hierarchy.
Hardware-Certificate-3 | System | Allow the modification of certificates only if the source can be authenticated by a certificate already stored or in the higher levels of the chain of trust.

Domain | Object | Recommendations
Hardware-Memory-1 | ECU | The ECU shall never expose the unencrypted key in RAM when using cryptographic keys.
Hardware-Memory-2 | Bootloader | Internal NVM only
Hardware-Module-3 | - | HSM must be used to secure keys.

Domain | Variable / Config name | Value
Boot-Image-Selection-1 | CONFIG_BOOTDELAY | -2
Boot-Image-Selection-2 | bootdelay | -2

Domain | Config name | State
Boot-Image-Authenticity-1 | CONFIG_FIT | Enable
Boot-Image-Authenticity-2 | CONFIG_FIT_SIGNATURE | Enable
Boot-Image-Authenticity-3 | CONFIG_RSA | Enable
Boot-Image-Authenticity-4 | CONFIG_OF_CONTROL | Enable
Boot-Image-Authenticity-5 | CONFIG_OF_SEPARATE | Enable
Boot-Image-Authenticity-6 | CONFIG_DEFAULT_DEVICE_TREE | Enable

Domain | Communication modes | State
Boot-Communication-1 | USB | Disabled and Compiled-out if not required.


Boot-Communication-2 | USB | Else, Kernel should be configured to only enable the minimum required USB devices and file systems should be treated with special care.
Boot-Communication-3 | Ethernet | Disabled
Boot-Communication-4 | U-boot and sboot DOCSIS | Disabled
Boot-Communication-5 | Serial ports | Disabled

Domain | Config name | State
Boot-Communication-USB-1 | CONFIG_CMD_USB | Not defined
Boot-Communication-USB-2 | CONFIG_USB_UHCI | Not defined
Boot-Communication-USB-3 | CONFIG_USB_KEYBOARD | Not defined
Boot-Communication-USB-4 | CONFIG_USB_STORAGE | Not defined
Boot-Communication-USB-5 | CONFIG_USB_HOST_ETHER | Not defined

Domain | Communication modes | State
Boot-Communication-1 | Network interfaces | Preferably no network interface is allowed, otherwise, restrict the services to those used.

Domain | Object | Recommendations
Boot-Communication-1 | Services, ports and devices | Restrict the services, ports and devices to those used.

Domain | Command name | State
Boot-Communication-Flash-1 | do_nand | Disable

Domain | Config name | Value
Boot-Consoles-Serial-1 | CONFIG_SILENT_CONSOLE | Disable
Boot-Consoles-Serial-2 | CONFIG_SYS_DEVICE_NULLDEV | Disable
Boot-Consoles-Serial-3 | CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC | Disable

Domain | Environment variable name | State
Boot-Consoles-Serial-1 | INC_DEBUG_PRINT | Not defined

Domain | Config name | State
Boot-Consoles-Variables-1 | CONFIG_ENV_IS_IN_MMC | #undef
Boot-Consoles-Variables-2 | CONFIG_ENV_IS_IN_EEPROM | #undef
Boot-Consoles-Variables-3 | CONFIG_ENV_IS_IN_FLASH | #undef
Boot-Consoles-Variables-4 | CONFIG_ENV_IS_IN_DATAFLASH | #undef
Boot-Consoles-Variables-5 | CONFIG_ENV_IS_IN_FAT | #undef


Boot-Consoles-Variables-6 | CONFIG_ENV_IS_IN_NAND | #undef
Boot-Consoles-Variables-7 | CONFIG_ENV_IS_IN_NVRAM | #undef
Boot-Consoles-Variables-8 | CONFIG_ENV_IS_IN_ONENAND | #undef
Boot-Consoles-Variables-9 | CONFIG_ENV_IS_IN_SPI_FLASH | #undef
Boot-Consoles-Variables-10 | CONFIG_ENV_IS_IN_REMOTE | #undef
Boot-Consoles-Variables-11 | CONFIG_ENV_IS_IN_UBI | #undef
Boot-Consoles-Variables-12 | CONFIG_ENV_IS_NOWHERE | #define

Domain | Command name | State
Boot-Consoles-MemDump-1 | md | Disabled
Boot-Consoles-MemDump-2 | mm | Disabled
Boot-Consoles-MemDump-3 | nm | Disabled
Boot-Consoles-MemDump-4 | mw | Disabled
Boot-Consoles-MemDump-5 | cp | Disabled
Boot-Consoles-MemDump-6 | mwc | Disabled
Boot-Consoles-MemDump-7 | mdc | Disabled
Boot-Consoles-MemDump-8 | mtest | Disabled
Boot-Consoles-MemDump-9 | loopw | Disabled

Domain | Object | Recommendations
Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control.

Domain | Config name | Value
Kernel-General-kexec-1 | CONFIG_KEXEC | n

Domain | Config name | Value
Kernel-General-IPAutoConf-1 | CONFIG_IP_PNP | n

Domain | Config name | Value
Kernel-General-SysCtl_SysCall-1 | CONFIG_SYSCTL_SYSCALL | n

Domain | Config name | Value
Kernel-General-LegacyLinux-1 | CONFIG_USELIB | n

Domain | Config name | Value
Kernel-General-FirmHelper-1 | CONFIG_FW_LOADER_USER_HELPER | n

Domain | Config name | Value
Kernel-General-PanicOnOOPS-1 | CONFIG_PANIC_ON_OOPS | y

Domain | Config name | Value
Kernel-General-SocketMon-1 | CONFIG_PACKET_DIAG | n


Kernel-General-SocketMon-2 | CONFIG_UNIX_DIAG | n

Domain | Config name | Value
Kernel-General-BPF_JIT-1 | CONFIG_BPF_JIT | n

Domain | Config name | Value
Kernel-General-ModuleSigning-1 | CONFIG_MODULE_SIG_FORCE | y

Domain | Object | State
Kernel-General-Drivers-1 | USB | Disabled
Kernel-General-Drivers-2 | PCMCIA | Disabled
Kernel-General-Drivers-3 | Other hotplug bus | Disabled

Domain | Compiler and linker options | State
Kernel-General-IndependentExec-1 | -pie -fpic | Enable

Domain | Compiler and linker options | State
Kernel-General-OverwriteAttacks-1 | -z,relro | Enable
Kernel-General-OverwriteAttacks-2 | -z,now | Enable

Domain | Compiler and linker options | State
Kernel-General-LibraryLinking-1 | -static | Enable

Domain | Config name | Value
Kernel-Memory-RestrictAccess-1 | CONFIG_DEVKMEM | n

Domain | Config name | Value
Kernel-Memory-CoreDump-1 | CONFIG_PROC_KCORE | n

Domain | Config name | Value
Kernel-Memory-Swap-1 | CONFIG_SWAP | n

Domain | Config name | Value
Kernel-Memory-LoadAllSymbols-1 | CONFIG_KALLSYMS | n
Kernel-Memory-LoadAllSymbols-2 | CONFIG_KALLSYMS_ALL | n

Domain | Config name | Value
Kernel-Memory-Stack-1 | CONFIG_CC_STACKPROTECTOR | y

Domain | Config name | Value
Kernel-Memory-Access-1 | CONFIG_DEVMEM | n

Domain | Config name | Value


Kernel-Memory-CrossMemAttach-1 | CROSS_MEMORY_ATTACH | n

Domain | Compiler and linker options | State
Kernel-Memory-StackSmashing-1 | -fstack-protector-all | Enable

Domain | Compiler and linker options | Value
Kernel-Memory-BufferOverflows-1 | -D_FORTIFY_SOURCE | 2

Domain | Config name | Value
Kernel-Consoles-Serial-1 | CONFIG_SERIAL_8250 | n
Kernel-Consoles-Serial-2 | CONFIG_SERIAL_8250_CONSOLE | n
Kernel-Consoles-Serial-3 | CONFIG_SERIAL_CORE | n
Kernel-Consoles-Serial-4 | CONFIG_SERIAL_CORE_CONSOLE | n

Domain | Config name | Value
Kernel-Consoles-CommandLine-1 | CONFIG_CMDLINE_BOOL | y
Kernel-Consoles-CommandLine-2 | CONFIG_CMDLINE | "insert kernel command line here"
Kernel-Consoles-CommandLine-3 | CONFIG_CMDLINE_OVERRIDE | y

Domain | Config name | Value
Kernel-Consoles-KDBG-1 | CONFIG_KGDB | n

Domain | Config name | Value
Kernel-Consoles-SysRQ-1 | CONFIG_MAGIC_SYSRQ | n

Domain | Config name | Value
Kernel-Consoles-BinaryFormat-1 | CONFIG_BINFMT_MISC | n

Domain | Config name | Value
Kernel-Debug-Symbols-1 | CONFIG_DEBUG_INFO | n

Domain | Config name | Value
Kernel-Debug-Kprobes-1 | CONFIG_KPROBES | n

Domain | Config name | Value
Kernel-Debug-Tracing-1 | CONFIG_FTRACE | n

Domain | Config name | Value
Kernel-Debug-Profiling-1 | CONFIG_OPROFILE | n
Kernel-Debug-Profiling-2 | CONFIG_PROFILING | n

Domain | Config name | Value
Kernel-Debug-OOPSOnBUG-1 | CONFIG_DEBUG_BUGVERBOSE | n


Domain | Config name | Value
Kernel-Debug-Dev-1 | CONFIG_DEBUG_KERNEL | n
Kernel-Debug-Dev-2 | CONFIG_EMBEDDED | n

Domain | Config name | Value
Kernel-Debug-FileSystem-1 | CONFIG_DEBUG_FS | n

Domain | Config name | Value
Kernel-Debug-BUG-1 | CONFIG_BUG | n

Domain | Config name | Value
Kernel-Debug-CoreDumps-1 | CONFIG_COREDUMP | n

Domain | File name | Value
Kernel-Debug-AdressDisplay-1 | /proc/sys/kernel/kptr_restrict | 1

Domain | File or Directory name | State
Kernel-Debug-AdressDisplay-1 | /boot/vmlinuz* | Readable only for root user
Kernel-Debug-AdressDisplay-2 | /boot/System.map* | Readable only for root user
Kernel-Debug-AdressDisplay-3 | /sys/kernel/debug/ | Readable only for root user
Kernel-Debug-AdressDisplay-4 | /proc/slabinfo | Readable only for root user

Domain | File name | Value
Kernel-Debug-DMESG-1 | /proc/sys/kernel/dmesg_restrict | 1

Domain | Config name | Value
Kernel-Debug-Config-1 | CONFIG_IKCONFIG | n

Domain | Config name | Value
Kernel-FileSystems-NFS-1 | CONFIG_NFSD | n
Kernel-FileSystems-NFS-2 | CONFIG_NFS_FS | n
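The Kernel-* tables above are the kind of checklist this document aims to turn into tests. As an added example (not code from the original document or from the AGL project), the following Python script audits a kernel .config against those values; it assumes standard Kconfig syntax, where a disabled symbol appears as "# CONFIG_X is not set" or is simply absent, and the sample .config with its deviations is constructed.

```python
"""Audit a Linux kernel .config against the Kernel-* settings tabled above."""
import re
import sys
from typing import Dict, List, Tuple

# Symbols the tables above want enabled ("y") and disabled ("n"). Kconfig writes
# a disabled symbol as "# CONFIG_X is not set" (or omits it), so "n" never
# appears literally in a .config; "m" (built as a module) counts as enabled.
MUST_BE_Y = ["CONFIG_PANIC_ON_OOPS", "CONFIG_MODULE_SIG_FORCE", "CONFIG_CC_STACKPROTECTOR",
             "CONFIG_CMDLINE_BOOL", "CONFIG_CMDLINE_OVERRIDE"]
MUST_BE_N = """
CONFIG_KEXEC CONFIG_IP_PNP CONFIG_SYSCTL_SYSCALL CONFIG_USELIB
CONFIG_FW_LOADER_USER_HELPER CONFIG_PACKET_DIAG CONFIG_UNIX_DIAG CONFIG_BPF_JIT
CONFIG_DEVKMEM CONFIG_PROC_KCORE CONFIG_SWAP CONFIG_KALLSYMS CONFIG_KALLSYMS_ALL
CONFIG_DEVMEM CONFIG_CROSS_MEMORY_ATTACH CONFIG_SERIAL_8250 CONFIG_SERIAL_8250_CONSOLE
CONFIG_SERIAL_CORE CONFIG_SERIAL_CORE_CONSOLE CONFIG_KGDB CONFIG_MAGIC_SYSRQ
CONFIG_BINFMT_MISC CONFIG_DEBUG_INFO CONFIG_KPROBES CONFIG_FTRACE CONFIG_OPROFILE
CONFIG_PROFILING CONFIG_DEBUG_BUGVERBOSE CONFIG_DEBUG_KERNEL CONFIG_EMBEDDED
CONFIG_DEBUG_FS CONFIG_BUG CONFIG_COREDUMP CONFIG_IKCONFIG CONFIG_NFSD CONFIG_NFS_FS
""".split()

NOT_SET = re.compile(r"^#\s*(CONFIG_\w+)\s+is not set$")
ASSIGN = re.compile(r"^(CONFIG_\w+)=(.*)$")

# Constructed sample .config (not from the original document): three deviations
# (swap enabled, kallsyms enabled, NFS server built as a module).
SAMPLE_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_PANIC_ON_OOPS=y
# CONFIG_KEXEC is not set
CONFIG_NFSD=m
CONFIG_SWAP=y
# CONFIG_DEVKMEM is not set
CONFIG_MODULE_SIG_FORCE=y
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="console=ttyS0 root=/dev/mmcblk0p2 ro"
CONFIG_CMDLINE_OVERRIDE=y
CONFIG_KALLSYMS=y
"""


def parse_config(text: str) -> Dict[str, str]:
    """Map each symbol to "y", "m", "n" or its raw string/number value."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        m = NOT_SET.match(line)
        if m:
            values[m.group(1)] = "n"
            continue
        m = ASSIGN.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (symbol, expected, actual) for every deviation; [] means compliant."""
    values = parse_config(text)
    findings: List[Tuple[str, str, str]] = []
    for sym in MUST_BE_Y:
        # An absent symbol is off. Symbols get renamed across kernel versions
        # (CONFIG_CC_STACKPROTECTOR became CONFIG_STACKPROTECTOR in 4.18), so an
        # absent one is reported rather than silently passed.
        if values.get(sym, "n") != "y":
            findings.append((sym, "y", values.get(sym, "n")))
    for sym in MUST_BE_N:
        if values.get(sym, "n") != "n":
            findings.append((sym, "n", values[sym]))
    # Kernel-Consoles-CommandLine-2: the built-in command line must be populated.
    cmdline = values.get("CONFIG_CMDLINE", "n")
    if cmdline in ("n", '""'):
        findings.append(("CONFIG_CMDLINE", "non-empty string", cmdline))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    result = audit(text)
    for sym, want, have in result:
        print(f"{sym}: expected {want}, found {have}")
    sys.exit(1 if result else 0)
```

Run it as `python3 audit_config.py /path/to/.config`; the non-zero exit status lets a build pipeline fail on any deviation.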

Domain | Partition | Value
Kernel-FileSystems-Mount-1 | /boot | nosuid, nodev and noexec.
Kernel-FileSystems-Mount-2 | /var & /tmp | In /etc/fstab or vfstab, add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-3 | Non-root local | If type is ext2 or ext3 and mount point not '/', add nodev.
Kernel-FileSystems-Mount-4 | Removable storage | Add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-5 | Temporary storage | Add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-6 | /dev/shm | Add nosuid, nodev and noexec.


Kernel-FileSystems-Mount-7 | /dev | Add nosuid and noexec.
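As an added example (not code from the original document or from the AGL project), the following Python script checks /etc/fstab entries against the Kernel-FileSystems-Mount-1 to Mount-7 rules above. It assumes the standard six-field fstab layout; the mount points passed as removable or temporary storage and the sample fstab are constructed.

```python
"""Audit /etc/fstab lines against the Kernel-FileSystems-Mount-* rules tabled above."""
import sys
from typing import Dict, List, Set, Tuple

HARDENED = {"nosuid", "nodev", "noexec"}

# Mount-1, Mount-2, Mount-6 and Mount-7: fixed mount points and the options they need.
REQUIRED: Dict[str, Set[str]] = {
    "/boot": set(HARDENED),
    "/var": set(HARDENED),
    "/tmp": set(HARDENED),
    "/dev/shm": set(HARDENED),
    "/dev": {"nosuid", "noexec"},
}

# Constructed sample fstab (not from the original document): /boot is left at
# "defaults", /tmp lacks noexec, the USB stick lacks nodev and noexec, and /dev
# has no entry at all (devtmpfs is usually mounted by the kernel or init, not fstab).
SAMPLE_FSTAB = """\
# <file system>  <mount point>  <type>  <options>                     <dump> <pass>
/dev/mmcblk0p2   /              ext4    defaults,ro                   0 1
/dev/mmcblk0p1   /boot          ext2    defaults                      0 2
/dev/mmcblk0p3   /var           ext4    defaults,nosuid,nodev,noexec  0 2
tmpfs            /tmp           tmpfs   nosuid,nodev                  0 0
tmpfs            /dev/shm       tmpfs   nosuid,nodev,noexec           0 0
/dev/sda1        /media/usb     vfat    defaults,nosuid               0 0
"""


def parse_fstab(text: str) -> List[Tuple[str, str, str, Set[str]]]:
    """Return (spec, mount point, fs type, option set) for each real entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4:                    # an fstab entry needs at least 4 fields
            continue
        spec, mnt, fstype, opts = fields[:4]
        entries.append((spec, mnt, fstype, set(opts.split(","))))
    return entries


def audit_fstab(text: str, removable: Tuple[str, ...] = ()) -> Dict[str, str]:
    """Map each non-compliant mount point to a one-line reason.

    `removable` lists the mount points of removable or temporary storage
    (Mount-4 and Mount-5), which need the full nosuid,nodev,noexec set.
    """
    findings: Dict[str, str] = {}
    seen: Set[str] = set()
    for _spec, mnt, fstype, opts in parse_fstab(text):
        seen.add(mnt)
        required = set(REQUIRED.get(mnt, set()))
        if mnt in removable:
            required |= HARDENED
        # Mount-3: a non-root local ext2/ext3 file system must carry nodev.
        if fstype in ("ext2", "ext3") and mnt != "/":
            required.add("nodev")
        missing = required - opts
        if missing:
            findings[mnt] = "missing " + ",".join(sorted(missing))
    for mnt in REQUIRED:
        if mnt not in seen:
            findings[mnt] = "no fstab entry; check the live options in /proc/mounts"
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FSTAB
    for mnt, reason in sorted(audit_fstab(text, removable=("/media/usb",)).items()):
        print(f"{mnt}: {reason}")
```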

Domain | Config name | State or Value
Kernel-FileSystems-Mount-1 | CONFIG_DEVTMPFS_MOUNT | Disabled, or add a remount with noexec and nosuid to system startup.

Domain | Label name | Recommendations
Kernel-MAC-Floor-1 | | Only for privileged system services.
Kernel-MAC-Floor-2 | * | Used for device files or /tmp. Access restriction via DAC.

Domain | Label name | Recommendations
Kernel-MAC-System-1 | System | Process should write only to files with the transmute attribute.
Kernel-MAC-System-2 | System::run | Files are created with the directory label from user and system domain (transmute). Lock is implicit with w.
Kernel-MAC-System-3 | System::Shared | Files are created with the directory label from system domain (transmute). User domain has locked privilege.
Kernel-MAC-System-4 | System::Log | Some limitation may impose to add w to enable append.
Kernel-MAC-System-5 | System::Sub | Isolation of risky Subsystem.

Domain | Label name | Recommendations
Kernel-MAC-System-1 | User::Pkg::$AppID | Only one Label is allowed per App. A data directory is created by the AppFw in rwx mode.
Kernel-MAC-System-2 | User::Home | AppFw needs to create a directory in /home/$USER/App-Shared at first launch if not present, with label app-data; access is User::App-Shared without transmute.
Kernel-MAC-System-3 | User::App-Shared | Shared space between all Apps running for a given user.

Domain | Object | Recommendations
Platform-SystemD-1 | Security model | Use Namespaces for containerization.
Platform-SystemD-2 | Security model | Use CGroups to organise processes.

Domain | Object | Recommendations
Platform-DBus-1 | Security model | Use D-Bus as IPC.
Platform-DBus-2 | Security model | Apply D-Bus security patches: D-Bus CVE

Domain | Tool name | State
Platform-Utilities-1 | connman | Used as a connection manager.
Platform-Utilities-2 | bluez | Used as a Bluetooth manager.
Platform-Utilities-3 | gstreamer | Used to manage multimedia file formats.


Platform-Utilities-4 alsa UsedtoprovidesanAPIforsoundcarddevicedrivers.

Domain | Object | Recommendations
Platform-AGLFw-AppFw-1 | Security model | Use the AppFw as security model.

Domain | Object | Recommendations
Platform-AGLFw-Cynara-1 | Permissions | Use Cynara as policy-checker service.

Domain | Tool name | State
Platform-Utilities-1 | busybox | Used to provide a number of tools. Do not compile development tools.

Domain | Utility name and normal path | State
Platform-Utilities-1 | chgrp in /bin/chgrp | Disabled
Platform-Utilities-2 | chmod in /bin/chmod | Disabled
Platform-Utilities-3 | chown in /bin/chown | Disabled
Platform-Utilities-4 | dmesg in /bin/dmesg | Disabled
Platform-Utilities-5 | Dnsdomainname in /bin/dnsdomainname | Disabled
Platform-Utilities-6 | dropbear, remove "dropbear" from /etc/init.d/rcs | Disabled
Platform-Utilities-7 | Editors (vi) in /bin/vi | Disabled
Platform-Utilities-8 | find in /bin/find | Disabled
Platform-Utilities-9 | gdbserver in /bin/gdbserver | Disabled
Platform-Utilities-10 | hexdump in /bin/hexdump | Disabled
Platform-Utilities-11 | hostname in /bin/hostname | Disabled
Platform-Utilities-12 | install in /bin/install | Disabled
Platform-Utilities-13 | iostat in /bin/iostat | Disabled
Platform-Utilities-14 | killall in /bin/killall | Disabled
Platform-Utilities-15 | klogd in /sbin/klogd | Disabled
Platform-Utilities-16 | logger in /bin/logger | Disabled
Platform-Utilities-17 | lsmod in /sbin/lsmod | Disabled
Platform-Utilities-18 | pmap in /bin/pmap | Disabled
Platform-Utilities-19 | ps in /bin/ps | Disabled
Platform-Utilities-20 | ps in /bin/ps | Disabled
Platform-Utilities-21 | rpm in /bin/rpm | Disabled
Platform-Utilities-22 | SSH | Disabled
Platform-Utilities-23 | stbhotplug in /sbin/stbhotplug | Disabled
Platform-Utilities-24 | strace in /bin/trace | Disabled
Platform-Utilities-25 | su in /bin/su | Disabled
Platform-Utilities-26 | syslogd (logger) in /bin/logger | Disabled
Platform-Utilities-27 | top in /bin/top | Disabled
Platform-Utilities-28 | UART in /proc/tty/driver/ | Disabled
Platform-Utilities-29 | which in /bin/which | Disabled
Platform-Utilities-30 | who and whoami in /bin/whoami | Disabled
Platform-Utilities-31 | awk (busybox) | Enabled
Platform-Utilities-32 | cut (busybox) | Enabled
Platform-Utilities-33 | df (busybox) | Enabled
Platform-Utilities-34 | echo (busybox) | Enabled
Platform-Utilities-35 | fdisk (busybox) | Enabled
Platform-Utilities-36 | grep (busybox) | Enabled
Platform-Utilities-37 | mkdir (busybox) | Enabled
Platform-Utilities-38 | mount (vfat) (busybox) | Enabled
Platform-Utilities-39 | printf (busybox) | Enabled
Platform-Utilities-40 | sed in /bin/sed (busybox) | Enabled
Platform-Utilities-41 | tail (busybox) | Enabled
Platform-Utilities-42 | tee (busybox) | Enabled
Platform-Utilities-43 | test (busybox) | Enabled

Platform-Utilities-31 awk(busybox) Enabled

Platform-Utilities-32 cut(busybox) Enabled

Platform-Utilities-33 df(busybox) Enabled

Platform-Utilities-34 echo(busybox) Enabled

Platform-Utilities-35 fdisk(busybox) Enabled

Platform-Utilities-36 grep(busybox) Enabled

Platform-Utilities-37 mkdir(busybox) Enabled

Platform-Utilities-38 mount(vfat)(busybox) Enabled

Platform-Utilities-39 printf(busybox) Enabled

Platform-Utilities-40 sedin /bin/sed(busybox) Enabled

Platform-Utilities-41 tail(busybox) Enabled

Platform-Utilities-42 tee(busybox) Enabled

Platform-Utilities-43 test(busybox) Enabled

Domain | Object | Recommendations
Platform-Users-root-1 | Main application | Should not execute as root.
Platform-Users-root-2 | UI | Should run in the context of a user with no capability.

Domain | Utility name | State
Platform-Users-root-3 | login | Not allowed
Platform-Users-root-4 | su | Not allowed
Platform-Users-root-5 | ssh | Not allowed
Platform-Users-root-6 | scp | Not allowed
Platform-Users-root-7 | sftp | Not allowed

Domain | Object | Recommendations
Application-Installation-1 | AppFw | Provide an offline mode in order to install apps with the base image.
Application-Installation-2 | Integrity | Allow the installation of applications only if their integrity is good.

Domain | Tech name | Recommendations
Connectivity-BusAndConnector-Bus-1 | CAN | Implement a hardware solution in order to prohibit sending unwanted signals.

Domain | Tech name | Recommendations
Connectivity-BusAndConnector-Connectors-1 | USB | Must be disabled. If not, only enable the minimum required USB devices.
Connectivity-BusAndConnector-Connectors-2 | USB | Confidential data exchanged with the ECU over USB must be secured.
Connectivity-BusAndConnector-Connectors-3 | USB | USB boot on an ECU must be disabled.
Connectivity-BusAndConnector-Connectors-4 | OBD-II | Must be disabled outside garages.

Domain | Object | Recommendations
Connectivity-Wireless-1 | Update | Always follow the latest updates of remote communication channels.

Domain | Tech name or object | Recommendations
Connectivity-Wireless-Wifi-1 | WEP, PSK, TKIP | Disabled
Connectivity-Wireless-Wifi-2 | WPA2 and AES-CCMP | Used
Connectivity-Wireless-Wifi-3 | WPA2 | Should protect against data sniffing.
Connectivity-Wireless-Wifi-4 | PSK | Change the password regularly.
Connectivity-Wireless-Wifi-5 | Device | Easily upgradable in software or firmware to have the latest security updates.

Domain | Tech name | Recommendations
Connectivity-Wireless-Bluetooth-1 | BLE | Use with caution.
Connectivity-Wireless-Bluetooth-2 | Bluetooth | Monitoring
Connectivity-Wireless-Bluetooth-3 | SSP | Avoid using the "Just Works" association model.
Connectivity-Wireless-Bluetooth-4 | Visibility | Configured by default as undiscoverable, except when needed.
Connectivity-Wireless-Bluetooth-5 | Anti-scanning | Used, inter alia, to slow down brute force attacks.

Domain | Tech name | Recommendations
Connectivity-Wireless-Cellular-1 | GPRS/EDGE | Avoid
Connectivity-Wireless-Cellular-2 | UMTS/HSPA | Protected against jamming.

Domain | Tech name | Recommendations
Connectivity-Wireless-Radio-1 | RDS | Only audio output and metadata concerning radio.


Domain | Tech name | Recommendations
Connectivity-Wireless-NFC-1 | NFC | Protected against relay and replay attacks.
Connectivity-Wireless-NFC-2 | Device | Disable unneeded and unapproved services and profiles.

Domain | Object | Recommendations
Application-Cloud-Download-1 | Authentication | Must implement an authentication process.
Application-Cloud-Download-2 | Authorization | Must implement an authorization process.

Domain | Object | Recommendations
Application-Cloud-Infrastructure-1 | Packet | Should implement a DPI.
Application-Cloud-Infrastructure-2 | DoS | Must implement a DoS protection.
Application-Cloud-Infrastructure-3 | Test | Should implement scanning tools like SAST and DAST.
Application-Cloud-Infrastructure-4 | Log | Should implement security tools (IDS and IPS).
Application-Cloud-Infrastructure-5 | App integrity | Applications must be signed by the code signing authority.

Domain | Object | Recommendations
Application-Cloud-Transport-1 | Integrity, confidentiality and legitimacy | Should implement IPSec standards.

Domain | Object | Recommendations
Update-FOTA-1 | Integrity, confidentiality and legitimacy | Must be secure.


Todo notes

Domain | Improvement
Boot-Abstract-1 | More generic and add examples (the chain of trust).
Boot-Abstract-1 | Review the definition of the "bootloader".
Boot-Consoles-1 | Secure loader: no reference earlier?
Hypervisor-Abstract-1 | Complete Hypervisor part (jailhouse/KVM/Xen).
Kernel-MAC-1 | Add MAC config note.
Platform-Services-1 | SystemD?
Platform-Services-2 | Secure daemon?
Platform-Users-Capabilities-1 | Kernel or Platform-user?
Platform-Users-Capabilities-2 | Add config note.
Application-Installation-1 | Talk about AppFw offline mode.
Application-Signature-1 | Add content (see secure build in Secure development part).
Application-Services-1 | Add content (which services?).
Application-Services-2 | Add Binder.
Connectivity-Abstract-1 | Improve abstract.
Connectivity-Wireless-1 | Add communication channels (RFID, ZigBee?).
Update-SOTA-1 | Part to complete.
SecureDev-SecureBuild-1 | Add content.
SecureDev-Signatures-1 | Add content.
SecureDev-CodeAudit-1 | Add CVE analyser.
SecureDev-CodeAudit-2 | OSSTMM.
