Table of Contents

1.1  Introduction
1.2  Part 1 - Hardware
1.3  Part 2 - Secure Boot
1.3.1  Image
1.3.2  Communication modes
1.3.3  Consoles
1.4  Part 3 - Hypervisor
1.5  Part 4 - Kernel
1.5.1  General
1.5.2  Memory
1.5.3  Consoles
1.5.4  Debug
1.5.5  File Systems
1.6  Part 5 - Platform
1.6.1  Mandatory Access Control
1.6.2  SystemD
1.6.3  System Bus
1.6.4  System services and daemons
1.6.5  App Framework
1.6.6  Utilities
1.6.7  Users
1.7  Part 6 - Application
1.7.1  Installation
1.7.2  Privilege management
1.7.3  Signature
1.7.4  Services
1.8  Part 7 - Connectivity
1.8.1  Bus and connectors
1.8.2  Wireless
1.8.3  Cloud
1.9  Part 8 - Update (OTA)
1.9.1  FOTA
1.9.2  SOTA
1.10  Part 9 - Secure development
1.11  Annexes
1.11.1  All config notes
1.11.2  All todo notes
Introduction

This document presents the different attacks that can be envisaged on a recent car in order to be able to create a set of tests verifying the security of Automotive Grade Linux (AGL). The more general utility behind this document is to protect the manufacturers, customers and third parties from potential financial and information loss. This document is firstly based on the existing security-blueprint.

For security to be effective, the concepts must be simple. And by default, anything that is not allowed is forbidden.

We will cover topics starting from the lowest level (Hardware) up to the highest levels (Connectivity and Application). We will move quickly on Hardware and Connectivity because this is not supported at our level. Solutions of connectivity problems concern updates and secured settings, while hardware securing is related to the manufacturers.

The document is filled with tags to easily identify important points:

The config tag quickly identifies the configurations and the recommendations to take.
The note tag allows you to notify some additional details.
The todo tag shows the possible improvements.

In the annexes of this document, you can find all the config and todo notes.

Hardening term: The term Hardening refers to the tools, techniques and processes required in order to reduce the attack surface on an embedded system, such as an embedded control unit (ECU) or other managed devices. The target for all hardening activities is to prevent the execution of invalid binaries on the device, and to prevent copying of security related data from the device.
AGL security overview

AGL roots are based on security concepts. Those concepts are implemented by the security framework as shown in this picture:

Acronyms and Abbreviations

The following table lists the strongest terms utilized within all this document.

Acronyms or Abbreviations  Description
AGL                        Automotive Grade Linux
ECU                        Electronic Control Unit
IoT.Bzh Security-blueprint
Version 4.99.4, December 2017
References

security-blueprint. http://docs.automotivelinux.org/docs/architecture/en/dev/reference/security/01-overview.html
[2017] - kernel security. https://www.kernel.org/doc/Documentation/security/
[2017] - Systemd integration and user management. http://iot.bzh/download/public/2017/AMM-Dresden/AGL-systemd.pdf
[2017] - AGL - Application Framework Documentation. http://iot.bzh/download/public/2017/SDK/AppFw-Documentation-v3.1.pdf
[2017] - Improving Vehicle Cybersecurity. https://access.atis.org/apps/group_public/download.php/35648/ATIS-I-0000059.pdf
[2016] - AGL framework overview. http://docs.automotivelinux.org/docs/apis_services/en/dev/reference/af-main/0-introduction.html
[2016] - Secure Boot - Secure Software Updates. http://iot.bzh/download/public/2016/publications/SecureBoot-SecureSoftwareUpdates.pdf
[2016] - Linux Automotive Security. http://iot.bzh/download/public/2016/security/Linux-Automotive-Security-v10.pdf
[2016] - Automotive Security Best Practices. https://www.mcafee.com/it/resources/white-papers/wp-automotive-security.pdf
[2016] - Gattacking Bluetooth Smart Devices. http://gattack.io/whitepaper.pdf
[2015] - Comprehensive Experimental Analysis of Automotive Attack Surfaces. http://www.cs.wayne.edu/fengwei/15fa-csc6991/slides/8-CarHackingUsenixSecurity.pdf
[2015] - Security in Automotive Bus Systems. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.92.728&rep=rep1&type=pdf
[2014] - IOActive Remote Attack Surface. https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf
[2011] - A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications. https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf
[2011] - Comprehensive Experimental Analyses of Automotive Attack Surfaces. http://www.autosec.org/pubs/cars-usenixsec2011.pdf
[2010] - Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars. https://eprint.iacr.org/2010/332.pdf
[2010] - Wifi attacks WEP/WPA. https://matthieu.io/dl/wifi-attacks-wep-wpa.pdf
[2008] - SMACK. http://schaufler-ca.com/yahoo_site_admin/assets/docs/SmackWhitePaper.257153003.pdf
Part 1 - Hardware

Abstract

You will find in this first part everything that concerns the hardware security. The goal is to protect the system against all attacks that are trying to gain additional privileges by recovering and/or changing cryptographic keys in order to alter the integrity of the boot. We should also prevent hardware modifications in order to achieve this goal. We will expose below some examples of possible configurations.

Acronyms and Abbreviations

The following table lists the terms utilized within this part of the document.

Acronyms or Abbreviations  Description
HSM                        Hardware Security Module
NVM                        Non-Volatile Memory
SHE                        Secure Hardware Extensions

Integrity

The board must store hardcoded cryptographic keys in order to verify, among others, the integrity of the bootloader. Manufacturers can use HSM and SHE to enhance the security of their board.

Domain                Object      Recommendations
Hardware-Integrity-1  Bootloader  Must control bootloader integrity.
Hardware-Integrity-2  Board       Must use a HSM.
Hardware-Integrity-3  RTC         Must not be alterable.
Certificates

Domain                  Object  Recommendations
Hardware-Certificate-1  System  Shall allow storing dedicated certificates.
Hardware-Certificate-2  ECU     The ECU must verify the certification authority hierarchy.
Hardware-Certificate-3  System  Allow the modification of certificates only if the source can be authenticated by a certificate already stored or in the higher levels of the chain of trust.

Memory

Domain             Object      Recommendations
Hardware-Memory-1  ECU         The ECU shall never expose the unencrypted key in RAM when using cryptographic keys.
Hardware-Memory-2  Bootloader  Internal NVM only.
Hardware-Module-3  -           HSM must be used to secure keys.
Part 2 - Secure boot

Abstract

Domain           Improvement
Boot-Abstract-1  More generic and add examples (The chain of trust).

Boot Hardening: Steps/requirements to configure the boot sequence, in order to restrict the device from executing anything other than the approved software image.

In this part, we will see a series of settings that will allow us to improve security during the boot phase. For the purposes of reference and explanation, we are providing guidance on how to configure an embedded device that runs with a 3.10.17 Linux kernel. If the integrity is not checked or if a critical error occurs, the system must boot on a very stable backup image.

Requirements: These requirements must be met even if an alternative version of the Linux kernel is chosen.

Recommendations: Detailed best practices that should be applied in order to secure a device. Although they are not currently listed as hard requirements, they may be upgraded to requirements status in the future. In addition, specific operators may change some of these recommendations into requirements based on their specific needs and objectives.

Domain           Improvement
Boot-Abstract-1  Review the definition of the "bootloader".

Boot loader: The boot loader consists of the Primary boot loader residing in OTP memory, and sboot, U-Boot and the Secure loader residing in external flash (NAND or SPI/NOR flash memory). The CPU on power on or reset executes the primary boot loader. The OTP primary boot loader makes the necessary initial system configuration and then loads the secondary boot loader sboot from external flash memory to RAM. sboot then loads U-Boot along with the Secure loader. U-Boot then verifies the Kernel/system image integrity, then loads the Kernel/system image before passing control to it.

Acronyms and Abbreviations

The following table lists the terms utilized within this part of the document.

Acronyms or Abbreviations  Description
FUSE                       Filesystem in UserSpacE
OTP                        One-Time-Programmable
DOCSIS                     Data Over Cable Service Interface Specification
Image

Image selection

The boot process shall be uninterruptible and shall irrevocably boot the image as specified in the boot environment.

In U-Boot set the "bootdelay" environment variable and/or define CONFIG_BOOTDELAY to -2.

Domain                  Variable / Config name  Value
Boot-Image-Selection-1  CONFIG_BOOTDELAY        -2
Boot-Image-Selection-2  bootdelay               -2

Image authenticity

It shall not be possible to boot from an unverified image. The secure boot feature in U-Boot shall be enabled. The secure boot feature is available from U-Boot version 2013.07. To enable the secure boot feature, enable the following features:

CONFIG_FIT: Enables support for Flat Image Tree (FIT) uImage format.
CONFIG_FIT_SIGNATURE: Enables signature verification of FIT images.
CONFIG_RSA: Enables RSA algorithm used for FIT image verification.
CONFIG_OF_CONTROL: Enables Flattened Device Tree (FDT) configuration.
CONFIG_OF_SEPARATE: Enables separate build of U-Boot from the device tree.
CONFIG_DEFAULT_DEVICE_TREE: Specifies the default Device Tree used for the run-time configuration of U-Boot.

Generate the U-Boot image with public keys to validate and load the image. It shall use RSA2048 and SHA256 for authentication.

Domain                     Config name                 State
Boot-Image-Authenticity-1  CONFIG_FIT                  Enable
Boot-Image-Authenticity-2  CONFIG_FIT_SIGNATURE        Enable
Boot-Image-Authenticity-3  CONFIG_RSA                  Enable
Boot-Image-Authenticity-4  CONFIG_OF_CONTROL           Enable
Boot-Image-Authenticity-5  CONFIG_OF_SEPARATE          Enable
Boot-Image-Authenticity-6  CONFIG_DEFAULT_DEVICE_TREE  Enable
Communication modes

Disable USB, Serial and DOCSIS Support

To disable USB support in U-Boot, the following configs shall not be defined:

CONFIG_CMD_USB: Enables basic USB support and the usb command.
CONFIG_USB_UHCI: Defines the low level part.
CONFIG_USB_KEYBOARD: Enables the USB Keyboard.
CONFIG_USB_STORAGE: Enables the USB storage devices.
CONFIG_USB_HOST_ETHER: Enables USB Ethernet adapter support.

In addition, disable unnecessary communication modes like Ethernet, Serial ports and DOCSIS in U-Boot and sboot when they are not necessary.

Linux Kernel support for USB should be compiled-out if not required. If it is needed, the Linux Kernel should be configured to only enable the minimum required USB devices. User-initiated USB filesystems should be treated with special care. Whether or not the filesystems are mounted in user space (FUSE), restricted mount options should be observed.

Domain                Communication modes      State
Boot-Communication-1  USB                      Disabled and Compiled-out if not required.
Boot-Communication-2  USB                      Else, Kernel should be configured to only enable the minimum required USB devices and filesystems should be treated with special care.
Boot-Communication-3  Ethernet                 Disabled
Boot-Communication-4  U-boot and sboot DOCSIS  Disabled
Boot-Communication-5  Serial ports             Disabled

Domain                    Config name            State
Boot-Communication-USB-1  CONFIG_CMD_USB         Not defined
Boot-Communication-USB-2  CONFIG_USB_UHCI        Not defined
Boot-Communication-USB-3  CONFIG_USB_KEYBOARD    Not defined
Boot-Communication-USB-4  CONFIG_USB_STORAGE     Not defined
Boot-Communication-USB-5  CONFIG_USB_HOST_ETHER  Not defined
Disable all Network Interfaces

Preferably no network interface is allowed, but if required, then the enabled services should be restricted to only those used.

Domain                Communication modes  State
Boot-Communication-1  Network interfaces   Preferably no network interface is allowed, otherwise, restrict the services to those used.

Remove or Disable Unnecessary Services, Ports, and Devices

Restrict the services, ports and devices to those used.

Domain                Object                       Recommendations
Boot-Communication-1  Services, ports and devices  Restrict the services, ports and devices to those used.

Disable flash access

Recommendation: In U-Boot the following flash memory commands shall be disabled:

NAND: Support for NAND flash access available through do_nand has to be disabled.

Domain                      Command name  State
Boot-Communication-Flash-1  do_nand       Disable

Similarly, sboot should disable flash access support through the command line, if any.
Consoles

Disable serial console

Serial console output shall be disabled. To disable console output in U-Boot, set the following macros:

Domain                  Config name                            Value
Boot-Consoles-Serial-1  CONFIG_SILENT_CONSOLE                  Disable
Boot-Consoles-Serial-2  CONFIG_SYS_DEVICE_NULLDEV              Disable
Boot-Consoles-Serial-3  CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC  Disable

Domain           Improvement
Boot-Consoles-1  Secure loader: No reference earlier?

And set the "silent" environment variable. For the Secure loader, disable the traces by not defining the below macro:

Domain                  Environment variable name  State
Boot-Consoles-Serial-1  INC_DEBUG_PRINT            Not defined

For sboot, proper configuration needs to be done to disable the serial console.
Immutable environment variables

In U-Boot, ensure the Kernel command line, boot commands, boot delay and other environment variables are immutable. This will prevent side-loading of alternate images, by restricting the boot selection to only the image in FLASH.

The environment variables shall be part of the text region in U-Boot as default environment variables and not in non-volatile memory.

Remove configuration options related to non-volatile memory, such as:

Domain                      Config name                 State
Boot-Consoles-Variables-1   CONFIG_ENV_IS_IN_MMC        #undef
Boot-Consoles-Variables-2   CONFIG_ENV_IS_IN_EEPROM     #undef
Boot-Consoles-Variables-3   CONFIG_ENV_IS_IN_FLASH      #undef
Boot-Consoles-Variables-4   CONFIG_ENV_IS_IN_DATAFLASH  #undef
Boot-Consoles-Variables-5   CONFIG_ENV_IS_IN_FAT        #undef
Boot-Consoles-Variables-6   CONFIG_ENV_IS_IN_NAND       #undef
Boot-Consoles-Variables-7   CONFIG_ENV_IS_IN_NVRAM      #undef
Boot-Consoles-Variables-8   CONFIG_ENV_IS_IN_ONENAND    #undef
Boot-Consoles-Variables-9   CONFIG_ENV_IS_IN_SPI_FLASH  #undef
Boot-Consoles-Variables-10  CONFIG_ENV_IS_IN_REMOTE     #undef
Boot-Consoles-Variables-11  CONFIG_ENV_IS_IN_UBI        #undef
Boot-Consoles-Variables-12  CONFIG_ENV_IS_NOWHERE       #define
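As an added example (not from the blueprint or the AGL project), the following Python script checks a legacy-style U-Boot board header against the Boot-Image-Selection, Boot-Image-Authenticity, Boot-Communication-USB and Boot-Consoles-Variables tables above. It assumes the header-based configuration style those tables refer to (#define/#undef in include/configs/<board>.h), evaluates directives in file order so that a later #undef wins, does not evaluate #if/#ifdef conditionals, and runs on a constructed sample header for a fictitious board.

```python
"""Check a legacy U-Boot board header (include/configs/<board>.h) against the
blueprint's Boot-* tables. Added example, not code from the blueprint or AGL.
Directives are applied in file order (a later #undef removes an earlier
#define); #if/#ifdef conditionals are not evaluated."""
import re

# Symbols the tables require to be #defined (with the required value where given).
MUST_DEFINE = {
    "CONFIG_BOOTDELAY": "-2",              # Boot-Image-Selection-1
    "CONFIG_FIT": None,                    # Boot-Image-Authenticity-1..6
    "CONFIG_FIT_SIGNATURE": None,
    "CONFIG_RSA": None,
    "CONFIG_OF_CONTROL": None,
    "CONFIG_OF_SEPARATE": None,
    "CONFIG_DEFAULT_DEVICE_TREE": None,
    "CONFIG_ENV_IS_NOWHERE": None,         # Boot-Consoles-Variables-12
}
# Symbols that must not be defined once the whole header has been processed.
MUST_NOT_DEFINE = [
    "CONFIG_CMD_USB", "CONFIG_USB_UHCI", "CONFIG_USB_KEYBOARD",   # Boot-Communication-USB-1..5
    "CONFIG_USB_STORAGE", "CONFIG_USB_HOST_ETHER",
] + ["CONFIG_ENV_IS_IN_" + loc for loc in (                      # Boot-Consoles-Variables-1..11
    "MMC", "EEPROM", "FLASH", "DATAFLASH", "FAT", "NAND",
    "NVRAM", "ONENAND", "SPI_FLASH", "REMOTE", "UBI")]

DIRECTIVE = re.compile(r"^\s*#\s*(define|undef)\s+(CONFIG_\w+)(?:\s+(.*?))?\s*$")


def parse_header(text):
    """Return {symbol: value} for the CONFIG_ symbols still defined at end of file."""
    defined = {}
    for line in text.splitlines():
        line = re.sub(r"/\*.*?\*/", "", line).split("//")[0]  # drop same-line comments
        m = DIRECTIVE.match(line)
        if not m:
            continue
        kind, name, value = m.groups()
        if kind == "define":
            defined[name] = (value or "").strip()
        else:
            defined.pop(name, None)  # #undef after #define: symbol ends up undefined
    return defined


def check_header(text):
    """Return the list of blueprint violations found in a board header."""
    defined = parse_header(text)
    findings = []
    for name, want in MUST_DEFINE.items():
        if name not in defined:
            findings.append(f"{name}: must be defined")
        elif want is not None and defined[name] != want:
            findings.append(f"{name}: is {defined[name]!r}, expected {want}")
    for name in MUST_NOT_DEFINE:
        if name in defined:
            findings.append(f"{name}: must not be defined")
    return findings


# Constructed sample header for a fictitious board; not a real AGL configuration.
SAMPLE_HEADER = """\
/* include/configs/demo_board.h (constructed sample) */
#define CONFIG_BOOTDELAY            -2
#define CONFIG_FIT
#define CONFIG_FIT_SIGNATURE
#define CONFIG_RSA
#define CONFIG_OF_CONTROL
#define CONFIG_OF_SEPARATE
#define CONFIG_DEFAULT_DEVICE_TREE  "demo-board"
#define CONFIG_CMD_USB              /* violation: usb command left in */
#define CONFIG_USB_STORAGE
#undef  CONFIG_USB_STORAGE          /* later #undef wins: compliant */
#define CONFIG_ENV_IS_IN_MMC        /* violation: environment in non-volatile memory */
#undef  CONFIG_ENV_IS_NOWHERE       /* violation: must be #define'd */
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HEADER
    for finding in check_header(text) or ["no violations"]:
        print(finding)
```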
(Recommendation) Removal of memory dump commands

In U-Boot, the following commands shall be disabled to avoid memory dumps:

md: Memory Display command.
mm: Memory modify command - auto incrementing address.
nm: Memory modify command - constant address.
mw: Memory write.
cp: Memory copy.
mwc: Memory write cyclic.
mdc: Memory display cyclic.
mtest: Simple RAM read/write test.
loopw: Infinite write loop on address range.

Domain                   Command name  State
Boot-Consoles-MemDump-1  md            Disabled
Boot-Consoles-MemDump-2  mm            Disabled
Boot-Consoles-MemDump-3  nm            Disabled
Boot-Consoles-MemDump-4  mw            Disabled
Boot-Consoles-MemDump-5  cp            Disabled
Boot-Consoles-MemDump-6  mwc           Disabled
Boot-Consoles-MemDump-7  mdc           Disabled
Boot-Consoles-MemDump-8  mtest         Disabled
Boot-Consoles-MemDump-9  loopw         Disabled

Similarly, memory dump support shall be disabled from sboot.
Part 3 - Hypervisor

Definition: "A hypervisor or virtual machine monitor (VMM) is computer software, firmware or hardware that creates and runs virtual machines".

It must include a signature verification (possibly delegated).

Domain                 Improvement
Hypervisor-Abstract-1  Complete Hypervisor part (jailhouse/KVM/Xen).

Native or Bare-metal hypervisors

These hypervisors run directly on the host's hardware to control the hardware and to manage guest operating systems. Those are the ones we're interested in.
Part 4 - Kernel

Abstract

System Hardening: Best practices associated with the configuration of an embedded Linux based operating system. This section includes both hardening of the kernel itself, as well as specific configurations and patches used to protect against known vulnerabilities within the build and configuration of the root file system.

At the Kernel level, we must ensure that no console can be launched. It could be used to change the behavior of the system or to have more information about it. Another aspect is the protection of the memory used by the Kernel.

The next sub-sections contain information on various kernel configuration options to enhance the security in the kernel (3.10.17) and also for applications compiled to take advantage of these security features. Additionally, there are also configuration options that protect from known vulnerable configuration options. Here's a high level summary of various kernel configurations that shall be required for deployment.
General configuration

Mandatory Access Control

The kernel should control access with labels and policy.

Domain                Object  Recommendations
Kernel-General-MAC-1  SMACK   Must implement a Mandatory Access Control.

Domain        Improvement
Kernel-MAC-1  Add MAC config note.

Disable kexec

This prevents someone who gets root from supplanting the kernel. This can be used as a way to bypass signed kernels.

Domain                  Config name   Value
Kernel-General-kexec-1  CONFIG_KEXEC  n

Disable kernel IP auto-configuration

It is preferable to have the IP configuration performed using a user-space tool, as these tend to have more validation. We do not want the network interface coming up until the system has come up properly.

Domain                       Config name    Value
Kernel-General-IPAutoConf-1  CONFIG_IP_PNP  n

Disable Sysctl syscall support

Enabling this will result in code being included that is hard to maintain and not well tested.
Domain                           Config name            Value
Kernel-General-SysCtl_SysCall-1  CONFIG_SYSCTL_SYSCALL  n

Disable Legacy Linux Support

There are some Kernel Configs which are present only to support legacy binaries. See also the "Consoles" part in order to disable support for legacy binary formats. The uselib system call, in particular, has no valid use in any libc6 or uclibc system in recent times. This configuration is supported in Linux 3.15 and greater and thus should only be disabled for such versions.

Domain                        Config name    Value
Kernel-General-LegacyLinux-1  CONFIG_USELIB  n

Disable firmware auto-loading user mode helper

The firmware auto-loading helper, which is a utility executed by the kernel on hotplug events requiring firmware, needs to be set setuid. As a result of this, the helper utility is an attractive target for attackers with control of physical ports on the device. This configuration is supported in Linux 3.9 and greater and thus should only be disabled for such versions.

Domain                       Config name                    Value
Kernel-General-FirmHelper-1  CONFIG_FW_LOADER_USER_HELPER  n

Enable Kernel Panic on OOPS

When fuzzing the kernel or attempting kernel exploits, attackers are likely to trigger kernel OOPSes. Setting the behavior on OOPS to PANIC can impede their progress.

This configuration is supported in Linux 3.5 and greater and thus should only be enabled for such versions.

Domain                        Config name           Value
Kernel-General-PanicOnOOPS-1  CONFIG_PANIC_ON_OOPS  y
Disable socket monitoring interface

These monitors can be used to inspect shared file descriptors on Unix Domain sockets or traffic on 'localhost' which is otherwise assumed to be confidential.

The CONFIG_PACKET_DIAG configuration is supported in Linux 3.7 and greater and thus should only be disabled for such versions.

The CONFIG_UNIX_DIAG configuration is supported in Linux 3.3 and greater and thus should only be disabled for such versions.

Domain                      Config name         Value
Kernel-General-SocketMon-1  CONFIG_PACKET_DIAG  n
Kernel-General-SocketMon-2  CONFIG_UNIX_DIAG    n

Disable BPF JIT

The BPF JIT can be used to create kernel payloads from firewall table rules.

This configuration is supported in Linux 3.16 and greater and thus should only be disabled for such versions.

Domain                    Config name     Value
Kernel-General-BPF_JIT-1  CONFIG_BPF_JIT  n

Enable Enforced Module Signing

The kernel should never allow an unprivileged user the ability to load specific kernel modules, since that would provide a facility to unexpectedly extend the available attack surface.

To protect against even privileged users, systems may need to either disable module loading entirely, or provide signed modules (e.g. CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep root from loading arbitrary kernel code via the module loader interface.

This configuration is supported in Linux 3.7 and greater and thus should only be enabled for such versions.

Domain                          Config name              Value
Kernel-General-ModuleSigning-1  CONFIG_MODULE_SIG_FORCE  y
Disable all USB, PCMCIA (and other hotplug bus) drivers that aren't needed

This reduces the attack surface: driver enumeration, probe, and operation happen in the kernel, and the driver data is parsed by the kernel, so any logic bug in these drivers can become a kernel exploit.

Domain                    Object             State
Kernel-General-Drivers-1  USB                Disabled
Kernel-General-Drivers-2  PCMCIA             Disabled
Kernel-General-Drivers-3  Other hotplug bus  Disabled

Position Independent Executables

Domain                            Compiler and linker options  State
Kernel-General-IndependentExec-1  -pie -fpic                   Enable

Produce a position independent executable on targets which support it.

Prevent Overwrite Attacks

The -z,relro linking option helps during program load: several ELF memory sections need to be written by the linker, but can be turned read-only before turning over control to the program. This prevents some Global Offset Table (GOT) overwrite attacks, or attacks on the dtors section of the ELF binary.

Domain                             Compiler and linker options  State
Kernel-General-OverwriteAttacks-1  -z,relro                     Enable
Kernel-General-OverwriteAttacks-2  -z,now                       Enable

During program load, all dynamic symbols are resolved, allowing the complete GOT to be marked read-only (due to -z relro above). This prevents GOT overwrite attacks. For very large applications, this can incur some performance loss during initial load while symbols are resolved, but this shouldn't be an issue for daemons.
Library linking

It is recommended that dynamic linking should generally not be allowed. This will prevent the user from replacing a library with a malicious library. All libraries should be linked statically, but this is difficult to implement.

Domain                           Compiler and linker options  State
Kernel-General-LibraryLinking-1  -static                      Enable
Memory

Restrict access to kernel memory

The /dev/kmem file in Linux systems is directly mapped to kernel virtual memory. This can be disastrous if an attacker gains root access, as the attacker would have direct access to kernel virtual memory.

To disable the /dev/kmem file, which is very infrequently used by applications, the following kernel option should be set in the compile-time kernel configuration:

Domain                          Config name     Value
Kernel-Memory-RestrictAccess-1  CONFIG_DEVKMEM  n

In case applications in user space need /dev/kmem support, it should be available only for authenticated applications.

Disable access to a kernel core dump

This kernel configuration disables access to a kernel core dump from user space. If enabled, it gives attackers a useful view into kernel memory.

Domain                    Config name        Value
Kernel-Memory-CoreDump-1  CONFIG_PROC_KCORE  n

Disable swap

If not disabled, attackers can enable swap at runtime, add pressure to the memory subsystem and then scour the pages written to swap for useful information.

Domain                Config name  Value
Kernel-Memory-Swap-1  CONFIG_SWAP  n
Disable "Load All Symbols"

There is a /proc/kallsyms file which exposes the kernel memory space address of many kernel symbols (functions, variables, etc.). This information is useful to attackers in identifying kernel versions/configurations and in preparing payloads for the exploits of kernel space.

Both KALLSYMS_ALL and KALLSYMS shall be disabled.

Domain                          Config name          Value
Kernel-Memory-LoadAllSymbols-1  CONFIG_KALLSYMS      n
Kernel-Memory-LoadAllSymbols-2  CONFIG_KALLSYMS_ALL  n

Stack protection

To prevent stack-smashing, similar to the stack protector used for ELF programs in user-space, the kernel can protect its internal stacks as well.

This configuration is supported in Linux 3.11 and greater and thus should only be enabled for such versions.

This configuration also requires building the kernel with the gcc compiler 4.2 or greater.

Domain                 Config name               Value
Kernel-Memory-Stack-1  CONFIG_CC_STACKPROTECTOR  y

Other defenses include things like shadow stacks.

Disable access to /dev/mem

The /dev/mem file in Linux systems is directly mapped to physical memory. This can be disastrous if an attacker gains root access, as the attacker would have direct access to physical memory through this convenient device file. It may not always be possible to disable such a file, as some applications might need such support. In that case, this device file should be available only for authenticated applications.

This configuration is supported in Linux 4.0 and greater and thus should only be disabled for such versions.

Domain                  Config name    Value
Kernel-Memory-Access-1  CONFIG_DEVMEM  n
Disable cross-memory attach

Disable the process_vm_* syscalls which allow one process to peek/poke the virtual memory of another.

This configuration is supported in Linux 3.5 and greater and thus should only be disabled for such versions.

Domain                          Config name          Value
Kernel-Memory-CrossMemAttach-1  CROSS_MEMORY_ATTACH  n

Stack Smashing Attacks

Domain                         Compiler and linker options  State
Kernel-Memory-StackSmashing-1  -fstack-protector-all        Enable

Emit extra code to check for buffer overflows, such as stack smashing attacks.

Detect Buffer Overflows

Domain                           Compiler and linker options  Value
Kernel-Memory-BufferOverflows-1  -D_FORTIFY_SOURCE            2

Helps detect some buffer overflow errors.
Serial
Disable serial console
The serial console should be disabled to prevent an attacker from accessing this powerful interface.
Domain  Config name  Value
Kernel-Consoles-Serial-1  CONFIG_SERIAL_8250  n
Kernel-Consoles-Serial-2  CONFIG_SERIAL_8250_CONSOLE  n
Kernel-Consoles-Serial-3  CONFIG_SERIAL_CORE  n
Kernel-Consoles-Serial-4  CONFIG_SERIAL_CORE_CONSOLE  n
Bake-in the kernel command-line
The kernel command-line is used to control many aspects of the booting kernel, and is prone to tampering, as the arguments are passed in RAM with little to no reverse validation of these parameters. To prevent this type of attack, the kernel shall be configured to ignore command-line arguments, and use pre-configured (compile time) options instead.
Set the kernel command line in the CONFIG_CMDLINE KConfig item and then pass no arguments from the bootloader.
Domain  Config name  Value
Kernel-Consoles-CommandLine-1  CONFIG_CMDLINE_BOOL  y
Kernel-Consoles-CommandLine-2  CONFIG_CMDLINE  "insert kernel command line here"
Kernel-Consoles-CommandLine-3  CONFIG_CMDLINE_OVERRIDE  y
It is recommended that any per-device settings (e.g. MAC addresses, serial numbers, etc.) be stored in and accessed from read-only memory (or files), and that any such parameters be verified (signature checking) prior to their use.
Disable KGDB
The Linux kernel supports KGDB over USB and console ports. These mechanisms are controlled by the kgdbdbgp and kgdboc kernel command-line parameters. It is important to ensure that no shipping product contains a kernel with KGDB compiled-in.
Domain  Config name  Value
Kernel-Consoles-KDBG-1  CONFIG_KGDB  n
Disable magic sysrq support
On a few architectures, you can access a powerful debugger interface from the keyboard. The same powerful interface can be present on the serial console (responding to serial break) of Linux on other architectures. Disable it to avoid potentially exposing this powerful backdoor.
Domain  Config name  Value
Kernel-Consoles-SysRQ-1  CONFIG_MAGIC_SYSRQ  n
Disable support for binary formats other than ELF
This option (CONFIG_BINFMT_MISC) makes it possible to plug wrapper-driven binary formats into the kernel. It enables support for binary formats other than ELF. Providing the ability to use alternate interpreters would assist an attacker in discovering attack vectors.
Domain  Config name  Value
Kernel-Consoles-BinaryFormat-1  CONFIG_BINFMT_MISC  n
Debug
No debuggers shall be present on the filesystem. This includes, but is not limited to, the GNU Debugger client/server (commonly known by their short-form names, the gdb and gdbserver executable binaries respectively), the LLDB next-generation debugger or the TCF (Target Communications Framework) agnostic framework. Including these binaries as part of the filesystem will facilitate an attacker's ability to reverse engineer and debug (either locally or remotely) any process that is currently executing on the device.
Kernel debug symbols
Debug symbols should always be removed from production kernels as they provide a lot of information to attackers.
Domain  Config name  Value
Kernel-Debug-Symbols-1  CONFIG_DEBUG_INFO  n
These kernel debug symbols are enabled by other config items in the kernel. Care should be taken to disable those also. If CONFIG_DEBUG_INFO cannot be disabled, then enabling CONFIG_DEBUG_INFO_REDUCED is second best.
Disable Kprobes
Kprobes enables you to dynamically break into any kernel routine and collect debugging and performance information non-disruptively. You can trap at almost any kernel code address, specifying a handler routine to be invoked when the breakpoint is hit.
Domain  Config name  Value
Kernel-Debug-Kprobes-1  CONFIG_KPROBES  n
Disable Tracing
FTrace enables the kernel to trace every kernel function. Providing kernel trace functionality would assist an attacker in discovering attack vectors.
Domain  Config name  Value
Kernel-Debug-Tracing-1  CONFIG_FTRACE  n
Disable Profiling
Profiling and OProfile enable profiling of the whole system, including the kernel, kernel modules, libraries, and applications. Providing profiling functionality would assist an attacker in discovering attack vectors.
Domain  Config name  Value
Kernel-Debug-Profiling-1  CONFIG_OPROFILE  n
Kernel-Debug-Profiling-2  CONFIG_PROFILING  n
Disable OOPS print on BUG()
The output from an OOPS print can be helpful in Return Oriented Programming (ROP) when trying to determine the effectiveness of an exploit.
Domain  Config name  Value
Kernel-Debug-OOPSOnBUG-1  CONFIG_DEBUG_BUGVERBOSE  n
Disable Kernel Debugging
There are development-only branches of code in the kernel enabled by the DEBUG_KERNEL configuration. This should be disabled to compile out these branches.
Domain  Config name  Value
Kernel-Debug-Dev-1  CONFIG_DEBUG_KERNEL  n
Kernel-Debug-Dev-2  CONFIG_EMBEDDED  n
In some kernel versions, disabling this requires also disabling CONFIG_EMBEDDED and CONFIG_EXPERT. Disabling CONFIG_EXPERT makes it impossible to disable COREDUMP, DEBUG_BUGVERBOSE, NAMESPACES, KALLSYMS and BUG. In that case it is better to leave this enabled than to enable the others.
Disable the kernel debug filesystem
The kernel debug filesystem presents a lot of useful information and means of manipulation of the kernel to an attacker.
Domain  Config name  Value
Kernel-Debug-FileSystem-1  CONFIG_DEBUG_FS  n
Disable BUG() support
The kernel will display backtrace and register information for BUGs and WARNs in kernel space, making it easier for attackers to develop exploits.
Domain  Config name  Value
Kernel-Debug-BUG-1  CONFIG_BUG  n
Disable core dumps
Core dumps provide a lot of debug information to attackers, so disabling core dumps is recommended in production builds.
This configuration is supported in Linux 3.7 and greater and thus should only be disabled for such versions.
Domain  Config name  Value
Kernel-Debug-CoreDumps-1  CONFIG_COREDUMP  n
Kernel Address Display Restriction
When attackers try to develop "run anywhere" exploits for kernel vulnerabilities, they frequently need to know the location of internal kernel structures. By treating kernel addresses as sensitive information, those locations are not visible to regular local users.
/proc/sys/kernel/kptr_restrict is set to "1" to block the reporting of known kernel address leaks.
Domain  File name  Value
Kernel-Debug-AdressDisplay-1  /proc/sys/kernel/kptr_restrict  1
Additionally, various files and directories should be readable only by the root user: /boot/vmlinuz*, /boot/System.map*, /sys/kernel/debug/, /proc/slabinfo
Domain  File or Directory name  State
Kernel-Debug-AdressDisplay-1  /boot/vmlinuz*  Readable only for root user
Kernel-Debug-AdressDisplay-2  /boot/System.map*  Readable only for root user
Kernel-Debug-AdressDisplay-3  /sys/kernel/debug/  Readable only for root user
Kernel-Debug-AdressDisplay-4  /proc/slabinfo  Readable only for root user
DMESG Restrictions
When attackers try to develop "run anywhere" exploits for vulnerabilities, they frequently will use dmesg output. By treating dmesg output as sensitive information, this output is not available to the attacker.
/proc/sys/kernel/dmesg_restrict can be set to "1" to treat dmesg output as sensitive.
Domain  File name  Value
Kernel-Debug-DMESG-1  /proc/sys/kernel/dmesg_restrict  1
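The two sysctl values and the "readable only by root" rule above are easy to check in a start-up self-test. The script below is an added example, not code from the security-blueprint: it builds a constructed copy of the relevant /proc, /boot and /sys paths under a temporary root (with two deliberate deviations) and audits it; on a device you would pass / as the root and 0 as the owner uid. The file names (vmlinuz-4.14, System.map-4.14) are constructed.

```shell
#!/bin/sh
# Added example (not from the security-blueprint): check kptr_restrict and
# dmesg_restrict, and the "readable only by root" requirement on the kernel
# files listed above. The tree is constructed under a temporary root so the
# script runs offline; on a device pass ROOT=/ and OWNER_UID=0.

# make_sample_root DIR -> constructed layout with two deliberate deviations
# (dmesg_restrict=0 and a world-readable System.map).
make_sample_root() {
    mkdir -p "$1/proc/sys/kernel" "$1/boot" "$1/sys/kernel/debug"
    echo 1 > "$1/proc/sys/kernel/kptr_restrict"
    echo 0 > "$1/proc/sys/kernel/dmesg_restrict"
    echo "constructed kernel image" > "$1/boot/vmlinuz-4.14"
    echo "constructed symbol map"   > "$1/boot/System.map-4.14"
    echo "constructed slabinfo"     > "$1/proc/slabinfo"
    chmod 600 "$1/boot/vmlinuz-4.14" "$1/proc/slabinfo"
    chmod 644 "$1/boot/System.map-4.14"
    chmod 700 "$1/sys/kernel/debug"
}

# sysctl_is ROOT NAME VALUE -> 0 when ROOT/proc/sys/kernel/NAME holds VALUE.
sysctl_is() {
    [ -r "$1/proc/sys/kernel/$2" ] || return 1
    [ "$(tr -d '[:space:]' < "$1/proc/sys/kernel/$2")" = "$3" ]
}

# readable_only_by PATH UID -> 0 when PATH is owned by UID and neither the
# group nor the "other" read bit is set (columns 5 and 8 of the mode string).
readable_only_by() {
    local info
    info=$(ls -ldn "$1") || return 1
    case "$info" in ????-??-??*) ;; *) return 1 ;; esac
    [ "$(echo "$info" | awk '{ print $3 }')" = "$2" ]
}

# audit_address_restrictions ROOT OWNER_UID -> one FAIL line per unmet item.
audit_address_restrictions() {
    local root="$1" uid="$2" f
    sysctl_is "$root" kptr_restrict 1  || echo "FAIL kptr_restrict is not 1"
    sysctl_is "$root" dmesg_restrict 1 || echo "FAIL dmesg_restrict is not 1"
    for f in "$root"/boot/vmlinuz* "$root"/boot/System.map* \
             "$root"/sys/kernel/debug "$root"/proc/slabinfo; do
        [ -e "$f" ] || continue      # unmatched glob: nothing to check
        readable_only_by "$f" "$uid" || echo "FAIL ${f#$root} readable by non-root"
    done
}

# Demo on the constructed tree; the current user stands in for root (uid 0).
root=$(mktemp -d); make_sample_root "$root"
audit_address_restrictions "$root" "$(id -u)"
rm -rf "$root"
```

The ownership check compares numeric uids from `ls -ldn`, so it does not depend on a name lookup working in a minimal production image.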
Enable the below compiler and linker options when building user-space applications to avoid stack smashing and buffer overflow attacks.
Disable /proc/config.gz
It is extremely important not to expose the kernel configuration used on a production device to a potential attacker. With access to the kernel config, it could be possible for an attacker to build a custom kernel for the device that may disable critical security features.
Domain  Config name  Value
Kernel-Debug-Config-1  CONFIG_IKCONFIG  n
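The CONFIG_* tables in the Memory, Consoles and Debug sections above are all of the same shape, so they can be turned into one audit of the kernel .config. The script below is an added example and not part of the security-blueprint or of the AGL build: it carries the expectations from those tables, a constructed .config that violates three of them, and a checker that also handles the "second best" case of CONFIG_DEBUG_INFO_REDUCED. The sample command line and the file name are constructed.

```shell
#!/bin/sh
# Added example (not from the security-blueprint): audit a kernel .config
# against the CONFIG_* values required by the Memory, Consoles and Debug
# tables above. The sample .config is constructed and deliberately violates
# three requirements.

SAMPLE_CONFIG='CONFIG_CC_STACKPROTECTOR=y
CONFIG_DEVMEM=y
# CONFIG_CROSS_MEMORY_ATTACH is not set
# CONFIG_SERIAL_8250 is not set
# CONFIG_SERIAL_8250_CONSOLE is not set
CONFIG_KGDB=y
# CONFIG_MAGIC_SYSRQ is not set
# CONFIG_BINFMT_MISC is not set
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_INFO_REDUCED=y
# CONFIG_KPROBES is not set
# CONFIG_FTRACE is not set
# CONFIG_OPROFILE is not set
# CONFIG_PROFILING is not set
# CONFIG_DEBUG_FS is not set
# CONFIG_COREDUMP is not set
# CONFIG_IKCONFIG is not set
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="console=null quiet"
CONFIG_CMDLINE_OVERRIDE=y'

# Requirements copied from the blueprint tables: "SYMBOL expected-value".
EXPECTED='CONFIG_CC_STACKPROTECTOR y
CONFIG_DEVMEM n
CONFIG_CROSS_MEMORY_ATTACH n
CONFIG_SERIAL_8250 n
CONFIG_SERIAL_8250_CONSOLE n
CONFIG_KGDB n
CONFIG_MAGIC_SYSRQ n
CONFIG_BINFMT_MISC n
CONFIG_DEBUG_INFO n
CONFIG_KPROBES n
CONFIG_FTRACE n
CONFIG_OPROFILE n
CONFIG_PROFILING n
CONFIG_DEBUG_FS n
CONFIG_COREDUMP n
CONFIG_IKCONFIG n
CONFIG_CMDLINE_BOOL y
CONFIG_CMDLINE_OVERRIDE y'

write_sample_config() { printf '%s\n' "$SAMPLE_CONFIG" > "$1"; }

# config_value FILE SYMBOL -> y, m, n or the literal value; a symbol that is
# "not set" or absent from the file both count as n.
config_value() {
    if grep -q "^$2=" "$1"; then
        sed -n "s/^$2=//p" "$1" | head -n 1
    else
        echo n
    fi
}

# list_config_deviations FILE -> one FAIL/WARN line per requirement not met.
list_config_deviations() {
    cfg="$1"
    while read -r sym want; do
        [ -n "$sym" ] || continue
        got=$(config_value "$cfg" "$sym")
        if [ "$got" = "$want" ]; then continue; fi
        # Second-best case from the Debug section: DEBUG_INFO on, but reduced.
        if [ "$sym" = CONFIG_DEBUG_INFO ] && [ "$(config_value "$cfg" CONFIG_DEBUG_INFO_REDUCED)" = y ]; then
            echo "WARN $sym=y but CONFIG_DEBUG_INFO_REDUCED=y (second best)"
        else
            echo "FAIL $sym: expected $want, found $got"
        fi
    done <<EOF
$EXPECTED
EOF
}

# check_config FILE -> exit status 0 only when no FAIL line is produced.
check_config() {
    ! list_config_deviations "$1" | grep -q '^FAIL'
}

# Demo: audit the constructed sample.
tmp=$(mktemp); write_sample_config "$tmp"
list_config_deviations "$tmp"
check_config "$tmp" && echo "compliant" || echo "not compliant"
rm -f "$tmp"
```

Run it against the .config of the production kernel build (or against /proc/config.gz piped through zcat on a development image, which is exactly the file this section says must not exist in production).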
File System
Disable all filesystems not needed
To reduce the attack surface: filesystem data is parsed by the kernel, so any logic bugs in filesystem drivers can become kernel exploits.
Disable NFS filesystem
NFS file systems are useful during development phases, but they can be a very helpful way for an attacker to get files when you are in production mode, so we must disable them.
Domain  Config name  Value
Kernel-FileSystems-NFS-1  CONFIG_NFSD  n
Kernel-FileSystems-NFS-2  CONFIG_NFS_FS  n
Partition Mount Options
There are several security restrictions that can be set on a filesystem when it is mounted. Some common security options include, but are not limited to:
nosuid - Do not allow set-user-identifier or set-group-identifier bits to take effect.
nodev - Do not interpret character or block special devices on the filesystem.
noexec - Do not allow execution of any binaries on the mounted filesystem.
ro - Mount filesystem as read-only.
The following flags shall be used for mounting common filesystems:
Domain  Partition  Value
Kernel-FileSystems-Mount-1  /boot  nosuid, nodev and noexec.
Kernel-FileSystems-Mount-2  /var & /tmp  In /etc/fstab or vfstab, add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-3  Non-root local  If type is ext2 or ext3 and mount point not '/', add nodev.
Kernel-FileSystems-Mount-4  Removable storage  Add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-5  Temporary storage  Add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-6  /dev/shm  Add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-7  /dev  Add nosuid and noexec.
If CONFIG_DEVTMPFS_MOUNT is set, then the kernel will mount /dev and will not apply the nosuid, noexec options. Either disable CONFIG_DEVTMPFS_MOUNT or add a remount with noexec and nosuid options to system startup.
Domain  Config name  State or Value
Kernel-FileSystems-Mount-1  CONFIG_DEVTMPFS_MOUNT  Disabled, or add a remount with noexec and nosuid to system startup.
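The mount table above can be verified at runtime from /proc/mounts, which also catches the devtmpfs case just described (the kernel mounted /dev without nosuid and noexec). The script below is an added example, not code from the security-blueprint: it encodes the Mount-1 to Mount-7 requirements, applies the ext2/ext3 nodev rule by file system type, and runs over a constructed /proc/mounts listing in which /tmp, /dev and an ext3 data volume deviate. The device names, the /media/usb mount point (standing in for removable storage) and the /data volume are constructed.

```shell
#!/bin/sh
# Added example (not from the security-blueprint): verify the mount options
# of the Kernel-FileSystems-Mount table against a /proc/mounts-style listing.
# The listing is constructed; on a device pass /proc/mounts.

# Required options per mount point (Mount-1, -2, -4, -6, -7 above; /media/usb
# stands in for removable storage). Mount-3 (nodev on non-root ext2/ext3) is
# applied by file system type in check_mounts.
REQUIRED='/boot nosuid,nodev,noexec
/var nosuid,nodev,noexec
/tmp nosuid,nodev,noexec
/dev/shm nosuid,nodev,noexec
/dev nosuid,noexec
/media/usb nosuid,nodev,noexec'

# Constructed mount table: /tmp lacks noexec, /dev is the kernel-mounted
# devtmpfs without nosuid/noexec, and /data is an ext3 volume without nodev.
SAMPLE_MOUNTS='/dev/mmcblk0p1 /boot ext4 ro,nosuid,nodev,noexec,relatime 0 0
/dev/mmcblk0p2 / ext4 rw,relatime 0 0
/dev/mmcblk0p3 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
devtmpfs /dev devtmpfs rw,relatime,mode=755 0 0
/dev/sda1 /media/usb vfat rw,nosuid,nodev,noexec 0 0
/dev/mmcblk0p4 /data ext3 rw,relatime 0 0'

write_sample_mounts() { printf '%s\n' "$SAMPLE_MOUNTS" > "$1"; }

# has_opt OPTIONS NAME -> 0 when NAME appears in the comma-separated list.
has_opt() { case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac; }

# missing_opts OPTIONS WANTED -> the wanted options absent from OPTIONS.
missing_opts() {
    local want missing=""
    for want in $(echo "$2" | tr ',' ' '); do
        has_opt "$1" "$want" || missing="$missing $want"
    done
    echo "${missing# }"
}

# check_mounts FILE -> one FAIL line per mount that misses required options.
check_mounts() {
    local dev mp fstype opts rest need miss
    while read -r dev mp fstype opts rest; do
        [ -n "$mp" ] || continue
        need=$(echo "$REQUIRED" | awk -v mp="$mp" '$1 == mp { print $2 }')
        if [ "$mp" != / ] && { [ "$fstype" = ext2 ] || [ "$fstype" = ext3 ]; }; then
            need="${need:+$need,}nodev"     # Mount-3 rule
        fi
        [ -n "$need" ] || continue
        miss=$(missing_opts "$opts" "$need")
        [ -z "$miss" ] || echo "FAIL $mp ($fstype): missing $miss"
    done < "$1"
}

# Demo on the constructed table. The /dev finding is the CONFIG_DEVTMPFS_MOUNT
# case above, fixed at startup with: mount -o remount,nosuid,noexec /dev
tmp=$(mktemp); write_sample_mounts "$tmp"
check_mounts "$tmp"
rm -f "$tmp"
```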
Part 5 - Platform
Abstract
This part focuses on the AGL platform, including all tools and techniques used to upgrade the security and downgrade the danger. It must be possible to apply the two fundamental principles written at the very beginning of the document. First of all, security management must remain simple. You must also prohibit everything by default, and then define a set of authorization rules. As cases to deal with, we must:
Implement a MAC for processes and files.
Limit communication between applications (System Bus and SystemD part).
Prohibit all tools used during development mode (Utilities and Services part).
Manage user capabilities (Users part).
Manage application permissions and policies (AGLFw part).
The tools and concepts used to meet these needs are only examples. Any other tool that meets the need can be used.
In AGL, as in many other embedded systems, different security mechanisms settle in the core layers to ensure isolation and data privacy. While the Mandatory Access Control layer (SMACK) provides global security and isolation, other mechanisms like Cynara are required to check applications' permissions at runtime. Applicative permissions (also called "privileges") may vary depending on the user and the application being run: an application should have access to a given service only if it is run by the proper user and if the appropriate permissions are granted.
Acronyms and Abbreviations
The following table lists the terms utilized within this part of the document.
Acronyms or Abbreviations  Description
ACL  Access Control Lists
alsa  Advanced Linux Sound Architecture
API  Application Programming Interface
AppFw  Application Framework
Cap  Capabilities
DAC  Discretionary Access Control
DDOS  Distributed Denial Of Service
DOS  Denial Of Service
IPC  Inter-Process Communication
MAC  Mandatory Access Control
PAM  Pluggable Authentication Modules
SMACK  Simplified Mandatory Access Control Kernel
Mandatory Access Control
We decided to put the MAC protection in the platform part despite the fact that it applies to the kernel too, since its use will be mainly at the platform level (except for the floor part).
Mandatory Access Control (MAC) is a protection provided by the Linux kernel that requires a Linux Security Module (LSM). AGL uses an LSM called Simplified Mandatory Access Control Kernel (SMACK). This protection involves the creation of SMACK labels, stored in the extended attributes of files, and a policy is also created to define the behaviour of each label.
The kernel access control is based on these labels and this policy. If there is no rule, no access will be granted and, as a consequence, what is not explicitly authorized is forbidden.
There are two types of SMACK labels:
Execution SMACK (attached to the process): Defines how files are accessed and created by that process.
File Access SMACK (written to the extended attribute of the file): Defines which process can access the file.
By default a process executes with its File Access SMACK label unless an Execution SMACK label is defined.
AGL's SMACK scheme is based on the Tizen 3 Q2/2015 one. It divides the system into the following domains:
Floor.
System.
Applications, Services and User.
See AGL security framework review and Smack White Paper for more information.
Floor
The floor domain includes the base system services and any associated data and libraries. This data remains unchanged at runtime. Writing to floor files or directories is allowed only in development mode or during software installation or upgrade.
The following table details the floor domain:
Label  Name  Execution SMACK  File Access SMACK
_  Floor  r-x for all  Only kernel and internal kernel threads.
^  Hat  --- for all  rx on all domains.
*  Star  rwx for all  None
The Hat label is only for privileged system services (currently only systemd-journal). It is useful for backup or virus scans. No file with this label should exist except in the debug log.
The Star label is used for device files or /tmp. Access restriction is managed via DAC. Individual files remain protected by their SMACK label.
Domain  Label name  Recommendations
Kernel-MAC-Floor-1  ^  Only for privileged system services.
Kernel-MAC-Floor-2  *  Used for device files or /tmp. Access restriction via DAC.
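The Floor, Hat and Star rows above are Smack's built-in label semantics, and together with the "no rule means no access" principle they decide every access on the system. The evaluator below is an added example, not code from the security-blueprint nor from Smack itself: it reproduces those built-in cases for the labels `_`, `^` and `*`, then falls back to an explicit rule list, so that a policy sketch can be reasoned about before it is loaded into /sys/fs/smackfs. The rule set is a constructed sketch drawn from the System and Application tables of this part (the label `User::Pkg::demo` is constructed), not the AGL policy itself; only the access letters are evaluated and the transmute flag is not modelled.

```shell
#!/bin/sh
# Added example (not from the security-blueprint, not Smack's own code): a
# small evaluator applying Smack's built-in label semantics as the tables
# describe them (Floor "_", Hat "^", Star "*") plus explicit rules. Only the
# letters r, w, x, a, l are evaluated; transmute (t) is not modelled.
# Constructed rule sketch drawn from the System and Application tables.
SMACK_RULES='System System::Run rwxatl
User System::Run rwxatl
System System::Shared rwxatl
User System::Shared rx
System System::Log rwa
User System::Log xa
System User::Home rwxt
User::Pkg::demo User::Home rxl
System User::App-Shared rwxat
User User::App-Shared rwxat'

# rule_access SUBJECT OBJECT -> access string of the matching rule, if any.
rule_access() {
    echo "$SMACK_RULES" | awk -v s="$1" -v o="$2" '$1 == s && $2 == o { print $3; exit }'
}

# mode_subset WANT HAVE -> 0 when every letter of WANT occurs in HAVE.
mode_subset() {
    local i=1 c
    while [ "$i" -le "${#1}" ]; do
        c=$(printf '%s' "$1" | cut -c"$i")
        case "$2" in *"$c"*) ;; *) return 1 ;; esac
        i=$((i + 1))
    done
    return 0
}

# smack_access SUBJECT OBJECT WANT -> 0 if the access is granted.
smack_access() {
    local subj="$1" obj="$2" want="$3"
    if [ "$subj" = "$obj" ] || [ "$obj" = '*' ]; then return 0; fi   # same label, or Star object
    if [ "$subj" = '*' ]; then return 1; fi                          # Star subject: never
    if [ "$subj" = '^' ] || [ "$obj" = '_' ]; then                   # Hat subject / Floor object
        if mode_subset "$want" rx; then return 0; fi
    fi
    mode_subset "$want" "$(rule_access "$subj" "$obj")"              # explicit rule, else deny
}

# Demo: a few decisions, printed as "subject object mode -> allow|deny".
for q in 'User::Pkg::demo User::Home rx' 'User::Pkg::demo User::Home w' \
         'User::Pkg::demo _ rx' '^ System::Log r' '* System::Log r' \
         'User::Pkg::demo System::Log r'; do
    set -- $q
    if smack_access "$1" "$2" "$3"; then echo "$q -> allow"; else echo "$q -> deny"; fi
done
```

The last demo line is the principle stated in the section introduction: the application label has no rule for System::Log, so the access is denied without any explicit deny rule.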
System
The system domain includes a reduced set of core system services of the OS and any associated data. This data may change at runtime.
The following table details the system domain:
Label  Name  Execution SMACK  File Access SMACK
System  System  None  Privileged processes
System::Run  Run  rwxatl for User and System label  None
System::Shared  Shared  rwxatl for system domain, r-x for User label  None
System::Log  Log  rwa for System label, xa for user label  None
System::Sub  SubSystem  Subsystem Config files  SubSystem only
Domain  Label name  Recommendations
Kernel-MAC-System-1  System  Process should write only to files with the transmute attribute.
Kernel-MAC-System-2  System::Run  Files are created with the directory label from user and system domain (transmute). Lock is implicit with w.
Kernel-MAC-System-3  System::Shared  Files are created with the directory label from system domain (transmute). User domain has locked privilege.
Kernel-MAC-System-4  System::Log  Some limitations may require adding w to enable append.
Kernel-MAC-System-5  System::Sub  Isolation of risky Subsystem.
Applications, Services and User
The application, services and user domain includes code that provides services to the system and user, as well as any associated data. All code running in this domain is under Cynara control.
The following table details the application, services and user domain:
Label  Name  Execution SMACK  File Access SMACK
User::Pkg::$AppID  AppID  rwx (for files created by the App). rx for files installed by AppFw  $App runtime executing $App
User::Home  Home  rwx-t from System label, r-x-l from App  None
User::App-Shared  Shared  rwxat from System and User domains label of $User  None
Domain  Label name  Recommendations
Kernel-MAC-System-1  User::Pkg::$AppID  Only one Label is allowed per App. A data directory is created by the AppFw in rwx mode.
Kernel-MAC-System-2  User::Home  AppFw needs to create a directory in /home/$USER/App-Shared at first launch if not present, with label app-data; access is User::App-Shared without transmute.
Kernel-MAC-System-3  User::App-Shared  Shared space between all Apps running for a given user.
SystemD
afm-system-daemon is used to:
Manage users and user sessions.
Set up applications and services (CGroups, namespaces, autostart, permissions).
Use libsystemd for its programs (event management, D-Bus interface).
Domain  Object  Recommendations
Platform-SystemD-1  Security model  Use Namespaces for containerization.
Platform-SystemD-2  Security model  Use CGroups to organise processes.
See systemd integration and user management for more information.
Benefits
Removal of one privileged process: afm-user-daemon
Access and use of high level features:
Socket activation.
Management of users and integration of PAM.
Dependency resolution to services.
Cgroups and resource control.
Namespaces containerization.
Autostart of required API.
Permissions and security settings.
Network management.
CGroups
Control Groups offer a lot of features; with the most useful ones you can control memory usage, how much CPU time is allocated, how much device I/O is allowed or which devices can be accessed. SystemD uses CGroups to organise processes (each service is a CGroup, and all processes started by that service use that CGroup). By default, SystemD automatically creates a hierarchy of slice, scope and service units to provide a unified structure for the CGroups tree. With the systemctl command, you can further modify this structure by creating custom slices. Currently, in AGL, there are 2 slices (user.slice and system.slice).
Namespaces
User side
There are several ways of authenticating users (Key Radio Frequency, Phone, Gesture, ...). Each authentication provides dynamic allocation of uids to authenticated users. Uids are used to ensure the privacy of users, and SMACK for the privacy of applications.
First, the user initiates authentication with PAM activation. PAM Standard offers highly configurable authentication with a modular design, like face recognition, voice identification or with a password. Then users should access identity services with services and applications.
D-Bus
D-Bus is a well-known IPC (Inter-Process Communication) protocol (and daemon) that helps applications to talk to each other. The use of D-Bus is great because it allows the implementation of discovery and signaling.
The D-Bus session is by default addressed by the environment variable DBUS_SESSION_BUS_ADDRESS. When using systemd, the variable DBUS_SESSION_BUS_ADDRESS is automatically set for user sessions. D-Bus usage is linked to permissions.
D-Bus has already had several security issues (mostly DoS issues) that can prevent applications from keeping talking to each other. It is important to protect against this type of attack to keep the system more stable.
Domain  Object  Recommendations
Platform-DBus-1  Security model  Use D-Bus as IPC.
Platform-DBus-2  Security model  Apply D-Bus security patches: D-Bus CVE
System services and daemons
Domain  Improvement
Platform-Services-1  SystemD?
Platform-Services-2  Secure daemon?
Tools
connman: An internet connection manager designed to be slim and to use as few resources as possible. It is a fully modular system that can be extended, through plug-ins, to support all kinds of wired or wireless technologies.
bluez is a Bluetooth stack. Its goal is to program an implementation of the Bluetooth wireless standards specifications. In addition to the basic stack, the bluez-utils and bluez-firmware packages contain low level utilities such as dfutool which can interrogate the Bluetooth adapter chipset in order to determine whether its firmware can be upgraded.
gstreamer is a pipeline-based multimedia framework. It can be used to build a system that reads files in one format, processes them, and exports them in another format.
alsa is a software framework and part of the Linux kernel that provides an API for sound card device drivers.
Domain  Tool name  State
Platform-Utilities-1  connman  Used as a connection manager.
Platform-Utilities-2  bluez  Used as a Bluetooth manager.
Platform-Utilities-3  gstreamer  Used to manage multimedia file formats.
Platform-Utilities-4  alsa  Used to provide an API for sound card device drivers.
Application framework/model (AppFw)
The application framework manages:
The applications and services management: installing, uninstalling, listing, ...
The lifecycle of applications: Start -> (Pause, Resume) -> Stop.
Events and signals propagation.
Privileges granting and checking.
API for interaction with applications.
The security model refers to the security model used to ensure security and to the tools that are provided for implementing that model. It's an implementation detail that should not impact the layers above the application framework.
The security model refers to how DAC (Discretionary Access Control), MAC (Mandatory Access Control) and Capabilities are used by the system to ensure security and privacy. It also includes features of reporting using audit features and by managing logs and alerts.
The AppFw uses the security model to ensure the security and the privacy of the applications that it manages. It must be compliant with the underlying security model, but it should hide it from the applications.
Domain  Object  Recommendations
Platform-AGLFw-AppFw-1  Security model  Use the AppFw as Security model.
See AGL AppFw Privileges Management and AGL - Application Framework Documentation for more information.
Cynara
There's a need for another mechanism responsible for checking applicative permissions: currently in AGL, this task depends on a policy-checker service (Cynara).
Stores complex policies in databases.
"Soft" security (access is checked by the framework).
Cynara interacts with D-Bus in order to deliver this information.
Domain  Object  Recommendations
Platform-AGLFw-Cynara-1  Permissions  Use Cynara as policy-checker service.
Policies
Policy rules:
Are simple - for the pair [application context, privilege] there is a straight answer (single Policy Type): [ALLOW / DENY / ...].
No code is executed (no script).
Can be easily cached and managed.
Application context (describes the id of the user and the application credentials). It is built of:
UID of the user that runs the application.
SMACK label of the application.
Holding policies
Policies are kept in buckets. Buckets are sets of policies which have an additional property, a default answer; the default answer is yielded if no policy matches the searched key. Buckets have names which might be used in policies (for redirections).
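The properties just listed (a key of client label, uid and privilege; a straight ALLOW/DENY answer; buckets with a default answer; policies that name another bucket) are enough to write a small lookup and see how the default answer makes a missing policy a denial. The script below is an added example, not code from the security-blueprint nor from Cynara itself: the bucket names, privilege names, uids and the navigation application label are all constructed.

```shell
#!/bin/sh
# Added example (not from the security-blueprint, not Cynara's own code): a
# minimal policy lookup with the properties described above. A key
# [client SMACK label, user id, privilege] yields ALLOW or DENY, policies
# live in named buckets, each bucket has a default answer, and a policy may
# redirect to another bucket. All names and uids are constructed.

# Bucket defaults: "bucket default-answer".
BUCKET_DEFAULTS='default DENY
driver-only DENY'

# Policies: "bucket client user privilege result target"; "*" matches anything
# and "-" means no target. Scenario: the navi app may use the network for user
# 1001, and location access is decided in a second bucket listing the driver.
POLICIES='default User::Pkg::navi 1001 net.internet ALLOW -
default User::Pkg::navi * sensor.location BUCKET driver-only
default * * system.settings DENY -
driver-only User::Pkg::navi 1001 sensor.location ALLOW -'

# bucket_default BUCKET -> the bucket's default answer (DENY if unknown).
bucket_default() {
    local d
    d=$(echo "$BUCKET_DEFAULTS" | awk -v b="$1" '$1 == b { print $2; exit }')
    echo "${d:-DENY}"
}

# cynara_check CLIENT UID PRIVILEGE [BUCKET] [DEPTH] -> prints ALLOW or DENY.
cynara_check() {
    local bucket="${4:-default}" depth="${5:-0}" hit result target
    if [ "$depth" -ge 8 ]; then echo DENY; return; fi   # redirect loop guard
    hit=$(echo "$POLICIES" | awk -v b="$bucket" -v c="$1" -v u="$2" -v p="$3" \
        '$1 == b && ($2 == c || $2 == "*") && ($3 == u || $3 == "*") &&
         ($4 == p || $4 == "*") { print $5, $6; exit }')
    if [ -z "$hit" ]; then bucket_default "$bucket"; return; fi
    result=${hit%% *}; target=${hit#* }
    if [ "$result" = BUCKET ]; then
        cynara_check "$1" "$2" "$3" "$target" $((depth + 1))
    else
        echo "$result"
    fi
}

# Demo: the same app, two users, several privileges.
for q in 'User::Pkg::navi 1001 net.internet' 'User::Pkg::navi 1001 sensor.location' \
         'User::Pkg::navi 1002 sensor.location' 'User::Pkg::navi 1001 camera.capture' \
         'User::Pkg::other 1001 system.settings'; do
    set -- $q
    echo "$q -> $(cynara_check "$1" "$2" "$3")"
done
```

The passenger (uid 1002) is denied location access not by a DENY policy but by the default answer of the driver-only bucket, which is the "prohibit everything by default" principle from the abstract of this part.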
Utilities
busybox: Software that provides several stripped-down Unix tools in a single executable file. Of course, it will be necessary to use a "production" version of busybox in order to avoid all the tools useful only in development mode.
Domain  Tool name  State
Platform-Utilities-1  busybox  Used to provide a number of tools. Do not compile development tools.
Functionalities to exclude in production mode
In production mode, a number of tools must be disabled to prevent an attacker from finding logs, for example. This is useful to limit the visible surface and thus complicate the fault finding process. The tools used only in development mode are marked by an 'agl-devel' feature. When building in production mode, these tools will not be compiled.
Domain  Utility name and normal path  State
Platform-Utilities-1  chgrp in /bin/chgrp  Disabled
Platform-Utilities-2  chmod in /bin/chmod  Disabled
Platform-Utilities-3  chown in /bin/chown  Disabled
Platform-Utilities-4  dmesg in /bin/dmesg  Disabled
Platform-Utilities-5  dnsdomainname in /bin/dnsdomainname  Disabled
Platform-Utilities-6  dropbear, remove "dropbear" from /etc/init.d/rcs  Disabled
Platform-Utilities-7  Editors (vi) in /bin/vi  Disabled
Platform-Utilities-8  find in /bin/find  Disabled
Platform-Utilities-9  gdbserver in /bin/gdbserver  Disabled
Platform-Utilities-10  hexdump in /bin/hexdump  Disabled
Platform-Utilities-11  hostname in /bin/hostname  Disabled
Platform-Utilities-12  install in /bin/install  Disabled
Platform-Utilities-13  iostat in /bin/iostat  Disabled
Platform-Utilities-14  killall in /bin/killall  Disabled
Platform-Utilities-15  klogd in /sbin/klogd  Disabled
Platform-Utilities-16  logger in /bin/logger  Disabled
Platform-Utilities-17  lsmod in /sbin/lsmod  Disabled
Platform-Utilities-18  pmap in /bin/pmap  Disabled
Platform-Utilities-19  ps in /bin/ps  Disabled
Platform-Utilities-20  ps in /bin/ps  Disabled
Platform-Utilities-21  rpm in /bin/rpm  Disabled
Platform-Utilities-22  SSH  Disabled
Platform-Utilities-23  stbhotplug in /sbin/stbhotplug  Disabled
Platform-Utilities-24  strace in /bin/trace  Disabled
Platform-Utilities-25  su in /bin/su  Disabled
Platform-Utilities-26  syslogd (logger) in /bin/logger  Disabled
Platform-Utilities-27  top in /bin/top  Disabled
Platform-Utilities-28  UART in /proc/tty/driver/  Disabled
Platform-Utilities-29  which in /bin/which  Disabled
Platform-Utilities-30  who and whoami in /bin/whoami  Disabled
Platform-Utilities-31  awk (busybox)  Enabled
Platform-Utilities-32  cut (busybox)  Enabled
Platform-Utilities-33  df (busybox)  Enabled
Platform-Utilities-34  echo (busybox)  Enabled
Platform-Utilities-35  fdisk (busybox)  Enabled
Platform-Utilities-36  grep (busybox)  Enabled
Platform-Utilities-37  mkdir (busybox)  Enabled
Platform-Utilities-38  mount (vfat) (busybox)  Enabled
Platform-Utilities-39  printf (busybox)  Enabled
Platform-Utilities-40  sed in /bin/sed (busybox)  Enabled
Platform-Utilities-41  tail (busybox)  Enabled
Platform-Utilities-42  tee (busybox)  Enabled
Platform-Utilities-43  test (busybox)  Enabled
The Enabled Unix/Linux utilities above shall be permitted as they are often used in the start-up scripts and for USB logging. If any of these utilities are not required by the device then those should be removed.
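A production image can be checked against the Disabled rows of the table above before it is signed. The script below is an added example, not code from the security-blueprint or the AGL build system: it scans the usual binary directories of a root file system for the disabled utility names and looks for a dropbear start in /etc/init.d/rcS (Platform-Utilities-6), using a constructed root file system in a temporary directory. The file name rcS (capital S) is the conventional busybox init script name and is an assumption here; the table writes the path as /etc/init.d/rcs.

```shell
#!/bin/sh
# Added example (not from the security-blueprint): scan a root file system
# for the development-only utilities marked "Disabled" in the table above and
# for the dropbear entry in /etc/init.d/rcS (Platform-Utilities-6). The root
# file system is constructed in a temporary directory for the demo.

# Utility names marked Disabled above; busybox applets marked Enabled are
# intentionally absent from this list.
FORBIDDEN='chgrp chmod chown dmesg dnsdomainname vi find gdbserver hexdump
hostname install iostat killall klogd logger lsmod pmap ps rpm ssh stbhotplug
strace su top which who whoami'
SEARCH_DIRS='bin sbin usr/bin usr/sbin'

# make_sample_rootfs DIR -> constructed tree with three forbidden binaries in
# /bin, one in /sbin, a dropbear start in rcS, and a few permitted applets.
make_sample_rootfs() {
    local n
    mkdir -p "$1/bin" "$1/sbin" "$1/etc/init.d"
    for n in gdbserver su strace awk sed grep tail; do : > "$1/bin/$n"; done
    : > "$1/sbin/klogd"
    printf '#!/bin/sh\n/usr/sbin/dropbear\n' > "$1/etc/init.d/rcS"
}

# list_forbidden_present ROOT -> one FAIL line per forbidden item found.
list_forbidden_present() {
    local root="$1" name dir p
    for name in $FORBIDDEN; do
        for dir in $SEARCH_DIRS; do
            p="$root/$dir/$name"
            # -L catches a dangling busybox symlink that -e alone would miss
            if [ -e "$p" ] || [ -L "$p" ]; then echo "FAIL ${p#$root} present"; fi
        done
    done
    if [ -f "$root/etc/init.d/rcS" ] && grep -q dropbear "$root/etc/init.d/rcS"; then
        echo "FAIL /etc/init.d/rcS starts dropbear"
    fi
}

# rootfs_is_clean ROOT -> 0 when nothing forbidden was found.
rootfs_is_clean() { [ -z "$(list_forbidden_present "$1")" ]; }

# Demo on the constructed tree.
root=$(mktemp -d); make_sample_rootfs "$root"
list_forbidden_present "$root"
rootfs_is_clean "$root" && echo "clean" || echo "development tools present"
rm -rf "$root"
```

On a real image the check is run against the extracted root file system (for example the directory a Yocto build installs into), not against the build host, so that the host's own /bin does not produce findings.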
Users
The user policy can group users by function within the car. For example, we can consider a driver and his passengers. Each user is assigned to a single group to simplify the management of space security.
Root Access
The main applications, those that provide the principal functionality of the embedded device, should not execute with root identity or any capability.
If the main application is allowed to execute at any capability, then the entire system is at the mercy of the said application's good behaviour. Problems arise when an application is compromised and able to execute commands which could consistently and persistently compromise the system by implanting rogue applications.
It is suggested that the middleware and the UI should run in the context of a user with no capability and all persistent resources should be maintained without any capability.
One way to ensure this is by implementing a server-client paradigm. Services provided by the system's drivers can be shared this way. The other advantage of this approach is that multiple applications can share the same resources at the same time.
Domain | Object | Recommendations
Platform-Users-root-1 | Main application | Should not execute as root.
Platform-Users-root-2 | UI | Should run in the context of a user with no capability.
Root access should not be allowed for the following utilities:
Domain | Utility name | State
Platform-Users-root-3 | login | Not allowed
Platform-Users-root-4 | su | Not allowed
Platform-Users-root-5 | ssh | Not allowed
Platform-Users-root-6 | scp | Not allowed
Platform-Users-root-7 | sftp | Not allowed
Root access should not be allowed for the console device. The development environment should allow users to log in with pre-created user accounts.
Switching to elevated privileges shall be allowed in the development environment via sudo.
Capabilities
Domain | Improvement
Platform-Users-Capabilities-1 | Kernel or Platform-user?
Platform-Users-Capabilities-2 | Add config note.
The goal is to restrict functionality that will not be useful in AGL. Capabilities are integrated into the LSM. Each privileged transaction is associated with a capability. These capabilities are divided into three groups:
e: Effective: This means the capability is "activated".
p: Permitted: This means the capability can be used / is allowed.
i: Inherited: The capability is kept by child/subprocesses upon execve() for example.
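A check for the Platform-Users-root and Capabilities recommendations above, added here as an example and not part of the blueprint or of AGL: it decodes the CapEff, CapPrm and CapInh masks that the kernel exposes in /proc/<pid>/status (the e, p and i sets) and reports any capability that a process which should run "with no capability" still holds. The CAP_* numbering follows linux/capability.h; the two status dumps are constructed, and the process name in them is an assumption.

```python
"""Capability audit from /proc/<pid>/status (added example, not AGL code)."""
import re
from pathlib import Path

# Capability bit numbers as defined in linux/capability.h.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL",
    31: "CAP_SETFCAP", 32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN",
    34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM", 36: "CAP_BLOCK_SUSPEND",
    37: "CAP_AUDIT_READ",
}

# The three sets the blueprint names: e (Effective), p (Permitted), i (Inherited).
SETS = {"e": "CapEff", "p": "CapPrm", "i": "CapInh"}

CAP_LINE = re.compile(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$")


def decode_mask(mask):
    """Expand a capability bitmask into capability names, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES.get(bit, "CAP_%d" % bit))  # unknown bits still reported
        bit += 1
    return names


def parse_status(text):
    """Return {"e": mask, "p": mask, "i": mask} from a /proc/<pid>/status dump.

    A dump missing any of the three lines raises ValueError, so a truncated
    or foreign file is never mistaken for a process with no capabilities.
    """
    found = {}
    for line in text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2), 16)
    masks = {}
    for short, field in SETS.items():
        if field not in found:
            raise ValueError("missing %s line" % field)
        masks[short] = found[field]
    return masks


def violations(text):
    """List (set letter, capability) pairs a 'no capability' process still holds.

    An empty list means CapEff, CapPrm and CapInh are all zero, which is what
    Platform-Users-root-2 asks of the UI and middleware.
    """
    masks = parse_status(text)
    return [(short, name) for short in ("e", "p", "i")
            for name in decode_mask(masks[short])]


def audit_pid(pid):
    """Audit a live process by PID (Linux only); returns its violations."""
    return violations(Path("/proc/%d/status" % pid).read_text())


# Constructed sample dumps (not captured from a real system); the process
# name "homescreen" is an assumption.
UI_OK = ("Name:\thomescreen\nUid:\t1001\t1001\t1001\t1001\n"
         "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
         "CapEff:\t0000000000000000\nCapBnd:\t0000003fffffffff\n")
UI_BAD = ("Name:\thomescreen\nUid:\t1001\t1001\t1001\t1001\n"
          "CapInh:\t0000000000000000\nCapPrm:\t0000000000200000\n"
          "CapEff:\t0000000000200000\nCapBnd:\t0000003fffffffff\n")

if __name__ == "__main__":
    print("clean UI process:", violations(UI_OK))      # []
    print("UI process holding CAP_SYS_ADMIN:", violations(UI_BAD))
    # -> [('e', 'CAP_SYS_ADMIN'), ('p', 'CAP_SYS_ADMIN')]
```

Run audit_pid() against the PIDs of the main application and the UI on a target board; any non-empty result is a finding against Platform-Users-root-1/-2.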
Part 6 - Application
Abstract
Application Hardening: Best practices to apply to the build and release of user space applications, in order to reduce the number of attack surfaces used by potential attackers.
The term of Application (App) has a very wide definition in AGL. Almost anything which is not in the core Operating System (OS) is an Application. Applications can be included in the base software package (image) or can be added at run-time.
Acronyms and Abbreviations
The following table lists the terms utilized within this part of the document.
Acronyms or Abbreviations | Description
3GPP | 3rd Generation Partnership Project
CASB | Cloud Access Security Broker
DAST | Dynamic Application Security Testing
DPI | Deep Packet Inspection
IDS | Intrusion Detection Systems
IPS | Intrusion Prevention Systems
IPSec | Internet Protocol Security
LSM | Linux Security Module
MITM | Man In The Middle
OSI | Open Systems Interconnection
SATS | Static Application Security Testing
Local
Domain | Improvement
Application-Installation-1 | Talk about AppFw offline mode.
Installation
Applications can be delivered and installed with the base image using a special offline-mode provided by the AppFw. Apps can also be installed at runtime.
During early release, default Apps are installed on the image at first boot.
Domain | Object | Recommendations
Application-Installation-1 | AppFw | Provide offline-mode in order to install apps with the base image.
Application-Installation-2 | Integrity | Allow the installation of applications only if their integrity is good.
Local
Privilege Management
Application privileges are managed by Cynara and the security manager in the AppFw. For more details, please refer to the AppFw documentation in the Platform part.
App Signature
Domain | Improvement
Application-Signature-1 | Add content (see secure build in Secure development part).
Services
Domain | Improvement
Application-Services-1 | Add content (Which services?).
Application-Services-2 | Add Binder.
Part 7 - Connectivity
Abstract
This part shows different Connectivity attacks on the car.
Domain | Improvement
Connectivity-Abstract-1 | Improve abstract.
Acronyms and Abbreviations
The following table lists the terms utilized within this part of the document.
Acronyms or Abbreviations | Description
ARP | Address Resolution Protocol
BLE | Bluetooth Low Energy
CAN | Controller Area Network
CCMP | Counter-Mode/CBC-MAC Protocol
EDGE | Enhanced Data Rates for GSM Evolution - Evolution of GPRS
GEA | GPRS Encryption Algorithm
GPRS | General Packet Radio Service (2.5G, 2G+)
GSM | Global System for Mobile Communications (2G)
HSPA | High Speed Packet Access (3G+)
IMEI | International Mobile Equipment Identity
LIN | Local Interconnect Network
MOST | Media Oriented System Transport
NFC | Near Field Communication
OBD | On-Board Diagnostics
PATS | Passive Anti-Theft System
PKE | Passive Keyless Entry
PSK | Phase-Shift Keying
RDS | Radio Data System
RFID | Radio Frequency Identification
RKE | Remote Keyless Entry
SDR | Software Defined Radio
SSP | Secure Simple Pairing
TKIP | Temporal Key Integrity Protocol
TPMS | Tire Pressure Monitoring System
UMTS | Universal Mobile Telecommunications System (3G)
USB | Universal Serial Bus
WEP | Wired Equivalent Privacy
WPA | Wifi Protected Access
Bus
We only speak about the CAN bus to take an example, because the different attacks on buses like FlexRay, ByteFlight, MOST and LIN rely on reverse engineering, and the main argument to improve their security is to encrypt data packets. We just describe them a bit:
CAN: Controller Area Network, developed in the early 1980s, is an event-triggered controller network for serial communication with data rates up to one MBit/s. CAN messages are classified over their respective identifier. CAN controllers broadcast their messages to all connected nodes and all receiving nodes decide independently if they process the message.
FlexRay: Is a deterministic and error-tolerant high-speed bus, with a data rate up to 10 MBit/s.
ByteFlight: Is used for safety-critical applications in motor vehicles like air-bags. ByteFlight runs at 10 Mbps over 2 or 3 wire plastic optical fibers.
MOST: Media Oriented System Transport, is used for transmitting audio, video, voice, and control data via fiber optic cables. The speed is, for the synchronous way, up to 24 MBit/s and for the asynchronous way up to 14 MBit/s. MOST messages always include a clear sender and receiver address.
LIN: Local Interconnect Network, is a single-wire subnetwork for low-cost, serial communication between smart sensors and actuators with typical data rates up to 20 kBit/s. It is intended to be used from the year 2001 on everywhere in a car where the bandwidth and versatility of a CAN network is not required.
Domain | Tech name | Recommendations
Connectivity-BusAndConnector-Bus-1 | CAN | Implement a hardware solution in order to prohibit sending unwanted signals.
See Security in Automotive Bus Systems for more information.
Connectors
For the connectors, we supposed that they were disabled by default. For example, USB must be disabled to avoid attacks like BadUSB. If not, configure the Kernel to only enable the minimum required USB devices. The connectors used to diagnose the car, like OBD-II, must be disabled outside garages.
Domain | Tech name | Recommendations
Connectivity-BusAndConnector-Connectors-1 | USB | Must be disabled. If not, only enable the minimum required USB devices.
Connectivity-BusAndConnector-Connectors-2 | USB | Confidential data exchanged with the ECU over USB must be secure.
Connectivity-BusAndConnector-Connectors-3 | USB | USB Boot on an ECU must be disabled.
Connectivity-BusAndConnector-Connectors-4 | OBD-II | Must be disabled outside garages.
Wireless
In this part, we talk about possible remote attacks on a car, according to the different areas of possible attacks. For each communication channel, we describe attacks and how to prevent them with some recommendations. The main recommendation is to always follow the latest updates of these remote communication channels.
Domain | Object | Recommendations
Connectivity-Wireless-1 | Update | Always follow the latest updates of remote communication channels.
We will see the following parts:
Wifi
Bluetooth
Cellular
Radio
NFC
Domain | Improvement
Connectivity-Wireless-1 | Add communication channels (RFID, ZigBee?).
For existing automotive-specific means, we take examples of existing system attacks from the IOActive document (A Survey of Remote Automotive Attack Surfaces) and from the ETH document (Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars).
Telematics
Passive Anti-Theft System (PATS)
Tire Pressure Monitoring System (TPMS)
Remote Keyless Entry/Start (RKE)
Passive Keyless Entry (PKE)
Wifi
Attacks
We can differentiate existing attacks on wifi in two categories: those on WEP and those on WPA.
WEP attacks:
FMS: (Fluhrer, Mantin and Shamir attack) is a "Stream cipher attack on the widely used RC4 stream cipher. The attack allows an attacker to recover the key in an RC4 encrypted stream from a large number of messages in that stream."
KoreK: "Allows the attacker to reduce the key space".
PTW: (Pyshkin Tews Weinmann attack).
Chopchop: Found by KoreK, "Weakness of the CRC32 checksum and the lack of replay protection."
Fragmentation
WPA attacks:
Beck and Tews: Exploit weakness in TKIP. "Allow the attacker to decrypt ARP packets and to inject traffic into a network, even allowing him to perform a DoS or an ARP poisoning".
KRACK: (K)ey (R)einstallation (A)tta(ck) (jira AGL SPEC-1017).
Recommendations
Do not use WEP, PSK and TKIP.
Use WPA2 with CCMP.
Should protect against data sniffing.
Domain | Tech name or object | Recommendations
Connectivity-Wireless-Wifi-1 | WEP, PSK, TKIP | Disabled
Connectivity-Wireless-Wifi-2 | WPA2 and AES-CCMP | Used
Connectivity-Wireless-Wifi-3 | WPA2 | Should protect against data sniffing.
Connectivity-Wireless-Wifi-4 | PSK | Change the password regularly.
Connectivity-Wireless-Wifi-5 | Device | Upgraded easily in software or firmware to have the latest security update.
See Wifi attacks WEP WPA and Breaking WEP and WPA (Beck and Tews) for more information.
Bluetooth
Attacks
Bluesnarfing attacks involve an attacker covertly gaining access to your Bluetooth-enabled device for the purpose of retrieving information, including addresses, calendar information or even the device's International Mobile Equipment Identity. With the IMEI, an attacker could route your incoming calls to his cell phone.
Bluebugging is a form of Bluetooth attack often caused by a lack of awareness. Similar to bluesnarfing, bluebugging accesses and uses all phone features but is limited by the transmitting power of class 2 Bluetooth radios, normally capping its range at 10-15 meters.
Bluejacking is the sending of unsolicited messages.
BLE: Bluetooth Low Energy attacks.
DoS: Drain a device's battery or temporarily paralyze the phone.
Recommendations
Not allowing Bluetooth pairing attempts without the driver first manually placing the vehicle in pairing mode.
Monitoring.
Use BLE with caution.
For v2.1 and later devices using Secure Simple Pairing (SSP), avoid using the "Just Works" association model. The device must verify that an authenticated link key was generated during pairing.
Domain | Tech name | Recommendations
Connectivity-Wireless-Bluetooth-1 | BLE | Use with caution.
Connectivity-Wireless-Bluetooth-2 | Bluetooth | Monitoring
Connectivity-Wireless-Bluetooth-3 | SSP | Avoid using the "Just Works" association model.
Connectivity-Wireless-Bluetooth-4 | Visibility | Configured by default as undiscoverable, except when needed.
Connectivity-Wireless-Bluetooth-5 | Anti-scanning | Used, inter alia, to slow down brute force attacks.
See Low energy and the automotive transformation, Gattacking Bluetooth Smart Devices, Comprehensive Experimental Analyses of Automotive Attack Surfaces and With Low Energy comes Low Security for more information.
Cellular
Attacks
IMSI-Catcher: Is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking location data of mobile phone users. Essentially a "fake" mobile tower acting between the target mobile phone and the service provider's real towers, it is considered a man-in-the-middle (MITM) attack.
Lack of mutual authentication (GPRS/EDGE) and encryption with GEA0.
Fallback from UMTS/HSPA to GPRS/EDGE (Jamming against UMTS/HSPA).
4G DoS attack.
Recommendations
Check antenna legitimacy.
Domain | Tech name | Recommendations
Connectivity-Wireless-Cellular-1 | GPRS/EDGE | Avoid
Connectivity-Wireless-Cellular-2 | UMTS/HSPA | Protected against Jamming.
See A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications for more information.
Radio
Attacks
Interception of data with low cost material (SDR with hijacked DVB-T/DAB for example).
Recommendations
Use the Radio Data System (RDS) only to send signals for audio output and meta concerning radio.
Domain | Tech name | Recommendations
Connectivity-Wireless-Radio-1 | RDS | Only audio output and meta concerning radio.
NFC
Attacks
MITM: Relay and replay attack.
Recommendations
Should implement protection against relay and replay attacks (Tokens, etc.).
Disable unneeded and unapproved services and profiles.
NFC should use an encrypted link (secure channel). A standard key agreement protocol like Diffie-Hellman based on RSA or Elliptic Curves could be applied to establish a shared secret between two devices.
Automotive NFC devices should be certified by the NFC Forum entity: The NFC Forum Certification Mark shows that products meet global interoperability standards.
NFC Modified Miller coding is preferred over NFC Manchester coding.
Domain | Tech name | Recommendations
Connectivity-Wireless-NFC-1 | NFC | Protected against relay and replay attacks.
Connectivity-Wireless-NFC-2 | Device | Disable unneeded and unapproved services and profiles.
Cloud
Download
Authentication: Authentication is the security process that validates the claimed identity of a device, entity or person, relying on one or more characteristics bound to that device, entity or person.
Authorization: Parses the network to allow access to some or all network functionality by providing rules and allowing access or denying access based on a subscriber's profile and services purchased.
Domain | Object | Recommendations
Application-Cloud-Download-1 | Authentication | Must implement an authentication process.
Application-Cloud-Download-2 | Authorization | Must implement an authorization process.
Infrastructure
Deep Packet Inspection: DPI provides techniques to analyze the payload of each packet, adding an extra layer of security. DPI can detect and neutralize attacks that would be missed by other security mechanisms.
DoS protection, in order to avoid the Infrastructure becoming inaccessible for a period of time.
Scanning tools such as SATS and DAST assessments perform vulnerability scans on the source code and data flows of web applications. Many of these scanning tools run different security tests that stress applications under certain attack scenarios to discover security issues.
IDS & IPS: IDS detect and log inappropriate, incorrect, or anomalous activity. IDS can be located in the telecommunications networks and/or within the host server or computer. Telecommunications carriers build intrusion detection capability in all network connections to routers and servers, as well as offering it as a service to enterprise customers. Once IDS systems have identified an attack, IPS ensures that malicious packets are blocked before they cause any harm to backend systems and networks. IDS typically functions via one or more of three systems:
1. Pattern matching.
2. Anomaly detection.
3. Protocol behavior.
Domain | Object | Recommendations
Application-Cloud-Infrastructure-1 | Packet | Should implement a DPI.
Application-Cloud-Infrastructure-2 | DoS | Must implement a DoS protection.
Application-Cloud-Infrastructure-3 | Test | Should implement scanning tools like SATS and DAST.
Application-Cloud-Infrastructure-4 | Log | Should implement security tools (IDS and IPS).
Application-Cloud-Infrastructure-5 | App integrity | Applications must be signed by the code signing authority.
Transport
For data transport, it is necessary to encrypt data end-to-end. To prevent MITM attacks, no third party should be able to interpret transported data. Another aspect is data anonymization, in order to protect against the leakage of private information on the user or any other third party.
The use of standards such as IPSec provides "private and secure communications over IP networks, through the use of cryptographic security services"; it is a set of protocols using algorithms to transport secure data over an IP network. In addition, IPSec operates at the network layer of the OSI model, contrary to previous standards that operate at the application layer. This makes it application independent and means that users do not need to configure each application to IPSec standards.
IPSec provides the services below:
Confidentiality: A service that makes it impossible to interpret data if one is not the recipient. It is the encryption function that provides this service by transforming intelligible (unencrypted) data into unintelligible (encrypted) data.
Authentication: A service that ensures that a piece of data comes from where it is supposed to come from.
Integrity: A service that consists in ensuring that data has not been tampered with accidentally or fraudulently.
Replay Protection: A service that prevents attacks by re-sending a valid intercepted packet to the network for the same authorization. This service is provided by the presence of a sequence number.
Key management: Mechanism for negotiating the length of encryption keys between two IPSec elements and exchange of these keys.
An additional means of protection would be to do the monitoring between users and the cloud, as a CASB will provide.
Domain | Object | Recommendations
Application-Cloud-Transport-1 | Integrity, confidentiality and legitimacy | Should implement IPSec standards.
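The replay-protection service above rests on the ESP sequence number; what the receiver does with that number is the part the list does not show. The following added example (not from the blueprint) implements the sliding anti-replay window of RFC 4303 in the order a receiver must use it: the window is checked, the packet is authenticated, and only then is the window updated, so a forged packet carrying a high sequence number cannot move the window. The packet trace at the bottom is constructed.

```python
"""RFC 4303 style anti-replay window (added example, not blueprint code)."""


class AntiReplayWindow:
    """Tracks the last `size` sequence numbers seen on one inbound SA."""

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit k set  =>  sequence number (top - k) already received

    def check(self, seq):
        """Return True if seq may be accepted; does not change any state."""
        if seq == 0:
            return False                  # sequence number 0 is never sent
        if seq > self.top:
            return True                   # newer than anything seen: right of window
        diff = self.top - seq
        if diff >= self.size:
            return False                  # too old: fell off the left edge
        return not (self.bitmap >> diff) & 1   # inside window: accept only if unseen

    def mark(self, seq):
        """Record seq as received. Call only after the integrity check passed."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 0           # jumped past the whole window
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1              # the new top is now "seen"
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq, auth_ok):
        """Receiver order: replay check, then authentication, then window update."""
        if not self.check(seq):
            return "replay"
        if not auth_ok:
            return "bad-auth"             # window untouched: forgeries cannot advance it
        self.mark(seq)
        return "accepted"


def run_trace(events, size=64):
    """Feed (seq, auth_ok) pairs through one window and return the verdicts."""
    window = AntiReplayWindow(size)
    return [window.receive(seq, ok) for seq, ok in events]


# Constructed trace: in-order, duplicate, out-of-order, forged and stale packets.
TRACE = [(1, True), (2, True), (2, True), (5, True), (3, True), (3, True),
         (200, False), (200, True), (150, True), (100, True)]

if __name__ == "__main__":
    for (seq, ok), verdict in zip(TRACE, run_trace(TRACE)):
        print("seq=%-3d auth=%-5s -> %s" % (seq, ok, verdict))
```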
Part 8 - Update (OTA)
Abstract
Updating applications and firmware is essential for the development of new features and even more to fix security bugs. However, if a malicious third party manages to divert its first use, it could alter the functioning of the system and/or applications. The security of the updates is therefore a critical point to evaluate in order to guarantee the integrity, the confidentiality and the legitimacy of the transmitted data.
Acronyms and Abbreviations
The following table lists the terms utilized within this part of the document.
Acronyms or Abbreviations | Description
FOTA | Firmware Over The Air
OTA | Over The Air
SOTA | Software Over The Air
Firmware Over The Air
The firmware update is critical since its alteration could compromise the entire system. It is therefore necessary to take appropriate protective measures. The principle of verifying chain integrity fulfills much of AGL's security. During a firmware update, it is necessary to update the different signatures to check the integrity of the system.
There is also the constraint of the update time: The system must start quickly and therefore update itself as quickly. We imagine that the FOTA is mainly used in the vehicle maintenance session (e.g. garage). We will then no longer use FOTA but a wired update. There is a limit to what can be updated wirelessly. This maintenance update could solve these problems.
Field upgrades can be achieved securely by using a Secure Loader. This loader will authenticate an incoming image (USB, Serial, Network) prior to writing it to the flash memory on the device. It should not be possible to write to flash from the bootloader (U-Boot). Note that because USB support is to be disabled within the sboot/U-Boot code, the board-specific implementation of the Secure Loader will have to manage the entire USB initialization, enumeration, and read/write access to the mass storage device.
Domain | Object | Recommendations
Update-FOTA-1 | Integrity, confidentiality and legitimacy | Must be secure.
Different possible types of FOTA:
Package-based like rpm, dpkg:
+ Simple.
- Power-off.
- Dependency.
Full filesystem updates:
+ Robust.
- Tends to be device-specific.
- Needs rsync or similar.
Atomic differential:
+ Robust.
+ Minimal bandwidth consumption.
+ Easily reusable.
- Physically one filesystem (Corruption -> unbootable system).
- No rollback logic.
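The Secure Loader flow above and the Application-Installation-2 integrity rule in Part 6 come down to the same discipline: authenticate the whole image before any write, and keep the previous image bootable. The added example below (not AGL, U-Boot or AppFw code) models that with two flash slots: the image is parsed and authenticated in full, written to the inactive slot, and the active-slot pointer is switched last, so a corrupted or unsigned image never touches flash and a single corruption cannot leave the system unbootable; an image whose version is not newer than the running one is refused as well. The image layout, field names and flash model are assumptions; a real loader would verify an asymmetric signature against a key held in the HSM, and HMAC-SHA256 with a constructed key stands in for it here only so that the example runs offline.

```python
"""A/B secure-loader model (added example; not AGL, U-Boot or AppFw code)."""
import hashlib
import hmac
import json
import struct

# Stand-in for the verification key a real loader keeps in the HSM (constructed).
DEVICE_KEY = b"constructed-device-key-not-a-real-secret"
MAGIC = b"AGLI"                  # assumed image magic
HEADER = struct.Struct(">4sII")  # magic, manifest length, signature length


def build_image(version, payload, key=DEVICE_KEY):
    """Producer side: manifest carries version, size and payload hash; the
    signature covers the manifest, so the payload is bound through its hash."""
    manifest = json.dumps({"version": version, "size": len(payload),
                           "sha256": hashlib.sha256(payload).hexdigest()},
                          sort_keys=True).encode()
    sig = hmac.new(key, manifest, hashlib.sha256).digest()
    return HEADER.pack(MAGIC, len(manifest), len(sig)) + manifest + sig + payload


class Flash:
    """Two firmware slots plus an out-of-band pointer to the active one."""

    def __init__(self, version=1):
        self.slots = {"A": (version, b"factory-image"), "B": (0, b"")}
        self.active = "A"
        self.writes = 0   # counts slot writes: must stay unchanged for every rejected image


class SecureLoader:
    def __init__(self, flash, key=DEVICE_KEY):
        self.flash = flash
        self.key = key

    def verify(self, image):
        """Parse and authenticate the whole image; return (version, payload) or raise."""
        if len(image) < HEADER.size:
            raise ValueError("short image")
        magic, mlen, slen = HEADER.unpack_from(image)
        if magic != MAGIC:
            raise ValueError("bad magic")
        off = HEADER.size
        manifest = image[off:off + mlen]
        off += mlen
        sig = image[off:off + slen]
        off += slen
        payload = image[off:]
        if len(manifest) != mlen or len(sig) != slen:
            raise ValueError("truncated header")
        expected = hmac.new(self.key, manifest, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            raise ValueError("signature mismatch")      # checked before trusting manifest
        m = json.loads(manifest)
        if len(payload) != m["size"] or hashlib.sha256(payload).hexdigest() != m["sha256"]:
            raise ValueError("payload hash mismatch")
        current = self.flash.slots[self.flash.active][0]
        if m["version"] <= current:
            raise ValueError("version %d is not newer than %d" % (m["version"], current))
        return m["version"], payload

    def update(self, image):
        """Verify first, write the inactive slot, switch last. Returns the new active slot."""
        version, payload = self.verify(image)   # nothing is written before this returns
        target = "B" if self.flash.active == "A" else "A"
        self.flash.slots[target] = (version, payload)
        self.flash.writes += 1
        self.flash.active = target              # atomic switch; the old slot stays intact
        return target


def try_update(flash, image):
    """Apply one image and report (outcome, active slot, slot writes so far)."""
    try:
        SecureLoader(flash).update(image)
        return ("updated", flash.active, flash.writes)
    except ValueError as err:
        return ("rejected: " + str(err), flash.active, flash.writes)


if __name__ == "__main__":
    flash = Flash()
    good = build_image(2, b"constructed-rootfs-v2")
    print(try_update(flash, good))                          # ('updated', 'B', 1)
    corrupted = good[:-1] + bytes([good[-1] ^ 0x01])        # one payload bit flipped
    print(try_update(flash, corrupted))                     # rejected: payload hash mismatch
    print(try_update(flash, build_image(3, b"x", key=b"wrong-key")))  # rejected: signature mismatch
    print(try_update(flash, build_image(1, b"old-rootfs")))  # rejected: version 1 is not newer than 2
    print(flash.slots["A"])                                 # (1, b'factory-image') still bootable
```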
Software Over The Air
SOTA is made possible by AppFw (See Platform part). It will be possible to manage the packages in a simple way (e.g. Android like).
Domain | Improvement
Update-SOTA-1 | Part to complete.
Part 9 - Secure development
In order to save a lot of time in code auditing, developers must follow coding guidelines.
Secure build
Kernel build
Tools like:
Code optimisation.
Kernel Drivers test with docs.
Domain | Improvement
SecureDev-SecureBuild-1 | Add content.
App/Widget signatures
Domain | Improvement
SecureDev-Signatures-1 | Add content.
Code audit
These tools are used to check the correct implementation of functionalities and compliance with related good practices.
Continuous Code Quality.
Domain | Improvement
SecureDev-CodeAudit-1 | Add CVE analyser.
SecureDev-CodeAudit-2 | OSSTMM.
SATS
RATS (Maybe too old).
FlawFinder.
wiki list.
Mathematical approach.
It is necessary to verify that the application code does not use functions that are deprecated and recognized as unsecured or that cause problems.
DAST
wiki list.
Annexes
The first part summarizes all the configurations you must implement, without any explanations, since all the explanations are given as and when in the document.
The second one allows visualizing all the todo notes in order to have a global vision of the possible improvements of the document.
Config notes
Domain | Object | Recommendations
Hardware-Integrity-1 | Bootloader | Must control bootloader integrity.
Hardware-Integrity-2 | Board | Must use a HSM.
Hardware-Integrity-3 | RTC | Must not be alterable.
Domain | Object | Recommendations
Hardware-Certificate-1 | System | Shall allow storing dedicated certificates.
Hardware-Certificate-2 | ECU | The ECU must verify the certification authority hierarchy.
Hardware-Certificate-3 | System | Allow the modification of certificates only if the source can be authenticated by a certificate already stored or in the higher levels of the chain of trust.
Domain | Object | Recommendations
Hardware-Memory-1 | ECU | The ECU shall never expose the unencrypted key in RAM when using cryptographic keys.
Hardware-Memory-2 | Bootloader | Internal NVM only
Hardware-Module-3 | - | HSM must be used to secure keys.
Domain | Variable / Config name | Value
Boot-Image-Selection-1 | CONFIG_BOOTDELAY | -2
Boot-Image-Selection-2 | bootdelay | -2
Domain | Config name | State
Boot-Image-Authenticity-1 | CONFIG_FIT | Enable
Boot-Image-Authenticity-2 | CONFIG_FIT_SIGNATURE | Enable
Boot-Image-Authenticity-3 | CONFIG_RSA | Enable
Boot-Image-Authenticity-4 | CONFIG_OF_CONTROL | Enable
Boot-Image-Authenticity-5 | CONFIG_OF_SEPARATE | Enable
Boot-Image-Authenticity-6 | CONFIG_DEFAULT_DEVICE_TREE | Enable
Domain | Communication modes | State
Boot-Communication-1 | USB | Disabled and Compiled-out if not required.
Boot-Communication-2 | USB | Else, Kernel should be configured to only enable the minimum required USB devices and file systems should be treated with special care.
Boot-Communication-3 | Ethernet | Disabled
Boot-Communication-4 | U-boot and sboot DOCSIS | Disabled
Boot-Communication-5 | Serial ports | Disabled
Domain | Config name | State
Boot-Communication-USB-1 | CONFIG_CMD_USB | Not defined
Boot-Communication-USB-2 | CONFIG_USB_UHCI | Not defined
Boot-Communication-USB-3 | CONFIG_USB_KEYBOARD | Not defined
Boot-Communication-USB-4 | CONFIG_USB_STORAGE | Not defined
Boot-Communication-USB-5 | CONFIG_USB_HOST_ETHER | Not defined
Domain | Communication modes | State
Boot-Communication-1 | Network interfaces | Preferably no network interface is allowed, otherwise, restrict the services to those used.
Domain | Object | Recommendations
Boot-Communication-1 | Services, ports and devices | Restrict the services, ports and devices to those used.
Domain | Command name | State
Boot-Communication-Flash-1 | do_nand | Disable
Domain | Config name | Value
Boot-Consoles-Serial-1 | CONFIG_SILENT_CONSOLE | Disable
Boot-Consoles-Serial-2 | CONFIG_SYS_DEVICE_NULLDEV | Disable
Boot-Consoles-Serial-3 | CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC | Disable
Domain | Environment variable name | State
Boot-Consoles-Serial-1 | INC_DEBUG_PRINT | Not defined
Domain | Config name | State
Boot-Consoles-Variables-1 | CONFIG_ENV_IS_IN_MMC | #undef
Boot-Consoles-Variables-2 | CONFIG_ENV_IS_IN_EEPROM | #undef
Boot-Consoles-Variables-3 | CONFIG_ENV_IS_IN_FLASH | #undef
Boot-Consoles-Variables-4 | CONFIG_ENV_IS_IN_DATAFLASH | #undef
Boot-Consoles-Variables-5 | CONFIG_ENV_IS_IN_FAT | #undef
Boot-Consoles-Variables-6 | CONFIG_ENV_IS_IN_NAND | #undef
Boot-Consoles-Variables-7 | CONFIG_ENV_IS_IN_NVRAM | #undef
Boot-Consoles-Variables-8 | CONFIG_ENV_IS_IN_ONENAND | #undef
Boot-Consoles-Variables-9 | CONFIG_ENV_IS_IN_SPI_FLASH | #undef
Boot-Consoles-Variables-10 | CONFIG_ENV_IS_IN_REMOTE | #undef
Boot-Consoles-Variables-11 | CONFIG_ENV_IS_IN_UBI | #undef
Boot-Consoles-Variables-12 | CONFIG_ENV_IS_NOWHERE | #define
Domain | Command name | State
Boot-Consoles-MemDump-1 | md | Disabled
Boot-Consoles-MemDump-2 | mm | Disabled
Boot-Consoles-MemDump-3 | nm | Disabled
Boot-Consoles-MemDump-4 | mw | Disabled
Boot-Consoles-MemDump-5 | cp | Disabled
Boot-Consoles-MemDump-6 | mwc | Disabled
Boot-Consoles-MemDump-7 | mdc | Disabled
Boot-Consoles-MemDump-8 | mtest | Disabled
Boot-Consoles-MemDump-9 | loopw | Disabled
Domain | Object | Recommendations
Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control.
Domain | Config name | Value
Kernel-General-kexec-1 | CONFIG_KEXEC | n
Domain | Config name | Value
Kernel-General-IPAutoConf-1 | CONFIG_IP_PNP | n
Domain | Config name | Value
Kernel-General-SysCtl_SysCall-1 | CONFIG_SYSCTL_SYSCALL | n
Domain | Config name | Value
Kernel-General-LegacyLinux-1 | CONFIG_USELIB | n
Domain | Config name | Value
Kernel-General-FirmHelper-1 | CONFIG_FW_LOADER_USER_HELPER | n
Domain | Config name | Value
Kernel-General-PanicOnOOPS-1 | CONFIG_PANIC_ON_OOPS | y
Domain | Config name | Value
Kernel-General-SocketMon-1 | CONFIG_PACKET_DIAG | n
| Domain | Config name | Value |
|---|---|---|
| Kernel-General-SocketMon-2 | CONFIG_UNIX_DIAG | n |
| Kernel-General-BPF_JIT-1 | CONFIG_BPF_JIT | n |
| Kernel-General-ModuleSigning-1 | CONFIG_MODULE_SIG_FORCE | y |

| Domain | Object | State |
|---|---|---|
| Kernel-General-Drivers-1 | USB | Disabled |
| Kernel-General-Drivers-2 | PCMCIA | Disabled |
| Kernel-General-Drivers-3 | Other hotplug bus | Disabled |

| Domain | Compiler and linker options | State |
|---|---|---|
| Kernel-General-IndependentExec-1 | -pie -fpic | Enable |
| Kernel-General-OverwriteAttacks-1 | -z,relro | Enable |
| Kernel-General-OverwriteAttacks-2 | -z,now | Enable |
| Kernel-General-LibraryLinking-1 | -static | Enable |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-RestrictAccess-1 | CONFIG_DEVKMEM | n |
| Kernel-Memory-CoreDump-1 | CONFIG_PROC_KCORE | n |
| Kernel-Memory-Swap-1 | CONFIG_SWAP | n |
| Kernel-Memory-LoadAllSymbols-1 | CONFIG_KALLSYMS | n |
| Kernel-Memory-LoadAllSymbols-2 | CONFIG_KALLSYMS_ALL | n |
| Kernel-Memory-Stack-1 | CONFIG_CC_STACKPROTECTOR | y |
| Kernel-Memory-Access-1 | CONFIG_DEVMEM | n |
| Domain | Config name | Value |
|---|---|---|
| Kernel-Memory-CrossMemAttach-1 | CONFIG_CROSS_MEMORY_ATTACH | n |
| Domain | Compiler and linker options | State |
|---|---|---|
| Kernel-Memory-StackSmashing-1 | -fstack-protector-all | Enable |

| Domain | Compiler and linker options | Value |
|---|---|---|
| Kernel-Memory-BufferOverflows-1 | -D_FORTIFY_SOURCE | 2 |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Consoles-Serial-1 | CONFIG_SERIAL_8250 | n |
| Kernel-Consoles-Serial-2 | CONFIG_SERIAL_8250_CONSOLE | n |
| Kernel-Consoles-Serial-3 | CONFIG_SERIAL_CORE | n |
| Kernel-Consoles-Serial-4 | CONFIG_SERIAL_CORE_CONSOLE | n |
| Kernel-Consoles-CommandLine-1 | CONFIG_CMDLINE_BOOL | y |
| Kernel-Consoles-CommandLine-2 | CONFIG_CMDLINE | "insert kernel command line here" |
| Kernel-Consoles-CommandLine-3 | CONFIG_CMDLINE_OVERRIDE | y |
| Kernel-Consoles-KDBG-1 | CONFIG_KGDB | n |
| Kernel-Consoles-SysRQ-1 | CONFIG_MAGIC_SYSRQ | n |
| Kernel-Consoles-BinaryFormat-1 | CONFIG_BINFMT_MISC | n |
| Kernel-Debug-Symbols-1 | CONFIG_DEBUG_INFO | n |
| Kernel-Debug-Kprobes-1 | CONFIG_KPROBES | n |
| Kernel-Debug-Tracing-1 | CONFIG_FTRACE | n |
| Kernel-Debug-Profiling-1 | CONFIG_OPROFILE | n |
| Kernel-Debug-Profiling-2 | CONFIG_PROFILING | n |
| Kernel-Debug-OOPSOnBUG-1 | CONFIG_DEBUG_BUGVERBOSE | n |
| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-Dev-1 | CONFIG_DEBUG_KERNEL | n |
| Kernel-Debug-Dev-2 | CONFIG_EMBEDDED | n |
| Kernel-Debug-FileSystem-1 | CONFIG_DEBUG_FS | n |
| Kernel-Debug-BUG-1 | CONFIG_BUG | n |
| Kernel-Debug-CoreDumps-1 | CONFIG_COREDUMP | n |

| Domain | File name | Value |
|---|---|---|
| Kernel-Debug-AdressDisplay-1 | /proc/sys/kernel/kptr_restrict | 1 |

| Domain | File or directory name | State |
|---|---|---|
| Kernel-Debug-AdressDisplay-1 | /boot/vmlinuz* | Readable only for root user |
| Kernel-Debug-AdressDisplay-2 | /boot/System.map* | Readable only for root user |
| Kernel-Debug-AdressDisplay-3 | /sys/kernel/debug/ | Readable only for root user |
| Kernel-Debug-AdressDisplay-4 | /proc/slabinfo | Readable only for root user |

| Domain | File name | Value |
|---|---|---|
| Kernel-Debug-DMESG-1 | /proc/sys/kernel/dmesg_restrict | 1 |

| Domain | Config name | Value |
|---|---|---|
| Kernel-Debug-Config-1 | CONFIG_IKCONFIG | n |
| Kernel-FileSystems-NFS-1 | CONFIG_NFSD | n |
| Kernel-FileSystems-NFS-2 | CONFIG_NFS_FS | n |
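The Kernel-* config notes above can be verified mechanically against a kernel `.config`. The checker below is an added example, not AGL tooling; it reads the `CONFIG_X=value` / `# CONFIG_X is not set` format, treats an absent option as compiled out, and flags `m` as a deviation from `n` because the code still loads as a module. The sample `.config` fragment is constructed for the example.

```python
import re

# Options the Kernel-* config notes above require compiled out ("n") or built in ("y").
EXPECTED = dict.fromkeys("""
CONFIG_KEXEC CONFIG_IP_PNP CONFIG_SYSCTL_SYSCALL CONFIG_USELIB
CONFIG_FW_LOADER_USER_HELPER CONFIG_PACKET_DIAG CONFIG_UNIX_DIAG CONFIG_BPF_JIT
CONFIG_DEVKMEM CONFIG_PROC_KCORE CONFIG_SWAP CONFIG_KALLSYMS CONFIG_KALLSYMS_ALL
CONFIG_DEVMEM CONFIG_CROSS_MEMORY_ATTACH CONFIG_SERIAL_8250 CONFIG_SERIAL_CORE
CONFIG_SERIAL_8250_CONSOLE CONFIG_SERIAL_CORE_CONSOLE CONFIG_KGDB CONFIG_MAGIC_SYSRQ
CONFIG_BINFMT_MISC CONFIG_DEBUG_INFO CONFIG_KPROBES CONFIG_FTRACE CONFIG_OPROFILE
CONFIG_PROFILING CONFIG_DEBUG_BUGVERBOSE CONFIG_DEBUG_KERNEL CONFIG_EMBEDDED
CONFIG_DEBUG_FS CONFIG_BUG CONFIG_COREDUMP CONFIG_IKCONFIG CONFIG_NFSD CONFIG_NFS_FS
""".split(), "n")
EXPECTED.update(dict.fromkeys(["CONFIG_PANIC_ON_OOPS", "CONFIG_MODULE_SIG_FORCE",
    "CONFIG_CC_STACKPROTECTOR", "CONFIG_CMDLINE_BOOL", "CONFIG_CMDLINE_OVERRIDE"], "y"))

# A .config line is either CONFIG_X=value or "# CONFIG_X is not set".
_LINE = re.compile(r"^(?:(CONFIG_\w+)=(.*)|# (CONFIG_\w+) is not set)$")

def parse_kconfig(text):
    """Map each option to 'y', 'm', 'n' or its literal value."""
    values = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # blank line or an ordinary comment
        if m.group(1):
            values[m.group(1)] = m.group(2).strip()
        else:
            values[m.group(3)] = "n"
    return values

def check_kconfig(text):
    """Return (option, expected, actual) for every deviation; [] means compliant."""
    values = parse_kconfig(text)
    findings = []
    for opt, want in sorted(EXPECTED.items()):
        actual = values.get(opt, "n")  # an absent option is compiled out
        # "m" is not "n": the code still loads as a module, so it is flagged
        if actual != want:
            findings.append((opt, want, actual))
    return findings

# Constructed .config fragment, not taken from a real AGL build.
SAMPLE_CONFIG = """\
CONFIG_KEXEC=y
CONFIG_NFS_FS=m
CONFIG_PANIC_ON_OOPS=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_CC_STACKPROTECTOR=y
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="console=ttyS0,115200"
# CONFIG_CMDLINE_OVERRIDE is not set
"""
```

Run `check_kconfig(open("/path/to/.config").read())` against a real build; an empty list means every option in the tables above matches.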
| Domain | Partition | Value |
|---|---|---|
| Kernel-FileSystems-Mount-1 | /boot | nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-2 | /var & /tmp | In /etc/fstab or vfstab, add nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-3 | Non-root local | If type is ext2 or ext3 and mount point not '/', add nodev. |
| Kernel-FileSystems-Mount-4 | Removable storage | Add nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-5 | Temporary storage | Add nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-6 | /dev/shm | Add nosuid, nodev and noexec. |
| Kernel-FileSystems-Mount-7 | /dev | Add nosuid and noexec. |
| Domain | Config name | State or Value |
|---|---|---|
| Kernel-FileSystems-Mount-1 | CONFIG_DEVTMPFS_MOUNT | Disabled, or add a remount with noexec and nosuid to system startup. |
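The Kernel-FileSystems-Mount notes can likewise be checked against `/etc/fstab`. This is an added example, not part of the blueprint: it parses fstab entries, applies the per-mount-point option requirements from the table, adds `nodev` for non-root ext2/ext3 filesystems (Mount-3), and, as an assumption of this example, treats every `tmpfs` mount as temporary storage under Mount-5. Removable storage mounted by a daemon is not in fstab and is not covered; the sample fstab is constructed.

```python
# Mount options the Kernel-FileSystems-Mount notes above require per mount point.
REQUIRED = {
    "/boot": {"nosuid", "nodev", "noexec"},
    "/var": {"nosuid", "nodev", "noexec"},
    "/tmp": {"nosuid", "nodev", "noexec"},
    "/dev/shm": {"nosuid", "nodev", "noexec"},
    "/dev": {"nosuid", "noexec"},
}
# Assumption of this example: any tmpfs mount counts as temporary storage (Mount-5).
# Removable media mounted by a daemon never appear in fstab and are not checked here.

def parse_fstab(text):
    """Return (device, mount point, fs type, option set) for each fstab entry."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry; mount(8) would reject it as well
        dev, mnt, fstype, opts = fields[:4]
        entries.append((dev, mnt, fstype, set(opts.split(","))))
    return entries

def check_fstab(text):
    """Return (mount point, sorted missing options) for each non-compliant entry."""
    findings = []
    for dev, mnt, fstype, opts in parse_fstab(text):
        want = set(REQUIRED.get(mnt, ()))
        if fstype == "tmpfs":  # Mount-5: temporary storage
            want |= {"nosuid", "nodev", "noexec"}
        if fstype in ("ext2", "ext3") and mnt != "/":  # Mount-3
            want.add("nodev")
        missing = sorted(want - opts)
        if missing:
            findings.append((mnt, missing))
    return findings

# Constructed /etc/fstab, not taken from a real AGL image.
SAMPLE_FSTAB = """\
# <device>       <mount>   <type>    <options>                    <dump> <pass>
/dev/mmcblk0p1   /         ext4      defaults                     0 1
/dev/mmcblk0p2   /boot     ext3      defaults                     0 2
/dev/mmcblk0p3   /var      ext4      nosuid,nodev                 0 2
tmpfs            /tmp      tmpfs     nosuid,nodev,noexec,size=64m 0 0
tmpfs            /dev/shm  tmpfs     nosuid,nodev,noexec          0 0
devtmpfs         /dev      devtmpfs  mode=0755                    0 0
/dev/mmcblk0p4   /data     ext3      defaults                     0 2
"""
```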
| Domain | Label name | Recommendations |
|---|---|---|
| Kernel-MAC-Floor-1 | | Only for privileged system services. |
| Kernel-MAC-Floor-2 | * | Used for device files or /tmp. Access restriction via DAC. |

| Domain | Label name | Recommendations |
|---|---|---|
| Kernel-MAC-System-1 | System | Process should write only to file with transmute attribute. |
| Kernel-MAC-System-2 | System::run | Files are created with the directory label from user and system domain (transmute). Lock is implicit with w. |
| Kernel-MAC-System-3 | System::Shared | Files are created with the directory label from system domain (transmute). User domain has locked privilege. |
| Kernel-MAC-System-4 | System::Log | Some limitation may impose to add w to enable append. |
| Kernel-MAC-System-5 | System::Sub | Isolation of risky Subsystem. |

| Domain | Label name | Recommendations |
|---|---|---|
| Kernel-MAC-System-1 | User::Pkg::$AppID | Only one Label is allowed per App. A data directory is created by the AppFw in rwx mode. |
| Kernel-MAC-System-2 | User::Home | AppFw needs to create a directory in /home/$USER/App-Shared at first launch if not present; the label for app-data access is User::App-Shared without transmute. |
| Kernel-MAC-System-3 | User::App-Shared | Shared space between all App running for a given user. |

| Domain | Object | Recommendations |
|---|---|---|
| Platform-SystemD-1 | Security model | Use Namespaces for containerization. |
| Platform-SystemD-2 | Security model | Use CGroups to organise processes. |
| Platform-DBus-1 | Security model | Use D-Bus as IPC. |
| Platform-DBus-2 | Security model | Apply D-Bus security patches: D-Bus CVE |

| Domain | Tool name | State |
|---|---|---|
| Platform-Utilities-1 | connman | Used as a connection manager. |
| Platform-Utilities-2 | bluez | Used as a Bluetooth manager. |
| Platform-Utilities-3 | gstreamer | Used to manage multimedia file format. |
| Domain | Tool name | State |
|---|---|---|
| Platform-Utilities-4 | alsa | Used to provide an API for sound card device drivers. |

| Domain | Object | Recommendations |
|---|---|---|
| Platform-AGLFw-AppFw-1 | Security model | Use the AppFw as Security model. |
| Platform-AGLFw-Cynara-1 | Permissions | Use Cynara as policy-checker service. |

| Domain | Tool name | State |
|---|---|---|
| Platform-Utilities-1 | busybox | Used to provide a number of tools. Do not compile development tools. |

| Domain | Utility name and normal path | State |
|---|---|---|
| Platform-Utilities-1 | chgrp in /bin/chgrp | Disabled |
| Platform-Utilities-2 | chmod in /bin/chmod | Disabled |
| Platform-Utilities-3 | chown in /bin/chown | Disabled |
| Platform-Utilities-4 | dmesg in /bin/dmesg | Disabled |
| Platform-Utilities-5 | dnsdomainname in /bin/dnsdomainname | Disabled |
| Platform-Utilities-6 | dropbear, remove "dropbear" from /etc/init.d/rcs | Disabled |
| Platform-Utilities-7 | Editors (vi) in /bin/vi | Disabled |
| Platform-Utilities-8 | find in /bin/find | Disabled |
| Platform-Utilities-9 | gdbserver in /bin/gdbserver | Disabled |
| Platform-Utilities-10 | hexdump in /bin/hexdump | Disabled |
| Platform-Utilities-11 | hostname in /bin/hostname | Disabled |
| Platform-Utilities-12 | install in /bin/install | Disabled |
| Platform-Utilities-13 | iostat in /bin/iostat | Disabled |
| Platform-Utilities-14 | killall in /bin/killall | Disabled |
| Platform-Utilities-15 | klogd in /sbin/klogd | Disabled |
| Platform-Utilities-16 | logger in /bin/logger | Disabled |
| Platform-Utilities-17 | lsmod in /sbin/lsmod | Disabled |
| Platform-Utilities-18 | pmap in /bin/pmap | Disabled |
| Platform-Utilities-19 | ps in /bin/ps | Disabled |
| Platform-Utilities-20 | ps in /bin/ps | Disabled |
| Platform-Utilities-21 | rpm in /bin/rpm | Disabled |
| Platform-Utilities-22 | SSH | Disabled |
| Platform-Utilities-23 | stbhotplug in /sbin/stbhotplug | Disabled |
| Platform-Utilities-24 | strace in /bin/trace | Disabled |
| Platform-Utilities-25 | su in /bin/su | Disabled |
| Platform-Utilities-26 | syslogd (logger) in /bin/logger | Disabled |
| Domain | Utility name and normal path | State |
|---|---|---|
| Platform-Utilities-27 | top in /bin/top | Disabled |
| Platform-Utilities-28 | UART in /proc/tty/driver/ | Disabled |
| Platform-Utilities-29 | which in /bin/which | Disabled |
| Platform-Utilities-30 | who and whoami in /bin/whoami | Disabled |
| Platform-Utilities-31 | awk (busybox) | Enabled |
| Platform-Utilities-32 | cut (busybox) | Enabled |
| Platform-Utilities-33 | df (busybox) | Enabled |
| Platform-Utilities-34 | echo (busybox) | Enabled |
| Platform-Utilities-35 | fdisk (busybox) | Enabled |
| Platform-Utilities-36 | grep (busybox) | Enabled |
| Platform-Utilities-37 | mkdir (busybox) | Enabled |
| Platform-Utilities-38 | mount (vfat) (busybox) | Enabled |
| Platform-Utilities-39 | printf (busybox) | Enabled |
| Platform-Utilities-40 | sed in /bin/sed (busybox) | Enabled |
| Platform-Utilities-41 | tail (busybox) | Enabled |
| Platform-Utilities-42 | tee (busybox) | Enabled |
| Platform-Utilities-43 | test (busybox) | Enabled |

| Domain | Object | Recommendations |
|---|---|---|
| Platform-Users-root-1 | Main application | Should not execute as root. |
| Platform-Users-root-2 | UI | Should run in a context on a user with no capability. |

| Domain | Utility name | State |
|---|---|---|
| Platform-Users-root-3 | login | Not allowed |
| Platform-Users-root-4 | su | Not allowed |
| Platform-Users-root-5 | ssh | Not allowed |
| Platform-Users-root-6 | scp | Not allowed |
| Platform-Users-root-7 | sftp | Not allowed |

| Domain | Object | Recommendations |
|---|---|---|
| Application-Installation-1 | AppFw | Provide offline-mode in order to install app with the base image. |
| Application-Installation-2 | Integrity | Allow the installation of applications only if their integrity is good. |

| Domain | Tech name | Recommendations |
|---|---|---|
| Connectivity-BusAndConnector-Bus-1 | CAN | Implement hardware solution in order to prohibit sending unwanted signals. |
| Domain | Tech name | Recommendations |
|---|---|---|
| Connectivity-BusAndConnector-Connectors-1 | USB | Must be disabled. If not, only enable the minimum required USB devices. |
| Connectivity-BusAndConnector-Connectors-2 | USB | Confidential data exchanged with the ECU over USB must be secure. |
| Connectivity-BusAndConnector-Connectors-3 | USB | USB Boot on an ECU must be disabled. |
| Connectivity-BusAndConnector-Connectors-4 | OBD-II | Must be disabled outside garages. |

| Domain | Object | Recommendations |
|---|---|---|
| Connectivity-Wireless-1 | Update | Always follow the latest updates of remote communication channels. |

| Domain | Tech name or object | Recommendations |
|---|---|---|
| Connectivity-Wireless-Wifi-1 | WEP, PSK, TKIP | Disabled |
| Connectivity-Wireless-Wifi-2 | WPA2 and AES-CCMP | Used |
| Connectivity-Wireless-Wifi-3 | WPA2 | Should protect against data sniffing. |
| Connectivity-Wireless-Wifi-4 | PSK | Change the password regularly. |
| Connectivity-Wireless-Wifi-5 | Device | Easily upgradable in software or firmware to have the latest security update. |

| Domain | Tech name | Recommendations |
|---|---|---|
| Connectivity-Wireless-Bluetooth-1 | BLE | Use with caution. |
| Connectivity-Wireless-Bluetooth-2 | Bluetooth | Monitoring |
| Connectivity-Wireless-Bluetooth-3 | SSP | Avoid using the "Just Works" association model. |
| Connectivity-Wireless-Bluetooth-4 | Visibility | Configured by default as undiscoverable, except when needed. |
| Connectivity-Wireless-Bluetooth-5 | Anti-scanning | Used, inter alia, to slow down brute force attacks. |
| Connectivity-Wireless-Cellular-1 | GPRS/EDGE | Avoid |
| Connectivity-Wireless-Cellular-2 | UMTS/HSPA | Protected against jamming. |
| Connectivity-Wireless-Radio-1 | RDS | Only audio output and meta concerning radio. |
| Domain | Tech name | Recommendations |
|---|---|---|
| Connectivity-Wireless-NFC-1 | NFC | Protected against relay and replay attacks. |
| Connectivity-Wireless-NFC-2 | Device | Disable unneeded and unapproved services and profiles. |

| Domain | Object | Recommendations |
|---|---|---|
| Application-Cloud-Download-1 | Authentication | Must implement authentication process. |
| Application-Cloud-Download-2 | Authorization | Must implement authorization process. |
| Application-Cloud-Infrastructure-1 | Packet | Should implement a DPI. |
| Application-Cloud-Infrastructure-2 | DoS | Must implement a DoS protection. |
| Application-Cloud-Infrastructure-3 | Test | Should implement scanning tools like SAST and DAST. |
| Application-Cloud-Infrastructure-4 | Log | Should implement security tools (IDS and IPS). |
| Application-Cloud-Infrastructure-5 | App integrity | Applications must be signed by the code signing authority. |
| Application-Cloud-Transport-1 | Integrity, confidentiality and legitimacy | Should implement IPSec standards. |
| Update-FOTA-1 | Integrity, confidentiality and legitimacy | Must be secure. |
Todo notes

| Domain | Improvement |
|---|---|
| Boot-Abstract-1 | More generic and add examples (The chain of trust). |
| Boot-Abstract-1 | Review the definition of the "bootloader". |
| Boot-Consoles-1 | Secure loader: No reference earlier? |
| Hypervisor-Abstract-1 | Complete Hypervisor part (jailhouse / KVM / Xen). |
| Kernel-MAC-1 | Add MAC config note. |
| Platform-Services-1 | SystemD? |
| Platform-Services-2 | Secure daemon? |
| Platform-Users-Capabilities-1 | Kernel or Platform-user? |
| Platform-Users-Capabilities-2 | Add config note. |
| Application-Installation-1 | Talk about AppFw offline mode. |
| Application-Signature-1 | Add content (see secure build in Secure development part). |
| Application-Services-1 | Add content (Which services?). |
| Application-Services-2 | Add Binder. |
| Connectivity-Abstract-1 | Improve abstract. |
| Connectivity-Wireless-1 | Add communication channels (RFID, ZigBee?). |
| Domain | Improvement |
|---|---|
| Update-SOTA-1 | Part to complete. |
| Domain | Improvement |
|---|---|
| SecureDev-SecureBuild-1 | Add content. |
| SecureDev-Signatures-1 | Add content. |
| SecureDev-CodeAudit-1 | Add CVE analyser. |
| SecureDev-CodeAudit-2 | OSSTMM. |