SlideShare ist ein Scribd-Unternehmen logo

Integrity Protection for Embedded Systems

Samsung Open Source Group
Samsung Open Source Group

Dmitry Kasatkin from the Samsung OSG group in the UK talks about designing and enabling integrity protection for embedded systems.

Sport
1 von 30
Downloaden Sie, um offline zu lesen
Integrity Protection Solutions for Embedded Systems Dmitry Kasatkin Samsung Open Source Group Samsung Research UK, Finland branch FOSDEM 2014 Brussels, Belgium, February 1 – 2, 2014 INTEL CONFIDENTIAL © 2014 SAMSUNG Electronics Co.
Agenda ● What is integrity protection? ● Pre-OS integrity protection ● ● ● 2 OS integrity protection ● Block-level integrity protection ● Linux Integrity subsystem Summary Q&A FOSDEM 2014
What is integrity protection? ● ● ● ● 3 Runtime system integrity is protected by Access Control mechanism, such as DAC and MACs. Assumes trustworthiness of the access control/security related metadata Integrity protection ensures that offline modification of the data will not remain undetected and access to such data will be forbidden Was achieved by file system encryption FOSDEM 2014
Pre-OS Integrity Protection
UEFI x86 boot process Trusted Boot Secure Boot UEFI Boot ROM UEFI boot loader Measured Boot TPM PCRs Linux Kernel /init 5 Attestation Client nonce quote FOSDEM 2014 Attestation Server
UEFI x86 boot process ● ● ● 6 Trusted Boot (TCG, Pre-UEFI) ● TPM based measurements ● Does not prevent booting if measurement is wrong UEFI Secure Boot – PreOS boot ● Root of trust in the firmware (UEFI) ● Prevents modified firmware and boot loader from running ● Boot loader verifies Linux kernel OS Trusted/Secure Boot? ● Linux kernel verifies kernel modules ● What about user space?? FOSDEM 2014
Embedded System Boot – not-connected Secure Boot Secure ROM Root of trust boot loader (u-boot) Linux Kernel /init 7 FOSDEM 2014
Embedded System Boot – for connected Trusted Boot Secure Boot Secure ROM Root of trust boot loader (u-boot) TEE based Mobile TPM PCRs Measured Boot Linux Kernel /init 8 Attestation Client nonce quote FOSDEM 2014 Attestation Server
Secure/Trusted u-boot (~2013.07) ● ● 9 Secure boot extensions since 2013.07 ● Create FIT kernel image (Flattened uImage Tree) ● mkimage -f kernel.its kernel.itb ● Create signed FIT kernel image ● mkimage -f kernel.its -k /path/to/keys -K u-boot.dtb kernel.itb ● Resign ● mkimage -F -k /path/to/keys -K u-boot.dtb kernel.itb TPM support ● TPM library ● Drivers for common TPMs FOSDEM 2014
Signature in FIT { description = "Simple kernel / FDT configuration"; images { kernel@1 { data = /incbin/("../vmlinuz-3.13.0"); kernel-version = <1>; signature@1 { algo = "sha1,rsa2048"; key-name-hint = "dev"; }; }; fdt@1 { description = "snow"; data = /incbin/("exynos5250-snow.dtb"); type = "flat_dt"; arch = "arm"; }; }; }; 10 FOSDEM 2014
Block level Integrity protection Approaches
dm-verity ● ● ● ● ● 12 Transparent block-level integrity protection solution for read-only partitions dm-verity is a device mapper target Uses hash-tree ● Calculates a hash of every block ● Stores hashes in the additional block and calculates hash of that block ● Final hash – root hash – hash of the top level hash-block ● Root hash is passed as a target parameter Used in ChromeOS to protect read-only partition Update can be done only by overwriting entire partition FOSDEM 2014
dm-integrity ● ● ● ● ● 13 Transparent block-level integrity protection solution for RW partitions dm-integrity is a device mapper target ● virtual block device on the top of real Maintains HMAC for every block in special integrity store ● may be the same or different block device ● additional space Verify HMAC on every read-request and update HMAC on every write-request (BIO request) Keeps a cache of LRU integrity metadata for performance purpose FOSDEM 2014
Linux Integrity Subsystem
Linux Integrity Subsystem ● ● ● ● ● Allows to extend Trusted and Secure Boot to user space Linux integrity subsystem is the Policy Based VFS level integrity protection Located under <linux>/security/integrity Provides several integrity functions such as ● Collect, store, attest, apprise, protect, audit Consists of following components: ● IMA – Integrity Measurement Architecture module – – – ● ● 15 IMA-measurement IMA-appraisal Directory integrity verification extension EVM – Extended Verification Module Digital signature verification support FOSDEM 2014
IMA/EVM hooks ● 16 IMA hooks ● int ima_bprm_check(); ● int ima_file_check(); ● int ima_file_free(); ● int ima_file_mmap(); ● int ima_module_check(); ● EVM hooks ● int evm_inode_setattr(); ● void evm_inode_post_setattr(); ● int evm_inode_setxattr(); ● void evm_inode_post_setxattr(); ● int evm_inode_removexattr(); ● void evm_inode_post_removexattr(); FOSDEM 2014
IMA-measurement ● ● ● ● ● ● 17 Since 2.6.30 (CONFIG_IMA) Can be used to remotely attest system's runtime integrity Collect: measure a file's content before it is accessed using cryptographic hash Store: add the measurement to the runtime measurement list, and if TPM is present, extend the IMA PCR-10 ● Incorrect value may “lock” TPM secrets such as keys Attest: if TPM is present, sign IMA PCR value to allow remote validation of the measurement list ● Requires attestation server (challenger) to maintain hash database Also calculates and stores boot aggregate value over the TPM PCRs 0 - 7 FOSDEM 2014
IMA measurement list – original format ● ● ● 18 /sys/kernel/security/integrity/ima/ascii_runtime_measurements Format: PCR template-hash template filedata-hash pathname Original SHA1 format: 10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima 1f50f71b43752cd541a851a585cba3580902e7a9 /sbin/init FOSDEM 2014
IMA measurement list – new format ● ● PCR template-hash template algo:filedata-hash pathname file-signature Larger hash algo: 10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima-ng sha256:c023470c0fc8aa1dbb95504d5af5d46cad94e8bf5eea8e0ab0eeff7a7fe1697a /sbin/init ● Signatures: 10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima-sig 1f50f71b43752cd541a851a585cba3580902e7a9 /sbin/init 030202db1ff72a008016c593387220a2adda990969d87a56a8a24eece51e3689fd229 c4c56e7fddd4eb99f360c2ee3ff0f6344de24ecd3263f4c7a74ac6498403d7ce9e9865e 4d2f32522de79e96d0cb265d5b2ab8fe54953ce53d5e59a51460f67d18e2cbacb4765 ea97f2d9cdd2065816d50fb74e631efd4c2e07c72c01fd9b0f9e3efc6d91a789d 19 FOSDEM 2014
EVM – extended verification module ● ● ● ● 20 Since 3.2 (CONFIG_EVM) Protect: protects integrity of file (extended) attributes against offline modification ● attributes: ino, uid, gid, mode ● extended attributes: security.{ima,SMACK64,selinux} Measures integrity using (keyed) cryptographic hash (hash/HMAC) Performs local integrity validation and enforcement against a “good” reference HMAC value ● 'security.evm' extended attribute ● May contain HMAC or signature FOSDEM 2014
Digital signature extension ● ● ● 21 Since 3.3 (CONFIG_INTEGRITY_SIGNATURE) Protects file attributes using digital signatures ● security.evm may hold signature instead of hmac ● signature is replaced with hmac on successful verification EVM signatures may be used ● When there is no possibility to use device-specific HMAC key during flashing/copying – No special flashing/update mode (fastboot on Android) ● When raw FS image needs to be created for use on multiple devices – HMAC key is device-specific and cannot be used during image creation FOSDEM 2014
IMA-appraisal ● ● ● ● 22 Since 3.7 (CONFIG_IMA_APPRAISE) Appraise: enforce local integrity validation of a file measurement against a “good” reference value ● 'security.ima' extended attribute may hold hash or signature ● signature is never replaced with hash – file is immutable ● Protected by EVM In other words, allows to protect file data from offline modification IMA signatures may be used ● To protect immutable files from runtime modification ● To perform remote attestation without maintaining hash-database FOSDEM 2014
IMA policy # see <linux>/Documentation/ABI/testing/ima_policy # SYSFS_MAGIC dont_measure fsmagic=0x62656572 dont_appraise fsmagic=0x62656572 # DEBUGFS_MAGIC dont_measure fsmagic=0x64626720 dont_appraise fsmagic=0x64626720 …... measure func=BPRM_CHECK measure func=FILE_MMAP mask=MAY_EXEC measure func=FILE_CHECK mask=MAY_READ uid=0 appraise obj_user=sig_t func=FILE_CHECK appraise_type=imasig appraise fowner=1001 appraise_type=imasig appraise fowner=0 23 FOSDEM 2014
Directory & special files integrity protection ● ● ● ● ● ● ● 24 Work in progress (CONFIG_IMA_DIRECTORIES) New hooks for directory/special files integrity verification in fs/namei.c ● ima_dir_check(), ima_dir_update(), ima_link_check() Directory measurement is a hash over directory content ● List of (inode number, file name) tuples Symlink measurement ● Hash of the target path Device node measurement ● Hash over MAJOR:MINOR Hash is also stored in 'security.ima' No EVM changes are required for this FOSDEM 2014
ima-evm-utils ● ● Use of digital signatures requires user-space tools ima-evm-utils (evmctl) ● ● ● ● 25 Sign file metadata and content – evmctl sign –imahash foo – evmctl sign –imasig foo Verify (for testing purpose) Import public keys into the kernel keyring – evmctl import /path/to/key Supports password protected private keys FOSDEM 2014
Example: initramfs script grep -v "^#" /etc/ima_policy >/sys/kernel/security/ima/policy # load IMA policy keyctl add user kmk "testing123" @u keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u # import EVM HMAC key ima_id=`keyctl newring _ima @u` evmctl import /etc/keys/pubkey_evm.pem $ima_id # import IMA public key evm_id=`keyctl newring _evm @u` evmctl import /etc/keys/pubkey_evm.pem $evm_id echo "1" > /sys/kernel/security/evm 26 # import EVM public key # enable EVM FOSDEM 2014
Example: labeling with signatures Label one file: $ echo Hello >foo $ sudo evmctl sign --imahash foo $ getfattr -e hex -m security -d foo # file: foo security.evm=0x030155475e4e0000bc16a96303fd3e7901040060bab44648764dca46ad71827a48c3e171b7e 9444b47b79b7bd7c7f1783852be9b4f038f2c1dd57320b257619b9fa3a9cadea2c679faf83a9755f2a015995ec43 332fdedcc2c72cb87f2eb25a8ef524c3ec78134aaa5b6dd18c8c1bf5e16d886a03dd36587aa927e07154c0009cd af71c1fcbc37fa15a8bd153ba360bf73bafb security.ima=0x011d229271928d3f9e2bb0375bd6ce5db6c6d348d9 Label whole file system: $ evmctl -r sign --imahash / 27 FOSDEM 2014
Summary ● ● ● 28 Integrity protection can be implemented in most embedded systems ● Main requirement is HW root of trust: Secure ROM U-boot provides support for secure/trusted boot Linux kernel provides support for protecting integrity of the storage ● Linux Integrity Subsystem ● policy, local appraisal, remote attestation ● Block-level integrity protection ● dm-verity ● dm-integrity FOSDEM 2014
Links U-Boot ● http://www.denx.de/wiki/U-Boot IMA/EVM ● Integrity tree: http://git.kernel.org/?p=linux/kernel/git/zohar/linux-integrity.git ● Dir tree: http://git.kernel.org/?p=linux/kernel/git/kasatkin/linux-digsig.git ● Linux IMA project page: http://sourceforge.net/projects/linux-ima ● Utils: http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree dm-integrity ● git://git.kernel.org/pub/scm/linux/kernel/git/kasatkin/linux-digsig.git#dm-integ rity 29 FOSDEM 2014
0 Questions? INTEL CONFIDENTIAL © 2014 SAMSUNG Electronics Co.

Empfohlen

Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchlinuxlab_conf
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux SystemJian-Hong Pan
 
Linux Kernel MMC Storage driver Overview
Linux Kernel MMC Storage driver OverviewLinux Kernel MMC Storage driver Overview
Linux Kernel MMC Storage driver OverviewRajKumar Rampelli
 
LAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLinaro
 
ARM LinuxのMMUはわかりにくい
ARM LinuxのMMUはわかりにくいARM LinuxのMMUはわかりにくい
ARM LinuxのMMUはわかりにくいwata2ki
 
Maven Central++ What's happening at the core of the Java supply chain
Maven Central++ What's happening at the core of the Java supply chainMaven Central++ What's happening at the core of the Java supply chain
Maven Central++ What's happening at the core of the Java supply chainSteve Poole
 
Android audio system(audioflinger)
Android audio system(audioflinger)Android audio system(audioflinger)
Android audio system(audioflinger)fefe7270
 
Android デバッグ小ネタ
Android デバッグ小ネタAndroid デバッグ小ネタ
Android デバッグ小ネタl_b__
 

Empfohlen

Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchlinuxlab_conf
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux SystemJian-Hong Pan
 
Linux Kernel MMC Storage driver Overview
Linux Kernel MMC Storage driver OverviewLinux Kernel MMC Storage driver Overview
Linux Kernel MMC Storage driver OverviewRajKumar Rampelli
 
LAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLinaro
 
ARM LinuxのMMUはわかりにくい
ARM LinuxのMMUはわかりにくいARM LinuxのMMUはわかりにくい
ARM LinuxのMMUはわかりにくいwata2ki
 
Maven Central++ What's happening at the core of the Java supply chain
Maven Central++ What's happening at the core of the Java supply chainMaven Central++ What's happening at the core of the Java supply chain
Maven Central++ What's happening at the core of the Java supply chainSteve Poole
 
Android audio system(audioflinger)
Android audio system(audioflinger)Android audio system(audioflinger)
Android audio system(audioflinger)fefe7270
 
Android デバッグ小ネタ
Android デバッグ小ネタAndroid デバッグ小ネタ
Android デバッグ小ネタl_b__
 
Multicast in OpenStack
Multicast in OpenStackMulticast in OpenStack
Multicast in OpenStackVikram G Hosakote
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3Linaro
 
Qemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationQemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationNational Cheng Kung University
 
Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!Ray Jenkins
 
ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!Mr. Vengineer
 
Controlling USB Flash Drive Controllers: Expose of Hidden Features
Controlling USB Flash Drive Controllers: Expose of Hidden FeaturesControlling USB Flash Drive Controllers: Expose of Hidden Features
Controlling USB Flash Drive Controllers: Expose of Hidden Featuresxabean
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalNSConclave
 
Scheduling in Android
Scheduling in AndroidScheduling in Android
Scheduling in AndroidOpersys inc.
 
用Raspberry Pi 學Linux I2C Driver
用Raspberry Pi 學Linux I2C Driver用Raspberry Pi 學Linux I2C Driver
用Raspberry Pi 學Linux I2C Driver艾鍗科技
 
Wireshark入門(2)
Wireshark入門(2)Wireshark入門(2)
Wireshark入門(2)彰 村地
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device driversHoucheng Lin
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Linaro
 
FPGA+SoC+Linux実践勉強会資料
FPGA+SoC+Linux実践勉強会資料FPGA+SoC+Linux実践勉強会資料
FPGA+SoC+Linux実践勉強会資料一路 川染
 
Plan 9のお話
Plan 9のお話Plan 9のお話
Plan 9のお話Ryousei Takano
 
Android起動周りのノウハウ
Android起動周りのノウハウAndroid起動周りのノウハウ
Android起動周りのノウハウchancelab
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtAnne Nicolas
 
Decompressed vmlinux: linux kernel initialization from page table configurati...
Decompressed vmlinux: linux kernel initialization from page table configurati...Decompressed vmlinux: linux kernel initialization from page table configurati...
Decompressed vmlinux: linux kernel initialization from page table configurati...Adrian Huang
 
Linux device driver
Linux device driverLinux device driver
Linux device driverchatsiri
 
Achieving the ultimate performance with KVM
Achieving the ultimate performance with KVM Achieving the ultimate performance with KVM
Achieving the ultimate performance with KVM ShapeBlue
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network StackAdrien Mahieux
 
Android 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation reportAndroid 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation reporthidenorly
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 

Weitere ähnliche Inhalte

Was ist angesagt?

LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3Linaro
 
Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!Ray Jenkins
 
ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!Mr. Vengineer
 
Controlling USB Flash Drive Controllers: Expose of Hidden Features
Controlling USB Flash Drive Controllers: Expose of Hidden FeaturesControlling USB Flash Drive Controllers: Expose of Hidden Features
Controlling USB Flash Drive Controllers: Expose of Hidden Featuresxabean
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalNSConclave
 
Scheduling in Android
Scheduling in AndroidScheduling in Android
Scheduling in AndroidOpersys inc.
 
用Raspberry Pi 學Linux I2C Driver
用Raspberry Pi 學Linux I2C Driver用Raspberry Pi 學Linux I2C Driver
用Raspberry Pi 學Linux I2C Driver艾鍗科技
 
Wireshark入門(2)
Wireshark入門(2)Wireshark入門(2)
Wireshark入門(2)彰 村地
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device driversHoucheng Lin
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Linaro
 
FPGA+SoC+Linux実践勉強会資料
FPGA+SoC+Linux実践勉強会資料FPGA+SoC+Linux実践勉強会資料
FPGA+SoC+Linux実践勉強会資料一路 川染
 
Android起動周りのノウハウ
Android起動周りのノウハウAndroid起動周りのノウハウ
Android起動周りのノウハウchancelab
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtAnne Nicolas
 
Decompressed vmlinux: linux kernel initialization from page table configurati...
Decompressed vmlinux: linux kernel initialization from page table configurati...Decompressed vmlinux: linux kernel initialization from page table configurati...
Decompressed vmlinux: linux kernel initialization from page table configurati...Adrian Huang
 
Linux device driver
Linux device driverLinux device driver
Linux device driverchatsiri
 
Achieving the ultimate performance with KVM
Achieving the ultimate performance with KVM Achieving the ultimate performance with KVM
Achieving the ultimate performance with KVM ShapeBlue
 

Was ist angesagt? (20)

Multicast in OpenStack
Multicast in OpenStackMulticast in OpenStack
Multicast in OpenStack
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
 
Qemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationQemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System Emulation
 
Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!
 
ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!ARM Trusted FirmwareのBL31を単体で使う!
ARM Trusted FirmwareのBL31を単体で使う!
 
Controlling USB Flash Drive Controllers: Expose of Hidden Features
Controlling USB Flash Drive Controllers: Expose of Hidden FeaturesControlling USB Flash Drive Controllers: Expose of Hidden Features
Controlling USB Flash Drive Controllers: Expose of Hidden Features
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan Raval
 
Scheduling in Android
Scheduling in AndroidScheduling in Android
Scheduling in Android
 
用Raspberry Pi 學Linux I2C Driver
用Raspberry Pi 學Linux I2C Driver用Raspberry Pi 學Linux I2C Driver
用Raspberry Pi 學Linux I2C Driver
 
Wireshark入門(2)
Wireshark入門(2)Wireshark入門(2)
Wireshark入門(2)
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device drivers
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
 
FPGA+SoC+Linux実践勉強会資料
FPGA+SoC+Linux実践勉強会資料FPGA+SoC+Linux実践勉強会資料
FPGA+SoC+Linux実践勉強会資料
 
Plan 9のお話
Plan 9のお話Plan 9のお話
Plan 9のお話
 
Android起動周りのノウハウ
Android起動周りのノウハウAndroid起動周りのノウハウ
Android起動周りのノウハウ
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
 
Decompressed vmlinux: linux kernel initialization from page table configurati...
Decompressed vmlinux: linux kernel initialization from page table configurati...Decompressed vmlinux: linux kernel initialization from page table configurati...
Decompressed vmlinux: linux kernel initialization from page table configurati...
 
Linux device driver
Linux device driverLinux device driver
Linux device driver
 
Achieving the ultimate performance with KVM
Achieving the ultimate performance with KVM Achieving the ultimate performance with KVM
Achieving the ultimate performance with KVM
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
 

Andere mochten auch

Android 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation reportAndroid 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation reporthidenorly
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted ComputingOWASP
 
Running Code in the Android Stack at ELCE 2013
Running Code in the Android Stack at ELCE 2013Running Code in the Android Stack at ELCE 2013
Running Code in the Android Stack at ELCE 2013Opersys inc.
 
EMSCRIPTEN: 將應用快速 PORT 到 JAVASCRIPT 上的神物
EMSCRIPTEN: 將應用快速 PORT 到 JAVASCRIPT 上的神物EMSCRIPTEN: 將應用快速 PORT 到 JAVASCRIPT 上的神物
EMSCRIPTEN: 將應用快速 PORT 到 JAVASCRIPT 上的神物Wei-Ning Huang
 
Chromium OS Introduction
Chromium OS IntroductionChromium OS Introduction
Chromium OS IntroductionWei-Ning Huang
 
Trusted Platform Module (TPM)
Trusted Platform Module (TPM)Trusted Platform Module (TPM)
Trusted Platform Module (TPM)k33a
 
Hypervisor and VDI security
Hypervisor and VDI securityHypervisor and VDI security
Hypervisor and VDI securityDenis Gundarev
 
Scheduling in Android
Scheduling in AndroidScheduling in Android
Scheduling in AndroidOpersys inc.
 

Andere mochten auch (9)

Android 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation reportAndroid 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation report
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing
 
Running Code in the Android Stack at ELCE 2013
Running Code in the Android Stack at ELCE 2013Running Code in the Android Stack at ELCE 2013
Running Code in the Android Stack at ELCE 2013
 
EMSCRIPTEN: 將應用快速 PORT 到 JAVASCRIPT 上的神物
EMSCRIPTEN: 將應用快速 PORT 到 JAVASCRIPT 上的神物EMSCRIPTEN: 將應用快速 PORT 到 JAVASCRIPT 上的神物
EMSCRIPTEN: 將應用快速 PORT 到 JAVASCRIPT 上的神物
 
Chromium OS Introduction
Chromium OS IntroductionChromium OS Introduction
Chromium OS Introduction
 
Trusted Platform Module (TPM)
Trusted Platform Module (TPM)Trusted Platform Module (TPM)
Trusted Platform Module (TPM)
 
Hypervisor and VDI security
Hypervisor and VDI securityHypervisor and VDI security
Hypervisor and VDI security
 
Scheduling in Android
Scheduling in AndroidScheduling in Android
Scheduling in Android
 

Ähnlich wie Integrity Protection for Embedded Systems

What's New in Security for IBM i?
What's New in Security for IBM i?What's New in Security for IBM i?
What's New in Security for IBM i?HelpSystems
 
A3Sec Advanced Deployment System
A3Sec Advanced Deployment SystemA3Sec Advanced Deployment System
A3Sec Advanced Deployment Systema3sec
 
Nat mikrotik
Nat mikrotikNat mikrotik
Nat mikrotiklouisraj
 
Red Hat Linux 5 Hardening Tips - National Security Agency
Red Hat Linux 5 Hardening Tips - National Security AgencyRed Hat Linux 5 Hardening Tips - National Security Agency
Red Hat Linux 5 Hardening Tips - National Security Agencysanchetanparmar
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
PGEncryption_Tutorial
PGEncryption_TutorialPGEncryption_Tutorial
PGEncryption_TutorialVibhor Kumar
 
PSU Security Conference 2015 - LAPS Presentation
PSU Security Conference 2015 - LAPS PresentationPSU Security Conference 2015 - LAPS Presentation
PSU Security Conference 2015 - LAPS PresentationDan Barr
 
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara
 
Securing with Sophos - Sophos Day Belux 2014
Securing with Sophos - Sophos Day Belux 2014Securing with Sophos - Sophos Day Belux 2014
Securing with Sophos - Sophos Day Belux 2014Sophos Benelux
 
Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core
Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios CoreNagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core
Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios CoreNagios
 
Looking into trusted and encrypted keys
Looking into trusted and encrypted keysLooking into trusted and encrypted keys
Looking into trusted and encrypted keysSUSE Labs Taipei
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?Michael Boelen
 
High end security for low-end microcontrollers
High end security for low-end microcontrollersHigh end security for low-end microcontrollers
High end security for low-end microcontrollersMilosch Meriac
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerDavid Sweigert
 
QueueMetrics - Tips and Tricks
QueueMetrics - Tips and TricksQueueMetrics - Tips and Tricks
QueueMetrics - Tips and TricksClarotech_Events
 
Reconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatformsReconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatformsAbdullah Deeb
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise247infotech
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)David Sweigert
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalabilityWim Godden
 

Ähnlich wie Integrity Protection for Embedded Systems (20)

What's New in Security for IBM i?
What's New in Security for IBM i?What's New in Security for IBM i?
What's New in Security for IBM i?
 
A3Sec Advanced Deployment System
A3Sec Advanced Deployment SystemA3Sec Advanced Deployment System
A3Sec Advanced Deployment System
 
Nat mikrotik
Nat mikrotikNat mikrotik
Nat mikrotik
 
Red Hat Linux 5 Hardening Tips - National Security Agency
Red Hat Linux 5 Hardening Tips - National Security AgencyRed Hat Linux 5 Hardening Tips - National Security Agency
Red Hat Linux 5 Hardening Tips - National Security Agency
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
PGEncryption_Tutorial
PGEncryption_TutorialPGEncryption_Tutorial
PGEncryption_Tutorial
 
PSU Security Conference 2015 - LAPS Presentation
PSU Security Conference 2015 - LAPS PresentationPSU Security Conference 2015 - LAPS Presentation
PSU Security Conference 2015 - LAPS Presentation
 
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
 
Securing with Sophos - Sophos Day Belux 2014
Securing with Sophos - Sophos Day Belux 2014Securing with Sophos - Sophos Day Belux 2014
Securing with Sophos - Sophos Day Belux 2014
 
Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core
Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios CoreNagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core
Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core
 
Looking into trusted and encrypted keys
Looking into trusted and encrypted keysLooking into trusted and encrypted keys
Looking into trusted and encrypted keys
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
 
High end security for low-end microcontrollers
High end security for low-end microcontrollersHigh end security for low-end microcontrollers
High end security for low-end microcontrollers
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
 
QueueMetrics - Tips and Tricks
QueueMetrics - Tips and TricksQueueMetrics - Tips and Tricks
QueueMetrics - Tips and Tricks
 
Reconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatformsReconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatforms
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
 
How to configure esx to pass an audit
How to configure esx to pass an auditHow to configure esx to pass an audit
How to configure esx to pass an audit
 

Mehr von Samsung Open Source Group

The Complex IoT Equation (and FLOSS solutions)
The Complex IoT Equation (and FLOSS solutions)The Complex IoT Equation (and FLOSS solutions)
The Complex IoT Equation (and FLOSS solutions)Samsung Open Source Group
 
Rapid SPi Device Driver Development over USB
Rapid SPi Device Driver Development over USBRapid SPi Device Driver Development over USB
Rapid SPi Device Driver Development over USBSamsung Open Source Group
 
Tizen RT: A Lightweight RTOS Platform for Low-End IoT Devices
Tizen RT: A Lightweight RTOS Platform for Low-End IoT DevicesTizen RT: A Lightweight RTOS Platform for Low-End IoT Devices
Tizen RT: A Lightweight RTOS Platform for Low-End IoT DevicesSamsung Open Source Group
 
IoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and BeyondIoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and BeyondSamsung Open Source Group
 
IoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorialIoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorialSamsung Open Source Group
 
Open Source Metrics to Inform Corporate Strategy
Open Source Metrics to Inform Corporate StrategyOpen Source Metrics to Inform Corporate Strategy
Open Source Metrics to Inform Corporate StrategySamsung Open Source Group
 
IoTivity for Automotive IoT Interoperability
IoTivity for Automotive IoT InteroperabilityIoTivity for Automotive IoT Interoperability
IoTivity for Automotive IoT InteroperabilitySamsung Open Source Group
 
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...Samsung Open Source Group
 
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux DeviceAdding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux DeviceSamsung Open Source Group
 
IoT: From Arduino Microcontrollers to Tizen Products using IoTivity
IoT: From Arduino Microcontrollers to Tizen Products using IoTivityIoT: From Arduino Microcontrollers to Tizen Products using IoTivity
IoT: From Arduino Microcontrollers to Tizen Products using IoTivitySamsung Open Source Group
 
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under LinuxPractical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under LinuxSamsung Open Source Group
 
IoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
IoTivity Tutorial: Prototyping IoT Devices on GNU/LinuxIoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
IoTivity Tutorial: Prototyping IoT Devices on GNU/LinuxSamsung Open Source Group
 
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Things
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of ThingsJerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Things
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of ThingsSamsung Open Source Group
 

Mehr von Samsung Open Source Group (20)

The Complex IoT Equation (and FLOSS solutions)
The Complex IoT Equation (and FLOSS solutions)The Complex IoT Equation (and FLOSS solutions)
The Complex IoT Equation (and FLOSS solutions)
 
Easy IoT with JavaScript
Easy IoT with JavaScriptEasy IoT with JavaScript
Easy IoT with JavaScript
 
Spawny: A New Approach to Logins
Spawny: A New Approach to LoginsSpawny: A New Approach to Logins
Spawny: A New Approach to Logins
 
Rapid SPi Device Driver Development over USB
Rapid SPi Device Driver Development over USBRapid SPi Device Driver Development over USB
Rapid SPi Device Driver Development over USB
 
Tizen RT: A Lightweight RTOS Platform for Low-End IoT Devices
Tizen RT: A Lightweight RTOS Platform for Low-End IoT DevicesTizen RT: A Lightweight RTOS Platform for Low-End IoT Devices
Tizen RT: A Lightweight RTOS Platform for Low-End IoT Devices
 
IoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and BeyondIoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and Beyond
 
IoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorialIoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorial
 
GENIVI + OCF Cooperation
GENIVI + OCF CooperationGENIVI + OCF Cooperation
GENIVI + OCF Cooperation
 
Framework for IoT Interoperability
Framework for IoT InteroperabilityFramework for IoT Interoperability
Framework for IoT Interoperability
 
Open Source Metrics to Inform Corporate Strategy
Open Source Metrics to Inform Corporate StrategyOpen Source Metrics to Inform Corporate Strategy
Open Source Metrics to Inform Corporate Strategy
 
IoTivity for Automotive IoT Interoperability
IoTivity for Automotive IoT InteroperabilityIoTivity for Automotive IoT Interoperability
IoTivity for Automotive IoT Interoperability
 
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...
 
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux DeviceAdding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
 
IoTivity: From Devices to the Cloud
IoTivity: From Devices to the CloudIoTivity: From Devices to the Cloud
IoTivity: From Devices to the Cloud
 
SOSCON 2016 JerryScript
SOSCON 2016 JerryScriptSOSCON 2016 JerryScript
SOSCON 2016 JerryScript
 
IoT: From Arduino Microcontrollers to Tizen Products using IoTivity
IoT: From Arduino Microcontrollers to Tizen Products using IoTivityIoT: From Arduino Microcontrollers to Tizen Products using IoTivity
IoT: From Arduino Microcontrollers to Tizen Products using IoTivity
 
Run Your Own 6LoWPAN Based IoT Network
Run Your Own 6LoWPAN Based IoT NetworkRun Your Own 6LoWPAN Based IoT Network
Run Your Own 6LoWPAN Based IoT Network
 
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under LinuxPractical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
 
IoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
IoTivity Tutorial: Prototyping IoT Devices on GNU/LinuxIoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
IoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
 
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Things
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of ThingsJerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Things
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Things
 

Kürzlich hochgeladen

Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docxSlovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docxWorld Wide Tickets And Hospitality
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Spain Vs Italy 20 players confirmed for Spain's Euro 2024 squad, and three po...
Spain Vs Italy 20 players confirmed for Spain's Euro 2024 squad, and three po...Spain Vs Italy 20 players confirmed for Spain's Euro 2024 squad, and three po...
Spain Vs Italy 20 players confirmed for Spain's Euro 2024 squad, and three po...World Wide Tickets And Hospitality
 
UEFA Euro 2024 Squad Check-in Who is Most Favorite.docx
UEFA Euro 2024 Squad Check-in Who is Most Favorite.docxUEFA Euro 2024 Squad Check-in Who is Most Favorite.docx
UEFA Euro 2024 Squad Check-in Who is Most Favorite.docxEuro Cup 2024 Tickets
 
JORNADA 5 LIGA MURO 2024INSUGURACION.pdf
JORNADA 5 LIGA MURO 2024INSUGURACION.pdfJORNADA 5 LIGA MURO 2024INSUGURACION.pdf
JORNADA 5 LIGA MURO 2024INSUGURACION.pdfArturo Pacheco Alvarez
 
Who Is Emmanuel Katto Uganda? His Career, personal life etc.
Who Is Emmanuel Katto Uganda? His Career, personal life etc.Who Is Emmanuel Katto Uganda? His Career, personal life etc.
Who Is Emmanuel Katto Uganda? His Career, personal life etc.Marina Costa
 
08448380779 Call Girls In Karol Bagh Women Seeking Men
08448380779 Call Girls In Karol Bagh Women Seeking Men08448380779 Call Girls In Karol Bagh Women Seeking Men
08448380779 Call Girls In Karol Bagh Women Seeking MenDelhi Call girls
 
WhatsApp Chat: 📞 8617697112 Birbhum Call Girl available for hotel room package
WhatsApp Chat: 📞 8617697112 Birbhum Call Girl available for hotel room packageWhatsApp Chat: 📞 8617697112 Birbhum Call Girl available for hotel room package
WhatsApp Chat: 📞 8617697112 Birbhum Call Girl available for hotel room packageNitya salvi
 
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...baharayali
 
ALL NFL NETWORK CONTACTS- April 29, 2024
ALL NFL NETWORK CONTACTS- April 29, 2024ALL NFL NETWORK CONTACTS- April 29, 2024
ALL NFL NETWORK CONTACTS- April 29, 2024Brian Slack
 
Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...
Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...
Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...World Wide Tickets And Hospitality
 
Sports Writing (Rules,Tips, Examples, etc)
Sports Writing (Rules,Tips, Examples, etc)Sports Writing (Rules,Tips, Examples, etc)
Sports Writing (Rules,Tips, Examples, etc)CMBustamante
 
08448380779 Call Girls In Lajpat Nagar Women Seeking Men
08448380779 Call Girls In Lajpat Nagar Women Seeking Men08448380779 Call Girls In Lajpat Nagar Women Seeking Men
08448380779 Call Girls In Lajpat Nagar Women Seeking MenDelhi Call girls
 
Technical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics Trade
Technical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics TradeTechnical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics Trade
Technical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics TradeOptics-Trade
 
08448380779 Call Girls In IIT Women Seeking Men
08448380779 Call Girls In IIT Women Seeking Men08448380779 Call Girls In IIT Women Seeking Men
08448380779 Call Girls In IIT Women Seeking MenDelhi Call girls
 
TAM Sports_IPL 17 Till Match 37_Celebrity Endorsement _Report.pdf
TAM Sports_IPL 17 Till Match 37_Celebrity Endorsement _Report.pdfTAM Sports_IPL 17 Till Match 37_Celebrity Endorsement _Report.pdf
TAM Sports_IPL 17 Till Match 37_Celebrity Endorsement _Report.pdfSocial Samosa
 
Ramban Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts In...
Ramban Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts In...Ramban Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts In...
Ramban Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts In...Nitya salvi
 
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...Eticketing.co
 
Personal Brand Exploration - By Bradley Dennis
Personal Brand Exploration - By Bradley DennisPersonal Brand Exploration - By Bradley Dennis
Personal Brand Exploration - By Bradley Dennisjocksofalltradespodc
 
Hire 💕 8617697112 Kasauli Call Girls Service Call Girls Agency
Hire 💕 8617697112 Kasauli Call Girls Service Call Girls AgencyHire 💕 8617697112 Kasauli Call Girls Service Call Girls Agency
Hire 💕 8617697112 Kasauli Call Girls Service Call Girls AgencyNitya salvi
 

Kürzlich hochgeladen (20)

Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docxSlovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Spain Vs Italy 20 players confirmed for Spain's Euro 2024 squad, and three po...
Spain Vs Italy 20 players confirmed for Spain's Euro 2024 squad, and three po...Spain Vs Italy 20 players confirmed for Spain's Euro 2024 squad, and three po...
Spain Vs Italy 20 players confirmed for Spain's Euro 2024 squad, and three po...
 
UEFA Euro 2024 Squad Check-in Who is Most Favorite.docx
UEFA Euro 2024 Squad Check-in Who is Most Favorite.docxUEFA Euro 2024 Squad Check-in Who is Most Favorite.docx
UEFA Euro 2024 Squad Check-in Who is Most Favorite.docx
 
JORNADA 5 LIGA MURO 2024INSUGURACION.pdf
JORNADA 5 LIGA MURO 2024INSUGURACION.pdfJORNADA 5 LIGA MURO 2024INSUGURACION.pdf
JORNADA 5 LIGA MURO 2024INSUGURACION.pdf
 
Who Is Emmanuel Katto Uganda? His Career, personal life etc.
Who Is Emmanuel Katto Uganda? His Career, personal life etc.Who Is Emmanuel Katto Uganda? His Career, personal life etc.
Who Is Emmanuel Katto Uganda? His Career, personal life etc.
 
08448380779 Call Girls In Karol Bagh Women Seeking Men
08448380779 Call Girls In Karol Bagh Women Seeking Men08448380779 Call Girls In Karol Bagh Women Seeking Men
08448380779 Call Girls In Karol Bagh Women Seeking Men
 
WhatsApp Chat: 📞 8617697112 Birbhum Call Girl available for hotel room package
WhatsApp Chat: 📞 8617697112 Birbhum Call Girl available for hotel room packageWhatsApp Chat: 📞 8617697112 Birbhum Call Girl available for hotel room package
WhatsApp Chat: 📞 8617697112 Birbhum Call Girl available for hotel room package
 
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...
 
ALL NFL NETWORK CONTACTS- April 29, 2024
ALL NFL NETWORK CONTACTS- April 29, 2024ALL NFL NETWORK CONTACTS- April 29, 2024
ALL NFL NETWORK CONTACTS- April 29, 2024
 
Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...
Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...
Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...
 
Sports Writing (Rules,Tips, Examples, etc)
Sports Writing (Rules,Tips, Examples, etc)Sports Writing (Rules,Tips, Examples, etc)
Sports Writing (Rules,Tips, Examples, etc)
 
08448380779 Call Girls In Lajpat Nagar Women Seeking Men
08448380779 Call Girls In Lajpat Nagar Women Seeking Men08448380779 Call Girls In Lajpat Nagar Women Seeking Men
08448380779 Call Girls In Lajpat Nagar Women Seeking Men
 
Technical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics Trade
Technical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics TradeTechnical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics Trade
Technical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics Trade
 
08448380779 Call Girls In IIT Women Seeking Men
08448380779 Call Girls In IIT Women Seeking Men08448380779 Call Girls In IIT Women Seeking Men
08448380779 Call Girls In IIT Women Seeking Men
 
TAM Sports_IPL 17 Till Match 37_Celebrity Endorsement _Report.pdf
TAM Sports_IPL 17 Till Match 37_Celebrity Endorsement _Report.pdfTAM Sports_IPL 17 Till Match 37_Celebrity Endorsement _Report.pdf
TAM Sports_IPL 17 Till Match 37_Celebrity Endorsement _Report.pdf
 
Ramban Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts In...
Ramban Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts In...Ramban Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts In...
Ramban Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts In...
 
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...
 
Personal Brand Exploration - By Bradley Dennis
Personal Brand Exploration - By Bradley DennisPersonal Brand Exploration - By Bradley Dennis
Personal Brand Exploration - By Bradley Dennis
 
Hire 💕 8617697112 Kasauli Call Girls Service Call Girls Agency
Hire 💕 8617697112 Kasauli Call Girls Service Call Girls AgencyHire 💕 8617697112 Kasauli Call Girls Service Call Girls Agency
Hire 💕 8617697112 Kasauli Call Girls Service Call Girls Agency
 

Integrity Protection for Embedded Systems

  • 1. Integrity Protection Solutions for Embedded Systems Dmitry Kasatkin Samsung Open Source Group Samsung Research UK, Finland branch FOSDEM 2014 Brussels, Belgium, February 1 – 2, 2014 INTEL CONFIDENTIAL © 2014 SAMSUNG Electronics Co.
  • 2. Agenda ● What is integrity protection? ● Pre-OS integrity protection ● ● ● 2 OS integrity protection ● Block-level integrity protection ● Linux Integrity subsystem Summary Q&A FOSDEM 2014
  • 3. What is integrity protection? ● ● ● ● 3 Runtime system integrity is protected by Access Control mechanism, such as DAC and MACs. Assumes trustworthiness of the access control/security related metadata Integrity protection ensures that offline modification of the data will not remain undetected and access to such data will be forbidden Was achieved by file system encryption FOSDEM 2014
  • 5. UEFI x86 boot process Trusted Boot Secure Boot UEFI Boot ROM UEFI boot loader Measured Boot TPM PCRs Linux Kernel /init 5 Attestation Client nonce quote FOSDEM 2014 Attestation Server
  • 6. UEFI x86 boot process ● ● ● 6 Trusted Boot (TCG, Pre-UEFI) ● TPM based measurements ● Does not prevent booting if measurement is wrong UEFI Secure Boot – PreOS boot ● Root of trust in the firmware (UEFI) ● Prevents modified firmware and boot loader from running ● Boot loader verifies Linux kernel OS Trusted/Secure Boot? ● Linux kernel verifies kernel modules ● What about user space?? FOSDEM 2014
  • 7. Embedded System Boot – not-connected Secure Boot Secure ROM Root of trust boot loader (u-boot) Linux Kernel /init 7 FOSDEM 2014
  • 8. Embedded System Boot – for connected Trusted Boot Secure Boot Secure ROM Root of trust boot loader (u-boot) TEE based Mobile TPM PCRs Measured Boot Linux Kernel /init 8 Attestation Client nonce quote FOSDEM 2014 Attestation Server
  • 9. Secure/Trusted u-boot (~2013.07) ● ● 9 Secure boot extensions since 2013.07 ● Create FIT kernel image (Flattened uImage Tree) ● mkimage -f kernel.its kernel.itb ● Create signed FIT kernel image ● mkimage -f kernel.its -k /path/to/keys -K u-boot.dtb kernel.itb ● Resign ● mkimage -F -k /path/to/keys -K u-boot.dtb kernel.itb TPM support ● TPM library ● Drivers for common TPMs FOSDEM 2014
  • 10. Signature in FIT { description = "Simple kernel / FDT configuration"; images { kernel@1 { data = /incbin/("../vmlinuz-3.13.0"); kernel-version = <1>; signature@1 { algo = "sha1,rsa2048"; key-name-hint = "dev"; }; }; fdt@1 { description = "snow"; data = /incbin/("exynos5250-snow.dtb"); type = "flat_dt"; arch = "arm"; }; }; }; 10 FOSDEM 2014
  • 11. Block level Integrity protection Approaches
  • 12. dm-verity ● ● ● ● ● 12 Transparent block-level integrity protection solution for read-only partitions dm-verity is a device mapper target Uses hash-tree ● Calculates a hash of every block ● Stores hashes in the additional block and calculates hash of that block ● Final hash – root hash – hash of the top level hash-block ● Root hash is passed as a target parameter Used in ChromeOS to protect read-only partition Update can be done only by overwriting entire partition FOSDEM 2014
  • 13. dm-integrity ● ● ● ● ● 13 Transparent block-level integrity protection solution for RW partitions dm-integrity is a device mapper target ● virtual block device on the top of real Maintains HMAC for every block in special integrity store ● may be the same or different block device ● additional space Verify HMAC on every read-request and update HMAC on every write-request (BIO request) Keeps a cache of LRU integrity metadata for performance purpose FOSDEM 2014
  • 15. Linux Integrity Subsystem ● ● ● ● ● Allows to extend Trusted and Secure Boot to user space Linux integrity subsystem is the Policy Based VFS level integrity protection Located under <linux>/security/integrity Provides several integrity functions such as ● Collect, store, attest, apprise, protect, audit Consists of following components: ● IMA – Integrity Measurement Architecture module – – – ● ● 15 IMA-measurement IMA-appraisal Directory integrity verification extension EVM – Extended Verification Module Digital signature verification support FOSDEM 2014
  • 16. IMA/EVM hooks ● 16 IMA hooks ● int ima_bprm_check(); ● int ima_file_check(); ● int ima_file_free(); ● int ima_file_mmap(); ● int ima_module_check(); ● EVM hooks ● int evm_inode_setattr(); ● void evm_inode_post_setattr(); ● int evm_inode_setxattr(); ● void evm_inode_post_setxattr(); ● int evm_inode_removexattr(); ● void evm_inode_post_removexattr(); FOSDEM 2014
  • 17. IMA-measurement ● ● ● ● ● ● 17 Since 2.6.30 (CONFIG_IMA) Can be used to remotely attest system's runtime integrity Collect: measure a file's content before it is accessed using cryptographic hash Store: add the measurement to the runtime measurement list, and if TPM is present, extend the IMA PCR-10 ● Incorrect value may “lock” TPM secrets such as keys Attest: if TPM is present, sign IMA PCR value to allow remote validation of the measurement list ● Requires attestation server (challenger) to maintain hash database Also calculates and stores boot aggregate value over the TPM PCRs 0 - 7 FOSDEM 2014
  • 18. IMA measurement list – original format ● ● ● 18 /sys/kernel/security/integrity/ima/ascii_runtime_measurements Format: PCR template-hash template filedata-hash pathname Original SHA1 format: 10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima 1f50f71b43752cd541a851a585cba3580902e7a9 /sbin/init FOSDEM 2014
  • 19. IMA measurement list – new format ● ● PCR template-hash template algo:filedata-hash pathname file-signature Larger hash algo: 10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima-ng sha256:c023470c0fc8aa1dbb95504d5af5d46cad94e8bf5eea8e0ab0eeff7a7fe1697a /sbin/init ● Signatures: 10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima-sig 1f50f71b43752cd541a851a585cba3580902e7a9 /sbin/init 030202db1ff72a008016c593387220a2adda990969d87a56a8a24eece51e3689fd229 c4c56e7fddd4eb99f360c2ee3ff0f6344de24ecd3263f4c7a74ac6498403d7ce9e9865e 4d2f32522de79e96d0cb265d5b2ab8fe54953ce53d5e59a51460f67d18e2cbacb4765 ea97f2d9cdd2065816d50fb74e631efd4c2e07c72c01fd9b0f9e3efc6d91a789d 19 FOSDEM 2014
  • 20. EVM – extended verification module ● ● ● ● 20 Since 3.2 (CONFIG_EVM) Protect: protects integrity of file (extended) attributes against offline modification ● attributes: ino, uid, gid, mode ● extended attributes: security.{ima,SMACK64,selinux} Measures integrity using (keyed) cryptographic hash (hash/HMAC) Performs local integrity validation and enforcement against a “good” reference HMAC value ● 'security.evm' extended attribute ● May contain HMAC or signature FOSDEM 2014
  • 21. Digital signature extension ● ● ● 21 Since 3.3 (CONFIG_INTEGRITY_SIGNATURE) Protects file attributes using digital signatures ● security.evm may hold signature instead of hmac ● signature is replaced with hmac on successful verification EVM signatures may be used ● When there is no possibility to use device-specific HMAC key during flashing/copying – No special flashing/update mode (fastboot on Android) ● When raw FS image needs to be created for use on multiple devices – HMAC key is device-specific and cannot be used during image creation FOSDEM 2014
  • 22. IMA-appraisal ● ● ● ● 22 Since 3.7 (CONFIG_IMA_APPRAISE) Appraise: enforce local integrity validation of a file measurement against a “good” reference value ● 'security.ima' extended attribute may hold hash or signature ● signature is never replaced with hash – file is immutable ● Protected by EVM In other words, allows to protect file data from offline modification IMA signatures may be used ● To protect immutable files from runtime modification ● To perform remote attestation without maintaining hash-database FOSDEM 2014
  • 23. IMA policy # see <linux>/Documentation/ABI/testing/ima_policy # SYSFS_MAGIC dont_measure fsmagic=0x62656572 dont_appraise fsmagic=0x62656572 # DEBUGFS_MAGIC dont_measure fsmagic=0x64626720 dont_appraise fsmagic=0x64626720 …... measure func=BPRM_CHECK measure func=FILE_MMAP mask=MAY_EXEC measure func=FILE_CHECK mask=MAY_READ uid=0 appraise obj_user=sig_t func=FILE_CHECK appraise_type=imasig appraise fowner=1001 appraise_type=imasig appraise fowner=0 23 FOSDEM 2014
  • 24. Directory & special files integrity protection ● ● ● ● ● ● ● 24 Work in progress (CONFIG_IMA_DIRECTORIES) New hooks for directory/special files integrity verification in fs/namei.c ● ima_dir_check(), ima_dir_update(), ima_link_check() Directory measurement is a hash over directory content ● List of (inode number, file name) tuples Symlink measurement ● Hash of the target path Device node measurement ● Hash over MAJOR:MINOR Hash is also stored in 'security.ima' No EVM changes are required for this FOSDEM 2014
  • 25. ima-evm-utils ● ● Use of digital signatures requires user-space tools ima-evm-utils (evmctl) ● ● ● ● 25 Sign file metadata and content – evmctl sign –imahash foo – evmctl sign –imasig foo Verify (for testing purpose) Import public keys into the kernel keyring – evmctl import /path/to/key Supports password protected private keys FOSDEM 2014
  • 26. Example: initramfs script grep -v "^#" /etc/ima_policy >/sys/kernel/security/ima/policy # load IMA policy keyctl add user kmk "testing123" @u keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u # import EVM HMAC key ima_id=`keyctl newring _ima @u` evmctl import /etc/keys/pubkey_evm.pem $ima_id # import IMA public key evm_id=`keyctl newring _evm @u` evmctl import /etc/keys/pubkey_evm.pem $evm_id echo "1" > /sys/kernel/security/evm 26 # import EVM public key # enable EVM FOSDEM 2014
  • 27. Example: labeling with signatures Label one file: $ echo Hello >foo $ sudo evmctl sign --imahash foo $ getfattr -e hex -m security -d foo # file: foo security.evm=0x030155475e4e0000bc16a96303fd3e7901040060bab44648764dca46ad71827a48c3e171b7e 9444b47b79b7bd7c7f1783852be9b4f038f2c1dd57320b257619b9fa3a9cadea2c679faf83a9755f2a015995ec43 332fdedcc2c72cb87f2eb25a8ef524c3ec78134aaa5b6dd18c8c1bf5e16d886a03dd36587aa927e07154c0009cd af71c1fcbc37fa15a8bd153ba360bf73bafb security.ima=0x011d229271928d3f9e2bb0375bd6ce5db6c6d348d9 Label whole file system: $ evmctl -r sign --imahash / 27 FOSDEM 2014
  • 28. Summary ● ● ● 28 Integrity protection can be implemented in most embedded systems ● Main requirement is HW root of trust: Secure ROM U-boot provides support for secure/trusted boot Linux kernel provides support for protecting integrity of the storage ● Linux Integrity Subsystem ● policy, local appraisal, remote attestation ● Block-level integrity protection ● dm-verity ● dm-integrity FOSDEM 2014
  • 29. Links U-Boot ● http://www.denx.de/wiki/U-Boot IMA/EVM ● Integrity tree: http://git.kernel.org/?p=linux/kernel/git/zohar/linux-integrity.git ● Dir tree: http://git.kernel.org/?p=linux/kernel/git/kasatkin/linux-digsig.git ● Linux IMA project page: http://sourceforge.net/projects/linux-ima ● Utils: http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree dm-integrity ● git://git.kernel.org/pub/scm/linux/kernel/git/kasatkin/linux-digsig.git#dm-integ rity 29 FOSDEM 2014
  • 30. 0 Questions? INTEL CONFIDENTIAL © 2014 SAMSUNG Electronics Co.