Can embedded devices have the same type of security that normal desktops run? Can that security be enhanced in some way? The answer is yes, with the new meta-security layer that can be used with the Yocto Project. It is now very simple to build a Linux distribution with the Yocto Project and use all of the included security tools to harden and protect an embedded device and to detect vulnerabilities on it.

Why the security layer?

As embedded devices keep getting more and more powerful, the security of those devices deserves some concern. Some devices run in a closed environment with no access from outside, but that is not the case for all of them. If someone is running a web server on a router, for example, or uses a device that is permanently connected to the internet, it can be susceptible to hijacking. With this security layer we wanted to give users the chance to enhance security on every device that uses the Yocto Project.

What does it contain?

After searching the internet for open source security packages that can be used on embedded devices, we arrived at a list that covers a wide range of functionality useful to the user. At the moment the security layer contains hardening tools, security checking tools, a library for syscall filtering, web server security, port scanners, and other features that target different levels of system security, from low level to high level.

The packages included in this layer are described below, along with some usage examples.

We are going to start with Bastille, a hardening program used to secure the system and its environment so that it is harder to penetrate and exploit. It is an easy to use, rule-based hardening tool that is configured interactively. On the first run with "bastille -c", the user must go through a list of questions. After all questions are answered, a config file is created and run, and the system is hardened based on the answers given. If a config file is already present on the system, it can be run by simply typing "bastille -b".

Next in line are the redhat-security tools. This is a collection of scripts that analyze security problems ranging from file permissions to the correctness of code. Here are some items from that list:

  • find-chroot.sh - This script scans the whole file system looking for ELF files that call chroot(2) without also calling chdir(2). Programs that fail to do this do not have their current working directory inside the chroot, which means the application can escape the protection that was intended.
  • find-nodrop-groups.sh - This script scans the whole file system to see if a program makes calls to change its UID and GID without also calling setgroups or initgroups.
  • find-hidden-exec.sh - This script scans the whole file system looking for executables that are hidden. Anything found must be investigated, since it is highly unusual for executables to be hidden.
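The three checks above are simple enough to reimplement, and doing so shows what the scripts actually look at. The following is an added example written for this article, not code from the redhat-security package: it reads the symbol tables of ELF64 binaries directly (no readelf needed), applies the chroot-without-chdir rule and a setuid/setgid-without-setgroups rule that approximates find-nodrop-groups.sh, and flags hidden executables while walking a tree. The `build_sample_elf` helper fabricates a tiny ELF image so the scanner can be exercised without a real root file system; the symbol lists it takes are constructed test data.

```python
import os
import stat
import struct

# Layouts for little-endian ELF64: file header, section header, symbol entry.
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")         # 64 bytes
SYM = struct.Struct("<IBBHQQ")              # 24 bytes
SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 2, 3, 11

# Symbols that change credentials, and the two that should accompany them
# (an approximation of the find-nodrop-groups.sh rule; assumed, not the script's exact list).
ID_CHANGERS = {"setuid", "seteuid", "setreuid", "setresuid",
               "setgid", "setegid", "setregid", "setresgid"}
GROUP_DROPPERS = {"setgroups", "initgroups"}


def elf_symbol_names(data):
    """Return the set of symbol names in .dynsym/.symtab, or None if data is not LE ELF64."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    hdr = EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    sections = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    names = set()
    for sh in sections:
        sh_type, sh_off, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type not in (SHT_DYNSYM, SHT_SYMTAB):
            continue
        strtab = sections[sh_link]                     # sh_link names the string table section
        strs = data[strtab[4]:strtab[4] + strtab[5]]
        for off in range(sh_off, sh_off + sh_size, sh_entsize or SYM.size):
            st_name = SYM.unpack_from(data, off)[0]
            if st_name:                                # entry 0 is the null symbol
                names.add(strs[st_name:].split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def findings_for_symbols(names):
    """Apply the find-chroot.sh and find-nodrop-groups.sh rules to one binary's symbol set."""
    out = []
    if "chroot" in names and "chdir" not in names:
        out.append("chroot without chdir")
    if names & ID_CHANGERS and not names & GROUP_DROPPERS:
        out.append("changes uid/gid without setgroups/initgroups")
    return out


def scan_tree(root):
    """Walk a tree; return [(path, finding), ...] for all three checks."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & 0o111 and fn.startswith("."):  # find-hidden-exec.sh rule
                results.append((path, "hidden executable"))
            with open(path, "rb") as f:                # reads whole files; fine for an example
                names = elf_symbol_names(f.read())
            if names:
                results.extend((path, msg) for msg in findings_for_symbols(names))
    return results


def build_sample_elf(symbol_names):
    """Constructed sample: a minimal ELF64 image whose .dynsym imports the given names."""
    strtab = b"\0" + b"\0".join(n.encode() for n in symbol_names) + b"\0"
    offsets, pos = [], 1
    for n in symbol_names:
        offsets.append(pos)
        pos += len(n) + 1
    dynsym = SYM.pack(0, 0, 0, 0, 0, 0)                # null symbol
    dynsym += b"".join(SYM.pack(o, 0x12, 0, 0, 0, 0) for o in offsets)  # GLOBAL FUNC, undefined
    dynsym_off = EHDR.size
    strtab_off = dynsym_off + len(dynsym)
    shoff = strtab_off + len(strtab)
    shdrs = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)    # SHT_NULL
    shdrs += SHDR.pack(0, SHT_DYNSYM, 0, 0, dynsym_off, len(dynsym), 2, 1, 8, SYM.size)
    shdrs += SHDR.pack(0, SHT_STRTAB, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, 0, shoff, 0, EHDR.size, 0, 0, SHDR.size, 3, 0)
    return ehdr + dynsym + strtab + shdrs


if __name__ == "__main__":
    for path, finding in scan_tree("/usr/bin"):        # assumed scan root
        print(f"{path}: {finding}")
```

The symbol-table approach has the same limitation as the original scripts: it reports that a binary references chroot and chdir somewhere, not that chdir is called after chroot on every path, so a hit is a lead to investigate rather than a verdict.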

Another tool that is included is pax-utils. This package also provides a set of scripts that inspect ELF files, for consistency checks and more. One of the most popular is scanelf, which prints information specific to the ELF structure of a binary. Also very useful for developers is dumpelf, a user-space utility that dumps all of the internal ELF structures as the equivalent C structures, for debugging or reference purposes.

Buck-security is a security scanner that checks for and reports vulnerabilities. Unlike Bastille, which also hardens your system, buck-security only runs the series of check scripts listed in its configuration file. The user can add checks, or remove those that are not necessary.

Libseccomp is a library that provides a platform-independent, easy-to-use interface to the Linux kernel's syscall filtering mechanism. The libseccomp API is designed to abstract away the underlying BPF-based syscall filter language and present a more conventional function-call-based filtering interface that should be familiar to, and easily adopted by, application developers.

Checksecurity checks for changes to setuid programs. The command scans the mounted file systems (subject to the filter defined in /etc/checksecurity.conf) and compares the list of setuid programs to the list created on the previous run. Any changes are printed to standard output. It also generates a list of nfs and afs file systems that are mounted insecurely (i.e. they are missing the nodev flag and either the noexec or the nosuid flag).
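The two halves of that check are easy to show in code. The following is an added example written for this article, not checksecurity's own implementation: it lists setuid/setgid files under a root, diffs them against the list saved by the previous run (and saves the new list), and inspects /proc/mounts-style lines for nfs/afs mounts that lack nodev or lack both noexec and nosuid, which is how this article reads the man page wording. The mount table embedded below and the scan root in the usage call are constructed examples, and the state-file path is an assumption; the real tool's filter in /etc/checksecurity.conf is not implemented here.

```python
import os
import stat

NETWORK_FS = {"nfs", "nfs4", "afs"}


def list_setuid_files(root):
    """Return sorted paths of regular files under root with the setuid or setgid bit set."""
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:                      # file vanished mid-scan: skip it
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(path)
    return sorted(found)


def compare_with_previous_run(current, state_file):
    """Diff current against the list saved by the previous run, then save current as the new list."""
    previous = []
    if os.path.exists(state_file):
        with open(state_file) as f:
            previous = [line.rstrip("\n") for line in f if line.strip()]
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    with open(state_file, "w") as f:
        f.writelines(p + "\n" for p in current)
    return added, removed


def insecure_network_mounts(mounts_text):
    """Parse /proc/mounts-style lines; return (mountpoint, missing options) for nfs/afs
    mounts that lack nodev or lack both noexec and nosuid."""
    insecure = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] not in NETWORK_FS:
            continue
        mountpoint, opts = parts[1], set(parts[3].split(","))
        missing = []
        if "nodev" not in opts:
            missing.append("nodev")
        if not opts & {"noexec", "nosuid"}:
            missing.append("noexec or nosuid")
        if missing:
            insecure.append((mountpoint, missing))
    return insecure


# Constructed sample of /proc/mounts output; not taken from a real device.
SAMPLE_MOUNTS = """\
/dev/root / ext4 rw,relatime 0 0
nas:/export/data /mnt/data nfs rw,nodev,nosuid,addr=192.0.2.10 0 0
nas:/export/home /home nfs4 rw,relatime,addr=192.0.2.10 0 0
afs /afs afs rw,nodev 0 0
"""


def report(root, state_file, mounts_text=SAMPLE_MOUNTS):
    """One checksecurity-style run: setuid changes since last time, then insecure network mounts."""
    added, removed = compare_with_previous_run(list_setuid_files(root), state_file)
    lines = [f"+ {p}" for p in added] + [f"- {p}" for p in removed]
    lines += [f"insecure mount {mp}: missing {', '.join(m)}"
              for mp, m in insecure_network_mounts(mounts_text)]
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    # Assumed scan root and state-file location; on a real device read /proc/mounts instead.
    report("/usr", "setuid-baseline.txt")
```

Because the comparison is only as good as the saved list, the state file needs the same protection as the binaries it describes: if an attacker who adds a setuid file can also edit the baseline, the next run reports nothing.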

Nikto is very useful if you have a web server running on your device. Nikto is a scanner that performs comprehensive tests against web servers for potentially dangerous files or CGIs, and checks for outdated versions of over 1250 servers and for version-specific problems.

And last but not least: Nmap. This famous tool for network discovery and security auditing is very useful for system and network administrators. With it, you can now monitor anything on the network from your embedded device.

Conclusion

The best way to have a secure embedded device is to "keep it simple": if you want to be bulletproof, don't include tools that can bring security holes to your device. But when you really need those programs, it is best to bring them along with a security checking tool that gives you the assurance you need.