
How We Protected Our Router

During the presentation the speaker told the story of the software protection that was added to keep the router performing as intended. He led the participants through all the stages, from setting up the task to configuring Linux and the kernel for security. He shared libraries and real examples of using security tools (SSL, ciphersuites, cgroups, Tomoyo, etc.) and suggested alternative tools.

This presentation by Serhii Voloshynov (Senior Software Engineer, Consultant, GlobalLogic, Kharkiv) was delivered at GlobalLogic Kharkiv Embedded TechTalk #3 on November 16, 2018.


  1. How We Protected Our Router. Presenters: Serhii Voloshynov, Andrii Pientsov. November 2018.
  2. Agenda: 1. About Speakers; 2. Problem & Solution; 3. Protection Levels (Digital Signatures, Secure Connections, Cgroups, Tomoyo); 4. Q&A.
  3. About Speakers
  4. About Authors: Serhii and Andrii have more than 10 years of development experience. We recently implemented a mission-critical secure wireless gateway and plan to share our experience of building such systems.
  5. Problem and Solution
  6. IoT is growing: 26% up to 2023.
  7. IoT malware: Mirai (2016), BASHLITE (2014), Darlloz (2013), Wifatch (2014).
  8. 4 September 2018: 7,500+ MikroTik routers are forwarding their owners' traffic to the attackers. How is yours?
  9. ...The botnet, which included smart TVs and smart fridges, delivered more than 750,000 malicious emails.
  10. Platform: 400 MHz single-core CPU; 128 MB RAM / 256 MB flash; kernel 3.12.70; WiFi/BT/Ethernet/cellular; GPS/LoRaWAN; DNS/DDNS/DHCP/WWW/SNMP/SMTP/SMS; ...
  11. Possible threats: non-genuine firmware; network attacks; malware; filesystem corruption.
  12. Security model: perimeter defense; obstruction of the infiltrator; intrusion alarm.
  13. Three pillars of security: Protection, Detection, Response.
  14. Non-genuine Firmware
  15. Digital Signatures: firmware image protection.
  16. Network Attacks
  17. Network components: web server; SSH; VPN servers; SNMP; SMTP; DHCP; DNS; ...
  18. Secure connections (SSL/TLS): the connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted; the identity of the communicating parties can be authenticated using public-key cryptography; the connection is reliable because each message transmitted includes a message integrity check using a message authentication code, to prevent undetected loss or alteration of the data during transmission.
  19. Connections, best practices: remove default users/accounts and use strong passwords; use secure protocols; use secure ciphers; use proper versions of 3rd-party components; use proper settings, for instance
  20. Mirai: ...by the end of its first day, Mirai had infected over 65,000 IoT devices. At its peak in November 2016 Mirai had infected over 600,000 IoT devices.
  21. Network components: scan results.
  22. Malware
  23. Control Groups (cgroups): cgroups (abbreviated from control groups) is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes. The control groups functionality was merged into the Linux kernel mainline in kernel version 2.6.24, which was released in January 2008.
  24. cgroups subsystems: blkio, cpu, cpuacct, cpuset, devices, freezer, memory.
  25. Tomoyo: Tomoyo Linux is a MAC implementation for Linux that can be used to increase the security of a system, while also being useful purely as a systems analysis tool. It was launched in March 2003. Tomoyo was merged into the Linux kernel mainline in version 2.6.30. It is currently one of four standard Linux Security Modules (LSM), along with SELinux, AppArmor and SMACK.
  26. Tomoyo principles: in an operating system (OS), each program or process is mostly unrestricted in the tasks it is able to perform. A security-focused OS should implement some form of restriction that prevents a process from performing tasks that it should not perform, or that the administrator specifically wants to prevent it from performing.
  27. Lampson's Access Matrix: rows are processes (subjects), columns are objects, and each cell holds the permitted access. For example: Process 1 has Read on Object 1, Read on Object 2 and Write on Object 3; Process 2 has Read; Process 3 has Write.
  28. Tomoyo principles, domains: every process in a system belongs to a domain, which is determined by its execution history, for example:
      /sbin/init ... /bin/bash
      /sbin/init ... /usr/sbin/sshd /bin/bash
  29. Tomoyo principles, profiles: Profile 0 permits requests (disabled); Profile 1 permits requests after appending them to the policy (learning); Profile 2 permits requests even if not permitted by policy (permissive); Profile 3 rejects requests unless permitted by policy (enforcing).
  30. Sample of policy:
      <kernel> /usr/sbin/openvpn
      use_profile 3
      file read /run/openvpn_*.conf
      network unix dgram send /dev/log
      file create /run/openvpn_*.status 0600
      file write/truncate /run/openvpn_*.status
      file read /run/resolv.conf
      file read /etc/nsswitch.conf
      file read /etc/host.conf
      ...
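Added example, not from the talk and not TOMOYO's own tooling: a small Python model of the domain, profile and policy rules from the three Tomoyo slides above. It parses the openvpn domain policy and decides file requests the way the four profiles do, including learning mode appending to the policy. It assumes that `*` in the slide stands for TOMOYO's `\*` wildcard (any run of characters other than `/`), and it only evaluates `file` lines; `network` lines are kept but not checked.

```python
import re
from dataclasses import dataclass, field
# Constructed sample (the openvpn domain from the slides); "*" is read as TOMOYO's "\*" wildcard, an assumption.
SAMPLE_POLICY = """\
<kernel> /usr/sbin/openvpn
use_profile 3
file read /run/openvpn_*.conf
network unix dgram send /dev/log
file create /run/openvpn_*.status 0600
file write/truncate /run/openvpn_*.status
file read /etc/nsswitch.conf
"""
@dataclass
class Domain:
    profile: int = 0                                # use_profile N
    file_acl: list = field(default_factory=list)    # (operation, path pattern)
    other_acl: list = field(default_factory=list)   # network etc., kept verbatim

def parse_domain_policy(text):
    domains, cur = {}, None   # {domain name: Domain}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith("<kernel>"):             # domain header = execution history
            cur = domains.setdefault(line, Domain())
        elif cur is None:
            raise ValueError("ACL line before any domain header: " + line)
        elif line.startswith("use_profile "):
            cur.profile = int(line.split()[1])
        elif line.startswith("file "):
            _, ops, path = line.split()[:3]         # a trailing create mode (0600) is not checked
            cur.file_acl.extend((op, path) for op in ops.split("/"))   # "write/truncate" -> two ACLs
        else:
            cur.other_acl.append(line)
    return domains

def _match(pattern, path):
    regex = "".join("[^/]*" if c == "*" else re.escape(c) for c in pattern)   # "*" never crosses "/"
    return re.fullmatch(regex, path) is not None

def check_file(domain, op, path):
    """(granted, reason) for a file request, decided by the domain's profile; profile 1 learns."""
    if any(o == op and _match(p, path) for o, p in domain.file_acl):
        return True, "allowed by policy"
    if domain.profile == 3:
        return False, "rejected: not in policy (enforcing)"
    if domain.profile == 1:
        domain.file_acl.append((op, path))
        return True, "permitted and appended to policy (learning)"
    if domain.profile == 2:
        return True, "permitted though not in policy (permissive)"
    return True, "permitted, profile 0 (disabled)"
```

Running a domain in profile 1 first and switching it to profile 3 once the learned ACL looks right mirrors the usual Tomoyo workflow; the model shows why a request learned in profile 1 is later accepted in profile 3.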
  31. Useful links: RedHat cgroup manual (us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01); Linux Handbook / Cgroups (Wikibooks); TOMOYO Linux 2.5.x: The Official Guide.
  32. Thank You. Q&A