SlideShare a Scribd company logo
Integrity Protection Solutions
for Embedded Systems
Dmitry Kasatkin
Samsung Open Source Group
Samsung Research UK, Finland branch
FOSDEM 2014
Brussels, Belgium, February 1 – 2, 2014
INTEL CONFIDENTIAL

© 2014 SAMSUNG Electronics Co.
Agenda
●

What is integrity protection?

●

Pre-OS integrity protection

●

●

●

2

OS integrity protection
●
Block-level integrity protection
●
Linux Integrity subsystem
Summary
Q&A

FOSDEM 2014
What is integrity protection?
●

●

●

●

3

Runtime system integrity is protected by Access Control mechanism,
such as DAC and MACs.
Assumes trustworthiness of the access control/security related
metadata
Integrity protection ensures that offline modification of the data will
not remain undetected and access to such data will be forbidden
Was achieved by file system encryption

FOSDEM 2014
Pre-OS Integrity Protection
UEFI x86 boot process
Trusted Boot

Secure Boot
UEFI
Boot ROM
UEFI
boot loader

Measured
Boot

TPM
PCRs

Linux Kernel
/init

5

Attestation
Client

nonce
quote
FOSDEM 2014

Attestation
Server
UEFI x86 boot process
●

●

●

6

Trusted Boot (TCG, Pre-UEFI)
●
TPM based measurements
●
Does not prevent booting if measurement is wrong
UEFI Secure Boot – PreOS boot
●
Root of trust in the firmware (UEFI)
●
Prevents modified firmware and boot loader from running
●
Boot loader verifies Linux kernel
OS Trusted/Secure Boot?
●
Linux kernel verifies kernel modules
●
What about user space??
FOSDEM 2014
Embedded System Boot – not-connected
Secure Boot
Secure ROM
Root of trust
boot loader
(u-boot)
Linux Kernel
/init

7

FOSDEM 2014
Embedded System Boot – for connected
Trusted Boot

Secure Boot
Secure ROM
Root of trust
boot loader
(u-boot)

TEE based
Mobile TPM
PCRs

Measured
Boot

Linux Kernel
/init

8

Attestation
Client

nonce
quote
FOSDEM 2014

Attestation
Server
Secure/Trusted u-boot (~2013.07)
●

●

9

Secure boot extensions since 2013.07
●
Create FIT kernel image (Flattened uImage Tree)
●
mkimage -f kernel.its kernel.itb
●
Create signed FIT kernel image
●
mkimage -f kernel.its -k /path/to/keys -K u-boot.dtb kernel.itb
●
Resign
●
mkimage -F -k /path/to/keys -K u-boot.dtb kernel.itb
TPM support
●
TPM library
●
Drivers for common TPMs
FOSDEM 2014
Signature in FIT
{
description = "Simple kernel / FDT configuration";
images {
kernel@1 {
data = /incbin/("../vmlinuz-3.13.0");
kernel-version = <1>;
signature@1 {
algo = "sha1,rsa2048";
key-name-hint = "dev";
};
};
fdt@1 {
description = "snow";
data = /incbin/("exynos5250-snow.dtb");
type = "flat_dt";
arch = "arm";
};
};
};
10

FOSDEM 2014
Block level Integrity protection
Approaches
dm-verity
●
●
●

●
●

12

Transparent block-level integrity protection solution for read-only partitions
dm-verity is a device mapper target
Uses hash-tree
●
Calculates a hash of every block
●
Stores hashes in the additional block and calculates hash of that block
●
Final hash – root hash – hash of the top level hash-block
●
Root hash is passed as a target parameter
Used in ChromeOS to protect read-only partition
Update can be done only by overwriting entire partition

FOSDEM 2014
dm-integrity
●
●

●

●

●

13

Transparent block-level integrity protection solution for RW partitions
dm-integrity is a device mapper target
●
virtual block device on the top of real
Maintains HMAC for every block in special integrity store
●
may be the same or different block device
●
additional space
Verify HMAC on every read-request and update HMAC on every
write-request (BIO request)
Keeps a cache of LRU integrity metadata for performance purpose

FOSDEM 2014
Linux Integrity Subsystem
Linux Integrity Subsystem
●
●
●
●

●

Allows to extend Trusted and Secure Boot to user space
Linux integrity subsystem is the Policy Based VFS level integrity protection
Located under <linux>/security/integrity
Provides several integrity functions such as
●
Collect, store, attest, apprise, protect, audit
Consists of following components:
●
IMA – Integrity Measurement Architecture module
–
–
–
●
●

15

IMA-measurement
IMA-appraisal
Directory integrity verification extension

EVM – Extended Verification Module
Digital signature verification support
FOSDEM 2014
IMA/EVM hooks
●

16

IMA hooks
●
int ima_bprm_check();
●
int ima_file_check();
●
int ima_file_free();
●
int ima_file_mmap();
●
int ima_module_check();

●

EVM hooks
●
int evm_inode_setattr();
●
void evm_inode_post_setattr();
●
int evm_inode_setxattr();
●
void evm_inode_post_setxattr();
●
int evm_inode_removexattr();
●
void evm_inode_post_removexattr();

FOSDEM 2014
IMA-measurement
●
●
●

●

●

●

17

Since 2.6.30 (CONFIG_IMA)
Can be used to remotely attest system's runtime integrity
Collect: measure a file's content before it is accessed using cryptographic
hash
Store: add the measurement to the runtime measurement list, and if
TPM is present, extend the IMA PCR-10
●
Incorrect value may “lock” TPM secrets such as keys
Attest: if TPM is present, sign IMA PCR value to allow remote validation of
the measurement list
●
Requires attestation server (challenger) to maintain hash database
Also calculates and stores boot aggregate value over the TPM PCRs 0 - 7
FOSDEM 2014
IMA measurement list – original format
●
●
●

18

/sys/kernel/security/integrity/ima/ascii_runtime_measurements
Format: PCR template-hash template filedata-hash pathname
Original SHA1 format:
10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima
1f50f71b43752cd541a851a585cba3580902e7a9 /sbin/init

FOSDEM 2014
IMA measurement list – new format
●
●

PCR template-hash template algo:filedata-hash pathname file-signature
Larger hash algo:
10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima-ng
sha256:c023470c0fc8aa1dbb95504d5af5d46cad94e8bf5eea8e0ab0eeff7a7fe1697a
/sbin/init

●

Signatures:
10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima-sig
1f50f71b43752cd541a851a585cba3580902e7a9 /sbin/init
030202db1ff72a008016c593387220a2adda990969d87a56a8a24eece51e3689fd229
c4c56e7fddd4eb99f360c2ee3ff0f6344de24ecd3263f4c7a74ac6498403d7ce9e9865e
4d2f32522de79e96d0cb265d5b2ab8fe54953ce53d5e59a51460f67d18e2cbacb4765
ea97f2d9cdd2065816d50fb74e631efd4c2e07c72c01fd9b0f9e3efc6d91a789d

19

FOSDEM 2014
EVM – extended verification module
●
●

●
●

20

Since 3.2 (CONFIG_EVM)
Protect: protects integrity of file (extended) attributes against offline
modification
●
attributes: ino, uid, gid, mode
●
extended attributes: security.{ima,SMACK64,selinux}
Measures integrity using (keyed) cryptographic hash (hash/HMAC)
Performs local integrity validation and enforcement against a “good”
reference HMAC value
●
'security.evm' extended attribute
●
May contain HMAC or signature

FOSDEM 2014
Digital signature extension
●
●

●

21

Since 3.3 (CONFIG_INTEGRITY_SIGNATURE)
Protects file attributes using digital signatures
●
security.evm may hold signature instead of hmac
●
signature is replaced with hmac on successful verification
EVM signatures may be used
●
When there is no possibility to use device-specific HMAC key during
flashing/copying
– No special flashing/update mode (fastboot on Android)
●
When raw FS image needs to be created for use on multiple devices
– HMAC key is device-specific and cannot be used during image
creation
FOSDEM 2014
IMA-appraisal
●
●

●
●

22

Since 3.7 (CONFIG_IMA_APPRAISE)
Appraise: enforce local integrity validation of a file measurement against a
“good” reference value
●
'security.ima' extended attribute may hold hash or signature
●
signature is never replaced with hash – file is immutable
●
Protected by EVM
In other words, allows to protect file data from offline modification
IMA signatures may be used
●
To protect immutable files from runtime modification
●
To perform remote attestation without maintaining hash-database

FOSDEM 2014
IMA policy
# see <linux>/Documentation/ABI/testing/ima_policy
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
dont_appraise fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
dont_appraise fsmagic=0x64626720
…...
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
appraise obj_user=sig_t func=FILE_CHECK appraise_type=imasig
appraise fowner=1001 appraise_type=imasig
appraise fowner=0
23

FOSDEM 2014
Directory & special files integrity protection
●
●

●

●

●

●
●

24

Work in progress (CONFIG_IMA_DIRECTORIES)
New hooks for directory/special files integrity verification in fs/namei.c
●
ima_dir_check(), ima_dir_update(), ima_link_check()
Directory measurement is a hash over directory content
●
List of (inode number, file name) tuples
Symlink measurement
●
Hash of the target path
Device node measurement
●
Hash over MAJOR:MINOR
Hash is also stored in 'security.ima'
No EVM changes are required for this
FOSDEM 2014
ima-evm-utils
●
●

Use of digital signatures requires user-space tools
ima-evm-utils (evmctl)
●

●
●

●

25

Sign file metadata and content
– evmctl sign –imahash foo
– evmctl sign –imasig foo
Verify (for testing purpose)
Import public keys into the kernel keyring
– evmctl import /path/to/key
Supports password protected private keys

FOSDEM 2014
Example: initramfs script
grep -v "^#" /etc/ima_policy >/sys/kernel/security/ima/policy

# load IMA policy

keyctl add user kmk "testing123" @u
keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u

# import EVM HMAC key

ima_id=`keyctl newring _ima @u`
evmctl import /etc/keys/pubkey_evm.pem $ima_id

# import IMA public key

evm_id=`keyctl newring _evm @u`
evmctl import /etc/keys/pubkey_evm.pem $evm_id
echo "1" > /sys/kernel/security/evm

26

# import EVM public key
# enable EVM

FOSDEM 2014
Example: labeling with signatures
Label one file:
$ echo Hello >foo
$ sudo evmctl sign --imahash foo
$ getfattr -e hex -m security -d foo
# file: foo
security.evm=0x030155475e4e0000bc16a96303fd3e7901040060bab44648764dca46ad71827a48c3e171b7e
9444b47b79b7bd7c7f1783852be9b4f038f2c1dd57320b257619b9fa3a9cadea2c679faf83a9755f2a015995ec43
332fdedcc2c72cb87f2eb25a8ef524c3ec78134aaa5b6dd18c8c1bf5e16d886a03dd36587aa927e07154c0009cd
af71c1fcbc37fa15a8bd153ba360bf73bafb
security.ima=0x011d229271928d3f9e2bb0375bd6ce5db6c6d348d9
Label whole file system:
$ evmctl -r sign --imahash /

27

FOSDEM 2014
Summary
●

●
●

28

Integrity protection can be implemented in most embedded systems
●
Main requirement is HW root of trust: Secure ROM
U-boot provides support for secure/trusted boot
Linux kernel provides support for protecting integrity of the storage
●
Linux Integrity Subsystem
●
policy, local appraisal, remote attestation
●
Block-level integrity protection
●
dm-verity
●
dm-integrity

FOSDEM 2014
Links
U-Boot
●
http://www.denx.de/wiki/U-Boot
IMA/EVM
●
Integrity tree: http://git.kernel.org/?p=linux/kernel/git/zohar/linux-integrity.git
●
Dir tree: http://git.kernel.org/?p=linux/kernel/git/kasatkin/linux-digsig.git
●
Linux IMA project page: http://sourceforge.net/projects/linux-ima
●
Utils: http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree
dm-integrity
●
git://git.kernel.org/pub/scm/linux/kernel/git/kasatkin/linux-digsig.git#dm-integ
rity

29

FOSDEM 2014
0

Questions?

INTEL CONFIDENTIAL

© 2014 SAMSUNG Electronics Co.

More Related Content

What's hot

Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan Raval
NSConclave
 
GS-4106 The AMD GCN Architecture - A Crash Course, by Layla Mah
GS-4106 The AMD GCN Architecture - A Crash Course, by Layla MahGS-4106 The AMD GCN Architecture - A Crash Course, by Layla Mah
GS-4106 The AMD GCN Architecture - A Crash Course, by Layla Mah
AMD Developer Central
 
Embedded Operating System - Linux
Embedded Operating System - LinuxEmbedded Operating System - Linux
Embedded Operating System - Linux
Emertxe Information Technologies Pvt Ltd
 
Net Devops Overview
Net Devops OverviewNet Devops Overview
Net Devops Overview
Joel W. King
 
Learn how to do stylized shading with Shader Graph – Unite Copenhagen 2019
Learn how to do stylized shading with Shader Graph – Unite Copenhagen 2019Learn how to do stylized shading with Shader Graph – Unite Copenhagen 2019
Learn how to do stylized shading with Shader Graph – Unite Copenhagen 2019
Unity Technologies
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratch
linuxlab_conf
 
Reverse Engineering of Rocket Chip
Reverse Engineering of Rocket ChipReverse Engineering of Rocket Chip
Reverse Engineering of Rocket Chip
RISC-V International
 
Benefits of Multi-rail Cluster Architectures for GPU-based Nodes
Benefits of Multi-rail Cluster Architectures for GPU-based NodesBenefits of Multi-rail Cluster Architectures for GPU-based Nodes
Benefits of Multi-rail Cluster Architectures for GPU-based Nodes
inside-BigData.com
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internals
mukul bhardwaj
 
AMD Chiplet Architecture for High-Performance Server and Desktop Products
AMD Chiplet Architecture for High-Performance Server and Desktop ProductsAMD Chiplet Architecture for High-Performance Server and Desktop Products
AMD Chiplet Architecture for High-Performance Server and Desktop Products
AMD
 
Embedded Linux Kernel - Build your custom kernel
Embedded Linux Kernel - Build your custom kernelEmbedded Linux Kernel - Build your custom kernel
Embedded Linux Kernel - Build your custom kernel
Emertxe Information Technologies Pvt Ltd
 
Linux power management: are you doing it right?
Linux power management: are you doing it right?Linux power management: are you doing it right?
Linux power management: are you doing it right?
Chris Simmonds
 
Linux kernel modules
Linux kernel modulesLinux kernel modules
Linux kernel modules
Dheryta Jaisinghani
 
Scalability for All: Unreal Engine* 4 with Intel
Scalability for All: Unreal Engine* 4 with Intel Scalability for All: Unreal Engine* 4 with Intel
Scalability for All: Unreal Engine* 4 with Intel
Intel® Software
 
God Of War : post mortem
God Of War : post mortemGod Of War : post mortem
God Of War : post mortem
Mustapha Tachouct
 
The future of RISC-V Supervisor Binary Interface(SBI)
The future of RISC-V Supervisor Binary Interface(SBI)The future of RISC-V Supervisor Binary Interface(SBI)
The future of RISC-V Supervisor Binary Interface(SBI)
Atish Patra
 
Embedded Android : System Development - Part II (Linux device drivers)
Embedded Android : System Development - Part II (Linux device drivers)Embedded Android : System Development - Part II (Linux device drivers)
Embedded Android : System Development - Part II (Linux device drivers)
Emertxe Information Technologies Pvt Ltd
 
Simulators for Wireless Sensor Networks (OMNeT++)
Simulators for Wireless Sensor Networks (OMNeT++)Simulators for Wireless Sensor Networks (OMNeT++)
Simulators for Wireless Sensor Networks (OMNeT++)
Pradeep Kumar TS
 
The Theory and Implementation of DVFS on Linux
The Theory and Implementation of DVFS on LinuxThe Theory and Implementation of DVFS on Linux
The Theory and Implementation of DVFS on Linux
Picker Weng
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
The Linux Foundation
 

What's hot (20)

Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan Raval
 
GS-4106 The AMD GCN Architecture - A Crash Course, by Layla Mah
GS-4106 The AMD GCN Architecture - A Crash Course, by Layla MahGS-4106 The AMD GCN Architecture - A Crash Course, by Layla Mah
GS-4106 The AMD GCN Architecture - A Crash Course, by Layla Mah
 
Embedded Operating System - Linux
Embedded Operating System - LinuxEmbedded Operating System - Linux
Embedded Operating System - Linux
 
Net Devops Overview
Net Devops OverviewNet Devops Overview
Net Devops Overview
 
Learn how to do stylized shading with Shader Graph – Unite Copenhagen 2019
Learn how to do stylized shading with Shader Graph – Unite Copenhagen 2019Learn how to do stylized shading with Shader Graph – Unite Copenhagen 2019
Learn how to do stylized shading with Shader Graph – Unite Copenhagen 2019
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratch
 
Reverse Engineering of Rocket Chip
Reverse Engineering of Rocket ChipReverse Engineering of Rocket Chip
Reverse Engineering of Rocket Chip
 
Benefits of Multi-rail Cluster Architectures for GPU-based Nodes
Benefits of Multi-rail Cluster Architectures for GPU-based NodesBenefits of Multi-rail Cluster Architectures for GPU-based Nodes
Benefits of Multi-rail Cluster Architectures for GPU-based Nodes
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internals
 
AMD Chiplet Architecture for High-Performance Server and Desktop Products
AMD Chiplet Architecture for High-Performance Server and Desktop ProductsAMD Chiplet Architecture for High-Performance Server and Desktop Products
AMD Chiplet Architecture for High-Performance Server and Desktop Products
 
Embedded Linux Kernel - Build your custom kernel
Embedded Linux Kernel - Build your custom kernelEmbedded Linux Kernel - Build your custom kernel
Embedded Linux Kernel - Build your custom kernel
 
Linux power management: are you doing it right?
Linux power management: are you doing it right?Linux power management: are you doing it right?
Linux power management: are you doing it right?
 
Linux kernel modules
Linux kernel modulesLinux kernel modules
Linux kernel modules
 
Scalability for All: Unreal Engine* 4 with Intel
Scalability for All: Unreal Engine* 4 with Intel Scalability for All: Unreal Engine* 4 with Intel
Scalability for All: Unreal Engine* 4 with Intel
 
God Of War : post mortem
God Of War : post mortemGod Of War : post mortem
God Of War : post mortem
 
The future of RISC-V Supervisor Binary Interface(SBI)
The future of RISC-V Supervisor Binary Interface(SBI)The future of RISC-V Supervisor Binary Interface(SBI)
The future of RISC-V Supervisor Binary Interface(SBI)
 
Embedded Android : System Development - Part II (Linux device drivers)
Embedded Android : System Development - Part II (Linux device drivers)Embedded Android : System Development - Part II (Linux device drivers)
Embedded Android : System Development - Part II (Linux device drivers)
 
Simulators for Wireless Sensor Networks (OMNeT++)
Simulators for Wireless Sensor Networks (OMNeT++)Simulators for Wireless Sensor Networks (OMNeT++)
Simulators for Wireless Sensor Networks (OMNeT++)
 
The Theory and Implementation of DVFS on Linux
The Theory and Implementation of DVFS on LinuxThe Theory and Implementation of DVFS on Linux
The Theory and Implementation of DVFS on Linux
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
 

Viewers also liked

Android 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation reportAndroid 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation report
hidenorly
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
James Morris
 
[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing
OWASP
 
Running Code in the Android Stack at ELCE 2013
Running Code in the Android Stack at ELCE 2013Running Code in the Android Stack at ELCE 2013
Running Code in the Android Stack at ELCE 2013
Opersys inc.
 
EMSCRIPTEN: 將應用快速 PORT 到 JAVASCRIPT 上的神物
EMSCRIPTEN: 將應用快速 PORT 到 JAVASCRIPT 上的神物EMSCRIPTEN: 將應用快速 PORT 到 JAVASCRIPT 上的神物
EMSCRIPTEN: 將應用快速 PORT 到 JAVASCRIPT 上的神物
Wei-Ning Huang
 
Chromium OS Introduction
Chromium OS IntroductionChromium OS Introduction
Chromium OS Introduction
Wei-Ning Huang
 
Trusted Platform Module (TPM)
Trusted Platform Module (TPM)Trusted Platform Module (TPM)
Trusted Platform Module (TPM)
k33a
 
Hypervisor and VDI security
Hypervisor and VDI securityHypervisor and VDI security
Hypervisor and VDI security
Denis Gundarev
 
Scheduling in Android
Scheduling in AndroidScheduling in Android
Scheduling in Android
Opersys inc.
 

Viewers also liked (9)

Android 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation reportAndroid 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation report
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing
 
Running Code in the Android Stack at ELCE 2013
Running Code in the Android Stack at ELCE 2013Running Code in the Android Stack at ELCE 2013
Running Code in the Android Stack at ELCE 2013
 
EMSCRIPTEN: 將應用快速 PORT 到 JAVASCRIPT 上的神物
EMSCRIPTEN: 將應用快速 PORT 到 JAVASCRIPT 上的神物EMSCRIPTEN: 將應用快速 PORT 到 JAVASCRIPT 上的神物
EMSCRIPTEN: 將應用快速 PORT 到 JAVASCRIPT 上的神物
 
Chromium OS Introduction
Chromium OS IntroductionChromium OS Introduction
Chromium OS Introduction
 
Trusted Platform Module (TPM)
Trusted Platform Module (TPM)Trusted Platform Module (TPM)
Trusted Platform Module (TPM)
 
Hypervisor and VDI security
Hypervisor and VDI securityHypervisor and VDI security
Hypervisor and VDI security
 
Scheduling in Android
Scheduling in AndroidScheduling in Android
Scheduling in Android
 

Similar to Integrity Protection for Embedded Systems

What's New in Security for IBM i?
What's New in Security for IBM i?What's New in Security for IBM i?
What's New in Security for IBM i?
HelpSystems
 
A3Sec Advanced Deployment System
A3Sec Advanced Deployment SystemA3Sec Advanced Deployment System
A3Sec Advanced Deployment System
a3sec
 
Nat mikrotik
Nat mikrotikNat mikrotik
Nat mikrotik
louisraj
 
Red Hat Linux 5 Hardening Tips - National Security Agency
Red Hat Linux 5 Hardening Tips - National Security AgencyRed Hat Linux 5 Hardening Tips - National Security Agency
Red Hat Linux 5 Hardening Tips - National Security Agency
sanchetanparmar
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
BeyondTrust
 
PGEncryption_Tutorial
PGEncryption_TutorialPGEncryption_Tutorial
PGEncryption_Tutorial
Vibhor Kumar
 
PSU Security Conference 2015 - LAPS Presentation
PSU Security Conference 2015 - LAPS PresentationPSU Security Conference 2015 - LAPS Presentation
PSU Security Conference 2015 - LAPS Presentation
Dan Barr
 
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara
 
Securing with Sophos - Sophos Day Belux 2014
Securing with Sophos - Sophos Day Belux 2014Securing with Sophos - Sophos Day Belux 2014
Securing with Sophos - Sophos Day Belux 2014
Sophos Benelux
 
Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core
Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios CoreNagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core
Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core
Nagios
 
Looking into trusted and encrypted keys
Looking into trusted and encrypted keysLooking into trusted and encrypted keys
Looking into trusted and encrypted keys
SUSE Labs Taipei
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
Michael Boelen
 
High end security for low-end microcontrollers
High end security for low-end microcontrollersHigh end security for low-end microcontrollers
High end security for low-end microcontrollers
Milosch Meriac
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
David Sweigert
 
QueueMetrics - Tips and Tricks
QueueMetrics - Tips and TricksQueueMetrics - Tips and Tricks
QueueMetrics - Tips and Tricks
Clarotech_Events
 
Reconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatformsReconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatforms
Abdullah Deeb
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise
247infotech
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
David Sweigert
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
Wim Godden
 
How to configure esx to pass an audit
How to configure esx to pass an auditHow to configure esx to pass an audit
How to configure esx to pass an audit
Concentrated Technology
 

Similar to Integrity Protection for Embedded Systems (20)

What's New in Security for IBM i?
What's New in Security for IBM i?What's New in Security for IBM i?
What's New in Security for IBM i?
 
A3Sec Advanced Deployment System
A3Sec Advanced Deployment SystemA3Sec Advanced Deployment System
A3Sec Advanced Deployment System
 
Nat mikrotik
Nat mikrotikNat mikrotik
Nat mikrotik
 
Red Hat Linux 5 Hardening Tips - National Security Agency
Red Hat Linux 5 Hardening Tips - National Security AgencyRed Hat Linux 5 Hardening Tips - National Security Agency
Red Hat Linux 5 Hardening Tips - National Security Agency
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
PGEncryption_Tutorial
PGEncryption_TutorialPGEncryption_Tutorial
PGEncryption_Tutorial
 
PSU Security Conference 2015 - LAPS Presentation
PSU Security Conference 2015 - LAPS PresentationPSU Security Conference 2015 - LAPS Presentation
PSU Security Conference 2015 - LAPS Presentation
 
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
 
Securing with Sophos - Sophos Day Belux 2014
Securing with Sophos - Sophos Day Belux 2014Securing with Sophos - Sophos Day Belux 2014
Securing with Sophos - Sophos Day Belux 2014
 
Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core
Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios CoreNagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core
Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core
 
Looking into trusted and encrypted keys
Looking into trusted and encrypted keysLooking into trusted and encrypted keys
Looking into trusted and encrypted keys
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
 
High end security for low-end microcontrollers
High end security for low-end microcontrollersHigh end security for low-end microcontrollers
High end security for low-end microcontrollers
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
 
QueueMetrics - Tips and Tricks
QueueMetrics - Tips and TricksQueueMetrics - Tips and Tricks
QueueMetrics - Tips and Tricks
 
Reconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatformsReconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatforms
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
 
How to configure esx to pass an audit
How to configure esx to pass an auditHow to configure esx to pass an audit
How to configure esx to pass an audit
 

More from Samsung Open Source Group

The Complex IoT Equation (and FLOSS solutions)
The Complex IoT Equation (and FLOSS solutions)The Complex IoT Equation (and FLOSS solutions)
The Complex IoT Equation (and FLOSS solutions)
Samsung Open Source Group
 
Easy IoT with JavaScript
Easy IoT with JavaScriptEasy IoT with JavaScript
Easy IoT with JavaScript
Samsung Open Source Group
 
Spawny: A New Approach to Logins
Spawny: A New Approach to LoginsSpawny: A New Approach to Logins
Spawny: A New Approach to Logins
Samsung Open Source Group
 
Rapid SPi Device Driver Development over USB
Rapid SPi Device Driver Development over USBRapid SPi Device Driver Development over USB
Rapid SPi Device Driver Development over USB
Samsung Open Source Group
 
Tizen RT: A Lightweight RTOS Platform for Low-End IoT Devices
Tizen RT: A Lightweight RTOS Platform for Low-End IoT DevicesTizen RT: A Lightweight RTOS Platform for Low-End IoT Devices
Tizen RT: A Lightweight RTOS Platform for Low-End IoT Devices
Samsung Open Source Group
 
IoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and BeyondIoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and Beyond
Samsung Open Source Group
 
IoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorialIoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorial
Samsung Open Source Group
 
GENIVI + OCF Cooperation
GENIVI + OCF CooperationGENIVI + OCF Cooperation
GENIVI + OCF Cooperation
Samsung Open Source Group
 
Framework for IoT Interoperability
Framework for IoT InteroperabilityFramework for IoT Interoperability
Framework for IoT Interoperability
Samsung Open Source Group
 
Open Source Metrics to Inform Corporate Strategy
Open Source Metrics to Inform Corporate StrategyOpen Source Metrics to Inform Corporate Strategy
Open Source Metrics to Inform Corporate Strategy
Samsung Open Source Group
 
IoTivity for Automotive IoT Interoperability
IoTivity for Automotive IoT InteroperabilityIoTivity for Automotive IoT Interoperability
IoTivity for Automotive IoT Interoperability
Samsung Open Source Group
 
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...
Samsung Open Source Group
 
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux DeviceAdding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Samsung Open Source Group
 
IoTivity: From Devices to the Cloud
IoTivity: From Devices to the CloudIoTivity: From Devices to the Cloud
IoTivity: From Devices to the Cloud
Samsung Open Source Group
 
SOSCON 2016 JerryScript
SOSCON 2016 JerryScriptSOSCON 2016 JerryScript
SOSCON 2016 JerryScript
Samsung Open Source Group
 
IoT: From Arduino Microcontrollers to Tizen Products using IoTivity
IoT: From Arduino Microcontrollers to Tizen Products using IoTivityIoT: From Arduino Microcontrollers to Tizen Products using IoTivity
IoT: From Arduino Microcontrollers to Tizen Products using IoTivity
Samsung Open Source Group
 
Run Your Own 6LoWPAN Based IoT Network
Run Your Own 6LoWPAN Based IoT NetworkRun Your Own 6LoWPAN Based IoT Network
Run Your Own 6LoWPAN Based IoT Network
Samsung Open Source Group
 
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under LinuxPractical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Samsung Open Source Group
 
IoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
IoTivity Tutorial: Prototyping IoT Devices on GNU/LinuxIoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
IoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
Samsung Open Source Group
 
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Things
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of ThingsJerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Things
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Things
Samsung Open Source Group
 

More from Samsung Open Source Group (20)

The Complex IoT Equation (and FLOSS solutions)
The Complex IoT Equation (and FLOSS solutions)The Complex IoT Equation (and FLOSS solutions)
The Complex IoT Equation (and FLOSS solutions)
 
Easy IoT with JavaScript
Easy IoT with JavaScriptEasy IoT with JavaScript
Easy IoT with JavaScript
 
Spawny: A New Approach to Logins
Spawny: A New Approach to LoginsSpawny: A New Approach to Logins
Spawny: A New Approach to Logins
 
Rapid SPi Device Driver Development over USB
Rapid SPi Device Driver Development over USBRapid SPi Device Driver Development over USB
Rapid SPi Device Driver Development over USB
 
Tizen RT: A Lightweight RTOS Platform for Low-End IoT Devices
Tizen RT: A Lightweight RTOS Platform for Low-End IoT DevicesTizen RT: A Lightweight RTOS Platform for Low-End IoT Devices
Tizen RT: A Lightweight RTOS Platform for Low-End IoT Devices
 
IoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and BeyondIoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and Beyond
 
IoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorialIoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorial
 
GENIVI + OCF Cooperation
GENIVI + OCF CooperationGENIVI + OCF Cooperation
GENIVI + OCF Cooperation
 
Framework for IoT Interoperability
Framework for IoT InteroperabilityFramework for IoT Interoperability
Framework for IoT Interoperability
 
Open Source Metrics to Inform Corporate Strategy
Open Source Metrics to Inform Corporate StrategyOpen Source Metrics to Inform Corporate Strategy
Open Source Metrics to Inform Corporate Strategy
 
IoTivity for Automotive IoT Interoperability
IoTivity for Automotive IoT InteroperabilityIoTivity for Automotive IoT Interoperability
IoTivity for Automotive IoT Interoperability
 
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...
 
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux DeviceAdding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
 
IoTivity: From Devices to the Cloud
IoTivity: From Devices to the CloudIoTivity: From Devices to the Cloud
IoTivity: From Devices to the Cloud
 
SOSCON 2016 JerryScript
SOSCON 2016 JerryScriptSOSCON 2016 JerryScript
SOSCON 2016 JerryScript
 
IoT: From Arduino Microcontrollers to Tizen Products using IoTivity
IoT: From Arduino Microcontrollers to Tizen Products using IoTivityIoT: From Arduino Microcontrollers to Tizen Products using IoTivity
IoT: From Arduino Microcontrollers to Tizen Products using IoTivity
 
Run Your Own 6LoWPAN Based IoT Network
Run Your Own 6LoWPAN Based IoT NetworkRun Your Own 6LoWPAN Based IoT Network
Run Your Own 6LoWPAN Based IoT Network
 
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under LinuxPractical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
 
IoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
IoTivity Tutorial: Prototyping IoT Devices on GNU/LinuxIoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
IoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
 
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Things
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of ThingsJerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Things
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Things
 

Recently uploaded

Paris 2024 France Names Men's Football Squad for Olympic Paris.pdf
Paris 2024 France Names Men's Football Squad for Olympic Paris.pdfParis 2024 France Names Men's Football Squad for Olympic Paris.pdf
Paris 2024 France Names Men's Football Squad for Olympic Paris.pdf
Eticketing.co
 
Paris Olympic A Historic Olympic Opening Celebration of Tradition and Innovat...
Paris Olympic A Historic Olympic Opening Celebration of Tradition and Innovat...Paris Olympic A Historic Olympic Opening Celebration of Tradition and Innovat...
Paris Olympic A Historic Olympic Opening Celebration of Tradition and Innovat...
Eticketing.co
 
Female Girls call Pune 000XX00000 Provide Best And Top Girl Service And No1 i...
Female Girls call Pune 000XX00000 Provide Best And Top Girl Service And No1 i...Female Girls call Pune 000XX00000 Provide Best And Top Girl Service And No1 i...
Female Girls call Pune 000XX00000 Provide Best And Top Girl Service And No1 i...
bhumivarma35300
 
Paris 2024 Croatia's Sinkovic brothers aim for rowing gold at the Paris Olymp...
Paris 2024 Croatia's Sinkovic brothers aim for rowing gold at the Paris Olymp...Paris 2024 Croatia's Sinkovic brothers aim for rowing gold at the Paris Olymp...
Paris 2024 Croatia's Sinkovic brothers aim for rowing gold at the Paris Olymp...
Eticketing.co
 
Verified Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service...
Verified Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service...Verified Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service...
Verified Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service...
shanihomely
 
Exclusive Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
Exclusive Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...Exclusive Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
Exclusive Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
norina2645
 
USD Cert degree offer diploma
USD Cert degree offer diploma USD Cert degree offer diploma
USD Cert degree offer diploma
hwyve
 
Paris 2024 USA’s Men’s Basketball Dominates Canada in Exhibition Match, Kawhi...
Paris 2024 USA’s Men’s Basketball Dominates Canada in Exhibition Match, Kawhi...Paris 2024 USA’s Men’s Basketball Dominates Canada in Exhibition Match, Kawhi...
Paris 2024 USA’s Men’s Basketball Dominates Canada in Exhibition Match, Kawhi...
Eticketing.co
 
Agility training from the top down..pptx
Agility training from the top down..pptxAgility training from the top down..pptx
Agility training from the top down..pptx
Sports World
 
Fitness-Testing-for-Swimming-Steve-Haupt.pdf
Fitness-Testing-for-Swimming-Steve-Haupt.pdfFitness-Testing-for-Swimming-Steve-Haupt.pdf
Fitness-Testing-for-Swimming-Steve-Haupt.pdf
Sports World
 
Chennai Girls call 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Chennai Girls call  👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room DeliveryChennai Girls call  👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Chennai Girls call 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
The Paris Olympic Opening Ceremony Starting Date and Time.pdf
The Paris Olympic Opening Ceremony Starting Date and Time.pdfThe Paris Olympic Opening Ceremony Starting Date and Time.pdf
The Paris Olympic Opening Ceremony Starting Date and Time.pdf
Eticketing.co
 
How Do Moneyline Calculations Work? Find Out How to Calculate Your Total Payo...
How Do Moneyline Calculations Work? Find Out How to Calculate Your Total Payo...How Do Moneyline Calculations Work? Find Out How to Calculate Your Total Payo...
How Do Moneyline Calculations Work? Find Out How to Calculate Your Total Payo...
LetMeBet.com
 
Agility training from the top downn.pptx
Agility training from the top downn.pptxAgility training from the top downn.pptx
Agility training from the top downn.pptx
jango D
 
Turkiye and Italy Eye Squad Overhauls for FIFA 2026.docx
Turkiye and Italy Eye Squad Overhauls for FIFA 2026.docxTurkiye and Italy Eye Squad Overhauls for FIFA 2026.docx
Turkiye and Italy Eye Squad Overhauls for FIFA 2026.docx
FIFA world Cup
 
Download Grand Theft Auto: Vice City Mod Apk Latest Version 1.12
Download Grand Theft Auto: Vice City Mod Apk Latest Version 1.12Download Grand Theft Auto: Vice City Mod Apk Latest Version 1.12
Download Grand Theft Auto: Vice City Mod Apk Latest Version 1.12
Apk Toly
 
Olympic 2024 Team USA's Star-Studded Basketball Roster Prepares for Paris Glo...
Olympic 2024 Team USA's Star-Studded Basketball Roster Prepares for Paris Glo...Olympic 2024 Team USA's Star-Studded Basketball Roster Prepares for Paris Glo...
Olympic 2024 Team USA's Star-Studded Basketball Roster Prepares for Paris Glo...
Eticketing.co
 
Italy FIFA World Cup Italy coach Mancini We want to win the World Cup in 2026...
Italy FIFA World Cup Italy coach Mancini We want to win the World Cup in 2026...Italy FIFA World Cup Italy coach Mancini We want to win the World Cup in 2026...
Italy FIFA World Cup Italy coach Mancini We want to win the World Cup in 2026...
Worldwideticketsandhospitality
 
Why Prada is expanding production in Italy and its …
Why Prada is expanding production in Italy and its …Why Prada is expanding production in Italy and its …
Why Prada is expanding production in Italy and its …
908dutch
 
High Profile Girls Call Vadodara 🛵🚡9930687706 💃 Choose Best And Top Girl Serv...
High Profile Girls Call Vadodara 🛵🚡9930687706 💃 Choose Best And Top Girl Serv...High Profile Girls Call Vadodara 🛵🚡9930687706 💃 Choose Best And Top Girl Serv...
High Profile Girls Call Vadodara 🛵🚡9930687706 💃 Choose Best And Top Girl Serv...
3610stuck
 

Recently uploaded (20)

Paris 2024 France Names Men's Football Squad for Olympic Paris.pdf
Paris 2024 France Names Men's Football Squad for Olympic Paris.pdfParis 2024 France Names Men's Football Squad for Olympic Paris.pdf
Paris 2024 France Names Men's Football Squad for Olympic Paris.pdf
 
Paris Olympic A Historic Olympic Opening Celebration of Tradition and Innovat...
Paris Olympic A Historic Olympic Opening Celebration of Tradition and Innovat...Paris Olympic A Historic Olympic Opening Celebration of Tradition and Innovat...
Paris Olympic A Historic Olympic Opening Celebration of Tradition and Innovat...
 
Female Girls call Pune 000XX00000 Provide Best And Top Girl Service And No1 i...
Female Girls call Pune 000XX00000 Provide Best And Top Girl Service And No1 i...Female Girls call Pune 000XX00000 Provide Best And Top Girl Service And No1 i...
Female Girls call Pune 000XX00000 Provide Best And Top Girl Service And No1 i...
 
Paris 2024 Croatia's Sinkovic brothers aim for rowing gold at the Paris Olymp...
Paris 2024 Croatia's Sinkovic brothers aim for rowing gold at the Paris Olymp...Paris 2024 Croatia's Sinkovic brothers aim for rowing gold at the Paris Olymp...
Paris 2024 Croatia's Sinkovic brothers aim for rowing gold at the Paris Olymp...
 
Verified Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service...
Verified Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service...Verified Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service...
Verified Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service...
 
Exclusive Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
Exclusive Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...Exclusive Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
Exclusive Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
 
USD Cert degree offer diploma
USD Cert degree offer diploma USD Cert degree offer diploma
USD Cert degree offer diploma
 
Paris 2024 USA’s Men’s Basketball Dominates Canada in Exhibition Match, Kawhi...
Paris 2024 USA’s Men’s Basketball Dominates Canada in Exhibition Match, Kawhi...Paris 2024 USA’s Men’s Basketball Dominates Canada in Exhibition Match, Kawhi...
Paris 2024 USA’s Men’s Basketball Dominates Canada in Exhibition Match, Kawhi...
 
Agility training from the top down..pptx
Agility training from the top down..pptxAgility training from the top down..pptx
Agility training from the top down..pptx
 
Fitness-Testing-for-Swimming-Steve-Haupt.pdf
Fitness-Testing-for-Swimming-Steve-Haupt.pdfFitness-Testing-for-Swimming-Steve-Haupt.pdf
Fitness-Testing-for-Swimming-Steve-Haupt.pdf
 
Chennai Girls call 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Chennai Girls call  👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room DeliveryChennai Girls call  👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Chennai Girls call 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
The Paris Olympic Opening Ceremony Starting Date and Time.pdf
The Paris Olympic Opening Ceremony Starting Date and Time.pdfThe Paris Olympic Opening Ceremony Starting Date and Time.pdf
The Paris Olympic Opening Ceremony Starting Date and Time.pdf
 
How Do Moneyline Calculations Work? Find Out How to Calculate Your Total Payo...
How Do Moneyline Calculations Work? Find Out How to Calculate Your Total Payo...How Do Moneyline Calculations Work? Find Out How to Calculate Your Total Payo...
How Do Moneyline Calculations Work? Find Out How to Calculate Your Total Payo...
 
Agility training from the top downn.pptx
Agility training from the top downn.pptxAgility training from the top downn.pptx
Agility training from the top downn.pptx
 
Turkiye and Italy Eye Squad Overhauls for FIFA 2026.docx
Turkiye and Italy Eye Squad Overhauls for FIFA 2026.docxTurkiye and Italy Eye Squad Overhauls for FIFA 2026.docx
Turkiye and Italy Eye Squad Overhauls for FIFA 2026.docx
 
Download Grand Theft Auto: Vice City Mod Apk Latest Version 1.12
Download Grand Theft Auto: Vice City Mod Apk Latest Version 1.12Download Grand Theft Auto: Vice City Mod Apk Latest Version 1.12
Download Grand Theft Auto: Vice City Mod Apk Latest Version 1.12
 
Olympic 2024 Team USA's Star-Studded Basketball Roster Prepares for Paris Glo...
Olympic 2024 Team USA's Star-Studded Basketball Roster Prepares for Paris Glo...Olympic 2024 Team USA's Star-Studded Basketball Roster Prepares for Paris Glo...
Olympic 2024 Team USA's Star-Studded Basketball Roster Prepares for Paris Glo...
 
Italy FIFA World Cup Italy coach Mancini We want to win the World Cup in 2026...
Italy FIFA World Cup Italy coach Mancini We want to win the World Cup in 2026...Italy FIFA World Cup Italy coach Mancini We want to win the World Cup in 2026...
Italy FIFA World Cup Italy coach Mancini We want to win the World Cup in 2026...
 
Why Prada is expanding production in Italy and its …
Why Prada is expanding production in Italy and its …Why Prada is expanding production in Italy and its …
Why Prada is expanding production in Italy and its …
 
High Profile Girls Call Vadodara 🛵🚡9930687706 💃 Choose Best And Top Girl Serv...
High Profile Girls Call Vadodara 🛵🚡9930687706 💃 Choose Best And Top Girl Serv...High Profile Girls Call Vadodara 🛵🚡9930687706 💃 Choose Best And Top Girl Serv...
High Profile Girls Call Vadodara 🛵🚡9930687706 💃 Choose Best And Top Girl Serv...
 

Integrity Protection for Embedded Systems

  • 1. Integrity Protection Solutions for Embedded Systems Dmitry Kasatkin Samsung Open Source Group Samsung Research UK, Finland branch FOSDEM 2014 Brussels, Belgium, February 1 – 2, 2014 INTEL CONFIDENTIAL © 2014 SAMSUNG Electronics Co.
  • 2. Agenda ● What is integrity protection? ● Pre-OS integrity protection ● ● ● 2 OS integrity protection ● Block-level integrity protection ● Linux Integrity subsystem Summary Q&A FOSDEM 2014
  • 3. What is integrity protection? ● ● ● ● 3 Runtime system integrity is protected by Access Control mechanism, such as DAC and MACs. Assumes trustworthiness of the access control/security related metadata Integrity protection ensures that offline modification of the data will not remain undetected and access to such data will be forbidden Was achieved by file system encryption FOSDEM 2014
  • 5. UEFI x86 boot process Trusted Boot Secure Boot UEFI Boot ROM UEFI boot loader Measured Boot TPM PCRs Linux Kernel /init 5 Attestation Client nonce quote FOSDEM 2014 Attestation Server
  • 6. UEFI x86 boot process ● ● ● 6 Trusted Boot (TCG, Pre-UEFI) ● TPM based measurements ● Does not prevent booting if measurement is wrong UEFI Secure Boot – PreOS boot ● Root of trust in the firmware (UEFI) ● Prevents modified firmware and boot loader from running ● Boot loader verifies Linux kernel OS Trusted/Secure Boot? ● Linux kernel verifies kernel modules ● What about user space?? FOSDEM 2014
  • 7. Embedded System Boot – not-connected Secure Boot Secure ROM Root of trust boot loader (u-boot) Linux Kernel /init 7 FOSDEM 2014
  • 8. Embedded System Boot – for connected Trusted Boot Secure Boot Secure ROM Root of trust boot loader (u-boot) TEE based Mobile TPM PCRs Measured Boot Linux Kernel /init 8 Attestation Client nonce quote FOSDEM 2014 Attestation Server
  • 9. Secure/Trusted u-boot (~2013.07) ● ● 9 Secure boot extensions since 2013.07 ● Create FIT kernel image (Flattened uImage Tree) ● mkimage -f kernel.its kernel.itb ● Create signed FIT kernel image ● mkimage -f kernel.its -k /path/to/keys -K u-boot.dtb kernel.itb ● Resign ● mkimage -F -k /path/to/keys -K u-boot.dtb kernel.itb TPM support ● TPM library ● Drivers for common TPMs FOSDEM 2014
  • 10. Signature in FIT { description = "Simple kernel / FDT configuration"; images { kernel@1 { data = /incbin/("../vmlinuz-3.13.0"); kernel-version = <1>; signature@1 { algo = "sha1,rsa2048"; key-name-hint = "dev"; }; }; fdt@1 { description = "snow"; data = /incbin/("exynos5250-snow.dtb"); type = "flat_dt"; arch = "arm"; }; }; }; 10 FOSDEM 2014
  • 11. Block level Integrity protection Approaches
  • 12. dm-verity ● ● ● ● ● 12 Transparent block-level integrity protection solution for read-only partitions dm-verity is a device mapper target Uses hash-tree ● Calculates a hash of every block ● Stores hashes in the additional block and calculates hash of that block ● Final hash – root hash – hash of the top level hash-block ● Root hash is passed as a target parameter Used in ChromeOS to protect read-only partition Update can be done only by overwriting entire partition FOSDEM 2014
  • 13. dm-integrity ● ● ● ● ● 13 Transparent block-level integrity protection solution for RW partitions dm-integrity is a device mapper target ● virtual block device on the top of real Maintains HMAC for every block in special integrity store ● may be the same or different block device ● additional space Verify HMAC on every read-request and update HMAC on every write-request (BIO request) Keeps a cache of LRU integrity metadata for performance purpose FOSDEM 2014
  • 15. Linux Integrity Subsystem ● ● ● ● ● Allows to extend Trusted and Secure Boot to user space Linux integrity subsystem is the Policy Based VFS level integrity protection Located under <linux>/security/integrity Provides several integrity functions such as ● Collect, store, attest, apprise, protect, audit Consists of following components: ● IMA – Integrity Measurement Architecture module – – – ● ● 15 IMA-measurement IMA-appraisal Directory integrity verification extension EVM – Extended Verification Module Digital signature verification support FOSDEM 2014
  • 16. IMA/EVM hooks ● 16 IMA hooks ● int ima_bprm_check(); ● int ima_file_check(); ● int ima_file_free(); ● int ima_file_mmap(); ● int ima_module_check(); ● EVM hooks ● int evm_inode_setattr(); ● void evm_inode_post_setattr(); ● int evm_inode_setxattr(); ● void evm_inode_post_setxattr(); ● int evm_inode_removexattr(); ● void evm_inode_post_removexattr(); FOSDEM 2014
  • 17. IMA-measurement ● ● ● ● ● ● 17 Since 2.6.30 (CONFIG_IMA) Can be used to remotely attest system's runtime integrity Collect: measure a file's content before it is accessed using cryptographic hash Store: add the measurement to the runtime measurement list, and if TPM is present, extend the IMA PCR-10 ● Incorrect value may “lock” TPM secrets such as keys Attest: if TPM is present, sign IMA PCR value to allow remote validation of the measurement list ● Requires attestation server (challenger) to maintain hash database Also calculates and stores boot aggregate value over the TPM PCRs 0 - 7 FOSDEM 2014
  • 18. IMA measurement list – original format ● ● ● 18 /sys/kernel/security/integrity/ima/ascii_runtime_measurements Format: PCR template-hash template filedata-hash pathname Original SHA1 format: 10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima 1f50f71b43752cd541a851a585cba3580902e7a9 /sbin/init FOSDEM 2014
  • 19. IMA measurement list – new format ● ● PCR template-hash template algo:filedata-hash pathname file-signature Larger hash algo: 10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima-ng sha256:c023470c0fc8aa1dbb95504d5af5d46cad94e8bf5eea8e0ab0eeff7a7fe1697a /sbin/init ● Signatures: 10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima-sig 1f50f71b43752cd541a851a585cba3580902e7a9 /sbin/init 030202db1ff72a008016c593387220a2adda990969d87a56a8a24eece51e3689fd229 c4c56e7fddd4eb99f360c2ee3ff0f6344de24ecd3263f4c7a74ac6498403d7ce9e9865e 4d2f32522de79e96d0cb265d5b2ab8fe54953ce53d5e59a51460f67d18e2cbacb4765 ea97f2d9cdd2065816d50fb74e631efd4c2e07c72c01fd9b0f9e3efc6d91a789d 19 FOSDEM 2014
  • 20. EVM – extended verification module ● ● ● ● 20 Since 3.2 (CONFIG_EVM) Protect: protects integrity of file (extended) attributes against offline modification ● attributes: ino, uid, gid, mode ● extended attributes: security.{ima,SMACK64,selinux} Measures integrity using (keyed) cryptographic hash (hash/HMAC) Performs local integrity validation and enforcement against a “good” reference HMAC value ● 'security.evm' extended attribute ● May contain HMAC or signature FOSDEM 2014
  • 21. Digital signature extension ● ● ● 21 Since 3.3 (CONFIG_INTEGRITY_SIGNATURE) Protects file attributes using digital signatures ● security.evm may hold signature instead of hmac ● signature is replaced with hmac on successful verification EVM signatures may be used ● When there is no possibility to use device-specific HMAC key during flashing/copying – No special flashing/update mode (fastboot on Android) ● When raw FS image needs to be created for use on multiple devices – HMAC key is device-specific and cannot be used during image creation FOSDEM 2014
  • 22. IMA-appraisal ● ● ● ● 22 Since 3.7 (CONFIG_IMA_APPRAISE) Appraise: enforce local integrity validation of a file measurement against a “good” reference value ● 'security.ima' extended attribute may hold hash or signature ● signature is never replaced with hash – file is immutable ● Protected by EVM In other words, allows to protect file data from offline modification IMA signatures may be used ● To protect immutable files from runtime modification ● To perform remote attestation without maintaining hash-database FOSDEM 2014
  • 23. IMA policy # see <linux>/Documentation/ABI/testing/ima_policy # SYSFS_MAGIC dont_measure fsmagic=0x62656572 dont_appraise fsmagic=0x62656572 # DEBUGFS_MAGIC dont_measure fsmagic=0x64626720 dont_appraise fsmagic=0x64626720 …... measure func=BPRM_CHECK measure func=FILE_MMAP mask=MAY_EXEC measure func=FILE_CHECK mask=MAY_READ uid=0 appraise obj_user=sig_t func=FILE_CHECK appraise_type=imasig appraise fowner=1001 appraise_type=imasig appraise fowner=0 23 FOSDEM 2014
  • 24. Directory & special files integrity protection ● ● ● ● ● ● ● 24 Work in progress (CONFIG_IMA_DIRECTORIES) New hooks for directory/special files integrity verification in fs/namei.c ● ima_dir_check(), ima_dir_update(), ima_link_check() Directory measurement is a hash over directory content ● List of (inode number, file name) tuples Symlink measurement ● Hash of the target path Device node measurement ● Hash over MAJOR:MINOR Hash is also stored in 'security.ima' No EVM changes are required for this FOSDEM 2014
  • 25. ima-evm-utils ● ● Use of digital signatures requires user-space tools ima-evm-utils (evmctl) ● ● ● ● 25 Sign file metadata and content – evmctl sign –imahash foo – evmctl sign –imasig foo Verify (for testing purpose) Import public keys into the kernel keyring – evmctl import /path/to/key Supports password protected private keys FOSDEM 2014
  • 26. Example: initramfs script grep -v "^#" /etc/ima_policy >/sys/kernel/security/ima/policy # load IMA policy keyctl add user kmk "testing123" @u keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u # import EVM HMAC key ima_id=`keyctl newring _ima @u` evmctl import /etc/keys/pubkey_evm.pem $ima_id # import IMA public key evm_id=`keyctl newring _evm @u` evmctl import /etc/keys/pubkey_evm.pem $evm_id echo "1" > /sys/kernel/security/evm 26 # import EVM public key # enable EVM FOSDEM 2014
  • 27. Example: labeling with signatures Label one file: $ echo Hello >foo $ sudo evmctl sign --imahash foo $ getfattr -e hex -m security -d foo # file: foo security.evm=0x030155475e4e0000bc16a96303fd3e7901040060bab44648764dca46ad71827a48c3e171b7e 9444b47b79b7bd7c7f1783852be9b4f038f2c1dd57320b257619b9fa3a9cadea2c679faf83a9755f2a015995ec43 332fdedcc2c72cb87f2eb25a8ef524c3ec78134aaa5b6dd18c8c1bf5e16d886a03dd36587aa927e07154c0009cd af71c1fcbc37fa15a8bd153ba360bf73bafb security.ima=0x011d229271928d3f9e2bb0375bd6ce5db6c6d348d9 Label whole file system: $ evmctl -r sign --imahash / 27 FOSDEM 2014
  • 28. Summary ● ● ● 28 Integrity protection can be implemented in most embedded systems ● Main requirement is HW root of trust: Secure ROM U-boot provides support for secure/trusted boot Linux kernel provides support for protecting integrity of the storage ● Linux Integrity Subsystem ● policy, local appraisal, remote attestation ● Block-level integrity protection ● dm-verity ● dm-integrity FOSDEM 2014
  • 29. Links U-Boot ● http://www.denx.de/wiki/U-Boot IMA/EVM ● Integrity tree: http://git.kernel.org/?p=linux/kernel/git/zohar/linux-integrity.git ● Dir tree: http://git.kernel.org/?p=linux/kernel/git/kasatkin/linux-digsig.git ● Linux IMA project page: http://sourceforge.net/projects/linux-ima ● Utils: http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree dm-integrity ● git://git.kernel.org/pub/scm/linux/kernel/git/kasatkin/linux-digsig.git#dm-integ rity 29 FOSDEM 2014
  • 30. 0 Questions? INTEL CONFIDENTIAL © 2014 SAMSUNG Electronics Co.