This document discusses modern deployment techniques for embedded Linux and IoT devices. It covers topics like embedded Linux security, the Kernel Self Protection Project, lightweight containers using systemd, systemd's sandbox model, and software update mechanisms. The presenter argues that embedded Linux runtimes constitute a large attack surface due to complex open source code and lack of update mechanisms. Techniques like kernel hardening, systemd sandboxes, and atomic OTA updates can help secure embedded devices and allow safer deployment of applications. Adoption of these practices faces challenges due to embedded developers prioritizing small images over security.
Embedded Recipes 2017 - An easy-to-install real world embedded Linux distribu... (Anne Nicolas)
Atom Linux is an open source project still in its early starting phase. Its purpose is to give the user a way to easily create a robust and secure embedded Linux system. The user downloads a bootstrap image, then configures the utilities (servers…) and libraries needed by their custom code. Apart from their own code, the user does not need to compile anything; the system automatically downloads prebuilt packages from the Atom Linux server. The Atom Linux system is built with robustness and security in mind. Among other features, it provides a secured multi-partitioned update system and power supply fault tolerance.
Christophe BLAESS, Logilin
The document discusses how open source technology is enabling the growth of the Internet of Things (IoT). It notes that IoT devices are growing rapidly in both popularity and scale. Many companies are using open source software, hardware, and standards to develop solutions for IoT markets. The document highlights several open source projects that are helping to support IoT development, including those focused on edge devices, operating systems, containerization, connectivity standards, and more. It provides examples of how these open source tools are enabling the scalability, security, and flexibility needed as IoT devices grow into the billions.
DevOps practices are needed for IoT software to address the scale, complexity, and developer needs of billions of IoT devices. Resin.io helps with IoT DevOps by enabling developers to provision devices, deploy and configure software like the cloud, develop with fast feedback, securely update devices at scale across different form factors. It applies best practices from cloud DevOps to solve hard IoT problems like fail-safe deployments and supporting diverse device architectures. This allows hardware companies to actively manage device software to deliver ongoing value through security updates, new features, and intelligence while opening new business lines.
Building specialized container-based systems with Moby: a few use cases
This talk will explain how you can leverage the Moby project to assemble your own specialized container-based system, whether for IoT, cloud or bare metal scenarios. We will cover Moby itself, the framework, and tooling around the project, as well as many of its components: LinuxKit, InfraKit, containerd, SwarmKit, Notary. Then we will present a few use cases and demos of how different companies have leveraged Moby and some of the Moby components to create their own container-based systems.
A Summary about Hykes' Keynote on Dockercon 2015 (Henry Huang)
The keynote discussed Docker's goals of reinventing the programmer's toolbox through tools like Docker runtime, distribution, composition, machine management, clustering, networking, and extensibility plugins. It also discussed building better infrastructure plumbing through projects like Notary for secure content distribution and runC as a portable container runtime. Finally, it covered promoting open standards through the Open Container Project to define a vendor-neutral container format and ensure support from a broad industry coalition.
This document discusses software-defined networking (SDN), network functions virtualization (NFV), network virtualization (NV), and open networking. It provides definitions of these concepts and compares the hardware-defined data center and software-defined data center approaches. Diagrams show the network overlay and underlay in NV. Open networking organizations and initiatives like OpenFlow, Open Network Install Environment (ONIE), Open Network Linux (ONL), OpenNSL, and OPNFV are also mentioned. Lastly, the benefits of different approaches are noted.
Introduction to DragonBoard 410c Development Board and Starting Development of Your Embedded Linux-based IIoT Device
Watch the recording at: http://bit.ly/2AskXuW
Talk at DevOpsCon 2017 Berlin, June 14th
How to create a Docker/container enabled operating system for ARM and IoT devices. The story behind HypriotOS and the adoption of Docker technology to the Raspberry Pi computer. Build and manage your own 64-bit operating system; everything is open source and publicly available.
The internet of things is now, see how golang is a part of this evolution (Yoni Davidson)
This document discusses how Golang can help with Internet of Things (IoT) development. It summarizes that IoT development requires skills in many areas, from embedded programming to backend development, which makes it challenging. Golang can help unify development by allowing code to run natively on devices and be used for both device and backend code, simplifying context switching. It also discusses examples of using Golang with IoT, including a code sample accessing a webcam from a Raspberry Pi. Recommended Golang packages for IoT are also listed.
Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained by Offensive Security Ltd and supports x86, ARM, and Android platforms. Key features include NetHunter for porting Kali to Android devices, enabling wireless attacks and USB-based attacks from mobile devices. The Kali Linux logo has also appeared on the TV show Mr. Robot.
Kali Linux is a Debian-based Linux distribution designed for digital forensics and penetration testing. It is maintained by Offensive Security and supports 32-bit and 64-bit architectures for x86 systems as well as ARM. Key features include NetHunter for porting Kali to Android devices to enable wireless injection and other penetration testing tools from mobile devices. Kali Linux has gained popularity in culture from appearances on the TV show Mr. Robot and focuses specifically on security through dedicated developers and package signing rather than general security fixes.
Presented by: Lin Sun, IBM
Presented at All Things Open 2020
Abstract: Do you really need microservices? The Istio team have made an architecture decision to change the Istio control plane components from microservices to monolithic to simplify Istio. Come and hear why we did it and how it simplifies Istio operation experience, along with many other changes we made to simplify Istio.
Containers provide isolation at the operating system level through mechanisms like namespaces and cgroups. While containers isolate applications from each other better than traditional virtualization, some experts argue that full virtualization using hypervisors provides stronger security due to stronger isolation between virtual machines. However, container security has improved significantly over time and many argue containers can provide adequate security for many use cases. There is an ongoing debate in the industry around the relative security of containers versus virtual machines.
Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It contains a collection of security and forensics tools and is maintained and funded by Offensive Security Ltd. Kali Linux is available as images for x86 and ARM architectures and supports devices like Raspberry Pi, Chromebooks, and Android through the NetHunter project. It was created as a successor to BackTrack and aims to be more secure and enterprise ready for penetration testing.
Talk by David Jorm on the state of Security in Java frameworks, and more specifically OpenDaylight. He also talks about his vision for where the platform should get to for delivering on the SDN promise.
penetration test using Kali linux seminar report (AbhayNaik8)
This document is a seminar report submitted by Mr. Naik Abhay Suresh to fulfill requirements for a Bachelor of Engineering degree. The report discusses penetration testing using Kali Linux. It provides background on Kali Linux, including its history and relationship to Debian. It then describes the methodology of penetration testing, including phases such as information gathering, scanning, exploitation, and post-exploitation. The report discusses advantages and applications of using Kali Linux for penetration testing.
This document summarizes a webinar on developing user interfaces for industrial IoT applications using Qt. The webinar discusses integrating Qt into an OpenEmbedded-based Linux BSP for a DragonBoard 410c, introducing Qt software modules, setting up a Qt development environment, and writing a first Qt application. It also covers publishing sensor data using MQTT and home automation protocols like KNX that are supported by Qt.
Microservices and containers networking: Contiv, an industry leading open sou... (Codemotion)
Contiv provides a higher level of networking abstraction for microservices: it provides built-in service discovery and service routing for scale out services, working with schedulers like Docker Swarm, Kubernetes, Mesos and Nomad. We will see some code examples, basic use cases and an easy tutorial on the web.
Software, Over the Air (SOTA) for Automotive Grade Linux (AGL) (Leon Anavi)
Brief introduction to the state of GENIVI SOTA projects and its integration in Automotive Grade Linux (AGL) for AGL face to face meeting in Vannes 25-27 May, 2016. The presentation also features requirements and brief analysis of open source software tools for installation strategy on AGL devices.
My web application in 20 minutes with Telosys (Laurent Guérin)
The document introduces Telosys, an open source code generation tool that allows developers to quickly generate code from models using templates. It aims to improve productivity, standardization, quality and simplicity over manual coding. The document demonstrates how to define a model and templates, and then generate Python web application code including entities, services, controllers and views using Telosys.
Debug, Analyze and Optimize Games with Intel Tools - Matteo Valoriani - Codem... (Codemotion)
Use the full potential of your favorite platform while improving a videogame's frame rate and performance with GPA (Graphics Performance Analyzer), a free tool powered by Intel. Featuring a convenient panel overlay, you can quickly identify problem areas and experiment with improvements without having to recompile the source code. System analysis isolates common bottlenecks that affect your game's performance in real time. Analyze performance on a single frame down to the draw call level. Identify where you can evenly distribute workloads across the CPU and GPU.
Container technology is shaping the future of software development and is causing a structural change in the cloud-computing world. Developers are embracing container technology and enterprises are adopting it at an explosive rate. Containers are a core part of IT today: they are a very powerful tool that streamlines your development and ops processes, saves companies money, and makes life much easier for developers.
CMPE 297 Lecture: Building Infrastructure Clouds with OpenStack (Joe Arnold)
Lecture for the San Jose State masters program on cloud computing. Topic focuses on using OpenStack to deploy infrastructure clouds with commodity hardware and open source software. Covers virtualization, networking, storage, deployment and operations.
With 16+ million lines of code, the Linux kernel continues to be an engineering marvel. This presentation covers some key aspects of the Linux kernel and its connections with embedded systems.
Codecamp 2020 microservices made easy workshop (Jamie Coleman)
Ever wondered what makes a cloud-native application “cloud-native”? Ever wondered what the unique challenges are and how best to address them on fully-open Java technologies? In this workshop, you’ll learn what it means to be cloud-native and how that impacts application development. You’ll learn about Eclipse MicroProfile, an industry collaboration defining technologies for the development and management of cloud-native microservices. With a full set of MicroProfile workshop modules available to you, you’ll be able to start with the basics of REST services and progress to more advanced topics, or you can jump right in and develop secure, fault tolerant, configurable and monitorable microservices.
Once you’ve developed your microservice, you’ll learn how to package it in a Docker container and deploy it to a Kubernetes cluster. Finally, you’ll learn the role of a service mesh and use Istio to manage your microservice interactions or you can choose to deploy your microservices to OpenShift.
Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is preinstalled with over 600 penetration testing programs and based on Debian Jessie. Kali Linux supports 32- and 64-bit images for x86 systems as well as ARM architectures like BeagleBoard and Samsung Chromebook. It has a dedicated project for porting to Android devices called Kali NetHunter, which enables wireless attacks and Bad USB attacks from Nexus devices.
It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching. (All Things Open)
Presented by: Igor Seletskiy
Presented at the All Things Open 2021
Raleigh, NC, USA
Raleigh Convention Center
Abstract: IT Teams know the drill. New security bulletins, new issues, new patches to deploy. Schedule another maintenance operation and prepare for system downtime.
There is a better way to do things. Live patching has been around in the Linux Kernel for some time now, but adoption has not been ideal so far - either because of a lack of trust in the technology or just lack of awareness - or sysadmins just enjoy interrupting their workloads or users.
Live patching consists of two aspects. First, there has to be a mechanism for function redirection in the kernel. As in many things, the kernel actually provides three different subsets of tools that provide this functionality - kprobes, fprobes and Livepatching. Secondly, Live Patching relies on a set of tools to generate the actual patches to deploy, replacing the old code with new. This is arguably the most involved part: you need to fit your new code in the proper space, you can’t overwrite other unrelated code and you need to maintain compatibility with other functions. If you change your parameter list, for example, it’s game over - something will break in the worst possible way.
In this talk we’ll go over issues like Consistency model, patch generation, deployment mechanisms and identify situations that are ideal candidates for live patching instead of traditional patching operations.
LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker) (Docker, Inc.)
LinuxKit is a toolkit for building secure, portable, and lean operating systems for containers. It uses Moby tooling to build system images and runs everything as containers using Containerd 1.0. In the first five months it has gained 75 contributors and support for ARM64, Windows containers, and many platforms. It also added WireGuard VPN, improved security with LSM rules and eBPF, and plans to graduate Kubernetes support. Future work includes cultivating the security community, contributing upstream, and stable releases with Containerd 1.0 integration.
The presentation was given at a seminar of the InfinIT interest group "High-level languages for embedded systems" (Højniveausprog til indlejrede systemer), held on 6 March 2013. Read more about the interest group here: http://www.infinit.dk/dk/interessegrupper/hoejniveau_sprog_til_indlejrede_systemer/hoejniveau_sprog_til_indlejrede_systemer.htm
Inria Tech Talk: RIOT, the free OS for your connected objects #IoT - Stéphanie Roger
Make your connected objects communicate with the RIOT solution!
RIOT is an open source nano operating system, the equivalent of Linux for the Internet of Things. Thanks to the communication standards it implements, it lets you develop applications for your communicating and embedded objects easily, sustainably and securely (connected agriculture, monitoring and management of smart buildings, small automation, the factory of the future ...).
Inria, the national research institute dedicated to digital science, which at French Tech Central connects entrepreneurs with the best of French public research, is one of the co-founding members of the worldwide community of RIOT developers.
IoT: Contrasting Yocto/Buildroot to binary OSes - Mender.io
Drew Moseley gave a presentation comparing the workflows of using binary operating systems versus build systems like Yocto Project and Buildroot for embedded and IoT development. He outlined the steps in a typical development workflow and discussed the advantages and disadvantages of each approach. He also touched on security best practices, the potential uses of containers in embedded/IoT, and concluded with recommendations to define applications early, use a reproducible build system, consider OTA updates, monitor containers, and contact Mender for additional information and resources.
This slideshow gives feedback about using Linux in industrial projects. It is part of a conference held by our company CIO Informatique Industrielle at ERTS 2008, the European Embedded Real Time Software Congress in Toulouse.
The Civil Infrastructure Platform (CIP) is creating a super long-term supported (SLTS) open source "base layer" for industrial grade software. We have been working on security fixes and some backported features since the moment we decided that Linux kernel v4.4 would be the first SLTS version. In this talk, we will describe the current development status of the SLTS kernel and testing environment. First, we'll explain our kernel development policy. Then, we'll describe the functionality that has been backported. Finally, we'll talk about testing before using our base layer on real products. We have been developing a test framework to collect and share test results. To build it, we don't want to duplicate existing work such as KernelCI, Fuego and others. For that reason, we are trying to collaborate and contribute to such projects.
UniK - a unikernel compiler and runtime - Lee Calcote
This document contains the slides from a presentation by Lee Calcote on UniK, an open source tool for building and deploying unikernels. UniK allows developers to compile applications written in languages like Java, C++, Python and Go directly into small, secure virtual machines called unikernels. It supports deploying unikernels on various cloud platforms and virtualization technologies. The presentation covers what unikernels are, the UniK tool, its architecture and components, and demonstrates how to use UniK to build and deploy a sample application as a unikernel.
Demystifying Containerization Principles for Data Scientists - Dr Ganesh Iyer
Demystifying Containerization Principles for Data Scientists - an introductory tutorial on how Docker can be used as a development environment for data science projects
A deep dive into Android Open Source Project (AOSP) - Siji Sunny
A deep dive into the Android Open Source Project, presented at the International Centre for Free and Open Source Software (ICFOSS), Kerala's Open Source Mobile Computing Conference
Kata Containers provides container virtualization using lightweight virtual machines to gain the security of virtual machines while maintaining the speed of containers. It uses hypervisor-based isolation to make each container as secure as a virtual machine while integrating seamlessly with container ecosystems. Kata Containers has an open source architecture that supports multiple hypervisors and platforms.
Why the Yocto Project for my IoT project - ELC Edinburgh 2018 - Mender.io
This document summarizes a presentation about using the Yocto Project for IoT projects. It discusses the challenges of embedded Linux development and introduces the Yocto Project as a build system that can address these challenges. It provides an overview of the Yocto Project workflow and features like its layer-based structure and SDK support. Finally, it outlines benefits of using the Yocto Project for IoT projects, including support for common IoT protocols and the ability to customize software for specific hardware.
OSCON 2017: Build your own container-based system with the Moby project - Patrick Chanezon
Build your own container-based system with the Moby project
Docker Community Edition—an open source product that lets you build, ship, and run containers—is an assembly of modular components built from an upstream open source project called Moby. Moby provides a “Lego set” of dozens of components, the framework for assembling them into specialized container-based systems, and a place for all container enthusiasts to experiment and exchange ideas.
Patrick Chanezon and Mindy Preston explain how you can leverage the Moby project to assemble your own specialized container-based system, whether for IoT, cloud, or bare-metal scenarios. Patrick and Mindy explore Moby’s framework, components, and tooling, focusing on two components: LinuxKit, a toolkit to build container-based Linux subsystems that are secure, lean, and portable, and InfraKit, a toolkit for creating and managing declarative, self-healing infrastructure. Along the way, they demo how to use Moby, LinuxKit, InfraKit, and other components to quickly assemble full-blown container-based systems for several use cases and deploy them on various infrastructures.
The document summarizes an IBM presentation about Linux and open source. It discusses what Linux and open source are, market trends driving their adoption, IBM's strategy of participating in open source development and supporting Linux, how customers are using Linux, and myths about Linux not being ready for enterprise use.
The Ultimate List of Opensource Software for #docker #decentralized #selfhost... - Panagiotis Galinos
A list and description for interesting open source software for
#docker #decentralized #selfhosted #privacy #security
It has a description and an indicative image for each one.
A survey of problems involved in building containers and build tools such as:
buildah
nixos-container
ansible-container
Smith
Distroless
Buildkit
Source to Image (s2i)
Habitat
Machine Learning, Analytics & Cyber Security: the Next Level Threat Analytics... - PranavPatil822557
This document provides an overview of machine learning, analytics, and cyber security presented by Manjunath N V. It includes definitions of key concepts like machine learning, data analytics, and cyber security. It also discusses how machine learning, data analytics, and cyber security are related and can be combined. The document outlines topics that will be covered, including theoretical foundations, hands-on materials, career opportunities, and demonstration of a final output.
An introduction to the Moby Project and LinuxKit. The demo essentially walked through the LinuxKit examples available on Github at https://github.com/linuxkit/linuxkit paying specific attention to the linuxkit.yml nginx example in the home directory, and the redis-os example in the examples directory.
Linux Implementation Proposal - Richard Johnson - Why Linux .docx - croysierkathey
Linux Implementation Proposal
Richard Johnson
Why Linux?
Costless
Stable
Reliable
Extremely powerful
Highly Secure
Why Linux
The Linux system is very stable and is not prone to crashes, unlike Windows.
Linux is completely free and users do not need to pay for anything.
Cost effective: Linux can be installed on old hardware, thus helping in the optimal use of all the hardware resources.
Features of Linux Operating System:
Portable(Multiplatform)
Multitasking.
Multi User.
Multiprocessor (SMP) Support.
Multithreading Support.
Virtual Memory.
Hierarchical File System.
Graphical User Interface (X Window System, Wayland)
Basic Features of Linux
Portable − Portability means the software can work on different types of hardware in the same way.
Multiprogramming − Linux is a multiprogramming system, meaning multiple applications can run at the same time.
Security − Linux provides user security using authentication features like password protection, controlled access to specific files and encryption of data. Less prone to hackers!
Software application for Linux
OpenOffice (Microsoft Office)
Adobe Acrobat Reader
Konqueror: The KDE File Manager and Web Browser (Internet Explorer)
Gedit (Notepad/Wordpad)
Gimp (Photoshop)
Cinelerra (Movie Maker)
VLC (Media Player)
Comparison of Operating System Linux v/s Windows
Linux is freely available for online download; for Windows, companies have to pay for a license.
Windows needs updating from time to time, and its update process is slower than Linux's.
Linux supports backward compatibility, unlike Windows.
Most of the software made for Windows needs to be licensed, but on Linux all of it is freely available.
Hardware Requirements
The transition to the Linux environment will not require any changes to the present hardware components.
Windows utilizes an Intel Core CPU and 8 GB of RAM, which is more than what is required for Linux.
Graphical User Interface
Users will log in with a specially designated user ID and password. This functions the same as in Windows.
Each password will be unique per user.
Each user will have different access to the system, depending on their level of use; this means that a person will be allowed to access part of the system that they work on, and the rest will be blocked.
Server File Sharing Tool
Samba Server
Share files across Linux, Windows, and Mac OS X systems
pCloud
Is a cloud storage provider
ANY QUESTIONS?
Linux Implementation Proposal: Migration Proposal Presentation (due at the end of Week 3)
Faster Computing has contacted Go2Linux and requested a brief proposal presentation for migrating its systems from Windows to Linux. The company is specifically interested in seeing the following information:
· Based on your current understanding of Faster Computing's business, what are some potential benefits of Linux?
· The company is aware that many different Linux derivatives exist. Which would Go2Linux recommend, and why?
· Are there graphical interfaces availab ...
DockerCon 2017 - General Session Day 1 - Solomon Hykes - Docker, Inc.
The document provides an overview of Docker and the container ecosystem. It discusses how Docker and the ecosystem have grown from early pioneers in 2013-2014 to now being mainstream. It notes how the open component model Docker uses has limitations in scaling and proposes a new approach called Moby, which is a library of components and assemblies that can be used to build specialized container systems faster by leveraging existing work. Moby will help both Docker and others in the ecosystem innovate more quickly. Examples are given of how various "weekend projects" could be built using Moby that previously took much longer.
Software Update Mechanisms: Selecting the Best Solution for Your Embedded Linu... - ICS
Updating device software has always been a complicated process. Today, widespread use of connected IoT device fleets, along with escalating concern over cybersecurity, has made that process even more complex. Fortunately, there are a number of well-established open source solutions to help you address software update needs. But, with so many options, how do you determine which solution is right for your device?
This webinar will provide the foundation you need to make an informed decision. We’ll examine several different industry approaches, including A/B updates with a dual-redundant scheme, delta updates, container-based updates and combined strategies, as well as the leading technologies that support these approaches. Open source technologies such as Mender, RAUC and libostree-based solutions implement these strategies and provide tools to manage updates of multiple devices.
We’ll also review a variety of open source Linux software update technologies, and offer practical examples for integrating them using the Yocto Project and OpenEmbedded. In order to help you better understand the strengths and weaknesses of each technology, we’ll deep dive into various real-world use cases, including leveraging CAAM (Cryptographic Accelerator and Assurance Module) hardware on Freescale i.MX6 hardware for encrypted and signed updates and using Microsoft Azure IoT to host software updates from the cloud.
Similar to Modern IoT and Embedded Linux Deployment - Berlin (20)
HijackLoader Evolution: Interactive Process Hollowing - Donato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Securing BGP: Operational Strategies and Best Practices for Network Defenders... - APNIC
Md. Zobair Khan, Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Discover the benefits of outsourcing SEO to India - davidjhones387
Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum... - APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Integrating Physical and Cybersecurity to Lower Risks in Healthcare! - Alec Kassir cozmozone
The contemporary hospital setting is witnessing a growing convergence between physical security and cybersecurity. Because of advancements in technology and the rise in cyberattacks, healthcare facilities face unique challenges.
1. Modern Deployment for Embedded Linux and IoT
All Systems Go! 2017 October 21-22, Berlin
Djalal Harouni @tixxdz
tixxdz@gmail.com
Modern Deployment for Embedded Linux and IoT - All Systems go! 2017, Berlin
2. Agenda
● Background
● Embedded Linux and IoT Security
● Kernel Hardening and Kernel Self Protection Project
● Lightweight Containers
● systemd Sandbox Model
● Software Update Mechanisms
● Challenges
3. Background
4. Background
Embedded Linux or Linux-based IoT devices
● Today, Linux is everywhere
● Most of us have at least 3 or 4 Linux-based devices
● By IoT we mean devices that run Linux: smart gateways, IoT devices connected to the internet, etc.
5. Background
Embedded Linux Apps
● Some Embedded Linux Apps look more like PC Apps
● Big-data science fields and IoT devices are driving engineers and programmers to do more embedded programming
● JavaScript, node.js, golang, etc. are being used to deploy Apps
Note: most of these developers are new to, or won't care about, the lower layers. The lower (system) layers are hard and expensive.
6. Embedded Linux and IoT Security
7. Embedded Linux and IoT Security
[Diagram: Embedded Linux System stack, bottom to top: Hardware, Linux OS, Root Filesystem (userspace), Apps. Labels: Board + Yocto Layers, Runtime (Yocto Layers), Value.]
Runtime:
● Open Source
● +hardware +Apps == Use Case
● Defines the security dimensions
● Large
● Can be updated
8. Embedded Linux and IoT Security
Embedded Linux - Runtime
● Constitutes most of the code: complex
● Runs with higher privileges:
  Kernel and third-party drivers run in CPU/hardware privileged mode
  Userspace runs in CPU user mode, with higher software privileges
  Apps on top are not sandboxed
● No planned software update mechanism (or not a perfect one)
9. Embedded Linux and IoT Security
Bugs and Vulnerabilities lifetime
Analysis by Kees Cook on the Ubuntu CVE tracker, 2011-2016:
Critical: 3 @ 5.3 years
High: 59 @ 6.4 years
Medium: 534 @ 5.6 years
Low: 273 @ 5.6 years
Source: https://outflux.net/blog/archives/2016/10/20/cve-2016-519
Note: numbers from the Ubuntu CVE tracker; most of these were patched
10. Embedded Linux and IoT Security
Bugs and Vulnerabilities lifetime
By Kees Cook: https://outflux.net/blog/archives/2016/10/18/security-bug-lifetime/
11. Embedded Linux and IoT Security
Embedded Linux - Android - Kernel Vulnerabilities
The user space <==> kernel space boundary is abused or misused:
copy_from_user() - copy_to_user()
“Since 2014, missing or invalid bounds checking has caused about 45% of Android's kernel vulnerabilities.”
by Sami Tolvanen, Android Security
Source: https://android-developers.googleblog.com/2017/08/hardening-kernel-in-android-oreo.html
12. Embedded Linux and IoT Security
Embedded Linux - Vulnerabilities
BrickerBot targets cameras, DVRs, and IoT with busybox telnet
Pictures from https://arstechnica.com article
13. Embedded Linux and IoT Security
Modern Deployment of Embedded Linux and IoT
Or
How to Secure your Linux-based IoT Devices
Or
How to keep your Devices alive
14. Kernel Hardening and Kernel Self Protection Project
[KSPP logo]
15. Kernel Hardening and KSPP
Kernel Hardening
● Access Control and Linux Security Modules
● Protecting User Space
Kernel Self Protection Project: more than that
● The Linux kernel's ability to protect itself
● Reduce the kernel attack surface
● Managed by Kees Cook and a lot of contributors: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
16. Kernel Self Protection Project
Attacks and Exploits
● Use multiple bugs and vulnerabilities
● Need to know the target, memory layout, etc.
Objectives
● Eliminate or reduce exploitation targets and methods
● Eliminate or reduce information leaks
● Modify and adopt some features from the grsecurity/PaX patches
17. Kernel Self Protection Project
Embedded Linux Security - Kernel Protections
● CONFIG_HARDENED_USERCOPY=y Performs extra size checks on copies between user and kernel space
● CONFIG_FORTIFY_SOURCE=y Checks string and memory function bounds at compile time or runtime
● CONFIG_STRICT_KERNEL_RWX=y Makes kernel text and rodata read-only: the kernel version of W^X
● CONFIG_STRICT_DEVMEM=y and CONFIG_IO_STRICT_DEVMEM=y restrict physical memory access
● CONFIG_SECCOMP=y and CONFIG_SECCOMP_FILTER=y allow userspace to reduce the attack surface
● CONFIG_STATIC_USERMODEHELPER=y Forces all usermode helper calls through a single binary
18. Kernel Self Protection Project
Embedded Linux Security - Kernel Protections
● CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 Disallows allocating the first 32k of memory
● CONFIG_CPU_SW_DOMAIN_PAN=y Enables PXN/PAN emulation, protecting the kernel from executing user space memory
Guide: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
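The settings on the two slides above are only useful if they actually end up in the kernel that ships on the device, and a size-optimised defconfig routinely drops them. The following script is an added example (not from the talk or the KSPP wiki): it audits a kernel .config against exactly the options listed on the slides and reports each one that is absent, disabled or set to a different value. Point it at /boot/config-$(uname -r), a decompressed /proc/config.gz or the .config of a Yocto kernel build; the two sample configs embedded here are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a kernel .config against the KSPP settings on the slides.
# The two sample configs below are constructed for the demo.

# Expected settings, one per line. The MMAP_MIN_ADDR value and
# CPU_SW_DOMAIN_PAN are the 32-bit ARM recommendations quoted on the slide.
KSPP_EXPECTED='
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_STATIC_USERMODEHELPER=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
CONFIG_CPU_SW_DOMAIN_PAN=y
'

# check_kconfig FILE: print one MISSING line per expected setting that is absent
# or carries a different value ("# CONFIG_X is not set" counts as absent).
# Returns 0 when every setting matches, 1 otherwise.
check_kconfig() {
    file=$1
    missing=0
    for want in $KSPP_EXPECTED; do
        if ! grep -qx "$want" "$file"; then
            opt=${want%%=*}
            have=$(grep -E "^(# )?${opt}[= ]" "$file" || echo "not present")
            printf 'MISSING %s (have: %s)\n' "$want" "$have"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample 1: a typical size-optimised defconfig with hardening left off.
WORKDIR=$(mktemp -d)
WEAK_CONFIG="$WORKDIR/weak.config"
cat > "$WEAK_CONFIG" <<'EOF'
CONFIG_SECCOMP=y
# CONFIG_SECCOMP_FILTER is not set
# CONFIG_HARDENED_USERCOPY is not set
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_STRICT_DEVMEM=y
EOF

# Constructed sample 2: the same config after applying the slide's settings.
HARDENED_CONFIG="$WORKDIR/hardened.config"
printf '%s\n' $KSPP_EXPECTED > "$HARDENED_CONFIG"

for cfg in "$WEAK_CONFIG" "$HARDENED_CONFIG"; do
    if check_kconfig "$cfg"; then
        echo "$cfg: all KSPP settings from the slide are enabled"
    else
        echo "$cfg: hardening gaps found"
    fi
done
```

Run it as a build-time gate (for example from the Yocto image recipe) so that a kernel whose config regresses on any of these options fails the build instead of reaching the field; the KSPP recommended-settings page linked above carries further options that can be added to the list in the same way.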
19. Kernel Self Protection Project
Our Work in Progress:
Modernization of the proc file system - Eliminate Information Leaks
● Each new /proc mount will be a totally separate instance
● Ability to hide processes without PID namespaces (saves resources)
● No kernel data or other files in /proc, only /proc/<pids>/ (by Alexey Gladkov)
● Reduces the /proc burden on other security and Linux features
Development branch: https://github.com/legionus/linux/commits/pidfs-v4
By Djalal Harouni and Alexey Gladkov, with feedback from Andy Lutomirski
20. Kernel Self Protection Project
Our Work in Progress:
Automatic Module Loading Protection - Reduce the kernel attack surface
● Will block auto-loading of vulnerable drivers or modules, e.g.:
  The 11-year-old DCCP double free vulnerability CVE-2017-6074 (root exploit)
  kernel: local privilege escalation in the XFRM framework CVE-2017-7184 (owned Ubuntu)
● Enabled by a global sysctl switch or a per-process-tree flag
● Embedded systems should reduce the ability to load modules at all
V4: https://lkml.org/lkml/2017/5/22/312, V5 soon.
By Djalal Harouni, with feedback from Andy Lutomirski, Kees Cook, Solar Designer and others.
21. Kernel Self Protection Project
Our Work in Progress:
Generalize the Yama Linux Security Module behaviour
● Yama blocks processes from controlling other processes (originally from grsecurity)
● A sysctl flag is used to control Yama
Future:
● Generalize Yama's simple behaviour to other interfaces and system calls
● A global sysctl flag or a per-process-tree flag for sandboxes
● No policy, for easy integration with Yocto and embedded devices
22. Linux Containers or Lightweight Containers
23. Lightweight Containers
Why containers on embedded and IoT devices?
● Modern deployment workflow
● Isolation of Apps
● Allow virtualization of some resources with less overhead
Examples:
Resin OS - an embedded Linux tailored for containers
Resin OS uses Yocto and supports many embedded devices and boards
24. Lightweight Containers
Linux Containers:
● A better develop-and-ship workflow
● Isolate Apps and their resources
● Sandbox mechanism
Disadvantages for Embedded Linux:
● A container format?
● Uses a lot of Linux technologies?
● Over-engineered? (Contains hacks?)
● Heavy, too many processes
25. Lightweight Containers
Containers Ecosystem Comparison
Source: https://coreos.com/rkt/docs/latest/rkt-vs-other-projects.html
26. Lightweight Containers
Solution for Embedded Linux ?
systemd Portable Services/Apps or Lightweight Containers
27. systemd Portable Apps/Lightweight Containers
Why systemd in Embedded Linux?
● Resource management?
● More than three Apps running?
● Integrated watchdog support?
● Socket activation - run Apps on demand?
● Logging?
● Easy App sandboxing?
If no, maybe a simple init + minimal sandbox tool
28. systemd Portable Apps/Lightweight Containers
In Embedded:
[Diagram: systemd supervising a Contained App and several Portable Apps; a Portable App is shipped with its dependencies + Sandbox Mechanism, without systemd-nspawn]
29. systemd Portable Apps/Lightweight Containers
systemd portable Apps/Lightweight Containers:
● For now only Linux mount namespaces - cheap
● Network namespaces used to disconnect / block network access
Advantages:
● All Apps are able to work in mount namespaces
● No need to adapt or package your App using a specific format
● Avoids container managers' complexity and hacks
● Avoids abusing other Linux features to work around other misbehaviour
30. systemd Sandbox Model
31. systemd Sandbox Model
File system sandbox:
RootImage= Root filesystem of the App
PrivateDevices= Private /dev without physical devices
BindPaths=, BindReadOnlyPaths= Make files available; can make /dev/watchdog available inside the sandbox!
User privileges sandbox:
DynamicUser= Run Apps under a different user (Unix UID/GID). The UID is allocated dynamically and released on stop, allowing IoT devices to follow the Android model: each App is executed under a different user.
NoNewPrivileges= No new privileges through execve().
32. systemd Sandbox Model
Network sandbox:
PrivateNetwork= Disconnect internet access
IPAddressDeny= All traffic from and to this address/mask will be blocked.
IPAddressAllow= The whitelist, or permitted IP address/network mask list.
RestrictAddressFamilies=~AF_PACKET Blocks raw packets (AF_PACKET), in blacklisting mode.
33. systemd Sandbox Model
Kernel attack surface reduction:
RestrictNamespaces= Restricts access to Linux namespaces
ProtectKernelTunables= Blocks tuning kernel parameters: /proc and /sys read-only.
ProtectKernelModules= Blocks Apps from explicitly loading or unloading modules.
SystemCallFilter= Seccomp system call filtering:
  “@reboot” Blocks all reboot-related system calls.
  “@module” Blocks all kernel module system calls.
  “@mount” Blocks all file system mount and umount system calls.
All of this is opt-in
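Because all of this is opt-in, a unit that simply forgets a directive gets no sandbox at all. The script below is an added example (not from the talk or the systemd project): it writes the unit for a fictional "sensor-gw" App in the weak form most embedded images ship today and in the form that uses the file system, user, network and kernel directives from the three slides above, then audits both for the directives that are missing. The app name, image path, /etc/sensor-gw and the 10.0.0.0/8 site network are constructed for the demo.

```shell
#!/bin/sh
# Added example: a weak and a sandboxed unit for a fictional App, plus an audit
# that lists the sandbox directives a unit file lacks. All names are constructed.

WORKDIR=$(mktemp -d)

# Constructed "before": the unit most embedded images ship today.
WEAK_UNIT="$WORKDIR/sensor-gw-weak.service"
cat > "$WEAK_UNIT" <<'EOF'
[Unit]
Description=Sensor gateway (no sandbox)

[Service]
ExecStart=/usr/bin/sensor-gw
User=root
EOF

# Constructed "after": the same App under the systemd sandbox model.
HARDENED_UNIT="$WORKDIR/sensor-gw.service"
cat > "$HARDENED_UNIT" <<'EOF'
[Unit]
Description=Sensor gateway (sandboxed)

[Service]
ExecStart=/usr/bin/sensor-gw
# File system sandbox: own root image, private /dev, but the watchdog is handed in.
RootImage=/var/lib/apps/sensor-gw.raw
PrivateDevices=yes
BindPaths=/dev/watchdog
BindReadOnlyPaths=/etc/sensor-gw
# User privileges: a dynamically allocated UID per App, no setuid escalation.
DynamicUser=yes
NoNewPrivileges=yes
# Network: only the local site network, no raw sockets.
IPAddressDeny=any
IPAddressAllow=10.0.0.0/8
RestrictAddressFamilies=AF_INET AF_INET6
# Kernel attack surface: no namespaces, tunables, modules, reboot or mounts.
RestrictNamespaces=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
SystemCallFilter=~@reboot @module @mount
EOF

# Directives every App unit on the device is expected to carry.
SANDBOX_DIRECTIVES='DynamicUser NoNewPrivileges PrivateDevices RestrictNamespaces
ProtectKernelTunables ProtectKernelModules RestrictAddressFamilies SystemCallFilter'

# audit_unit FILE: print one line per gap; return 0 if the unit is clean, 1 otherwise.
audit_unit() {
    unit=$1
    gaps=0
    for d in $SANDBOX_DIRECTIVES; do
        if ! grep -q "^$d=" "$unit"; then
            echo "$unit: $d= not set"
            gaps=$((gaps + 1))
        fi
    done
    # Network sandbox: either no network at all, or an explicit deny/allow list.
    if ! grep -q '^PrivateNetwork=yes' "$unit" && ! grep -q '^IPAddressDeny=' "$unit"; then
        echo "$unit: network not restricted (neither PrivateNetwork= nor IPAddressDeny= set)"
        gaps=$((gaps + 1))
    fi
    [ "$gaps" -eq 0 ]
}

for u in "$WEAK_UNIT" "$HARDENED_UNIT"; do
    if audit_unit "$u"; then echo "$u: sandboxed"; else echo "$u: needs work"; fi
done
```

On a device that runs systemd, `systemd-analyze verify` catches syntax errors in such a unit and `systemd-analyze security UNIT` (available in newer systemd releases than the one current at the time of the talk) gives a more complete per-directive exposure score; the audit above is the build-time check you can run on the unit files before they are packaged into the image.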
34. systemd Sandbox Model - Future
● systemd needs to adapt
  It was intended for experienced service developers and SysVinit experts.
  Today's users are more familiar with containers and Apps.
● New sandbox mechanism for contained Apps - a new runtime mode?
  ACCESS_INTERNET, PRIVILEGED_ACCESS_INTERNET
  ADMIN_SYSTEM_TIME, ADMIN_SYSTEM_TIME_ZONE
  ADMIN_SYSTEM_MANAGER, ADMIN_SYSTEM_NETWORK
  https://github.com/systemd/systemd/pull/6963
35. systemd Sandbox Model - Future
● New sandbox mechanism for contained Apps - a new runtime mode?
  Seccomp policy mutation: “@privileged”, “@container”, “@basic” and “@default” groups
  + Linux capabilities + abstracted permissions
  https://github.com/systemd/systemd/pull/6963
● systemd needs better integration into embedded and IoT devices
● More user-friendly features
36. Software Update Mechanisms
37. Software Update Mechanisms - OTA Update
● IoT devices are exposed to the internet
  BrickerBot reports say that it damaged more than 2,000,000 IoT devices
  No complex 0-day vulnerability exploit was needed
  Fix: it only needed a configuration update to close telnet!?
● Robust embedded and IoT devices have to support a software update mechanism
  Fix development bugs
  Fix known and unknown vulnerabilities
38. Software Update Mechanisms - OTA Update
Requirements:
● Secure: TLS, supports image signing
● Atomic update support - usually a switch from A to B
● Ability to fall back on update failures
● Etc.
Mechanisms:
● Dual root partition: A/B
● Other approaches based on App/container updates: Resin OS
39. Software Update Mechanisms - OTA Update
Mechanisms:
● Dual root partition: A/B
● Two file system images:
  Boot A
  There is an update - download the delta
  A is the reference for B
  Write B
  Switch boot
● Work in progress: casync to stream updates - block layer support
● Traditional tools: xdelta/VCDIFF
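The requirements on the previous slide (atomic switch, fall back on failure, verified images) and the A/B sequence on this one are easiest to see as a small state machine. The script below is an added example (not from the talk, Mender, RAUC or any other updater): it simulates the dual-root flow on plain files so it runs on any machine. Two slot directories stand in for the root partitions, a "bootenv" file for the boot loader variables (active slot, candidate slot, remaining tries), a digest check for the signed-image verification, and an INIT=ok marker in the image for "userspace came up"; all of these are constructed for the demo.

```shell
#!/bin/sh
# Added example: the dual-root A/B update flow simulated on files.
# Slot directories = root partitions, bootenv = boot loader variables,
# the digest check stands in for signature verification. All constructed.

STATE=$(mktemp -d)
BOOTENV="$STATE/bootenv"
mkdir -p "$STATE/slotA" "$STATE/slotB"

digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

bootenv_get() { sed -n "s/^$1=//p" "$BOOTENV"; }

# bootenv_set KEY VALUE: rewrite the whole file and rename it into place, so a
# power cut leaves either the old or the new file, never a half-written one.
bootenv_set() {
    { grep -v "^$1=" "$BOOTENV" || true; echo "$1=$2"; } > "$BOOTENV.tmp"
    mv "$BOOTENV.tmp" "$BOOTENV"
}

other_slot() { if [ "$1" = A ]; then echo B; else echo A; fi; }

# install_image IMAGE EXPECTED_DIGEST: verify the downloaded image, write it into
# the inactive slot and arm the boot loader to try that slot twice.
# The running slot is never touched, which is what makes the update atomic.
install_image() {
    if [ "$(digest "$1")" != "$2" ]; then
        echo "refusing image $1: digest mismatch" >&2
        return 1
    fi
    target=$(other_slot "$(bootenv_get active)")
    cp "$1" "$STATE/slot$target/rootfs"
    bootenv_set candidate "$target"
    bootenv_set tries 2
}

# boot: one power-up. Prints the slot that was booted; returns 0 if userspace
# came up (the image carries the INIT=ok marker). A successful boot of the
# candidate commits it as the new active slot; once the tries are exhausted the
# boot loader falls back to the old slot for good.
boot() {
    cand=$(bootenv_get candidate)
    if [ "$cand" != none ] && [ "$(bootenv_get tries)" -gt 0 ]; then
        bootenv_set tries $(( $(bootenv_get tries) - 1 ))
        slot=$cand
    else
        bootenv_set candidate none
        slot=$(bootenv_get active)
    fi
    echo "$slot"
    if ! grep -q '^INIT=ok$' "$STATE/slot$slot/rootfs"; then
        return 1
    fi
    if [ "$slot" = "$cand" ]; then
        bootenv_set active "$slot"
        bootenv_set candidate none
    fi
}

# Factory state: slot A holds version 1 and is active.
: > "$BOOTENV"
bootenv_set active A; bootenv_set candidate none; bootenv_set tries 0
printf 'INIT=ok\nversion=1\n' > "$STATE/slotA/rootfs"

# Update 1: a good image; the expected digest would come from the signed manifest.
printf 'INIT=ok\nversion=2\n' > "$STATE/v2.img"
install_image "$STATE/v2.img" "$(digest "$STATE/v2.img")"
BOOT1=$(boot)                  # boots B and commits it

# Update 2: an image whose userspace never comes up; it goes into A.
printf 'INIT=crash\nversion=3\n' > "$STATE/v3.img"
install_image "$STATE/v3.img" "$(digest "$STATE/v3.img")"
BOOT2=$(boot) || true          # A, fails (1 try left)
BOOT3=$(boot) || true          # A, fails (0 tries left)
BOOT4=$(boot)                  # falls back to B

# Update 3: the image was altered in transit; it never reaches a slot.
if install_image "$STATE/v3.img" "0000000000000000000000000000000000000000000000000000000000000000"; then
    TAMPER_ACCEPTED=yes; else TAMPER_ACCEPTED=no; fi
echo "booted: $BOOT1 $BOOT2 $BOOT3 $BOOT4; active: $(bootenv_get active); tampered image accepted: $TAMPER_ACCEPTED"
```

On real hardware the "tries" counter lives in the boot loader environment and the commit is done by userspace only after its own health check passes (for example after the hardware watchdog has been serviced for a while), which is why the inactive slot must never be written while the device is booting from it and why the bootenv update has to be atomic.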
40. Software Update Mechanisms - OTA Update
Ready solutions compatible with Yocto:
● Mender.io - open source tool for updating your embedded devices safely and reliably
New:
● rauc - Safe and Secure
Others:
● Resin OS updater
41. Challenges
42. Challenges
Adoption?
All this is already in Yocto!
43. Thanks to
Daniel Mack and Lennart Poettering
44. Questions?
Feel free to contact me about these topics: tixxdz@gmail.com
Djalal Harouni