Modern Deployment for Embedded Linux and IoT
All Systems Go! 2017 October 21-22, Berlin
Djalal Harouni @tixxdz
tixxdz@gmail.com
Modern Deployment for Embedded Linux and IoT - All Systems go! 2017, Berlin
Agenda
● Background
● Embedded Linux and IoT Security
● Kernel Hardening and Kernel Self Protection Project
● Lightweight Containers
● systemd Sandbox Model
● Software Update Mechanisms
● Challenges
Background
Embedded Linux or Linux-based IoT devices
● Today, Linux is everywhere
● Most of us have at least 3 or 4 Linux-based devices
● By IoT we mean devices that run Linux: smart gateways, IoT devices connected to the Internet, etc.
Background
Embedded Linux Apps
● Some Embedded Linux Apps look more like PC Apps
● Big-data science fields and IoT devices are driving engineers and programmers to do more embedded programming
● JavaScript, node.js, golang, etc. are being used to deploy Apps
Note: most of these developers are new to, or won't care about, the lower layers.
The lower layers or system layers are hard and expensive.
Embedded Linux and IoT Security
Diagram: the embedded Linux system stack. Hardware (the board) at the bottom, then the Linux OS and the root filesystem (userspace), with the Apps on top delivering the value. The OS and root filesystem together form the Runtime, built from Yocto layers.
Runtime (Yocto layers):
● Open source
● Runtime + hardware + Apps == use case
● Defines the security dimensions
● Large
● Can be updated
Embedded Linux - Runtime
● Constitutes most of the code: complex
● Runs with higher privileges:
The kernel and third-party drivers run in the CPU/hardware privileged mode
Userspace runs in CPU user mode, but with high software privileges
Apps on top are not sandboxed
● No planned software update mechanism (or not a perfect one)
Bugs and vulnerabilities lifetime
Analysis by Kees Cook of the Ubuntu CVE tracker, 2011-2016 (number of CVEs @ average lifetime):
● Critical: 3 @ 5.3 years
● High: 59 @ 6.4 years
● Medium: 534 @ 5.6 years
● Low: 273 @ 5.6 years
Source: https://outflux.net/blog/archives/2016/10/20/cve-2016-519
Note: numbers from the Ubuntu CVE tracker; most of them were patched
Bugs and vulnerabilities lifetime (chart)
By Kees Cook: https://outflux.net/blog/archives/2016/10/18/security-bug-lifetime/
Embedded Linux - Android - Kernel Vulnerabilities
The user space <==> kernel space boundary is abused or misused:
copy_from_user() - copy_to_user()
"Since 2014, missing or invalid bounds checking has caused about 45% of Android's kernel vulnerabilities."
by Sami Tolvanen, Android Security
Source: https://android-developers.googleblog.com/2017/08/hardening-kernel-in-android-oreo.html
Embedded Linux - Vulnerabilities
BrickerBot targets cameras, DVRs and other IoT devices running busybox with telnet exposed
Pictures from an https://arstechnica.com article
Modern Deployment of Embedded Linux and IoT,
or: how to secure your Linux-based IoT devices,
or: how to keep your devices alive
Kernel Hardening and KSPP
Kernel Hardening
● Access Control and Linux Security Modules
● Protecting User Space
Kernel Self Protection Project: more than that
● The Linux kernel's ability to protect itself
● Reduce the kernel attack surface
● Managed by Kees Cook and a lot of contributors:
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
Kernel Self Protection Project
Attacks and exploits
● Chain multiple bugs and vulnerabilities
● Need to know the target, its memory layout, etc.
Objectives
● Eliminate or reduce exploitation targets and methods
● Eliminate or reduce information leaks
● Modify and adopt some features from the grsecurity/PaX patches
Embedded Linux Security - Kernel Protections
● CONFIG_HARDENED_USERCOPY=y: performs extra size checks on copies between user and kernel space
● CONFIG_FORTIFY_SOURCE=y: checks string and memory function bounds at compile time or at runtime
● CONFIG_STRICT_KERNEL_RWX=y: makes kernel text and rodata read-only, the kernel version of W^X
● CONFIG_STRICT_DEVMEM=y and CONFIG_IO_STRICT_DEVMEM=y: restrict physical memory access
● CONFIG_SECCOMP=y and CONFIG_SECCOMP_FILTER=y: allow userspace to reduce its own kernel attack surface
● CONFIG_STATIC_USERMODEHELPER=y: forces all usermode helper calls through a single binary
Embedded Linux Security - Kernel Protections (continued)
● CONFIG_DEFAULT_MMAP_MIN_ADDR=32768: disallows allocating the first 32k of memory
● CONFIG_CPU_SW_DOMAIN_PAN=y: enables PXN/PAN emulation, protecting the kernel from executing user space memory
Guide: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
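The settings from these two slides as a check script, added here and not part of the talk: it compares a kernel .config against the listed options and reports each one that is absent, explicitly disabled or set to another value. The sample .config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the talk: check a kernel .config against the KSPP
# settings listed on the two slides above. The .config written by
# write_sample_config is constructed for illustration.

# Expected option=value pairs, exactly as the slides list them.
KSPP_EXPECTED='CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_STATIC_USERMODEHELPER=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
CONFIG_CPU_SW_DOMAIN_PAN=y'

# check_kconfig FILE: print one line per expected option that FILE leaves
# out (MISSING), explicitly disables (DISABLED) or sets to another value
# (MISMATCH). Prints nothing when the config is fully compliant.
check_kconfig() {
    printf '%s\n' "$KSPP_EXPECTED" | while IFS= read -r want; do
        name=${want%%=*}
        # The last line mentioning the option wins, like Kconfig fragment
        # merging; "# CONFIG_FOO is not set" lines are matched as well.
        have=$(grep -E "^(# )?${name}[= ]" "$1" | tail -n 1)
        case "$have" in
            "$want") ;;
            "") printf 'MISSING  %s (want %s)\n' "$name" "$want" ;;
            "# $name is not set") printf 'DISABLED %s (want %s)\n' "$name" "$want" ;;
            *) printf 'MISMATCH %s (have %s, want %s)\n' "$name" "$have" "$want" ;;
        esac
    done
}

# count_findings FILE: number of non-compliant options (0 == compliant).
count_findings() { check_kconfig "$1" | grep -c . || true; }

# write_sample_config FILE: a constructed, only partly hardened .config
# excerpt: one option is left out, one is disabled, one has a weaker value.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_IO_STRICT_DEVMEM is not set
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_CPU_SW_DOMAIN_PAN=y
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
check_kconfig "$sample"
echo "non-compliant options: $(count_findings "$sample")"
rm -f "$sample"
```

Run it against a real build with `check_kconfig /path/to/.config` after building the kernel with Yocto; the expected list can be extended with further options from the KSPP guide.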
Our work in progress:
Modernization of the proc file system - eliminate information leaks
● Each new /proc mount will be a totally separate instance
● Ability to hide processes without PID namespaces (saves resources)
● No kernel data or other files in /proc, only /proc/<pid>/ (by Alexey Gladkov)
● Reduce the /proc burden on other security and Linux features
Development branch: https://github.com/legionus/linux/commits/pidfs-v4
By Djalal Harouni and Alexey Gladkov, with feedback from Andy Lutomirski
Our work in progress:
Automatic module loading protection - reduce the kernel attack surface
● Will block auto-loading of vulnerable drivers or modules, e.g.:
the 11-year-old DCCP double free vulnerability CVE-2017-6074 (root exploit)
kernel: local privilege escalation in the XFRM framework CVE-2017-7184 (owned Ubuntu)
● Enabled by a global sysctl switch or a per-process-tree flag
● Embedded systems should reduce the ability to load modules at all
V4: https://lkml.org/lkml/2017/5/22/312, V5 soon.
By Djalal Harouni, with feedback from Andy Lutomirski, Kees Cook, Solar Designer and others.
Our work in progress:
Generalize the Yama Linux Security Module behaviour
● Yama blocks processes from controlling other processes (originally from grsecurity)
● A sysctl flag is used to control Yama
Future:
● Generalize Yama's simple behaviour to other interfaces and system calls
● A global sysctl flag or a per-process-tree flag for sandboxes
● No policy to write: easy integration with Yocto and embedded devices
Lightweight Containers
Why containers on embedded and IoT devices?
● Modern Deployment workflow
● Isolation of Apps
● Allow Virtualization of some Resources with less overhead
Examples:
Resin OS - An Embedded Linux tailored for Containers
Resin OS uses Yocto and supports many embedded devices and boards
Linux containers:
● A better develop-and-ship workflow
● Isolate Apps and their resources
● Sandbox mechanism
Disadvantages for embedded Linux:
● A container format?
● Use a lot of Linux technologies?
● Over-engineered? (Contain hacks?)
● Heavy, too many processes
Containers ecosystem comparison (table)
Source: https://coreos.com/rkt/docs/latest/rkt-vs-other-projects.html
Solution for embedded Linux?
systemd Portable Services/Apps or lightweight containers
systemd Portable Apps/Lightweight Containers
Why systemd in embedded Linux?
● Resource management?
● More than three Apps running?
● Integrated watchdog support?
● Socket activation - run Apps on demand?
● Logging?
● Easy App sandboxing?
If the answer is no, maybe a simple init + a minimal sandbox tool is enough
Diagram: in embedded, systemd directly supervises a contained App and several Portable Apps. A Portable App ships with its dependencies + a sandbox mechanism, without systemd-nspawn.
systemd Portable Apps/lightweight containers:
● For now only Linux mount namespaces: cheap
● Network namespaces are used to disconnect / block network access
Advantages:
● All Apps are able to work in mount namespaces
● No need to adapt or package your App using a specific format
● Avoids container managers' complexity and hacks
● Avoids abusing other Linux features to work around other misbehaviour
systemd Sandbox Model
File system sandbox:
RootImage= root filesystem image of the App
PrivateDevices= private /dev without physical devices
BindPaths=, BindReadOnlyPaths= make selected host files available inside the sandbox, e.g. the /dev watchdog device!
User privileges sandbox:
DynamicUser= run Apps under a different user (Unix UID/GID). The UID is allocated dynamically and released on stop, allowing IoT devices to follow the Android model: each App is executed under a different user.
NoNewPrivileges= no new privileges through execve().
Network sandbox:
PrivateNetwork= disconnects the App from the network (no Internet access)
IPAddressDeny= all traffic from and to this address/mask will be blocked.
IPAddressAllow= the whitelist of permitted IP addresses/network masks.
To block raw packets (AF_PACKET): RestrictAddressFamilies=~AF_PACKET (blacklisting mode).
Kernel attack surface reduction:
RestrictNamespaces= restricts access to Linux namespaces
ProtectKernelTunables= blocks tuning kernel parameters: /proc and /sys are read-only.
ProtectKernelModules= blocks Apps from explicitly loading or unloading modules.
SystemCallFilter= seccomp system call filtering:
"@reboot" blocks all reboot-related system calls.
"@module" blocks all kernel module system calls.
"@mount" blocks all file system mount and umount system calls.
All of this is opt-in.
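The directives from these three sandbox slides combined into one service unit, as an added example that is neither the talk's nor systemd's own code; the app name sensor-app, the image path and the allow-listed 192.168.0.0/16 network are constructed placeholders. Because everything is opt-in, the block also includes a small audit that lists which of the directives a given unit does not set.

```shell
#!/bin/sh
# Added example, not from the talk or from systemd: write a service unit that
# opts into the sandbox directives of the three slides above, and audit any
# unit for the ones it lacks. The app name, image path and the 192.168.0.0/16
# allow-list are constructed placeholders.

# write_sandbox_unit NAME IMAGE DIR: write DIR/NAME.service for a portable
# app whose root filesystem is the image IMAGE.
write_sandbox_unit() {
    name=$1; image=$2; dir=$3
    cat > "$dir/$name.service" <<EOF
[Unit]
Description=$name (sandboxed portable app)

[Service]
ExecStart=/usr/bin/$name
# File system sandbox: own root image, private /dev, plus the watchdog device
RootImage=$image
PrivateDevices=yes
BindPaths=/dev/watchdog
# User privileges sandbox: transient UID/GID per app, no setuid escalation
DynamicUser=yes
NoNewPrivileges=yes
# Network sandbox: deny all traffic, allow the local network only, no raw sockets
IPAddressDeny=any
IPAddressAllow=192.168.0.0/16
RestrictAddressFamilies=~AF_PACKET
# Kernel attack surface reduction: the three syscall groups from the slides are denied
RestrictNamespaces=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
SystemCallFilter=~@reboot @module @mount

[Install]
WantedBy=multi-user.target
EOF
}

# write_plain_unit NAME DIR: the same app with no sandboxing, for comparison.
write_plain_unit() {
    printf '[Service]\nExecStart=/usr/bin/%s\n' "$1" > "$2/$1.service"
}

# Directives every app unit should set (keys only; values are per app).
SANDBOX_KEYS='RootImage PrivateDevices DynamicUser NoNewPrivileges IPAddressDeny
RestrictAddressFamilies RestrictNamespaces ProtectKernelTunables
ProtectKernelModules SystemCallFilter'

# audit_unit FILE: print "missing KEY=" for each directive FILE does not set.
audit_unit() {
    for key in $SANDBOX_KEYS; do
        grep -q "^$key=" "$1" || printf 'missing %s=\n' "$key"
    done
}

# missing_count FILE: number of missing directives (0 == fully opted in).
missing_count() { audit_unit "$1" | grep -c . || true; }

dir=$(mktemp -d)
write_plain_unit sensor-app "$dir"
echo "plain unit:"; audit_unit "$dir/sensor-app.service"
write_sandbox_unit sensor-app /var/lib/apps/sensor-app.raw "$dir"
echo "sandboxed unit, missing directives: $(missing_count "$dir/sensor-app.service")"
rm -rf "$dir"
```

On a target with systemd installed, `systemd-analyze security NAME.service` gives the same kind of per-directive exposure report for a deployed unit.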
systemd Sandbox Model - Future
● systemd needs to adapt:
it was intended for experienced service developers and SysVinit experts;
today's users are more familiar with containers and Apps.
● New sandbox mechanism for contained Apps - a new runtime mode? Abstracted permissions such as:
ACCESS_INTERNET, PRIVILEGED_ACCESS_INTERNET
ADMIN_SYSTEM_TIME, ADMIN_SYSTEM_TIME_ZONE
ADMIN_SYSTEM_MANAGER, ADMIN_SYSTEM_NETWORK
https://github.com/systemd/systemd/pull/6963
● New sandbox mechanism for contained Apps - a new runtime mode?
Seccomp policy mutation:
"@privileged", "@container", "@basic" and "@default" groups
+ Linux capabilities + abstracted permissions
https://github.com/systemd/systemd/pull/6963
● systemd needs better integration into embedded and IoT devices
● More user-friendly features
Software Update Mechanisms - OTA Update
● IoT devices are exposed to the Internet
BrickerBot reports say that it damaged > 2,000,000 IoT devices
No complex 0-day vulnerability exploit was needed
Fix: it only needed a configuration update to close telnet!?
● Robust embedded and IoT devices have to support a software update mechanism, to:
fix development bugs
fix known and unknown vulnerabilities
Requirements:
● Secure: TLS, supports image signing
● Atomic update support - usually a switch from A to B
● Ability to fall back on update failures
● Etc.
Mechanisms:
● Dual root partition: A/B
● Other approaches based on App/container update: Resin OS
Mechanisms:
● Dual root partition: A/B
● Two file system images:
boot A;
when there is an update, download the delta;
A serves as the reference for building B;
write B;
switch boot to B.
● Work in progress: casync to stream updates - block layer support
● Traditional tools: xdelta/VCDIFF
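The A/B sequence above as a runnable model, added here and not taken from the talk or from any updater project: slots and the boot selection are files in a temporary directory, the digest check stands in for image signature verification, and the full image is written in place of applying a delta. It shows the two properties the requirements slide asks for: the switch is atomic and happens only after verification, and a slot that keeps failing its health check is rolled back.

```shell
#!/bin/sh
# Added example, not from the talk or from any updater project: a minimal
# model of the A/B dual root partition update above, with the atomic switch
# and the fallback on failure. Slots are files under a directory, the image
# is a text blob, and the delta step is simplified to writing the full
# image (a real updater applies an xdelta/VCDIFF or casync delta against A).

MAX_ATTEMPTS=3   # failed boots tolerated before falling back to the old slot

# active_slot DIR: the slot the boot loader will boot next (A or B)
active_slot() { cat "$1/boot.current"; }

# inactive_slot DIR: the other slot, where an update is written
inactive_slot() {
    case "$(active_slot "$1")" in A) echo B ;; B) echo A ;; *) return 1 ;; esac
}

# sha256_of: hex digest of stdin (sha256sum on Linux, shasum elsewhere)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
        cut -d' ' -f1
}

# init_device DIR IMAGE: "flash" IMAGE into slot A and boot from it
init_device() {
    mkdir -p "$1"
    printf '%s' "$2" > "$1/slot_A.img"
    : > "$1/slot_B.img"
    printf 'A' > "$1/boot.current"
    printf '0' > "$1/boot.attempts"
}

# apply_update DIR IMAGE EXPECTED_SHA256: write IMAGE into the inactive slot,
# verify it (the digest stands in for image signature verification) and only
# then switch the boot selection. On mismatch the running slot is untouched.
apply_update() {
    dir=$1; target=$(inactive_slot "$dir") || return 1
    printf '%s' "$2" > "$dir/slot_$target.img"
    if [ "$(sha256_of < "$dir/slot_$target.img")" != "$3" ]; then
        echo "update rejected: digest mismatch, staying on slot $(active_slot "$dir")" >&2
        : > "$dir/slot_$target.img"
        return 1
    fi
    # The boot selection is one small file replaced with rename(2): a reader
    # sees either the old value or the new one, never a half-written one.
    active_slot "$dir" > "$dir/boot.previous"
    printf '%s' "$target" > "$dir/boot.current.tmp"
    mv -f "$dir/boot.current.tmp" "$dir/boot.current"
    printf '0' > "$dir/boot.attempts"
}

# boot DIR HEALTH_CMD: simulate one boot of the active slot. HEALTH_CMD is
# run on the slot image; after MAX_ATTEMPTS consecutive failures the boot
# loader reverts to the previous slot. Prints the slot marked bootable after
# this attempt.
boot() {
    dir=$1; slot=$(active_slot "$dir")
    if "$2" "$dir/slot_$slot.img"; then
        printf '0' > "$dir/boot.attempts"          # healthy: confirm the slot
    else
        n=$(( $(cat "$dir/boot.attempts") + 1 ))
        printf '%s' "$n" > "$dir/boot.attempts"
        if [ "$n" -ge "$MAX_ATTEMPTS" ] && [ -s "$dir/boot.previous" ]; then
            mv -f "$dir/boot.previous" "$dir/boot.current"   # fall back
            printf '0' > "$dir/boot.attempts"
        fi
    fi
    active_slot "$dir"
}

# image_healthy FILE: stand-in health check, the image must contain HEALTHY
image_healthy() { grep -q 'HEALTHY' "$1"; }

dev=$(mktemp -d)
init_device "$dev" "rootfs v1 HEALTHY"
apply_update "$dev" "rootfs v2 TAMPERED" "$(printf '%s' "rootfs v2 HEALTHY" | sha256_of)" ||
    echo "still on slot $(active_slot "$dev")"
apply_update "$dev" "rootfs v2 HEALTHY" "$(printf '%s' "rootfs v2 HEALTHY" | sha256_of)"
echo "booted slot $(boot "$dev" image_healthy)"
rm -rf "$dev"
```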
Ready solutions compatible with Yocto:
● Mender.io: open source tool for updating your embedded devices safely and reliably
New:
● rauc: safe and secure
Others:
● Resin OS updater
Challenges
Adoption?
All this is already in Yocto!
Thanks to
Daniel Mack and Lennart Poettering
Questions?
Feel free to contact me about topics: tixxdz@gmail.com
Djalal Harouni

Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
Infosec train
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
Integrating Physical and Cybersecurity to Lower Risks in Healthcare!
Integrating Physical and Cybersecurity to Lower Risks in Healthcare!Integrating Physical and Cybersecurity to Lower Risks in Healthcare!
Integrating Physical and Cybersecurity to Lower Risks in Healthcare!
Alec Kassir cozmozone
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 

Recently uploaded (14)

Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
Integrating Physical and Cybersecurity to Lower Risks in Healthcare!
Integrating Physical and Cybersecurity to Lower Risks in Healthcare!Integrating Physical and Cybersecurity to Lower Risks in Healthcare!
Integrating Physical and Cybersecurity to Lower Risks in Healthcare!
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 

Modern IoT and Embedded Linux Deployment - Berlin

  • 1. Modern Deployment for Embedded Linux and IoT
    All Systems Go! 2017 October 21-22, Berlin
    Djalal Harouni @tixxdz, tixxdz@gmail.com
  • 2. Agenda
    ● Background
    ● Embedded Linux and IoT Security
    ● Kernel Hardening and Kernel Self Protection Project
    ● Lightweight Containers
    ● systemd Sandbox Model
    ● Software Update Mechanisms
    ● Challenges
  • 3. Background
  • 4. Background: Embedded Linux or Linux-based IoT devices
    ● Today, Linux is everywhere
    ● Most of us have at least 3 or 4 Linux-based devices
    ● By IoT we mean devices that run Linux: smart gateways, IoT devices connected to the internet, etc.
  • 5. Background: Embedded Linux Apps
    ● Some Embedded Linux Apps look more like PC Apps
    ● Big-Data Science fields and IoT devices are driving engineers and programmers to do more embedded programming
    ● JavaScript, node.js, golang, etc. are being used to deploy Apps
    Note: most of these developers are new to, or won't care about, the lower layers. The lower layers or system layers are hard and expensive.
  • 6. Embedded Linux and IoT Security
  • 7. Embedded Linux and IoT Security: Embedded Linux System (diagram)
    Layers, bottom to top: Hardware (Board) / Linux OS / Root Filesystem (userspace) / Apps. Linux OS + Root Filesystem = Runtime (Yocto Layers); Apps = Value.
    Runtime:
    ● Open Source
    ● +hardware +Apps == Use Case
    ● Defines the security dimensions
    ● Large
    ● Can be updated
  • 8. Embedded Linux and IoT Security: Embedded Linux - Runtime
    ● Constitutes most of the code: complex
    ● Runs with higher privileges:
      Kernel and third-party drivers run in CPU/hardware privileged mode
      Userspace runs in CPU user mode, with higher software privileges
      Apps on top are not sandboxed
    ● No planned Software Update mechanism (or not a perfect one)
  • 9. Embedded Linux and IoT Security: Bugs and Vulnerabilities lifetime
    Analysis by Kees Cook on the Ubuntu CVE tracker, 2011-2016:
      Critical: 3 @ 5.3 years
      High: 59 @ 6.4 years
      Medium: 534 @ 5.6 years
      Low: 273 @ 5.6 years
    Source: https://outflux.net/blog/archives/2016/10/20/cve-2016-519
    Note: numbers from the Ubuntu CVE tracker; most of them were patched
  • 10. Embedded Linux and IoT Security: Bugs and Vulnerabilities lifetime
    By Kees Cook: https://outflux.net/blog/archives/2016/10/18/security-bug-lifetime/
  • 11. Embedded Linux and IoT Security: Embedded Linux - Android - Kernel Vulnerabilities
    ● The user space <==> kernel space boundary is abused or misused: copy_from_user() / copy_to_user()
    "Since 2014, missing or invalid bounds checking has caused about 45% of Android's kernel vulnerabilities." by Sami Tolvanen, Android Security
    Source: https://android-developers.googleblog.com/2017/08/hardening-kernel-in-android-oreo.html
  • 12. Embedded Linux and IoT Security: Embedded Linux - Vulnerabilities
    BrickerBot targets cameras, DVRs, and IoT devices with busybox telnet
    Pictures from an https://arstechnica.com article
  • 13. Embedded Linux and IoT Security: Modern Deployment of Embedded Linux and IoT
    Or: How to secure your Linux-based IoT devices
    Or: How to keep your devices alive
  • 14. Kernel Hardening and Kernel Self Protection Project (KSPP logo)
  • 15. Kernel Hardening and KSPP
    Kernel Hardening:
    ● Access Control and Linux Security Modules
    ● Protecting User Space
    Kernel Self Protection Project, more than that:
    ● The Linux kernel's ability to protect itself
    ● Reduce the kernel attack surface
    ● Managed by Kees Cook and a lot of contributors: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
  • 16. Kernel Self Protection Project
    Attacks and Exploits:
    ● Use multiple bugs and vulnerabilities
    ● Need to know the target, memory layout, etc.
    Objectives:
    ● Eliminate or reduce exploitation targets and methods
    ● Eliminate or reduce information leaks
    ● Modify and adopt some features from the grsecurity/PaX patches
  • 17. Kernel Self Protection Project: Embedded Linux Security - Kernel Protections
    ● CONFIG_HARDENED_USERCOPY: performs extra size checks on user copy
    ● CONFIG_FORTIFY_SOURCE: checks string memory at compile time or runtime
    ● CONFIG_STRICT_KERNEL_RWX: makes kernel text and rodata read-only; the kernel version of W^X
    ● CONFIG_STRICT_DEVMEM=y and CONFIG_IO_STRICT_DEVMEM=y: restrict physical memory access
    ● CONFIG_SECCOMP=y and CONFIG_SECCOMP_FILTER=y: allow userspace to reduce the attack surface
    ● STATIC_USERMODEHELPER=y: force all usermode helper calls through a single binary
  • 18. Kernel Self Protection Project: Embedded Linux Security - Kernel Protections
    ● CONFIG_DEFAULT_MMAP_MIN_ADDR=32768: disallow allocating the first 32k of memory
    ● CONFIG_CPU_SW_DOMAIN_PAN=y: enable PXN/PAN emulation, protect the kernel from executing user space memory
    Guide: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
  • 19. Kernel Self Protection Project: Our Work in Progress
    Modernization of the proc file system - eliminate information leaks
    ● Each new /proc mount will be a totally separate instance
    ● Ability to hide processes without PID namespaces (saves resources)
    ● No kernel data or other files in /proc, only /proc/<pids>/ (by Alexey Gladkov)
    ● Reduce the /proc burden on other security and Linux features
    Development branch: https://github.com/legionus/linux/commits/pidfs-v4
    By Djalal Harouni and Alexey Gladkov, with feedback from Andy Lutomirski
  • 20. Kernel Self Protection Project: Our Work in Progress
    Automatic Module Loading Protection - reduce the kernel attack surface
    ● Will block auto-loading of vulnerable drivers or modules:
      The 11-year-old DCCP double free vulnerability CVE-2017-6074 (root exploit)
      kernel: local privilege escalation in the XFRM framework CVE-2017-7184 (owned Ubuntu)
    ● Enabled by a global sysctl switch or a per-process tree flag
    ● Embedded systems should reduce the ability to load modules at all
    V4: https://lkml.org/lkml/2017/5/22/312, V5 soon.
    By Djalal Harouni, with feedback from Andy Lutomirski, Kees Cook, Solar Designer and others.
  • 21. Kernel Self Protection Project: Our Work in Progress
    Generalize the Yama Linux Security Module behaviour
    ● Yama blocks processes from controlling other processes (origin: grsecurity)
    ● A sysctl flag is used to control Yama
    Future:
    ● Generalize Yama's simple behaviour to other interfaces and system calls
    ● A global sysctl flag or a per-process tree flag for sandboxes
    ● No policy, for easy integration with Yocto and embedded devices
  • 22. Linux Containers or Lightweight Containers
  • 23. Lightweight Containers: Why containers on embedded and IoT devices?
    ● Modern deployment workflow
    ● Isolation of Apps
    ● Allow virtualization of some resources with less overhead
    Examples: Resin OS - an Embedded Linux tailored for containers. Resin OS uses Yocto and supports many embedded devices and boards.
  • 24. Lightweight Containers: Linux Containers
    ● A better develop-and-ship workflow
    ● Isolate Apps and their resources
    ● Sandbox mechanism
    Disadvantages for Embedded Linux:
    ● A container format?
    ● Use a lot of Linux technologies?
    ● Over-engineered? (contain hacks?)
    ● Heavy, too many processes
  • 25. Lightweight Containers: Containers Ecosystem Comparison
    Source: https://coreos.com/rkt/docs/latest/rkt-vs-other-projects.html
  • 26. Lightweight Containers: Solution for Embedded Linux?
    systemd Portable Services/Apps or Lightweight Containers
  • 27. systemd Portable Apps/Lightweight Containers: Why systemd in Embedded Linux?
    ● Resource management?
    ● More than three Apps running?
    ● Integrated watchdog support?
    ● Socket activation - run Apps on demand?
    ● Logging?
    ● Easy App sandboxing?
    If no, maybe a simple init + a minimal sandbox tool
  • 28. systemd Portable Apps/Lightweight Containers: In Embedded (diagram)
    systemd runs Contained Apps / Portable Apps directly: each Portable App with its dependencies + Sandbox Mechanism, without systemd-nspawn
  • 29. systemd Portable Apps/Lightweight Containers
    systemd portable Apps/Lightweight Containers:
    ● For now only Linux mount namespaces - cheap
    ● Network namespaces used to disconnect / block network access
    Advantages:
    ● All Apps are able to work in mount namespaces
    ● No need to adapt or package your App using a specific format
    ● Avoids the complexity and hacks of container managers
    ● Avoids abusing other Linux features to work around other misbehaviour
  • 30. systemd Sandbox Model
  • 31. systemd Sandbox Model
    File system sandbox:
    ● RootImage= root filesystem of the App
    ● PrivateDevices= private /dev without physical devices
    ● BindPaths=, BindReadOnlyPaths= make files available, e.g. make /dev/watchdog available inside the sandbox!
    User privileges sandbox:
    ● DynamicUser= run Apps under a different user (Unix UID/GID). The UID is allocated dynamically and released on stop. Allows IoT devices to follow the Android model: each App is executed under a different user.
    ● NoNewPrivileges= no new privileges through execve().
  • 32. systemd Sandbox Model
    Network sandbox:
    ● PrivateNetwork= disconnect internet access
    ● IPAddressDeny= all traffic from and to this address/mask will be blocked
    ● IPAddressAllow= the whitelist or permitted IP address/network mask list
    ● To block raw packets (AF_PACKET): RestrictAddressFamilies=~AF_PACKET (blacklisting mode)
  • 33. systemd Sandbox Model
    Kernel attack surface reduction:
    ● RestrictNamespaces= restrict access to Linux namespaces
    ● ProtectKernelTunables= blocks tuning kernel parameters; /proc and /sys read-only
    ● ProtectKernelModules= blocks Apps from explicitly loading or unloading modules
    ● SystemCallFilter= seccomp system call filtering:
      "@reboot" blocks all reboot-related system calls
      "@module" blocks all kernel module system calls
      "@mount" blocks all file system mount and umount system calls
    All this is opt-in
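The directives from slides 31-33 combined into one unit for a hypothetical "sensor-agent" App, as an added example that is not part of the talk or of systemd's own documentation; the binary, the image path, the config file, the watchdog interval and the 10.0.0.0/8 gateway range are constructed placeholders, and IPAddressAllow=/IPAddressDeny= assume systemd 235 or later on the unified cgroup hierarchy.

```ini
# Added example (not from the talk): /etc/systemd/system/sensor-agent.service
# All names and paths below are constructed placeholders.
[Unit]
Description=Sensor agent as a sandboxed systemd portable App

[Service]
ExecStart=/usr/bin/sensor-agent
# Integrated watchdog: the App must report READY=1 and then WATCHDOG=1 via
# sd_notify() at least every 30s, otherwise systemd restarts it
Type=notify
WatchdogSec=30s
Restart=on-failure

# --- File system sandbox (slide 31) ---
# The App and its dependencies live in their own root file system image
RootImage=/var/lib/portable/sensor-agent.raw
# Private /dev without physical devices, then bind only the watchdog node
# back in; PrivateDevices= implies DevicePolicy=closed, so the device cgroup
# must also be told to allow it
PrivateDevices=yes
BindPaths=/dev/watchdog
DeviceAllow=/dev/watchdog rw
# Host-provided configuration, read-only below the image root
BindReadOnlyPaths=/etc/sensor-agent.conf

# --- User privileges sandbox (slide 31) ---
# Android model: a dynamic per-App UID/GID, released when the service stops
DynamicUser=yes
NoNewPrivileges=yes
# The App needs no capabilities at all; an empty bounding set drops everything
CapabilityBoundingSet=

# --- Network sandbox (slide 32) ---
# PrivateNetwork=yes would cut the App off completely; instead it may only
# talk to the local gateway subnet, all other traffic is dropped by the
# cgroup-level filter
IPAddressDeny=any
IPAddressAllow=10.0.0.0/8
# Whitelisting mode: AF_PACKET (raw sockets) is implicitly unavailable
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# --- Kernel attack surface reduction (slide 33) ---
RestrictNamespaces=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# Blacklist the reboot, module and mount system call groups with seccomp
SystemCallFilter=~@reboot @module @mount
# Native ABI only: a 32-bit compat syscall path is not reachable on a
# 64-bit kernel
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

`systemd-analyze verify sensor-agent.service` checks the unit for syntax errors; on systemd 240 or later, `systemd-analyze security sensor-agent.service` scores the exposure that remains after these directives.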
  • 34. systemd Sandbox Model - Future
    ● systemd needs to adapt: it was intended for experienced service developers and SysVinit experts. Today users are more familiar with containers and Apps.
    ● New sandbox mechanism for contained Apps - a new runtime mode?
      ACCESS_INTERNET, PRIVILEGED_ACCESS_INTERNET
      ADMIN_SYSTEM_TIME, ADMIN_SYSTEM_TIME_ZONE
      ADMIN_SYSTEM_MANAGER, ADMIN_SYSTEM_NETWORK
      https://github.com/systemd/systemd/pull/6963
  • 35. systemd Sandbox Model - Future
    ● New sandbox mechanism for contained Apps - a new runtime mode?
      Seccomp policy mutation: "@privileged", "@container", "@basic" and "@default" groups + Linux capabilities + abstracted permissions
      https://github.com/systemd/systemd/pull/6963
    ● systemd needs better integration into embedded and IoT devices
    ● More user-friendly features
  • 36. Software Update Mechanisms
  • 37. Software Update Mechanisms - OTA Update
    ● IoT devices are exposed to the internet
      BrickerBot reports say that it damaged > 2.000.000 IoT devices
      No complex 0-day vulnerability exploit
      Fix: it only needed a configuration update to close telnet!?
    ● Robust embedded and IoT devices have to support a Software Update Mechanism
      Fix development bugs
      Fix known and unknown vulnerabilities
  • 38. Software Update Mechanisms - OTA Update
    Requirements:
    ● Secure: TLS, supports image signing
    ● Atomic update support - usually switch from A to B
    ● Ability to fall back on update failures
    ● Etc.
    Mechanisms:
    ● Dual root partition: A/B
    ● Other approaches based on App/container update: Resin OS
  • 39. Software Update Mechanisms - OTA Update
    Mechanisms:
    ● Dual root partition: A/B
    ● Two file system images:
      Boot A
      There is an update - download the delta (A is the reference for B)
      Write B
      Switch boot
    ● Work in progress: casync to stream updates - block layer support
    ● Traditional tools: xdelta/VCDIFF
  • 40. Software Update Mechanisms - OTA Update
    Ready solutions compatible with Yocto:
    ● Mender.io: open source tool for updating your embedded devices safely and reliably
    New:
    ● rauc: safe and secure
    Others:
    ● Resin OS updater
  • 41. Challenges
  • 42. Challenges: Adoption? All this is already in Yocto!
  • 43. Thanks to Daniel Mack and Lennart Poettering
  • 44. Questions? Feel free to contact me about these topics: tixxdz@gmail.com, Djalal Harouni