LE
Uploaded byLF Events
PDF, PPTX2,751 views

Secure IOT Gateway

LinuxCon Tokyo 2016 focused on developing secure IoT gateways. The presentation discussed gateway architecture choices like ARM and x86 processors. Connectivity options for sensors like Bluetooth and WiFi were also covered. Security is a major concern, and the talk evaluated both reactive measures like intrusion detection and proactive approaches like mandatory access control. Maintaining gateways over long product lifecycles requires techniques like live kernel patching and signed over-the-air updates to securely deploy upgrades. Embedded Linux provides a robust software platform for building reliable and secure IoT gateways.

Technology
Related topics:
Internet of Things

Embed presentation

Download as PDF, PPTX
LinuxCon Tokyo, Japan 2016 Secure IoT Gateway Jim Gallagher Senior Technical Marketing Lead, MontaVista Software
Setting the Stage • This presentation will focus on developing Secure Gateways (Edge Computing & Connectivity) in the IoT Architecutre • Primarily discussion will be on Architecture, Security, and Maintainence features Sensors Gateway Cloud/Database & Analytics Applications L i n u x
Agenda Architecture Connectivity Security Maintainability Summary and Q&A
Architecture: Modern vs Wild West
Architecture choices Embedded processor considerations: – Processor family • ARM • Intel x86 • PowerPC and MIPS possible but not as popular – Power consumption • ARM: low power, advanced PM features • Intel x86: limited PM options
Architecture choices (ctd) Embedded processor considerations: – Performance • ARM: Good core performance on lower Ghz • Intel x86: ”Add Ghz -> more perf” – Optimizations • Security offload • Virtualization – Deployment model • SOC model vs. ”generic compute” • Longevity?
Ecosystem  Intel vs. ARM really • PPC and MIPS thin and fading ecosystem • Ubuntu, Fedora, Debian, OpenSUSE, MontaVista, WindRiver, and Enea all have/will have x86 and ARM support for mainstream distros • LINARO (ARM lead)  Yocto project (Intel lead) • Consolidate embedded development on OE/bitbake
Connectivity
Sensors, Sensors everywhere!  Simple sensor data drives the IoT engine • Fitness trackers, heart monitors, oil and pressure temperature gauges, & packet latency in SDN Gateway L i n u x  What connects them • Wireless: Bluetooth, Wi-fi, Cellular Modem, (3G/4G/5G), Zigbee, & 6loPAN • The bus lineup: Canbus, Profibus, & Modbus • Serial, SPI, I2C • Near Field Communication (NFC) • Prioprietary  Implications • Selected architecture must support (directly or USB/PCI) ALL • Drivers as well...possible port from different architecture • Enough performance • Maintain versions • Brace for the new
To the Cloud  Data from sensors is the lifeblood of IoT • Connects to cloud or database • Gateways can filter/preprocess data • Push must be secure (encrypted and authenticated) • Connectivity is bi-redirectional so IoT Gateway must be secure from the cloud  IoTivity  Community framework to connect end devices  Alljoyn Open Source Framework  Connect and communicate across transports/OSes
Security
Recent Real-World Examples • DHS confirms Public Sector Control system hacked – Attacking inadequate perimeter security, an attacker could compromise the SCADA system with capability to inject commands and read data at will – The controlled device was brought down for maintenance so no damage done • Boeing and Airbus – Hacker used in-flight Wi-Fi connection to hack into flight control systems – Allegedly controlled thrust for engines, oxygen mask deployment, etc. • Drones – Johns Hopkins University research demonstrated 3 different ways to send unwanted commands – Could force drones to land or just crash • Personal vehicles – Jeep hacked through navigation and Corvette hacked by SMS – Activate wipers, apply brakes, disable engine & brakes
Design Considerations • Building security primarily in the Gateway? – Edge devices are constrained on hardened channel – Requires encryption for the channel and two-way authentication for setup • Trusted edge vs. Edge Computing - two polars? – Moving computing to the edge can help build end-to- end efficiency, but requires edge and gateway devices to handle the security – Can also be seen as a way to fence out security threats for some layers of the processing so they cannot be exploited from the Cloud • Lifecycle: secure firmware updates and CVEs – The Edge is relying on the IT-supported backend to handle the updates, requires careful consideration for the technology and process • Provide monitoring for end-to-end data on the Gateway – Using DPI for heuristics- based detection of exploits • Combining types of security: physical, networking, system integrity and isolation of domains Architectural Functional
IoT Platform Virtualization & Security vTPM Guest VM Container Openflow DPDK LXC/Docker KVM EMBEDDED LINUX SELinux / sVirt Application Application Hardware Platform LXC/Docker Application 3rd Party Container Monitoring / Auditing Bootloader TPM (x86) Root of Trust CVEFixes and-Maintenance Network Security - IPSec HW offload - Policy Configuration Live Patching Policy Configuration based on System Requirements TrustZone (ARM) DPDK FIPS
Types of Security Measures • Reactive Measures – Common Vulnerabilities and Exposures (CVEs) • https://cve.mitre.org/ • The standard list for holes in common systems • Very important to cover the affected parts in your product; MontaVista will do this for you – Intrusion-detection systems • Take action based on perceived attack • Several systems exist for Linux (LIDS, auditd, inotify, tripwire..) – Auditing and logging • Knowing you’ve been attacked prevents further damage • Collect evidence for litigation against the attacker • Example tools: Auditd, syslog, inotify, SELinux.. • Proactive Measures – Mandatory Access Control (MAC) • Minimizes the damage that unknown exploits can do to your system • Increases the chances to block 0-day exploits (unknown vulnerabilities) – System Certification • Provide Common Criteria or similar certification for your product or platform • MontaVista’s Linux is certifiable and we can help with the process – Root of Trust
• Full featured and lightweight virtualization solutions Embedded Linux Container Core Isolation Application LXC/Docker Container Application KVM Application OS Guest VM  KVM Full virtualization  Docker Application containers  LXC Full-system Containers  Core Isolation Dataplane and RT applications Virtualization Technology for Isolation
• Make Security a Priority • Implement Mixture – Reactive – Proactive • Stay Current
Maintenance
IoT Maintainability Requirements • Product life cycle support • Ability to upgrade application, kernel, drivers, userland, or whole system • Upgrades done with little to no “human” interaction and downtime – Wireless delivery • Secure updates – Authentication – Encryption
Addressing IoT Maintenance with Linux • Long Term Support (LTS) Kernel – Can be extended beyond 10+ years in commercial Linux distributions • SMART package manager – Allows for source or binary distribution – Flexible to update userland, application, etc. • Live kernel patching • Crypto API support • Trusted Platform Module (TPM) and TrustZone for secure OTA updates
IoT: Signed OTA Updates • IoT devices and Gateways have embedded requirements for small footprint but still a very high demand for security • The process relies on the Kernel Live Patches, RPMs, or Container images being hashed and signed by a certificate that can be validated by the TPM or TEE on the target system if necessary – Can also support two-way signatures by using standard RPM signing using GPG keys, potentially enforced by the server-side TPM. • Such processes are adopted by OSVs like Symantec, Redbend and practically all product manufacturers that are concerned about running trusted/secure SW on the devices. • Without secure updates, the integrity of the platform cannot be maintained. ServerDevice Decrypt and verify signature Update Data Generate, Sign and Encrypt Host OS Update Data Pubkey- TPM SecKey- Host PubKey- Host SecKey- TPM Deliver update • RPM / deb / IPK • Docker, VM image • Kernel (Live) Patch TPM TPM/TEE SDK Linux Linux
Summary • Embedded Linux offers solid software platform to IoT Gateway developers – Architecture – Connectivity • Security is IMPORTANT to implement • High uptime maintainability
Thank You Questions/Discussion jgallagher@mvista.com

More Related Content

PPTX
Introduction to IoT Security
byCAS
 
PDF
IoT Security
byNarudom Roongsiriwong, CISSP
 
PPTX
Internet of things using Raspberry Pi
byYash Gajera
 
PPTX
Network monitoring system
byMyPresentations Services
 
PPTX
Components of IOT Implementation
byAashiq Ahamed N
 
PPTX
Web servers for the Internet of Things
byAlexandru Radovici
 
PPTX
Lecture 10 intruders
byrajakhurram
 
PPT
Intrusion Detection Systems and Intrusion Prevention Systems
byCleverence Kombe
 
Introduction to IoT Security
byCAS
 
IoT Security
byNarudom Roongsiriwong, CISSP
 
Internet of things using Raspberry Pi
byYash Gajera
 
Network monitoring system
byMyPresentations Services
 
Components of IOT Implementation
byAashiq Ahamed N
 
Web servers for the Internet of Things
byAlexandru Radovici
 
Lecture 10 intruders
byrajakhurram
 
Intrusion Detection Systems and Intrusion Prevention Systems
byCleverence Kombe
 

What's hot

PPT
Intrusion detection system ppt
bySheetal Verma
 
PPTX
Dhcp ppt
byHema Dhariwal
 
PPTX
Intrusion Detection System(IDS)
byshraddha_b
 
PPTX
Intrusion detection
byCAS
 
PPTX
MQTT IOT Protocol Introduction
byPrem Sanil
 
PPTX
Sdn ppt
byPallavi Chhikara
 
PPTX
Vulnerability assessment and penetration testing
byAbu Sadat Mohammed Yasin
 
PPT
Chapter 5 Planning for Security-students.ppt
byShruthi48
 
PPTX
1. Introduction to IoT
byAbhishek Das
 
PPTX
ip security
byChirag Patel
 
PDF
Cisco Router Basic Configuration
byProf. Erwin Globio
 
PPT
Network management
byMohd Arif
 
PDF
LoRaWAN in Depth
byAPNIC
 
PPTX
Network Layer
byDr Shashikant Athawale
 
PDF
IoT & M2M.pdf
byGVNSK Sravya
 
PDF
IoT Security Elements
byEurotech
 
PPTX
Bgp protocol
bySmriti Tikoo
 
PPTX
IPv4 Addressing
byTheGodfather HA
 
PPTX
OSI Security Architecture
byuniversity of education,Lahore
 
PPTX
Intrusion detection and prevention system
byNikhil Raj
 
Intrusion detection system ppt
bySheetal Verma
 
Dhcp ppt
byHema Dhariwal
 
Intrusion Detection System(IDS)
byshraddha_b
 
Intrusion detection
byCAS
 
MQTT IOT Protocol Introduction
byPrem Sanil
 
Sdn ppt
byPallavi Chhikara
 
Vulnerability assessment and penetration testing
byAbu Sadat Mohammed Yasin
 
Chapter 5 Planning for Security-students.ppt
byShruthi48
 
1. Introduction to IoT
byAbhishek Das
 
ip security
byChirag Patel
 
Cisco Router Basic Configuration
byProf. Erwin Globio
 
Network management
byMohd Arif
 
LoRaWAN in Depth
byAPNIC
 
Network Layer
byDr Shashikant Athawale
 
IoT & M2M.pdf
byGVNSK Sravya
 
IoT Security Elements
byEurotech
 
Bgp protocol
bySmriti Tikoo
 
IPv4 Addressing
byTheGodfather HA
 
OSI Security Architecture
byuniversity of education,Lahore
 
Intrusion detection and prevention system
byNikhil Raj
 

Viewers also liked

ODP
Using open source for IoT
byIan Skerrett
 
PDF
Iot gateways march 2015
bysgadgil2002
 
PDF
Open source IoT gateway
byHenryk Konsek
 
PDF
Simplify Internet of Things with an Intelligent Gateway
byEurotech
 
PDF
Internet of Things - Advantech IoT Gateway Starter Kit
byAdvantech Europe E-IOT Business Group
 
PDF
Kura M2M IoT Gateway
byEurotech
 
Using open source for IoT
byIan Skerrett
 
Iot gateways march 2015
bysgadgil2002
 
Open source IoT gateway
byHenryk Konsek
 
Simplify Internet of Things with an Intelligent Gateway
byEurotech
 
Internet of Things - Advantech IoT Gateway Starter Kit
byAdvantech Europe E-IOT Business Group
 
Kura M2M IoT Gateway
byEurotech
 

Similar to Secure IOT Gateway

PDF
Iot development from prototype to production
byMender.io
 
PDF
IoT Development from Prototype to Production
byMender.io
 
PDF
Developing Interoperable Components for an Open IoT Foundation
byEurotech
 
PDF
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
bySeungjoo Kim
 
PDF
An Internet of Things Reference Architecture
bySymantec
 
PPTX
IoT Security Briefing FBI 07 23-2017 final
byFrank Siepmann
 
PDF
how to implement an IoT architecture
byRoberto Siagri
 
PDF
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
byCloudIDSummit
 
PPTX
LAS16-300K2: Geoff Thorpe - IoT Zephyr
byShovan Sargunam
 
PDF
Lecture 7 - Security
byAlexandru Radovici
 
PDF
BKK16-500K2 CTO talk - The End to End Story
byLinaro
 
PPTX
IoT Security: Debunking the "We Aren't THAT Connected" Myth
bySecurity Innovation
 
PDF
The Internet of Things: We've Got to Chat
byDuo Security
 
PDF
IoT Devices Security Threats in 2023. How to Protect Your IoT Ecosystem?
byUtah Tech Labs
 
PDF
OSGi & Java in Industrial IoT - More than a Solid Trend - Essential to Scale ...
bymfrancis
 
PDF
Integrate IoT cloud analytics and over the-air (ota) updates with google and ...
byMender.io
 
PDF
Bridgera enterprise IoT security
byRon Pascuzzi
 
PDF
Sensor expo 2018 keynote
byShahram Mehraban
 
PDF
IoT Security and Privacy Considerations
byKenny Huang Ph.D.
 
PPTX
Security Testing for IoT Systems
bySecurity Innovation
 
Iot development from prototype to production
byMender.io
 
IoT Development from Prototype to Production
byMender.io
 
Developing Interoperable Components for an Open IoT Foundation
byEurotech
 
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
bySeungjoo Kim
 
An Internet of Things Reference Architecture
bySymantec
 
IoT Security Briefing FBI 07 23-2017 final
byFrank Siepmann
 
how to implement an IoT architecture
byRoberto Siagri
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
byCloudIDSummit
 
LAS16-300K2: Geoff Thorpe - IoT Zephyr
byShovan Sargunam
 
Lecture 7 - Security
byAlexandru Radovici
 
BKK16-500K2 CTO talk - The End to End Story
byLinaro
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
bySecurity Innovation
 
The Internet of Things: We've Got to Chat
byDuo Security
 
IoT Devices Security Threats in 2023. How to Protect Your IoT Ecosystem?
byUtah Tech Labs
 
OSGi & Java in Industrial IoT - More than a Solid Trend - Essential to Scale ...
bymfrancis
 
Integrate IoT cloud analytics and over the-air (ota) updates with google and ...
byMender.io
 
Bridgera enterprise IoT security
byRon Pascuzzi
 
Sensor expo 2018 keynote
byShahram Mehraban
 
IoT Security and Privacy Considerations
byKenny Huang Ph.D.
 
Security Testing for IoT Systems
bySecurity Innovation
 

More from LF Events

PDF
Feature rich BTRFS is Getting Richer with Encryption
byLF Events
 
PDF
KASan in a Bare-Metal Hypervisor
byLF Events
 
PDF
Efficient kernel backporting
byLF Events
 
PDF
Raspberry pi Update - Encourage your IOT
byLF Events
 
PDF
Introduction to Open-O
byLF Events
 
PDF
CNCF and Fujitsu
byLF Events
 
PDF
SR-IOV ixgbe Driver Limitations and Improvement
byLF Events
 
PDF
NVMe Over Fabrics Support in Linux
byLF Events
 
PDF
Linxu conj2016 96boards
byLF Events
 
PDF
Taking over to the Next Generation
byLF Events
 
PDF
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
byLF Events
 
PDF
Generating a Reproducible and Maintainable Embedded Linux Environment with Po...
byLF Events
 
PDF
Trading Derivatives on Hyperledger
byLF Events
 
PDF
Introducing Oracle Linux and Securing It With ksplice
byLF Events
 
PDF
Boost UDP Transaction Performance
byLF Events
 
PDF
Containers: Don't Skeu Them Up, Use Microservices Instead
byLF Events
 
Feature rich BTRFS is Getting Richer with Encryption
byLF Events
 
KASan in a Bare-Metal Hypervisor
byLF Events
 
Efficient kernel backporting
byLF Events
 
Raspberry pi Update - Encourage your IOT
byLF Events
 
Introduction to Open-O
byLF Events
 
CNCF and Fujitsu
byLF Events
 
SR-IOV ixgbe Driver Limitations and Improvement
byLF Events
 
NVMe Over Fabrics Support in Linux
byLF Events
 
Linxu conj2016 96boards
byLF Events
 
Taking over to the Next Generation
byLF Events
 
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
byLF Events
 
Generating a Reproducible and Maintainable Embedded Linux Environment with Po...
byLF Events
 
Trading Derivatives on Hyperledger
byLF Events
 
Introducing Oracle Linux and Securing It With ksplice
byLF Events
 
Boost UDP Transaction Performance
byLF Events
 
Containers: Don't Skeu Them Up, Use Microservices Instead
byLF Events
 

Recently uploaded

PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
PPTX
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PDF
Agentic AI with Google ADK GDG On Campus Netaji Subhash Engineering College
bydscnsecorg
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PPTX
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PDF
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
PDF
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Agentic AI with Google ADK GDG On Campus Netaji Subhash Engineering College
bydscnsecorg
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 

Secure IOT Gateway

  • 1.
    LinuxCon Tokyo, Japan 2016 SecureIoT Gateway Jim Gallagher Senior Technical Marketing Lead, MontaVista Software
  • 2.
    Setting the Stage •This presentation will focus on developing Secure Gateways (Edge Computing & Connectivity) in the IoT Architecutre • Primarily discussion will be on Architecture, Security, and Maintainence features Sensors Gateway Cloud/Database & Analytics Applications L i n u x
  • 3.
  • 4.
  • 5.
    Architecture choices Embedded processor considerations: –Processor family • ARM • Intel x86 • PowerPC and MIPS possible but not as popular – Power consumption • ARM: low power, advanced PM features • Intel x86: limited PM options
  • 6.
    Architecture choices (ctd) Embeddedprocessor considerations: – Performance • ARM: Good core performance on lower Ghz • Intel x86: ”Add Ghz -> more perf” – Optimizations • Security offload • Virtualization – Deployment model • SOC model vs. ”generic compute” • Longevity?
  • 7.
    Ecosystem  Intel vs.ARM really • PPC and MIPS thin and fading ecosystem • Ubuntu, Fedora, Debian, OpenSUSE, MontaVista, WindRiver, and Enea all have/will have x86 and ARM support for mainstream distros • LINARO (ARM lead)  Yocto project (Intel lead) • Consolidate embedded development on OE/bitbake
  • 8.
  • 9.
    Sensors, Sensors everywhere! Simple sensor data drives the IoT engine • Fitness trackers, heart monitors, oil and pressure temperature gauges, & packet latency in SDN Gateway L i n u x  What connects them • Wireless: Bluetooth, Wi-fi, Cellular Modem, (3G/4G/5G), Zigbee, & 6loPAN • The bus lineup: Canbus, Profibus, & Modbus • Serial, SPI, I2C • Near Field Communication (NFC) • Prioprietary  Implications • Selected architecture must support (directly or USB/PCI) ALL • Drivers as well...possible port from different architecture • Enough performance • Maintain versions • Brace for the new
  • 10.
    To the Cloud Data from sensors is the lifeblood of IoT • Connects to cloud or database • Gateways can filter/preprocess data • Push must be secure (encrypted and authenticated) • Connectivity is bi-redirectional so IoT Gateway must be secure from the cloud  IoTivity  Community framework to connect end devices  Alljoyn Open Source Framework  Connect and communicate across transports/OSes
  • 11.
  • 12.
    Recent Real-World Examples •DHS confirms Public Sector Control system hacked – Attacking inadequate perimeter security, an attacker could compromise the SCADA system with capability to inject commands and read data at will – The controlled device was brought down for maintenance so no damage done • Boeing and Airbus – Hacker used in-flight Wi-Fi connection to hack into flight control systems – Allegedly controlled thrust for engines, oxygen mask deployment, etc. • Drones – Johns Hopkins University research demonstrated 3 different ways to send unwanted commands – Could force drones to land or just crash • Personal vehicles – Jeep hacked through navigation and Corvette hacked by SMS – Activate wipers, apply brakes, disable engine & brakes
  • 13.
    Design Considerations • Buildingsecurity primarily in the Gateway? – Edge devices are constrained on hardened channel – Requires encryption for the channel and two-way authentication for setup • Trusted edge vs. Edge Computing - two polars? – Moving computing to the edge can help build end-to- end efficiency, but requires edge and gateway devices to handle the security – Can also be seen as a way to fence out security threats for some layers of the processing so they cannot be exploited from the Cloud • Lifecycle: secure firmware updates and CVEs – The Edge is relying on the IT-supported backend to handle the updates, requires careful consideration for the technology and process • Provide monitoring for end-to-end data on the Gateway – Using DPI for heuristics- based detection of exploits • Combining types of security: physical, networking, system integrity and isolation of domains Architectural Functional
  • 14.
    IoT Platform Virtualization& Security vTPM Guest VM Container Openflow DPDK LXC/Docker KVM EMBEDDED LINUX SELinux / sVirt Application Application Hardware Platform LXC/Docker Application 3rd Party Container Monitoring / Auditing Bootloader TPM (x86) Root of Trust CVEFixes and-Maintenance Network Security - IPSec HW offload - Policy Configuration Live Patching Policy Configuration based on System Requirements TrustZone (ARM) DPDK FIPS
  • 15.
    Types of SecurityMeasures • Reactive Measures – Common Vulnerabilities and Exposures (CVEs) • https://cve.mitre.org/ • The standard list for holes in common systems • Very important to cover the affected parts in your product; MontaVista will do this for you – Intrusion-detection systems • Take action based on perceived attack • Several systems exist for Linux (LIDS, auditd, inotify, tripwire..) – Auditing and logging • Knowing you’ve been attacked prevents further damage • Collect evidence for litigation against the attacker • Example tools: Auditd, syslog, inotify, SELinux.. • Proactive Measures – Mandatory Access Control (MAC) • Minimizes the damage that unknown exploits can do to your system • Increases the chances to block 0-day exploits (unknown vulnerabilities) – System Certification • Provide Common Criteria or similar certification for your product or platform • MontaVista’s Linux is certifiable and we can help with the process – Root of Trust
  • 16.
    • Full featuredand lightweight virtualization solutions Embedded Linux Container Core Isolation Application LXC/Docker Container Application KVM Application OS Guest VM  KVM Full virtualization  Docker Application containers  LXC Full-system Containers  Core Isolation Dataplane and RT applications Virtualization Technology for Isolation
  • 17.
    • Make Securitya Priority • Implement Mixture – Reactive – Proactive • Stay Current
  • 18.
  • 19.
    IoT Maintainability Requirements •Product life cycle support • Ability to upgrade application, kernel, drivers, userland, or whole system • Upgrades done with little to no “human” interaction and downtime – Wireless delivery • Secure updates – Authentication – Encryption
  • 20.
    Addressing IoT Maintenancewith Linux • Long Term Support (LTS) Kernel – Can be extended beyond 10+ years in commercial Linux distributions • SMART package manager – Allows for source or binary distribution – Flexible to update userland, application, etc. • Live kernel patching • Crypto API support • Trusted Platform Module (TPM) and TrustZone for secure OTA updates
  • 21.
    IoT: Signed OTAUpdates • IoT devices and Gateways have embedded requirements for small footprint but still a very high demand for security • The process relies on the Kernel Live Patches, RPMs, or Container images being hashed and signed by a certificate that can be validated by the TPM or TEE on the target system if necessary – Can also support two-way signatures by using standard RPM signing using GPG keys, potentially enforced by the server-side TPM. • Such processes are adopted by OSVs like Symantec, Redbend and practically all product manufacturers that are concerned about running trusted/secure SW on the devices. • Without secure updates, the integrity of the platform cannot be maintained. ServerDevice Decrypt and verify signature Update Data Generate, Sign and Encrypt Host OS Update Data Pubkey- TPM SecKey- Host PubKey- Host SecKey- TPM Deliver update • RPM / deb / IPK • Docker, VM image • Kernel (Live) Patch TPM TPM/TEE SDK Linux Linux
  • 22.
    Summary • Embedded Linux offerssolid software platform to IoT Gateway developers – Architecture – Connectivity • Security is IMPORTANT to implement • High uptime maintainability
  • 23.