A collection of awesome tools, books, resources, software, documents and cool stuff about embedded linux security

kayranfatih/awesome-embedded-linux-security

Awesome Embedded Linux Security

A collection of awesome tools, books, resources, software, documents and cool stuff about embedded Linux security

Thanks to all contributors. The goal is to build a community-driven collection of well-known resources.

Contents

Root of Trust

  • OpenTitan - OpenTitan is the first open source project building a transparent, high-quality reference design and integration guidelines for silicon root of trust (RoT) chips
  • Project Cerberus - Project Cerberus is designed to be a hardware root of trust (RoT) for server platforms. It provides functionality to enforce secure boot for firmware on devices with or without intrinsic secure boot capabilities. It also provides a mechanism to securely attest to the state of the device firmware.
  • Trusted Platform Module (TPM) - TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop). These artifacts can include passwords, certificates, or encryption keys. A TPM can also be used to store platform measurements that help ensure that the platform remains trustworthy.
  • Device Identifier Composition Engine (DICE) - DICE is a hardware Root-of-Trust (RoT) used to protect the devices and components where a TPM would be impractical or infeasible. When a TPM is present, DICE is used to protect communication with the TPM and provides the Root of Trust for Measurement (RTM) for the platform. DICE was designed to close critical gaps in infrastructure and help to establish safeguarding measures for devices. The DICE RoT can also be easily integrated into existing infrastructure, with the architecture being flexible and interoperable with existing security standards.

Trusted Execution Environment (TEE)

  • ARM TrustZone - TrustZone technology for Arm Cortex-M processors enables robust levels of protection at all cost points for IoT devices. The technology reduces the potential for attack by isolating the critical security firmware, assets and private information from the rest of the application.
  • RISC-V Keystone - Keystone is an open-source project for building customizable trusted execution environments (TEEs) based on RISC-V for various platforms and use cases.
  • OP-TEE - OP-TEE is an open-source TEE designed for ARM TrustZone. It provides a secure and efficient environment for running trusted applications on ARM processors, implementing the GlobalPlatform TEE system architecture and APIs.
  • Intel SGX (Software Guard Extensions) - Intel SGX is a set of security-related instruction codes that are built into modern Intel CPUs. It allows applications to create secure enclaves for code and data. While SGX itself is not open-source, there are open-source SDKs and tools for developing SGX applications.
  • AMD SEV (Secure Encrypted Virtualization) - AMD SEV is a technology that provides encryption for virtual machine memory. It helps protect VMs from attacks and unauthorized access. While SEV is a hardware feature, there are open-source tools and frameworks for leveraging SEV in virtualized environments.

Secure Boot

Bootloaders

  • U-Boot (Das U-Boot) - U-Boot is a powerful bootloader used primarily in embedded systems. It supports a wide range of architectures and file systems, and is highly customizable for different hardware platforms.
  • GNU GRUB (GRand Unified Bootloader) - GRUB is the most popular bootloader for Linux. It supports a wide range of operating systems and file systems, and provides powerful features such as the ability to boot from network and scriptable menu entries.
  • systemd-boot - systemd-boot (formerly known as gummiboot) is a simple UEFI boot manager that reads boot entries directly from the EFI system partition. It integrates seamlessly with systemd, making it a good choice for modern Linux systems.
  • coreboot - coreboot is an extended firmware platform that provides a fast and secure boot experience. It is often used in combination with other bootloaders like GRUB or SeaBIOS.
  • rEFInd - rEFInd is an easy-to-use boot manager for UEFI systems. It provides a graphical interface and supports booting multiple operating systems, including Linux, macOS, and Windows.
  • Barebox - Barebox is a modern bootloader for embedded systems, designed as a successor to U-Boot. It provides a robust environment with a scripting language, fast boot times, and extensive support for different hardware.
  • Petitboot - Petitboot is a Linux-based bootloader for the Power architecture, which can also be used on other architectures. It provides a flexible and powerful boot environment with support for multiple file systems and network booting.
  • RedBoot - RedBoot is a complete bootstrap environment for embedded systems. Based on the eCos Hardware Abstraction Layer, RedBoot inherits the eCos qualities of reliability, compactness, configurability, and portability.

Access Control and Kernel modules

  • SELinux (Security-Enhanced Linux) - Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access control (MAC). It helps to confine user programs and system services to the minimum amount of privilege they require to do their jobs.
  • AppArmor - Linux Security Module that provides MAC style security extension for the Linux kernel. It allows the system administrator to restrict programs' capabilities with per-program profiles.
  • Tomoyo - Linux security module that implements mandatory access control policies. It focuses on ease of use and learning mode, which helps to create security policies automatically based on the behavior of the system.
  • Yama - Linux security module that collects system-wide security enhancements that are not handled by other LSMs. It includes restrictions on the ptrace system call, which is used for debugging and manipulating processes.
  • Audit - Linux Audit subsystem provides a way to track security-relevant information on a system. It consists of a kernel component and a user-space component, allowing administrators to create, store, and analyze audit records for security monitoring and compliance.
  • Integrity Measurement Architecture (IMA) - Linux kernel feature that helps ensure the integrity of the system by measuring and attesting to the integrity of files. It can be used to detect if files have been tampered with or altered.
  • eBPF (Extended Berkeley Packet Filter) - Powerful technology that can run sandboxed programs in the Linux kernel without changing kernel source code or loading kernel modules. It is used for various security purposes, such as monitoring, networking, and performance analysis.
  • LKRG (Linux Kernel Runtime Guard) - Kernel module designed to detect and respond to unauthorized modifications to the Linux kernel at runtime. It helps in detecting rootkits and other kernel-level malware.
  • Seccomp (Secure Computing Mode) - Linux kernel feature that allows a process to make a one-way transition into a restricted state where it can only make a specified set of system calls. This reduces the kernel attack surface.
  • SMACK (Simplified Mandatory Access Control Kernel) - Linux security module that provides simplified mandatory access control. It implements a rule-based access control mechanism to protect processes and objects on the system.

Operating Systems

  • OpenWRT - The OpenWrt Project is a Linux operating system targeting embedded devices. Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with package management.
  • Yocto Project - A project that provides templates, tools, and methods to create custom Linux-based systems for embedded products, regardless of hardware architecture.
  • Buildroot - A simple, efficient, and easy-to-use tool to generate embedded Linux systems through cross-compilation.
  • OpenEmbedded - A build framework for embedded Linux systems. It offers a wide range of pre-built packages and customizable configurations.
  • Ubuntu Core - A minimalist version of Ubuntu designed for IoT devices and appliances. It includes transactional updates and a secure app store.
  • PREEMPT-RT - A patchset for the Linux kernel that provides real-time capabilities, suitable for embedded systems requiring deterministic response times.
  • Xenomai - A real-time development framework for Linux. It allows developers to create real-time applications alongside Linux user-space applications.
  • Alpine Linux - A lightweight Linux distribution known for its security features, small footprint, and simplicity. It's suitable for resource-constrained embedded systems.
  • Tiny Core Linux - A minimalist Linux distribution designed to be as small as possible while still being a functional operating system. It's suitable for embedded devices with limited storage and memory.
  • BalenaOS - A container-centric Linux distribution designed for IoT and edge computing. It includes built-in support for containerized applications and fleet management features.
  • ROCK Pi - A Linux distribution optimized for ROCK Pi single-board computers, offering pre-built images and software support tailored for these devices.
  • Raspberry Pi OS - The official operating system for Raspberry Pi devices, offering a Debian-based Linux distribution with optimized performance and hardware support.

Container Security

Articles

Tools

  • Docker Bench Security - A script that checks for dozens of common best-practices around deploying Docker containers in production.
  • Clair - An open-source vulnerability scanner for containers, providing static analysis of container images.
  • Falco - An open-source cloud-native runtime security project that monitors container workloads for abnormal behavior.
  • Cilium - A network security project that provides network and application layer visibility and security for containers.
  • LXD - A next-generation system container manager providing a more user-friendly and feature-rich interface for managing containers.

Best Practices

Guides and Documentation

Useful Websites

  • Trusted Computing Group (TCG) - Through open standards and specifications, Trusted Computing Group (TCG) enables secure computing. Benefits of TCG technologies include protection of business-critical data and systems, secure authentication and strong protection of user identities, and the establishment of strong machine identity and network integrity. Trusted hardware and applications reduce enterprise total cost of ownership and support regulatory compliance.

Host-based Intrusion Detection Systems

  • OSSEC - An open-source host-based intrusion detection system that performs log analysis, file integrity checking, rootkit detection, and real-time alerting.
  • Wazuh - A fork of OSSEC with additional features and enhancements, providing security monitoring, incident response, and compliance capabilities.
  • Tripwire - A commercial HIDS solution that performs file integrity monitoring, change detection, and policy-based alerting for embedded Linux systems.
  • Samhain - An open-source HIDS that provides file integrity checking, system monitoring, and rootkit detection for embedded Linux environments.
  • chkrootkit - A tool to locally check for signs of a rootkit.
  • AIDE - Advanced Intrusion Detection Environment, a file and directory integrity checker.
  • afick - Another File Integrity Checker, monitors changes on the file system and detects intrusions.
  • Open Source Tripwire - Security and data integrity tool for monitoring and alerting on file & directory changes.
  • rkhunter - A rootkit hunter.
  • SAMHAIN - Provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes.

Kernel Memory Protection

  • AddressSanitizer (ASan) - A runtime memory error detector that finds buffer overflow and use-after-free bugs in C/C++ programs.
  • KASAN (Kernel Address Sanitizer) - A dynamic memory error detector for the Linux kernel, similar to AddressSanitizer but tailored for kernel code.
  • KPTR_CHECK (Kernel Pointer Authentication) - A kernel boot parameter that enables pointer authentication checks for kernel addresses to prevent kernel pointer leaks.
  • Strict Kernel Memory Permissions - Enforces strict permissions on kernel and module memory regions to prevent data execution and memory corruption vulnerabilities.
    • Config options: CONFIG_STRICT_KERNEL_RWX, CONFIG_STRICT_MODULE_RWX, CONFIG_DEBUG_ALIGN_RODATA
  • Kernel Address Space Layout Randomization (KASLR) - Randomizes the base address of the kernel's virtual address space to mitigate memory-based attacks.
    • Config option: CONFIG_RANDOMIZE_BASE
  • Stack Canary - Inserts a canary value before the return address on the stack to detect buffer overflow attacks.
    • Config option: CONFIG_STACK_PROTECTOR
  • SLUB Allocator Heap Memory Security - SLUB allocator is recommended for security due to its improved security features compared to other memory allocators like SLAB and SLOB.

Return Oriented Programming

Return-Oriented Programming (ROP) is an advanced exploitation technique used in software security research to construct malicious payloads by chaining together short sequences of code fragments called "gadgets" from existing program code. ROP enables attackers to execute arbitrary code even in the presence of modern security mitigations like DEP and ASLR.

  • ROPgadget - A command-line tool for finding gadgets and building ROP chains.
  • ROPInjector - A tool for generating ROP payloads and injecting them into target processes.
  • ROPShell - A Python script to assist in the exploitation of buffer overflows using ROP techniques.
  • RP++ - A ROP gadget discovery tool that parses binaries and provides information about available gadgets.
  • Ropper - Display information about files in different file formats and find gadgets to build ROP chains for different architectures (x86/x86_64, ARM/ARM64, MIPS, PowerPC, SPARC64).
  • Pwntools - pwntools is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and intended to make exploit writing as simple as possible.

Data Integrity and Security

Block Level Encryption

  • dm-verity - A Linux kernel feature providing transparent integrity checking of block devices.
  • fs-verity - A filesystem-level integrity checking feature that works with read-only files and directories.
  • dm-crypt - A disk encryption mechanism in the Linux kernel, providing block-level encryption for data at rest.
    • Config Option: CONFIG_DM_CRYPT
  • Inline Encryption - A feature enabling inline encryption of data stored on block devices.
    • Config Option: CONFIG_BLK_INLINE_ENCRYPTION

Filesystem Level Encryption

  • fscrypt - A Linux kernel feature for filesystem-level encryption, supporting various filesystems including ext4, F2FS, and UBIFS.
    • Config Options: CONFIG_ECRYPT_FS, CONFIG_FS_ENCRYPTION
    • User-space tools: fscryptctl

Usage and Implementation Details

Considerations

  • Integrity Protection: Note that while dm-verity and fs-verity provide integrity checking, dm-crypt and fscrypt focus on encryption and do not provide integrity protection.
  • Metadata Encryption: dm-crypt protects all metadata, including extended attributes, while fscrypt only encrypts filenames.

Hardening Yocto

  • Yocto CVE Check Documentation - Official documentation providing guidance on performing security vulnerability scans with cve-check in Yocto.
  • Yocto Project Security Advisories - Official security advisories and updates for the Yocto Project, complementing cve-check with additional information about vulnerabilities and patches.

Linux firewalls

  • iptables - iptables is a powerful firewall utility in Linux that allows administrators to configure rules for filtering and manipulating network packets at the kernel level. It provides granular control over network traffic based on various criteria such as source/destination IP addresses, ports, and protocols.
  • nftables - nftables is the successor to iptables and provides a more flexible and efficient framework for packet filtering and network address translation (NAT) in Linux. It offers a simpler syntax and improved performance compared to iptables.
  • Firewalld - Firewalld is a dynamic firewall management tool that simplifies the configuration and administration of firewalls in Linux distributions such as Fedora, CentOS, and RHEL. It provides a higher-level abstraction and a more user-friendly interface for managing firewall rules.
  • UFW (Uncomplicated Firewall) - UFW is a front-end for iptables that aims to make firewall configuration easier for novice users. It provides a simplified command-line interface and predefined application profiles for common services.

Testing Linux Software for Security

Testing Linux software for security vulnerabilities is crucial to ensure the reliability and integrity of the system. Various testing techniques and tools are available to identify and mitigate potential security risks in Linux applications. Here are some common approaches:

Static Analysis

Static analysis involves examining the source code or binaries without executing them. It helps identify potential security vulnerabilities, coding errors, and compliance issues early in the development process.

  • Cppcheck - A static analysis tool for C/C++ code.
  • Clang Static Analyzer - A static analysis tool based on Clang for C/C++ code.
  • FindBugs - A static analysis tool for Java code.
  • Brakeman - A static analysis tool for Ruby on Rails applications.
  • Coverity - Coverity, now part of Synopsys, is a commercial static analysis tool that provides comprehensive code analysis capabilities for identifying defects, security vulnerabilities, and compliance issues in software projects. It supports multiple programming languages and integrates seamlessly with development workflows.
  • Klocwork - Klocwork is a static analysis tool offered by Perforce that helps developers identify and remediate defects and security vulnerabilities in their codebase. It provides advanced analysis techniques and integrates with popular development environments to streamline the detection and resolution of issues.
  • SonarQube - An open-source platform for continuous inspection of code quality and security. While the basic version is free and open-source, SonarSource offers commercial editions with additional features and support. It supports various programming languages and provides detailed reports on code quality, security vulnerabilities, and more.

Dynamic Analysis

Dynamic analysis involves executing the software with various inputs to observe its behavior and identify potential vulnerabilities at runtime.

  • Valgrind - A dynamic analysis tool for memory debugging, memory leak detection, and profiling.
  • GDB - The GNU Debugger, which can be used for dynamic analysis by stepping through code, setting breakpoints, and examining memory.
  • Strace - A system call tracer that captures and displays system calls made by a program.

Fuzz Testing

Fuzz-testing involves providing invalid, unexpected, or random data as inputs to the software to uncover bugs and vulnerabilities.

  • American Fuzzy Lop (AFL) - A popular fuzz-testing tool for finding security vulnerabilities in software.
  • AFL++ - AFL++ is an improved version of AFL with additional features and enhancements for better fuzz testing capabilities.
  • Peach Fuzzer - A platform for fuzz-testing software applications, protocols, and file formats.

Linux Kernel Fuzzers

  • Trinity - Trinity is a syscall fuzzer specifically designed for the Linux kernel. It generates random system calls and their arguments to stress-test the kernel's interface and uncover potential bugs.
  • syzkaller - Syzkaller is another Linux kernel fuzzer developed by Google. It systematically generates and executes system call sequences to explore the kernel's behavior and identify vulnerabilities.

Sanitizers

Sanitizers are runtime tools that detect various types of bugs and vulnerabilities, such as memory errors, data races, and undefined behavior.

Cyclomatic Complexity

Cyclomatic Complexity (CC) is a simple metric for quantifying the complexity of a program by measuring the number of linearly independent paths through its source code. It helps identify areas of code that may be difficult to understand, test, or maintain.

  • Lizard - Lizard is a command-line tool that analyzes code and generates reports on Cyclomatic Complexity and other metrics. It supports various programming languages, including C/C++, Java, Python, and more.

Lockdown

Lockdown is a security feature in the Linux kernel designed to prevent unauthorized access to a running kernel image and enhance system security. Here are the key aspects of Lockdown:

Disabled/Restricted Access

Lockdown disables or restricts access to certain critical kernel interfaces and resources, including:

  • /dev/mem, /dev/kmem, /dev/kcore, and /dev/ioports: Direct memory and I/O port access are disabled to prevent unauthorized manipulation of system memory and hardware.
  • BPF (Berkeley Packet Filter) and kprobes: These powerful kernel features are restricted to prevent potential abuse or exploitation.
  • debugfs: Debugging interfaces are disabled to prevent unauthorized access to kernel internals.

Signed Kernel Modules

  • Lockdown requires that kernel modules be signed or appraised by the Integrity Measurement Architecture (IMA) before they can be loaded into the kernel. This ensures that only trusted and verified modules are allowed to execute, reducing the risk of malicious code injection.

IMA Secure Boot Rules

  • Lockdown may enforce "secure_boot" rules in the Integrity Measurement Architecture (IMA) policy. These rules ensure that only signed and trusted code is executed during the boot process, enhancing the overall security of the system.
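As an added example (not part of this list or of any project it links), the script below audits a kernel .config for the build-time hardening options named in the Kernel Memory Protection and Data Integrity sections and reads the active Lockdown mode from the lockdown LSM's securityfs file. The sample .config fragment and lockdown file it works on are constructed inline so it runs offline; CONFIG_SECURITY_LOCKDOWN_LSM, the option that builds the lockdown LSM, is named here as an assumption and does not appear on the page.

```shell
#!/bin/sh
# Added example, not from the awesome list or any linked project: audit a
# kernel .config for hardening options and report the active Lockdown mode.
# Assumptions: the config file uses the plain "CONFIG_FOO=y" format that a
# kernel build's .config and /proc/config.gz share, and the lockdown file has
# the form "none [integrity] confidentiality" with the active mode in brackets.

# check_kconfig CONFIG_FILE OPTION...
# Prints one line per option; returns 1 if any option is not built in (=y).
# Options built as modules (=m) are reported as MISSING on purpose: a
# protection that lives in a loadable module is not active at early boot.
check_kconfig() {
    cfg="$1"
    shift
    missing=0
    for opt in "$@"; do
        if grep -q "^${opt}=y\$" "$cfg"; then
            printf 'ok       %s\n' "$opt"
        else
            printf 'MISSING  %s\n' "$opt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# lockdown_mode LOCKDOWN_FILE
# Prints the active mode: none, integrity or confidentiality.
lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$1"
}

# --- constructed sample inputs so the script runs offline -------------------
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
SAMPLE_CONFIG="$TMP/config"
SAMPLE_LOCKDOWN="$TMP/lockdown"

# Constructed .config fragment: the stack protector is deliberately unset and
# dm-crypt is built as a module, so both failure modes show up in the report.
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_DEBUG_ALIGN_RODATA=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_STACK_PROTECTOR is not set
CONFIG_DM_CRYPT=m
CONFIG_FS_ENCRYPTION=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
EOF
# Constructed copy of /sys/kernel/security/lockdown on an integrity-locked kernel.
printf 'none [integrity] confidentiality\n' > "$SAMPLE_LOCKDOWN"

# Run the audit against the constructed inputs. On a real device, feed it
#   zcat /proc/config.gz > /tmp/config   and   /sys/kernel/security/lockdown
check_kconfig "$SAMPLE_CONFIG" \
    CONFIG_STRICT_KERNEL_RWX CONFIG_STRICT_MODULE_RWX CONFIG_DEBUG_ALIGN_RODATA \
    CONFIG_RANDOMIZE_BASE CONFIG_STACK_PROTECTOR \
    CONFIG_DM_CRYPT CONFIG_FS_ENCRYPTION \
    || echo "some hardening options are not built in"
echo "lockdown mode: $(lockdown_mode "$SAMPLE_LOCKDOWN")"
```

On a running device, /proc/config.gz is only present when the kernel was built with CONFIG_IKCONFIG_PROC, and /sys/kernel/security/lockdown only when securityfs is mounted and the lockdown LSM is built in; an absent lockdown file therefore means the feature is not available at all, not that it is in "none" mode. A =y result reflects the build only: KASLR, for instance, can still be switched off at boot with the nokaslr kernel parameter, so a complete audit also reads /proc/cmdline.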

Books
