Linux Security Summit 2013/Abstracts/Safford



Embedded Linux Security


David Safford, IBM


Linux is in widespread use in embedded devices, but these devices typically lack critical security features found in higher-end Linux systems. They typically do not have any way to validate their firmware, they do not have hardware roots of trust for trusted or secure boot, they do not have provisions for physical presence, and they do not have secure update. Vendors claim that these features are either too large or too expensive to fit in their embedded devices.

This presentation will summarize the recent widespread vulnerabilities and compromises of embedded devices, and will show how the given security features would defeat such attacks, relating the concepts to the NIST SP800 guidelines for BIOS measurement and protection, and to the ongoing work on Linux secure boot for higher-end devices.

It will look at four typical embedded devices, will show how all of these features can be added at _zero_ cost, and will give a live demonstration of the added security features on one such device - a TP-Link MR3020.

As a bonus, the presentation will show how the same techniques can be used to fix the restricted boot of the Samsung Arm Chromebook, with physical presence enablement for updating the secure boot public key.