INTRODUCING: VIGILES LINUX SECURITY MONITORING TOOL – INTRODUCTION AND OVERVIEW (PowerPoint PPT Presentation)

SLIDE 1

EXTERNAL USE

DECEMBER 2019

INTRODUCING: VIGILES – LINUX SECURITY MONITORING TOOL

INTRODUCTION AND OVERVIEW

NXP External Use

SLIDE 2

Agenda

▪ Keeping your product secure

  • Why do I care?
  • What is a CVE?

▪ Challenges with CVEs and keeping secure

▪ Vigiles – tools for finding CVEs and fixes

  • NXP Yocto – starting point
  • Security reports with analysis

▪ Q&A

SLIDE 3

Security risk on critical applications

(Images: City, Kiosk, Medical, Government, Military)

SLIDE 4

CVE – Publicly recognized security issue

▪ CVE-ID

▪ Description of the issue

▪ Estimated severity (CVSS - Common Vulnerability Scoring System)

  • Low to Critical, 0.0 to 10.0

▪ Estimated impact and domain scores

  • e.g. “Attack Vector”, “User Interaction”, “Scope”, “Confidentiality”, …

▪ Affected products, version numbers (CPEs - Common Platform Enumeration)

  • e.g. cpe:2.3:a:openssl:openssl:1.1.0g:*:*:*:*:*:*:*

Key piece for automation

▪ List of reference links

  • Exploits, patches, bug entry, mitigation, advisories...

▪ Vulnerability Type (CWE - Common weakness enumeration)

  • e.g. “buffer overflow”, “pointer issues”
SLIDE 5

Example: CVE-2018-18074

Impact

CVSS v3.0 Severity and Metrics:

  • Base Score: 9.8 CRITICAL
  • Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Impact Score: 5.9
  • Exploitability Score: 3.9
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High

Current Description

The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

Known Affected Software Configurations

  • cpe:2.3:a:python-requests:requests:*:*:*:*:*:*:*:* – Up to (excluding) 2.20.0

SLIDE 6

Vulnerabilities are increasing!

  • How do we keep devices secure?

− Companies must integrate additional governance into development processes

(Charts, source: cvedetails)

  • Vulnerabilities By Year: reported vulnerabilities have reached 14558+ in 2019 (avg. 280 a week)
  • Vulnerability Distribution By CVSS Scores: issue severity scores (all issues) Avg. = 6.1

SLIDE 7

Options for product developers

With 280+ vulnerabilities reported each week, product developers can …

  • Ignore them: increase security risk for customers, liability for themselves
  • Adopt automated monitoring & tracking and mitigation tool: Vigiles cuts security management & mitigation burden by 90%
  • Use open source vulnerability assessment tools: reduce time spent but chase many false positives, miss issues, does not help fixes
  • Deal with them via manual process: consume many hours of key staff time, still miss many issues, fixes are difficult

SLIDE 8

Manual monitoring process is expensive and error-prone

Challenges

  • There is no unified name for open sources. CVE can be reported for linux-kernel, Linux, kernel, etc.
  • Difficult to identify which open source are used/maintained

Software manifest

  Name            Version
  Linux kernel    4.4.15 LTS
  openssl         1.0.2o
  bash            4.4.19
  …               …

SLIDE 9

Manual process of finding & analyzing patches is time-consuming

(Flow: Unfixed CVE List → Find Patch / Find Version with a Fix → Apply Patches → Retest Entire BSP → Release)

Challenges

  • Difficult to find correct patches for all CVEs
  • Finding software versions that could be used and are maintained is very time-consuming
  • Testing patches
  • Retesting entire BSP

SLIDE 10

Challenges with keeping devices secure – CVE data quality

(False positives and misses)

▪ Inconsistent naming

  • arm-trusted-firmware, arm_trusted_firmware, trusted_firmware-a

▪ Typos

  • Version number: CVE-2016-1234: 2.2.3 instead of 2.23 (corrected now)
  • CVE product name: CVE-2016-1494: python instead of rsa (corrected now)

▪ Incorrect/incomplete analysis

  • CVE-2018-14618: up to 7.61.1 instead of 7.15.4 to 7.61.1

▪ Outdated information

  • Kernel CVEs (more later)

▪ No version or cpe information

  • CVE-2018-10845: cpe:2.3:a:gnu:gnutls:-:*:*:*:*:*:*:*
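As an added example (not from the slides or from Vigiles), the Python below shows how the naming and version-data problems of slides 8 and 10 surface in a manifest matcher: it parses CPE 2.3 strings, folds component aliases to one canonical name, compares versions numerically rather than as strings, and reports a CVE with no version data (the gnutls case) as needing review instead of silently matching or skipping it. The alias table, the manifest entries and the haxx:curl vendor/product string for CVE-2018-14618 are assumptions, not values taken from the slides.

```python
import re

# Constructed alias table: slides 8 and 10 show one component under several
# names (linux-kernel/Linux/kernel, arm-trusted-firmware/trusted_firmware-a).
ALIASES = {"linux": "linux_kernel", "kernel": "linux_kernel",
           "trusted_firmware_a": "arm_trusted_firmware"}

def canon(name):  # lower-case, turn '-' and spaces into '_', apply aliases
    n = re.sub(r"[-\s]+", "_", name.strip().lower())
    return ALIASES.get(n, n)

def vkey(v):  # '1.1.0g' -> ((0,1),(0,1),(0,0),(1,'g')): numbers compare as ints
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[a-z]+", v.lower()))

def parse_cpe23(cpe):
    """Split a CPE 2.3 string on unescaped ':' -> (part, vendor, product, version, ...)."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: " + cpe)
    return tuple(parts[2:])

def check(rule, name, version):
    """'affected', 'clear', or 'review' (rule carries no usable version data)."""
    product, cpe_ver = parse_cpe23(rule["cpe"])[2:4]
    if canon(product) != canon(name):
        return "clear"
    v, lo, hi_ex, hi_in = vkey(version), rule.get("start_incl"), rule.get("end_excl"), rule.get("end_incl")
    if cpe_ver not in ("*", "-"):            # exact version pinned in the CPE itself
        return "affected" if v == vkey(cpe_ver) else "clear"
    if not (lo or hi_ex or hi_in):           # gnutls:-: style: no version data at all
        return "review"
    ok = (not lo or v >= vkey(lo)) and (not hi_ex or v < vkey(hi_ex)) and (not hi_in or v <= vkey(hi_in))
    return "affected" if ok else "clear"

# NVD-style rules built from the slides' examples; CVE-2018-14618's vendor/product
# (haxx:curl) is not on the slide and is an assumption taken from NVD.
RULES = [
    {"cve": "CVE-2018-18074", "end_excl": "2.20.0",
     "cpe": "cpe:2.3:a:python-requests:requests:*:*:*:*:*:*:*:*"},
    {"cve": "CVE-2018-14618", "start_incl": "7.15.4", "end_incl": "7.61.1",
     "cpe": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*"},
    {"cve": "CVE-2018-10845", "cpe": "cpe:2.3:a:gnu:gnutls:-:*:*:*:*:*:*:*"}]
MANIFEST = [("Linux kernel", "4.4.15"), ("openssl", "1.0.2o"), ("bash", "4.4.19"),  # constructed,
            ("requests", "2.19.1"), ("curl", "7.15.3"), ("gnutls", "3.6.4")]         # slide-8 shape

def scan(manifest=MANIFEST, rules=RULES):
    """Return {cve: [(component, status)]} for every entry that is not clear."""
    hits = {}
    for r in rules:
        for name, ver in manifest:
            s = check(r, name, ver)
            if s != "clear":
                hits.setdefault(r["cve"], []).append((name, s))
    return hits
```

With the naive "up to 7.61.1" rule the slide criticises, curl 7.15.3 would be flagged; with the corrected 7.15.4 to 7.61.1 range it is clear.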

SLIDE 11

Challenges with keeping devices secure – Linux kernel CVEs

▪ Typically, new CVE is listed as affecting all versions till latest

▪ Kernel maintainers do a fantastic job at backporting fixes to LTS

  • NVD CPE info not updated when patches backported

*approx numbers: As of 7/30/2019
SLIDE 12

Challenges with keeping devices secure – delays in CVE reporting / analysis

CVE-2019-6690 (python-gnupg)

  • 1/19: Vulnerability discovered (private)
  • 1/20: PoC created
  • 1/22: Applied for CVE, vendor notified
  • 1/23: CVE-2019-6690 assigned
  • 1/23: Vendor responded, fix committed
  • 1/25: Disclosed on oss-security (public)
  • 3/21: NVD publishes CVE
  • 4/2: NVD analysis - adds cpe tags

68 days from being public to NVD analysis

CVE-2019-5436 (libcurl)

  • 4/29: Reported on hackerone (private)
  • 4/29: Fix developed (private)
  • 5/15: Disclosed on distros list (private)
  • 5/20: Fix appears on github
  • 5/22: Disclosed on oss-security (public)
  • 5/28: NVD publishes CVE
  • 5/29: NVD analysis - adds cpe tags

7 days from being public to NVD analysis

SLIDE 13

NXP Presents Vigiles*: Keeping your Linux BSP Secure

www.nxp.com/vigiles

Features

  • On-demand vulnerability reports
  • Automatic alerts for newly discovered CVEs
  • Filtering CVEs by severity and whitelisting non-issues
  • Provides direct link to fixes
  • Can be bundled with Pro-Support for assistance

Benefits

  • Maintain strong product security throughout your product lifecycles
  • Bring more secure products to market faster
  • Make security a key product differentiator
  • Works with ANY Yocto based BSP
  • Start for free

* Vigiles is powered by a third-party vendor

On-demand security monitoring for more secure systems

  • NXP takes great care to ensure the BSP releases use recent software when rolled out

− As time goes on, new CVEs are reported, and developers customize BSPs to meet product requirements, resulting in possible exposure to security issues

− Staying secure is a process that must be implemented by your engineering team

  • Vigiles enables you to quickly and efficiently analyze security issues and take action

− Automatically scans for and identifies vulnerabilities specific to your projects and software components

− Produces highly accurate security reports, which combined with a very low false positive rate provides you with product ongoing security management that is streamlined and highly efficient

SLIDE 14

Vigiles Technology Architecture

(Architecture diagram; labels shown:)

  • Inputs: Customer BSP or source component list – Yocto manifest (via the meta-timesys Yocto layer), Buildroot component list
  • Vigiles: Vulnerability Scanner, Notification service, Patch Notifier, CVE Manager, CVE Analyzer (NVD feed, Canonical, NVD Analyzer, Kernel Analyzer), Curated CVE Database, Conflict Notifier, Automatic filter & disambiguation, Status tracker, Patch/Version Database
  • Feeds: Security bulletins, issue trackers (curated by the Vigiles team)
  • End user: Web Dashboard, CVE Reports, UI, Results
  • For NXP Pro-Support customers: BSP Maintenance, Patch/Update Manager

SLIDE 15

How to start with Vigiles – www.nxp.com/vigiles

Register for 30-day Vigiles trial

SLIDE 16

NXP Yocto – Vigiles starting point

  • Vigiles is enabled with a Yocto metalayer (meta-timesys)
  • Easily used with NXP Yocto Project

− Can be added to any NXP Yocto BSP (https://github.com/TimesysGit/meta-timesys)

    RELEASE=thud
    git clone https://github.com/TimesysGit/meta-timesys.git -b $RELEASE

− Comes pre-integrated into NXP’s Yocto BSP, starting from Yocto “Thud” (https://source.codeaurora.org/external/imx/imx-manifest/)

SLIDE 17

Vigiles process for Yocto Project

  • Step 1: Configure your Yocto build for scanning with Vigiles (in conf/local.conf)

    INHERIT += "vigiles"
    VIGILES_KEY_FILE = "/tools/timesys/linuxlink_key"

  • Step 2: Fine tune the scanning results by pointing to your Linux kernel configuration

    VIGILES_KERNEL_CONFIG = "/projects/kernel/linux-4.14-ts+imx-1.0/.config"

  • Step 3: Run the scan

    $ bitbake -c vigiles_check core-image-minimal

  • Step 4: Look at the report locally
  • Step 5: Look at the details, analyze, and triage using Vigiles online UI
SLIDE 18

Vigiles demonstration

SLIDE 19

Vigiles Solution

  • Notification Management
  • Upload Yocto, Buildroot, Factory, or CSV manifests
  • Yocto – Command-line Capable
  • Unfixed and Fixed CVE Trend
  • Team Sharing for Triage Collaboration

SLIDE 20

Vigiles: BASIC – On-Demand Report

SLIDE 21

Vigiles: PLUS – adds collaboration, sorting and filtering

  • Configuration specific Security Reports
  • Product Source Configuration
  • Team Sharing of Product Configuration and Reports

SLIDE 22

Vigiles: PRIME – Includes links to patches and more filtering

  • Link to the patch in kernel mainline
  • Team collaboration and triage notes (PLUS)
  • Minimum version with a fix
  • Link to CVE details (PLUS)
  • Filter by CVSS (PLUS)
  • Filter by CVE Vector
  • Filter by kernel Config
  • Not Relevant - Move to whitelist (PLUS)

SLIDE 23

Three options for a more secure solution

NXP Pro-Support can be added to any package to assist with patch assistance and/or a semi-annual BSP maintenance package

SLIDE 24

DIY vulnerability mitigation cost: $96k vs. $10k

  • Monitoring

− $20K = weekly review of CVEs to stay on top — less accurate and more false positives

  • Finding patches and fixed versions

− $20K = average BSP requires 50 patches/year
− $8K = toolchain patches to fix C/C++ runtime security issues

  • $48K per configuration
  • # of configurations in a product family: 3 (2 deployed and 1 in-development)
  • 50% redo (assume same software components with 50% different versions and kernel version)
  • $96K is hidden cost for keeping the product family secure

− Not including patching and testing

Do It Yourself: $96,000 / year
Vigiles: Starts at $10,000 / year

(Chart categories: Monitoring, Finding, Patching and Testing)

SLIDE 25

Layered approach

▪ Secure by design – one time implementation

  • Hardware lockdown (serial console, jtag)
  • Secure boot, chain of trust
  • Secure storage and communications
  • Access control and hardening
  • Secure OS – OP-TEE / Arm TrustZone
  • Secure firmware update
  • Reduce attack surface
  • Security audit / pen testing

▪ Stay secure – ongoing process

  • Vulnerability monitoring and patching
  • Periodic upgrade
  • Audit log monitoring
SLIDE 26

Benefits of using NXP Vigiles

  • Improved security: more coverage, better accuracy, early notification
  • Time saved in monitoring: identifies/notifies on newly discovered CVEs AND fixes
  • Reduced triage burden: fewer false positives, identifies already fixed CVEs, advanced filtering
  • Workflow management: history, collaboration tools, notes, whitelist, exported reports
  • Integrates into your engineering process: plugs into Yocto, security scan can be triggered for every build

SLIDE 27

Q & A
