ready made recipes to add security and data protection to
play

Ready made Recipes to add Security and Data Protection to a Yocto - PowerPoint PPT Presentation

Dec 08, 2023 •357 likes •682 views

Ready made Recipes to add Security and Data Protection to a Yocto based Project reusing Tizen-Meta Dominig ar Foll (Intel Open Source Technology Centre) dominig.arfoll@fridu.net March 2015 Tizen-Meta IoT and Security What is Tizen

  1. Ready made Recipes to add Security and Data Protection to a Yocto based Project reusing Tizen-Meta Dominig ar Foll (Intel Open Source Technology Centre) dominig.arfoll@fridu.net March 2015

  2. Tizen-Meta ● IoT and Security ● What is Tizen ● Security Model for IoT ● How Security is enforced in Tizen ● What's next. Dominig ar Foll 2 Linux Embedded March 2015 Intel Open Source Technology Centre

  3. Intel’s IoT Vision INTELLIGENT END TO END INTELLIGENT DEVICES GATEWAYS ANALYTICS Deliver Intelligence Unlocking and Solutions from device where sharing valuable data to cloud to deliver needed to acquire in both legacy and end-to-end and filter new devices customer value IoT Solutions are End-to-End Distributed Applications data securely Dominig ar Foll 3 Linux Embedded March 2015 Intel Open Source Technology Centre 3

  4. IoT Has Security and Privacy Concerns Venture Beat News: “The Internet of Things will be vulnerable for years, and no one is incentivized to fix it” CMS Wire: “Top 5 IoT security concerns: Privacy, Authentication, Transport Encryption, Web Interface, Insecure Software” Wired: “The Internet of Things has Arrived – And so have Massive Security Issues” The Inquirer: “The Internet of Things needs a security model to protect user data” CSO: “Mainstream Internet of Things raising consumer security, privacy concerns” Dominig ar Foll 4 Linux Embedded March 2015 Intel Open Source Technology Centre 4

  5. Distributed IoT Applications = Distributed Threats INTELLIGENT INTELLIGENT END TO END DEVICES GATEWAYS ANALYTICS New Security Traditional Security Boundary Boundary Dominig ar Foll 5 Linux Embedded March 2015 Intel Open Source Technology Centre

  6. Tizen, an OS for Connected Devices Multiple profiles: • Mobile • IVI • TV • Household equipments • Wearables Dominig ar Foll 6 Linux Embedded March 2015 Intel Open Source Technology Centre

  7. Hacker Friendly supported platforms • • Intel ARM • NUC • Odroid U3 • MinnowBoard Max • Galileo-2 Dominig ar Foll 7 Linux Embedded March 2015 Intel Open Source Technology Centre

  8. Architecture Overview (Mobile Profile) Manufacturer Adaptation SMACK SMACK Interface Dominig ar Foll 8 Linux Embedded March 2015 Intel Open Source Technology Centre

  9. Tizen Connectivity* • • Bluetooth 4 (Low energy) Tethering • • Ethernet AV Hand Free support • • Wifi P2P Miracast • • GSM 3G/4G DLNA • Phone • Shared Drive • Messages • Data • Multi Screen • IoTivity * hardware dependent Dominig ar Foll 9 Linux Embedded March 2015 Intel Open Source Technology Centre

  10. 4 kinds of security • Isolation of the users and applications • An application cannot access the data of other application • How? Use of Smack and DAC • Restriction of the services • An application cannot access the services without authorisation • How? Use of Smack and Cynara • Restriction of the network • An application cannot access network without authorisation • How? Use of Smack and netfilter • Integrity • Code and stable Data integrity enforcement • How ? check by Kerne l Dominig ar Foll 10 Linux Embedded March 2015 Intel Open Source Technology Centre

  11. Security Model • Reduce all surfaces of Attack • Enforce a minimum privilege policy • Reduce on and off line Attack • Provide a ready and easy to use solution • Protect Code, Data and Connections • Deliver with existing tools Dominig ar Foll 11 Linux Embedded March 2015 Intel Open Source Technology Centre

  12. Isolation of applications AppX AppY AppX AppY alice alice bob bob • The file system is cut in user parts NO using traditionnal Unix DAC uid AppX NO NO YES (DAC+ alice (MAC) (DAC) partition MAC) • A user can access its own $HOME NO AppY NO NO • A user cannot access the home of other YES (DAC+ alice (MAC) (DAC) MAC) users NO • The file system is cut in application AppX NO NO (DAC+ YES bob (DAC) (MAC) MAC) parts using the Smack MAC labels • Each application has its own label NO AppY NO NO • An application can only access its own (DAC+ YES bob (DAC) (MAC) MAC) labelled files Dominig ar Foll 12 Linux Embedded March 2015 Intel Open Source Technology Centre

  13. Short overview • The author of Smack is mainly Casey Schaufler. • In Linux since kernel 2 6 25 – 17 April 2008 – as a LSM (Linux Security Module) • Evolving since this first days. • Inside Tizen since the first days (2012). • Use extended file attributes to store data relating to files. • Controlled via a filesystem interface: smackfs. • Controls accesses of processes to files, IPC, sockets and processes (ptrace, signals, ...). • Controls CIPSO labelled IPV4 packets Dominig ar Foll 13 Linux Embedded March 2015 Intel Open Source Technology Centre

  14. The Smack rules S • Smack's rules have 3 items: i m p • the subject's label l e ! • the object's label ! ! • the access System User rwx This rule tells to allow read , write and execute access to objects labelled User for the processes labelled System . What are labels? What are subjects? What are objects? How to set? Dominig ar Foll 14 Linux Embedded March 2015 Intel Open Source Technology Centre

  15. Integrity • P o l i c y b a s e d o n : – Path – File owner – Process owner – File permissions (executable/non-executable) – LSM labels – Action (open/exec) • Possible runtime policy management (C API): – Get current policy – Set policy from file – Set policy from list of rules (**char) • Documentation • https://wiki.tizen.org/w/index.php?title=Security:IntegrityMeasurement Dominig ar Foll 15 Linux Embedded March 2015 Intel Open Source Technology Centre

  16. Application live cycle • Applications are installed by an Installed Applications Trusted System (untrusted) (installed, signed) installer • The installer enable the application, Installer Installed configure the system according to Application with manifest the manifest. launcher • Applications are launched by a launcher • The launcher prepare the netfilte Cynar Smack process environment in agreement with the r rules a rules rules manifest and launch the application Trusted environment in the trusted environment. Dominig ar Foll 16 Linux Embedded March 2015 Intel Open Source Technology Centre

  17. 3 kinds of applications • The web applications • Written in HTML5/CSS3/JAVASCRIPT • The native applications • Written in any language including C/C++ • The hybrid applications • Mainly written in HTML5/CSS3/JAVASCRIPT • Includes a web runtime plugin or a some native service or application Services Service 1 Service 2 WebApp ... NativApp Web RunTime Kernel Dominig ar Foll 17 Linux Embedded March 2015 Intel Open Source Technology Centre

  18. Restriction of access to services ● Apps must provide a manifest declaring required services ● Access to Service is control by the OS from Manifest ● Control enforced for : ■ Enabled Daemon ■ D-Bus ■ Devices ■ Files ● Under investigation ■ Access to the network using MAC and netfilter and name spaces ■ Shared Libraries ■ Name spaces Dominig ar Foll 18 Linux Embedded March 2015 Intel Open Source Technology Centre

  19. Restriction of services • The invocations of services are using UDS • The UDS expose the credentials of the pair: Smack label, uid, pid • Before servicing, the service ask cynara for the authorisation using the smack label, the uid and some session id • Cynara scans its database and reply • A fast cache is enable • Cynara can request user decision through HMI Dominig ar Foll 19 Linux Embedded March 2015 Intel Open Source Technology Centre

  20. Restriction of network • To be finalised • Access to the network are filtered using DAC and netfilter • A filtering proxy-firewal may be also implemented for parental control. Dominig ar Foll 20 Linux Embedded March 2015 Intel Open Source Technology Centre

  21. The native applications • The applications cannot be launched directly • The launcher is in charge of setting the runtime environment of applications • Specific gid • Netfilter data • Services • D-Bus filtering • Service daemon Dominig ar Foll 21 Linux Embedded March 2015 Intel Open Source Technology Centre

  22. The web applications • As natives plus: • The Web runtime (crosswalk) is in charge of enforcing the security of the application • Because of its model, the Web Runtime includes a trusted part (in the system space) • The Web runtime ensure respect of the Content Security Policy (W3C) Dominig ar Foll 22 Linux Embedded March 2015 Intel Open Source Technology Centre

  23. Restriction of shared files • Some files (like /dev/camera) are shared to users but restricted by privileges. Note that this resources can be subject to resource management (murphy) • When no service is used as a mediator to access this resources, then: • No Cynara check can be performed. • For this specific shared files, the access is restricted by DAC and gid to a specific group. • The launcher is in charge to add the group to the launched application that requires following the cynara diagnostic Dominig ar Foll 23 Linux Embedded March 2015 Intel Open Source Technology Centre

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Home Made Formula Recipes NOTE: These recipes do NOT provide

Home Made Formula Recipes NOTE: These recipes do NOT provide

Home Made Formula Recipes NOTE: These recipes do NOT provide complete vitamins and minerals for either children or adults. Additional fat or protein may

164 views • 3 slides
Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case)

Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case)

Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2017/kr/kspp.pdf Agenda Background Security in the context of this presentation

800 views • 59 slides
Chapter 20 Silberschatz and Galvin Security Protection and Security Protection is a strictly

Chapter 20 Silberschatz and Galvin Security Protection and Security Protection is a strictly

Chapter 20 Silberschatz and Galvin Security Protection and Security Protection is a strictly internal problem Protection: mechanism for controlling the access of programs, processes, or users to the resources defined by a computer

499 views • 16 slides
Data Centric Security and Data Protection Manuela Cianfrone Bologna 29/10/2016 Speaker Manuela

Data Centric Security and Data Protection Manuela Cianfrone Bologna 29/10/2016 Speaker Manuela

Data Centric Security and Data Protection Manuela Cianfrone Bologna 29/10/2016 Speaker Manuela Cianfrone EMEA Solution Architect @ Protegrity USA Implement Data Centric Security Design Data Security Solutions Agenda Using Walls to

877 views • 34 slides
Data protection in the EU Area of Data protection in the EU Area of ection tection freedom,

Data protection in the EU Area of Data protection in the EU Area of ection tection freedom,

isor visor Superv Super Data protection in the EU Area of Data protection in the EU Area of ection tection freedom, security and justice under the Lisbon Treaty d th Li b T t ta Prot ta Pro ean Da an Da Bndicte Havelange

739 views • 10 slides
iOS Security Data protection January 17, Tokyo iOS Meetup What is? It is a feature to protect

iOS Security Data protection January 17, Tokyo iOS Meetup What is? It is a feature to protect

iOS Security Data protection January 17, Tokyo iOS Meetup What is? It is a feature to protect data at rest and to make offline attacks difficult. iOS 4 DATA PROTECTION 101

713 views • 60 slides
7642284v1 Countdown to GDPR General Data Protection Regulation - Regulation (EU) 2016/679

7642284v1 Countdown to GDPR General Data Protection Regulation - Regulation (EU) 2016/679

GDPR Is your Fund ready? Etain de Valera 21 st September 2017 7642284v1 Countdown to GDPR General Data Protection Regulation - Regulation (EU) 2016/679 Replaces existing data protection law in all member states on 25 May 2018 Designed to

807 views • 53 slides
Thing Description Recipes Linked Data & Semantic Processing TF F2F Meeting, 13.07.2017

Thing Description Recipes Linked Data & Semantic Processing TF F2F Meeting, 13.07.2017

Web of Things Thing Description Recipes Linked Data & Semantic Processing TF F2F Meeting, 13.07.2017 Dsseldrof Darko Anicic Thing Description Recipes (Darko, Koster, Aparna, Danh) Problem Statement How to easily enable thing

282 views • 11 slides
PROTECTION OF PERSONAL DATA IN SECURITY ALERT SHARING PLATFORMS Friday 1 st September, 2017

PROTECTION OF PERSONAL DATA IN SECURITY ALERT SHARING PLATFORMS Friday 1 st September, 2017

PROTECTION OF PERSONAL DATA IN SECURITY ALERT SHARING PLATFORMS Friday 1 st September, 2017 Martin Husk Vclav Stupka Martin Hork Introduction Collaborative Security Emerging trend in cyber security, popular among CSIRT/CERT teams,

335 views • 15 slides
SALE OF REA SALE OF READY-MADE BUSI MADE BUSINESS PRODUCT ESS PRODUCTION ON OF OF FURNITURE F

SALE OF REA SALE OF READY-MADE BUSI MADE BUSINESS PRODUCT ESS PRODUCTION ON OF OF FURNITURE F

SALE OF REA SALE OF READY-MADE BUSI MADE BUSINESS PRODUCT ESS PRODUCTION ON OF OF FURNITURE F FURNITURE FROM OM SOLID BE SOLID BEECH CH PROJECT DESCRIPTION Form: ready-made business Form Acquisition or corporatization of a company for

496 views • 16 slides
Is your company ready for GDPR? DPOrganizer is an online tool that helps you map, visualize,

Is your company ready for GDPR? DPOrganizer is an online tool that helps you map, visualize,

Data Protection Management Software Is your company ready for GDPR? DPOrganizer is an online tool that helps you map, visualize, report and manage your processing of personal data. GDPR dporganizer.com Data Protection Management Software

100 views • 6 slides
Social security data and indicators y Social security Social security covers all measures

Social security data and indicators y Social security Social security covers all measures

Social security data and indicators y Social security Social security covers all measures providing benefits, whether in p g f , cash or in kind, to secure protection, inter alia, from (a) lack of work-related income (or insufficient

608 views • 19 slides
PAN EUROPEAN ROUTINES FOR MASTER KEY SYSTEMS DATA PROTECTION September 2018 ARGE MKS DATA

PAN EUROPEAN ROUTINES FOR MASTER KEY SYSTEMS DATA PROTECTION September 2018 ARGE MKS DATA

September 2018 PAN EUROPEAN ROUTINES FOR MASTER KEY SYSTEMS DATA PROTECTION September 2018 ARGE MKS DATA PROTECTION INITIATIVE 1 September 2018 INTRODUCTION AND BACKGROUND Information Physical Security Security GDPR Compliance September

447 views • 15 slides
The BBQ KING! Tasty Creations. I love to BBQ I enjoy sharing my tasty recipes.

The BBQ KING! Tasty Creations. I love to BBQ I enjoy sharing my tasty recipes.

The BBQ KING! Tasty Creations. I love to BBQ I enjoy sharing my tasty recipes. www.bbqsecrets.ca The best BBQ Recipes Online Tasty BBQ Ribs Tasty Steak Chewy Chicken Beef Ka Bobs Melt In Your Mouth Meatloaf More Great Recipes Fish Cakes

325 views • 30 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Protection & Security Threat is potential security violation Attack is attempt to

Protection & Security Threat is potential security violation Attack is attempt to

CSE 421/521 - Operating Systems The Security Problem Fall 2011 Protecting your system resources, your files, identity, confidentiality, or privacy Lecture - XXVI Intruders (crackers) attempt to breach security Protection &

437 views • 5 slides
ENGN2219/COMP6719 Computer Architecture & Simulation Ramesh Sankaranarayana Semester 1, 2020

ENGN2219/COMP6719 Computer Architecture & Simulation Ramesh Sankaranarayana Semester 1, 2020

ENGN2219/COMP6719 Computer Architecture & Simulation Ramesh Sankaranarayana Semester 1, 2020 (based on original material by Ben Swit and Uwe Zimmer) 1 Week 11: Networks 2 Outline basic concepts 7-layer OSI model Examples: standard

780 views • 59 slides
A Hierarchical Characterization of a Live Streaming Media Workload Eveline Veloso Computer

A Hierarchical Characterization of a Live Streaming Media Workload Eveline Veloso Computer

A Hierarchical Characterization of a Live Streaming Media Workload Eveline Veloso Computer Science Department Virglio Almeida Federal University of Minas Gerais Wagner Meira Brazil Computer Science Department Azer Bestavros Boston

495 views • 20 slides
Authentication in real world: Kerberos, SSH and SSL Zheng Ma Apr 19, 2005 Where are we? After

Authentication in real world: Kerberos, SSH and SSL Zheng Ma Apr 19, 2005 Where are we? After

Authentication in real world: Kerberos, SSH and SSL Zheng Ma Apr 19, 2005 Where are we? After learning all the foundation of modern cryptography, we are ready to see some real world applications based on them. What happened when you

592 views • 33 slides
Networks Computer-Computer Comm CPU CPU CPU CPU Memory Device Device Memory Memory

Networks Computer-Computer Comm CPU CPU CPU CPU Memory Device Device Memory Memory

Networks Computer-Computer Comm CPU CPU CPU CPU Memory Device Device Memory Memory Device Device Memory Computer-Computer Comm CPU CPU CPU CPU Comm Comm Comm Comm Memory Memory Memory Memory Device Device Device Device

629 views • 36 slides
Bitwise 2 / ISAs (start) 1 Changelog Changes made in this version not seen in fjrst lecture: 4

Bitwise 2 / ISAs (start) 1 Changelog Changes made in this version not seen in fjrst lecture: 4

Bitwise 2 / ISAs (start) 1 Changelog Changes made in this version not seen in fjrst lecture: 4 Feb 2019: exercise (near end): replace abcdef with uvwxyz in exercise + explanation to make it more obviously not hexadecimal 1 last time C nits:

1k views • 83 slides
x86 architecture We will focus on the Pentium instruction set. Todays history lesson : a

x86 architecture We will focus on the Pentium instruction set. Todays history lesson : a

x86 architecture We will focus on the Pentium instruction set. Todays history lesson : a processor on a chip Approx. 10,000 transistors on a single chip gives enough circuitry for a processor on a chip. mid 1970s Favored entries in this

408 views • 25 slides
L1 -> x86_64 Simone Campanoni simonec@eecs.northwestern.edu Before we start We use

L1 -> x86_64 Simone Campanoni simonec@eecs.northwestern.edu Before we start We use

L1 -> x86_64 Simone Campanoni simonec@eecs.northwestern.edu Before we start We use AT&T assembly syntax For compatibility with GNU tools rdi += rsi AT&T: addq %rsi, %rdi Intel: addq %rdi, %rsi Outline Setup

743 views • 48 slides
Concurrency: Solving the Critical Section Problem 1 University of New Mexico Locks: The Basic

Concurrency: Solving the Critical Section Problem 1 University of New Mexico Locks: The Basic

University of New Mexico Concurrency: Solving the Critical Section Problem 1 University of New Mexico Locks: The Basic Idea Ensure that any critical section executes as if it were a single atomic instruction. An example: the canonical

206 views • 17 slides

More recommend