Twitter
Home Blog Page 554

Pros and Cons of System Update and Integrity Protection Schemes

By
Eric Brown
-

Given the increasing malware attacks against Linux-based IoT devices, there is growing interest in integrity protection schemes, as well as system update mechanisms that support over-the-air (OTA) field upgrades. At the recent Embedded Linux Conference, Patrick Ohly, a software engineer at Intel GmbH, Germany, who works on the Yocto Project and the IoT Reference OS Kit for Intel(r) architecture, surveyed both topics and explained how they interrelate.

With attacks on the rise, embedded developers need a combination of proactive hardening with integrity protection schemes and regular system updates, among other security precautions. “Integrity protection ensures that your device only runs software that has been verified to be unmodified,” said Ohly. “But you can’t count on catching everything in advance, and there will be new vulnerabilities and attack methods, so that’s why you need system updates.”

The bulk of Ohly’s talk explored the pros and cons of update and protection schemes available for Yocto/OpenEmbedded. Ohly is the maintainer of meta-integrity and meta-swupd — two layers that make the Linux Integrity Measurement Architecture (IMA) integrity protection scheme and the Clear Linux OS swupd update mechanism available on Yocto/OE. The experience has led him to see the benefits of swupd, as well as the problems with IMA.

Ohly explained the differences between block-based (swupdate, Mender.io) and file-based (swupd, OSTree) system update mechanisms. He then compared three integrity protection schemes: IMA with Extended Verification Module (EVM), or IMA/EVM, as well as whole-disk encryption with per-machine secret key, and dm-verity.

One’s choice of system update mechanism can affect the choice of integrity protection scheme. IMA/EVM works only with the file-based swupd and OSTree while dm-verity works only with the block-based Mender.io and swupdate. Whole disk encryption, meanwhile, works with all four. Although this talk is specific to Yocto, all but these components can work with other embedded Linux environments, with the possible exception of the more Yocto-specific swupdate.

Toward the end of the talk, Ohly detailed a recent project in which he took dm-verity and integrated it with whole-disk encryption into the IoT Refkit. “We are trying to use this to extend Yocto to additional use cases,” he said. Here, we only briefly reference the project, which involves integrating LUKS (Linux Unified Key Setup) and finessing QEMU to properly emulate TPM. If you’re interested, the discussion begins about 33 minutes into the 51-minute talk.

System update pros and cons

Before comparing the system update schemes available to Yocto/OE developers, Ohly noted that “they all have pros and cons, and in some cases, need further work.” The first decision is whether to with a block-based or file-based mechanism. Block-based schemes like swupdate and Mender.io have fixed partition sizes. This means “you can’t have an update stream that is supplied to different devices with different hard disks because they have to be partitioned the same way,” said Ohly. File-based mechanisms like swupd and OSTree “make it easier to support a variety of devices,” he added.

In addition, updating selected files instead of entire partitions is a lot faster. “Swupd in particular works really hard to do the minimal amount of work for updates,” said Ohly.

The two file-based mechanisms have further differences. “OSTree creates an alternative tree using hard-linking, and then during reboot it switches over to a new root,” said Ohly. “It’s a bit more atomic than swupd, but it still needs a writable root file system.”

Another point of comparison lies in partition layout. A single partition approach is the default mode for OSTree and swupd, and is supported by swupdate. Mender.io, by contrast, requires an A/B setup in which you have both a live partition and a standby partition. The A/B approach lets you override the standby partition, and after rebooting, switch to the other partition.

“Having a second partition is nice if you get file system corruption,” said Ohly. A/B partitioning is optional on swupdate, and is possible on OSTree and swupd, although it would require a lot more work, he added.

Other issues concern the integration with boot process. “If you have an A/B setup, how do you choose which partition to boot into?” said Ohly. “Can a hacker force us to boot into something we don’t want?” To address this, the mechanisms that currently support A/B setup rely on the U-Boot bootloader and set U-Boot variables, which must be stored by the hardware such that an attacker cannot tamper with them.

One’s choice of update mechanism can affect integration with an OTA update server. “If you have many devices you might want to update a subset, which depends on detecting which devices are currently checking for an update,” said Ohly.

Swupd and OSTree require that clients pull updates anonymously, so they would need additional telemetry to check update status. By comparison, Mender.io offers a dedicated update server. “This allows you to do real device management, so you know if a device has updated,” said Ohly. Swupdate, meanwhile, supports hawkBit, which does something similar.

Integrity protection pros and cons

Ohly went on to compare three integrity protection schemes: IMA/EVM, whole disk encryption, and dm-verity. In a previous project with the Yocto-based Ostro Project, Ohly used IVA/EVM, which like dm-verity is now baked into the Linux kernel. He had a lot of trouble making IVA/EVM more secure, however.

“I concluded that IVA/EVM is not yet ready for production,” said Ohly. When allowing to write files, there’s an increased risk that files become unreadable after a sudden power loss. IMA relies on hashing the modified file content after writing and verifies the checksum when opening a file again. This rehashing only happens on ‘close()’, which isn’t called by long-running processes that keep an sqlite database open. Even when rehashing happens, the checksum and the actual data are not necessarily written to disk together.”

Another problem with IMA/EVM is its lack of directory protection. “There are known attacks because IMA/EVM doesn’t protect the integrity of a directory,” said Ohly. “That allows an attacker to remove a configuration file and replace it with a link to something unprotected. There have been patches to address this, but they have not yet been merged.”

By comparison, the whole disk encryption with per-machine secret key technique “is a lot more mature” than IMA/EVM, said Ohly. With whole disk, when a device is turned off, a malicious hacker sees only “garbage” in the partition, he added. “If the intruder lacks access to the secret key and tries to modify the partition, once the device boots up again, some blocks will be completely modified, so there’s no way to do dedicated file editing.”

Whole disk encryption works great on laptops, but in the embedded realm, the scheme poses the tricky challenge of how to securely store the encryption key. “On a laptop, the user types in something, or plugs in a USB stick, but that doesn’t work in embedded,” said Ohly.

Ohly’s code for the IoT Ref Kit adds an extra layer of security for whole disk encryption by using a Trusted Platform Module (TPM) to store the secret key. “It’s not a perfect solution since someone still has the device with the key in their hands, but it’s a bit more secure than just dumping the key on the hard disk,” said Ohly. “When you combine that with the secure boot, you make it very hard for an attacker to get the key.”

Finally, Ohly examined dm-verity, which was originally designed for Chrome OS, and is supported by Android. Unlike the other schemes, dm-verity won’t let you write to and modify files. The mechanism verifies the integrity of each block in a read-only partition so that any modifications immediately lead to a read error.

“The advantage of dm-verity over whole disk encryption is that you get a really specific read error saying this block is unreadable,” said Ohly. One side benefit is its ability to detect if a USB stick is corrupted. “It’s a common problem,” said Ohly. “You flash something and it doesn’t work, and it turns out to be a bit flip on the USB stick.”

Finally, if you’re wondering why Ohly is wearing a Santa Claus hat, be advised that it’s rather “a genuine dwarf hat from the coal mines of the Black Forest.” The hat reminds Ohly that much of his work is based on existing open source code. “I feel like I’m a dwarf standing on the shoulders of giants,” he said.

Ohly removed the hat, however, when discussing the aspects of the IoT Refkit solution that he wrote himself. “It’s getting kind of hot in here,” he added.

The full video is available below:

https://www.youtube.com/watch?v=N8V0W0p3YBU?list=PLbzoR-pLrL6pSlkQDW7RpnNLuxPq6WVUR

Connect with the Linux community at Open Source Summit North America on September 11-13. Linux.com readers can register now with the discount code, LINUXRD5, for 5% off the all-access attendee registration price. Register now to save over $300!

Improve Your Online Security with Tails

By
Carla Schroder
-

The popular image of online dangers is scary bad guys trying to steal our stuff. This image is accurate if you remember to include unfettered corporate interests as the scary bad guys.

Our protections against our good friends the telcos and cable companies have never been strong, and now they’re nearly non-existent. Repealing Broadband Privacy Rules, Congress Sides with the Cable and Telephone Industry sums it up beautifully: “Internet providers will be given new powers to harvest your personal information in extraordinarily creepy ways.” And buy and sell it with no oversight or accountability, and law enforcement will get their hands on it as surely as road apples draw flies.

What can we do about it? I believe that the best solution is legislative. I prefer technical solutions for protecting ourselves from hostile and predatory interests, but there aren’t many, and they’re incomplete. Internet access is a requirement for many routine aspects of our daily lives, and even if you avoid going online you have no knowledge or control of the information the vendors and service providers that you use are collecting and trading, or what people share about you on social media. Stores, electric and gas utilities, healthcare providers, tradespeople, private clubs, non-profit organizations, charitable groups, banks, insurance companies, and on and on. They all collect information about you, and many trade it freely. Of course, it’s not fair to assume that everyone is venal, but even when a vendor has a heart of gold they may be lacking in technical competence.

Don’t hold your breath waiting for meaningful laws to protect us. What can you do? You can secure your online communications and your web surfing to a degree with Tails, the forgetful Linux distribution. We’ll get back to this after a brief rant about “helpful” web browsers.

“Helpful” Web Browsers

The good nerds behind Firefox and Chrome try so hard to help us, and the harder they try the more annoying they become. First there were the nice discreet little color-coded padlocks in the URL bar (Figure 1).

Figure 1: Secure connection.

I like those. They don’t get in the way, and they tell useful information. Useful, that is, if you have any idea what it all means. And even if you do, how do you know you can rely on it? Root certificate authorities have been hacked multiple times, including bigwigs Verisign and Microsoft.

Then Firefox and Chrome got downright hysterical, and make us jump through multiple hoops to enter sites they think are dangerous. Sometimes these warnings are useful, for example when a site is infected with malware, or has been hijacked. Most of the time they’re simply not SSL-enabled, and then we see something like Figure 2.

Figure 2: Connection not secure.

I appreciate the effort, but there is already excessive noise in normal computer use, and we are continually swatting away unhelpful notifications and warnings like annoying gnats. Many of these SSL defects are technicalities, like the domain name is not exactly correct. It’s all nutty anyway, because most of us are not security experts and have no idea how to evaluate if these warnings are meaningful.

Hide Yourself With Tails

Tails, the Amnesic Incognito Live System, is a nice live Linux distro that runs from removable media, like a USB stick, SD card, or DVD. Tails bundles a number of privacy tools into a polished Debian-based distro, including Tor (the Onion Router), HTTPS Everywhere, tools for controlling what information the Iceweasel web browser retains, NoScript, and other useful privacy tools.

To use Tails simply boot your Tails media. All the apps bundled in Tails are configured to route your traffic through Tor: email, Web surfing, instant messaging, the works. Tor foils traffic analysis by routing your online sessions through relays all over the world to hide your physical location, and to separate your identity from your online activities. Foiling traffic analysis is a substantial benefit, because marketers and government snoops rely on sophisticated traffic analysis to connect your identity to your online activities. You might have noticed how smartphones apps are especially greedy for your physical location; use the Tails Android app, Orbot. There is not a Tails app for iOS, but there is a Tor app for iOS.

Tor encrypts your session and hides your backtrail inside the Tor network of routers. After it leaves an exit node it’s back to whatever state it was when it left your computer, so if you’re surfing in the clear then it comes out in the clear. Encrypting your online sessions end-to-end is a separate problem, and Tails comes with a full complement of encryption tools: HTTP Everywhere to force SSL on sites that use SSL, OpenPGP for encrypting and digitally signing emails and documents, LUKS for disk encryption, OTR for instant messaging, and Nautilus Wipe for secure file deletion.

Tails leaves no trace; it makes no changes to the host system. When you’re finished reboot and it’s as though you were never there. If you need persistent storage you can copy files to a USB stick, or enable persistent storage on your Tails USB stick or SD card.

The downside of Tails is that Tor is often slow. For us fortunate ones, this is an inconvenience. For many people, it is a small price to pay for a literal life-saver.

Another hurdle is downloading and installing it onto removable media, which is an easy task when you know how. Fortunately the good Tails people have written a top-quality howto that walks you through every step, and provides excellent copy-and-paste commands, so that even a novice should be able to set it up.

Trust?

In preparation for this article, I followed the Tails installation instructions and created a brand-new Tails USB stick. You might notice the same thing I did: It still comes down to trusting unknown people, the Debian maintainers, the maintainers of the Tails downloads, various distro maintainers, the GPG signing keys, the Tails web site… we still have to place our trust in somebody.

Additional Reading

Learn more about Linux through the free “Introduction to Linux” course from The Linux Foundation and edX.

The Future of Big Data: Distilling Less Knowledge Per Bit

By
IEEE Spectrum
-

Until recently, the word data didn’t require a modifier. But we passed a watershed moment when we started referring to big data. Apparently, that wasn’t a sufficient description for some chunks of data, because people grasped for bolder terms, such as humongous data. Sadly, now, it appears that we have run out of appropriate adjectives. And yet data keeps getting bigger and bigger.

So instead of mentioning data, people have begun waving their hands and talking vaguely about the “cloud.” This seems to be the perfect metaphor—a mystical vapor hanging over Earth, occasionally raining information on the parched recipients below. It is both unknowable and all-knowing. It answers all questions, if only we know how to interpret those answers.

Read more at IEEE Spectrum

Supply Chain Case Study: Canonical and Ubuntu

By
Open Source Entrepreneur Network
-

I love talking about supply chain management in an open source software context, especially as it applies to managing collaborative processes between upstream projects and their downstream products. In the article linked above, I called out a couple of examples of supply chain management: an enterprise OpenStack distribution and a container management product utilizing Kubernetes and Docker for upstream platforms.

What about anti-patterns or things to avoid? There are several we could call out. At the risk of picking on someone I like, I’ll choose Canonical simply because they’ve been in the headlines recently for changes they’ve made to their organization, cutting back on some efforts and laying off some people. As I look at Canonical from a product offering perspective, there’s a lot they got right, which others could benefit from. But they also made many mistakes, some of which could have been avoided. First, the good.

Read more at OSEN

How to Restore Deleted /tmp Directory in Linux

By
Tecmint
-

The /tmp directory contains mostly files that are required temporarily, it is used by different programs to create lock files and for temporary storage of data. Many of these files are important for currently running programs and deleting them may result in a system crash.

On all if not most Linux systems, the contents of the /tmp directory are deleted (cleared out) at boot time or at shutdown by the local system. This is a standard procedure for system administration, to reduce the amount of storage space used (typically, on a disk drive).

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Read more at Tecmint

How Kubernetes Is Making Contributing Easy

By
OpenSource.com
-

As the program manager of the Kubernetes community at Google, Sarah Novotny has years of experience in open source communities including MySQL and NGINX. Sarah sat down with me at CloudNativeCon in Berlin at the end of March to discuss both the Kubernetes community and open source communities more broadly.

Among the topics we covered in the podcast were the challenges inherent in shifting from a company-led project to a community-led one, principles that can lead to more successful communities, and how to structure decision-making.

Read more at OpenSource.com

Announcing Linkerd 1.0

By
Buoyant Blog
-

Today, we’re thrilled to announce Linkerd version 1.0. A little more than one year from our initial launch, Linkerd is part of the Cloud Native Computing Foundation and has a thriving community of contributors and users. Adopters range from startups like Monzo, which is disrupting the UK banking industry, to high scale Internet companies like PaypalTicketmaster, and Credit Karma, to companies that have been in business for hundreds of years like Houghton Mifflin Harcourt.

A 1.0 release is a meaningful milestone for any open source project. In our case, it’s a recognition that we’ve hit a stable set of features that our users depend on to handle their most critical production traffic. It also signals a commitment to limiting breaking configuration changes moving forward.

Read more at Buoyant.io

How to Run NGINX as a Docker Container

By
Tech Republic
-

Using Docker containers makes for an incredibly easy way to roll out apps and services onto your network. With this, you can extend the offerings of your business or quickly test a new server or service. With these apps as containers, it becomes possible to cut down on sysadmin overhead, thanks to no longer having to manage applications through package managers or installing from source. By installing the likes of NGINX as a Docker container, you can simply replace the image when new updates arrive.

But how do you deploy NGINX as a Docker container? Let me walk you through the process. I will demonstrate on Ubuntu 16.04 and will assume you already have docker installed and ready to go.

Read more at Tech Republic

Tales of a Chef Workflow: Cookbook Organization and Maintenance

By
dnsimple
-

In this post I want to cover a few small tips and lessons learned from working with Chef for about 5 years now. The last 3 years at DNSimple have helped further shape my personal opinions on organization of Chef cookbooks workflows. What follows is how we do things at DNSimple and not the one and only way to do things with Chef. One of Chef’s greatest strengths is its flexibility, however it can also be a challenge for Chef developers of any skill level.

Naming things

They say the 2 hardest problems in computer science are naming things, cache invalidation, and off by one errors.

Read more at dnsimple

Free Webinar on Starting a Collaborative Open Source Project

By
The Linux Foundation
-

Starting a collaborative open source software project involves more than a great idea and the code to get it going. Much of the work involves deciding how you want your community of developers to build and evolve the code. But there’s no need to be intimidated by the process. This upcoming free webinar — from Capital One and The Linux Foundation — will provide the necessary information to get your open source project underway with proven best practices.

In this webinar, The Linux Foundation’s Mike Dolan, VP of Strategic Programs, and Scott Nicholas, Sr. Director of Strategic Programs, will outline important steps to get your project going and keep it on track for success.

You’ll learn how to:

  • Set up your decision making model

  • Understand and clearly document your licensing policy

  • Create a trademark and usage policy that fits your code

  • Successfully contribute to existing open source projects

The “Best Practices for Starting an Open Source Project” webinar will be held Wednesday, May 3, at 2:00 PM Eastern time. Register now!

Mike Dolan is VP of Strategic Programs responsible for Collaborative Projects and Legal Programs at The Linux Foundation. Mr. Dolan has set up and launched dozens of open source and open standards projects covering technology segments including networking, virtualization, cloud, blockchain, Internet of Things, Big Data and analytics, security, containers, storage and embedded devices.

Scott Nicholas is Sr. Director of Strategic Programs for The Linux Foundation. Scott assists in the launch and support of open source projects and contributes to the foundation’s legal programs. Scott has set up numerous collaborative projects across the technology stack. Scott assists in the execution of The Linux Foundation’s annual Legal Summit and other legal programs.

1...553554555...10,742Page 554 of 10,742