Place: TBD
Advanced Embedded Systems Security
Hardening and Securing your Embedded Linux
The security of embedded systems is important today and will be even more so in the future.
Linux is dominant as an operating system for embedded devices. Even if there is no great ‘attack’ interest in the device itself, the embedded device can be a gateway for malware to access other systems.
In this course, you will learn to identify your Linux device’s security weaknesses and risks, and to take the necessary countermeasures to avoid threats.
You will learn techniques to harden the Linux kernel and network interfaces to withstand attacks that spread across networks.
Objectives:
• Learn the basics of embedded Linux security.
• Understand the Linux threat model.
• Discover the features in the Linux kernel that harden security.
• Understand Linux Security Modules.
• Learn how sandboxing can harden your system’s security.
Course Format and how online training works:
• Online course, 3 days, 6 hours each (excluding break time), 18 hours in total.
• The course is delivered using the Teams video-conferencing system.
• The training includes many hands-on exercises.
• The trainee receives the course material in PDF format before the training.
• Labs are conducted on QEMU ARM-based boards.
• The trainee connects to the training platform using a web browser, without having to install any tools.
• The trainee has access to all the tools needed to perform the hands-on labs on a target board, as in face-to-face training.
Prerequisites:
• C Language knowledge
• Secured Embedded Linux Platform Build
For in-house training the agenda can be adapted to your needs. Please ask!
Defining the threat model for embedded Linux
• Potential security risks to an embedded system
• Threat model for embedded Linux
– Identifying Assets and Threats
– Understanding Attack Vectors
– Identifying Security Weaknesses and Risks
– Analyzing Threats and Evaluating Impact
– Countermeasures and Threat Mitigation
• Reducing Attack Surface
• Common Linux Vulnerabilities
• Vulnerable Linux tools
• Check for known vulnerabilities
Basic security features in Linux
• User and Group Management
• File Permissions and Ownership
– Restrict access to sensitive information
– Limit public access to system files
• Adjusting Systems Services
• Input Validation and Improper Input Handling
– Overview of Input Validation and Its Importance
– Input Validation Techniques
– Preventing and Mitigating Input-Related Attacks
• Stack buffer overflow
– Understanding the impact and techniques for mitigating
– Enabling stack protection mechanisms in the Linux kernel
– Address Space Layout Randomization (ASLR)
– Preventing Stack-based Attacks through code review
Privilege Escalation
• Privilege Escalation Attack Vectors
• Horizontal and Vertical Privilege Escalation
• Exploiting SUID executables
• Escalating privileges through misconfigured services
• Multi-User Escalation
• Buffer overflow attacks
• Mitigating privilege escalation attacks
• Best practices for preventing privilege escalation
Network Hardening
• Network Security Overview
• Securing SSH
• Encrypting network traffic
• Using SSL/TLS certificates
• Virtual Private Network (VPN)
• Wireless Network Security
• Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
• Firewall on Linux
– Types of firewalls available in Linux
– Configuring firewall using iptables, firewalld or nftables
Advanced security features in Linux
• Restricting System Calls in Linux
– Introduction to system call restrictions
– Understanding the purpose and benefits of restricting system calls
– How to use seccomp to restrict system calls in Linux
– Analyzing the impact of system call restrictions on application functionality
– seccomp limitations
– Best practices for creating a system call whitelist
– Systemd system call filtering
• Enhancing Security with Capabilities
– Overview of capabilities in Linux
– Understanding the significance of privilege separation in Linux
– The different types of capabilities
– Capability Commands
– File System Capabilities
– Implementing file system capabilities
– Protecting SUID executables
– Enhancing the security of Daemons
– Setting default capabilities for newly created processes
– Case studies and real-world examples
Hardening the Linux Kernel
• Methods to harden the Linux Kernel
• Custom kernel configuration
• Kernel hardening options
• Kernel Self-Protection
• Disabling unnecessary services
• Limiting the available memory resources
Linux Security Modules (LSMs)
• Introduction to Linux Security Modules (LSMs)
– Overview of LSMs and their purpose
– Types of LSMs available in Linux
– Understanding the Linux security model
• Access permissions
– Discretionary Access Control (DAC)
– Mandatory Access Control (MAC)
– Overview of the concepts, goals and principles of MAC security models
– MAC Models
– Implementation of MAC
– Access Control Lists (ACLs)
– Role-Based Access Control (RBAC)
– Label-Based Access Control (LBAC)
– Managing MAC in a Multi-user Environment
– DAC vs MAC
Security Enhanced Linux (SELinux)
• Overview of SELinux and its purpose
• Enable SELinux
• Architecture and Components
• SELinux Contexts and Labels
• Benefits of using SELinux
• SELinux policies
– Understanding SELinux Policies
– Creating and managing SELinux policies
– SELinux policy structure and language
• Enforcing, Permissive, and Disabled Modes
• User, Role, and Type Components
• Defining Custom Domain Types
• SELinux Boolean Values
• SELinux Auditing and Logging
• Troubleshooting SELinux
• Advanced SELinux Configuration
– Managing SELinux Port Contexts
– Configuring SELinux for systemd Services
– Managing SELinux for Containers
Application signing in Linux
• Signing packages for package managers
• Gnu Privacy Guard (GnuPG)
• Integrity Measurement Architecture (IMA)
• The Extended Verification Module (EVM)
• evmctl tool
Sandboxing
• Overview of Sandboxing and its Importance
• Understanding the Concept of Isolation and Resource Control
• Control Groups (cgroups)
• Chroot and its Security Benefits
• Containerization with LXC (Linux Containers)
– Securing Application and Daemons with LXC
• Docker and its Security Features
• Exploring Namespaces in Linux
• Firejail overview
Testing, Logging and Auditing
• Scanning the Linux system
– Scanning for known malware
• Linux auditing and monitoring tools
• Reviewing Logs for Suspicious Activity
• Retention policies and archiving logs
• Keeping logs secure and protected against tampering or deletion