During the presentation, speaker told his story of software protection to ensure the router's performance. He lead the participants through all the stages, from setting up a task to a Linux configuration and Kernel for security. He shared libraries and real examples of using security tools (SSL, ciphersuites, cgroups, tomoyo etc.) and suggest alternative tools. This presentation by Serhii Voloshynov (Senior Software Engineer, Consultant, GlobalLogic, Kharkiv) was delivered at GlobalLogic Kharkiv Embedded TechTalk #3 on November 16, 2018.

1. Confidential
How We Protected
Our Router
Presenters:
- Serhii Voloshynov
- Andrii Pientsov
November, 2018

2. Confidential
Agenda
1. About Speakers
2. Problem & Solution
3. Protection Levels
1. Digital Signatures
2. Secure connections
3. Cgroups
4. Tomoyo
4. Q&A

3. Confidential
About Speakers

4. Confidential
About Authors
Serhii and Andrii have more than 10
years of development experience.
Recently we implemented mission-
critical secure wireless gateway, and
plans to share experience of building
such systems.

5. Confidential
Problem and
Solution

6. Confidential
IoT growing - 26% up to 2023

7. Confidential
Mirai(2016)
BASHLITE(2014)
Darlloz(2013)
Wifatch(2014)

8. Confidential
4 September 2018
7.500+ MikroTik Routers
Are Forwarding Owners’
Traffic to the Attackers.
How is Yours?
blog.netlab.360.com

9. Confidential
...The botnet, which
included Smart TVs
and smart fridges,
delivered more than
750,000 malicious
emails.
https://bgr.com/2014/01/20/smart-tvs-fridge-hacked/

10. Confidential
Platform
- 400MHz 1 core CPU
- 128MB RAM /256MB Flash
- kernel 3.12.70
- WiFi/BT/ethernet/cellular
- GPS/LoRaWAN
- DNS-
DDNS/DHCP/WWW/SNMP/SMT
P/SMS
- ….

11. Confidential
Possible threats
- Non-genuine firmware
- Network attacks
- Malware
- Filesystem corruption

12. Confidential
Security model
- Perimeter defense
- Obstruction of infiltrator
- Intrusion alarm

13. Confidential
Three pillars
Security
DetectionProtection Response

14. Confidential
Non-genuine
Firmware

15. Confidential
Digital Signatures Firmware
Image Protection

16. Confidential
Network Attacks

17. Confidential
Network components
- Web server
- SSH
- VPN servers
- SNMP
- SMTP
- DHCP
- DNS
- ….

18. Confidential
Secure connections - SSL/TLS
- The connection is private (or secure) because symmetric
cryptography is used to encrypt the data transmitted.
- The identity of the communicating parties can be
authenticated using public-key cryptography.
- The connection is reliable because each message
transmitted includes a message integrity check using a
message authentication code to prevent undetected loss
or alteration of the data during transmission.

19. Confidential
Connections - best practices
- Remove default user/account. Use strong passwords
- Use Secure Protocols
- Use Secure Ciphers
- Use proper versions of 3rd party components
- Use proper settings, for instance
https://community.openvpn.net/openvpn/wiki/Hardening
https://raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html

20. Confidential
Mirai
….By the end of its first day, Mirai had
infected over 65,000 IoT devices.
At its peak in November 2016 Mirai had
infected over 600,000 IoT devices.

21. Confidential
Network components - scan results
ç√

22. Confidential
Malware

23. Confidential
Control Groups (cgroups)
Cgroups (abbreviated from control groups) is a
Linux kernel feature that limits, accounts for, and
isolates the resource usage (CPU, memory, disk I/O,
network, etc.) of a collection of processes.
The control groups functionality was merged into
the Linux kernel mainline in kernel version 2.6.24,
which was released in January 2008.

24. Confidential
cgroups subsystems
● blkio
● cpu
● cpuacct
● cpuset
● devices
● freezer
● memory

25. Confidential
Tomoyo
Tomoyo Linux is a MAC implementation for Linux
that can be used to increase the security of a
system, while also being useful purely as a
systems analysis tool. It was launched in March
2003.
Tomoyo was merged in Linux Kernel mainline
version 2.6.30 It is currently one of four standard
Linux Security Modules (LSM), along with
SELinux, AppArmor and SMACK.

26. Confidential
Tomoyo Principles
In an operating system (OS), each program or
process is mostly unrestricted in the tasks that
they are able to perform.
A security focused OS should implement some
form of restriction that prevents a process from
performing tasks that they should not perform, or
that the administrator specifically wants to
prevent them from performing.

27. Confidential
Lampson’s Access Matrix
Object 1 Object 2 Object 3 ...
Process 1 Read Read Write
Process 2 Read
Process 3 Write

28. Confidential
Tomoyo Principles - domains
Every process in a system belongs to
a domain, which is determined by its
execution history.
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

29. Confidential
Tomoyo Principles - Profiles
Profile 2
Permit requests even if
not permitted by policy
Profile 0
Permit requests
Profile 3
Reject requests unless
permitted by policy
Profile 1
Permit requests after
appending to policy

30. Confidential
Sample of Policy
<kernel> /usr/sbin/openvpn
use_profile 3
file read /run/openvpn_*.conf
network unix dgram send /dev/log
file create /run/openvpn_*.status 0600
file write/truncate /run/openvpn_*.status
file read /run/resolv.conf
file read /etc/nsswitch.conf
file read /etc/host.conf
…...

31. Confidential
Useful Links
- https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
- RedHat cgroup manual https://access.redhat.com/documentation/en-
us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01
- Настольная книга по Linux/Cgroups — Викиучебник
- https://en.wikipedia.org/wiki/Cgroups
- TOMOYO Linux 2.5.x : The Official Guide https://tomoyo.osdn.jp/2.5/index.html.en

32. Confidential
Thank You
Q&A