Embedded Framework and C-Based Toolchain Hardening

When configuring firmware builds, limit BusyBox, embedded frameworks, and toolchains to only the libraries and functions actually in use. Embedded Linux build systems such as Buildroot, Yocto and others typically perform this task. Removing known insecure libraries and protocols such as Telnet not only minimizes attack entry points in firmware builds, but also provides a secure-by-design approach to building software that helps thwart potential security threats.

Hardening a library example: Compression is known to be insecure (amongst others), as are SSLv2, SSLv3, and early versions of TLS. In addition, suppose you don't use hardware and engines, and only allow static linking. Given that knowledge and those specifications, you would configure the OpenSSL library as follows:

$ Configure darwin64-x86_64-cc -no-hw -no-engine -no-comp -no-shared -no-dso -no-ssl2 -no-ssl3 --openssldir=

Selecting one shell example: Using Buildroot, the screenshot below demonstrates only one shell being enabled, bash. (Note: Buildroot examples are shown below, but the same configuration can be accomplished with other embedded Linux build systems.)

Hardening services example: The screenshot below shows openssh enabled but not the FTP daemons proftpd and pure-ftpd. Only enable FTP if TLS is to be utilized. Both proftpd and pure-ftpd require custom compilation to use TLS: build proftpd with mod_tls, and pass --with-tls to ./configure for pure-ftpd.

Considerations (Disclaimer: The list below is non-exhaustive):

  • Ensure services such as SSH have a secure password created.
  • Remove unused language interpreters such as: perl, python, lua.
  • Remove dead code from unused library functions.
  • Remove unused shell interpreters such as: ash, dash, zsh.
    • Review /etc/shells
  • Remove legacy insecure daemons, which include but are not limited to: Telnet, FTP, TFTP.
  • Utilize tools such as Lynis for hardening auditing and suggestions.

    • wget https://github.com/CISOfy/lynis/archive/master.zip && unzip master.zip && cd lynis-master/ && bash lynis audit system
    • Review the report in: /var/log/lynis.log
  • Perform iterative threat model exercises with developers as well as relevant stakeholders on software running on the embedded device.
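
One way to check an unpacked root filesystem against the shell, daemon and interpreter considerations above, as an added example that is not part of the original page or of any build system. The function names, the list of binary names and the sample tree are assumptions; with Buildroot the unpacked tree is typically output/target.

```shell
#!/bin/sh
# Added example (not OWASP or Buildroot code): audit an unpacked firmware
# root filesystem for extra shells, legacy daemons and unused interpreters.

# audit_rootfs ROOT ALLOWED_SHELL
# Prints one "FINDING: ..." line per issue; returns 1 if anything was found.
audit_rootfs() {
    root=$1; allowed=$2; found=0

    # Shells registered in etc/shells other than the one chosen for the build.
    if [ -f "$root/etc/shells" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in ''|'#'*) continue ;; esac
            if [ "${line##*/}" != "$allowed" ]; then
                echo "FINDING: extra shell $line"; found=1
            fi
        done < "$root/etc/shells"
    fi

    # Legacy daemons and interpreters. -L also catches BusyBox applet symlinks
    # whose absolute target dangles once the image is unpacked on a host.
    for name in telnetd ftpd tftpd proftpd pure-ftpd perl python python3 lua; do
        for dir in bin sbin usr/bin usr/sbin; do
            p="$root/$dir/$name"
            if [ -e "$p" ] || [ -L "$p" ]; then
                echo "FINDING: unwanted binary /$dir/$name"; found=1
            fi
        done
    done
    return "$found"
}

# make_sample_rootfs: constructed sample tree (not a real image); prints its path.
make_sample_rootfs() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/bin" "$d/usr/sbin" "$d/usr/bin"
    printf '# constructed sample\n/bin/bash\n/bin/ash\n' > "$d/etc/shells"
    : > "$d/bin/bash"
    ln -s /bin/busybox "$d/usr/sbin/telnetd"   # dangling applet link
    : > "$d/usr/bin/lua"
    echo "$d"
}

# Stand-alone use: sh audit.sh <rootfs-dir> <allowed-shell>
if [ "$#" -ge 2 ]; then
    audit_rootfs "$1" "$2"
fi
```

A non-zero exit status makes the function usable as a gate in a post-build script, so an image that regains Telnet or a second shell fails the build instead of shipping.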
