Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing the IoT - J On The Beach 2017

Ara
May 18, 2017
Programming
1
150

Securing the IoT - J On The Beach 2017

Most of the IoT devices are running a Linux distribution, but without a clear updates and/or security strategy.

In this talk we will go through some of the current problems the IoT devices are facing and tools and strategies we can use today to make the situation a bit better for new devices, while keeping our time to market optimized.

We will show some features in Linux and systemd that can help improving the security of these devices. We will also introduce snaps, a packaging format that helps distribute your application and install it isolated from the underlying system and from other applications; and Ubuntu Core, a small, transactional version of Ubuntu for IoT devices, based on snaps.

Ara

May 18, 2017
Tweet

More Decks by Ara

See All by Ara
Abrazando el cambio: Gobierno de Kubernetes como código con OPA y Gatekeeper
arapulido
0
36
Navigating the Sea of Local Kubernetes Clusters
arapulido
0
79
Observability For Serverless Workloads
arapulido
0
67
Cloud Services in Kubernetes - Discovering and Using Services with the Service Catalog and Kubeapps
arapulido
0
59
Telepresence - Seamless Development Environments in Kubernetes
arapulido
0
9.7k
Kubeless demo @ CNCF WG-Serverless meeting
arapulido
0
220

Other Decks in Programming

See All in Programming
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
360
Elm 0.19.0 Changes
bkuhlmann
0
490
VSCodeでのDatabricks開発もお勧めしたい/I would also recommend Databricks development with VSCode.
kazumain
0
250
単体テストを書かない技術 #phpcon_odawara
o0h
PRO
26
8.2k
大規模UIKitベースアプリへのTCAの段階的導入/gradual-adoption-of-tca-in-a-large-scale-uikit-based-app
takehilo
1
110
効率化に挑戦してみたらモバイル開発が少し快適になった話
ryunakayama
0
130
What We Can Learn From OSS
inouehi
0
420
エンターテイメント業界で利用されるAWS
demuyan
0
210
はてなにおける CSS Modules、及び CSS Modules に足りないもの / CSS Modules in Hatena, and CSS Modules missing parts
mizdra
7
920
ゆるい個人開発のススメ
kuroppe1819
10
990
Blue/Greenデプロイの導入による 運用フローの改善
kudoas
1
370
Rethinking UI building strategies @ SFI 2024
letelete
0
270

Featured

See All Featured
Designing for Performance
lara
601
67k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
20
1.9k
Writing Fast Ruby
sferik
621
60k
Debugging Ruby Performance
tmm1
70
11k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Building an army of robots
kneath
300
41k
A Tale of Four Properties
chriscoyier
151
22k
Fashionably flexible responsive web design (full day workshop)
malarkey
398
65k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
19
1.7k
BBQ
matthewcrist
80
8.8k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
2
1.3k

Transcript

  1. Securing the IoT Ara Pulido @arapulido J ON THE BEACH

    2017

  2. The mess we’re in 145K IoT devices against The Internet

  3. None

  4. The case for regulation

  5. root/root admin/admin

  6. Software updates (lack of)

  7. (and companies!) Short product lifespans

  8. 8B 20B (2017) (2020)

  9. What do we do?

  10. “things are going to get much worse before they get

    any better” - Matthew Garrett

  11. What do we do?

  12. Kernel live patching

  13. Systemd security

  14. [Unit] Description=crash report submission daemon [Service] Environment="CRASH_DB_URL=https://daisy.ubuntu.com" ExecStart=/usr/bin/whoopsie -f Restart=always

    [Install] WantedBy=multi-user.target

  15. PrivateTmp

  16. [Unit] Description=crash report submission daemon [Service] Environment="CRASH_DB_URL=https://daisy.ubuntu.com" ExecStart=/usr/bin/whoopsie -f Restart=always

    PrivateTmp=yes [Install] WantedBy=multi-user.target

  17. PrivateTmp ProtectHome

  18. [Unit] Description=crash report submission daemon [Service] Environment="CRASH_DB_URL=https://daisy.ubuntu.com" ExecStart=/usr/bin/whoopsie -f Restart=always

    ProtectHome=yes [Install] WantedBy=multi-user.target

  19. PrivateTmp ProtectHome SystemCallFilter

  20. [Unit] Description=crash report submission daemon [Service] Environment="CRASH_DB_URL=https://daisy.ubuntu.com" ExecStart=/usr/bin/whoopsie -f Restart=always

    SystemCallFilter=~clone [Install] WantedBy=multi-user.target

  21. Security Features in systemd (Lennart Poettering)

  22. Containers

  23. Snaps & Ubuntu Core

  24. Snaps Snaps are self-contained and isolated bin1 bin2 bin3 lib1

    lib2

  25. Each snap is mounted read-only with a writable area Transactional

  26. name: hello version: "2.10" summary: GNU Hello, the "hello world"

    snap description: GNU Hello prints a friendly greeting confinement: strict grade: stable apps: hello: command: hello parts: gnu-hello: plugin: autotools source: http://ftp.gnu.org/gnu/hello/hello-2.10.tar.gz

  27. AppArmor

  28. AppArmor Seccomp

  29. AppArmor Seccomp Namespaces

  30. AppArmor Seccomp Namespaces Control groups

  31. Relaxing confinement

  32. name: wget version: "1.19" summary: GNU wget, the wget snap

    description: Utility to download the contents of a URL confinement: strict grade: stable apps: wget-snap: command: wget parts: gnu-wget: plugin: autotools source: https://ftp.gnu.org/gnu/wget/wget-1.19.tar.gz

  33. Interfaces Interfaces define access to a resource Snaps offer them

    through slots

  34. name: wget version: "1.19" summary: GNU wget, the wget snap

    description: Utility to download the contents of a URL confinement: strict grade: stable apps: wget-snap: command: wget plugs: [network] parts: gnu-wget: plugin: autotools source: https://ftp.gnu.org/gnu/wget/wget-1.19.tar.gz

  35. Ubuntu Core

  36. None

  37. Security is our responsibility

  38. Thank you! Ara Pulido @arapulido https://gist.github.com/arapulido