Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing the IoT - J On The Beach 2017

Ara
May 18, 2017
Programming
1
150

Securing the IoT - J On The Beach 2017

Most of the IoT devices are running a Linux distribution, but without a clear updates and/or security strategy.

In this talk we will go through some of the current problems the IoT devices are facing and tools and strategies we can use today to make the situation a bit better for new devices, while keeping our time to market optimized.

We will show some features in Linux and systemd that can help improving the security of these devices. We will also introduce snaps, a packaging format that helps distribute your application and install it isolated from the underlying system and from other applications; and Ubuntu Core, a small, transactional version of Ubuntu for IoT devices, based on snaps.

Ara

May 18, 2017
Tweet

More Decks by Ara

See All by Ara
CloudConf Italy - A Tale of Tail Latency
arapulido
0
39
Abrazando el cambio: Gobierno de Kubernetes como código con OPA y Gatekeeper
arapulido
0
55
Navigating the Sea of Local Kubernetes Clusters
arapulido
0
88
Observability For Serverless Workloads
arapulido
0
71
Cloud Services in Kubernetes - Discovering and Using Services with the Service Catalog and Kubeapps
arapulido
0
73
Telepresence - Seamless Development Environments in Kubernetes
arapulido
0
10k
Kubeless demo @ CNCF WG-Serverless meeting
arapulido
0
270

Other Decks in Programming

See All in Programming
AI時代におけるSRE、
あるいはエンジニアの生存戦略
pyama86
6
1.1k
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
870
Macとオーディオ再生 2024/11/02
yusukeito
0
370
AWS Lambdaから始まった
Serverlessの「熱」とキャリアパス / It started with AWS Lambda Serverless “fever” and career path
seike460
PRO
1
250
EventSourcingの理想と現実
wenas
6
2.3k
ヤプリ新卒SREの オンボーディング
masaki12
0
130
CSC509 Lecture 09
javiergs
PRO
0
140
弊社の「意識チョット低いアーキテクチャ」10選
texmeijin
5
24k
Tauriでネイティブアプリを作りたい
tsucchinoko
0
370
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
860
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
9
3.3k
詳細解説! ArrayListの仕組みと実装
yujisoftware
0
580

Featured

See All Featured
KATA
mclloyd
29
14k
Rails Girls Zürich Keynote
gr2m
94
13k
Six Lessons from altMBA
skipperchong
27
3.5k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
Raft: Consensus for Rubyists
vanstee
136
6.6k
Optimizing for Happiness
mojombo
376
70k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.8k
Adopting Sorbet at Scale
ufuk
73
9.1k
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k

Transcript

  1. Securing the IoT Ara Pulido @arapulido J ON THE BEACH

    2017

  2. The mess we’re in 145K IoT devices against The Internet

  3. None

  4. The case for regulation

  5. root/root admin/admin

  6. Software updates (lack of)

  7. (and companies!) Short product lifespans

  8. 8B 20B (2017) (2020)

  9. What do we do?

  10. “things are going to get much worse before they get

    any better” - Matthew Garrett

  11. What do we do?

  12. Kernel live patching

  13. Systemd security

  14. [Unit] Description=crash report submission daemon [Service] Environment="CRASH_DB_URL=https://daisy.ubuntu.com" ExecStart=/usr/bin/whoopsie -f Restart=always

    [Install] WantedBy=multi-user.target

  15. PrivateTmp

  16. [Unit] Description=crash report submission daemon [Service] Environment="CRASH_DB_URL=https://daisy.ubuntu.com" ExecStart=/usr/bin/whoopsie -f Restart=always

    PrivateTmp=yes [Install] WantedBy=multi-user.target

  17. PrivateTmp ProtectHome

  18. [Unit] Description=crash report submission daemon [Service] Environment="CRASH_DB_URL=https://daisy.ubuntu.com" ExecStart=/usr/bin/whoopsie -f Restart=always

    ProtectHome=yes [Install] WantedBy=multi-user.target

  19. PrivateTmp ProtectHome SystemCallFilter

  20. [Unit] Description=crash report submission daemon [Service] Environment="CRASH_DB_URL=https://daisy.ubuntu.com" ExecStart=/usr/bin/whoopsie -f Restart=always

    SystemCallFilter=~clone [Install] WantedBy=multi-user.target

  21. Security Features in systemd (Lennart Poettering)

  22. Containers

  23. Snaps & Ubuntu Core

  24. Snaps Snaps are self-contained and isolated bin1 bin2 bin3 lib1

    lib2

  25. Each snap is mounted read-only with a writable area Transactional

  26. name: hello version: "2.10" summary: GNU Hello, the "hello world"

    snap description: GNU Hello prints a friendly greeting confinement: strict grade: stable apps: hello: command: hello parts: gnu-hello: plugin: autotools source: http://ftp.gnu.org/gnu/hello/hello-2.10.tar.gz

  27. AppArmor

  28. AppArmor Seccomp

  29. AppArmor Seccomp Namespaces

  30. AppArmor Seccomp Namespaces Control groups

  31. Relaxing confinement

  32. name: wget version: "1.19" summary: GNU wget, the wget snap

    description: Utility to download the contents of a URL confinement: strict grade: stable apps: wget-snap: command: wget parts: gnu-wget: plugin: autotools source: https://ftp.gnu.org/gnu/wget/wget-1.19.tar.gz

  33. Interfaces Interfaces define access to a resource Snaps offer them

    through slots

  34. name: wget version: "1.19" summary: GNU wget, the wget snap

    description: Utility to download the contents of a URL confinement: strict grade: stable apps: wget-snap: command: wget plugs: [network] parts: gnu-wget: plugin: autotools source: https://ftp.gnu.org/gnu/wget/wget-1.19.tar.gz

  35. Ubuntu Core

  36. None

  37. Security is our responsibility

  38. Thank you! Ara Pulido @arapulido https://gist.github.com/arapulido