Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing the IoT - J On The Beach 2017

96af4f8a8f4d2fdf5827030da8848ca1?s=47 Ara
May 18, 2017

Securing the IoT - J On The Beach 2017

Most of the IoT devices are running a Linux distribution, but without a clear updates and/or security strategy.

In this talk we will go through some of the current problems the IoT devices are facing and tools and strategies we can use today to make the situation a bit better for new devices, while keeping our time to market optimized.

We will show some features in Linux and systemd that can help improving the security of these devices. We will also introduce snaps, a packaging format that helps distribute your application and install it isolated from the underlying system and from other applications; and Ubuntu Core, a small, transactional version of Ubuntu for IoT devices, based on snaps.

96af4f8a8f4d2fdf5827030da8848ca1?s=128

Ara

May 18, 2017
Tweet

Transcript

  1. Securing the IoT Ara Pulido @arapulido J ON THE BEACH

    2017
  2. The mess we’re in 145K IoT devices against The Internet

  3. None
  4. The case for regulation

  5. root/root admin/admin

  6. Software updates (lack of)

  7. (and companies!) Short product lifespans

  8. 8B 20B (2017) (2020)

  9. What do we do?

  10. “things are going to get much worse before they get

    any better” - Matthew Garrett
  11. What do we do?

  12. Kernel live patching

  13. Systemd security

  14. [Unit] Description=crash report submission daemon [Service] Environment="CRASH_DB_URL=https://daisy.ubuntu.com" ExecStart=/usr/bin/whoopsie -f Restart=always

    [Install] WantedBy=multi-user.target
  15. PrivateTmp

  16. [Unit] Description=crash report submission daemon [Service] Environment="CRASH_DB_URL=https://daisy.ubuntu.com" ExecStart=/usr/bin/whoopsie -f Restart=always

    PrivateTmp=yes [Install] WantedBy=multi-user.target
  17. PrivateTmp ProtectHome

  18. [Unit] Description=crash report submission daemon [Service] Environment="CRASH_DB_URL=https://daisy.ubuntu.com" ExecStart=/usr/bin/whoopsie -f Restart=always

    ProtectHome=yes [Install] WantedBy=multi-user.target
  19. PrivateTmp ProtectHome SystemCallFilter

  20. [Unit] Description=crash report submission daemon [Service] Environment="CRASH_DB_URL=https://daisy.ubuntu.com" ExecStart=/usr/bin/whoopsie -f Restart=always

    SystemCallFilter=~clone [Install] WantedBy=multi-user.target
  21. Security Features in systemd (Lennart Poettering)

  22. Containers

  23. Snaps & Ubuntu Core

  24. Snaps Snaps are self-contained and isolated bin1 bin2 bin3 lib1

    lib2
  25. Each snap is mounted read-only with a writable area Transactional

  26. name: hello version: "2.10" summary: GNU Hello, the "hello world"

    snap description: GNU Hello prints a friendly greeting confinement: strict grade: stable apps: hello: command: hello parts: gnu-hello: plugin: autotools source: http://ftp.gnu.org/gnu/hello/hello-2.10.tar.gz
  27. AppArmor

  28. AppArmor Seccomp

  29. AppArmor Seccomp Namespaces

  30. AppArmor Seccomp Namespaces Control groups

  31. Relaxing confinement

  32. name: wget version: "1.19" summary: GNU wget, the wget snap

    description: Utility to download the contents of a URL confinement: strict grade: stable apps: wget-snap: command: wget parts: gnu-wget: plugin: autotools source: https://ftp.gnu.org/gnu/wget/wget-1.19.tar.gz
  33. Interfaces Interfaces define access to a resource Snaps offer them

    through slots
  34. name: wget version: "1.19" summary: GNU wget, the wget snap

    description: Utility to download the contents of a URL confinement: strict grade: stable apps: wget-snap: command: wget plugs: [network] parts: gnu-wget: plugin: autotools source: https://ftp.gnu.org/gnu/wget/wget-1.19.tar.gz
  35. Ubuntu Core

  36. None
  37. Security is our responsibility

  38. Thank you! Ara Pulido @arapulido https://gist.github.com/arapulido