Embedded Application Security Best Practices

Embedded Framework and C-Based Toolchain Hardening

Last updated 1 year ago
Limit BusyBox, embedded frameworks, and toolchains to only those libraries and functions actually being used when configuring firmware builds. Embedded Linux build systems such as Buildroot, Yocto and others typically perform this task. Removing known insecure libraries and protocols such as Telnet not only minimizes the attack entry points in a firmware build, but also provides a secure-by-design approach to building software in an effort to thwart potential security threats.

Hardening a library: It is known that (amongst others) compression is insecure, SSLv2 is insecure and SSLv3 is insecure, as are early versions of TLS. In addition, suppose you don't use hardware acceleration or engines, and only allow static linking. Given this knowledge and these requirements, you would configure the OpenSSL library as follows:

$ Configure darwin64-x86_64-cc -no-hw -no-engine -no-comp -no-shared -no-dso -no-ssl2 -no-ssl3 --openssldir=

Selecting one shell example: Using Buildroot, the screenshot below demonstrates only one shell being enabled, bash. (Note: Buildroot examples are shown below, but there are other ways to accomplish the same configuration with other embedded Linux build systems.)

Hardening services example: The screenshot below shows openssh enabled but not the FTP daemons proftpd and pure-ftpd. Only enable FTP if TLS is to be utilized; for example, proftpd and pure-ftpd require custom compilation to use TLS, with mod_tls for proftpd and passing ./configure --with-tls for pure-ftpd.

Hardening Das U-Boot example: Often, physical access to an embedded device enables attack paths that modify bootloader configurations. Below, example best-practice configurations for uboot_config are provided. Note: the uboot_config file is typically auto-generated depending on the build environment and the specific board.

Configure "Verified Boot" (secure boot) for U-Boot versions 2013.07 and above. Verified Boot is not enabled by default and requires board support, with the configurations below required at a minimum.

CONFIG_ENABLE_VBOOT=y #Enables Verified Boot
CONFIG_FIT_SIGNATURE=y #Enables signature verification of FIT images
CONFIG_RSA=y #Enables the RSA algorithm used for FIT image verification
CONFIG_OF_SEPARATE=y #Enables separate build of U-Boot from the device tree
CONFIG_FIT=y #Enables support for the Flat Image Tree (FIT) uImage format
CONFIG_OF_CONTROL=y #Enables Flattened Device Tree (FDT) configuration
CONFIG_OF_LIBFDT=y #Enables the libfdt device tree library
CONFIG_DEFAULT_DEVICE_TREE=y #Specifies the default device tree used for the run-time configuration of U-Boot

Afterwards, a series of steps are needed for configuring Verified Boot. An example overview of building is:

  1. Build U-Boot for the board, with the verified boot options enabled.
  2. Obtain a suitable Linux kernel (preferably the latest).
  3. Create an Image Tree Source (ITS) file describing how you want the kernel to be packaged, compressed and signed.
  4. Create an RSA key pair with RSA2048 and use the SHA256 hashing algorithm for authentication (store your private key in a safe place and do not hardcode it into the firmware).
  5. Sign the kernel.
  6. Put the public key into U-Boot's image.
  7. Put U-Boot and the kernel onto the board.
  8. Test the image and boot configurations.
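The following script is an added example, not part of the OWASP page, showing steps 3 to 8 above as shell functions around U-Boot's own mkimage and fit_check_sign tools. Everything board-specific is an assumption: the key name "dev", the ARM load/entry address 0x80008000, input files Image.gz and board.dtb in the working directory, and U-Boot's control device tree as u-boot.dtb. The key directory defaults to ./keys and is meant to live outside the firmware tree, as step 4 requires.

```shell
#!/bin/sh
# Added example (not from the OWASP page): U-Boot verified-boot signing flow.
# Assumptions: key name "dev", ARM load/entry 0x80008000, Image.gz and board.dtb
# in the working directory, U-Boot control DTB named u-boot.dtb.

KEYDIR="${KEYDIR:-./keys}"     # keep this directory out of the firmware build tree
KEYNAME="${KEYNAME:-dev}"

# Step 4: RSA2048 key pair. mkimage expects <name>.key (private) and <name>.crt
# (public, as an X.509 certificate) in the key directory.
make_keys() {
    mkdir -p "$KEYDIR"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$KEYDIR/$KEYNAME.key" 2>/dev/null
    openssl req -batch -new -x509 -days 3650 -subj "/CN=fit-signing-$KEYNAME" \
        -key "$KEYDIR/$KEYNAME.key" -out "$KEYDIR/$KEYNAME.crt" 2>/dev/null
}

# Step 3: ITS source. The signature sits in the configuration node so the kernel
# and the device tree are verified together with sha256,rsa2048.
write_its() {   # $1 = output .its path
    cat > "$1" <<EOF
/dts-v1/;
/ {
    description = "Signed kernel FIT (constructed example)";
    #address-cells = <1>;
    images {
        kernel {
            description = "Linux kernel";
            data = /incbin/("Image.gz");
            type = "kernel";
            arch = "arm";
            os = "linux";
            compression = "gzip";
            load = <0x80008000>;
            entry = <0x80008000>;
            hash-1 { algo = "sha256"; };
        };
        fdt-1 {
            description = "Board device tree";
            data = /incbin/("board.dtb");
            type = "flat_dt";
            arch = "arm";
            compression = "none";
            hash-1 { algo = "sha256"; };
        };
    };
    configurations {
        default = "conf-1";
        conf-1 {
            kernel = "kernel";
            fdt = "fdt-1";
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "$KEYNAME";
                sign-images = "kernel", "fdt";
            };
        };
    };
};
EOF
}

# Steps 5 and 6: sign the FIT and write the public key into U-Boot's control DTB
# (-K). -r marks the key as required, so an unsigned or mis-signed FIT is rejected.
# Rebuild the U-Boot image from the updated u-boot.dtb before step 7.
sign_fit() {    # $1 = .its, $2 = output .itb
    mkimage -f "$1" -K u-boot.dtb -k "$KEYDIR" -r "$2"
}

# Step 8 (host side): check the signed FIT against the public key now in u-boot.dtb.
verify_fit() {  # $1 = .itb
    fit_check_sign -f "$1" -k u-boot.dtb
}

if [ "${1:-}" = "run" ]; then   # usage: sh fit-sign.sh run
    make_keys && write_its kernel.its && sign_fit kernel.its kernel.itb && verify_fit kernel.itb
fi
```

The hash nodes cover each image individually, while the configuration signature binds the kernel and device tree selection together; signing only the images would let an attacker with write access to storage mix and match them.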

In addition to the above, apply the configurations that are relevant to the context of your embedded device. Below are notable configurations that can be made.

CONFIG_BOOTDELAY=-2 #Prevents access to U-Boot's console when auto boot is used
CONFIG_CMD_USB=n #Disables basic USB support and the usb command
CONFIG_USB_UHCI: defines the low-level part
CONFIG_USB_KEYBOARD: enables the USB keyboard
CONFIG_USB_STORAGE: enables USB storage devices
CONFIG_USB_HOST_ETHER: enables USB ethernet adapter support

Disable serial console output in U-Boot via the following configuration macros:

CONFIG_SILENT_CONSOLE
CONFIG_SYS_DEVICE_NULLDEV
CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC

To make U-Boot environment variables immutable, preventing unauthorized changes (e.g. modifying bootargs, updating verified-boot public keys, etc.) or side-loading of firmware, remove non-volatile memory settings such as the following:

#define CONFIG_ENV_IS_IN_MMC
#define CONFIG_ENV_IS_IN_NAND
#define CONFIG_ENV_IS_IN_NVRAM
#define CONFIG_ENV_IS_IN_SPI_FLASH
#define CONFIG_ENV_IS_IN_REMOTE
#define CONFIG_ENV_IS_IN_EEPROM
#define CONFIG_ENV_IS_IN_FLASH
#define CONFIG_ENV_IS_IN_DATAFLASH
#define CONFIG_ENV_IS_IN_FAT
#define CONFIG_ENV_IS_IN_ONENAND
#define CONFIG_ENV_IS_IN_UBI

Considerations (Disclaimer: the list below is non-exhaustive):

  • Ensure services such as SSH have a secure password created.
  • Remove unused language interpreters such as: perl, python, lua.
  • Remove dead code from unused library functions.
  • Remove unused shell interpreters such as: ash, dash, zsh.
    • Review /etc/shells
  • Remove legacy insecure daemons, including but not limited to:
    • telnetd
    • ftpd
    • ftpget
    • ftpput
    • tftp
    • rlogind
    • rshd
    • rexd
    • rcmd
    • rhosts
    • rexecd
    • rwalld
    • rbootd
    • rusersd
    • rquotad
    • rstatd
    • nfs
  • Remove unused/unnecessary utilities such as:
    • sed, wget, curl, awk, cut, df, dmesg, echo, fdisk, grep, mkdir, mount (vfat), printf, tail, tee, test (directory), test (file), head, cat

    • Automotive Grade Linux (AGL) has developed an example table of common utilities and their usage for debug or production environments (builds):

| Utility Name | Location | Debug Environment | Production Environment |
| --- | --- | --- | --- |
| Strace | /bin/trace | INCLUDE | EXCLUDE |
| Klogd | /sbin/klogd | INCLUDE | EXCLUDE |
| Syslogd (logger) | /bin/logger | INCLUDE | EXCLUDE |
| Gdbserver | /bin/gdbserver | INCLUDE | EXCLUDE |
| Dropbear | Remove "dropbear" from '/etc/init.d/rcs' | EXCLUDE | EXCLUDE |
| SSH | NA | INCLUDE | EXCLUDE |
| Editors (vi) | /bin/vi | INCLUDE | EXCLUDE |
| Dmesg | /bin/dmesg | INCLUDE | EXCLUDE |
| UART | /proc/tty/driver/ | INCLUDE | EXCLUDE |
| Hexdump | /bin/hexdump | INCLUDE | EXCLUDE |
| Dnsdomainname | /bin/dnsdomainname | EXCLUDE | EXCLUDE |
| Hostname | /bin/hostname | INCLUDE | EXCLUDE |
| Pmap | /bin/pmap | INCLUDE | EXCLUDE |
| su | /bin/su | INCLUDE | EXCLUDE |
| Which | /bin/which | INCLUDE | EXCLUDE |
| Who and whoami | /bin/whoami | INCLUDE | EXCLUDE |
| ps | /bin/ps | INCLUDE | EXCLUDE |
| lsmod | /sbin/lsmod | INCLUDE | EXCLUDE |
| install | /bin/install | INCLUDE | EXCLUDE |
| logger | /bin/logger | INCLUDE | EXCLUDE |
| rpm | /bin/rpm | INCLUDE | EXCLUDE |
| Iostat | /bin/iostat | INCLUDE | EXCLUDE |
| find | /bin/find | INCLUDE | EXCLUDE |
| Chgrp | /bin/chgrp | INCLUDE | EXCLUDE |
| Chmod | /bin/chmod | INCLUDE | EXCLUDE |
| Chown | /bin/chown | INCLUDE | EXCLUDE |
| killall | /bin/killall | INCLUDE | EXCLUDE |
| top | /bin/top | INCLUDE | EXCLUDE |
| stbhotplug | /sbin/stbhotplug | INCLUDE | EXCLUDE |

  • Utilize tools such as Lynis for hardening auditing and suggestions:
    wget --no-check-certificate https://github.com/CISOfy/lynis/archive/master.zip && unzip master.zip && cd lynis-master/ && bash lynis audit system
    • Review the report in: /var/log/lynis.log

  • Perform iterative threat model exercises with developers as well as the relevant stakeholders on the software running on the embedded device.
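The considerations above and the AGL-style debug/production table amount to a checklist that can be enforced on the staged root filesystem before an image is packed. The script below is an added example, not from the OWASP page or from AGL: it walks a staged rootfs directory (for instance a build system's target directory, passed as the first argument), reports any of the legacy daemons, debug utilities, interpreters and unused shells named in the lists above, flags extra entries in /etc/shells, and finds init scripts that still start dropbear or telnetd. The name lists are taken from the page; the directory layout (bin, sbin, usr/bin, usr/sbin, etc/init.d) and the choice of /bin/bash as the single permitted shell are assumptions.

```shell
#!/bin/sh
# Added example (not from the OWASP page): audit a staged root filesystem for
# the daemons, debug tools, interpreters and shells listed above.
# Assumptions: rootfs staged under $1; bash is the one shell kept.

LEGACY_DAEMONS="telnetd ftpd ftpget ftpput tftp rlogind rshd rexd rcmd rexecd rwalld rbootd rusersd rquotad rstatd"
DEBUG_TOOLS="strace gdbserver hexdump pmap iostat dmesg"
INTERPRETERS="perl python python3 lua"
UNUSED_SHELLS="ash dash zsh"
BINDIRS="bin sbin usr/bin usr/sbin"

# Print "<category> <path>" for every listed name present (file or symlink,
# so BusyBox applet links are caught too) in the usual binary directories.
scan_category() {  # $1 = rootfs, $2 = category label, $3 = space-separated names
    for name in $3; do
        for dir in $BINDIRS; do
            path="$1/$dir/$name"
            if [ -e "$path" ] || [ -L "$path" ]; then
                printf '%s %s\n' "$2" "$path"
            fi
        done
    done
}

# Shells registered in etc/shells other than /bin/sh and the kept shell, bash.
extra_shells() {  # $1 = rootfs
    [ -f "$1/etc/shells" ] || return 0
    grep -v '^#' "$1/etc/shells" | grep -v -x -e '/bin/sh' -e '/bin/bash' | sed 's/^/extra-shell /'
}

# Init scripts that still reference a listed daemon (the table's dropbear row).
init_scripts_starting() {  # $1 = rootfs, $2 = names
    [ -d "$1/etc/init.d" ] || return 0
    for name in $2; do
        grep -l -s -- "$name" "$1"/etc/init.d/* 2>/dev/null | sed "s/^/init-script($name) /"
    done
}

# Full audit: one finding per line on stdout; exit status 1 if anything was found,
# so it can gate a production build.
audit_rootfs() {  # $1 = rootfs
    findings=$( {
        scan_category "$1" legacy-daemon "$LEGACY_DAEMONS"
        scan_category "$1" debug-tool "$DEBUG_TOOLS"
        scan_category "$1" interpreter "$INTERPRETERS"
        scan_category "$1" unused-shell "$UNUSED_SHELLS"
        extra_shells "$1"
        init_scripts_starting "$1" "telnetd dropbear"
    } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Number of findings, for pipelines that want a count rather than an exit code.
count_findings() {  # $1 = rootfs
    audit_rootfs "$1" | awk 'END { print NR }'
}

if [ "${1:-}" != "" ]; then   # usage: sh audit-rootfs.sh /path/to/staged/rootfs
    audit_rootfs "$1"
fi
```

Run it against the debug build to see the expected INCLUDE set, then against the production build, where any output means a utility from the EXCLUDE column or a legacy daemon survived the build configuration. Extend the name lists to match the table rows that matter for your device.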

Additional References

  • https://www.owasp.org/index.php/C-Based_Toolchain_Hardening
  • https://www.bulkorder.ftc.gov/system/files/publications/pdf0199-carefulconnections-buildingsecurityinternetofthings.pdf (page 34-38)
  • http://isa99.isa.org/Public/Documents/ISA-62443-4-1-WD.pdf
  • https://events.linuxfoundation.org/sites/events/files/slides/belloni-petazzoni-buildroot-oe_0.pdf - Details on buildroot and yocto
  • http://elinux.org/Toolchains
  • https://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS
  • http://www.proftpd.org/docs/howto/TLS.html
  • https://www.owasp.org/index.php/Application_Threat_Modeling
  • GNU C Library Vulnerability in Industrial Products
  • Linux Exploit Quick Listing
  • Hardened U-boot
  • Verified boot
  • Verified Boot for a Beaglebone black board
  • Improving Your Embedded Linux Security Posture with Yocto