[agl-discussions] RFC - Security Framework for AGL
Dominig ar Foll (Intel OTC)
dominig.arfoll at fridu.net
Thu Sep 24 10:06:33 UTC 2015
Le 22/09/2015 09:37, Jeremiah Foster a écrit :
>
>
>
> Please forgive me if this sounds like a rant, I really do not want to
> rant, but I hold some fairly strong opinions regarding security. It
> really won't fit into a couple of SAT discussions. If, as the cliche
> goes, security is a culture, then security needs to be thought of
> during the design phase of a given system. It is an anti-pattern to
> rely on patches later. You want the system architects to be able to
> understand their domains well enough so they can spot security holes
> in the design phase. Look at the design and implementation of kdbus
> for example, that is the kind of security posture you need to have to
> ensure security is designed into the system.
Unfortunately since along time "Perfect is the enemy of Good" (extract
from Voltaire Dictionary of philosophy 1770), trying to cover everything
is not a viable security model.
If you want to succeed, I would advise to start some very simple bases
that you enforce at low level when starting the implementation and then
build on top. So far I a have used quite successfully on several secured
project the two initial starting motto to build the architecture:
- only what is explicitly allowed is possible (white list model)
- secured SW software update is possible even on a compromised system.
The KDbus is a good example of a project which has been about to succeed
to make in the up streamed kernel form more than 3 years but is still
not in. Further more as it has missed 4.1 it will not be in this year
LSTi so fore many of us that means out for all 2016 at least. I am
afraid that while security is important, time to market is also
critical. I personally always try to remain very pragmatic.
>
> Also, there needs to be discussion on many more topics than just a MAC
> tool. Security will require experts, in both automotive and GNU/Linux,
> who can elucidate best practices and proper, testable configuration.
> You'll want to have an interface to the HSM that is as hardware
> independent as possible, up to date information on ciphers and HMAC
> algorithms, PKI, vulnerability reporting, bug embargo policy,
> responsible disclosure policy, intrusion detection, a threat model,
> and path to mitigation when exploits and/or privilege escalation is
> found. There is no alternative to a holistic security discussion since
> missing one piece may lead to catastrophic failure.
The most obvious starting point is to reduce the surface of attack what
can be done greatly by white listing services and access (most often
with a MAC) as well as insuring the integrity of the system and the
cypher block.
In the later HW helpers even if not portable are the most efficient
solution.
One practical model that could work for AGL is to slice the problem. I
share with you the list that I use when I start a project.
- Trusted Boot and GW chain of trust
- Integrity of the SW in operation
- white listing service and resources access
- process and application containment
- SW update process.
- Code static analysis
- Compiler and tool secure option enforcement
- Test and validation.
The other issue such as closed reporting and embargo are coming far
later and to be honest are more process hygiene rather than architecture
issues.
One thing is sure if AGL architects do not want to be shamed and their
companies in trouble, when the next million+ cars ,security related call
back will come (I have no doubt it will happen again), you better start
to implement the base now and work the details later.
Regards
--
Dominig ar Foll
Senior Software Architect
Open Source Technology Centre
Intel SSG
More information about the automotive-discussions
mailing list