.. _security-overview: Zephyr Security Overview ######################## Introduction ************ This document outlines the steps of the Zephyr Security board towards a defined security process that helps developers build more secure software while addressing security compliance requirements. It presents the key ideas of the security process and outlines which documents need to be created. After the process is implemented and all supporting documents are created, this document is a top-level overview and entry point. Overview and Scope ================== We begin with an overview of the Zephyr development process, which mainly focuses on security functionality. In subsequent sections, the individual parts of the process are treated in detail. As depicted in Figure 1, these main steps are: 1. **Secure Development:** Defines the system architecture and development process that ensures adherence to relevant coding guidelines and quality assurance procedures. 2. **Secure Design:** Defines security procedures and implement measures to enforce them. A security architecture of the system and relevant sub-modules is created, threats are identified, and countermeasures designed. Their correct implementation and the validity of the threat models are checked by code reviews. Finally, a process shall be defined for reporting, classifying, and mitigating security issues.. 3. **Security Certification:** Defines the certifiable part of the Zephyr RTOS. This includes an evaluation target, its assets, and how these assets are protected. Certification claims shall be determined and backed with appropriate evidence. .. figure:: media/security-process-steps.png Figure 1. Security Process Steps Intended Audience ================= This document is a guideline for the development of a security process by the Zephyr Security Committee and the Zephyr Technical Steering Committee. It provides an overview of the Zephyr security process for (security) engineers and architects. Nomenclature ============ In this document, the keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in `RFC2119`_. These words are used to define absolute requirements (or prohibitions), highly recommended requirements, and truly optional requirements. As noted in RFC-2119, "These terms are frequently used to specify behavior with security implications. The effects on security of not implementing a MUST or SHOULD, or doing something the specification says MUST NOT or SHOULD NOT be done may be very subtle. Document authors should take the time to elaborate the security implications of not following recommendations or requirements as most implementors will not have had the benefit of the experience and discussion that produced the specification." Security Document Update ======================== This document is a living document. As new requirements, features, and changes are identified, they will be added to this document through the following process: 1. Changes will be submitted from the interested party(ies) via pull requests to the Zephyr documentation repository. 2. The security committee will review these changes and provide feedback or acceptance of the changes. 3. Once accepted, these changes will become part of the document. Current Security Definition *************************** This section recapitulates the current status of secure development within the Zephyr RTOS. Currently, focus is put on functional security and code quality assurance, although additional security features are scoped. The three major security measures currently implemented are: - **Security** **Functionality** with a focus on cryptographic algorithms and protocols. Support for cryptographic hardware is scoped for future releases.The Zephyr runtime architecture is a monolithic binary and removes the need for dynamic loaders , thereby reducing the exposed attack surface. - **Quality Assurance** is driven by using a development process that requires all code to be reviewed before being committed to the common repository. Furthermore, the reuse of proven building blocks such as network stacks increases the overall quality level and guarantees stable APIs. Static code analyses are planned for the near future. - **Execution Protection** including thread separation, stack and memory protection is currently available in the upstream Zephyr RTOS starting with version 1.9.0 (stack protection). Memory protection and thread separation was added in version 1.10.0 for X86 and in version 1.11.0 for ARM and ARC. These topics are discussed in more detail in the following subsections. Security Functionality ====================== The security functionality in Zephyr hinges mainly on the inclusion of cryptographic algorithms, and on its monolithic system design. The cryptographic features are provided through a set of cryptographic libraries. Applications can choose TinyCrypt2 or mbedTLS based on their needs. TinyCrypt2 supports key cryptographic algorithms required by the connectivity stacks. Tinycrypt2, however, only provides a limited set of algorithms. mbedTLS supports a wider range of algorithms, but at the cost of additional requirements such as malloc support. Applications can choose the solution that matches their individual requirements. Future work may include APIs to abstract the underlying crypto library choice. APIs for vendor specific cryptographic IPs in both hardware and software are planned, including secure key storage in the form of secure access modules (SAMs), Trusted Platform Modules (TPMs), and Trusted Execution Environments (TEEs). The security architecture is based on a monolithic design where the Zephyr kernel and all applications are compiled into a single static binary. System calls are implemented as function calls without requiring context switches. Static linking eliminates the potential for dynamically loading malicious code. Additional protection features are available in later releases. Stack protection mechanisms are provided to protect against stack overruns. In addition, applications can take advantage of thread separation features to split the system into privileged and unprivileged execution environments. Memory protection features provide the capability to partition system resources (memory, peripheral address space, etc) and assign resources to individual threads or groups of threads. Stack, thread execution level, and memory protection constraints are enforced at the time of context switch. Quality Assurance ================= The Zephyr project uses an automated quality assurance process. The goal is to have a process including mandatory code reviews, feature and issue management/tracking, and static code analyses. Code reviews are documented and enforced using a voting system before getting checked into the repository by the responsible subsystem's maintainer. The main goals of the code review are: - Verifying correct functionality of the implementation - Increasing the readability and maintainability of the contributed source code - Ensuring appropriate usage of string and memory functions - Validation of the user input - Reviewing the security relevant code for potential issues The current coding guidelines focus mostly on coding styles and conventions. Functional correctness is ensured by the build system and the experience of the reviewer. Especially for security relevant code, concrete and detailed guidelines need to be developed and aligned with the developers (see: :ref:`secure code`). Static code analyses are run on the Zephyr code tree on a regular basis using the open source Coverity Scan tool. Coverity Scan now includes complexity analysis. Bug and issue tracking and management is performed using Jira. The term "survivability" was coined to cover pro-active security tasks such as security issue categorization and management. Initial effort has been started on the definition of vulnerability categorization and mitigation processes within Jira. Issues determined by Coverity should have more stringent reviews before they are closed as non issues (at least another person educated in security processes need to agree on non-issue before closing). A security subcommittee has been formed to develop a security process in more detail; this document is part of that process. Execution Protection ==================== Execution protection is supported and can be categorized into the following tasks: - **Memory separation:** Memory will be partitioned into regions and assigned attributes based on the owner of that region of memory. Threads will only have access to regions they control. - **Stack protection:** Stack guards would provide mechanisms for detecting and trapping stack overruns. Individual threads should only have access to their own stacks. - **Thread separation:** Individual threads should only have access to their own memory resources. As threads are scheduled, only memory resources owned by that thread will be accessible. Topics such as program flow protection and other measures for tamper resistance are currently not in scope. System Level Security (Ecosystem, ...) ====================================== System level security encompasses a wide variety of categories. Some examples of these would be: - Secure/trusted boot - Over the air (OTA) updates - External Communication - Device authentication - Access control of onboard resources - Flash updating - Secure storage - Peripherals - Root of trust - Reduction of attack surface Some of these categories are interconnected and rely on multiple pieces to be in place to produce a full solution for the application. Secure Development Process ************************** The development of secure code shall adhere to certain criteria. These include coding guidelines and development processes that can be roughly separated into two categories related to software quality and related to software security. Furthermore, a system architecture document shall be created and kept up-to-date with future development. System Architecture =================== .. figure:: media/security-zephyr-system-architecture.png Figure 2: Zephyr System Architecture A high-level schematic of the Zephyr system architecture is given in Figure 2. It separates the architecture into an OS part (*kernel + OS Services*) and a user-specific part (*Application Services*). The OS part itself contains low-level, platform specific drivers and the generic implementation of I/O APIs, file systems, kernel-specific functions, and the cryptographic library. A document describing the system architecture and design choices shall be created and kept up to date with future development. This document shall include the base architecture of the Zephyr OS and an overview of important submodules. For each of the modules, a dedicated architecture document shall be created and evaluated against the implementation. These documents shall serve as an entry point to new developers and as a basis for the security architecture. Please refer to the :ref:`Zephyr Kernel subsystem documentation ` for detailed information. Secure Coding Guidelines ======================== Designing an open software system such as Zephyr to be secure requires adhering to a defined set of design standards. These standards are included in the Zephyr Project documentation, specifically in its :ref:`secure code` section. In [SALT75]_, the following, widely accepted principles for protection mechanisms are defined to prevent security violations and limit their impact: - **Open design** as a design guideline incorporates the maxim that protection mechanisms cannot be kept secret on any system in widespread use. Instead of relying on secret, custom-tailored security measures, publicly accepted cryptographic algorithms and well established cryptographic libraries shall be used. - **Economy of mechanism** specifies that the underlying design of a system shall be kept as simple and small as possible. In the context of the Zephyr project, this can be realized, e.g., by modular code [PAUL09]_ and abstracted APIs. - **Complete mediation** requires that each access to every object and process needs to be authenticated first. Mechanisms to store access conditions shall be avoided if possible. - **Fail-safe defaults** defines that access is restricted by default and permitted only in specific conditions defined by the system protection scheme, e.g., after successful authentication. Furthermore, default settings for services shall be chosen in a way to provide maximum security. This corresponds to the "Secure by Default" paradigm [MS12]_. - **Separation of privilege** is the principle that two conditions or more need to be satisfied before access is granted. In the context of the Zephyr project, this could encompass split keys [PAUL09]_. - **Least privilege** describes an access model in which each user, program and thread shall have the smallest possible subset of permissions in the system required to perform their task. This positive security model aims to minimize the attack surface of the system. - **Least common mechanism** specifies that mechanisms common to more than one user or process shall not be shared if not strictly required. The example given in [SALT75]_ is a function that should be implemented as a shared library executed by each user and not as a supervisor procedure shared by all users. - **Psychological acceptability** requires that security features are easy to use by the developers in order to ensure its usage and the correctness of its application. In addition to these general principles, the following points are specific to the development of a secure RTOS: - **Complementary Security/Defense in Depth:** do not rely on a single threat mitigation approach. In case of the complementary security approach, parts of the threat mitigation are performed by the underlying platform. In case such mechanisms are not provided by the platform, or are not trusted, a defense in depth [MS12]_ paradigm shall be used. - **Less commonly used services off by default**: to reduce the exposure of the system to potential attacks, features or services shall not be enabled by default if they are only rarely used (a threshold of 80% is given in [MS12]_). For the Zephyr project, this can be realized using the configuration management. Each functionality and module shall be represented as a configuration option and needs to be explicitly enabled. Then, all features, protocols, and drivers not required for a particular use case can be disabled. The user shall be notified if low-level options and APIs are enabled but not used by the application. - **Change management:** to guarantee a traceability of changes to the system, each change shall follow a specified process including a change request, impact analysis, ratification, implementation, and validation phase. In each stage, appropriate documentation shall be provided. All commits shall be related to a bug report or change request in the issue tracker. Commits without a valid reference shall be denied. Based on these design principles and commonly accepted best practices, a secure development guide shall be developed, published, and implemented into the Zephyr development process. Further details on this are given in the `Secure Design`_ section. Quality Assurance ================= The quality assurance part encompasses the following criteria: - **Adherence to the Coding Guidelines** with respect to coding style, naming schemes of modules, functions, variables, and so forth. This increases the readability of the Zephyr code base and eases the code review. These coding guidelines are enforced by automated scripts prior to check-in. - **Adherence to Deployment Guidelines** is required to ensure consistent releases with a well-documented feature set and a trackable list of security issues. - **Code Reviews** ensure the functional correctness of the code base and shall be performed on each proposed code change prior to check-in. Code reviews shall be performed by at least one independent reviewer other than the author(s) of the code change. These reviews shall be performed by the subsystem maintainers and developers on a functional level and are to be distinguished from security reviews as laid out in Chapter 4. Please refer to the `development model documentation`_ on the Zephyr project Wiki. - **Static Code Analysis** tools efficiently detect common coding mistakes in large code bases. All code shall be analyzed using an appropriate tool prior to merges into the main repository. This is not per individual commit, but is to be run on some interval on specific branches. It is mandatory to remove all findings or waive potential false-positives before each release. To process process documentation. Waivers shall be documented centrally and in form of a comment inside the source code itself. The documentation shall include the employed tool and its version, the date of the analysis, the branch and parent revision number, the reason for the waiver, the author of the respective code, and the approver(s) of the waiver. This shall as a minimum run on the main release branch and on the security branch. It shall be ensured that each release has zero issues with regard to static code analysis (including waivers). Please refer to the `development model documentation`_ on the Zephyr project Wiki. - **Complexity Analyses** shall be performed as part of the development process and metrics such as cyclomatic complexity shall be evaluated. The main goal is to keep the code as simple as possible. - **Automation:** the review process and checks for coding rule adherence are a mandatory part of the precommit checks. To ensure consistent application, they shall be automated as part of the precommit procedure. Prior to merging large pieces of code in from subsystems, in addition to review process and coding rule adherence, all static code analysis must have been run and issues resolved. Release and Lifecycle Management ================================ Lifecycle management contains several aspects: - **Device management** encompasses the possibility to update the operating system and/or security related sub-systems of Zephyr enabled devices in the field. - **Lifecycle management:** system stages shall be defined and documented along with the transactions between the stages in a system state diagram. For security reasons, this shall include locking of the device in case an attack has been detected, and a termination if the end of life is reached. - **Release management** describes the process of defining the release cycle, documenting releases, and maintaining a record of known vulnerabilities and mitigations. Especially for certification purposes the integrity of the release needs to be ensured in a way that later manipulation (e.g. inserting of backdoors, etc.) can be easily detected. - **Rights management and NDAs:** if required by the chosen certification, the confidentiality and integrity of the system needs to be ensured by an appropriate rights management (e.g. separate source code repository) and non-disclosure agreements between the relevant parties. In case of a repository shared between several parties, measures shall be taken that no malicious code is checked in. These points shall be evaluated with respect to their impact on the development process employed for the Zephyr project. Secure Design ************* In order to obtain a certifiable system or product, the security process needs to be clearly defined and its application needs to be monitored and driven. This process includes the development of security related modules in all of its stages and the management of reported security issues. Furthermore, threat models need to be created for currently known and future attack vectors, and their impact on the system needs to be investigated and mitigated. Please refer to the :ref:`secure code` outlined in the Zephyr project documentation for detailed information. The software security process includes: - **Adherence to the Secure Development Guidelines** is mandatory to avoid that individual components breach the system security and to minimize the vulnerability of individual modules. While this can be partially achieved by automated tests, it is inevitable to investigate the correct implementation of security features such as countermeasures manually in security-critical modules. - **Security Reviews** shall be performed by a security architect in preparation of each security-targeted release and each time a security-related module of the Zephyr project is changed. This process includes the validation of the effectiveness of implemented security measures, the adherence to the global security strategy and architecture, and the preparation of audits towards a security certification if required. - **Security Issue Management** encompasses the evaluation of potential system vulnerabilities and their mitigation as described in the `Security Issue Management`_ Section. These criteria and tasks need to be integrated into the development process for secure software and shall be automated wherever possible. On system level, and for each security related module of the secure branch of Zephyr, a directly responsible security architect shall be defined to guide the secure development process. Security Architecture ===================== The general guidelines above shall be accompanied by an architectural security design on system- and module-level. The high level considerations include - The identification of **security and compliance requirements** - **Functional security** such as the use of cryptographic functions whenever applicable - Design of **countermeasures** against known attack vectors - Recording of security relevant **auditable events** - Support for **Trusted Platform Modules (TPM)** and **Trusted Execution Environments (TEE)** - Mechanisms to allow for **in-the-field** **updates** of devices using Zephyr - Task scheduler and separation The security architecture development is based on assets derived from the structural overview of the overall system architecture. Based on this, the individual steps include: 1. **Identification of assets** such as user data, authentication and encryption keys, key generation data (obtained from RNG), security relevant status information. 2. **Identification of threats** against the assets such as breaches of confidentiality, manipulation of user data, etc. 3. **Definition of requirements** regarding security and protection of the assets, e.g. countermeasures or memory protection schemes. The security architecture shall be harmonized with the existing system architecture and implementation to determine potential deviations and mitigate existing weaknesses. Newly developed sub-modules that are integrated into the secure branch of the Zephyr project shall provide individual documents describing their security architecture. Additionally, their impact on the system level security shall be considered and documented. Security Issue Management ========================= In order to quickly respond to security threats towards the Zephyr RTOS, a well-defined security issue management needs to be established. Such issues shall be reported through the Zephyr Jira bug tracking system. Some JIRA modifications will be necessary to accommodate management of security issues. In addition, there will be guidelines that govern visibility, control, and resolution of security issues. The following is the current proposal: - A boolean field shall be added to JIRA bugs to mark it security sensitive (or any other name that makes sense). This renders the entry invisible to anyone except as described below. - Security sensitive bugs are only accessible (view/modify) to members of the Security Group; members of this Security Group are: - members of the Security Subcommittee - other as proposed and ratified Security Subcommittee, who will also have the authority to remove others - the reporter - Ability to add other users for individual issues - Security Subcommittee meetings have to review the embargoed bugs on every meeting with more than three people in attendance. Said review process shall decide if new issues needs to be embargoed or not. - Security sensitive bugs shall be made public (by removing the security sensitive indicator) after an embargo period of TBD days. The Security Subcommittee is the only entity with authority to extend the embargo period on a case by case basis; the JIRA entry should be updated with the rationale for the embargo extension so at some point said rationale will be made public.If the Security Subcommittee does not act upon a security sensitive bug after its TBD days of embargo are over, it shall be automatically made public by removing the security sensitive setting. - Likewise, there shall be code repositories marked as security sensitive, accessible only to the Security Group members where the code to fix said issues is being worked on and reviewed. The person/s contributing the fix shall also have access, but fix contributors shall have only access to the tree for said fix, not to other security sensitive trees. - A CVE space shall be allocated to assign Zephyr issues when the SWG decides such is needed. - The severity of the issue with regard to security shall be entered by the reporter. - All security relevant issues shall trigger an automated notification on the Zephyr security mailing list (vulnerabilities@zephyrproject.org). Any member of the security board can then triage the severity of the issue according to the `Common Vulnerability Scoring System v3.0 `_ - Depending on the resulting severity score of the issue, the issue is prioritized and assigned to the owner of the affected module. Additionally, the system security architect and the security architect of the module are notified and shall take the responsibility to mitigate the issue and review the solution or counter-measure. In any case, the security issue shall be documented centrally, including the affected modules, software releases, and applicable workarounds for immediate mitigation. A list of known security issues per public release of the Zephyr shall be published and maintained by the security board after a risk assessment. Threat Modeling and Mitigation ============================== The modeling of security threats against the Zephyr RTOS is required for the development of an accurate security architecture and for most certification schemes. The first step of this process is the definition of assets to be protected by the system. The next step then models how these assets are protected by the system and which threats against them are present. After a threat has been identified, a corresponding threat model is created. This model contains the asset and system vulnerabilities, as well as the description of the potential exploits of these vulnerabilities. Additionally, the impact on the asset, the module it resides in, and the overall system is to be estimated. This threat model is then considered in the module and system security architecture and appropriate counter-measures are defined to mitigate the threat or limit the impact of exploits. In short, the threat modeling process can be separated into these steps (adapted from `Application Thread Modeling`_: 1. Definition of assets 2. Application decomposition and creation of appropriate data flow diagrams (DFDs) 3. Threat identification and categorization using the `STRIDE`_ and `CVSS`_ approaches 4. Determination of countermeasures and other mitigation approaches This procedure shall be carried out during the design phase of modules and before major changes of the module or system architecture. Additionally, new models shall be created or existing ones shall be updated whenever new vulnerabilities or exploits are discovered. During security reviews, the threat models and the mitigation techniques shall be evaluated by the responsible security architect. From these threat models and mitigation techniques tests shall be derived that prove the effectiveness of the countermeasures. These tests shall be integrated into the continuous integration workflow to ensure that the security is not impaired by regressions. Vulnerability Analyses ====================== In order to find weak spots in the software implementation, vulnerability analyses (VA) shall be performed. Of special interest are investigations on cryptographic algorithms, critical OS tasks, and connectivity protocols. On a pure software level, this encompasses - **Penetration testing** of the RTOS on a particular hardware platform, which involves testing the respective Zephyr OS configuration and hardware as one system. - **Side channel attacks** (timing invariance, power invariance, etc.) should be considered. For instance, ensuring **timing invariance** of the cryptographic algorithms and modules is required to reduce the attack surface. This applies to both the software implementations and when using cryptographic hardware. - **Fuzzing tests** shall be performed on both exposed APIs and protocols. The list given above serves primarily illustration purposes. For each module and for the complete Zephyr system (in general on a particular hardware platform), a suitable VA plan shall be created and executed. The findings of these analyses shall be considered in the security issue management process, and learnings shall be formulated as guidelines and incorporated into the secure coding guide. If possible (as in case of fuzzing analyses), these tests shall be integrated into the continuous integration process. Security Certification ********************** One goal of creating a secure branch of the Zephyr RTOS is to create a certifiable system or certifiable submodules thereof. The certification scope and scheme is yet to be decided. However, many certification such as Common Criteria [CCITSE12]_ require evidence that the evaluation claims are indeed fulfilled, so a general certification process is outlined in the following. Based on the final choices for the certification scheme and evaluation level, this process needs to be refined. Generic Certification Process ============================= In general, the steps towards a certification or precertification (compare [MICR16]_) are: 1. The **definition of assets** to be protected within the Zephyr RTOS. Potential candidates are confidential information such as cryptographic keys, user data such as communication logs, and potentially IP of the vendor or manufacturer. 2. Developing a **threat model** and **security architecture** to protect the assets against exploits of vulnerabilities of the system. As a complete threat model includes the overall product including the hardware platform, this might be realized by a split model containing a precertified secure branch of Zephyr which the vendor could use to certify their Zephyr-enabled product. 3. Formulating an **evaluation target** that includes the **certification claims** on the security of the assets to be evaluated and certified, as well as assumptions on the operating conditions. 4. Providing **proof** that the claims are fulfilled. This includes consistent documentation of the security development process, etc. These steps are partially covered in previous sections as well. In contrast to these sections, the certification process only requires to consider those components that shall be covered by the certification. The security architecture, for example, considers assets on system level and might include items not relevant for the certification. Certification Options ===================== For the security certification as such, the following options can be pursued: 1. **Abstract precertification of Zephyr as a pure software system:** this option requires assumptions on the underlying hardware platform and the final application running on top of Zephyr. If these assumptions are met by the hardware and the application, a full certification can be more easily achieved. This option is the most flexible approach but puts the largest burden on the product vendor. 2. **Certification of Zephyr on specific hardware platform without a specific application in mind:** this scenario describes the enablement of a secure platform running the Zephyr RTOS. The hardware manufacturer certifies the platform under defined assumptions on the application. If these are met, the final product can be certified with little effort. 3. **Certification of an actual product:** in this case, a full product including a specific hardware, the Zephyr RTOS, and an application is certified. In all three cases, the certification scheme (e.g. FIPS 140-2 [NIST02]_ or Common Criteria [CCITSE12]_), the scope of the certification (main-stream Zephyr, security branch, or certain modules), and the certification/assurance level need to be determined. In case of partial certifications (options 1 and 2), assumptions on hardware and/or software are required for certifications. These can include [GHS10]_ - **Appropriate physical security** of the hardware platform and its environment. - **Sufficient protection of storage and timing channels** on the hardware platform itself and all connected devices. (No mentioning of remote connections.) - Only **trusted/assured applications** running on the device - The device and its software stack is configured and operated by **properly trained and trusted individuals** with no malicious intent. These assumptions shall be part of the security claim and evaluation target documents. References ********** See :ref:`security-citations` .. _`RFC2119`: https://www.ietf.org/rfc/rfc2119.txt .. _`Application Thread Modeling`: https://www.owasp.org/index.php/Application_Threat_Modeling .. _`STRIDE`: https://msdn.microsoft.com/en-us/library/ee823878%28v=cs.20%29.aspx .. _`development model documentation`: https://github.com/zephyrproject-rtos/zephyr/wiki/Development-Model .. _`CVSS`: https://www.first.org/cvss/specification-document