792 lines
35 KiB
ReStructuredText
792 lines
35 KiB
ReStructuredText
.. _security-overview:
|
|
|
|
Zephyr Security Overview
|
|
########################
|
|
|
|
+------------------------+------------------+---------------------------+
|
|
| **Revision history** |
|
|
+========================+==================+===========================+
|
|
| **Rev** | **Date** | **Description** |
|
|
+------------------------+------------------+---------------------------+
|
|
| 1.0 Draft | July 27, 2016 | Initial draft version |
|
|
+------------------------+------------------+---------------------------+
|
|
| 1.0-rc1 | April 21, 2017 | Draft for review by TSC |
|
|
+------------------------+------------------+---------------------------+
|
|
|
|
Introduction
|
|
************
|
|
|
|
This document outlines the steps of the Zephyr Security board towards a
|
|
defined security process that helps developers build more secure
|
|
software while addressing security compliance requirements. It presents
|
|
the key ideas of the security process and outlines which documents need
|
|
to be created. After the process is implemented and all supporting
|
|
documents are created, this document is a top-level overview and entry
|
|
point.
|
|
|
|
Overview and Scope
|
|
==================
|
|
|
|
We begin with an overview of the Zephyr development process, which
|
|
mainly focuses on security functionality.
|
|
|
|
In subsequent sections, the individual parts of the process are treated
|
|
in detail. As depicted in Figure 1, these main steps are:
|
|
|
|
1. **Secure Development:** Defines the system architecture and
|
|
development process that ensures adherence to relevant coding
|
|
guidelines and quality assurance procedures.
|
|
|
|
2. **Secure Design:** Defines security procedures and implement measures
|
|
to enforce them. A security architecture of the system and
|
|
relevant sub-modules is created, threats are identified, and
|
|
countermeasures designed. Their correct implementation and the
|
|
validity of the threat models are checked by code reviews.
|
|
Finally, a process shall be defined for reporting, classifying,
|
|
and mitigating security issues..
|
|
|
|
3. **Security Certification:** Defines the certifiable part of the
|
|
Zephyr RTOS. This includes an evaluation target, its assets, and
|
|
how these assets are protected. Certification claims shall be
|
|
determined and backed with appropriate evidence.
|
|
|
|
.. figure:: media/security-process-steps.png
|
|
|
|
Figure 1. Security Process Steps
|
|
|
|
Intended Audience
|
|
=================
|
|
|
|
This document is a guideline for the development of a security process
|
|
by the Zephyr Security Committee and the Zephyr Technical Steering
|
|
Committee. It provides an overview of the Zephyr security process for
|
|
(security) engineers and architects.
|
|
|
|
Nomenclature
|
|
============
|
|
|
|
In this document, the keywords "MUST", "MUST NOT", "REQUIRED", "SHALL",
|
|
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
|
|
"OPTIONAL" are to be interpreted as described in `RFC2119`_.
|
|
|
|
These words are used to define absolute requirements (or prohibitions),
|
|
highly recommended requirements, and truly optional requirements. As
|
|
noted in RFC-2119, "These terms are frequently used to specify behavior
|
|
with security implications. The effects on security of not implementing
|
|
a MUST or SHOULD, or doing something the specification says MUST NOT or
|
|
SHOULD NOT be done may be very subtle. Document authors should take the
|
|
time to elaborate the security implications of not following
|
|
recommendations or requirements as most implementors will not have had
|
|
the benefit of the experience and discussion that produced the
|
|
specification."
|
|
|
|
Security Document Update
|
|
========================
|
|
|
|
This document is a living document. As new requirements, features, and
|
|
changes are identified, they will be added to this document through the
|
|
following process:
|
|
|
|
1. Changes will be submitted from the interested party(ies) via pull
|
|
requests to the Zephyr documentation repository.
|
|
|
|
2. The security committee will review these changes and provide feedback
|
|
or acceptance of the changes.
|
|
|
|
3. Once accepted, these changes will become part of the document.
|
|
|
|
Current Security Definition
|
|
***************************
|
|
|
|
This section recapitulates the current status of secure development
|
|
within the Zephyr RTOS. Currently, focus is put on functional security
|
|
and code quality assurance, although additional security features are
|
|
scoped.
|
|
|
|
The three major security measures currently implemented are:
|
|
|
|
- **Security** **Functionality** with a focus on cryptographic
|
|
algorithms and protocols. Support for cryptographic hardware is
|
|
scoped for future releases.The Zephyr runtime architecture is a
|
|
monolithic binary and removes the need for dynamic loaders ,
|
|
thereby reducing the exposed attack surface.
|
|
|
|
- **Quality Assurance** is driven by using a development process that
|
|
requires all code to be reviewed before being committed to the
|
|
common repository. Furthermore, the reuse of proven building
|
|
blocks such as network stacks increases the overall quality level
|
|
and guarantees stable APIs. Static code analyses are planned for
|
|
the near future.
|
|
|
|
- **Execution Protection** including thread separation, stack and
|
|
memory protection is currently not available in the upstream
|
|
Zephyr RTOS but is planned for future releases.
|
|
|
|
These topics are discussed in more detail in the following subsections.
|
|
|
|
Security Functionality
|
|
======================
|
|
|
|
The security functionality in Zephyr hinges mainly on the inclusion of
|
|
cryptographic algorithms, and on its monolithic system design.
|
|
|
|
The cryptographic features are provided through a set of cryptographic
|
|
libraries. Applications can choose TinyCrypt2 or mbedTLS based on their
|
|
needs. TinyCrypt2 supports key cryptographic algorithms required by the
|
|
connectivity stacks. Tinycrypt2, however, only provides a limited set of
|
|
algorithms. mbedTLS supports a wider range of algorithms, but at the
|
|
cost of additional requirements such as malloc support. Applications can
|
|
choose the solution that matches their individual requirements. Future
|
|
work may include APIs to abstract the underlying crypto library choice.
|
|
|
|
APIs for vendor specific cryptographic IPs in both hardware and software
|
|
are planned, including secure key storage in the form of secure access
|
|
modules (SAMs), Trusted Platform Modules (TPMs), and
|
|
Trusted Execution Environments (TEEs).
|
|
|
|
The security architecture is based on a monolithic design where the
|
|
Zephyr kernel and all applications are compiled into a single static
|
|
binary. System calls are implemented as function calls without requiring
|
|
context switches. Static linking eliminates the potential for
|
|
dynamically loading malicious code. Memory protection and task
|
|
separation techniques are in scope for future releases.
|
|
|
|
Quality Assurance
|
|
=================
|
|
|
|
The Zephyr project uses an automated quality assurance process. The goal
|
|
is to have a process including mandatory code reviews, feature and issue
|
|
management/tracking, and static code analyses.
|
|
|
|
Code reviews are documented and enforced using a voting system before
|
|
getting checked into the repository by the responsible subsystem's
|
|
maintainer. The main goals of the code review are:
|
|
|
|
- Verifying correct functionality of the implementation
|
|
|
|
- Increasing the readability and maintainability of the contributed
|
|
source code
|
|
|
|
- Ensuring appropriate usage of string and memory functions
|
|
|
|
- Validation of the user input
|
|
|
|
- Reviewing the security relevant code for potential issues
|
|
|
|
The current coding guidelines focus mostly on coding styles and
|
|
conventions. Functional correctness is ensured by the build system and
|
|
the experience of the reviewer. Especially for security relevant code,
|
|
concrete and detailed guidelines need to be developed and aligned with
|
|
the developers (see: :ref:`secure code`).
|
|
|
|
Static code analyses are run on the Zephyr code tree on a regular basis
|
|
using the open source Coverity Scan tool. Coverity Scan now includes
|
|
complexity analysis.
|
|
|
|
Bug and issue tracking and management is performed using Jira. The term
|
|
"survivability" was coined to cover pro-active security tasks such as
|
|
security issue categorization and management. Initial effort has been
|
|
started on the definition of vulnerability categorization and mitigation
|
|
processes within Jira.
|
|
|
|
Issues determined by Coverity should have more stringent reviews before
|
|
they are closed as non issues (at least another person educated in
|
|
security processes need to agree on non-issue before closing).
|
|
|
|
A security subcommittee has been formed to develop a security process in
|
|
more detail; this document is part of that process.
|
|
|
|
Execution Protection
|
|
====================
|
|
|
|
Execution protection is planned for future releases and is roughly
|
|
categorized into the following tasks:
|
|
|
|
- **Memory separation:** Memory will be partitioned into regions and
|
|
assigned attributes based on the owner of that region of memory.
|
|
Threads will only have access to regions they control.
|
|
|
|
- **Stack protection:** Stack guards would provide mechanisms for
|
|
detecting and trapping stack overruns. Individual threads should
|
|
only have access to their own stacks.
|
|
|
|
- **Thread separation:** Individual threads should only have access to
|
|
their own memory resources. As threads are scheduled, only memory
|
|
resources owned by that thread will be accessible.Topics such as
|
|
program flow protection and other measures for tamper resistance
|
|
are currently not in scope.
|
|
|
|
System Level Security (Ecosystem, ...)
|
|
======================================
|
|
|
|
System level security encompasses a wide variety of categories. Some
|
|
examples of these would be:
|
|
|
|
- Secure/trusted boot
|
|
- Over the air (OTA) updates
|
|
- External Communication
|
|
- Device authentication
|
|
- Access control of onboard resources
|
|
|
|
- Flash updating
|
|
- Secure storage
|
|
- Peripherals
|
|
|
|
- Root of trust
|
|
- Reduction of attack surface
|
|
|
|
Some of these categories are interconnected and rely on multiple pieces
|
|
to be in place to produce a full solution for the application.
|
|
|
|
Secure Development Process
|
|
**************************
|
|
|
|
The development of secure code shall adhere to certain criteria. These
|
|
include coding guidelines and development processes that can be roughly
|
|
separated into two categories related to software quality and related to
|
|
software security. Furthermore, a system architecture document shall be
|
|
created and kept up-to-date with future development.
|
|
|
|
System Architecture
|
|
===================
|
|
|
|
.. figure:: media/security-zephyr-system-architecture.png
|
|
|
|
Figure 2: Zephyr System Architecture
|
|
|
|
A high-level schematic of the Zephyr system architecture is given in
|
|
Figure 2. It separates the architecture into an OS part (*kernel + OS
|
|
Services*) and a user-specific part (*Application Services*). The OS
|
|
part itself contains low-level, platform specific drivers and the
|
|
generic implementation of I/O APIs, file systems, kernel-specific
|
|
functions, and the cryptographic library.
|
|
|
|
A document describing the system architecture and design choices shall
|
|
be created and kept up to date with future development. This document
|
|
shall include the base architecture of the Zephyr OS and an overview of
|
|
important submodules. For each of the modules, a dedicated architecture
|
|
document shall be created and evaluated against the implementation.
|
|
These documents shall serve as an entry point to new developers and as a
|
|
basis for the security architecture. Please refer to the
|
|
:ref:`Zephyr Kernel subsystem documentation <subsystems>` for
|
|
detailed information.
|
|
|
|
Secure Coding Guidelines
|
|
========================
|
|
|
|
Designing an open software system such as Zephyr to be secure requires
|
|
adhering to a defined set of design standards. These standards are
|
|
included in the Zephyr Project documentation, specifically in its
|
|
:ref:`secure code` section. In [SALT75]_, the following, widely
|
|
accepted principles for protection mechanisms are defined to prevent
|
|
security violations and limit their impact:
|
|
|
|
- **Open design** as a design guideline incorporates the maxim that
|
|
protection mechanisms cannot be kept secret on any system in
|
|
widespread use. Instead of relying on secret, custom-tailored
|
|
security measures, publicly accepted cryptographic algorithms and
|
|
well established cryptographic libraries shall be used.
|
|
|
|
- **Economy of mechanism** specifies that the underlying design of a
|
|
system shall be kept as simple and small as possible. In the
|
|
context of the Zephyr project, this can be realized, e.g., by
|
|
modular code [PAUL09]_ and abstracted APIs.
|
|
|
|
- **Complete mediation** requires that each access to every object and
|
|
process needs to be authenticated first. Mechanisms to store
|
|
access conditions shall be avoided if possible.
|
|
|
|
- **Fail-safe defaults** defines that access is restricted by default
|
|
and permitted only in specific conditions defined by the system
|
|
protection scheme, e.g., after successful authentication.
|
|
Furthermore, default settings for services shall be chosen in a
|
|
way to provide maximum security. This corresponds to the "Secure
|
|
by Default" paradigm [MS12]_.
|
|
|
|
- **Separation of privilege** is the principle that two conditions or
|
|
more need to be satisfied before access is granted. In the
|
|
context of the Zephyr project, this could encompass split keys
|
|
[PAUL09]_.
|
|
|
|
- **Least privilege** describes an access model in which each user,
|
|
program and thread shall have the smallest possible
|
|
subset of permissions in the system required to perform their
|
|
task. This positive security model aims to minimize the attack
|
|
surface of the system.
|
|
|
|
- **Least common mechanism** specifies that mechanisms common to more
|
|
than one user or process shall not be shared if not strictly
|
|
required. The example given in [SALT75]_ is a function that should
|
|
be implemented as a shared library executed by each user and not
|
|
as a supervisor procedure shared by all users.
|
|
|
|
- **Psychological acceptability** requires that security features are
|
|
easy to use by the developers in order to ensure its usage and
|
|
the correctness of its application.
|
|
|
|
In addition to these general principles, the following points are
|
|
specific to the development of a secure RTOS:
|
|
|
|
- **Complementary Security/Defense in Depth:** do not rely on a single
|
|
threat mitigation approach. In case of the complementary security
|
|
approach, parts of the threat mitigation are performed by the
|
|
underlying platform. In case such mechanisms are not provided by
|
|
the platform, or are not trusted, a defense in depth [MS12]_
|
|
paradigm shall be used.
|
|
|
|
- **Less commonly used services off by default**: to reduce the
|
|
exposure of the system to potential attacks, features or services
|
|
shall not be enabled by default if they are only rarely used (a
|
|
threshold of 80% is given in [MS12]_). For the Zephyr project,
|
|
this can be realized using the configuration management. Each
|
|
functionality and module shall be represented as a configuration
|
|
option and needs to be explicitly enabled. Then, all features,
|
|
protocols, and drivers not required for a particular use case can
|
|
be disabled. The user shall be notified if low-level options and
|
|
APIs are enabled but not used by the application.
|
|
|
|
- **Change management:** to guarantee a traceability of changes to the
|
|
system, each change shall follow a specified process including a
|
|
change request, impact analysis, ratification, implementation,
|
|
and validation phase. In each stage, appropriate documentation
|
|
shall be provided. All commits shall be related to a bug report
|
|
or change request in the issue tracker. Commits without a valid
|
|
reference shall be denied.
|
|
|
|
Based on these design principles and commonly accepted best practices, a
|
|
secure development guide shall be developed, published, and implemented
|
|
into the Zephyr development process. Further details on this are given
|
|
in the `Secure Design`_ section.
|
|
|
|
Quality Assurance
|
|
=================
|
|
|
|
The quality assurance part encompasses the following criteria:
|
|
|
|
- **Adherence to the Coding Guidelines** with respect to coding style,
|
|
naming schemes of modules, functions, variables, and so forth.
|
|
This increases the readability of the Zephyr code base and eases
|
|
the code review. These coding guidelines are enforced by
|
|
automated scripts prior to check-in.
|
|
|
|
- **Adherence to Deployment Guidelines** is required to ensure
|
|
consistent releases with a well-documented feature set and a
|
|
trackable list of security issues.
|
|
|
|
- **Code Reviews** ensure the functional correctness of the code base
|
|
and shall be performed on each proposed code change prior to
|
|
check-in. Code reviews shall be performed by at least one
|
|
independent reviewer other than the author(s) of the code change.
|
|
These reviews shall be performed by the subsystem maintainers and
|
|
developers on a functional level and are to be distinguished from
|
|
security reviews as laid out in Chapter 4. Please refer to the
|
|
`development model documentation`_ on the Zephyr project Wiki.
|
|
|
|
- **Static Code Analysis** tools efficiently detect common coding
|
|
mistakes in large code bases. All code shall be analyzed using an
|
|
appropriate tool prior to merges into the main repository. This
|
|
is not per individual commit, but is to be run on some interval
|
|
on specific branches. It is mandatory to remove all findings or
|
|
waive potential false-positives before each release. To process
|
|
process documentation. Waivers shall be documented centrally and
|
|
in form of a comment inside the source code itself. The
|
|
documentation shall include the employed tool and its version,
|
|
the date of the analysis, the branch and parent revision number,
|
|
the reason for the waiver, the author of the respective code, and
|
|
the approver(s) of the waiver. This shall as a minimum run on the
|
|
main release branch and on the security branch. It shall be
|
|
ensured that each release has zero issues with regard to static
|
|
code analysis (including waivers). Please refer to the
|
|
`development model documentation`_ on the Zephyr project Wiki.
|
|
|
|
- **Complexity Analyses** shall be performed as part of the development
|
|
process and metrics such as cyclomatic complexity shall be
|
|
evaluated. The main goal is to keep the code as simple as
|
|
possible.
|
|
|
|
- **Automation:** the review process and checks for coding rule
|
|
adherence are a mandatory part of the precommit checks. To
|
|
ensure consistent application, they shall be automated as part of
|
|
the precommit procedure. Prior to merging large pieces of code
|
|
in from subsystems, in addition to review process and coding rule
|
|
adherence, all static code analysis must have been run and issues
|
|
resolved.
|
|
|
|
Release and Lifecycle Management
|
|
================================
|
|
|
|
Lifecycle management contains several aspects:
|
|
|
|
- **Device management** encompasses the possibility to update the
|
|
operating system and/or security related sub-systems of Zephyr
|
|
enabled devices in the field.
|
|
|
|
- **Lifecycle management:** system stages shall be defined and
|
|
documented along with the transactions between the stages in a
|
|
system state diagram. For security reasons, this shall include
|
|
locking of the device in case an attack has been detected, and a
|
|
termination if the end of life is reached.
|
|
|
|
- **Release management** describes the process of defining the release
|
|
cycle, documenting releases, and maintaining a record of known
|
|
vulnerabilities and mitigations. Especially for certification
|
|
purposes the integrity of the release needs to be ensured in a
|
|
way that later manipulation (e.g. inserting of backdoors, etc.)
|
|
can be easily detected.
|
|
|
|
- **Rights management and NDAs:** if required by the chosen
|
|
certification, the confidentiality and integrity of the system
|
|
needs to be ensured by an appropriate rights management (e.g.
|
|
separate source code repository) and non-disclosure agreements
|
|
between the relevant parties. In case of a repository shared
|
|
between several parties, measures shall be taken that no
|
|
malicious code is checked in.
|
|
|
|
These points shall be evaluated with respect to their impact on the
|
|
development process employed for the Zephyr project.
|
|
|
|
Secure Design
|
|
*************
|
|
|
|
In order to obtain a certifiable system or product, the security process
|
|
needs to be clearly defined and its application needs to be monitored
|
|
and driven. This process includes the development of security related
|
|
modules in all of its stages and the management of reported security
|
|
issues. Furthermore, threat models need to be created for currently
|
|
known and future attack vectors, and their impact on the system needs to
|
|
be investigated and mitigated. Please refer to the
|
|
`secure coding guidelines`_ outlined in the Zephyr project documentation
|
|
for detailed information.
|
|
|
|
The software security process includes:
|
|
|
|
- **Adherence to the Secure Development Guidelines** is mandatory to
|
|
avoid that individual components breach the system security and
|
|
to minimize the vulnerability of individual modules. While this
|
|
can be partially achieved by automated tests, it is inevitable to
|
|
investigate the correct implementation of security features such
|
|
as countermeasures manually in security-critical modules.
|
|
|
|
- **Security Reviews** shall be performed by a security architect in
|
|
preparation of each security-targeted release and each time a
|
|
security-related module of the Zephyr project is changed. This
|
|
process includes the validation of the effectiveness of
|
|
implemented security measures, the adherence to the global
|
|
security strategy and architecture, and the preparation of audits
|
|
towards a security certification if required.
|
|
|
|
- **Security Issue Management** encompasses the evaluation of potential
|
|
system vulnerabilities and their mitigation as described in the
|
|
`Security Issue Management`_ Section.
|
|
|
|
These criteria and tasks need to be integrated into the development
|
|
process for secure software and shall be automated wherever possible. On
|
|
system level, and for each security related module of the secure branch
|
|
of Zephyr, a directly responsible security architect shall be defined to
|
|
guide the secure development process.
|
|
|
|
Security Architecture
|
|
=====================
|
|
|
|
The general guidelines above shall be accompanied by an architectural
|
|
security design on system- and module-level. The high level
|
|
considerations include
|
|
|
|
- The identification of **security and compliance requirements**
|
|
|
|
- **Functional security** such as the use of cryptographic functions
|
|
whenever applicable
|
|
|
|
- Design of **countermeasures** against known attack vectors
|
|
|
|
- Recording of security relevant **auditable events**
|
|
|
|
- Support for **Trusted Platform Modules (TPM)** and
|
|
**Trusted Execution Environments (TEE)**
|
|
|
|
- Mechanisms to allow for **in-the-field** **updates** of devices using
|
|
Zephyr
|
|
|
|
- Task scheduler and separation
|
|
|
|
The security architecture development is based on assets derived from
|
|
the structural overview of the overall system architecture. Based on
|
|
this, the individual steps include:
|
|
|
|
1. **Identification of assets** such as user data, authentication and
|
|
encryption keys, key generation data (obtained from RNG),
|
|
security relevant status information.
|
|
|
|
2. **Identification of threats** against the assets such as breaches of
|
|
confidentiality, manipulation of user data, etc.
|
|
|
|
3. **Definition of requirements** regarding security and protection of
|
|
the assets, e.g. countermeasures or memory protection schemes.
|
|
|
|
The security architecture shall be harmonized with the existing system
|
|
architecture and implementation to determine potential deviations and
|
|
mitigate existing weaknesses. Newly developed sub-modules that are
|
|
integrated into the secure branch of the Zephyr project shall provide
|
|
individual documents describing their security architecture.
|
|
Additionally, their impact on the system level security shall be
|
|
considered and documented.
|
|
|
|
Security Issue Management
|
|
=========================
|
|
|
|
In order to quickly respond to security threats towards the Zephyr RTOS,
|
|
a well-defined security issue management needs to be established.
|
|
|
|
Such issues shall be reported through the Zephyr Jira bug tracking
|
|
system. Some JIRA modifications will be necessary to accommodate
|
|
management of security issues. In addition, there will be guidelines
|
|
that govern visibility, control, and resolution of security issues. The
|
|
following is the current proposal:
|
|
|
|
- A boolean field shall be added to JIRA bugs to mark it security
|
|
sensitive (or any other name that makes sense). This renders the
|
|
entry invisible to anyone except as described below.
|
|
|
|
- Security sensitive bugs are only accessible (view/modify) to members
|
|
of the Security Group; members of this Security Group are:
|
|
|
|
- members of the Security Subcommittee
|
|
|
|
- other as proposed and ratified Security Subcommittee, who will
|
|
also have the authority to remove others
|
|
|
|
- the reporter
|
|
|
|
- Ability to add other users for individual issues
|
|
|
|
- Security Subcommittee meetings have to review the embargoed bugs on
|
|
every meeting with more than three people in attendance. Said
|
|
review process shall decide if new issues needs to be embargoed
|
|
or not.
|
|
|
|
- Security sensitive bugs shall be made public (by removing the
|
|
security sensitive indicator) after an embargo period of TBD
|
|
days. The Security Subcommittee is the only entity with authority
|
|
to extend the embargo period on a case by case basis; the JIRA
|
|
entry should be updated with the rationale for the embargo
|
|
extension so at some point said rationale will be made public.If
|
|
the Security Subcommittee does not act upon a security sensitive
|
|
bug after its TBD days of embargo are over, it shall be
|
|
automatically made public by removing the security sensitive
|
|
setting.
|
|
|
|
- Likewise, there shall be code repositories marked as security
|
|
sensitive, accessible only to the Security Group members where
|
|
the code to fix said issues is being worked on and reviewed. The
|
|
person/s contributing the fix shall also have access, but fix
|
|
contributors shall have only access to the tree for said fix, not
|
|
to other security sensitive trees.
|
|
|
|
- A CVE space shall be allocated to assign Zephyr issues when the SWG
|
|
decides such is needed.
|
|
|
|
- The severity of the issue with regard to security shall be entered by
|
|
the reporter.
|
|
|
|
- All security relevant issues shall trigger an automated notification
|
|
on the Zephyr security mailing list
|
|
(vulnerabilities@zephyrproject.org). Any member of the security
|
|
board can then triage the severity of the issue according to the
|
|
`Common Vulnerability Scoring System v3.0 <CVSS_>`_
|
|
|
|
- Depending on the resulting severity score of the issue, the issue is
|
|
prioritized and assigned to the owner of the affected module.
|
|
Additionally, the system security architect and the security
|
|
architect of the module are notified and shall take the
|
|
responsibility to mitigate the issue and review the solution or
|
|
counter-measure. In any case, the security issue shall be
|
|
documented centrally, including the affected modules, software
|
|
releases, and applicable workarounds for immediate mitigation. A
|
|
list of known security issues per public release of the Zephyr
|
|
shall be published and maintained by the security board after a
|
|
risk assessment.
|
|
|
|
Threat Modeling and Mitigation
|
|
==============================
|
|
|
|
The modeling of security threats against the Zephyr RTOS is required for
|
|
the development of an accurate security architecture and for most
|
|
certification schemes. The first step of this process is the definition
|
|
of assets to be protected by the system. The next step then models how
|
|
these assets are protected by the system and which threats against them
|
|
are present. After a threat has been identified, a corresponding threat
|
|
model is created. This model contains the asset and system
|
|
vulnerabilities, as well as the description of the potential exploits of
|
|
these vulnerabilities. Additionally, the impact on the asset, the module
|
|
it resides in, and the overall system is to be estimated. This threat
|
|
model is then considered in the module and system security architecture
|
|
and appropriate counter-measures are defined to mitigate the threat or
|
|
limit the impact of exploits.
|
|
|
|
In short, the threat modeling process can be separated into these steps
|
|
(adapted from `Application Thread Modeling`_:
|
|
|
|
1. Definition of assets
|
|
|
|
2. Application decomposition and creation of appropriate data flow
|
|
diagrams (DFDs)
|
|
|
|
3. Threat identification and categorization using the `STRIDE`_ and
|
|
`CVSS`_ approaches
|
|
|
|
4. Determination of countermeasures and other mitigation approaches
|
|
|
|
This procedure shall be carried out during the design phase of modules
|
|
and before major changes of the module or system architecture.
|
|
Additionally, new models shall be created or existing ones shall be
|
|
updated whenever new vulnerabilities or exploits are discovered. During
|
|
security reviews, the threat models and the mitigation techniques shall
|
|
be evaluated by the responsible security architect.
|
|
|
|
From these threat models and mitigation techniques tests shall be
|
|
derived that prove the effectiveness of the countermeasures. These tests
|
|
shall be integrated into the continuous integration workflow to ensure
|
|
that the security is not impaired by regressions.
|
|
|
|
Vulnerability Analyses
|
|
======================
|
|
|
|
In order to find weak spots in the software implementation,
|
|
vulnerability analyses (VA) shall be performed. Of special interest are
|
|
investigations on cryptographic algorithms, critical OS tasks, and
|
|
connectivity protocols.
|
|
|
|
On a pure software level, this encompasses
|
|
|
|
- **Penetration testing** of the RTOS on a particular hardware
|
|
platform, which involves testing the respective Zephyr OS
|
|
configuration and hardware as one system.
|
|
|
|
- **Side channel attacks** (timing invariance, power invariance, etc.)
|
|
should be considered. For instance, ensuring **timing
|
|
invariance** of the cryptographic algorithms and modules is
|
|
required to reduce the attack surface. This applies to both the
|
|
software implementations and when using cryptographic hardware.
|
|
|
|
- **Fuzzing tests** shall be performed on both exposed APIs and
|
|
protocols.
|
|
|
|
The list given above serves primarily illustration purposes. For each
|
|
module and for the complete Zephyr system (in general on a particular
|
|
hardware platform), a suitable VA plan shall be created and executed.
|
|
The findings of these analyses shall be considered in the security issue
|
|
management process, and learnings shall be formulated as guidelines and
|
|
incorporated into the secure coding guide.
|
|
|
|
If possible (as in case of fuzzing analyses), these tests shall be
|
|
integrated into the continuous integration process.
|
|
|
|
Security Certification
|
|
**********************
|
|
|
|
One goal of creating a secure branch of the Zephyr RTOS is to create a
|
|
certifiable system or certifiable submodules thereof. The certification
|
|
scope and scheme is yet to be decided. However, many certification such
|
|
as Common Criteria [CCITSE12]_ require evidence that the evaluation
|
|
claims are indeed fulfilled, so a general certification process is
|
|
outlined in the following. Based on the final choices for the
|
|
certification scheme and evaluation level, this process needs to be
|
|
refined.
|
|
|
|
Generic Certification Process
|
|
=============================
|
|
|
|
In general, the steps towards a certification or precertification
|
|
(compare [MICR16]_) are:
|
|
|
|
1. The **definition of assets** to be protected within the Zephyr RTOS.
|
|
Potential candidates are confidential information such as
|
|
cryptographic keys, user data such as communication logs, and
|
|
potentially IP of the vendor or manufacturer.
|
|
|
|
2. Developing a **threat model** and **security architecture** to
|
|
protect the assets against exploits of vulnerabilities of the
|
|
system. As a complete threat model includes the overall product
|
|
including the hardware platform, this might be realized by a
|
|
split model containing a precertified secure branch of Zephyr
|
|
which the vendor could use to certify their Zephyr-enabled
|
|
product.
|
|
|
|
3. Formulating an **evaluation target** that includes the
|
|
**certification claims** on the security of the assets to be
|
|
evaluated and certified, as well as assumptions on the operating
|
|
conditions.
|
|
|
|
4. Providing **proof** that the claims are fulfilled. This includes
|
|
consistent documentation of the security development process,
|
|
etc.
|
|
|
|
These steps are partially covered in previous sections as well. In
|
|
contrast to these sections, the certification process only requires to
|
|
consider those components that shall be covered by the certification.
|
|
The security architecture, for example, considers assets on system level
|
|
and might include items not relevant for the certification.
|
|
|
|
Certification Options
|
|
=====================
|
|
|
|
For the security certification as such, the following options can be
|
|
pursued:
|
|
|
|
1. **Abstract precertification of Zephyr as a pure software system:**
|
|
this option requires assumptions on the underlying hardware
|
|
platform and the final application running on top of Zephyr. If
|
|
these assumptions are met by the hardware and the application, a
|
|
full certification can be more easily achieved. This option is
|
|
the most flexible approach but puts the largest burden on the
|
|
product vendor.
|
|
|
|
2. **Certification of Zephyr on specific hardware platform without a
|
|
specific application in mind:** this scenario describes the
|
|
enablement of a secure platform running the Zephyr RTOS. The
|
|
hardware manufacturer certifies the platform under defined
|
|
assumptions on the application. If these are met, the final
|
|
product can be certified with little effort.
|
|
|
|
3. **Certification of an actual product:** in this case, a full product
|
|
including a specific hardware, the Zephyr RTOS, and an
|
|
application is certified.
|
|
|
|
In all three cases, the certification scheme (e.g. FIPS 140-2 [NIST02]_
|
|
or Common Criteria [CCITSE12]_), the scope of the certification
|
|
(main-stream Zephyr, security branch, or certain modules), and the
|
|
certification/assurance level need to be determined.
|
|
|
|
In case of partial certifications (options 1 and 2), assumptions on
|
|
hardware and/or software are required for certifications. These can
|
|
include [GHS10]_
|
|
|
|
- **Appropriate physical security** of the hardware platform and its
|
|
environment.
|
|
|
|
- **Sufficient protection of storage and timing channels** on
|
|
the hardware platform itself and all connected devices. (No mentioning of
|
|
remote connections.)
|
|
|
|
- Only **trusted/assured applications** running on the device
|
|
|
|
- The device and its software stack is configured and operated by
|
|
**properly trained and trusted individuals** with no malicious
|
|
intent.
|
|
|
|
These assumptions shall be part of the security claim and evaluation
|
|
target documents.
|
|
|
|
References
|
|
**********
|
|
|
|
See :ref:`security-citations`
|
|
|
|
.. _`RFC2119`: https://www.ietf.org/rfc/rfc2119.txt
|
|
.. _`Application Thread Modeling`: https://www.owasp.org/index.php/Application_Threat_Modeling
|
|
.. _`STRIDE`: https://msdn.microsoft.com/en-us/library/ee823878%28v=cs.20%29.aspx
|
|
.. _`Zephyr Kernel subsystem documentation`: https://www.zephyrproject.org/doc/subsystems/subsystems.html
|
|
.. _`secure coding guidelines`: https://www.zephyrproject.org/doc/contribute/security.html
|
|
.. _`development model documentation`: https://github.com/zephyrproject-rtos/zephyr/wiki/Development-Model
|
|
.. _`CVSS`: https://www.first.org/cvss/specification-document
|