INTRODUCING: VIGILES – LINUX SECURITY MONITORING TOOL
Introduction and Overview
December 2019
NXP, External Use
Agenda
▪ Keeping your product secure
  • Why do I care?
  • What is a CVE?
▪ Challenges with CVEs and keeping secure
▪ Vigiles – tools for finding CVEs and fixes
  • NXP Yocto – starting point
  • Security reports with analysis
▪ Q&A
Security risk on critical applications
[Images: City, Kiosk, Government, Medical, Military]
CVE – Publicly recognized security issue
▪ CVE-ID
▪ Description of the issue
▪ Estimated severity (CVSS – Common Vulnerability Scoring System)
  • Low to Critical, 0.0 to 10.0
▪ Estimated impact and domain scores
  • e.g. "Attack Vector", "User Interaction", "Scope", "Confidentiality", …
▪ Affected products and version numbers (CPEs – Common Platform Enumeration)
  • e.g. cpe:2.3:a:openssl:openssl:1.1.0g:*:*:*:*:*:*:*
  • Key piece for automation
▪ List of reference links
  • Exploits, patches, bug entry, mitigation, advisories, …
▪ Vulnerability type (CWE – Common Weakness Enumeration)
  • e.g. "buffer overflow", "pointer issues"
Example: CVE-2018-18074
Current Description
  The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Impact – CVSS v3.0 Severity and Metrics
  Base Score: 9.8 CRITICAL
  Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Impact Score: 5.9
  Exploitability Score: 3.9
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
  Scope (S): Unchanged
  Confidentiality (C): High
  Integrity (I): High
  Availability (A): High
Known Affected Software Configurations
  cpe:2.3:a:python-requests:requests:*:*:*:*:*:*:*:*  Up to (excluding) 2.20.0
Vulnerabilities are increasing!
[Chart: Vulnerabilities By Year] Reported vulnerabilities have reached 14558+ in 2019 (avg. 280 a week)
[Chart: Vulnerability Distribution By CVSS Scores] Issue severity scores (all issues): avg. = 6.1
• How do we keep devices secure?
  − Companies must integrate additional governance into development processes
Source: cvedetails
Options for product developers
With 280+ vulnerabilities reported each week, product developers can …
• Ignore them → increases security risk for customers and liability for themselves
• Deal with them via a manual process → consumes many hours of key staff time, still misses many issues, and fixes are difficult
• Use open source vulnerability assessment tools → reduces time spent, but chases many false positives, misses issues, and does not help with fixes
• Adopt an automated monitoring, tracking and mitigation tool → Vigiles cuts the security management & mitigation burden by 90%
Manual monitoring process is expensive and error-prone
Software manifest
  Name          Version
  Linux kernel  4.4.15 LTS
  openssl       1.0.2o
  bash          4.4.19
  …             …
Challenges
• Difficult to identify which open source components are used/maintained
• There is no unified name for open source components: a CVE can be reported against linux-kernel, Linux, kernel, etc.
Manual process of finding & analyzing patches is time-consuming
Unfixed CVE List → Find Version with a Fix → Find Patch → Apply Patches → Retest Entire BSP → Release
Challenges
• Finding software versions that could be used and are maintained is very time-consuming
• Difficult to find correct patches for all CVEs
• Testing patches
• Retesting the entire BSP
Challenges with keeping devices secure – CVE data quality (false positives and misses)
▪ Inconsistent naming
  • arm-trusted-firmware, arm_trusted_firmware, trusted_firmware-a
▪ Typos
  • Version number – CVE-2016-1234: 2.2.3 instead of 2.23 (corrected now)
  • CVE product name – CVE-2016-1494: python instead of rsa (corrected now)
▪ Incorrect/incomplete analysis
  • CVE-2018-14618: up to 7.61.1 instead of 7.15.4 to 7.61.1
▪ Outdated information
  • Kernel CVEs (more later)
▪ No version or CPE information
  • CVE-2018-10845: cpe:2.3:a:gnu:gnutls:-:*:*:*:*:*:*:*
Challenges with keeping devices secure – Linux kernel CVEs
▪ Typically, a new kernel CVE is listed as affecting all versions up to the latest
▪ Kernel maintainers do a fantastic job of backporting fixes to LTS branches
  • NVD CPE info is not updated when patches are backported, so an LTS kernel that already carries the fix still matches the CVE
[Chart: approx. numbers as of 7/30/2019]
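The three preceding slides (manual monitoring, CVE data quality, kernel backports) describe one matching problem from three sides. The scanner below is an added example written for this page, not Vigiles code: it canonicalises component names so that "Linux kernel", "linux-kernel" and "kernel" all hit the same CPE product, compares versions as parsed tuples rather than strings (so 1.0.2o is correctly older than 1.0.2p), refuses to silently drop a CVE whose CPE carries no version at all (the CVE-2018-10845 case on the data-quality slide) by marking it for review instead, and consults a curated backport table for stable branches that NVD does not reflect. The CSV manifest, the CVE-EXAMPLE-* records, their version ranges and the backport entry are constructed sample data; the name,version CSV columns are an assumption, since the deck only states that CSV manifests are accepted and does not show the format. Version typos such as 2.2.3 for 2.23 cannot be caught by code like this; they need human curation of the CVE data.

```python
import csv
import io
import re

# Constructed sample manifest (name,version columns are an assumption about the upload format).
MANIFEST_CSV = """name,version
Linux kernel,4.4.15
openssl,1.0.2o
bash,4.4.19
gnutls,3.5.18
"""

# Spellings that appear in CVE data for the same component, mapped to one CPE product name.
ALIASES = {
    "linux kernel": "linux_kernel", "linux-kernel": "linux_kernel",
    "linux": "linux_kernel", "kernel": "linux_kernel",
    "arm-trusted-firmware": "trusted_firmware-a",
    "arm_trusted_firmware": "trusted_firmware-a",
}

# Constructed CVE records in the shape of NVD "configurations" data: a CPE plus optional
# version bounds. The CVE-EXAMPLE-* IDs and ranges are illustration only, not real advisories.
CVE_RECORDS = [
    {"id": "CVE-EXAMPLE-0001", "cpe": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
     "start_incl": "1.0.2", "end_excl": "1.0.2p"},      # bounded range (cf. CVE-2018-14618)
    {"id": "CVE-EXAMPLE-0002", "cpe": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
     "start_incl": None, "end_excl": "5.2.5"},            # "all versions up to the latest"
    {"id": "CVE-EXAMPLE-0003", "cpe": "cpe:2.3:a:gnu:gnutls:-:*:*:*:*:*:*:*",
     "start_incl": None, "end_excl": None},               # no version at all (cf. CVE-2018-10845)
    {"id": "CVE-EXAMPLE-0004", "cpe": "cpe:2.3:a:gnu:bash:*:*:*:*:*:*:*:*",
     "start_incl": None, "end_excl": "4.4.12"},           # fixed before the manifest's 4.4.19
]

# Curated stable-branch backports that NVD's CPE data does not reflect:
# (cve_id, branch) -> first fixed version on that branch. Hypothetical entry.
BACKPORT_FIXES = {("CVE-EXAMPLE-0002", "4.4"): "4.4.10"}


def canonical_name(name):
    """Map a manifest name to a CPE product name, tolerating case and '-'/'_'/' ' variants."""
    key = name.strip().lower()
    if key in ALIASES:
        return ALIASES[key]
    return re.sub(r"[\s-]+", "_", key)


def version_key(v):
    """'1.0.2o' -> ((0,1),(0,0),(0,2),(1,'o')). Numbers compare as ints, letters as
    strings; the type tag keeps an int from ever being compared with a str."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[a-zA-Z]+", v))


def cpe_product(cpe):
    """cpe:2.3:<part>:<vendor>:<product>:<version>:... -> <product>"""
    return cpe.split(":")[4]


def match(component, version, record):
    """Return 'affected', 'not_affected' or 'review' for one manifest entry and one CVE."""
    if cpe_product(record["cpe"]) != component:
        return "not_affected"
    if record["start_incl"] is None and record["end_excl"] is None:
        return "review"                       # NVD gave no version: never drop silently
    v = version_key(version)
    if record["start_incl"] and v < version_key(record["start_incl"]):
        return "not_affected"
    if record["end_excl"] and v >= version_key(record["end_excl"]):
        return "not_affected"
    # NVD says affected; check whether the stable branch already carries a backported fix.
    branch = ".".join(version.split(".")[:2])
    fixed = BACKPORT_FIXES.get((record["id"], branch))
    if fixed and v >= version_key(fixed):
        return "not_affected"
    return "affected"


def scan(manifest_csv, records=CVE_RECORDS):
    """Scan a CSV manifest; return {cve_id: status} for every CVE that is not ruled out."""
    findings = {}
    for row in csv.DictReader(io.StringIO(manifest_csv)):
        component = canonical_name(row["name"])
        for rec in records:
            status = match(component, row["version"], rec)
            if status != "not_affected":
                findings[rec["id"]] = status
    return findings


if __name__ == "__main__":
    for cve_id, status in sorted(scan(MANIFEST_CSV).items()):
        print(cve_id, status)
```

Run on the constructed manifest, the openssl entry is reported as affected, the gnutls entry is flagged for review, bash is ruled out by the version bound, and the 4.4.15 kernel is ruled out only because of the backport table, which is exactly the information a curated database adds on top of the raw NVD feed.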
Challenges with keeping devices secure – delays in CVE reporting / analysis
CVE-2019-6690 (python-gnupg)
  1/19: Vulnerability discovered (private)
  1/20: PoC created
  1/22: Applied for CVE, vendor notified
  1/23: CVE-2019-6690 assigned
  1/23: Vendor responded, fix committed
  1/25: Disclosed on oss-security (public)
  3/21: NVD publishes CVE
  4/2:  NVD analysis – adds CPE tags
  68 days from being public to NVD analysis
CVE-2019-5436 (libcurl)
  4/29: Reported on hackerone (private)
  4/29: Fix developed (private)
  5/15: Disclosed on distros list (private)
  5/20: Fix appears on github
  5/22: Disclosed on oss-security (public)
  5/28: NVD publishes CVE
  5/29: NVD analysis – adds CPE tags
  7 days from being public to NVD analysis
NXP Presents Vigiles*: Keeping your Linux BSP Secure – www.nxp.com/vigiles
On-demand security monitoring for more secure systems
• NXP takes great care to ensure the BSP releases use recent software when rolled out
  − As time goes on, new CVEs are reported, and developers customize BSPs to meet product requirements, resulting in possible exposure to security issues
  − Staying secure is a process that must be implemented by your engineering team
• Vigiles enables you to quickly and efficiently analyze security issues and take action
  − Automatically scans for and identifies vulnerabilities specific to your projects and software components
  − Produces highly accurate security reports which, combined with a very low false positive rate, give you ongoing product security management that is streamlined and highly efficient
Features
• On-demand vulnerability reports
• Automatic alerts for newly discovered CVEs
• Filtering CVEs by severity and whitelisting security non-issues
• Provides direct links to fixes
• Can be bundled with Pro-Support for assistance
Benefits
• Maintain strong product security throughout your product lifecycles
• Bring more secure products to market faster
• Make security a key product differentiator
• Works with ANY Yocto-based BSP
• Start for free
* Vigiles is powered by a third-party vendor
Vigiles Technology Architecture
[Diagram: Vigiles CVE Manager]
• Data feeds: NVD feed, Canonical, Kernel, Buildroot/Version feeds, security bulletins, issue trackers
• Vigiles CVE Manager: NVD Analyzer, automatic filter & disambiguation, curated CVE database, vulnerability scanner, patch/version analyzer, CVE analyzer, patch notifier, component tracker, notification service
• Inputs: Yocto layer meta-timesys (Yocto manifest), customer BSP or source (component list)
• End user: web UI, dashboard, CVE reports, conflict notifier, results, patch status
• BSP maintenance (patch/update manager) and the Vigiles team for NXP Pro-Support customers
How to start with Vigiles – www.nxp.com/vigiles
Register for the 30-day Vigiles trial
NXP Yocto – Vigiles starting point
• Vigiles is enabled with a Yocto metalayer (meta-timesys)
• Easily used with the NXP Yocto Project
  − Can be added to any NXP Yocto BSP (https://github.com/TimesysGit/meta-timesys):
      RELEASE=thud
      git clone https://github.com/TimesysGit/meta-timesys.git -b $RELEASE
  − Comes pre-integrated into NXP's Yocto BSP, starting from Yocto "Thud" (https://source.codeaurora.org/external/imx/imx-manifest/)
Vigiles process for Yocto Project
• Step 1: Configure your Yocto build for scanning with Vigiles (in conf/local.conf):
      INHERIT += "vigiles"
      VIGILES_KEY_FILE = "/tools/timesys/linuxlink_key"
• Step 2: Fine-tune the scanning results by pointing to your Linux kernel configuration, so CVEs in code your kernel does not build are filtered out:
      VIGILES_KERNEL_CONFIG = "/projects/kernel/linux-4.14-ts+imx-1.0/.config"
• Step 3: Run the scan:
      $ bitbake -c vigiles_check core-image-minimal
• Step 4: Look at the report locally
• Step 5: Look at the details, analyze, and triage using the Vigiles online UI
Vigiles demonstration
Vigiles Solution
• Upload Yocto, Buildroot, Factory, or CSV manifests
• Yocto – command-line capable
• Team sharing for triage collaboration
• Notification management
• Unfixed and fixed CVE trend
Vigiles: BASIC – On-Demand Report
Vigiles: PLUS – adds collaboration, sorting and filtering
• Team sharing of product configuration and reports
• Product source configuration
• Configuration-specific security reports
Vigiles: PRIME – includes links to patches and more filtering
• Link to the patch in kernel mainline
• Minimum version with a fix
• Link to CVE details (PLUS)
• Filter by CVSS (PLUS)
• Filter by kernel config
• Filter by CVE vector
• Team collaboration and triage notes (PLUS)
• Not relevant – move to whitelist (PLUS)
Three options for a more secure solution
NXP Pro-Support can be added to any package for patch assistance and/or a semi-annual BSP maintenance package