TRANSCRIPT
EXTERNAL USE
DECEMBER 2019
INTRODUCING: VIGILES – LINUX SECURITY MONITORING TOOL
INTRODUCTION AND OVERVIEW
Agenda
▪ Keeping your product secure
  • Why do I care?
  • What is a CVE?
▪ Challenges with CVEs and keeping secure
▪ Vigiles – tools for finding CVEs and fixes
  • NXP Yocto – starting point
  • Security reports with analysis
▪ Q&A
Security risk on critical applications
[Slide image: example deployments – City Kiosk, Medical, Government, Military]
CVE – Publicly recognized security issue
▪ CVE-ID
▪ Description of the issue
▪ Estimated severity (CVSS – Common Vulnerability Scoring System)
  • Low to Critical, 0.0 to 10.0
▪ Estimated impact and domain scores
  • e.g. “Attack Vector”, “User Interaction”, “Scope”, “Confidentiality”, …
▪ Affected products, version numbers (CPEs – Common Platform Enumeration)
  • e.g. cpe:2.3:a:openssl:openssl:1.1.0g:*:*:*:*:*:*:*
    – Key piece for automation
▪ List of reference links
  • Exploits, patches, bug entry, mitigation, advisories...
▪ Vulnerability Type (CWE – Common Weakness Enumeration)
  • e.g. “buffer overflow”, “pointer issues”
Example: CVE-2018-18074
Impact
CVSS v3.0 Severity and Metrics:
  Base Score: 9.8 CRITICAL
  Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Impact Score: 5.9
  Exploitability Score: 3.9
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
  Scope (S): Unchanged
  Confidentiality (C): High
  Integrity (I): High
  Availability (A): High
Current Description
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Known Affected Software Configurations
  cpe:2.3:a:python-requests:requests:*:*:*:*:*:*:*:*
  Up to (excluding) 2.20.0
Vulnerabilities are increasing!
[Slide charts, source: cvedetails – “Vulnerabilities By Year”, “Vulnerability Distribution By CVSS Scores”, “Issue severity scores (all issues)”: average = 6.1]
• Reported vulnerabilities have reached 14558+ in 2019 (avg. 280 a week)
• How do we keep devices secure?
  − Companies must integrate additional governance into development processes
Options for product developers
With 280+ vulnerabilities reported each week, product developers can …
• Ignore them
  − Increase security risk for customers, liability for themselves
• Deal with them via a manual process
  − Consume many hours of key staff time, still miss many issues, fixes are difficult
• Use open source vulnerability assessment tools
  − Reduce time spent but chase many false positives, miss issues, no help with fixes
• Adopt an automated monitoring, tracking and mitigation tool
  − Vigiles cuts the security management & mitigation burden by 90%
Challenges
Manual monitoring process is expensive and error-prone
• There is no unified name for open source components. A CVE can be reported against linux-kernel, Linux, kernel, etc.
• Difficult to identify which open source components are used/maintained
Software manifest (example):
  Name           Version
  Linux kernel   4.4.15 LTS
  openssl        1.0.2o
  bash           4.4.19
  …              …
Challenges
Manual process of finding & analyzing patches is time-consuming
[Slide flow diagram: Release → Unfixed CVE List → Find Patch / Find Version with a Fix → Apply Patches → Retest Entire BSP]
• Difficult to find correct patches for all CVEs
• Finding software versions that could be used and are maintained is very time-consuming
• Testing patches
• Retesting the entire BSP
Challenges with keeping devices secure – CVE data quality (false positives and misses)
▪ Inconsistent naming
  • arm-trusted-firmware, arm_trusted_firmware, trusted_firmware-a
▪ Typos
  • Version number – CVE-2016-1234: 2.2.3 instead of 2.23 (corrected now)
  • CVE product name – CVE-2016-1494: python instead of rsa (corrected now)
▪ Incorrect/incomplete analysis
  • CVE-2018-14618: up to 7.61.1 instead of 7.15.4 to 7.61.1
▪ Outdated information
  • Kernel CVEs (more later)
▪ No version or CPE information
  • CVE-2018-10845: cpe:2.3:a:gnu:gnutls:-:*:*:*:*:*:*:*
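The naming and version problems listed above, and the manifest-to-CVE matching from the “Software manifest” slide, are what any automated matcher has to cope with. The Python example below is added here to show the mechanics; it is not Vigiles code and does not claim to reproduce how Vigiles disambiguates names. It parses CPE 2.3 strings, folds product aliases to one canonical name, compares versions with letter suffixes such as openssl 1.0.2o, applies the range fields the NVD JSON 1.1 feed uses (versionStartIncluding, versionEndExcluding, versionEndIncluding), and sends records whose CPE carries no version at all (the `-` in the gnutls entry) to manual review instead of guessing. The manifest rows are the ones from the slide plus three constructed rows; the two CVE-2018-* records are the ones shown on these slides, and the CVE-EXAMPLE-* records are placeholders with made-up ranges, not real advisories.

```python
import re

# Alias table: every spelling seen in the wild maps to one canonical name.
# The arm-trusted-firmware spellings are the ones from the slide; the kernel
# and requests entries are spellings NVD itself uses. Extend as you find more.
ALIASES = {
    "linux kernel": "linux_kernel", "linux-kernel": "linux_kernel",
    "linux": "linux_kernel", "kernel": "linux_kernel",
    "arm-trusted-firmware": "trusted_firmware-a",
    "arm_trusted_firmware": "trusted_firmware-a",
    "python-requests": "requests",
}

# Software manifest rows from the slide, plus three constructed rows so that
# every code path below is exercised.
MANIFEST = [
    ("Linux kernel", "4.4.15 LTS"),
    ("openssl", "1.0.2o"),
    ("bash", "4.4.19"),
    ("python-requests", "2.19.1"),        # constructed
    ("arm-trusted-firmware", "1.5"),      # constructed
    ("gnutls", "3.6.2"),                  # constructed
]

# Constructed mini feed in the shape of NVD JSON 1.1 cpe_match entries.
# CVE-2018-18074 and CVE-2018-10845 are the two records shown on the slides;
# the CVE-EXAMPLE-* records are placeholders, not real advisories.
FEED = [
    {"id": "CVE-2018-18074", "cpe": "cpe:2.3:a:python-requests:requests:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "2.20.0"},
    {"id": "CVE-2018-10845", "cpe": "cpe:2.3:a:gnu:gnutls:-:*:*:*:*:*:*:*"},
    {"id": "CVE-EXAMPLE-1", "cpe": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "1.0.2", "versionEndExcluding": "1.0.2p"},
    {"id": "CVE-EXAMPLE-2", "cpe": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
     "versionEndIncluding": "4.4.14"},
    {"id": "CVE-EXAMPLE-3", "cpe": "cpe:2.3:a:arm:trusted_firmware-a:1.5:*:*:*:*:*:*:*"},
    {"id": "CVE-EXAMPLE-4", "cpe": "cpe:2.3:a:gnu:bash:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "4.4.18"},
]

CPE_FIELDS = ["cpe", "cpe_version", "part", "vendor", "product", "version", "update",
              "edition", "language", "sw_edition", "target_sw", "target_hw", "other"]


def canonical(name):
    """Lower-case and fold known aliases so 'Linux kernel' and 'linux_kernel' compare equal."""
    n = name.strip().lower()
    return ALIASES.get(n, n)


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 13 fields; an escaped '\\:' is kept as ':'."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %r" % cpe)
    return dict(zip(CPE_FIELDS, (p.replace("\\:", ":") for p in parts)))


def version_key(v):
    """Sortable key: '1.0.2o' -> ((1,''),(0,''),(2,'o')); trailing words like 'LTS' are dropped."""
    key = []
    for comp in v.lower().split()[0].replace("-", ".").split("."):
        m = re.match(r"(\d*)([a-z]*)", comp)
        key.append((int(m.group(1)) if m.group(1) else 0, m.group(2)))
    return tuple(key)


def status(record, name, version):
    """'affected', 'not affected', or 'review' when the record has no usable version data."""
    cpe = parse_cpe23(record["cpe"])
    if canonical(cpe["product"]) != canonical(name):
        return "not affected"
    if cpe["version"] == "-":
        return "review"            # NVD 'NA' version and no range: versions never analysed
    vk = version_key(version)
    if cpe["version"] != "*":      # exact version carried in the CPE itself
        return "affected" if vk == version_key(cpe["version"]) else "not affected"
    lo = record.get("versionStartIncluding")
    hi_excl = record.get("versionEndExcluding")
    hi_incl = record.get("versionEndIncluding")
    if lo and vk < version_key(lo):
        return "not affected"
    if hi_excl and vk >= version_key(hi_excl):
        return "not affected"
    if hi_incl and vk > version_key(hi_incl):
        return "not affected"
    return "affected"              # wildcard with no range means "all versions" in NVD


def scan(manifest, feed):
    """Everything that is affected or needs a human look, as (cve, name, version, status)."""
    hits = []
    for rec in feed:
        for name, version in manifest:
            s = status(rec, name, version)
            if s != "not affected":
                hits.append((rec["id"], name, version, s))
    return hits


if __name__ == "__main__":
    for hit in scan(MANIFEST, FEED):
        print("%-16s %-22s %-10s %s" % hit)
```

Two design choices matter here. A wildcard CPE with no range is reported as affected rather than silently dropped, because that is what NVD means by it (and it is exactly the kernel situation described on the next slide); and a `-` version is never treated as “matches everything” or “matches nothing”, since either guess produces the false positives or misses the slide is warning about.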
Challenges with keeping devices secure – Linux kernel CVEs
▪ Typically, a new CVE is listed as affecting all versions up to the latest
▪ Kernel maintainers do a fantastic job at backporting fixes to LTS
  • NVD CPE info is not updated when patches are backported
(*approx. numbers: as of 7/30/2019)
Challenges with keeping devices secure – delays in CVE reporting / analysis
CVE-2019-6690 (python-gnupg)
  1/19: Vulnerability discovered (private)
  1/20: PoC created
  1/22: Applied for CVE, vendor notified
  1/23: CVE-2019-6690 assigned
  1/23: Vendor responded, fix committed
  1/25: Disclosed on oss-security (public)
  3/21: NVD publishes CVE
  4/2:  NVD analysis – adds CPE tags
  → 68 days from being public to NVD analysis
CVE-2019-5436 (libcurl)
  4/29: Reported on hackerone (private)
  4/29: Fix developed (private)
  5/15: Disclosed on distros list (private)
  5/20: Fix appears on github
  5/22: Disclosed on oss-security (public)
  5/28: NVD publishes CVE
  5/29: NVD analysis – adds CPE tags
  → 7 days from being public to NVD analysis
NXP Presents Vigiles*: Keeping your Linux BSP Secure – www.nxp.com/vigiles
Features
• On-demand vulnerability reports
• Automatic alerts for newly discovered CVEs
• Filtering CVEs by severity and whitelisting non-issues
• Provides direct links to fixes
• Can be bundled with Pro-Support for assistance
Benefits
• Maintain strong product security throughout your product lifecycles
• Bring more secure products to market faster
• Make security a key product differentiator
• Works with ANY Yocto based BSP
• Start for free
* Vigiles is powered by a third-party vendor
On-demand security monitoring for more secure systems
• NXP takes great care to ensure the BSP releases use recent software when rolled out
  − As time goes on, new CVEs are reported, and developers customize BSPs to meet product requirements, resulting in possible exposure to security issues
  − Staying secure is a process that must be implemented by your engineering team
• Vigiles enables you to quickly and efficiently analyze security issues and take action
  − Automatically scans for and identifies vulnerabilities specific to your projects and software components
  − Produces highly accurate security reports which, combined with a very low false positive rate, give you ongoing product security management that is streamlined and highly efficient
Vigiles Technology Architecture
[Slide diagram. Inputs: Customer BSP or source → Component List, produced by the Yocto layer meta-timesys (Yocto manifest) or by Buildroot. Vigiles: Vulnerability Scanner; CVE Manager with Feeds (NVD feed, Canonical, security bulletins, issue trackers) and CVE Analyzer (NVD Analyzer, Kernel Analyzer); Curated CVE Database; Patch/Version Database; automatic filter & disambiguation; status tracker; Conflict Notifier UI reviewed by the Vigiles team; Notification service; Patch Notifier. Outputs to the end user: Web Dashboard, CVE Reports, Results. For NXP Pro-Support customers: BSP Maintenance Patch/Update Manager.]
How to start with Vigiles – www.nxp.com/vigiles
Register for 30-day Vigiles trial
NXP Yocto – Vigiles starting point
• Vigiles is enabled with a Yocto metalayer (meta-timesys)
• Easily used with NXP Yocto Project
  − Can be added to any NXP Yocto BSP (https://github.com/TimesysGit/meta-timesys)
        RELEASE=thud
        git clone https://github.com/TimesysGit/meta-timesys.git -b $RELEASE
  − Comes pre-integrated into NXP’s Yocto BSP starting from Yocto “Thud” (https://source.codeaurora.org/external/imx/imx-manifest/)
Vigiles process for Yocto Project
• Step 1: Configure your Yocto build for scanning with Vigiles (in conf/local.conf)
        INHERIT += "vigiles"
        VIGILES_KEY_FILE = "/tools/timesys/linuxlink_key"
• Step 2: Fine tune the scanning results by pointing to your Linux kernel configuration
        VIGILES_KERNEL_CONFIG = "/projects/kernel/linux-4.14-ts+imx-1.0/.config"
• Step 3: Run the scan
        $ bitbake -c vigiles_check core-image-minimal
• Step 4: Look at the report locally
• Step 5: Look at the details, analyze, and triage using the Vigiles online UI
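Two kernel-specific points on this page can be checked locally before trusting any report: the “Linux kernel CVEs” slide (NVD keeps listing a CVE against every version after the fix has already been backported to an LTS branch) and Step 2 above (narrowing results with the kernel .config, since a CVE in code that is not compiled in is not relevant). The Python example below is added here; it is not Vigiles or NXP code and does not reproduce how the Vigiles Kernel Analyzer works. It assumes two inputs you would supply yourself: a curated table from CVE to the upstream fix commit and the Kconfig symbols that build the affected code (`KCONFIG_DEPS`, hypothetical, with placeholder IDs and hashes), and the text of `git log` for your stable branch. The .config fragment and log entries are constructed samples; the stable-tree convention the parser relies on is real: backported patches carry a `commit <sha> upstream.` line or an `[ Upstream commit <sha> ]` tag in their message.

```python
import re

# Constructed .config fragment (not a real build's config).
SAMPLE_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_NET=y
CONFIG_INET=y
# CONFIG_IPV6 is not set
CONFIG_BT=m
# CONFIG_USB_GADGET is not set
CONFIG_USB=y
"""

# Constructed output of: git log --format='%H%n%s%n%b--' <base>..<stable-branch>
# The hashes and subjects are made up; the two tagging styles are the real ones.
SAMPLE_STABLE_LOG = """\
1111111111111111111111111111111111111111
Bluetooth: fix a use-after-free in hci_event

commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa upstream.

Some description of the fix.
--
2222222222222222222222222222222222222222
ipv6: validate option length

[ Upstream commit bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb ]

Another description.
--
3333333333333333333333333333333333333333
Linux 4.14.100

--
"""

# Hypothetical curated table: CVE -> (upstream fix sha, Kconfig symbols that
# compile the affected code). This is what a vendor's analysts maintain; the
# CVE ids and shas here are placeholders, not real advisories.
KCONFIG_DEPS = {
    "CVE-EXAMPLE-BT":  ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", ["CONFIG_BT"]),
    "CVE-EXAMPLE-IP6": ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", ["CONFIG_IPV6"]),
    "CVE-EXAMPLE-GAD": ("cccccccccccccccccccccccccccccccccccccccc", ["CONFIG_USB_GADGET"]),
    "CVE-EXAMPLE-USB": ("dddddddddddddddddddddddddddddddddddddddd", ["CONFIG_USB"]),
}


def enabled_symbols(config_text):
    """Symbols set to y or m. '# CONFIG_X is not set' lines are deliberately skipped."""
    found = set()
    for line in config_text.splitlines():
        m = re.match(r"(CONFIG_[A-Za-z0-9_]+)=([ym])\b", line)
        if m:
            found.add(m.group(1))
    return found


def backported_commits(log_text):
    """Map upstream sha -> stable sha for every backport tag found in the log."""
    mapping = {}
    for entry in log_text.split("\n--\n"):
        lines = entry.strip().splitlines()
        if not lines:
            continue
        stable_sha = lines[0].strip()
        body = "\n".join(lines[1:])
        m = (re.search(r"^commit ([0-9a-f]{12,40}) upstream\.?$", body, re.M)
             or re.search(r"\[ Upstream commit ([0-9a-f]{12,40}) \]", body))
        if m:
            mapping[m.group(1)] = stable_sha
    return mapping


def triage(cve, config_text, log_text, deps=KCONFIG_DEPS):
    """Return 'not built', 'fixed in branch' or 'unfixed' for one kernel CVE."""
    upstream_sha, symbols = deps[cve]
    if not any(s in enabled_symbols(config_text) for s in symbols):
        return "not built"           # affected code is not in this kernel image
    for sha in backported_commits(log_text):
        # Allow abbreviated hashes on either side.
        if upstream_sha.startswith(sha) or sha.startswith(upstream_sha):
            return "fixed in branch"
    return "unfixed"


if __name__ == "__main__":
    for cve in KCONFIG_DEPS:
        print(cve, triage(cve, SAMPLE_CONFIG, SAMPLE_STABLE_LOG))
```

The config check runs first on purpose: a CVE in a driver that is not built is not worth a patch hunt, which is the filtering Step 2 enables. Note that the backport check only proves the fix is present in the branch you logged; it says nothing about a downstream vendor kernel that forked before that stable release, so run it against the branch you actually ship.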
Vigiles demonstration
Vigiles Solution
• Notification Management
• Upload Yocto, Buildroot, Factory, or CSV manifests
• Yocto – Command-line Capable
• Unfixed and Fixed CVE Trend
• Team Sharing for Triage Collaboration
Vigiles: BASIC – On-Demand Report
Vigiles: PLUS – adds collaboration, sorting and filtering
• Configuration specific Security Reports
• Product Source Configuration
• Team Sharing of Product Configuration and Reports
Vigiles: PRIME – Includes links to patches and more filtering
[Annotated report screenshot: link to the patch in kernel mainline; minimum version with a fix; link to CVE details (PLUS); team collaboration and triage notes (PLUS); filter by CVSS (PLUS); filter by CVE vector; filter by kernel config; “Not Relevant” – move to whitelist (PLUS)]
Three options for a more secure solution
NXP Pro-Support can be added to any package to assist with patch assistance and/or a semi-annual BSP maintenance package
DIY vulnerability mitigation cost: $96k vs. $10k
• Monitoring
  − $20K = weekly review of CVEs to stay on top — less accurate and more false positives
• Finding patches and fixed versions
  − $20K = average BSP requires 50 patches/year
  − $8K = toolchain patches to fix C/C++ runtime security issues
• $48K per configuration
  • # of configurations in a product family: 3 (2 deployed and 1 in development)
  • 50% redo (assume same software components with 50% different versions and kernel version)
  • $96K is the hidden cost for keeping the product family secure
  − Not including patching and testing
Do It Yourself: $96,000 / year    Vigiles: Starts at $10,000 / year
[Slide chart columns: Monitoring, Finding, Patching and Testing]
Layered approach
▪ Secure by design – one time implementation
  • Hardware lockdown (serial console, JTAG)
  • Secure boot, chain of trust
  • Secure storage and communications
  • Access control and hardening
  • Secure OS – OP-TEE / Arm TrustZone
  • Secure firmware update
  • Reduce attack surface
  • Security audit / pen testing
▪ Stay secure – ongoing process
  • Vulnerability monitoring and patching
  • Periodic upgrade
  • Audit log monitoring
Benefits of using NXP Vigiles
• Improved security − more coverage, better accuracy, early notification
• Time saved in monitoring − identifies/notifies on newly discovered CVEs AND fixes
• Reduced triage burden − fewer false positives, identifies already fixed CVEs, advanced filtering
• Workflow management − history, collaboration tools, notes, whitelist, exported reports
• Integrates into your engineering process − plugs into Yocto, security scan can be triggered for every build
Q & A