Page 1

INTRODUCING: VIGILES – LINUX SECURITY MONITORING TOOL

INTRODUCTION AND OVERVIEW

NXP External Use, December 2019

Page 2

Agenda

▪ Keeping your product secure
  • Why do I care?
  • What is a CVE?
▪ Challenges with CVEs and keeping secure
▪ Vigiles – tools for finding CVEs and fixes
  • NXP Yocto – starting point
  • Security reports with analysis
▪ Q&A

Page 3

Security risk on critical applications (illustrated: City Kiosk, Medical, Government, Military)

Page 4

CVE – Publicly recognized security issue

▪ CVE-ID
▪ Description of the issue
▪ Estimated severity (CVSS – Common Vulnerability Scoring System)
  • Low to Critical, 0.0 to 10.0
▪ Estimated impact and domain scores
  • e.g. “Attack Vector”, “User Interaction”, “Scope”, “Confidentiality”, …
▪ Affected products, version numbers (CPEs – Common Platform Enumeration)
  • e.g. cpe:2.3:a:openssl:openssl:1.1.0g:*:*:*:*:*:*:*
    – Key piece for automation
▪ List of reference links
  • Exploits, patches, bug entry, mitigation, advisories...
▪ Vulnerability Type (CWE – Common Weakness Enumeration)
  • e.g. “buffer overflow”, “pointer issues”

Page 5

Example: CVE-2018-18074

Impact
CVSS v3.0 Severity and Metrics:
Base Score: 9.8 CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 3.9
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Current Description
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

Known Affected Software Configurations
cpe:2.3:a:python-requests:requests:*:*:*:*:*:*:*:*
Up to (excluding) 2.20.0

Page 6

Vulnerabilities are increasing!
• How do we keep devices secure?
  − Companies must integrate additional governance into development processes

Charts (source: cvedetails): Vulnerabilities By Year; Vulnerability Distribution By CVSS Scores; Issue severity scores (all issues) Avg. = 6.1
Reported vulnerabilities have reached 14558+ in 2019 (avg. 280 a week)

Page 7

Options for product developers
With 280+ vulnerabilities reported each week, product developers can …

• Ignore them – increases security risk for customers, liability for themselves
• Adopt an automated monitoring, tracking and mitigation tool – Vigiles cuts security management & mitigation burden by 90%
• Use open source vulnerability assessment tools – reduces time spent but chases many false positives, misses issues, does not help with fixes
• Deal with them via a manual process – consumes many hours of key staff time, still misses many issues, fixes are difficult

Page 8

Manual monitoring process is expensive and error-prone

Challenges
• There is no unified name for open source components. A CVE can be reported for linux-kernel, Linux, kernel, etc.
• Difficult to identify which open source components are used/maintained

Software manifest (example):

Name          Version
Linux kernel  4.4.15 LTS
openssl       1.0.2o
bash          4.4.19
…             …

Page 9

Manual process of finding & analyzing patches is time-consuming

Process flow (diagram labels): Release, Unfixed CVE List, Find Patch, Find Version with a Fix, Apply Patches, Retest Entire BSP

Challenges
• Difficult to find correct patches for all CVEs
• Finding software versions that could be used and are maintained is very time-consuming
• Testing patches
• Retesting entire BSP

Page 10

Challenges with keeping devices secure – CVE data quality (false positives and misses)

▪ Inconsistent naming
  • arm-trusted-firmware, arm_trusted_firmware, trusted_firmware-a
▪ Typos
  • Version number – CVE-2016-1234: 2.2.3 instead of 2.23 (corrected now)
  • CVE product name – CVE-2016-1494: python instead of rsa (corrected now)
▪ Incorrect/incomplete analysis
  • CVE-2018-14618: up to 7.61.1 instead of 7.15.4 to 7.61.1
▪ Outdated information
  • Kernel CVEs (more later)
▪ No version or cpe information
  • CVE-2018-10845: cpe:2.3:a:gnu:gnutls:-:*:*:*:*:*:*:*
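The CPE matching that page 4 calls the key piece for automation, the "up to (excluding) 2.20.0" range from the CVE-2018-18074 example on page 5, and the naming and missing-version problems listed above come together in this added example; it is not code from the deck or from Vigiles. The alias table, the manifest versions and the NVD-style range keys (versionEndExcluding etc.) are constructed assumptions.

```python
import re

# Constructed alias table: manifest names as they appear in BSPs, mapped to the
# product name NVD uses ("linux-kernel", "Linux" and "kernel" all mean one product).
ALIASES = {"linux-kernel": "linux_kernel", "linux": "linux_kernel", "kernel": "linux_kernel",
           "arm-trusted-firmware": "arm_trusted_firmware",
           "trusted_firmware-a": "arm_trusted_firmware", "python-requests": "requests"}

def normalize(name):
    key = name.strip().lower()
    return ALIASES.get(key, key.replace("-", "_"))

def parse_version(v):
    # "1.0.2o" -> ((0,1),(0,0),(0,2),(1,"o")); the tag keeps ints and letters comparable
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[a-z]+", v.lower()))

def cpe_product_version(cpe23):
    f = cpe23.split(":")  # simplification: ignores escaped ':' inside CPE fields
    return f[4], f[5]     # cpe:2.3:<part>:<vendor>:<product>:<version>:...

def version_in_range(ver, cfg):
    # NVD-style range attributes (assumed key names); a missing key means that side is unbounded
    v = parse_version(ver)
    checks = (("versionStartIncluding", lambda b: v < b), ("versionStartExcluding", lambda b: v <= b),
              ("versionEndIncluding", lambda b: v > b), ("versionEndExcluding", lambda b: v >= b))
    return not any(cfg.get(k) and out(parse_version(cfg[k])) for k, out in checks)

def scan(manifest, cves):
    # Returns (cve_id, component, version, status) with status "affected" or "needs-review"
    hits = []
    for name, ver in manifest:
        for cve in cves:
            for cfg in cve["configurations"]:
                product, cpe_ver = cpe_product_version(cfg["cpe23"])
                if normalize(product) != normalize(name):
                    continue
                if cpe_ver == "-":  # NVD entry carries no version data: cannot auto-decide
                    hits.append((cve["id"], name, ver, "needs-review"))
                elif (cpe_ver == "*" and version_in_range(ver, cfg)) or parse_version(cpe_ver) == parse_version(ver):
                    hits.append((cve["id"], name, ver, "affected"))
    return hits

# Constructed manifest and CVE records; the two CPE strings and the range are the ones shown on the slides
MANIFEST = [("linux-kernel", "4.4.15"), ("openssl", "1.0.2o"), ("python-requests", "2.19.1"), ("gnutls", "3.6.4")]
CVES = [{"id": "CVE-2018-18074", "configurations": [{"cpe23": "cpe:2.3:a:python-requests:requests:*:*:*:*:*:*:*:*",
                                                     "versionEndExcluding": "2.20.0"}]},
        {"id": "CVE-2018-10845", "configurations": [{"cpe23": "cpe:2.3:a:gnu:gnutls:-:*:*:*:*:*:*:*"}]}]
```

Running scan(MANIFEST, CVES) flags python-requests 2.19.1 as affected and puts the version-less gnutls entry into a needs-review bucket instead of silently matching or dropping it.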

Page 11

Challenges with keeping devices secure – Linux kernel CVEs

▪ Typically, a new CVE is listed as affecting all versions up to the latest
▪ Kernel maintainers do a fantastic job at backporting fixes to LTS
  • NVD CPE info is not updated when patches are backported

(Chart; *approx. numbers as of 7/30/2019)

Page 12

Challenges with keeping devices secure – delays in CVE reporting / analysis

CVE-2019-6690 (python-gnupg)
1/19: Vulnerability discovered (private)
1/20: PoC created
1/22: Applied for CVE, vendor notified
1/23: CVE-2019-6690 assigned
1/23: Vendor responded, fix committed
1/25: Disclosed on oss-security (public)
3/21: NVD publishes CVE
4/2: NVD analysis – adds cpe tags
68 days from being public to NVD analysis

CVE-2019-5436 (libcurl)
4/29: Reported on hackerone (private)
4/29: Fix developed (private)
5/15: Disclosed on distros list (private)
5/20: Fix appears on github
5/22: Disclosed on oss-security (public)
5/28: NVD publishes CVE
5/29: NVD analysis – adds cpe tags
7 days from being public to NVD analysis

Page 13

NXP Presents Vigiles*: Keeping your Linux BSP Secure
www.nxp.com/vigiles

Features
• On-demand vulnerability reports
• Automatic alerts for newly discovered CVEs
• Filtering CVEs by severity and whitelisting non-issues
• Provides direct link to fixes
• Can be bundled with Pro-Support for assistance

Benefits
• Maintain strong product security throughout your product lifecycles
• Bring more secure products to market faster
• Make security a key product differentiator
• Works with ANY Yocto based BSP
• Start for free

* Vigiles is powered by a third-party vendor

On-demand security monitoring for more secure systems
• NXP takes great care to ensure the BSP releases use recent software when rolled out
  − As time goes on, new CVEs are reported, and developers customize BSPs to meet product requirements, resulting in possible exposure to security issues
  − Staying secure is a process that must be implemented by your engineering team
• Vigiles enables you to quickly and efficiently analyze security issues and take action
  − Automatically scans for and identifies vulnerabilities specific to your projects and software components
  − Produces highly accurate security reports, which combined with a very low false positive rate provide you with ongoing product security management that is streamlined and highly efficient

Page 14

Vigiles Technology Architecture (diagram; labels only)

• Inputs: Customer BSP or Source; Component List (Yocto manifest via the Yocto layer meta-timesys; Buildroot Component List)
• Vigiles: Vulnerability Scanner; Notification service; Patch Notifier; CVE Manager; Web Dashboard; CVE Reports; Results (to End user)
• Feeds / CVE Analyzer: NVD feed; Canonical; Security bulletins; Issue trackers; NVD Analyzer; Kernel Analyzer; Curated CVE Database; Patch/Version Database
• Vigiles team: Automatic filter & disambiguation; Conflict Notifier UI; Status tracker
• BSP Maintenance Patch/Update Manager (for NXP Pro-Support customers)

Page 15

How to start with Vigiles – www.nxp.com/vigiles

Register for 30-day Vigiles trial

Page 16

NXP Yocto – Vigiles starting point

• Vigiles is enabled with a Yocto metalayer (meta-timesys)
• Easily used with NXP Yocto Project
  − Can be added to any NXP Yocto BSP (https://github.com/TimesysGit/meta-timesys):
      RELEASE=thud
      git clone https://github.com/TimesysGit/meta-timesys.git -b $RELEASE
  − Comes pre-integrated into NXP’s Yocto BSP, starting from Yocto “Thud” (https://source.codeaurora.org/external/imx/imx-manifest/)

Page 17

Vigiles process for Yocto Project

• Step 1: Configure your Yocto build for scanning with Vigiles (in conf/local.conf)
      INHERIT += "vigiles"
      VIGILES_KEY_FILE = "/tools/timesys/linuxlink_key"
• Step 2: Fine tune the scanning results by pointing to your Linux kernel configuration
      VIGILES_KERNEL_CONFIG = "/projects/kernel/linux-4.14-ts+imx-1.0/.config"
• Step 3: Run the scan
      $ bitbake -c vigiles_check core-image-minimal
• Step 4: Look at the report locally
• Step 5: Look at the details, analyze, and triage using the Vigiles online UI

Page 18

Vigiles demonstration

Page 19

Vigiles Solution (screenshot callouts)
• Notification Management
• Upload Yocto, Buildroot, Factory, or CSV manifests
• Yocto – Command-line Capable
• Unfixed and Fixed CVE Trend
• Team Sharing for Triage Collaboration

Page 20

Vigiles: BASIC – On-Demand Report

Page 21

Vigiles: PLUS – adds collaboration, sorting and filtering (screenshot callouts)
• Configuration specific Security Reports
• Product Source Configuration
• Team Sharing of Product Configuration and Reports

Page 22

Vigiles: PRIME – Includes links to patches and more filtering (screenshot callouts)
• Link to the patch in kernel mainline
• Team collaboration and triage notes (PLUS)
• Minimum version with a fix
• Link to CVE details (PLUS)
• Filter by CVSS (PLUS)
• Filter by CVE Vector
• Filter by kernel Config
• Not Relevant – Move to whitelist (PLUS)

Page 23

Three options for a more secure solution

NXP Pro-Support can be added to any package to provide patch assistance and/or a semi-annual BSP maintenance package

Page 24

DIY vulnerability mitigation cost: $96k vs. $10k

• Monitoring
  − $20K = weekly review of CVEs to stay on top — less accurate and more false positives
• Finding patches and fixed versions
  − $20K = average BSP requires 50 patches/year
  − $8K = toolchain patches to fix C/C++ runtime security issues
• $48K per configuration
  • # of configurations in a product family: 3 (2 deployed and 1 in-development)
  • 50% redo (assume same software components with 50% different versions and kernel version)
  • $96K is the hidden cost for keeping the product family secure
  − Not including patching and testing

Do It Yourself: $96,000 / year; Vigiles: starts at $10,000 / year
(Chart categories: Monitoring, Finding, Patching and Testing)

Page 25

Layered approach

▪ Secure by design – one time implementation
  • Hardware lockdown (serial console, JTAG)
  • Secure boot, chain of trust
  • Secure storage and communications
  • Access control and hardening
  • Secure OS – OP-TEE / Arm TrustZone
  • Secure firmware update
  • Reduce attack surface
  • Security audit / pen testing
▪ Stay secure – ongoing process
  • Vulnerability monitoring and patching
  • Periodic upgrade
  • Audit log monitoring

Page 26

Benefits of using NXP Vigiles

• Improved security − more coverage, better accuracy, early notification
• Time saved in monitoring − identifies/notifies on newly discovered CVEs AND fixes
• Reduced triage burden − fewer false positives, identifies already fixed CVEs, advanced filtering
• Workflow management − history, collaboration tools, notes, whitelist, exported reports
• Integrates into your engineering process − plugs into Yocto, security scan can be triggered for every build

Page 27

Q & A
