LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security

Threat models for embedded devices

By Jake Edge
April 14, 2010

Understanding the threats that a system could be subjected to is a starting point for deciding on what countermeasures to use to protect it. That idea is the motivation behind the development of "threat models", which is a term used in various contexts including both military and computer security. It is impossible to defend against all possible threats, so understanding which threats are to be defended against helps focus the efforts to elements that will thwart those attacks—without getting lost in a wide variety of other possibilities.

In the embedded systems context, a threat model is the summation of the kinds of threats the device is meant to thwart. It is essentially a list of the attack types that will be defended against by all elements of the system: hardware and software. The good folks at the Embedded Linux Conference accepted my talk, "Understanding threat models for embedded devices", which I thought might best be organized around this article, effectively killing two birds with one stone.

The threat model can be considered long before specific software choices for a device are made, as it is largely determined by the intended function of the device. There are several things that need to be considered, including things like the connectivity of the device (wired, wireless, remote control, etc.), the data that the device has—or controls—access to, the kinds of environments where it will be installed, and the technical sophistication expected of its users. From a threat model perspective, those characteristics are interdependent, so they can't be analyzed in isolation.

What is being protected?

One of the first things that needs to be identified is what is being protected. At the most basic level, the proper functioning of the device likely requires protection, so that attackers cannot cause a denial-of-service, but there are often more assets to protect than that. Another way to look at the problem is to consider what the consequences are if the device is successfully attacked. Beyond just being able to disrupt the user's enjoyment of the device, the data stored in the device or protected by it—think router/firewall for example—needs to be considered.

The value of that data, both to the user and to a potential attacker, is a key factor in determining what threats are relevant. For something like a television or microwave, which either don't store much in the way of data or only store data that has a fairly low value (various settings, favorite channels, etc.), protecting the data from disclosure or erasure is probably not a high priority. But for other devices, a successful attack might drain a user's bank account, snoop on their phone calls, or permanently delete their family photo album. From a user—customer—perspective those differences are very important.

As the value of the data to an attacker increases, the sophistication of the attacks also increases. A basic tenet of security is that making attacks require more resources than an attacker gains if they are successful is an effective means of repelling attacks.

Inputs

One of the biggest factors that impacts a device's threat model is the kinds of connectivity it has to the external world. Devices like home wireless internet routers or network-attached storage servers have obvious network connections, but other devices, even some that might seem to be connection-free, often still have some means of interacting with users that might be a potential means for attack. Remote controls—or even front panel buttons, depending on the installation location—provide a means for providing input to a device. Any input can, of course, be used for good or ill.

There are very few devices that take no input at all, so identifying those inputs is important. There are obvious inputs, wired and wireless networking, bluetooth, GPS signals, cellular voice/data, etc. There are more subtle, and likely less useful, inputs that should also be considered. Cameras are being added to more devices these days, and depending on what kind of processing is done to an image, could become a vector for attack. There have certainly been enough exploits of flaws in image-handling libraries to give one pause.

Some inputs have much more potential for abuse than others, but as part of coming up with a threat model, all of the system inputs should at least be considered. It may make sense for business or other reasons to explicitly ignore certain kinds of attacks, especially if the input mechanism is protected in other ways. If the device is intended to be physically secure—locked up in someone's house or server room for instance—it may be reasonable to exclude attacks requiring physical access from the model. That doesn't mean that those attacks are impossible but that they require an attack focused on a particular individual or organization, which are some of the hardest attacks to thwart.

Installation location

Physical security is often assumed for servers, but embedded devices don't necessarily have that luxury. Depending on the function of the device and the technical knowledge of its owner, devices may be deployed in ways that are outside of the expectations of the developers. "Home" wireless routers are often used in small businesses and are sometimes explicitly set up for use by the general public, in coffee shops for example. Televisions and DVRs may be installed in bars and restaurants which expands the kinds of attacks those devices might be subjected to.

It is important to at least think about other ways that a device might be used. It is much easier to assume that a device will only be installed in a "friendly" environment, or that its owner will keep it physically safe, but those expectations may not be borne out in practice. It is also important to consider the target market for the device and the expected level of technical knowledge for its users.

Users

Technically savvy computer users would probably never even consider hooking up their NAS—with their music, photo, and movie collection—directly to the Internet, but less sophisticated users might. If they were trying to share photos with a relative, or some kind of photo printing service, it might seem to be far easier to just "put it on the net" without recognizing the privacy and security implications.

So some consideration should be given to the target market. Less sophisticated users probably need a higher level of security, at least for some types of devices. If the device is targeting the IT department at a company, some level of security knowledge can probably—hopefully—be assumed. But that same device in the hands of someone with no security training or awareness may be at much more risk.

Another consideration is how the device gets its updates in the event of a security flaw. These days, most devices have some means to update the firmware for security, other bugs, or to add—and sometimes subtract—functionality. In order for security updates to get installed, though, the user must know about the problem, and have the capability to perform the upgrade. Systems that do not plan to have an easy path for user upgrades will probably want to put more effort into ensuring that the firmware that ships has been carefully vetted based on the other factors in its threat model.

Examples

A television with HDMI, remote control, and front panel inputs is not susceptible to very many kinds of attacks. There are potentially denial-of-service attacks possible via the latter two input methods, but the data being protected is of fairly low value (if there is any data at all). The users are likely to have little security awareness, but since there is little of value and few ways to impact the device, the security needs are fairly minimal. The biggest problem might be someone surreptitiously changing the channel or volume via a universal remote—something that is completely outside of the scope of problems that a television manufacturer should be expected to thwart.

A NAS box targeted at home users to store various multimedia files throughout the home has an entirely different profile. Other than a power switch, there probably isn't any real front panel, but there is a network interface, which is where most of the exposure comes from. The data is of fairly high value to its owner, and while its value to an attacker is variable, it is probably fairly low. An attacker who could deny access to the device or its contents might be in a position to extract a ransom to restore it. If the system could be compromised, though, it is likely to be powerful enough to be of interest as a botnet participant, which may be the most likely attack scenario.

Targeting the home market means that users are not likely to have a lot of technical expertise, so they may install and use the device in unexpected ways. But even for those devices that are properly installed behind a router/firewall, there may be attacks via malware running on other computers in the network. Home networks are often considered to be "safe", but browser and other malware attacks against devices behind the firewall, or the firewall itself, are certainly not unknown. Probably one of the more common mistakes that is made with these kinds of devices is using a default administrative password that never gets changed—malware doesn't have to work very hard to exploit that flaw.

Other devices will have different characteristics, of course, but analyzing the device to determine the threats to defend against is similar. Using the value of the data, the kinds of inputs the device has, its users, and how it is intended to be installed, one can start prioritizing which functional areas of the device software need the most attention. Explicitly rejecting certain kinds of attack scenarios will also assist in cutting down on the work that needs to be done, as long as customer expectations are set correctly. Doing this analysis during product planning, rather than after there is working prototype or, worse yet, a shipping product, will make it much less disruptive resulting in a better, more secure device.

Conclusion

Device manufacturers, like software vendors, often see security problems as a public relations issue, which it is to some extent. But it is really more of a customer relations problem—if customers have been burned by security problems in a particular vendor's device, they are much less likely to purchase from that vendor again. As a large software vendor in the Pacific Northwest found out, once a reputation for poor security is established, it can be very hard to undo. It's much better to "bake security in" rather than just hope that no security issues arise.

Comments (7 posted)

Brief items

Apache.org services attacked

The Apache Infrastructure Team has reported a direct, targeted attack against the server hosting their issue-tracking software. "If you are a user of the Apache hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised. JIRA and Confluence both use a SHA-512 hash, but without a random salt. We believe the risk to simple passwords based on dictionary words is quite high, and most users should rotate their passwords. Bugzilla uses a SHA-256, including a random salt. The risk for most users is low to moderate, since pre-built password dictionaries are not effective, but we recommend users should still remove these passwords from use. In addition, if you logged into the Apache JIRA instance between April 6th and April 9th, you should consider the password as compromised, because the attackers changed the login form to log them."

Comments (28 posted)

New vulnerabilities

acroread: multiple vulnerabilities

Package(s):acroread CVE #(s):CVE-2010-0190 CVE-2010-0191 CVE-2010-0192 CVE-2010-0193 CVE-2010-0194 CVE-2010-0195 CVE-2010-0196 CVE-2010-0197 CVE-2010-0198 CVE-2010-0199 CVE-2010-0201 CVE-2010-0202 CVE-2010-0203 CVE-2010-0204 CVE-2010-1241
Created:April 14, 2010 Updated:September 8, 2010
Description: From the Red Hat advisory:

This update fixes several vulnerabilities in Adobe Reader. These vulnerabilities are summarized on the Adobe Security Advisory APSB10-09 page. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened.

Alerts:
Gentoo 201009-05 2010-09-07
Red Hat RHSA-2010:0349-01 2010-04-14

Comments (none posted)

alienarena: denial of service

Package(s):alienarena CVE #(s):
Created:April 9, 2010 Updated:April 14, 2010
Description: From the Fedora advisory:

By supplying various invalid parameters to the download command, it is possible to cause a DoS condition by causing the server to crash. A path ending in . or / will crash on Linux. Supplying a negative offset will cause a crash on all platforms. - Fix buffer overflow identified in R1Q2 client code.

Alerts:
Fedora FEDORA-2010-6132 2010-04-09
Fedora FEDORA-2010-6068 2010-04-09

Comments (none posted)

clamav: denial of service

Package(s):clamav CVE #(s):CVE-2010-0098
Created:April 9, 2010 Updated:September 8, 2010
Description: From the Ubuntu advisory:

It was discovered that ClamAV did not properly verify its input when processing CAB files. A remote attacker could send a specially crafted CAB file to evade malware detection. (CVE-2010-0098)

It was discovered that ClamAV did not properly verify its input when processing CAB files. A remote attacker could send a specially crafted CAB file and cause a denial of service via application crash.

Alerts:
Gentoo 201009-06 2010-09-07
Mandriva MDVSA-2010:082-1 2010-05-20
SuSE SUSE-SR:2010:010 2010-04-27
Pardus 2010-55 2010-04-20
Mandriva MDVSA-2010:082 2010-04-18
Ubuntu USN-926-1 2010-04-08

Comments (none posted)

drupal-views: multiple vulnerabilities

Package(s):drupal-views CVE #(s):
Created:April 12, 2010 Updated:April 14, 2010
Description: From the Fedora advisory:

Views module provides a flexible method for Drupal site designers to control how lists of content are presented. Views accepts parameters in the URL and uses them in an AJAX callback. The values were not filtered, thus allowing injection of JavaScript code via the AJAX response. A user tricked into visiting a crafted URL could be exposed to arbitrary script or HTML injected into the page. In addition, the Views module does not properly sanitize file descriptions when displaying them in a view, thus the the file descriptions may be used to inject arbitrary script or HTML. Such cross site scripting [1] (XSS) attacks may lead to a malicious user gaining full administrative access. These vulnerabilities affect only the Drupal 6 version. The file description vulnerability is mitigated by the fact that the attacker must have permission to upload files. In both the Drupal 5 and Drupal 6 versions, users with permission to 'administer views' can execute arbitrary PHP code using the views import feature. An additional check for the permission 'use PHP for block visibility' has been added to insure that the site administrator has already granted users of the import functionality the permission to execute PHP.

Alerts:
Fedora FEDORA-2010-6356 2010-04-10
Fedora FEDORA-2010-6317 2010-04-10

Comments (none posted)

firefox: security bypass

Package(s):firefox CVE #(s):CVE-2010-0182
Created:April 12, 2010 Updated:August 9, 2010
Description: From the Ubuntu advisory:

Wladimir Palant discovered that Firefox did not always perform security checks on XML content. An attacker could exploit this to bypass security policies to load certain resources.

Alerts:
CentOS CESA-2010:0500 2010-08-06
Debian DSA-2075-1 2010-07-27
SuSE SUSE-SR:2010:013 2010-06-14
Mandriva MDVSA-2010:070-1 2010-04-20
Mandriva MDVSA-2010:070 2010-04-13
SuSE SUSE-SA:2010:021 2010-04-14
Ubuntu USN-921-1 2010-04-09
Red Hat RHSA-2010:0501-01 2010-06-22
CentOS CESA-2010:0501 2010-06-24
Gentoo 201301-01 2013-01-07

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2010-0164 CVE-2010-0165 CVE-2010-0167 CVE-2010-0168 CVE-2010-0170 CVE-2010-0172 CVE-2010-1122
Created:April 14, 2010 Updated:October 3, 2011
Description: From the Mandriva advisory:

Security researcher regenrecht reported (via TippingPoint's Zero Day Initiative) a potential reuse of a deleted image frame in Firefox 3.6's handling of multipart/x-mixed-replace images. Although no exploit was shown, re-use of freed memory has led to exploitable vulnerabilities in the past (CVE-2010-0164).

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2010-0165, CVE-2010-0167).

Mozilla developer Josh Soref of Nokia reported that documents failed to call certain security checks when attempting to preload images. Although the image content is not available to the page, it is possible to specify protocols that are normally not allowed in a web page such as file:. This includes internal schemes implemented by add-ons that might perform privileged actions resulting in something like a Cross-Site Request Forgery (CSRF) attack against the add-on. Potential severity would depend on the add-ons installed (CVE-2010-0168).

Mozilla developer Blake Kaplan reported that the window.location object was made a normal overridable JavaScript object in the Firefox 3.6 browser engine (Gecko 1.9.2) because new mechanisms were developed to enforce the same-origin policy between windows and frames. This object is unfortunately also used by some plugins to determine the page origin used for access restrictions. A malicious page could override this object to fool a plugin into granting access to data on another site or the local file system. The behavior of older Firefox versions has been restored (CVE-2010-0170).

Unspecified vulnerability in Mozilla Firefox 3.5.x through 3.5.8 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly have unknown other impact via vectors that might involve compressed data, a different vulnerability than CVE-2010-1028 (CVE-2010-1122).

Alerts:
Mandriva MDVSA-2011:140 2011-10-01
Mandriva MDVSA-2011:141 2011-10-01
Mandriva MDVSA-2011:139 2011-10-01
Mandriva MDVSA-2010:070-1 2010-04-20
Mandriva MDVSA-2010:070 2010-04-13
Mageia MGASA-2012-0176 2012-07-21
Gentoo 201301-01 2013-01-07

Comments (none posted)

kdm: privilege escalation

Package(s):kdebase3 kde4-kdm CVE #(s):CVE-2010-0436
Created:April 14, 2010 Updated:June 1, 2010
Description: From the KDE advisory:

KDM contains a race condition that allows local attackers to make arbitrary files on the system world-writeable. This can happen while KDM tries to create its control socket during user login. This vulnerability has been discovered by Sebastian Krahmer from the SUSE Security Team.

Alerts:
CentOS CESA-2010:0348 2010-06-01
CentOS CESA-2010:0348 2010-06-01
Slackware SSA:2010-110-02 2010-04-21
CentOS CESA-2010:0348 2010-04-20
Ubuntu USN-932-1 2010-04-19
Pardus 2010-50 2010-04-20
Debian DSA-2037-1 2010-04-17
Fedora FEDORA-2010-6077 2010-04-09
Fedora FEDORA-2010-6096 2010-04-09
Mandriva MDVSA-2010:074 2010-04-15
Red Hat RHSA-2010:0348-01 2010-04-14
SuSE SUSE-SR:2010:009 2010-04-14

Comments (none posted)

MoinMoin: access restriction bypass

Package(s):moin CVE #(s):CVE-2010-1238
Created:April 8, 2010 Updated:April 14, 2010
Description: It was discovered that the TextCha protection in MoinMoin could be bypassed by submitting a crafted form request. This issue only affected Ubuntu 8.10. (CVE-2010-1238)
Alerts:
Ubuntu USN-925-1 2010-04-08
Gentoo 201210-02 2012-10-18

Comments (none posted)

spamass-milter: arbitrary code execution

Package(s):spamass-milter CVE #(s):CVE-2010-1132
Created:April 9, 2010 Updated:April 27, 2010
Description: From the Fedora advisory:

This update includes a fix for a problem where if the milter is running using the "-x" option to expand aliases before passing inbound mail through SpamAssassin, a malicious client using a carefully-crafted SMTP session could execute arbitrary code on the mail server. The fix avoids the use of a shell in the alias expansion and hence there is no longer a problem with having to sanitize input from the client.

Alerts:
Debian DSA-2021-2 2010-04-26
Fedora FEDORA-2010-5176 2010-03-23
Fedora FEDORA-2010-5096 2010-03-23

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds