The Embedded Open Source Summit took place from April 16-18 in Seattle, Washington, alongside the Open Source Summit North America. The Zephyr Developer Summit was part of the EOSS, aimed at developers using or considering Zephyr in embedded products. This year, we concentrated on supporting topics relevant to Zephyr users, upstream contributors, and maintainers.
More than 860 individuals from 721 organizations across 46 countries registered for the EOSS conference. The Zephyr track featured over 50 technical sessions, both in-person and on-demand, focusing on users, upstream developers, and maintainers.
Videos from the Zephyr Developer Summit are available on the Zephyr Project YouTube channel. We will highlight a few videos each week in a blog for easy access.
Today we are featuring:
- A Root Canal Static Analysis Based Audit of Zephyr – Munawar Hafiz, OpenRefactory
- Insights from Zephyr Security Audit and Vulnerability Experiences – Flavio Ceolin, Intel & David Brown, Linaro, LTD
A Root Canal Static Analysis Based Audit of Zephyr – Munawar Hafiz, OpenRefactory
Munawar Hafiz from OpenRefactory presents a comprehensive evaluation of Zephyr’s security practices through static analysis. The talk highlights the integration of CodeChecker in Zephyr 3.5.0, which incorporates multiple linters and static analyzers like clang static analyzer, clang tidy, and CPPCheck. However, deeper analysis is essential as tools like CPPCheck detect only a limited set of issues.
OpenRefactory, collaborating with the Alpha Omega project under the Linux Foundation, conducted a thorough security audit on Zephyr. This audit, akin to a “root canal” procedure in its depth and rigor, goes beyond the “flossing” habits of regular CodeChecker use. The audit included interviews with maintainers, an evaluation of current practices, and additional analysis using advanced tools.
Key findings include:
- A significant number of bugs identified by CodeChecker and Coverity, with a notable fix rate.
- Challenges persist with false positives and gaps in current tools’ detection capabilities.
- The importance of replacing unsafe functions like sprintf with secure alternatives, highlighting an example where sprintf led to a buffer overflow.
- The role of manual triage and in-depth examination of the flagged issues to ensure accurate identification of true positives.
The talk also explores the effectiveness of newer tools like Snyk and Semgrep in identifying vulnerabilities, noting that while they sometimes catch issues missed by others, they also generate a high volume of false positives.
Hafiz emphasizes the need for tools that not only detect but also automatically fix bugs, leveraging advanced techniques such as path analysis and SAT solving to reduce false positives and enhance detection accuracy. He discusses the importance of community engagement and continuous improvement in security practices.
The session concludes with insights into the effectiveness of current static analysis tools, the importance of comprehensive audits, and the potential for advanced tools to significantly enhance security in embedded systems. Hafiz also mentions ongoing efforts to develop a new version of their C static analysis tool, expected to incorporate these advanced features and improve Zephyr’s overall security posture.
Insights from Zephyr Security Audit and Vulnerability Experiences – Flavio Ceolin, Intel & David Brown, Linaro, LTD
Flavio Ceolin from Intel and David Brown from Linaro present lessons learned from real-world vulnerabilities and an external third-party code audit of the Zephyr project. They highlight the critical importance of security in embedded systems, which often perform dedicated functions within larger, complex platforms.
The talk begins with an overview of historical vulnerabilities in Zephyr, providing context on the evolution of security measures within the framework. It covers the role of Zephyr’s security working groups, which handle security features and vulnerabilities, and discusses the process for identifying, reporting, and managing these vulnerabilities using CVEs.
A significant portion of the presentation is dedicated to the outcomes of a recent external code audit conducted by NCC Group. This audit, focusing on core kernel features and exploit mitigations, revealed a few minor vulnerabilities, reinforcing the importance of independent reviews for enhancing security and building trust.
Key lessons include the challenges of defining the audit scope, the benefits of a well-defined threat model, and the importance of comprehensive testing. Strategies for future improvements are also discussed, such as mandatory static analysis, community engagement for vulnerability reporting, and ongoing training to address common issues like buffer overflows.
The session concludes with a discussion on the practical steps taken to fix identified issues, the importance of continuous security assessments, and the need for community collaboration to maintain and enhance Zephyr’s security posture.
Watch the rest of the Zephyr Developer Summit videos here. The schedule and links to the PPT presentations can be found here. Photos from the EOSS can be found here.
For more information about the 2024 event, stay tuned by subscribing to the Zephyr quarterly newsletter or connect with us on @ZephyrIoT, Zephyr Project LinkedIn or the Zephyr Discord Channel to talk with community and TSC members.