The Zephyr Developer Summit, hosted under the first-ever Embedded Open Source Summit in Prague, Czech Republic, on June 27-30 included presentations, BoFs, and training designed for real time problem solving and deep discussions. More than 1,300 people registered for the EOSS conference – representing 375 organizations across 56 countries around the globe. Zephyr had 75+ technical sessions (in-person and on-demand) for 3 tracks focused on users of Zephyr, developers contributing upstream, and maintainer-specific topics.
All of the videos from the Zephyr Developer Summit can be found on the Zephyr Youtube Channel. Each week, we’ll highlight a few videos in a blog for easy access. Today, we’re featuring a few security sessions including: “Outsmarting the IoT Defense – the Hacker’s Perspective,” “Integration of a CA Certificate Store Into Zephyr RTOS,” and “Introduce Hardware-Level Device Isolation to Zephyr.”
Outsmarting the IoT Defense – the Hacker’s Perspective – Natali Tshuva, Co-Founder & CEO at Sternum IoT
Endless patching is a race that cannot be won. To build sustainable, secure IoT solutions we must change that ineffective paradigm. To appreciate what we can do differently, we should start by considering both the defender’s and attacker’s perspectives. This session will provide a unique view of that attacker’s perspective, from former exploit/attack experts within the IDF Unit 8200. We will review the impossible task of identifying and mitigating all vulnerabilities – and will demonstrate the inadequacies of current IoT security practices focused on continuous patching, static analysis, encryption, and risk controls. We will also explain how attackers can easily evade such barriers. By contrast, the session will explore methods for achieving embedded, on-device runtime exploits protection to immunize devices from all underlying vulnerabilities, and provide zero-day protection as well. These methods, commonplace in IT endpoint detection and response, are just now finding their way into heretofore unprotected and unmanaged IoT edge devices. See the presentation here.
Integration of a CA Certificate Store Into Zephyr RTOS – Jared Baumann, Software Engineer at T-Mobile
This presentation briefly covers a proposed CA certificate store for Zephyr RTOS. This addition to Zephyr could greatly improve the development process for IoT applications by allowing for the utilization of a large number of CA certificates in Zephyr without requiring manual management. The utility of such as system is obvious, as it would allow for the storage of many certificates for whenever they’re needed, much like many modern operating systems. It should greatly improve developer experience for new developers entering the Zephyr ecosystem, particularly those with interest in IoT applications. See the presentation here.
Introduce Hardware-Level Device Isolation to Zephyr – Jaxson Han, Senior Software Engineer and Huifeng Zhang, Software Engineer, at Arm
Most architectures in Zephyr use MMU/MPU to isolate the thread memory regions so that the system is protected from buggy or malicious code. However, MMU/MPU can only limit memory accesses from CPUs. Memory accesses such as those from DMA are not protected by MMU/MPU, which may cause critical security issues. This issue should be brought to attention because Zephyr has been adding more DMA devices to the code, while many DMA devices might be buggy or even malicious. Therefore, without taking actions, Zephyr would be under increasing security risk. RichOSes use IOMMU/SMMU to protect the device memory accesses in general, and likewise, Zephyr can mitigate the above-mentioned security issue by introducing the IOMMU/SMMU technology. Additionally, the introduction of IOMMU/SMMU makes Zephyr possible to support more PCI and DMA devices or even features such as virtualization. Because of the variety of hardware-level solutions provided by different architectures, it is necessary to add a new IOMMU/SMMU Subsys framework for Zephyr so it can be easily extended in the future. This talk will cover the Zephyr Arm SMMUv3 support based on the Subsys framework. A live demo will be presented to showcase using SMMUv3 to protect memory access from a PCI AHCI device on the Arm FVP platform. See the presentation here.
For more information about the 2024 event, stay tuned by subscribing to the Zephyr quarterly newsletter or connect with us on @ZephyrIoT, Zephyr Project LinkedIn or the Zephyr Discord Channel to talk with community and TSC members.