A Timesys Deep Dive Embedded Systems Newsletter

June 2022

Cybersecurity in the News: Technical Advisory – Multiple Vulnerabilities in U-Boot

According to the NCC Group Research: “U-boot is a popular boot loader for embedded systems with implementations for a large number of architectures and prominent in most Linux based embedded systems such as ChromeOS and Android Devices. Two vulnerabilities were uncovered in the IP Defragmentation algorithm implemented in U-Boot, with the associated technical advisories below:

  • Technical Advisory – Hole Descriptor Overwrite in U-Boot IP Packet Defragmentation Leads to Arbitrary Out of Bounds Write Primitive (CVE-2022-30790)
  • Technical Advisory – Large buffer overflow leads to DoS in U-Boot IP Packet Defragmentation Code (CVE-2022-30552)”

Need more info on these vulnerabilities?

Want to stay ahead of threats? Lucky you: we launched the Timesys CVE Dashboard and update it weekly with details on the dangerous security vulnerabilities that could be affecting your device.

Take me to the CVE Dashboard

Recap: Embedded World 2022

All the latest security solutions in the Embedded World

From June 21 to June 23, Timesys showcased the latest security solutions as a featured partner with our friends at STMicroelectronics and AWS at Embedded World in Nuremberg, Germany.

Missed Embedded World this year? Check out this video with Kamel Kholti, MPU Product Marketing Manager, showcasing how Vigiles enriches the STM32MP1 ecosystem and how Timesys, Foundries.io, and STMicroelectronics are bringing solutions that provide you the support and security you need to get to market faster.

IoT Security Simplified with VigiShield Secure by Design

Why use PKCS#11?

PKCS#11 gives applications a platform-independent way of using keys securely. It can also be configured so that keys are never exposed to the application, which vastly reduces the attack surface. For example, applications can request that data be signed or encrypted without ever needing to know the private keys.

For customers seeking enhanced security and key provisioning, VigiShield Secure by Design provides the core security features your device needs with an easy-to-understand, PSA certified, maintainable Yocto security layer.

For more information about securing IoT device keys with PKCS#11, read our PKCS#11 with OP-TEE: Securing IoT device keys article in our blog library.

Linux OS and BSP Maintenance

Can You Reduce the Cost of Long-Term Maintenance for Your Product AND Stay Secure?

This best-in-class vulnerability monitoring and remediation tool combines a curated CVE database, continuous security feed based on your SBOM, powerful filtering, and easy triage tools so you don’t get blindsided by vulnerabilities.

But at Timesys, we don’t stop there. We’ve been listening to customer requests and feedback and are working on augmenting the APIs so you can implement your own dashboards and filter notes and alerts based on what’s most important to you.

This module update will also:

  1. Integrate with your existing SDLC software through a Python package for interacting with the Vigiles API, so that users can write scripts or integrate Vigiles into their own tools.
  2. Include all the most common tasks as command-line prompts. This will enable users to perform tasks such as applying a patch for a CVE, conducting a test build, and fetching a comparison between scans before and after to attach to the internal bug tracker.
  3. Add a reference implementation for users who write their own code to interact with the API, so they can compare results and translate segments into their language of choice.

Timesys in the News: Atul Bansal of Timesys Talks Open-Source Software on TechVibe Radio

On Sunday, June 26, Timesys CEO Atul Bansal joined TechVibe Radio host Jonathan Kersting at 6 AM to “geek out” about the importance of cybersecurity, especially for connected devices.

If you missed the segment and would like to hear the inside secrets of how, with Timesys’ expertise, OEMs, ODMs, and design houses cut development costs and accelerate time-to-market for devices and IoT systems, check out the recording of the discussion on TechVibe’s archive.

Listen to the TechVibe Radio segment with Timesys

Learn with Timesys

Read Up On Embedded Security With Our Blogs

DM-Verity Without an Initramfs

Learn how you can implement file system verification on your embedded system without the use of an initramfs. This can significantly save boot time and storage requirements in many situations.

Securing U-Boot: A Guide to Mitigating Common Attack Vectors

Learn about ways in which you can protect and secure U-Boot implementations on your embedded systems. This involves signed FIT images, environment protections, and serial console disablement methods.

Upcoming Events

Conferences Around the World You Don’t Want to Miss

NXP Tech Day Irvine

Global Training Program

June 30, Irvine, CA

Join us for an insightful presentation: Secure by Design – Building Secure IoT Solutions.

Security Vulnerability Management 101

Tools & Techniques to Monitor and Remediate Vulnerabilities in Your SBOM

In this monthly live webinar and Q&A session, you’ll learn:

– Why you need to manage your open-source software risks
– How to generate an accurate SBOM (Software Bill of Materials) and why it matters
– Tools and techniques to monitor and remediate vulnerabilities in your SBOM
– And much more!
