A Timesys Deep Dive Embedded Systems Newsletter

March 2023

Cybersecurity in the News: "NULL pointer dereference may lead to code execution"

According to SUSE, “In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.”

SUSE additionally warns that “the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: ‘In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.’”

Need more info on these vulnerabilities?

With an average of 420 new CVEs every week, how do you cut through the noise and take action on the vulnerabilities that pose the largest threat to your device?

We launched the Timesys CVE Dashboard and update it weekly with details on the dangerous security vulnerabilities that could be affecting your device.

Take me to the CVE Dashboard

New Timesys Product Announcement!

VigiToast: Eat Breakfast Like A King – Secure In Your Castle.

Breakfast is the most important meal of the day. With our brand-new product, VigiToast, you can start your morning off on secure footing knowing you have the most up-to-date information on relevant CVEs.

VigiToast is a Timesys embedded Linux IoT smart toaster that leverages best-in-practice cybersecurity software to keep you ahead of cyber threats and vulnerability risks – and protect you from burnt toast! The most essential and critical CVE details are seared onto your slices of toast, so you know what’s on the horizon for the day.

Want a patch with that? No worries! Just add more toast and VigiToast will print all the details out for you in nanoseconds.

What else can VigiToast do? Everything! (Nearly)

  • Over-the-air (OTA) updates of the software on your embedded system
  • Best-in-class ciphers and secure communication to protect device certificates and keys
  • Customizable policies for recording security incidents
  • Linux kernel hardening that focuses on system configurations needed to reduce your product’s attack surface, decrease risk of compromise, and minimize breach impacts
  • SBOM and vulnerability reporting for end-to-end software supply chain security

The 4-day crash course will begin on Tuesday, March 7th. If you miss a day, no worries! We’ll be sending daily recordings of the sessions to anyone that registers along with bonus materials.

New Mandate from the White House

National Cybersecurity Strategy Places Responsibility of Security on Manufacturers

Earlier this month, the White House released a National Cybersecurity Strategy to “rebalance the responsibility to defend cyberspace” and “realign incentives to favor long-term [security] investments.”

What does this mean for the cybersecurity and embedded communities?

In essence, this new strategy issued by the President moves the responsibility for defending cyberspace away from individuals and onto the organizations and stakeholders most capable of taking action to prevent security risks. That means manufacturers, developers, and software publishers like you are now the stewards of embedded IoT device security.

This new strategy highlights the importance of implementing secure-by-design principles throughout the product lifecycle. As daunting a task as that may seem, there’s good news! VigiShield Secure By Design enables you to implement the core security features your device needs to stay ahead of security risks and compliant with executive mandates with an easy-to-understand, PSA certified, maintainable Yocto security layer.

Product Update

Vigiles 1.0 Enterprise Release

Timesys is proud to announce that the Vigiles Enterprise 1.0 release was launched earlier this month! The latest update to our industry-leading Software Composition Analysis (SCA) tool includes features such as Single Sign-On (SSO), Groups functionality, Role-Based Access Control, and more.

Vigiles Enterprise 1.0 makes it easier than ever for your team to collaborate securely within your organization and with external clients. With our new group structure, you’re able to restrict access on an as-needed-basis and with our Role-Based Access Control, you can manage user permissions with ease.

In addition, Vigiles Enterprise 1.0 comes equipped with SBOM support for CycloneDX, SPDX, and SPDX-Lite and a new CVE search feature, providing you with even more powerful analysis tools than before.

  • Single sign-on (SSO): Companies that use identity management systems can leverage SSO, and have employees sign in to Vigiles using their corporate identity. This facilitates easy provisioning of Vigiles to users. Vigiles Enterprise 1.0 currently supports Azure AD and OKTA as the Identity Provider (IdP) for SAML SSO.
  • Groups functionality: Groups make it easier for you to collaborate within teams (internal and external) while allowing you to restrict access on a need basis. The group structure includes Organization (highest level), Groups (second highest), Sub-Group, and Folders. Members of the organization can be added to multiple groups or subgroups based on the desired level of visibility/access.
  • Role-Based Access Control: Vigiles Enterprise offers four types of members/users. Admins can manage Vigiles instances and organizations and add/remove members of an organization, and have all of the privileges of Maintainers. Maintainers can create/manage groups and add/remove members of groups, and have all of the permissions of Developers. Developers can upload and manage SBOMs and CVE reports and use integrations, and have all of the Guest permissions. Guests have access to SBOMs and CVE reports.

4-Day Crash Course

APAC & EMEA: Timesys hosting the “Sick and Tired of Vulnerabilities” Embedded Linux Yocto Developer SBOM & CVE Webinar Crash Course

The Timesys 4-day crash course webinar series on how to combat false-positive CVEs, bad SBOM data, and a tedious mitigation process was so popular that we’re excited to announce we will be hosting it again in APAC and EMEA time zones!

Across the four days, in less than an hour each day, we’ll go over:

    • Different SBOM options, how you can generate them, and which methods and formats actually matter for embedded Linux devices
    • How to master the data presented in CVE listings, find all the relevant and related information, know what to look out for in the data that will mess up your process, and keep up with new CVEs
    • A three-step process for prioritizing vulnerabilities with frameworks for efficiently classifying your CVEs, and a workflow that you can use for your initial triage and ongoing maintenance as well
    • And how to leverage automation and see what kind of impact your tool choice has on your process

The 4-day crash course for APAC and EMEA will begin on Monday, April 10th. If you miss a day, no worries! We’ll be sending daily recordings of the sessions to anyone that registers along with bonus materials.

You can find out more details about the series and save your free seat below:

Thursday Tech Tip

Thursday Tech Tip: Kernel Panic (at the disco)

Have a niche embedded Linux or Yocto problem that you can’t find the solution for? Curious about what discoveries or solutions other engineers have made? We’re happy to introduce a brand-new monthly series: Thursday Tech Tips! On the last Thursday of each month, we’ll be sharing bite-sized technical content generated by our team of embedded platform and cybersecurity engineer experts.

Our team is dedicated to staying up-to-date on the latest trends and advancements in the embedded industry, and we’re excited to share our knowledge with you. These tips will cover a wide range of topics, from hardware and software design to cybersecurity best practices. Whether you’re a seasoned engineer or just starting out in the field, these tips are sure to provide valuable insights and practical advice. Have a niche question you’d like to solve? Ask away, and we’ll let you know what our team says!

For this month’s Thursday Tech Tip, one of our engineers was asked how to reproduce a kernel crash and diagnose the issue:

When encountering a kernel panic error message, an important first step is to identify the root cause in order to prevent future occurrences. The virtual address provided in the error message can help trace the driver involved in the current kernel panic.

How can you analyze the root cause? By loading kernel modules in the default order, using their code size, and observing their load address, you can calculate which module’s text segment resides at the virtual address. The difference between the faulting virtual address and that module’s load address is the offset into the module binary of the instruction that caused the panic.

With objdump on the kernel module binary, search for that offset and check which function it belongs to. This should point to the function and even line number of the instruction that caused the panic.
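The module lookup and offset arithmetic described above, as an added shell example that is not Timesys code: it reads a constructed excerpt of /proc/modules, finds which module’s address range covers the faulting virtual address, computes the offset into that module, and prints the objdump and addr2line commands to run against the unstripped .ko on the build host. The module name mydrv, the load addresses, sizes and the fault address are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not Timesys code): map an Oops virtual address to an
# offset inside a loaded kernel module, then show the host-side lookup.

# Constructed excerpt of /proc/modules on a 32-bit ARM target.
# Fields: name size refcount deps state load_address [taint]
# Note: the address column reads 0 for non-root users (kptr_restrict).
SAMPLE_PROC_MODULES='mydrv 16384 0 - Live 0xbf000000 (O)
spidev 20480 1 - Live 0xbf0c4000'

# Print the load address of the named module from a /proc/modules listing.
module_load_addr() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { print $6 }'
}

# Print the name of the module whose [load, load+size) range contains
# the faulting virtual address; prints nothing if no module matches.
module_for_addr() {
    fault=$(( $1 ))
    printf '%s\n' "$2" | while read -r name size refs deps state base rest; do
        [ -n "$base" ] || continue
        if [ "$fault" -ge "$(( $base ))" ] && [ "$fault" -lt "$(( $base + size ))" ]; then
            printf '%s\n' "$name"
            break
        fi
    done
}

# Offset of the faulting instruction inside the module:
# fault address minus module load address, printed as hex.
module_offset() {
    printf '0x%x\n' $(( $1 - $2 ))
}

# Print the commands to resolve the offset to a function and source line.
# Caveats: the offset maps directly onto the .ko's .text only when .text is
# the first section of the module core (the usual layout); use the
# unstripped .ko with debug info from the build tree so addr2line has lines.
lookup_commands() {
    ko=$1; off=$2
    printf 'objdump -d -S --start-address=%s --stop-address=$((%s + 32)) %s\n' "$off" "$off" "$ko"
    printf 'addr2line -f -i -e %s %s\n' "$ko" "$off"
}

# Walk the constructed sample end to end with a hypothetical fault address.
demo() {
    fault=0xbf0001a4
    mod=$(module_for_addr "$fault" "$SAMPLE_PROC_MODULES")
    base=$(module_load_addr "$mod" "$SAMPLE_PROC_MODULES")
    off=$(module_offset "$fault" "$base")
    printf 'fault %s is in module %s loaded at %s, offset %s\n' "$fault" "$mod" "$base" "$off"
    lookup_commands "${mod}.ko" "$off"
}
demo
```

On a real target, replace SAMPLE_PROC_MODULES with `cat /proc/modules` captured as root, and take the fault address from the PC/IP line of the Oops. When CONFIG_KALLSYMS is enabled the Oops usually already shows symbol+offset, but the arithmetic above still applies when only a raw address is printed.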

Additionally, in order to capture an “oops!” from startup to the serial console, use ftrace at boot and place the necessary parameters on the kernel command line.

For example:
root=/dev/mmcblk0p5 rootwait rw console=ttyS3,115200 ftrace=function ftrace_dump_on_oops

When the “oops!” occurs, the ftrace buffer will be automatically dumped to the console.

If you’ve encountered something like the above issue but have a unique situation that requires a more custom answer, don’t hesitate to ask our team for advice!

Learn with Timesys

Vulnerability Management and Triaging

How do you stay on top of vulnerabilities?

With more than 300 vulnerabilities being reported each week in the US National Vulnerability Database (NVD), it is more challenging than ever to maintain the security of open source and third-party software used in embedded system products. How can adopting a risk-based vulnerability management strategy, in which vulnerabilities that pose the highest risk to your organization are remediated first, help? This blog outlines the benefits of such a strategy along with how to establish this process as part of your software development lifecycle, all while keeping the maintenance cost and risk of exposure low.


Vulnerability Management for Embedded

Tools & Techniques to Monitor and Remediate Vulnerabilities in Your SBOM

April 20 @ 12 PM EDT / 9 AM PT

In this monthly live webinar and Q&A session, you’ll learn essential ways to avoid a five-figure mistake along with:

– Why you need to manage your open-source software risks
– How to generate an accurate SBOM (Software Bill of Materials) and why it matters
– Tools and techniques to monitor and remediate vulnerabilities in your SBOM
– And much more!


Subscribe to our newsletter so you don’t miss a thing.