Security Is Important
No matter what industry you’re in, maintaining the security of your software is vital. It may be obvious that medical devices need to protect patients and their privacy, but a range of consumer gadgets fueling the IoT have also been targeted and used to cause real damage.
When security is an afterthought and products are near release, and especially when they are already in the field, addressing vulnerability issues becomes a lot riskier and much more costly. This is one reason that we advocate for designing with security in mind from the beginning. Since most open source vulnerabilities are fixed by upgrading to a new version or applying a patch, it’s important to make scanning for Common Vulnerabilities and Exposures (CVEs) and applying their fixes a regular part of the development process.
The Challenge with Monitoring CVEs Yourself
Thousands of CVEs that are published every year affect open source software, including the Linux kernel and other software that your products depend on (from down in the C Library, to video codecs, and up through web servers). In fact, some CVEs may even affect the very components designed to make your product more secure in the first place (e.g. libgcrypt / GnuPG or OpenSSL).
Continuously monitoring security databases and mailing lists for vulnerabilities is time-consuming work. Every day you need to keep up with newly issued notices to make sure you do not miss anything for any component included in your system. Keeping this up manually is an enormous challenge, and yet there is still more work to do. What do you do with that information? Your time would be better spent determining the real impact each CVE potentially has on your product, and taking the corrective action. Is it a component your application uses? If not, can it be disabled at build or run time? If it is used, should you move to an updated version, or patch it? And do you need to backport the fix, or is a patch already available for your version? How will you test it once it’s applied? What about deploying it?
The Timesys Solution
Timesys helps reduce the time and costs associated with maintaining software security through its automated Security Vulnerability Monitoring and Notification Service.
Our Threats Response Security Team (TRST) constantly monitors security issues that impact open source software being used by our customers, proactively updates the Factory repository with patches and updates, and maintains Yocto patches and updates for recipes across multiple Yocto releases.
We have developed tools for Yocto and Factory, for both the desktop and web, which make tracking relevant security vulnerabilities easy. Since we do the monitoring, all you need to do is consume the notifications.
Subscribers can pull a report on demand using the current build configuration, giving an up-to-date notification that is relevant to that build. Whether uploaded on the web initially or checked from the command line, those configurations and reports are also stored under your LinuxLink account, so you can see how the threats to your product change over time. Customers can optionally subscribe to notifications for any configuration, in which case a new report is generated and emailed weekly.
To address the CVEs, Timesys provides patches, which will be discussed more in depth in future blog posts.
How to Use It
Yocto Project images
Three easy steps are all that you need to try on-demand notifications for Yocto using the meta-timesys layer. To use subscription and history features, you will also need to set up your LinuxLink API Keyfile. If you don’t have a subscription, only a short summary will print to the console. You can still view the full report online with a free account, but without a subscription, reports will not remain accessible for more than one day.
The instructions below pull meta-timesys and poky to set up a minimal Yocto environment for demonstration purposes. Feel free to try inserting meta-timesys into your own BSP as well. It supports custom machines, distros, and images just fine!
- Clone poky and meta-timesys
$ git clone git://git.yoctoproject.org/poky.git -b rocko
$ git clone https://github.com/TimesysGit/meta-timesys.git -b rocko
- Activate yocto build environment (needed for manifest creation)
$ source poky/oe-init-build-env
- Check an Image for CVEs
When you run the following script without any arguments, you will be prompted to select an image to check (an image can also be provided with the “-i” argument to skip the GUI).
You can view a full sample report online here. With your LinuxLink API key set, you can subscribe to updates simply by passing the subscribe argument to the script:
$ ../meta-timesys/scripts/checkcves.py [-s | --subscribe ]
With an active subscription and your LinuxLink API key set, a recent Desktop Factory will run the cvecheck by default when you run make, or by running either of the following targets:
- make checkupdates
- make checkcves
The checkupdates target also provides information about any newer Factory version and what updates it has for your selected packages (including CVE fixes). The CVE results in any case break down into the following categories:
- Unfixed — Known to affect the package at this version, with no solution available at this time
- Unfixed, Patch not Applied — A fix is available in the local Factory, but it hasn’t been applied to your workorder. Usually this means you should run make menuupdate and accept the new patch list.
- Unfixed, Upgrade Available — Can be fixed by upgrading to a newer Factory which provides an updated version or a patch.
- Fixed — Known to affect the package at this version, but already fixed or mitigated by a patch applied in the Workorder.
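The four categories above form a simple decision procedure. The following is an added illustration, not code from meta-timesys or Factory: it classifies constructed findings into those categories using assumed record fields (affected, patch_applied, fix_in_local_factory, fix_in_newer_factory) and maps each category to the corrective action the text describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Category names exactly as they appear in the report breakdown.
UNFIXED = "Unfixed"
UNFIXED_PATCH_NOT_APPLIED = "Unfixed, Patch not Applied"
UNFIXED_UPGRADE_AVAILABLE = "Unfixed, Upgrade Available"
FIXED = "Fixed"

# Suggested follow-up per category, taken from the descriptions above.
ACTIONS = {
    UNFIXED: "no fix yet; track the CVE and consider mitigations",
    UNFIXED_PATCH_NOT_APPLIED: "run make menuupdate and accept the new patch list",
    UNFIXED_UPGRADE_AVAILABLE: "upgrade to the newer Factory that provides the fix",
    FIXED: "nothing to do; fix already applied in the Workorder",
}

@dataclass(frozen=True)
class CveFinding:
    """One CVE/package pair. Field names are assumptions for this example."""
    cve_id: str
    package: str
    version: str
    affected: bool              # CVE applies to the package at this version
    patch_applied: bool         # fix already applied in the Workorder
    fix_in_local_factory: bool  # fix shipped in the Factory you already have
    fix_in_newer_factory: bool  # a newer Factory provides a fix or new version

def classify(f: CveFinding) -> Optional[str]:
    """Return the report category, or None if the CVE does not apply."""
    if not f.affected:
        return None
    if f.patch_applied:            # applied patch wins over everything else
        return FIXED
    if f.fix_in_local_factory:     # available locally, just not accepted yet
        return UNFIXED_PATCH_NOT_APPLIED
    if f.fix_in_newer_factory:     # needs a Factory upgrade
        return UNFIXED_UPGRADE_AVAILABLE
    return UNFIXED

def summarize(findings: List[CveFinding]) -> Dict[str, List[str]]:
    """Group applicable CVE ids by category (stable order, no empty groups)."""
    report: Dict[str, List[str]] = {}
    for f in findings:
        cat = classify(f)
        if cat is not None:
            report.setdefault(cat, []).append(f.cve_id)
    return report

# Constructed sample findings; CVE ids are placeholders, not real identifiers.
SAMPLE = [
    CveFinding("CVE-YYYY-0001", "openssl", "1.0.2", True, True, True, False),
    CveFinding("CVE-YYYY-0002", "openssl", "1.0.2", True, False, True, False),
    CveFinding("CVE-YYYY-0003", "libgcrypt", "1.7", True, False, False, True),
    CveFinding("CVE-YYYY-0004", "linux", "4.9", True, False, False, False),
    CveFinding("CVE-YYYY-0005", "busybox", "1.27", False, False, False, False),
]
```

Each category in `summarize(SAMPLE)` can be looked up in `ACTIONS` to print the follow-up step alongside the affected CVE ids.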
You can view a full sample report online here. To subscribe for notifications, enable the option in the Workorder using make menuconfig under the “Advanced Build Configuration” menu, and then run any of the commands that trigger a report (make, make checkupdates, make checkcves).
The Security Notification Management dashboard is where you will find stored Yocto and Factory configs, view past reports, generate new reports on-demand, and manage subscription settings for push notifications via email.
When you log in to LinuxLink, click the “Security” menu on the top navigation, then click the “Notifications” item. A demo version of this page is available here. If you are already logged in to LinuxLink, you’ll be redirected to your own version, so make sure you are logged out if you want the demo.
The most recent report is available from the latest link in the config row, or as the top row in the list of reports linked to by the all link in that same row.
To submit a config online, you can click the Upload button and submit a Yocto Image Manifest (created with meta-timesys) or a Factory Workorder. It will take you to the initial CVE report after the upload.
Toggle the subscription checkboxes and click the “Update Subscriptions” button to save pull notification settings.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with leading global semiconductor manufacturers, delivering smart, fast and high-quality solutions for highly complex systems with accelerated product innovation and multiple product variants.