Timesys University Webinar Series
Reduce Risk with RISC: Designing and Maintaining Secure Embedded Linux Devices with Advantech RISC Platforms
The security of your device systems and software is critical for your customers. Heightened cyber-attacks, stringent privacy requirements, and increased breach risks all demand that security is baked into your product design, not slapped on as an afterthought.
Too often, security is viewed as requiring performance or functional trade-offs, with impacts on boot times, file system performance and the firmware upgrade process. Choosing the correct security components can help avoid trade-offs and alleviate performance concerns.
Do you have a plan for defending your open source, embedded Linux based product against security threats?
Join us for this Timesys University five-part webinar series that will walk you through the process of building a security-focused, embedded Linux-based device using select Advantech RISC platforms powered by NXP i.MX 6 series applications processors. During this series, you’ll learn industry best practices for designing secure products and maintaining that security posture over time without hampering product performance. We’ll explore how to reduce the attack surface of the systems and software you use in your products, to lessen the risk of a breach or security incident. We’ll discuss how to bring products to market that enable your customers to meet essential security compliance requirements, and you’ll learn about the tools, techniques and services available to help you “Secure by Design” and “Stay Secure.”
This series consists of the following five 1-hour sessions:
Monitoring and patching security vulnerabilities throughout the embedded Linux product lifecycle
Last year, there were 9,000+ Common Vulnerabilities and Exposures (CVEs). How will you manage potential security gaps in your product? Since most open source vulnerabilities are fixed by upgrading to a new version or applying a patch, we begin this series by showing you why it’s important to make continuous monitoring of security vulnerabilities and applying their fixes a regular part of the development process. We’ll discuss the challenges with ongoing security maintenance and walk you through tools that help make managing open source software security a whole lot easier.
- Meeting the security expectations and compliance requirements of your customers
- Security in the ongoing product lifecycle
- Security vulnerability monitoring and notification
- Patch notification and update management
Verifying the authenticity of software running on your device
Verifying firmware authenticity is an essential part of designing and maintaining an effective device security posture. How will you protect your device from running tampered software? To ensure your device is protected against unauthorized access, you need to establish software authenticity before execution, all the way from the bootloader to user applications. In this session, we’ll identify the components of a Linux-based system that need to be protected, the many options available, and best practices. We’ll complete the session with a demo of a rejected/unsigned image boot.
- Secure boot
- Chain of trust
- Kernel verification (FIT image, SoC specific mechanisms)
- Root filesystem verification (dm-verity, IMA/EVM, FIT image)
Leveraging open source software to protect IP and data on the device
Hackers are proving highly adept at cloning devices to launch man-in-the-middle attacks and intercept sensitive user data. Is your device protected from being counterfeited and user data hacked? In this session, we’ll talk about how you can protect your IP and keep data securely stored on the device by encrypting data/software. In addition, we’ll discuss how to protect the key used for encryption using a secure storage mechanism. And lastly, we’ll discuss why software which handles confidential data should run from within a hardware/software isolated environment.
- Anti-cloning (IP)
- Key Management and secure key storage
- Data protection using encryption — In use, in transit, at rest
- Trusted Platform Module (TPM)
- Trusted Execution Environment (TEE) using Arm TrustZone and OP-TEE
- Device identity and authentication
Security in production: Updating & deploying software OTA securely
Building a secure device is a good start. But maintaining a strong security posture over time is just as critical. How will you fix and deploy software/firmware updates in the field? In this session, you’ll learn about the most commonly used approaches to field updates and the design considerations you should be aware of when building a product. We’ll discuss the importance of a software update server and other key considerations for securely deploying updates and denying unauthorized software installs.
- Over-the-air (OTA) updates of the software on your embedded system
- Incremental or full updates
- Signing of packages and images
- Server authentication
Auditing and hardening security best practices
The vast majority of successful cyber-attacks are the result of misconfigurations, deployment and user errors, and similar unintended exposures and security gaps. Is your software hardened to defend against attacks? By default, open source software is not configured to assist with security. In this fifth and final session of the series, you will learn how to look for — and how to prevent — common misconfigurations. The best practices part of the session will provide guidelines for how to perform a self-assessment based on your security requirements.
- Looking at a product design through a security lens
- High-level security checklist and best practices for products
- Examples of security pitfalls