ac6-training, un département d'Ac6 SAS
 
Site displayed in English (GB)
Site affiché en English (GB)View the site in FrenchVoir le site en English (USA)
go-up

leftthintrapezium-20-bb9203 ac6 > ac6-training > Programming > Safety and security > Advanced Embedded Linux Security Inquire Download as PDF Call us Write us

SEC9 Advanced Embedded Linux Security

Objectives
  • Learn the basics of embedded Linux security
  • Understand Linux threat model
  • Discover the features in Linux kernel to harden security
  • Understand Linux Security Modules
  • Learn how sandboxing can harden your system’s security
Labs are conducted on QEMU ARM-based board
  • C Language knowledge (see for example our L2 training course)
  • Secured Embedded Linux Platform Build (see for example our D11 training course)
  • You may be interested also by the SEC8 Secured Embedded Linux Platform Build course
  • You may be interested also by the SEC1 Secure Development for Embedded System course
  • You may be interested also by the SEC2 Advanced Embedded Systems Security course
  • Training manuals and software exercises
  • One Linux PC for two trainees
  • One target platform for two trainees
  • Total: 3 days
  • From 40% to 50% of training time is devoted to practical activities
  • Theoretical course
    • PDF course material (in English) supplemented by a printed version.
    • The trainer answers trainees' questions during the training and provide technical and pedagogical assistance.
  • At the start of each session the trainer will interact with the trainees to ensure the course fits their expectations and correct if needed
  • Any embedded systems engineer or technician with the above prerequisites.
  • The prerequisites indicated above are assessed before the training by the technical supervision of the traineein his company, or by the trainee himself in the exceptional case of an individual trainee.
  • Trainee progress is assessed by quizzes offered at the end of various sections to verify that the trainees have assimilated the points presented
  • At the end of the training, each trainee receives a certificate attesting that they have successfully completed the course.
    • In the event of a problem, discovered during the course, due to a lack of prerequisites by the trainee a different or additional training is offered to them, generally to reinforce their prerequisites,in agreement with their company manager if applicable.

Course Outline

  • Potential security risks to an embedded system
  • Threat model for embedded Linux
    • Identifying Assets and Threats
    • Understanding Attack Vectors
    • Identifying Security Weaknesses and Risks
    • Analyzing Threats and Evaluating Impact
    • Countermeasures and Threat Mitigation
  • Reducing Attack Surface
  • Common Linux Vulnerabilities
  • Vulnerable Linux tools
  • Check for known vulnerabilities
  • User and Group Management
  • File Permissions and Ownership
    • Restrict access to sensitive information
    • Limit public access to system files
  • Adjusting Systems Services
  • Input Validation and Improper Input Handling
    • Overview of Input Validation and Its Importance
    • Input Validation Techniques
    • Preventing and Mitigating Input-Related Attacks
  • Stack buffer overflow
    • Understanding the impact and techniques for mitigating
    • Enabling stack protection mechanisms in the Linux kernel
    • Address Space Layout Randomization (ASLR)
    • Preventing Stack-based Attacks through code review
  • Privilege Escalation
    • Privilege Escalation Attack Vectors
    • Horizontal and Vertical Privilege Escalation
    • Exploiting SUID executables
    • Escalating privileges through misconfigured services
    • Multi-User Escalation
    • Buffer overflow attacks
    • Mitigating privilege escalation attacks
    • Best practices for preventing privilege escalation
  • Network Security Overview
  • Securing SSH
  • Encrypting network traffic
  • Using SSL/TLS certificates
  • Virtual Private Network (VPN)
  • Wireless Network Security
  • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
  • Firewall on Linux
    • Types of firewall available in Linux
    • Configuring firewall using iptables, firewalld or nftables
  • Restricting System Calls in Linux
    • Introduction to system call restrictions
    • Understanding the purpose and benefits of restricting system calls
    • How to use seccomp to restrict system calls in Linux
    • Analyzing the impact of system call restrictions on application functionality
    • Seccomp limitations
    • Best practices for creating a system call whitelist
    • Systemd system call filtering
  • Enhancing Security with Capabilities
    • Overview of capabilities in Linux
    • Understanding the significance of privilege separation in Linux
    • The different types of capabilities
    • Capability Commands
    • File System Capabilities
    • Implementing file system capabilities
    • Protecting SUID executables
    • Enhancing the security of Daemons
    • Setting default capabilities for newly created processes
    • Case studies and real-world examples
  • Methods to harden the Linux Kernel
  • Custom kernel configuration
  • Kernel hardening options
  • Kernel Self-Protection
  • Disabling unnecessary services
  • Limiting the available memory resources
  • Introduction to Linux Security Modules (LSMs)
    • Overview of LSMs and their purpose
    • Types of LSMs available in Linux
    • Understanding the Linux security model
  • Access permissions
    • Discretionary Access Control (DAC)
    • Mandatory Access Control (MAC)
  • Overview of the concepts, goals and principles of MAC security models
  • MAC Models
  • Implementation of MAC
    • access control lists (ACLs)
    • role-based access control (RBAC)
    • label-based access control (LBAC)
    • Managing MAC in a Multi-user Environment
    • DAC vs MAC
  • Overview of SELinux and its purpose
  • Enable SELinux
  • Architecture and Components
  • SELinux Contexts and Labels
  • Benefits of using SELinux
  • SELinux policies
    • Understanding SELinux Policies
    • Creating and managing SELinux policies
    • SELinux policy structure and language
  • Enforcing, Permissive, and Disabled Modes
  • User, Role, and Type Components
  • Defining Custom Domain Types
  • SELinux Boolean Values
  • SELinux Auditing and Logging
  • Troubleshooting SELinux
  • Advanced SELinux Configuration
    • Managing SELinux Port Contexts
    • Configuring SELinux for systemd Services
    • Managing SELinux for Containers
  • AppArmor
    • Overview of AppArmor features and capabilities
    • Implementing AppArmor in Linux
    • Creating and managing AppArmor profiles
    • Understanding and using AppArmor rules
    • AppArmor vs SELinux: Choosing the right solution for your needs
  • Simple Mandatory Access Control for Linux (SMACK)
    • Overview of SMACK and its purpose
    • Characteristics and features of SMACK
    • Configuration and Implementation of SMACK
    • Customizing SMACK policies
    • Combining SMACK with other security features
    • SMACK's strengths and weaknesses
  • TOMOYO
    • Overview of TOMOYO and its purpose
    • The difference between TOMOYO and other LSMs
    • TOMOYO policies
  • Yama
    • Explanation of Yama and its role in Linux security
    • Architecture of Yama and its interaction with other LSMs
    • Customizing the different rules and policies of Yama
  • SafeSetID
    • Importance of SafeSetID in enhancing security in Linux
    • Setting up SafeSetID rules and policies
    • Limitations and Challenges
  • Overview of key components involved in Module Signing
  • Key Concepts of Module Signing
  • Types of Module Signing Methods
    • Discussion of the pros and cons of each method
  • Module Signing steps
  • Verifying the Signature of a Loaded Module
  • Preventing malicious modules with LoadPin
  • Steps for integrating LoadPin into the Linux environment
  • Signing packages for package managers
  • Gnu Privacy Guard (GnuPG)
  • Integrity Measurement Architecture (IMA)
  • The Extended Verification Module (EVM)
  • evmctl tool
  • Overview of Sandboxing and its Importance
  • Understanding the Concept of Isolation and Resource Control
  • Control Groups (cgroups)
  • Chroot and its Security Benefits
  • Containerization with LXC (Linux Containers)
    • Securing Application and Daemons with LXC
  • Docker and its Security Features
  • Exploring Namespaces in Linux
  • Firejail overview
  • Scanning the Linux system
    • Scanning for known malware
  • Linux auditing and monitoring tools
  • Reviewing Logs for Suspicious Activity
  • Retention policies and archiving logs
  • Keeping logs secure and protected against tampering or deletion
Duration
3 days
Cost
2620 € HT
Calendar
Session calendar
Inquire

To book a training session or for more information, please contact us on info@ac6-training.com.

Registrations are accepted till one week before the start date for scheduled classes. For late registrations, please consult us.

You can also fill and send us the registration form

This course, designed for face-to-face delivery, can be provided either in our Paris training center or, worldwide, on your premises.

Scheduled classes are confirmed as soon as there is two confirmed bookings. Bookings are accepted until 1 week before the course start.

Last update of course schedule: 23 October 2023

Booking one of our trainings is subject to our General Terms of Sales