Timesys is now offering a great solution to manage software vulnerabilities in your embedded project. This post describes the solution and its advantages, leveraging two articles from Timesys:
- Managing vulnerabilities: The importance of security notification and how to leverage Timesys’ solution
- Managing vulnerabilities: Understanding patch notifications and fixing CVEs
We encourage you to read the above if you are interested in such a solution.
What are vulnerabilities?
As Wikipedia puts it:
In computer security, a vulnerability is a weakness which can be exploited by a Threat Actor, such as an attacker, to perform unauthorized actions within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.
Now more than ever we need to be aware of vulnerabilities. Many have made the news in the past years, such as:
- Heartbleed
- Dirty Cow
- Spectre
Behind those funny names reside serious threats that you need to take care of for your system to be secure.
Why should I care?
Well, it depends on each project, but as soon as your platform has any kind of access you need to think about the consequences of being attacked.
Are all vulnerabilities equal?
No, that is why they are all referenced and a degree of severity is assigned to each one of them. For instance, the previous examples have CVE numbers associated with them, with details:
- Heartbleed = CVE-2014-0160
- Dirty Cow = CVE-2016-5195
- Spectre = CVE-2017-5753 & CVE-2017-5715
How to be vulnerability-proof?
Vulnerabilities are discovered all the time, so you need to check regularly for new vulnerabilities and see if your system can be affected by them. That's where Timesys' solution makes a real difference: it helps you with that process of staying secure!
Timesys' Security Solution
Timesys' solution can actually be split into three distinct steps:
- Monitoring
  - The Threats Response Security Team (TRST) constantly monitors security issues that impact open source software
- Notification
  - Customers can choose to subscribe to notifications, with a new report generated and emailed weekly
- Patching
  - Provides patches to address the CVEs
The solution targets either Yocto-based or Timesys Desktop Factory projects.
How does it work?
Let's take the case of a Yocto project, testing the current Nitrogen8M build based on the Yocto master branch. After adding the meta-timesys layer to our project, it simply requires running a script to get the first results:
$ ../sources/meta-timesys/scripts/checkcves.py -i core-image-minimal
...
Requesting image analysis from LinuxLink ...
...
-- CVE Summary --
Unfixed: 38
Unfixed, Patch Available: 0
Fixed: 14
CPU: 0
...
View the complete report online at: https://linuxlink.timesys.com/cves/reports/xxxx
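As an added example (not Timesys' code and not how LinuxLink is implemented), here is a small Python script that sorts CVE records into the four buckets of the summary above, using a constructed image manifest and constructed CVE records; the CVE-0000-000x ids, the version ranges and the convention that a patch named after a CVE id fixes it are assumptions.

```python
import re

# Constructed sample manifest of recipes in the image: name -> (version, patches).
# Like Yocto's cve-check, a patch whose name starts with a CVE id counts as a fix.
MANIFEST = {
    "openssl": ("1.0.1e", ["CVE-2014-0160.patch"]),
    "linux-yocto": ("4.9.10", []),
    "busybox": ("1.27.2", []),
}
# Constructed CVE records: (id, recipe, first affected, fixed in, patch available, CPU issue).
# The three real ids come from the post; CVE-0000-000x are placeholders, not real CVEs.
CVES = [
    ("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g", True, False),       # Heartbleed
    ("CVE-2016-5195", "linux-yocto", "2.6.22", "4.8.3", True, False),   # Dirty Cow
    ("CVE-2017-5753", "linux-yocto", None, None, False, True),          # Spectre v1
    ("CVE-2017-5715", "linux-yocto", None, None, False, True),          # Spectre v2
    ("CVE-0000-0001", "busybox", "1.27.0", "1.28.0", True, False),      # placeholder
    ("CVE-0000-0002", "linux-yocto", "4.9.0", "4.9.20", False, False),  # placeholder
]

def vkey(v):
    """Sortable key for dotted versions with an optional letter suffix: 1.0.1 < 1.0.1e < 1.0.2."""
    m = re.fullmatch(r"([\d.]+)([a-z]*)", v)
    return (tuple(int(x) for x in m.group(1).split(".")), m.group(2))

def classify(manifest, cves):
    """Map each CVE touching a recipe in the image to one of the four report buckets."""
    statuses = {}
    for cve_id, recipe, first, fixed_in, patch_available, is_cpu in cves:
        if recipe not in manifest:
            continue  # recipe not built into this image, nothing to report
        version, patches = manifest[recipe]
        if is_cpu:
            statuses[cve_id] = "CPU"  # hardware issue, tracked separately
        elif any(p.startswith(cve_id) for p in patches):
            statuses[cve_id] = "Fixed"  # backport applied by the recipe
        elif not (vkey(first) <= vkey(version) < vkey(fixed_in)):
            statuses[cve_id] = "Fixed"  # built version is outside the affected range
        elif patch_available:
            statuses[cve_id] = "Unfixed, Patch Available"
        else:
            statuses[cve_id] = "Unfixed"
    return statuses

def summary(statuses):
    """Count per bucket, in the order the checkcves.py summary prints them."""
    counts = {"Unfixed": 0, "Unfixed, Patch Available": 0, "Fixed": 0, "CPU": 0}
    for status in statuses.values():
        counts[status] += 1
    return counts
```

Calling summary(classify(MANIFEST, CVES)) on the sample data yields one entry in each of the four buckets except Fixed and CPU, which get two each.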
Here is what the online report looks like:
You can then check each section for details, such as the list of unfixed vulnerabilities. Each vulnerability links to the National Vulnerability Database (NVD) entry for its CVE number for more details.
After that monitoring step, you can subscribe to notifications of new CVEs affecting your project, as well as patches to apply in order to fix them.
We find this solution easy to use yet very efficient at keeping a system secure! We hope you enjoyed this blog post. For more details on this solution, please make sure to contact Timesys: