Loading…
October 31 - November 1 - Co-Located Events
October 28-30 - Conference
Lyon Convention Centre - Lyon, France
More information for Open Source Summit + Embedded Linux Conference Europe 2019

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Security & Safety [clear filter]
Monday, October 28
 

11:30

Panel Discussion: Evolving for Today’s Security First Mindset - David C. Stewart & Hengameh James, Intel Corporation; Jon Masters, Red Hat; Jiri Kosina, SUSE; Ed Maste, FreeBSD Foundation
As the cybersecurity landscape continues to evolve, our industry remains focused on ways we can help protect developers and customers. Over the past two years, teams across the industry have continued to improve security throughout our portfolio of hardware and software, and taken our industry collaboration to new levels. We recognize however that no one company can do this alone. We see the value in collaboration that is driven by the structure of the industry and interdependency between layers in the stack. We have built an approach to engaging the ecosystem that features unprecedented levels of coordination. This approach is not only multi-party, it’s multi-lateral, and the goal is to create an environment where we’re all continuously learning. This allows us to drive the meaningful change that customers and end users are counting on. That mindset has improved how everyone develops the hardware and software we deliver. This panel will feature key contributors to this collaboration.

Speakers
avatar for David C. Stewart

David C. Stewart

Senior Director, Intel Corporation
David Stewart is Senior Director of Security Mitigation in Intel's System Software Products, a global team addressing CPU-based security attacks in cloud, dynamic languages, databases, middleware and virtualization. David partners with cloud service providers and operating system... Read More →
JK

Jiri Kosina

Distinguished Engineer and Director, SUSE
Jiri is a Linux Kernel developer, Distinguished Engineer and Director of "SUSE Labs Core" engineering department at SUSE.
avatar for Jon Masters

Jon Masters

Chief Arm Architect, Red Hat
Jon Masters is a Computer Architect specializing in high performance microarchitecture at Red Hat, where he is Chief Arm Architect, and works on cache coherent shared virtual memory workload acceleration, among many other topics. He also co-created the technical mitigation team for... Read More →
avatar for Hengameh James

Hengameh James

Sr Technical Program Manager, Intel Corporation
Hengameh James is a Senior Technical Program Manager leading Software Security projects for Intel Architecture Graphics Software (IAGS) organization. Her primary focus is protecting customers’ data security. Hengameh believes in a secure world that is built by collaboration across... Read More →
avatar for Ed Maste

Ed Maste

Director of Project Development, FreeBSD Foundation


Monday October 28, 2019 11:30 - 12:05
Bellecour 3

12:20

Verifying Device Identity with TPMs - Matthew Garrett & Brandon Weeks, Google
There are many cases where you'd like to know exactly which computer you're talking to. Sometimes it's because you're SSHing to a remote machine and you'd like to verify your connection isn't being intercepted. Sometimes it's because you're a VPN server and you'd like to ensure that the client is actually one of your computers, not just pretending to be one.

But what defines machine identity? You could just issue each machine with a key when it's initially enrolled, but what stops an attacker from copying it off the machine and creating as many fake computers as they want?

Most modern systems include a Trusted Platform Module, a small cryptographic device that has its own unique cryptographic identity and securely stores encryption keys. In this presentation we will demonstrate how the TPM can be used to solve the machine identity problem, making SSH trust on first use a thing of the past and ensuring that only trusted machines are able to gain access to your network infrastructure.

Speakers
MG

Matthew Garrett

Security developer, Google
Matthew is a security developer at Google, specialising in Linux security. He thinks computers were probably a mistake.
avatar for Brandon Weeks

Brandon Weeks

Security Engineer, Google
Brandon Weeks is a Security Engineer at Google. His focus is on client device security, public key infrastructure and remote attestation.



Monday October 28, 2019 12:20 - 12:55
Bellecour 3
  • Session Slides Included Yes

14:25

In-and-out - Security of Copying to and from Live Containers - Ariel Zelivansky & Yuval Avrahami, Twistlock
Nowadays mature container platforms (such as Docker, Kubernetes and LXD) provide users a way to extract files from a running container. There are several different design approaches for implementing such a copy feature. In this talk, Yuval and Ariel will present the ups and downs of the different implementations with a focus on security and possible vulnerabilities.

Throughout the presentation, different vulnerabilities that affected the major container engines will be reviewed. A live proof of concept of a vulnerability in the Docker copy comman will be presented.

Speakers
AZ

Ariel Zelivansky

Security Research Team Lead, Palo Alto Networks
Ariel Zelivansky is a security researcher and the head of research at Twistlock, dealing with hacking and securing anything related to containers.
avatar for Yuval Avrahami

Yuval Avrahami

Security Researcher, Palo Alto Networks



Monday October 28, 2019 14:25 - 15:00
Bellecour 3
  • Session Slides Included Yes

15:15

Confidential Computing with Enarx - Mike Bursell & Nathaniel McCallum, Red Hat
We've known for a long time that we need encryption for data at rest and in transit: the Linux Foundation recently formed the Confidential Computing Consortium to encourage use of technologies to help you do encryption for data in use.

Enarx is an application deployment system enabling applications to run within Trusted Execution Environments (TEEs) without rewriting for particular platforms or SDKs. You will learn why confidential computing is so important, why it is so hard, and how Enarx is designed to make it easier and more manageable without sacrificing security. Technologies include Rust, virtualization, WebAssembly, Trusted Execution Environments. We will examine the architecture and workflow, and provide a demo of the existing state of the project, which is currently targeting AMD and Intel hardware.

Speakers
avatar for Nathaniel McCallum

Nathaniel McCallum

Senior Principal Software Engineer, Red Hat, Inc.
Nathaniel is a Principal Software Engineer for Red Hat's Security and Identity group. By day, he tackles tough security problems. By night, he tackles his five children. He is the author of a variety of security related technologies, including: 2FA for Fr
avatar for Mike Bursell

Mike Bursell

Chief Security Architect, Red Hat
I've been in and around Open Source since around 1997, and have been running (GNU) Linux as my main desktop at home and work since then: not always easy... I'm a security bod and architect, and am currently employed as Chief Security Architect for Red Ha



Monday October 28, 2019 15:15 - 15:50
Bellecour 3
  • Session Slides Included Yes

16:20

Analysis of Speculative and Traditional Execution Side Channel and Protection Mechanisms - Antonio Gomez, Intel Corporation
This presentation focuses on the common characteristics of speculative execution side-channel methods, how they compare to traditional side channel methods and the mitigations that Intel is implementing for these methods. We introduce some of the architectural concepts and optimizations that microprocessor designers have created over the years to enhance performance, and then discuss how security researchers have used those same concepts and optimizations to show how malicious actors could potentially infer secret data. We review some common execution environments and where those environments may be exposed to speculative execution side channel methods, and then enumerate and describe a set of techniques that developers can implement to better safeguard their systems, code, and secrets. Developers can use this information to perform risk assessments for their own applications. We provide an overview of the different approaches that Intel is taking to mitigate these potential attacks.

Speakers
AG

Antonio Gomez

Software Engineer, Intel
Antonio is a software engineer in Intel where he focuses on security software mitigations. He holds a Ph.D. in computer science and has worked in different roles in the areas of performance, computer architecture, parallel programming, and security for the last 15 years.


Monday October 28, 2019 16:20 - 16:55
Bellecour 3

17:10

A Story About Common Sense, Functional Safety and Software Development - Nicole Pappler & Dr. Andreas Bärwald, TÜV SÜD Product Service GmbH
Today the added value in products is shaped not so much by hardware or even mechanical parameters, but mainly software. Software allows the use of diversified sources and wide choice of variants with release cycles simultaneously speeding up. Against the resistance of established industry mentality, even the development of safety critical software is not immune against this approach.

However, the current set of standards regarding functional safety currently puts a blind eye to most of the deployed methods, usage and contribution of/to open source software, agile development, DevOps, etc.

These standards ignore the flexibility and reusability already employed at software development.

This talk aims to start an open discussion what really should be considered relevant in modern software development, how state of the art proofs of safety might look like and which current staples of conformity might even impair the reliability, safety and security of nowadays software products.

Speakers
avatar for Nicole Pappler

Nicole Pappler

Principal Smart Software, TÜV SÜD Product Service GmbH
Nicole Pappler is a Senior Software Expert. She has worked in different projects developing safety relevant embedded software before starting as an independent safety assessor for TÜV SÜD. With now more than eight years of experience as a Functional Safety Expert, she supported... Read More →
avatar for Dr. Andreas Bärwald

Dr. Andreas Bärwald

Head of Software Solutions, TÜV SÜD Product Service GmbH
Andreas Bärwald is a Senior Manager and Senior Expert for Software with more than 15 years professional experience in different positions. Over the years he worked as Vice President, Business Unit Manager, Business Line Manager, Team Manager, Project Manager, Technical Certifier... Read More →



Monday October 28, 2019 17:10 - 17:45
Bellecour 3
  • Session Slides Included Yes

18:00

BoF: Addressing Safety Aspects in Open-Source Software - Kate Stewart, The Linux Foundation; Aymeric Rateau, Toyota Motor Europe & Christopher Temple, Arm Germany GmbH
Recently, there is an emergent need of the industry building complex software systems with high performance, safety and security requirements.

In the complex software systems, various open-source software components, such as the Linux kernel, the ROS middleware and other standard open-source libraries, are foreseen to be employed as they form the de-facto standard of current software systems.

In safety-critical systems, these open-source software components however also require special consideration, as malfunctions can lead to hazards and harm to people.

The Linux Foundation has recently initiated the ELISA (Enabling Linux In Safety Applications) Project.
This BoF session shall allow interested engineers and project managers to discuss together on the challenges of addressing safety aspects in open-source software and allow them to exchange and identify suitable areas of collaboration.

Speakers
avatar for Christopher Temple

Christopher Temple

Lead Safety & Reliability Architect, Arm Germany GmbH
As Lead Safety & Reliability Architect Dr. Chris Temple develops the safety and reliability technology roadmap, and drives thought leadership in next generation cost effective safety systems at Arm. Temple is active in the ELISA open source project, where he is investigating inter-dependencies... Read More →
AR

Aymeric Rateau

Senior engineer, Toyota Motor Europe
I started to work at Toyota developing cleaner engines in 2006. I then switched in 2018 to electronic and software engineering related to Advanced Driving Assistance. I actually have a long time interest in computer science and Linux ecosystem, for instance running an open source... Read More →
avatar for Kate Stewart

Kate Stewart

Senior Director of Strategic Programs, Linux Foundation
Kate Stewart is a Senior Director of Strategic Programs, responsible for Embedded and Open Compliance programs. Since joining The Linux Foundation, she has launched Real-Time Linux, Zephyr Project, CHAOSS, and ELISA.


Monday October 28, 2019 18:00 - 18:35
Bellecour 3

18:00

BoF: Webserver Security - Nightmares of a Sysadmin - Sven Rath, REIFF
In this BoF session it's all about common conflicts between developers and sysadmins regarding security requirements in small to mid-size webserver environments.

Every website or code has its own special requirements in how it should be executed and therefore it can become very tricky in regard of how to make your webserver compatible to the code a developer is using and make it secure at the same time. You could turn off most of the security features to get the application working. Sure that's the easy way but as a sysadmin, you are also responsible to prevent script-kiddies, bots and other bad guys from injecting malicious code into your environment. So I would like to point out some topics about webserver security from an admin point of view and I'd like to learn about your experience with web security.

Speakers
avatar for Sven Rath

Sven Rath

Linux-SysAdmin, REIFF Management & Service GmbH
Currently i'am working as a linux-sysadmin for REIFF Management & Service GmbH (inhouse service provider for the REIFF-Group) located in Germany managing a broad range of open-source tools and operating systems.



Monday October 28, 2019 18:00 - 18:35
St. Clair 3
  • Session Slides Included Yes
 
Tuesday, October 29
 

11:30

ELISA: Enabling Linux in Safety Applications - Priyanka Viswanthan, Arm & Jochen Kall, ITK Engineering
There is a current industry trend to build fully autonomous systems. To reach this goal, industry must manage complex software systems with high performance, safety and security requirements.
The operating system is non-differentiating in these systems and it is intended to be used multiple times over the whole product portfolio for a long time span. These conditions make it appealing to use Linux as robust open-source operating system. Based on the results of the SIL2LinuxMP project, the Linux Foundation has recently initiated the ELISA (Enabling Linux In Safety Applications) Project.

The talk shall sketch goals of this collaboration, the first identified challenges of addressing safety aspects in the Linux kernel and the plan how to tackle them. Beyond the Linux kernel, these points can also apply to open-source software in general. The project calls interested companies to participate in this new collaborative project to provide an attractive solution to the overall industry.

Speakers
JK

Jochen Kall

Development Engineer, ITK Engineering
Dr. rer. Nat. Jochen Kall is a development engineer in the field of functional safety at ITK Engineering since 2016. As part of his work, he is involved in the Linux Foundation ELISA project (Enabling Linux in Safety Applications) which aims for establishing Linux as a valid option... Read More →
avatar for Priyanka Viswanthan

Priyanka Viswanthan

Functional Safety Manager, Arm
Priyanka Viswanathan is a Functional Safety Manager at Arm, and part of the Functional Safety Centre of Excellence. As part of her role, she contributes to defining Functional Safety processes for the development of products aimed at safety critical applications. She works with various... Read More →


Tuesday October 29, 2019 11:30 - 12:05
Roseraie 1 & 2

12:20

Supply Chain Implications of Open Source Safety Elements - Christopher Temple, Arm Germany GmbH
There is a growing interest to deploy Linux, as a safety element within safety critical systems. The safety capability of a safety element is expressed in terms safety claims with associated safety integrity levels. The safety manual summarizes the safety capability and defines a contractual relationship within the supply chain. This presentation addresses the necessity of stated safety capabilities and how they can be stated in light of open source development as currently under investigation in the ELISA (Enabling Linux in Safety Applications) project. Two example system architectures are introduced to discuss the extent to which it is possible for Linux to take assumptions on the design external to Linux itself and of “assumption of use requirements” originating from other safety elements in the safety system into consideration. The presentation considers the role of open source and third-party tools in this context and summarizes the difference towards qualified software.

Speakers
avatar for Christopher Temple

Christopher Temple

Lead Safety & Reliability Architect, Arm Germany GmbH
As Lead Safety & Reliability Architect Dr. Chris Temple develops the safety and reliability technology roadmap, and drives thought leadership in next generation cost effective safety systems at Arm. Temple is active in the ELISA open source project, where he is investigating inter-dependencies... Read More →



Tuesday October 29, 2019 12:20 - 12:55
Roseraie 1 & 2
  • Session Slides Included Yes

14:25

Open Source and Functional Safety: Two Approaches to Bridge the Culture Clash - Kate Stewart, The Linux Foundation
Linux and Zephyr are both operating systems that are working towards being able to be confidently used in Safety Critical Applications. This talk will summarize the current state of Zephyr and the project’s plans for going after Functional Safety certifications, while still handling any potential security issues. This will be contrasted with the ELISA project and how the team on ELISA is working towards new processes and tools to help Linux be confidently used in functional safety applications.

Speakers
avatar for Kate Stewart

Kate Stewart

Senior Director of Strategic Programs, Linux Foundation
Kate Stewart is a Senior Director of Strategic Programs, responsible for Embedded and Open Compliance programs. Since joining The Linux Foundation, she has launched Real-Time Linux, Zephyr Project, CHAOSS, and ELISA.



Tuesday October 29, 2019 14:25 - 15:00
Roseraie 1 & 2
  • Session Slides Included Yes

14:25

The State of Open-Source Security - Liran Tal, Snyk
This session will take a lively look at the open source security landscape, focusing on findings from a recent report revealing that vulnerabilities in RHEL, Debian and Ubuntu rose four-fold in 2018, as compared to 2017. It also revealed that of the top ten most popular default Docker images contained at least 30 vulnerable system libraries. We'll talk about the importance of shifting security left and where bugs tend to exist in a dependency tree, as well as more insights. There will also be some live hacking of vulnerable open source libraries!

Speakers
LT

Liran Tal

Developer Advocate, Snyk
Liran Tal is a Developer Advocate at Snyk and a member of the Node.js Foundation Security working group. He is a JSHeroes ambassador, passionate about building communities and the open source movement and greatly enjoys pizza, wine, web technologies, and CLIs. Liran is also the author... Read More →


Tuesday October 29, 2019 14:25 - 15:00
Bellecour 3

15:15

S2OPC, a Secure and Open-source OPC UA Implementation - Vincent Lacroix, Systerel & Charles Schulz, ANSSI
Supported by the ANSSI, S2OPC is an open-source implementation of OPC UA, an industry 4.0 protocol with cybersecurity natively included.

Started five years ago, publicly released at the beginning of 2018, S2OPC is already deployed on several industrial equipment such as PLC, SCADA or Gateway.

It is available under the non contaminating open-source licence Apache 2.0, in order to foster its dissemination.

The S2OPC's economic model is based on integration, maintenance and certification support.
S2OPC is based on Open Security. It is hardened thanks to the use of formal methods, advanced analyzing techniques (static analysis, fuzzing) and a rigorous development process.

The ANSSI is currently working with Systerel on cybersecurity certifications of S2OPC.

The Open-Source model also gives access to very valuable resources to help our development such as Gitlab, Coverity or Visual Studio CE.

Speakers
CS

Charles Schulz

Technologist and Security Expert, Agence nationale de la sécurité des systems
Charles-H. is a French technologist and a Free Software and Open Standards advocate. He is a long-time contributor to free and open source projects such as Document Foundation and the LibreOffice. He is considered a renowned expert promoting the adoption of the OpenDocument Format... Read More →
VL

Vincent Lacroix

Deputy Team Lead, Systerel
About Systerel (http://www.systerel.fr/en/): - Distributive System Engineering: multi-computer, network - Critical software development: Embedded & Real Time, Formal methods - Safety and Cyber-security: Member of standards board, Certification of devices, Independent Safety Assessor... Read More →



Tuesday October 29, 2019 15:15 - 15:50
Bellecour 3
  • Session Slides Included Yes

15:15

The Road to Safety Certification: Overcoming Community Challenges to Enable Safety Certification - Lars Kurth, Citrix / Xen Project
Safety certification is one of the essential requirements for software to be used in highly regulated industries. Besides technical and compliance issues (such as ISO 26262 vs IEC 611508) transitioning an existing project to become more easily safety certifiable requires significant changes to development practices within an open source project.

In this session, we will lay out some challenges of making safety certification achievable in open source and the Xen Project. We will outline the process the Xen Project has followed thus far and highlight lessons learned along the way. The talk will primarily focus on necessary process, tooling changes and community challenges that can prevent progress. We will be offering an in-depth review of how Xen Project is approaching this challenging goal and try to derive lessons for other projects and contributors.

Speakers
avatar for Lars Kurth

Lars Kurth

Director, Open Source, Citrix Systems UK Ltd
Lars Kurth is a highly effective, passionate community manager with strong experience of working with open source communities (Symbian, Symbian DevCo, Eclipse, GNU) and currently is the community manager for the Xen Project. Lars has 12 years of experience building and leading engineering... Read More →



Tuesday October 29, 2019 15:15 - 15:50
Roseraie 1 & 2
  • Session Slides Included Yes

16:20

Catch the Uncatchable Bugs with Property Based Testing - Łukasz Skotarek, Independent
In recent years OOP world started to embrace more and more functional ideas. Immutability, lambdas, functions as first class citizens etc., so I think it's a good time to take a look on another functional idea: Property based testing. We test on every level, writing a lot of unit, integration, e2e etc tests. It's repetetive and boring, but very useful. But with all this test coverage - we still get errors. Can we protect ourselves from hard-to-find bugs? Can testing be less time consuming? In this talk I'll show other way of writing tests that will answer those questions.

Speakers
avatar for Łukasz Skotarek

Łukasz Skotarek

Software Engineer, BlockFi
Former OOP dev that joined FP side of the force.I am passionate about software engineering and music - that's what takes most of my time.Will easily engage in long conversations about both those topics.



Tuesday October 29, 2019 16:20 - 16:55
Roseraie 1 & 2
  • Session Slides Included Yes

17:10

Exploiting Buffer Overflows on RISC-V - Christina Quast, Independent
Almost 10 years ago, work on the RISC-V ISA specification began. Since around a year, we had the first hardware showing up, and since this year, this hardware is even affordable. With this development, the first products and also the first exploits will show up.

This talk will give an introduction to the RISC-V architecture and how exploitation differs from Intel and ARM. Afterward, examples of how to overflow a buffer, create shellcode in assembler language, and finally, how to perform ret2libc are shown. Basic understanding of assembly and C is a plus.

Speakers
avatar for Christina Quast

Christina Quast

Embedded Linux Engineer, NULL
Christina has recently finished her Master's Degree in Electrical Engineering at TU Berlin and is since working as an Embedded Systems Engineer. She has been attending IT Security Conferences and playing IT Security CTFs for several years, and is currently working as an Embedded Systems... Read More →



Tuesday October 29, 2019 17:10 - 17:45
Bellecour 3
  • Session Slides Included Yes

17:10

Security in Smart Vehicle - Loy Theophile, KNG Network
The automotive industry is facing major transformation, nowadays, a car embedded at least 80 equipment control unit shared on a number of LAN (local aera network). The connectivity of car through V2X protocol enable a lot possibility as many security problems. In this presentation, Loïc Théophile will review principle of car new architecture (drivers, bus, system syze...), discuss the risk for car owner along the use of car lifecycle, and look forward to how the use of linux may address security challenges.

Speakers
avatar for Loy Theophile

Loy Theophile

Managing director, KNG Network
Loy Theophile is a cybersecurity engineer since 10 years. He contribute to SMSI audit for vital interest organism in France by driving penetration test to define security policy for company. He also worked for the data privacy regulation authority CNIL, and for company like Decathlon... Read More →



Tuesday October 29, 2019 17:10 - 17:45
Roseraie 1 & 2
  • Session Slides Included Yes
 
Wednesday, October 30
 

11:30

European Union Free and Open Source Software Auditing - Lessons Learned - Saranjit Arora & Marek Przybyszewski, European Commission - DIGIT
The EU-FOSSA project, initiated in 2016 by the European Parliament, aims to improve the security of the open source software that is used by the European institutions. EU-FOSSA is a pilot project, and that means that it intends to find out what are the most-efficient methods for a large organization such as ours to work with very diverse open source communities. How do we fit these specific needs in strict procurement and budgeting procedures? How do we make open source development methods our own? All of this to improve the internal security while making recurrent external contributions. In 2019, we ran 15 bug bounty programmes, organised 3 hackathons, and reached out to a handful of other open source projects. We are ready to share the results and lessons learned from the activities of the EU-FOSSA project: bug bounties, hackathons and communication outreach. We will talk about the future perspectives, and aim to encourage other organisations that consider running similar projects.

Speakers
avatar for Marek Przybyszewski

Marek Przybyszewski

Information Systems Architect, European Commission - DIGIT
Marek Przybyszewski finished Computer Science studies at the Warsaw University and in the past worked as developer, project manager and software architect in various sectors, including banking, accountancy, NGO and market research, as well as in a start-up delivering IPTV solutions... Read More →
avatar for Saranjit Arora

Saranjit Arora

Project Manager, European Commission - DIGIT
After graduating from the University of Nottingham with Mathematics with Computing, Saranjit worked at Esso, PwC and FileNet before venturing into Entrepreneurship. Besides setting up and managing several businesses over the last 20+ years, Saranjit is an experienced Prince 2 certified... Read More →



Wednesday October 30, 2019 11:30 - 12:05
Bellecour 3
  • Session Slides Included Yes

12:20

Security 101 for Cloud-native Applications - Cindy Blake, GitLab
Cloud native applications rely on a more dynamic operational environment that can introduce new security challenges. While most developers are familiar with traditional application security vulnerabilities, they may be less familiar with those that accompany the new attack surfaces introduced by containers and infrastructure orchestration. This session will cover the new attack surfaces introduced by developing, deploying, and running cloud-native applications. We will offer practical advice for securing the software development lifecycle, infrastructure and operations, along with changes required from the more traditional application security testing model. After attending, you will be prepared to identify gaps in your security program with pragmatic advice for how to reduce your risks.

Speakers
avatar for Cindy Blake

Cindy Blake

Sr Security Evangelist, GitLab
Cindy Blake is the Senior Security Evangelist at GitLab, a tech Unicorn that started in 2015. GitLab is leading the explosive DevOps market with an innovative single application approach for the entire software development lifecycle. Cindy Blake collaborates around best practices... Read More →



Wednesday October 30, 2019 12:20 - 12:55
Bellecour 3
  • Session Slides Included Yes

14:25

Firmware Security Methodologies from A to Z - Shyam Saini & Jagan Teki, Amarula Solutions
System Security is one of the critical elements of modern era software & hardwares. There are many security solutions implemented in operating systems both at kernel level and user space level. But these security solutions are incomplete without the security mechanisms implemented at hardware initialization and boot time and lack of these could cause the whole system to be compromised. Given that fact the embedded devices are deployed for many mission critical operations there is huge risk of safety and security of users and devices.

To make systems completely secure, security at firmware and bootloader level should be implemented. So, In this talk the authors will discuss various boot and firmware security mechanisms such as Secure Boot, OP-TEE, Secure Boot Chain, Arm Trusted Firmware (ATF). The authors will also discuss different security solutions based on aforementioned security mechanisms and how these mechanisms could be integrated with uboot for the different applications.

Speakers
avatar for Jagan Teki

Jagan Teki

CEO | Embedded Linux Engineer, Amarula Solutions
Jagan is an Embedded Linux Engineer and CEO of Amarula Solutions India. His work involves to provide Mainline Linux and related ecosystem projects to run on customer hardware devices/boards. He is an active contributor for U-Boot, Linux, Buildroot, Yocto and maintainer of Allwinner... Read More →
avatar for Shyam Saini

Shyam Saini

Freelance Linux Kernel and Embedded Engineer, Independent
Shyam Saini is 2017 graduate and foss enthusiast. He is currently working as Linux Kernel Engineer at Amarula Solutions. In past, he was participant in Google Summer of Code 2017 in Netfilter Project. He was volunteer and one of the organiser of India Linux User Group Delhi meetups... Read More →



Wednesday October 30, 2019 14:25 - 15:00
Bellecour 3
  • Session Slides Included Yes

15:15

Secure OTA Updates For Rich-IoT Rity Platform Using Mender Update Modules - Bartosz Golaszewski, BayLibre
Mender is an open source update manager for embedded devices. Rich-IoT is Mediatek's initiative for rapid development of voice assistant, connected display and smart camera solutions products based on a series of AI-supported chipset platforms. Rity is an open source software stack developed by BayLibre for Rich-IoT featuring a full chain-of-trust implementation including integrity assurance for the root filesystem using dm-verity.

Mender is often preferred by product designers for its intuitive web UI, hosting services and ease of integration but until the release of version 2.0 using encryption or integrity checking was difficult due to the built-in limitations of the client and artifact format.

Version v2.0 (released in May 2019) addresses these issues by providing Update Modules - a flexible way of extending mender functionality.

During this talk I'll present the new features in mender and give an overview of how easy it is to prototype a secured system using them.

Speakers
BG

Bartosz Golaszewski

Embedded Linux Engineer, BayLibre
Bartosz Golaszewski has over 10 years of engineering experience in the embedded systems domain ranging from low-level, real-time operating systems, through the linux kernel to user-space programs, libraries and build systems. He has worked on international projects in a broad range... Read More →


Wednesday October 30, 2019 15:15 - 15:50
Bellecour 3

16:15

How Secure is Your Edge with EdgeX? - Tingyu Zeng, Dell/RSA & Malini Bhandaru, VMware
IoT presents a large attack surface, stemming from the number of connected components, physical distribution, and bugs in hardware and software. In this talk we focus on the Edge, systems close to the IoT sensors and actuators to reduce network bandwidth needs yet lower response latencies. EdgeX Foundry, an open source LF project, is a collection of microservices that collect, process, and respond to sensor data along with various support services. We review its threat model and the security best practices it adopts, such as code scans for known CVEs and security anti-patterns, use of Kong for secure gateway/proxy, use of Vault for secure storage of keys and authentication credentials, audit logging, and deployment prescriptions to limit privilege escalation and stolen media type attacks, and incidence response. Lastly, we touch on security roadmap items such as PKI for authenticated secure inter-service interaction and Trusted Platform Modules for secure boot and encrypted storage .

Speakers
avatar for Malini Bhandaru

Malini Bhandaru

Senior Staff, VMware
Malini Bhandaru leads open source IoT efforts at VMware, actively contributing to LF Edge's EdgeX Foundry, and serving as co-chair of its Security Work Group, first working on IoT and AI long before they were hot. Prior to VMware, during her decade long career at Intel, she worked... Read More →
TZ

Tingyu Zeng

Sr. Principal Engineer, Dell/RSA
Tingyu Zeng, Senior Principal Software Engineer and Security Lead for Dell Technologies’ IoT Platform Development Team. Tingyu is a co-chair of the Security Work Group of EdgeX Foundry, an open framework for building industrial IoT edge computing system under Apache 2 license project... Read More →



Wednesday October 30, 2019 16:15 - 16:50
Bellecour 3
  • Session Slides Included Yes

17:05

Can Artificial Intelligence Secure Your Infrastructure? - A. S. M. Shamim Reza , Link3 Technologies Limited
While intrusion detection systems are the basis of every security aware organization and most of the network based threats have been successfully mitigated in the past; it has a major drawback. And that is, the system is always one step behind the newest threats.

In depth analysis over a larger set of Network data has the advantage of detecting different types of anomalies. And if it is about a Largest Nation wide ISP, then the SOC team has to adopt the Anomaly Detection system to mitigate the infrastructure threats in a pro-active way.

This talk is about the research work to detect well known attacks in DNS infrastructure. And the years of experience has been deployed in to the system to build a robust Machine Learning model.

Mr. Shamim will share about the lesson learned with the conventional method that they have used and the Machine Learning approach that they have tested.

The final goal of this project is to produce ML based tools and share it to the community.

Speakers
avatar for A. S. M. Shamim Reza

A. S. M. Shamim Reza

Deputy Manager, Link3 Technologies Limited
I am an Open source Software enthusiast, system solution architect and Linux System expert with over 10 years of extensive experience. I am an Information Security professional with over 8 years of diverse Information Security experience; from the evolving enterprise needs of large... Read More →



Wednesday October 30, 2019 17:05 - 17:40
Bellecour 3
  • Session Slides Included Yes