* openbmc-specific dynamic security scanner
@ 2020-03-17 15:01 Joseph Reynolds
2020-03-17 18:20 ` Lee Fisher
0 siblings, 1 reply; 5+ messages in thread
From: Joseph Reynolds @ 2020-03-17 15:01 UTC (permalink / raw)
To: openbmc
Team,
The OpenBMC security working group "end of release checklist" [1] calls
for a report of basic security facts. I would like to create a dynamic
scan tool (okay, it's a shell script) to scan a running OpenBMC system
and report these facts. It would not reveal any vulnerabilities that
are not already well-known. I believe it would not be much of a head
start to attackers.
Once the tool was published, the idea is to run it on various platforms,
fix any issues that need fixing (typically tightening a configuration),
and report to the email list so folks could give their opinions for
the OpenBMC release process [2].
[1]:
https://github.com/openbmc/openbmc/wiki/Security-working-group#security-end-of-release-checklist
[2]: https://github.com/openbmc/docs/blob/master/release/release-process.md
Tool operation:
The tool would be given an admin account and use that to probe the BMC, and
create additional accounts for Operator and ReadOnly access.
It would report items such as which network services are running, what
transport layer security is offered, which accounts can access various
services, what URLs are accessible, etc.
For web access, it can report on HTTP port 80 redirection, HTTP
headers, etc.
With access to the BMC's shell, it can report which files are readable,
writable, and which have sensitive data (like private keys).
In summary, a catalog of OpenBMC security settings.
I realize a tool like this may fall under the test team's province. I
want this to be *trivial* for someone with limited OpenBMC experience to
be able to use. Setting up a robot environment may be a barrier for
some, and running a shell script to connect to the BMC may be much easier.
I realize there are existing open source scanners. Once again, I want
this to be very easy to use, and be customized for OpenBMC. I would be
happy to abandon this project if such a scanner meets my needs. It
would need to be customized for OpenBMC, and be very easy to use. If
that ever happens, the tool I am proposing today would be a good start.
And if you did not already guess, I've already cobbled together a number
of shell commands for this, so making the script would be relatively easy.
I think the script would help further the security awareness of the project.
And I am looking for your feedback.
- Joseph
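A sketch of three of the checks listed under "Tool operation" above (port 80 redirection, HTTP headers, readable private keys), added here as an example; it is not Joseph's script or OpenBMC project code. The function names, the header baseline and the sample responses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed samples (not real BMC output): header dumps as `curl -sI` prints them.
sample_http80='HTTP/1.1 301 Moved Permanently
Location: https://bmc.example/
'
sample_https='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Content-Type: text/html
'

# Does the port-80 response redirect the client to an https:// URL?
check_redirect() {
    printf '%s' "$1" | tr -d '\r' | awk '
        NR == 1 && $2 ~ /^30[1278]$/ { redir = 1 }
        tolower($1) == "location:" && $2 ~ /^https:\/\// { tls = 1 }
        END { print ((redir && tls) ? "redirects-to-https" : "no-https-redirect") }'
}

# Print each header from an assumed baseline (not an OpenBMC requirement)
# that the response does not carry.
missing_headers() {
    for h in Strict-Transport-Security X-Content-Type-Options \
             X-Frame-Options Content-Security-Policy; do
        printf '%s' "$1" | grep -qi "^$h:" || printf '%s\n' "$h"
    done
}

# List files under $1 that contain a PEM private-key marker and are
# readable by group or other (to be run from the BMC shell).
exposed_keys() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) \
        -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null | sort
}

demo() {
    d=$(mktemp -d) || return 1
    # Marker lines only, no key material (constructed).
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' > "$d/server.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' > "$d/locked.pem"
    chmod 644 "$d/server.pem"; chmod 600 "$d/locked.pem"
    echo "port 80: $(check_redirect "$sample_http80")"
    echo "missing headers: $(missing_headers "$sample_https" | tr '\n' ' ')"
    echo "exposed keys: $(exposed_keys "$d")"
    rm -rf "$d"
}
demo
```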
* Re: openbmc-specific dynamic security scanner
From: Lee Fisher @ 2020-03-17 18:20 UTC (permalink / raw)
To: openbmc
On 3/17/20 8:01 AM, Joseph Reynolds wrote:
> [...] And I am looking for your feedback.
Perhaps, instead of creating a new OpenBMC-centric security tool, add
OpenBMC-centric tests to an existing firmware security testing tool.
IMO, there are basically two existing firmware security tools, FWTS and
CHIPSEC.
FirmWare Test Suite (FWTS) is from Canonical to run diagnostics (not
necessarily security-centric) to see if a system (HW/FW) is capable of
running an OS. Runs on multiple ISAs. Has security tests, but not
security-centric. Probably has the best set of ACPI tests available,
recommended by UEFI Forum for PC vendors doing ACPI testing. GPL C codebase.
https://launchpad.net/fwts
CHIPSEC is a firmware security-centric tool from Intel. It has existing
security checks that OpenBMC could use. Main downside -- IMO -- is that
it only works on Intel hardware, no support for
AMD/ARM/RISC-V/POWER/etc. GPL Python codebase with a bit of asm.
https://github.com/chipsec/chipsec
HTH,
Lee
blog: https://firmwaresecurity.com/
* Re: openbmc-specific dynamic security scanner
From: Joseph Reynolds @ 2020-03-17 19:57 UTC (permalink / raw)
To: Lee Fisher, openbmc
On 3/17/20 1:20 PM, Lee Fisher wrote:
> On 3/17/20 8:01 AM, Joseph Reynolds wrote:
>> [...] And I am looking for your feedback.
> Perhaps, instead of creating a new OpenBMC-centric security tool, add
> OpenBMC-centric tests to an existing firmware security testing tool.
> IMO, there are basically two existing firmware security tools, FWTS and
> CHIPSEC.
>
> FirmWare Test Suite (FWTS) is from Canonical to run diagnostics (not
> necessarily security-centric) to see if a system (HW/FW) is capable of
> running an OS. Runs on multiple ISAs. Has security tests, but not
> security-centric. Probably has the best set of ACPI tests available,
> recommended by UEFI Forum for PC vendors doing ACPI testing. GPL C codebase.
>
> https://launchpad.net/fwts
Lee,
Thanks for responding.
The tests I am proposing are specifically for OpenBMC firmware features,
not for its hardware or platform features. So I don't think the fwts suite is
appropriate.
>
> CHIPSEC is a firmware security-centric tool from Intel. It has existing
> security checks that OpenBMC could use. Main downside -- IMO -- is that
> it only works on Intel hardware, no support for
> AMD/ARM/RISC-V/POWER/etc. GPL Python codebase with a bit of asm.
>
> https://github.com/chipsec/chipsec
I've been advised before to use CHIPSEC, but my use case is OpenPOWER,
and I want this work to be accessible to everyone.
I would be okay if someone else were to incorporate the checks I want
into CHIPSEC, but I don't think I could use the results.
- Joseph
>
> HTH,
> Lee
> blog: https://firmwaresecurity.com/
>
* Re: openbmc-specific dynamic security scanner
From: Alexander Tereschenko @ 2020-03-18 15:25 UTC (permalink / raw)
To: openbmc
On 17-Mar-20 20:57, Joseph Reynolds wrote:
>> CHIPSEC is a firmware security-centric tool from Intel. It has existing
>> security checks that OpenBMC could use. Main downside -- IMO -- is that
>> it only works on Intel hardware, no support for
>> AMD/ARM/RISC-V/POWER/etc. GPL Python codebase with a bit of asm.
>>
>> https://github.com/chipsec/chipsec
>
> I've been advised before to use CHIPSEC, but my use case is OpenPOWER,
> and I want this work to be accessible to everyone.
> I would be okay if someone else were to incorporate the checks I want
> into CHIPSEC, but I don't think I could use the results.
But the BMC itself is ARM (I've just glanced at the IBM OpenBMC recipes,
looks like it's ol' good ASPEED), right? If so, looks like there's some
work being done in CHIPSEC for enabling that [1]. Also, AFAIU those
architecture-specific pieces are not necessarily required, they're just
there as helpers to read memory, ports, etc. If all you need is to run a
bunch of commands, I guess just writing a module in Python would do.
A simple script may be okay initially, but I guess over time it will
grow and people will want to have modularity, fancy logging, whatnot -
and there using an established framework like CHIPSEC could save
time and effort. And it being an open source project would only help
others reuse it, which is one of your goals here. I personally haven't
used CHIPSEC much so far, but I think the idea behind was to make it a
generic framework for namely this sort of checks, so at the first glance
it looks like a perfect location, if only the one that'd require some
initial assistance from the project maintainers to make sure you can run
it on ARM - but then again, you'll anyway need to do some foundational
work in the "script" approach anyway.
regards,
Alexander
[1] https://github.com/chipsec/chipsec/issues/461
* Re: openbmc-specific dynamic security scanner
From: Lee Fisher @ 2020-03-18 16:46 UTC (permalink / raw)
To: openbmc
> [...] But the BMC itself is ARM [...]
Intel CHIPSEC team has expressed interest in accepting patches from
non-Intel systems.
I think there might be an issue for the first non-Intel ISA to try to
port CHIPSEC to their chip: CHIPSEC supports the public interfaces of
Intel systems, but may require an NDA to access equivalent info on some
systems. That might be why there's no AMD port.
ARM (Linaro) has been porting the Yocto-based LUV (Linux UEFI
Validation) distro, a test distro for UEFI vendors, which includes
CHIPSEC. They've not ported CHIPSEC yet, but they have expressed an
interest. Perhaps ARM-based OpenBMC and Linaro UEFI teams could share
resources and port CHIPSEC to ARM. A former Intel CHIPSEC team, now at
Eclypsium, did a quick port of parts of CHIPSEC to ARM, but never
upstreamed the patch, I think that may've caused Linaro to block on
attempting a CHIPSEC port.
Regardless of the complications, industry NEEDS to have a tool like
CHIPSEC on ALL processors -- CPUs or BMCs -- other non-Intel chip
vendors should have something similar. Maybe it makes sense to share
same codebase as CHIPSEC, maybe simpler for a new codebase and duplicate
some of the security tests.
FWIW, there's only 1 or 2 Intel business class laptops that pass all the
CHIPSEC security tests. All the others fail miserably, and the non-Intel
systems can't be tested. Having tests doesn't mean the vendors will do
anything about fixing their security issues. :-( Hopefully you can
incentivise your OpenBMC vendors to pass security tests.
> [...] A simple script may be okay initially[...]
There is a script that calls CHIPSEC to gather multiple things:
https://github.com/ANSSI-FR/chipsec-check