* openbmc-specific dynamic security scanner
From: Joseph Reynolds @ 2020-03-17 15:01 UTC (permalink / raw)
  To: openbmc

Team,

The OpenBMC security working group "end of release checklist" [1] calls 
for a report of basic security facts.  I would like to create a dynamic 
scan tool (okay, it's a shell script) to scan a running OpenBMC system 
and report these facts.  It would not reveal any vulnerabilities that 
are not already well-known.  I believe it would not be much of a head 
start to attackers.

Once the tool was published, the idea is to run it on various platforms, 
fix any issues that need fixing (typically tightening a configuration), 
and report to the email list so folks could give their opinions for 
the OpenBMC release process [2].

[1]: 
https://github.com/openbmc/openbmc/wiki/Security-working-group#security-end-of-release-checklist
[2]: https://github.com/openbmc/docs/blob/master/release/release-process.md

Tool operation:
The tool would be given an admin account and use that to probe the BMC, and 
create additional accounts for Operator and ReadOnly access.
It would report items such as which network services are running, what 
transport layer security is offered, which accounts can access various 
services, what URLs are accessible, etc.
For web access, it can report on HTTP port 80 redirection, HTTP 
headers, etc.
With access to the BMC's shell, it can report which files are readable, 
writable, and which have sensitive data (like private keys).
In summary, a catalog of OpenBMC security settings.

I realize a tool like this may fall under the test team's province. I 
want this to be *trivial* for someone with limited OpenBMC experience to 
be able to use.  Setting up a robot environment may be a barrier for 
some, and running a shell script to connect to the BMC may be much easier.

I realize there are existing open source scanners.  Once again, I want 
this to be very easy to use, and be customized for OpenBMC.  I would be 
happy to abandon this project if such a scanner meets my needs.  It 
would need to be customized for OpenBMC, and be very easy to use.  If 
that ever happens, the tool I am proposing today would be a good start.

And if you did not already guess, I've already cobbled together a number 
of shell commands for this, so making the script would be relatively easy.

I think the script would help further the security awareness of the project.

And I am looking for your feedback.

- Joseph
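
The file checks listed under "Tool operation" above (writable files, and readable files that hold private keys), as an added example that is not part of the thread or of any OpenBMC tool. The function names, the tags and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): the file checks from "Tool operation",
# run against a constructed directory tree. All names are hypothetical.

# Regular files that any local user can modify.
world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# Files holding a PEM private key that group or other can read.
exposed_private_keys() {
    find "$1" -xdev -type f \( -perm -0040 -o -perm -0004 \) 2>/dev/null |
    while IFS= read -r f; do
        if grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# One finding per line, tagged by check.
audit_tree() {
    world_writable "$1" | sed 's/^/WORLD-WRITABLE /'
    exposed_private_keys "$1" | sed 's/^/EXPOSED-KEY /'
}

# Build the constructed sample tree; prints its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/ssl/private" "$d/tmp"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-placeholder' \
        '-----END PRIVATE KEY-----' > "$d/etc/ssl/private/server.pem"
    cp "$d/etc/ssl/private/server.pem" "$d/etc/ssl/private/locked.pem"
    echo 'setting=1' > "$d/etc/app.conf"
    echo 'scratch' > "$d/tmp/scratch"
    chmod 644 "$d/etc/ssl/private/server.pem" "$d/etc/app.conf"
    chmod 600 "$d/etc/ssl/private/locked.pem"
    chmod 666 "$d/tmp/scratch"
    printf '%s\n' "$d"
}

sample=$(make_sample_tree)
audit_tree "$sample"
rm -rf "$sample"
```

On a real system the root argument would be `/` or a mounted image; `-xdev` keeps the walk on one filesystem so pseudo-filesystems such as `/proc` are skipped.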


* Re: openbmc-specific dynamic security scanner
From: Lee Fisher @ 2020-03-17 18:20 UTC (permalink / raw)
  To: openbmc


On 3/17/20 8:01 AM, Joseph Reynolds wrote:
> [...] And I am looking for your feedback.

Perhaps, instead of creating a new OpenBMC-centric security tool, add
OpenBMC-centric tests to an existing firmware security testing tool.
IMO, there are basically two existing firmware security tools, FWTS and
CHIPSEC.

FirmWare Test Suite (FWTS) is from Canonical to run diagnostics (not
necessarily security-centric) to see if a system (HW/FW) is capable of
running an OS. Runs on multiple ISAs. Has security tests, but not
security-centric. Probably has the best set of ACPI tests available,
recommended by UEFI Forum for PC vendors doing ACPI testing. GPL C codebase.

https://launchpad.net/fwts

CHIPSEC is a firmware security-centric tool from Intel. It has existing
security checks that OpenBMC could use. Main downside -- IMO -- is that
it only works on Intel hardware, no support for
AMD/ARM/RISC-V/POWER/etc. GPL Python codebase with a bit of asm.

https://github.com/chipsec/chipsec

HTH,
Lee
blog: https://firmwaresecurity.com/


* Re: openbmc-specific dynamic security scanner
From: Joseph Reynolds @ 2020-03-17 19:57 UTC (permalink / raw)
  To: Lee Fisher, openbmc

On 3/17/20 1:20 PM, Lee Fisher wrote:
> On 3/17/20 8:01 AM, Joseph Reynolds wrote:
>> [...] And I am looking for your feedback.
> Perhaps, instead of creating a new OpenBMC-centric security tool, add
> OpenBMC-centric tests to an existing firmware security testing tool.
> IMO, there are basically two existing firmware security tools, FWTS and
> CHIPSEC.
>
> FirmWare Test Suite (FWTS) is from Canonical to run diagnostics (not
> necessarily security-centric) to see if a system (HW/FW) is capable of
> running an OS. Runs on multiple ISAs. Has security tests, but not
> security-centric. Probably has the best set of ACPI tests available,
> recommended by UEFI Forum for PC vendors doing ACPI testing. GPL C codebase.
>
> https://launchpad.net/fwts

Lee,

Thanks for responding.

The tests I am proposing are specifically for OpenBMC firmware features, 
not for its hardware or platform features.  So I don't think the fwts suite is 
appropriate.

>
> CHIPSEC is a firmware security-centric tool from Intel. It has existing
> security checks that OpenBMC could use. Main downside -- IMO -- is that
> it only works on Intel hardware, no support for
> AMD/ARM/RISC-V/POWER/etc. GPL Python codebase with a bit of asm.
>
> https://github.com/chipsec/chipsec

I've been advised before to use CHIPSEC, but my use case is OpenPOWER, 
and I want this work to be accessible to everyone.
I would be okay if someone else were to incorporate the checks I want 
into CHIPSEC, but I don't think I could use the results.

- Joseph
>
> HTH,
> Lee
> blog: https://firmwaresecurity.com/
>


* Re: openbmc-specific dynamic security scanner
From: Alexander Tereschenko @ 2020-03-18 15:25 UTC (permalink / raw)
  To: openbmc

On 17-Mar-20 20:57, Joseph Reynolds wrote:
>> CHIPSEC is a firmware security-centric tool from Intel. It has existing
>> security checks that OpenBMC could use. Main downside -- IMO -- is that
>> it only works on Intel hardware, no support for
>> AMD/ARM/RISC-V/POWER/etc. GPL Python codebase with a bit of asm.
>>
>> https://github.com/chipsec/chipsec
>
> I've been advised before to use CHIPSEC, but my use case is OpenPOWER, 
> and I want this work to be accessible to everyone.
> I would be okay if someone else were to incorporate the checks I want 
> into CHIPSEC, but I don't think I could use the results.

But the BMC itself is ARM (I've just glanced at the IBM OpenBMC recipes, 
looks like it's ol' good ASPEED), right? If so, looks like there's some 
work being done in CHIPSEC for enabling that [1]. Also, AFAIU those 
architecture-specific pieces are not necessarily required, they're just 
there as helpers to read memory, ports, etc. If all you need is to run a 
bunch of commands, I guess just writing a module in Python would do.

A simple script may be okay initially, but I guess over time it will 
grow and people will want to have modularity, fancy logging, whatnot - 
and there using an established framework like CHIPSEC could be a save of 
time and effort. And it being an open source project would only help 
others reuse it, which is one of your goals here. I personally haven't 
used CHIPSEC much so far, but I think the idea behind was to make it a 
generic framework for namely this sort of checks, so at the first glance 
it looks like a perfect location, if only the one that'd require some 
initial assistance from the project maintainers to make sure you can run 
it on ARM - but then again, you'll anyway need to do some foundational 
work in the "script" approach anyway.

regards,
Alexander

[1] https://github.com/chipsec/chipsec/issues/461


* Re: openbmc-specific dynamic security scanner
From: Lee Fisher @ 2020-03-18 16:46 UTC (permalink / raw)
  To: openbmc

> [...] But the BMC itself is ARM [...]

Intel CHIPSEC team has expressed interest in accepting patches from
non-Intel systems.

I think there might be an issue for the first non-Intel ISA to try to
port CHIPSEC to their chip: CHIPSEC supports the public interfaces of
Intel systems, but may require an NDA to access equivalent info on some
systems. That might be why there's no AMD port.

ARM (Linaro) has been porting the Yocto-based LUV (Linux UEFI
Validation) distro, a test distro for UEFI vendors, which includes
CHIPSEC. They've not ported CHIPSEC yet, but they have expressed an
interest. Perhaps ARM-based OpenBMC and Linaro UEFI teams could share
resources and port CHIPSEC to ARM. A former Intel CHIPSEC team, now at
Eclypsium, did a quick port of parts of CHIPSEC to ARM, but never
upstreamed the patch, I think that may've caused Linaro to block on
attempting a CHIPSEC port.

Regardless of the complications, industry NEEDS to have a tool like
CHIPSEC on ALL processors -- CPUs or BMCs -- other non-Intel chip
vendors should have something similar. Maybe it makes sense to share
same codebase as CHIPSEC, maybe simpler for a new codebase and duplicate
some of the security tests.

FWIW, there's only 1 or 2 Intel business class laptops that pass all the
CHIPSEC security tests. All the others fail miserably, and the non-Intel
systems can't be tested. Having tests doesn't mean the vendors will do
anything about fixing their security issues. :-( Hopefully you can
incentivise your OpenBMC vendors to pass security tests.

> [...] A simple script may be okay initially[...]

There is a script that calls CHIPSEC to gather multiple things:

https://github.com/ANSSI-FR/chipsec-check
