openbmc.lists.ozlabs.org archive mirror
From: Joseph Reynolds <jrey@linux.ibm.com>
To: Openbmc <openbmc@lists.ozlabs.org>, Sai Dasari <sdasari@fb.com>
Subject: Re: OpenBMC Learning Series - security
Date: Fri, 9 Oct 2020 12:33:17 -0500	[thread overview]
Message-ID: <4d47eaf7-286e-b31e-acbc-d26f850b48f1@linux.ibm.com> (raw)
In-Reply-To: <DDAFCC55-7CF7-469F-B3AA-F61459CCCCF3@fb.com>

On 7/24/20 7:13 PM, Sai Dasari wrote:
>
> Team,
>
> Thanks to all volunteer speakers stepping up to share their expertise 
> with the community. For speaker convenience, the sessions will be held on 
> two *TimeZones* (USA/PDT and INDIA/IST) on *Thursdays@10AM* starting 
> from 8/20 onwards.
>
> I encourage you to take a look at the shared doc @ 
> https://docs.google.com/spreadsheets/d/1RRO5cgutKE7zRPcjcFjrNn-GI5AYoW0FivEZJe_EyWs/edit?usp=sharing 
> for more information regarding this series. If you would like to see 
> more topics (either as speakers or new community members), please feel 
> free to add them for extending the topics in future sessions.
>
...snip...


Sai and the OpenBMC community,

Here is my big-picture idea to organize OpenBMC's security effort. I 
hope this material will guide the project's overall security effort, 
including the learning series.

I want to take this process one step at a time to help build consensus 
for my approach.

My big idea is to apply the world's best publicly available security 
schemes to the OpenBMC project.  Schemes like Microsoft Security 
Engineering, IBM Secure Engineering, and the Common Criteria evaluation 
have been developed over decades of experience and give us the most 
complete guidance for the OpenBMC project and its users.  We should use 
them.

Does this seem like the right approach?  See discussion in footnote 1.

These schemes have a lot in common.  For example, they all advocate for 
threat modeling, security testing, and development process steps like 
design and code reviews.  I am trying to get at that common portion and 
I would like to hear your ideas.

The elements of each scheme are listed in footnote 2 below.  Which of 
these seem most important?  It is so easy (and fun) to focus on security 
functions like authentication and transport layer security algorithms.  
But we might be served better by documenting BMC's architecture to 
understand where its weaknesses are, or making better security tests.  I 
would like to hear your ideas, and I can help sort them into the 
big-picture.


For the learning series presentation, I suggest picking up a dozen or so 
categories from below, including authentication and user management, 
testing and coding, documentation and threat models, incident response, 
etc.  Does that sound right?

- Joseph

## Footnote 1 - How we can use the world's best security schemes

I foresee several difficulties in trying to apply the schemes:
1. The project has not agreed to any particular security scheme and is 
unlikely to choose one, because...
2. Performing any security evaluation is expensive in terms of 
person-hours investment by subject matter experts and we have limited 
resources, and...
3. The big-picture security schemes apply to an entire IT project (like 
a server) while OpenBMC is only source code for one part of any such 
project, so we cannot apply the full methodology.

Why a big-picture scheme?  Security schemes that have a smaller scope 
will not take the project security to the highest levels.  The OpenBMC 
project itself should perform security work needed by various 
big-picture security schemes (such as listed above).  This includes not 
only features like transport security and authentication, but also 
documentation, evidence of design and code reviews, testing, and bug 
fixes, as required by big-picture secure engineering mandates.  Yes, the 
project does all that already, but that work does not have a security 
context.  I would like to help define that context.

Would it be helpful to show how more targeted guidelines from OWASP, 
OCP, and CSIS fit into the big-picture schemes?
[OWASP]: https://www.owasp.org/
[OCP]: https://www.opencompute.org/wiki/Security
[CSIS]: 
https://github.com/opencomputeproject/Security/blob/master/SecureFirmwareDevelopmentBestPractices.md

NOTE: This is a refresh of the effort started in the [security working 
group][] under the headings of "security assurance workflow" and 
"applicable standards".
[security working group]: 
https://github.com/openbmc/openbmc/wiki/Security-working-group

## Footnote 2 - Elements of high-level security schemes

Here are three high-level security schemes.  Is this the right set of 
schemes?
I've started to break these down.

==> Microsoft Security Engineering
https://www.microsoft.com/en-us/securityengineering
Security Development Lifecycle (SDL)
Operational Security Assurance (OSA)
Open Source Security
(Will someone help articulate which elements apply to OpenBMC?)

==> Common Criteria
https://www.commoncriteriaportal.org/cc/
Functional requirements:
- Security Audit (audit logs)
- Communication
- Cryptographic Support
- User data protection
- Authentication
- Security Management
- Privacy
- Protection of the BMC
- Resource Utilization
- BMC access, Trusted paths
Assurance requirements:
- Document BMC architecture and configuration
- Development (architecture, functions spec, implementation)
- Internal representation (source code)
- Guidance documentation
- Life-cycle support
- Tests
- Vulnerability Assessment.
Note: I've annotated and substituted some terminology to make this more 
readable (for example, TOE means BMC).  Also, I've skipped over some 
topics and grossly oversimplified others.  My goal is to make this list 
understandable to the BMC community and to organize OpenBMC work so it 
can be understood by security folks who do not have a BMC background.

==> IBM Secure Engineering
ibm.com/redbooks: Security in Development, The IBM Secure Engineering 
Framework
Development process: protect source code, planning, testing
Product lifecycle management: vulnerabilities, fixes
Secure Engineering Framework:
- Education and awareness
- Project Planning
- Risk assessment and threat modeling
- Security requirements
- Secure coding
- Test and vulnerability assessment
- Documentation
- Incident response
- Supply chain

Includes https://www.ibm.com/trust/security-spbd
- Assessment
- Threat Model
- Code Scan
- Security Tests
- Penetration Test
- Vulnerability Management


Thread overview: 7+ messages
2020-07-25  0:13 [Potential Spoof] OpenBMC Learning Series Sai Dasari
2020-10-09 17:33 ` Joseph Reynolds [this message]
2020-10-09 19:51   ` OpenBMC Learning Series - security Patrick Williams
2020-10-14 15:00     ` Joseph Reynolds
2020-10-15 18:55   ` OpenBMC Learning Series - list of security topics Joseph Reynolds
2020-10-15 19:33     ` Sai Dasari
     [not found]     ` <9bfccd5e-79ae-f1fb-6771-0514e3d1b2fd@preossec.com>
2020-10-16 18:06       ` Joseph Reynolds
