YoVDO

Zephyr Project Security Status - Recent and Ongoing Work

Offered By: Linux Foundation via YouTube

Tags

Cryptography Courses, Microcontrollers Courses, Real-Time Systems Courses, Static Analysis Courses, Open Source Courses, Fuzzing Courses

Course Description

Overview

Explore recent and ongoing security work in the Zephyr Project, an open-source real-time embedded operating system optimized for resource-constrained devices, in this 40-minute conference talk by David Brown from Linaro. Gain insights into Core Infrastructure Initiative Best Practices, static analysis, various certifications, API design, and fuzzing. Learn about the project's security subcommittee, code repository management, and ongoing initiatives such as randomness framework updates and crypto driver development. Discover the aims for FIPS 140-2/3 certification and fuzzing research, including QEMU-based approaches and potential challenges in applying existing fuzzers to Zephyr's unique environment.

Syllabus

Intro
Ok, What is Zephyr • Open Source: Apache 2.0 • Open Linux Foundation project, in git, GitHub-style • Maintainers, mailing list, and meetings
Key differences from Linux • Generally single address-space (maybe MPU) • Usually no dynamic code • Many things are compile-time, not dynamic • Intended for microcontrollers. Think 1003 KB and 10s
Zephyr Security • Past: What is done • Present: What we're doing • Future: What we want to do
Zephyr Security Subcommittee • One person from each platinum member • Silver members by invitation • A security chair elected by the subcommittee: responsible for running bi-weekly meeting, sets agenda and takes notes • A security architect elected by the subcommittee: responsible for overall project security • Maintainers to seek signoff for significant changes
Code repositories: Auditable • Stable branches off of LTS • Subset of the code • Frozen in time
Ongoing work • Described in project documents • Code guidelines • How to report vulnerabilities • Process for a security bug • JIRA instance to manage bugs during embargo
Ongoing example: randomness • Open PR updating entropy/random framework • Addresses multiple security issues • Discussed within subcommittee meeting • In this case worked on by someone in team • Goal: clearer API and docs so it is easier to do things
Aims: Crypto Drivers • Same API for different implementations • Provided by hardware, e.g. Atmel ATAES132A • Provided by software
Aims: FIPS 140-2/3 • Common for cryptographic modules • Generally, certifies products • But, certification of auditable helps that process • Focus is on crypto operations
Aims: Fuzzing • Most fuzzing work done on bigger systems than Zephyr targets • Research into QEMU-based fuzzer • Other possibilities • Existing fuzzers often assume lots of memory • POSIX native port can help with some areas • Open area for research


Taught by

Linux Foundation

Related Courses

Web Hacker's Toolbox - Tools Used by Successful Hackers
Packt via Coursera
Security for Hackers and Developers: Fuzzing
Pluralsight
Advanced White Hat Hacking & Penetration Testing Tutorial
Udemy
Practical Buffer Overflows for OSCP
Udemy
Intro to Fuzzing for Fun and Profit
YouTube