IETF Logo Mail Archive

Re: [saag] draft-moore-iot-bcp-00 (Best Current Practices for Securing Internet of Things (IoT) Devices)

Ben Laurie <ben@links.org> Tue, 08 November 2016 21:17 UTC

Return-Path: <benlaurie@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 372D8129AB7 for <saag@ietfa.amsl.com>; Tue, 8 Nov 2016 13:17:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LJ8oONFOExBw for <saag@ietfa.amsl.com>; Tue, 8 Nov 2016 13:17:42 -0800 (PST)
Received: from mail-wm0-x232.google.com (mail-wm0-x232.google.com [IPv6:2a00:1450:400c:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA2EE129493 for <saag@ietf.org>; Tue, 8 Nov 2016 13:17:41 -0800 (PST)
Received: by mail-wm0-x232.google.com with SMTP id a197so270840744wmd.0 for <saag@ietf.org>; Tue, 08 Nov 2016 13:17:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=gETlr5MpW/Shw2Moohb35BZAHRFD1Dcyx4kGueirqHc=; b=t94Kkkn8r2RDGpJHkl2Pinyaedwi5uKegBqAwSlhM+nqf3kun7te3tKhTvfdljZSn1 VWxO6ejpXd7Jwj6ZPadHtotdkGFkmIPQ0OcE8oHdz+p2S7EdodPfo5PhNpgFm/d10k9m ABOZ3wcK7noWEpfQuw9zEYGnNzBYzcM/LBUUOCSu3E9BVcX1AKPnDghQ187DFCOQjkv/ Upb8lAY+La0nVIsIrlV6IFbNZk1Xad1OR3HVEituFavHS/yI4usbZTYrP7Wjf4FCLSrK 8tFqfJRZAkNgvPtyKECyO9dMaL3hL/7X9aKmzzHLR4zmzMMUuoIh8evUCp1ZjeOVaJWN iGjQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=gETlr5MpW/Shw2Moohb35BZAHRFD1Dcyx4kGueirqHc=; b=dyn+9eLyQbOZ8z8Xi308fGezJCaUnII2vKPbEBK/JYRnYWDj3LqU2yZ+seqHug6U5m DPkapgi3cAmPYcepAp3rK/tzkNKl7WkvCWVTtbBJCTzhxVHg0tHV9Yhmsvp3kUWhJhZd j2LiwpLS2H7Kaz5TlwlQNBNrxNNOAvzJMfJJG2kuuFgQPAnmQg9qmk0iFJunYgRvKe8y R2KYoWB5ea6rSsVhwgPLCvZnpBHzzZyunZHFABBrkUGsYMncgPkBFnhSZj4LaMgIbo/Z 17m1U1GVo0No/S+OiikyyO87fd2evEh0JmZW78jWq0tjx8z6a6JtuuSWcvMwDvFBw86C sLpQ==
X-Gm-Message-State: ABUngvccKaPY3rLlOeDh9JV4r6IyKZaj4tSSRAo60c8YQk9Q2umo9keQ7fIuWpxF+JuN/zBvvY4yXXsJ76bRLQ==
X-Received: by 10.194.14.196 with SMTP id r4mr15302995wjc.54.1478639860399; Tue, 08 Nov 2016 13:17:40 -0800 (PST)
MIME-Version: 1.0
Sender: benlaurie@gmail.com
Received: by 10.28.68.66 with HTTP; Tue, 8 Nov 2016 13:17:39 -0800 (PST)
In-Reply-To: <CACsn0cmce8ZpDThPGA01PgnLfkyD3GyjJJVayiCaFikDUnZ77w@mail.gmail.com>
References: <63ae04d9-9a31-498c-3333-2801a72338f0@network-heretics.com> <99b43920-ee16-3cb2-731b-941718749cf5@afrinic.net> <CACsn0cmce8ZpDThPGA01PgnLfkyD3GyjJJVayiCaFikDUnZ77w@mail.gmail.com>
From: Ben Laurie <ben@links.org>
Date: Tue, 08 Nov 2016 21:17:39 +0000
X-Google-Sender-Auth: WnmxDRK8W51BIbG_IjkGjlRssjI
Message-ID: <CAG5KPzyGRErBNdZ6mWuv28LyenNU9Wr0_wqce0pSf5JiVEySvg@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/2N08IMR2hx4PirGaGcOJtdchp28>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] draft-moore-iot-bcp-00 (Best Current Practices for Securing Internet of Things (IoT) Devices)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2016 21:17:44 -0000

On 8 November 2016 at 15:02, Watson Ladd <watsonbladd@gmail.com> wrote:
> On Mon, Nov 7, 2016 at 11:42 PM, Loganaden Velvindron <logan@afrinic.net> wrote:
>>
>>
>> On 11/5/16 5:25 AM, Keith Moore wrote:
>>> Stephen Farrell suggested I bring this draft to your attention. This
>>> was a rush job as the authors just started talking about this last
>>> Friday, but it was written in response to recent DDoS attacks that
>>> utilized easily-compromised IoT devices.   I'm sure there are missing
>>> pieces (I've identified a few since -00) and sections that could be
>>> stated better (like the title of section 2.3.2), but hopefully this is
>>> a useful start.
>>>
>>> https://datatracker.ietf.org/doc/draft-moore-iot-security-bcp/
>> [Speaking for myself]
>>
>> That's a great start.
>>
>> Can you please consider adding section 2.6.3. Sandboxing techniques
>> Device firmware SHOULD be designed to restrict processes attack surface
>> by isolating them in sandboxing, in addition to privilege minization. In
>> case of compromise, the attack surface is significantly reduced,
>> particularly in the case of privilege minimization.
>>
>> [I'm thinking about OpenSSH and Linux seccomp-bpf sandbox, and also
>> techniques like OpenBSD's pledge]
>
> Does OS sandboxing actually work?
>
> Real attackers attack. That means they have carefully studied the
> system call interface of operating systems to find bugs, which they
> can use to escape from running arbitrary code to violating all
> security properties. They don't break the sandbox layer but exploit
> the kernel instead.

Nothing works perfectly, but sandboxing is not completely pointless:
it reduces the attack surface, including (at least for some sandboxes)
the kernel attack surface. Certainly seccomp-bpf claims this property,
as does Capsicum.

Also, even if we fixed every bug in the kernel, we'd still have
security vulnerabilities in applications, which could be mitigated by
sandboxing. Note that this is what the OP claims, not that it defends
the kernel - which I agree is also useful.

v2.23.0 | Report a Bug | By Email