Software/Firmware images, including those with third-party components, can be hardened even after the build
Taking Seamless Integration Further
XGuard – Karamba Security’s IoT security software – offers a set of security controls that can be applied live (“Bolt-On”) to any IoT device running a Linux or Android operating system. The benefits of bolt-on integration lie in incorporating XGuard security controls into a final image, without requiring additional build measures. As always, XGuard doesn’t require R&D changes or source code changes.
XGuard security controls include:
- Application Access Control (Allow Lists) – set of whitelisted executables or “known good”
- Mandatory Access Control (File Protection) – Protecting file operations and ensuring that files can only be accessed by specific applications
- Behavioral Monitoring via a set of fine-grained metrics and indicators
Application Access Control (Allow Lists)
XGuard’s device hardening includes a whitelist enforcement component that protects the device against tampering legitimate binaries or dropping malware that may be used for remote code execution. All executables are checked against the XGuard whitelist, including OS and application files, shared objects (libraries), scripts, and Kernel objects.
Each time any binary is loaded to be executed, its unique signature is calculated, based on the content of the file, and compared to a list of approved application signatures and constraints.
Whitelist information is secured via a cryptographic key-pair by signing the policy file with an RSA private key. Policy signing is done either locally or remotely via a dedicated signing server. There’s also an option to integrate with customer’s key infrastructure to obtain the key pair.
Mandatory Access Control (File Protection)
XGuard’s file-protection configuration file allows specifying files that will have restricted operations and access during runtime. Certain operations are always blocked – remove / rename / chmod / chown – and others are restricted on a per-file basis or by wildcarded expressions.
XGuard also offers configuration of “Associative Execution” for each whitelisted executable: definition of a set of processes (i.e., executables) that are allowed to run it. Any process not in the list that will try to execute such a protected executable will be blocked from doing so.
Behavioral Monitoring
Data on various security and system-health events is collected from the device, as configured, and analyzed by a backend system in the cloud. For Linux systems, this can include indicators such as: Loading of an XGuard whitelist policy; Start-up, mount and login events; System and network indicators; Resource utilization; File operations; Application crashes; and Specific monitored commands, as defined in a configuration file.
Download the full white paper using the Download button below, to learn more about these controls and XGuard’s ease of use and integration options.
