Page 10 - cdm-2014
attacker to gain access to the household network. From a defensive point of view, wouldn’t it be
prudent to make sure that a hacker could not run any unauthorized programs on any device in
the household? All that’s needed to prevent this is a whitelisting system that runs on embedded
Linux. That seems like an obvious solution, but it brings us back to my previous question: why are
such systems so scarce? Keeping up with Linux versions is difficult, but it’s not impossible.

An effective whitelisting system for Linux needs several things, including but not limited to:

1. The ability to stop malware or unauthorized tools from running

2. The ability to stop unauthorized scripts and Java applications from running

To do this, the system needs two key programs. The first is a Loadable Kernel Module
(LKM), a demand-loaded device driver that runs in kernel space. Running inside the kernel, the
driver has access to everything the kernel does and can execute code that validates and
authorizes executable code before it runs. The second component is a daemon, a background
program that runs in user space and understands the scripting and byte-code engines that
execute scripts or compiled programs outside the kernel; examples are Python, Perl, PHP,
Java, Ruby and others. If the two communicate effectively, the combination is a whitelisting
system that can trap and kill any unauthorized program at launch time.
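The user-space half of this design, written here as an added example rather than code from the article or any product: once the kernel side has intercepted a launch, the daemon must work out which file is really being executed (the script or jar, not the interpreter that hosts it), hash it, compare the hash against an allowlist, and deny anything it cannot verify. The interpreter names, paths and sample scripts below are assumptions chosen for the demonstration.

```python
import hashlib
import os
import tempfile

SCRIPT_INTERPRETERS = {"python", "python3", "perl", "php", "ruby"}  # assumed names

def sha256_file(path):
    """Content hash, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def resolve_target(exe_path, argv):
    """File to authorise: the script/jar for an interpreter, else the binary; None = nothing on disk."""
    name = os.path.basename(exe_path)
    if name == "java":  # 'java -jar app.jar': the jar is the program (classpath launches not unwrapped)
        return argv[argv.index("-jar") + 1] if "-jar" in argv[:-1] else None
    if name in SCRIPT_INTERPRETERS:
        for arg in argv[1:]:
            if arg == "-c":  # inline code: nothing on disk to hash
                return None
            if not arg.startswith("-"):  # first non-option arg is the script
                return arg
        return None  # interactive session, no script file
    return exe_path

def decide(exe_path, argv, allowed_digests):
    """Return (verdict, target, digest); anything unverifiable is denied (fail closed)."""
    target = resolve_target(exe_path, argv)
    if target is None:
        return ("deny", None, None)
    try:
        digest = sha256_file(target)
    except OSError:  # missing or unreadable file
        return ("deny", target, None)
    return ("allow" if digest in allowed_digests else "deny", target, digest)

def demo():
    """Constructed sample: an approved script and a tampered copy, launched via python3."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "update.py"), os.path.join(d, "update_mod.py")
    for path, text in ((good, "print('ok')\n"), (bad, "print('ok')\nimport os\n")):
        with open(path, "w") as f:
            f.write(text)
    allowed = {sha256_file(good)}
    return tuple(decide("/usr/bin/python3", ["python3"] + a, allowed)[0]
                 for a in ([good], [bad], ["-c", "print(1)"]))
```

A real daemon would receive the path and argv from the LKM and answer it with the verdict; the decision logic is the part shown here.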

The barriers to constructing such a system are several. The most significant challenge is the
number of kernel versions in the field. The Linux kernel is updated almost too frequently,
and its internals change with every update. The speed at which problems are addressed and
functionality is added is impressive, but just because the kernel is updated often doesn’t
mean that people adopt the new versions immediately. This is especially true in embedded systems,
where updates take significant effort and are only done once in a while. For this reason,
kernels as old as version 2.6 (the current version at this writing is 3.14) still exist in embedded
systems, and manufacturers have no intention of updating to a new kernel unless it’s absolutely
necessary or some much-needed functionality specific to their device becomes available. For
developers, this means that an LKM needs to work on everything, or else it might miss out on
the spaces that need it most.

This translates into an enormous development and testing effort, one whose cost may far
outweigh the revenues generated by such a product. This underlies the very reason that
there are only a few Linux whitelisting systems: it’s simply not a profitable business model. For
the near future, it appears that all those embedded systems in the family home, our critical
infrastructure, our transportation and shipping systems, our mobile devices and the like will just
have to remain in self-defense mode.

Phooey to that, I say. It’s our responsibility as vendors in the embedded and general IT space to
keep our customers safe. Safety means that the devices they buy and use are secure from attack
and will not put other devices or systems in danger through a lack of security.
