Native IoT Hardening in Your BSP with RunSafe Alkemist: Part 2
- I AM NOT A SECURITY EXPERT AND NOTHING IN THIS SERIES OF BLOG POSTS SHOULD BE (MIS)CONSTRUED AS SECURITY ADVICE. I AM NOT RESPONSIBLE FOR ANY VULNERABILITIES IN YOUR SYSTEM.
- THIS SERIES OF BLOG POSTS IS ONLY FOR EDUCATIONAL PURPOSES AND IS NOT MEANT TO AID ANYONE IN ANY ILLEGAL ACTIVITY. I AM NOT RESPONSIBLE FOR ANY ILLEGAL ACTIVITY THAT’S CONDUCTED AS A RESULT OF ANYONE USING THE INFORMATION IN THESE POSTS. IF YOU DO NOT AGREE, LEAVE THIS SITE IMMEDIATELY.
In a previous post (https://mab-labs.com/native-iot-hardening-in-your-bsp-with-runsafe-alkemist-part-1/), I did a deep-dive into RunSafe’s Alkemist “meta-lfr” layer to understand how support for load-time function randomization (LFR) on an embedded target is achieved in a Yocto-based BSP (Note: LFR will remain available as part of RunSafe’s Alkemist: Source product offering). In this post, I’m going to discuss my experience deploying the layer on a particular development kit. This post will go over some modifications that were needed to the BSP, and my overall impression of booting up an embedded target with RunSafe’s Alkemist LFR integrated into the BSP.
I chose the Phytec i.MX 6UL development kit (https://www.phytec.com/product/phyboard-imx6ul-development-kit/) for this exercise because it is relatively inexpensive (98 USD) and because I have prior experience with using a BSP from Phytec for a similar board. The initial steps to download the BSP are straightforward and outlined on Phytec’s website:
phytec_runsafe $> cd ~/yocto
phytec_runsafe $> wget ftp://ftp.phytec.de/pub/Software/Linux/Yocto/Tools/phyLinux
phytec_runsafe $> chmod +x phyLinux
phytec_runsafe $> ./phyLinux init
When you’re asked “Please choose one of the available SoC Platforms”, select option 3 for “imx6ul”. Then, when you’re asked “Please choose one of the available Releases”, select option 4 for “PD-BSP-Yocto-i.MX6UL-PD19.1.0”. Finally, when you’re asked “Please choose one of the available builds”, select option 1 for “phyboard-segin-imx6ul-2”. You can ignore the fact that the target is listed as “phytec-qt5demo-image”. Instead, we’re simply going to build the headless image.
Once the download process is complete, you can go into the sources directory and retrieve the meta-lfr layer, making sure to check out the Sumo branch (since the Phytec BSP is based on Yocto Sumo).
Unfortunately, the LFR package listed on RunSafe’s website will not work with the Phytec BSP due to a mismatch in the floating point unit compiler settings. Instead, you will need to use the following configuration in your meta-lfr/conf/layer.conf file:
LFR_PACKAGE = "https://runsafesecurity.jfrog.io/artifactory/yocto/yocto-2.5.3/lfr-package-cortexa8hf-neon-2.5.3.tar.xz"
One important thing that I would like to point out is that RunSafe was quick to acknowledge this issue and worked with me to resolve it. They actually created a new package that targeted Yocto Sumo, which worked for the Phytec i.MX 6 ULL SoC.
Then, you’re going to have to disable run-time randomization for the “barebox” package that Phytec uses as their bootloader, and the “linux-mainline” package that Phytec uses for their version of the Linux kernel. To do this, you’ll need to add the following lines to meta-lfr/classes/selfrandomize.class:
LFR_DISABLE_pn-barebox = "1"
LFR_DISABLE_pn-linux-mainline = "1"
Finally, to confirm that randomization has occurred on the target, you’ll need to add the “binutils” package to the image so that you have the “readelf” utility on the Phytec development kit. To do this, modify meta-yogurt/recipes-image/images/phytec-headless-image.bb:
IMAGE_INSTALL = "\
    . . .
    binutils \
    "
(Note: There are more elegant ways of doing this, such as adding binutils to an appropriate package group, but this quick and dirty way will suffice for this exercise).
Then, set up your environment and build the phytec-headless-image:
phytec_runsafe $> source sources/poky/oe-init-build-env
phytec_runsafe $> bitbake phytec-headless-image
Finally, dump the resulting .sdcard image onto an SD card using “dd”, short JP1 on the development kit to boot off of the SD card, log in as root, and run “readelf” on busybox to confirm that the relocation section is present in the binary:
phytec_runsafe $> readelf -x .txtrp /bin/busybox | grep 0x -m3
  0x00080a40 02570b00 20000000 510a0000 703f0000 .W.. ...Q...p?..
  0x00080a50 e00d0000 32010000 00000000 00504d00 ....2........PM.
  0x00080a60 00a40100 00030400 00000100 0000f44e ...............N
And that’s it! You have RunSafe’s Alkemist LFR applied to your binaries, running on an embedded target.
Overall, I didn’t notice any major performance issues with RunSafe’s Alkemist run-time LFR, and was pleasantly surprised with the ease of integrating it with a BSP for development.
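The readelf check above covers one binary. The script below is an added example, not code from the original post or from RunSafe. It generalizes the check to every ELF file under an extracted root filesystem on the build host, treating the presence of a “.txtrp” section as the marker, as the post does. The directory argument and the function names are assumptions of this example.

```python
import os, struct, sys

LFR_SECTION = ".txtrp"  # section the post dumps with readelf -x

def section_names(data):
    """Return the section names of an ELF image, or None if it is not a parseable ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        return None
    wide, e = data[4] == 2, "<" if data[5] == 1 else ">"   # ELFCLASS64?, byte order
    try:
        shoff, = struct.unpack_from(e + ("Q" if wide else "I"), data, 0x28 if wide else 0x20)
        shentsize, shnum, shstrndx = struct.unpack_from(e + "HHH", data, 0x3A if wide else 0x2E)
        if shnum == 0:
            return []                      # section headers stripped
        def header(i):                     # -> (sh_name, sh_offset, sh_size)
            base = shoff + i * shentsize
            name, = struct.unpack_from(e + "I", data, base)
            return (name,) + struct.unpack_from(e + ("QQ" if wide else "II"), data,
                                                base + (24 if wide else 16))
        _, off, size = header(shstrndx)
        strtab = data[off:off + size]
        return [strtab[n:strtab.index(b"\0", n)].decode("ascii", "replace")
                for n in (header(i)[0] for i in range(shnum))]
    except (struct.error, ValueError):
        return None                        # truncated or corrupt headers

def audit_rootfs(root):
    """Map every regular ELF file under root to True if it has the LFR section."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue                   # busybox applets are symlinks; count the binary once
            with open(path, "rb") as fh:
                names = section_names(fh.read())
            if names is not None:
                report[os.path.relpath(path, root)] = LFR_SECTION in names
    return report

if __name__ == "__main__":
    # Assumed usage: pass the directory holding the extracted root filesystem.
    report = audit_rootfs(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in sorted(report):
        print("LFR " if report[path] else "NONE", path)
```

Files listed as NONE include anything built with LFR_DISABLE set, so kernel modules from linux-mainline are expected to appear there.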