ossf / wg-securing-critical-projects

Helping allocate resources to secure the critical open source projects we all depend on.
Apache License 2.0

Critical projects from the low-level/embedded space #36

Open mrybczyn opened 2 years ago

mrybczyn commented 2 years ago

When reviewing the current list of critical projects, I find some important low-level and embedded ones missing. Could you please consider adding those to the list:

Updated to add descriptions and include projects from the list of @jbmaillet

Distributions:

Bootloaders:

Low level system tools:

Standard libraries:

Crypto libraries:

Platform-specific:

Trusted Firmware-A: https://developer.trustedfirmware.org/w/tf_a/ A reference implementation of secure world software for Arm A-Profile systems (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor. It leverages Arm TrustZone technology; this is different for A and M profile systems, which is why the project has two separate codebases. Runs on every ARM based Android device.

Trusted Firmware M: https://developer.trustedfirmware.org/w/tf_m/ - A reference implementation of secure world software for Arm M-Profile systems (Armv8-M).

Networking:

david-a-wheeler commented 2 years ago

Can you please provide URLs for each? (Home page and/or repos)? That way we ensure we're talking about the same thing :-).

Ideally, a short 1-3 sentence statement for each on why it's important would be great, specifically justifying/giving examples to show that it's widely used or depended on. Low-level utilities often have privileged access, so it's usually easy to argue that vulnerabilities or subversions can be bad, but we also need to argue that they're widely used. We need to record this information better in our spreadsheet for the existing ones, too.

On Dec 22, 2021, at 12:12 PM, Marta Rybczynska @.***> wrote:

When reviewing the current list of critical projects, I find some important low-level and embedded ones missing. Could you please consider adding those to the list:

Distributions:

• the Yocto Project

Bootloaders:

• u-boot
• grub

Low level system tools:

• barebox

Standard libraries:

• musl
• dietlibc

Crypto libraries:

• mbedTLS
• Mozilla nss
• libreSSL

Networking:

• libwebsockets
• lwIP

jbmaillet commented 2 years ago

To the list above, I would add off the top of my head:

busybox (https://www.busybox.net/): for its ubiquity, used in virtually any vanilla embedded Linux device, for example in every domestic SOHO DSL / cable box and Wi-Fi router. Most issues can be avoided by using a seriously trimmed down build configuration, but it has its bugs/CVEs too.

buildroot (https://buildroot.org/): often used when you don't want to use the corporate-sized Yocto, and there are reasons for this. (The company I work for did a 1-year-long industrial PoC for a major French carmaker using Yocto, and everyone hated it with a deep passion.) (We don't use buildroot anymore either, but something similar developed in-house.)

OP-TEE (https://www.op-tee.org/): Arm Trusted Execution Environment, implementing the Arm TrustZone technology. Runs in every Android smartphone, enough said. Note that there are other implementations, commercial or not, such as Google's new Trusty TEE, but OP-TEE, managed by Linaro IIRC, is still the reference point. OP-TEE security advisories are here.

Arm Trusted Firmware: part of the ARM boot chain, exists in 2 flavors depending on the architecture used:

Trusted Firmware-A: A reference implementation of secure world software for Arm A-Profile systems (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor. It leverages Arm TrustZone technology; this is different for A and M profile systems, which is why the project has two separate codebases. Advisories here, but the most reliable and up-to-date source is here. Runs on every ARM-based Android device.

Trusted Firmware M: A reference implementation of secure world software for Arm M-Profile systems (Armv8-M). Advisories here.

mrybczyn commented 2 years ago

Updated the initial post. Big thanks to @jbmaillet for additions

jbmaillet commented 2 years ago

@mrybczyn you're welcome. Now that I think of it, there may be more to add to the list, for the various interfaces (= attack surface) stacks of embedded devices. But it seems difficult to identify vastly deployed software handling these. Again, from the top of my head:

I think at least Wi-Fi and Bluetooth could require a careful examination.

Amir-Montazery commented 2 years ago

Suggestions have been added to the "Community/OpenSSF Member Additions" portion for discussion and consideration at a future workgroup meeting.