OpenBMC Learning Series - list of security topics

Joseph Reynolds jrey at linux.ibm.com
Fri Oct 16 05:55:16 AEDT 2020


On 10/9/20 12:33 PM, Joseph Reynolds wrote:
> On 7/24/20 7:13 PM, Sai Dasari wrote:
>>
>> Team,
>>
>> Thanks to all volunteer speakers stepping up to share their expertise 
>> with community. For speaker convenience, the sessions will be held on 
>> two *TimeZones* (USA/PDT and INDIA/IST) on *Thursdays at 10AM* starting 
>> from 8/20 onwards.
>>
>> I encourage you to take a look at the shared doc @ 
>> https://docs.google.com/spreadsheets/d/1RRO5cgutKE7zRPcjcFjrNn-GI5AYoW0FivEZJe_EyWs/edit?usp=sharing 
>> for more information regarding this series. If you would like to see 
>> more topics (either as speakers or new community members), please 
>> feel free to add them for extending the topics in future sessions.
>>
> ...snip...
>
>
> Sai and the OpenBMC community,
>
> Here is my big-picture idea to organize OpenBMC's security effort. I 
> hope this material will guide the project's overall security effort, 
> including the learning series.
...snip...
> For the learning series presentation, I suggest picking up a dozen or 
> so categories from below, including authentication and user 
> management, testing and coding, documentation and threat models, 
> incident response, etc.  Does that sound right?

Sai, thanks for helping to push this forward.


OpenBMC community,

We agreed [1] to a list "security topics" drawn from Microsoft Security 
Engineering, Common Criteria, and IBM Secure Engineering. The idea is 
that a project that uses OpenBMC and follows a similar security approach 
should be able to find what they need in the OpenBMC security topics, 
but the topics themselves are not tightly coupled to any specific 
approach.  Then each of the OpenBMC security topics will give whatever 
the project offers.

[1]: General agreement at the 2020-10-14 OpenBMC security working group 
meeting.  Notes here: 
https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI 


To clarify, I intend for these topics to be the organizing principle for 
the security working group and the learning series.  I am not announcing 
any intention to meet any guidelines, follow any specific practices, or 
perform any security assessments.  One step at a time.

Here is my initial proposal for topics.  This most certainly reflects my 
bias.  Feel free to suggest corrections, changes, and additions.
- Education and awareness
- Threat model
- Code scans
- Security tests (includes dynamic scans and penetration testing)
- Vulnerability management and incident response
- Development process (include planning, designs, reviews, secure coding)
- Documentation (includes specs, architecture, designs, code, and 
configuration) - see breakout below
- Incident response
- Guidance documentation (for downstream projects and for BMC admins)
- Supply chain (includes source code from Yocto and projects built into 
the image)

BMC security function documentation:
- Audit logs
- Communication paths
- Cryptographic support
- User data protection
- Authentication
- Security Management
- Privacy
- Protection of the BMC
- Resource Utilization
- BMC access, Trusted paths

Excluded topics:
- Threat assessment - varies between use cases
- Supply chain (physical) - not applicable

For the learning series presentation I propose one slide to motivate why 
security focus is important, and another explain how OpenBMC security 
topics relate to high-level security schemes and to more focused 
guidance from OWASP, OCP, and CSIS.  Then slides for each security 
topic.  My feeling is that even professional developers need help to 
understand how everything relates back to security. :-)

Let me know if you expect the learning series presentation to have any 
specific content.

- Joseph

>
> - Joseph
>
> ## Footnote 1 - How we can use the world's best security schemes
>
> I foresee several difficulties in trying to apply the schemes:
> 1. The project has not agreed to any particular security scheme and is 
> unlikely to choose one, because...
> 2. Performing any security evaluation is expensive in terms of 
> person-hours investment by subject matter experts and we have limited 
> resources, and...
> 3. The big-picture security schemes apply to an entire IT project 
> (like a server) while OpenBMC is only source code for one part of any 
> such project, so we cannot apply the full methodology.
>
> Why a big-picture scheme?  Security schemes that have a smaller scope 
> will not take the project security to the highest levels. The OpenBMC 
> project itself should perform security work needed by various 
> big-picture security schemes (such as listed above).  This includes 
> not only features like transport security and authentication, but also 
> documentation, evidence of design and code reviews, testing, and bug 
> fixes, as required by big-picture secure engineering mandates.  Yes, 
> the project does all that already, but that work does not have a 
> security context.  I would like to help define that context.
>
> Would it be helpful to show how more targeted guidelines from OWASP, 
> OCP, and CSIS fit into the big-picture schemes?
> [OWASP]: https://www.owasp.org/
> [OCP]: https://www.opencompute.org/wiki/Security
> [CSIS]: 
> https://github.com/opencomputeproject/Security/blob/master/SecureFirmwareDevelopmentBestPractices.md
>
> NOTE: This is a refresh of the effort started in the [security working 
> group][] under the headings of "security assurance workflow" and 
> "applicable standards".
> [security working group]: 
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> ## Footnote 2 - Elements of high-level security schemes
>
> Here are three high-level security schemes.  Is this the right set of 
> schemes?
> I've started to break these down.
>
> ==> Microsoft Security Engineering
> https://www.microsoft.com/en-us/securityengineering
> Security Development Lifecycle (SDL)
> Operational Security Assurance (OSA)
> Open Source Security
> (Will someone help articulate which elements apply to OpenBMC?)
>
> ==> Common Criteria
> https://www.commoncriteriaportal.org/cc/
> Functional requirements:
> - Security Audit (audit logs)
> - Communication
> - Cryptographic Support
> - User data protection
> - Authentication
> - Security Management
> - Privacy
> - Protection of the BMC
> - Resource Utilization
> - BMC access, Trusted paths
> Assurance requirements:
> - Document BMC architecture and configuration
> - Development (architecture, functions spec, implementation)
> - Internal representation (source code)
> - Guidance documentation
> - Life-cycle support
> - Tests
> - Vulnerability Assessment.
> Note: I've annotated and substituted some terminology to make this 
> more readable (for example, TOE means BMC).  Also, I've skipped over 
> some topics and grossly oversimplified others.  My goal is to make 
> this list understandable to the BMC community and the organize OpenBMC 
> work so it can be understood by security folks who do not have a BMC 
> background.
>
> ==> IBM Secure Engineering
> ibm.com/redbooks: Security in Development, The IBM Secure Engineering 
> Framework
> Development process: protect source code, planing, testing
> Product lifecycle management: vulnerabilities, fixes
> Secure Engineering Framework:
> - Education and awareness
> - Project Planning
> - Risk assessment and threat modeling
> - Security requirements
> - Secure coding
> - Test and vulnerability assessment
> - Documentation
> - Incident response
> - Supply chain
>
> Includes https://www.ibm.com/trust/security-spbd
> - Assessment
> - Threat Model
> - Code Scan
> - Security Tests
> - Penetration Test
> - Vulnerability Management
>



More information about the openbmc mailing list