
Technical Tactics: Embedded Linux Software BOM

BSides Las Vegas · 2017 · 9:24 · 130 views · Published 2017-09
About this talk
Daniel Beard explores practical approaches to generating and using software bills of materials (BOMs) for embedded Linux and IoT devices using free tools. He walks through methods ranging from manual engineer-maintained lists to automated extraction from build systems, package managers, and file systems, then demonstrates how to cross-reference a BOM against the National Vulnerability Database to identify and eliminate unnecessary dependencies and known vulnerabilities.
Original YouTube description:
IATC - Technical Tactics: Embedded Linux Software BOM - Daniel Beard I Am The Cavalry BSidesLV 2017 - Tuscany Hotel - July 26, 2017
Transcript [en]:

Right, hope everyone had their coffee today. I'm gonna go really, really fast because I only have 10 minutes. I'm talking about embedded Linux software BOMs, and some Windows got in there too, so you're not totally left out. A little bit about me: I'm co-founder of Promenade Software; we're a boutique medical device software services firm. We are the software development part of some small to medium sized manufacturers who don't have their own software teams, so we touch a lot of different manufacturers. I'm also the co-founder of MedISAO, which is an information sharing and analysis organization specifically targeted to small and medium sized medical device manufacturers.

Okay, so here's the goal for this talk, really, really fast: it's to solve the technical problems of generating and using software BOMs, not the managerial problems. If you want a good talk about that, I know Michael McNeil gave a good one; talk to... there's tons of people right here in the Cavalry who can help, talk to big organizations and how they implemented it in their organization to help answer those questions. This is purely a technical talk, and because I'm from a small company and we like saving money, it's all using free tools, free as in beer and mostly free as in labor too, but not always.

Okay, so let's get some terms straight. Bill of materials: it's from the hardware world, doing supply chain stuff. It's basically an ingredient list of what is in your medical device or your IoT thing or whatever it is. Software in the modern age is a magic box, magic as in no one knows what's inside: running a ten-year-old OS, using out-of-date third-party libraries, hard-coded credentials. That is the industry standard, and an internet connection, and it can actually affect the real world, it can hurt you. Yeah, so this is why we're trying to do a software BOM. We take that idea of a BOM from the hardware world and make that magic box not quite so magical, so we actually know what's inside of it.

Why do we want to do this? Really fast: customer IT likes it. This is the industry standard right now: here's a black box, attach it to your network, hope it's secure, thanks, bye. It helps you keep up to date. How can you keep up to date with your third-party libraries if you don't know what third-party libraries are in your IoT device? Makes sense, right? And most importantly, your lawyers like it. When your lawyer comes to you and says, hey, what open-source libraries are you using in your IoT device, your answer better not be "I don't know," because that makes Richard Stallman angry, and your lawyers don't like it when Richard Stallman is angry.

Okay, so now that I've convinced you that you need one of these, how do I actually generate one? As with most technical answers, it depends. It depends on your build environment. From easiest to hardest: so the easiest way to generate a software BOM is to ask your software engineers to generate one. Any time you use a third-party library, make sure to go to this share drive and put the library you're using with its version there. This is also the worst way, because humans are lazy and error-prone, me included. It's better than nothing; if it's all you got, fine. Not really. Let's talk about some better ways of doing this, right?

Ask your build system. Your build system knows every dependency, every dependency's dependency, and every version number of your dependencies and their dependencies, because it has to build your device, it has to build your IoT thing, it has to build your application. So any system worth its salt has a way of generating a list. I say worth its salt because if you're using C or C++, makefiles get a little hard, and if you have specific questions please see me after, I have some ideas about how to make this easier for you guys. But any modern, modern-ish language, C#, Node, Python, Java, here's how you can generate a list of every dependency and the dependencies that those brought in without you even knowing, and their version numbers. This will all be online on my GitHub, by the way, so you can check it out later.

If you're using an embedded Linux build tool like Yocto or Buildroot, these are the two most common ones, they also specifically have ways of listing out every single package that is included and its version number. This is for legal compliance issues with open-source software licenses, so the lawyers and the engineers are on the same page here, for once.

You can ask your OS or your package manager. You say, I'm not really using Yocto, I'm not using Buildroot, we have a consumer OS, we're using some Debian variant or something like that. Ask your package manager. They all have ways of telling you every dependency that's in there, every package and all of its versions. And this is where I said the Windows came in: Windows even has a way of showing you, using WMIC, everything that's installed and its version number. So there's no excuse, even if you're on Windows.

Ask your file system. So I wish I was exaggerating when I said this, but multiple times we've had clients come to us and say, we can't ask our engineers, they quit two or three years ago, we don't have a build system anymore, all we have is this, all we have is a binary image that we flash on our device. It's got a file system and you can read it, but how are we supposed to generate a BOM from that? Good news: in Linux, libraries all have version numbers in their file names. It's not exact, usually it's just a major, sometimes the major and minor, but it's better than nothing. It's a good start, and if you're doing nothing right now, baby steps, okay, and kind of look forward, right?

Okay, so here's the how, from easiest to hardest: ask your software engineers, ask your build system, ask your OS or your package manager, ask your file system. Try not to do this if you can avoid it.

Okay, so now we have one. Hey, our customers are happy, our lawyers are happy. What can we do that actually makes our life easier with making our devices more secure, as opposed to just making people down the supply chain happy? Well, there's this cool thing called the NVD. It's a list of vulnerabilities that are known in libraries and packages and OSes and stuff, and you now have a list of everything that's in your device. So let's search: type in the first one, version number, see if anything pops up; type in the second one, version number, see if anything pops up. Like, it's really boring. So like any good engineer I made a tool, devicevulnerabilitychecker.com. You can paste your BOM in here, it supports a whole bunch of different formats, and it will give you this snazzy little output searching the NVD for different vulnerabilities based on your BOM.

And this is good for more than just security reasons. This is actually something we ran on one of our medical devices that was in development, and it was the first time we ran the tool on it, and I went, Perl? We're not using Perl. Why is Perl in there? Why did Yocto bring Perl in? It turns out one of our developers had put a flag in one of their libraries that brought in some optional dependencies that we weren't using, and that brought in literally tens of megabytes of different packages. There were hundreds of packages brought in, Perl being one of them. Just disable those flags. It reduced our file size, it increased our boot speed, so decreased our boot time, and it made us more secure, because why do we have Perl on there? We don't need it, we're not using it. And I can guarantee you any IoT system that doesn't have a software BOM has so many packages that no one is using and that just kind of got in there somehow.

Okay, so how can we make this even more, because I don't want to every day or every week have to type this in, copy and paste it, it's going to some server, who knows whether I'm logging it or not. I'm telling you I'm not, but do you trust me? I don't know. Clone it on GitHub. There's a command line version, it's just Python, you can read it if you want, and the output that gives you is this XML output, this unit test output, so you can integrate it into your unit test framework that you already have. Right? All right, guys, so you take your unit test framework, you put it in here, and it fails a test if you fail an NVD, if you have a vulnerability in the NVD that's not on your whitelist, because there are false positives, of course. So here's an example off our build server of one of the first ones we did when we started implementing this. You can see there's a lot of things that have known vulnerabilities, a lot of OpenSSL, but there's Perl again, bzip, and basically this is a... so this is a small list. There are false positives, and even if there aren't false positives, there are ones where you can look at it and say, well, in this scenario it's not really exploitable, it doesn't make sense. But this is a very small list to go over, to look at it and make an informed decision, where before you were just saying, yeah, I mean, I think we're secure, I think there's no vulnerabilities, right? So then that's a huge step up. So that's fin and BOM France. We have time for one question, that was really fast, so does anybody have a question and you want to get set up?

Well, the question was, where is your GitHub reference? That is a good point, I should have put it at the end. It's just Dan Beard on GitHub, and I'm gonna upload it right now. Cool. Um, have you taken the BOM file and tried to input it into a system to do license compliance checks against the versions? Well, while they switch out again, I'd like to remind everybody, if you'd like to continue the conversation, follow the presenters on Peerlyst.com.
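The pipeline the talk describes, in one added Python example that is not the speaker's tool and not code from the page: build a BOM from the version numbers in shared-library filenames (the "ask your file system" fallback), cross-reference it against a list of advisories, honour a whitelist of reviewed false positives, and emit unit-test style XML that a build server can fail on. The library paths, the advisory list and the `CVE-PLACEHOLDER-*` ids are constructed sample data, not NVD records; a real run would replace `SAMPLE_ADVISORIES` with results fetched from the NVD, and `bom_from_filesystem` with the output of a package manager or build system where one is still available.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: library paths as found on a flashed Linux image.
SAMPLE_FILES = [
    "/usr/lib/libssl.so.1.0.2",
    "/usr/lib/libcrypto.so.1.0.2",
    "/usr/lib/libz.so.1.2.8",
    "/usr/lib/libperl.so.5.22",
    "/usr/lib/libbz2.so.1.0",
    "/usr/lib/libfoo.so",   # no version in the name at all
    "/lib/libz.so.1.2.8",   # duplicate of an entry above, must be de-duplicated
]

# Hypothetical advisories standing in for NVD results; the ids are placeholders.
SAMPLE_ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-1", "product": "libssl", "fixed_in": "1.0.2u"},
    {"id": "CVE-PLACEHOLDER-2", "product": "libz", "fixed_in": "1.2.9"},
    {"id": "CVE-PLACEHOLDER-3", "product": "libperl", "fixed_in": "5.26"},
]

# Findings already reviewed and judged not exploitable on this device.
SAMPLE_WHITELIST = {"CVE-PLACEHOLDER-3"}

# libNAME.so[.VERSION] -- the version suffix is optional.
_SO_RE = re.compile(r"^(?P<name>lib[^/]+?)\.so(?:\.(?P<ver>[0-9][0-9A-Za-z.]*))?$")


def parse_library_filename(path):
    """Return (name, version_or_None) for a shared-library path, else None."""
    m = _SO_RE.match(path.rsplit("/", 1)[-1])
    return (m.group("name"), m.group("ver")) if m else None


def bom_from_filesystem(paths):
    """Sorted, de-duplicated BOM: a list of (name, version) tuples."""
    entries = {p for p in map(parse_library_filename, paths) if p}
    return sorted(entries, key=lambda e: (e[0], e[1] or ""))


def version_key(ver):
    """'1.0.2k' -> ((1,''),(0,''),(2,'k')); each piece is (number, letters) so
    tuples always compare element-wise without a type error."""
    parts = []
    for piece in ver.split("."):
        m = re.match(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            break
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def check_bom(bom, advisories, whitelist=frozenset()):
    """Cross-reference BOM entries against advisories.

    A filename version such as '1.0' is usually only major.minor, so it sorts
    as the lowest release of that line, and an unversioned library always
    matches: the check over-reports rather than under-reports."""
    findings = []
    for name, ver in bom:
        for adv in advisories:
            if adv["product"] != name:
                continue
            if ver is None or version_key(ver) < version_key(adv["fixed_in"]):
                findings.append({"package": name, "version": ver, "id": adv["id"],
                                 "whitelisted": adv["id"] in whitelist})
    return findings


def failing_packages(findings):
    """Packages with at least one finding not on the whitelist."""
    return sorted({f["package"] for f in findings if not f["whitelisted"]})


def to_junit_xml(bom, findings):
    """One <testcase> per BOM entry; non-whitelisted findings become a <failure>,
    so an existing unit-test runner turns a known vulnerability into a red build."""
    suite = ET.Element("testsuite", name="bom-vulnerability-check")
    by_pkg = {}
    for f in findings:
        by_pkg.setdefault((f["package"], f["version"]), []).append(f)
    for name, ver in bom:
        case = ET.SubElement(suite, "testcase", name=f"{name} {ver or '(unversioned)'}")
        blocking = [f["id"] for f in by_pkg.get((name, ver), []) if not f["whitelisted"]]
        if blocking:
            ET.SubElement(case, "failure", message=", ".join(blocking))
    suite.set("tests", str(len(bom)))
    suite.set("failures", str(sum(1 for c in suite if c.find("failure") is not None)))
    return ET.tostring(suite, encoding="unicode")


if __name__ == "__main__":
    bom = bom_from_filesystem(SAMPLE_FILES)
    findings = check_bom(bom, SAMPLE_ADVISORIES, SAMPLE_WHITELIST)
    print(to_junit_xml(bom, findings))
```

On the sample data the BOM has six entries (the duplicate libz collapses), three findings are raised, the whitelisted libperl one is reported but does not fail the build, and the suite shows two failures (libssl and libz). The unversioned `libfoo.so` matches nothing here only because no advisory names it; if one did, it would be flagged, which is the intended conservative behaviour when the filename gives no version to compare.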