.. _secure code:

Secure Coding
#############

Traditionally, microcontroller-based systems have not placed much
emphasis on security.
They have usually been thought of as isolated, disconnected
from the world, and not very vulnerable, simply because of the
difficulty of accessing them.  The Internet of Things has changed
this.  Now, code running on small microcontrollers often has access to
the internet, or at least to other devices (that may themselves have
vulnerabilities).  Given the volume at which they are often deployed,
uncontrolled access can be devastating [#attackf]_.

This document describes the requirements and process for ensuring
security is addressed within the Zephyr project.  All code submitted
should comply with these principles.

Much of this document comes from [CIIBPB]_.

Introduction and Scope
**********************

This document covers guidelines for the `Zephyr Project`_, from a
security perspective.  Many of the ideas contained herein are captured
from other open source efforts.

.. todo: Reference main document here

.. _Zephyr Project: https://www.zephyrproject.org/

We begin with an overview of secure design as it relates to
Zephyr.  This is followed by
a section on `Secure development knowledge`_, which
gives basic requirements that a developer working on the project will
need to have.  This section gives references to other security
documents; full details of how to write secure software are beyond
the scope of this document.  This section also describes
vulnerability knowledge that at least one of the primary developers
should have.  This knowledge will be necessary for the review process
described below.

Following this is a description of the review process used to
incorporate changes into the Zephyr codebase.  This is followed by
documentation about how security-sensitive issues are handled by the
project.

Finally, the document covers how changes are to be made to this
document.

Secure Coding
*************

Designing an open software system such as Zephyr to be secure requires
adhering to a defined set of design standards. In [SALT75]_, the following
widely accepted principles for protection mechanisms are defined to
help prevent security violations and limit their impact:

- **Open design** as a design guideline incorporates the maxim that
  protection mechanisms cannot be kept secret on any system in
  widespread use. Instead of relying on secret, custom-tailored
  security measures, publicly accepted cryptographic algorithms and
  well established cryptographic libraries shall be used.

- **Economy of mechanism** specifies that the underlying design of a
  system shall be kept as simple and small as possible. In the context
  of the Zephyr project, this can be realized, e.g., by modular code
  [PAUL09]_ and abstracted APIs.

- **Complete mediation** requires that each access to every object and
  process needs to be authenticated first. Mechanisms that remember
  (cache) the result of an access check shall be avoided if possible.

- **Fail-safe defaults** defines that access is restricted by default
  and permitted only in specific conditions defined by the system
  protection scheme, e.g., after successful authentication.
  Furthermore, default settings for services shall be chosen in a way
  to provide maximum security.  This corresponds to the "Secure by
  Default" paradigm [MS12]_.

- **Separation of privilege** is the principle that two conditions or
  more need to be satisfied before access is granted. In the context
  of the Zephyr project, this could encompass split keys [PAUL09]_.

- **Least privilege** describes an access model in which each user,
  program, and thread shall have the smallest possible subset
  of permissions in the system required to perform their task. This
  positive security model aims to minimize the attack surface of the
  system.

- **Least common mechanism** specifies that mechanisms common to more
  than one user or process shall not be shared if not strictly
  required. The example given in [SALT75]_ is a function that should be
  implemented as a shared library executed by each user and not as a
  supervisor procedure shared by all users.

- **Psychological acceptability** requires that security features are
  easy for developers to use, so that they are actually used and
  applied correctly.

In addition to these general principles, the following points are
specific to the development of a secure RTOS:

- **Complementary Security/Defense in Depth**: do not rely on a single
  threat mitigation approach. In case of the complementary security
  approach, parts of the threat mitigation are performed by the
  underlying platform. In case such mechanisms are not provided by the
  platform, or are not trusted, a defense in depth [MS12]_ paradigm
  shall be used.

- **Less commonly used services off by default**: to reduce the
  exposure of the system to potential attacks, features or services
  shall not be enabled by default if they are only rarely used (a
  threshold of 80% is given in [MS12]_). For the Zephyr project, this can
  be realized using the build configuration system. Each functionality
  and module shall be represented as a configuration option and needs
  to be explicitly enabled. Then, all features, protocols, and drivers
  not required for a particular use case can be disabled. The user
  shall be notified if low-level options and APIs are enabled but not
  used by the application.

- **Change management**: to guarantee traceability of changes to the
  system, each change shall follow a specified process including a
  change request, impact analysis, ratification, implementation, and
  validation phase. In each stage, appropriate documentation shall be
  provided. All commits shall be related to a bug report or change
  request in the issue tracker. Commits without a valid reference
  shall be denied.

Secure development knowledge
****************************

Secure designer
===============

The Zephyr project must have at least one primary developer who knows
how to design secure software.

This requires understanding the following design principles,
including the 8 principles from [SALT75]_:

- economy of mechanism (keep the design as simple and small as
  practical, e.g., by adopting sweeping simplifications)

- fail-safe defaults (access decisions shall deny by default, and
  the project's installation shall be secure by default)

- complete mediation (every access that might be limited must be
  checked for authority and be non-bypassable)

.. todo: Explain better the constraints of embedded devices, and that
   we typically do edge detection, not at each function. Perhaps
   relate this to input validation below.

- open design (security mechanisms should not depend on attacker
  ignorance of their design, but instead on more easily protected and
  changed information like keys and passwords)

- separation of privilege (ideally, access to important objects should
  depend on more than one condition, so that defeating one protection
  system won't enable complete access. For example, multi-factor
  authentication, such as requiring both a password and a hardware
  token, is stronger than single-factor authentication)

- least privilege (processes should operate with the least privilege
  necessary)

- least common mechanism (the design should minimize the mechanisms
  common to more than one user and depended on by all users, e.g.,
  directories for temporary files)

- psychological acceptability (the human interface must be designed
  for ease of use; designing for "least astonishment" can help)

- limited attack surface (the set of the
  different points where an attacker can try to enter or extract data)

- input validation with whitelists (inputs should typically be checked
  to determine if they are valid before they are accepted; this
  validation should use whitelists (which only accept known-good
  values), not blacklists (which attempt to list known-bad values)).
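The following stand-alone C program is an added example, not Zephyr project code, showing how the fail-safe defaults, complete mediation and whitelist input validation points above (and the corresponding principles in the `Secure Coding`_ section) look in practice at a device's input edge. The command protocol, the names ``cmd_t``, ``allowed_commands`` and ``validate_command``, and the sample inputs are all constructed for this illustration.

```c
/* Added example (hypothetical command validator, not Zephyr code): the only
 * inputs acted upon are those on an explicit allow-list, every call re-checks
 * authority, and every failure path denies. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { CMD_NONE = 0, CMD_STATUS, CMD_REBOOT, CMD_SET_LED } cmd_t;

/* Allow-list (whitelist): exact, case-sensitive names the device understands.
 * Anything not listed is rejected, so unexpected input is denied by default. */
static const struct {
    const char *name;
    cmd_t id;
    bool requires_auth;   /* complete mediation: re-checked on every request */
} allowed_commands[] = {
    { "status",  CMD_STATUS,  false },
    { "reboot",  CMD_REBOOT,  true  },
    { "set-led", CMD_SET_LED, true  },
};

#define ALLOWED_COUNT (sizeof(allowed_commands) / sizeof(allowed_commands[0]))
#define MAX_CMD_LEN   16u   /* longest input we are willing to inspect at all */

/* Returns the command id, or CMD_NONE when the input is rejected.  Length and
 * content are validated before any comparison, and the authority check happens
 * on every call rather than being cached from an earlier request. */
cmd_t validate_command(const char *input, size_t input_len, bool authenticated)
{
    if (input == NULL || input_len == 0 || input_len > MAX_CMD_LEN) {
        return CMD_NONE;                       /* empty or oversized: deny */
    }

    /* Reject control characters and non-ASCII bytes up front; the allow-list
     * only contains printable ASCII, so nothing else can ever match. */
    for (size_t i = 0; i < input_len; i++) {
        unsigned char c = (unsigned char)input[i];
        if (c < 0x20 || c > 0x7e) {
            return CMD_NONE;
        }
    }

    for (size_t i = 0; i < ALLOWED_COUNT; i++) {
        const char *name = allowed_commands[i].name;
        size_t name_len = strlen(name);

        /* Compare length first so "status" and "statusX" cannot alias. */
        if (name_len == input_len && memcmp(name, input, input_len) == 0) {
            if (allowed_commands[i].requires_auth && !authenticated) {
                return CMD_NONE;               /* known command, no authority */
            }
            return allowed_commands[i].id;
        }
    }
    return CMD_NONE;                           /* not on the allow-list: deny */
}

int main(void)
{
    /* Constructed sample inputs, including ones that must be rejected. */
    const char *samples[] = { "status", "reboot", "set-led", "REBOOT", "rm -rf /" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t len = strlen(samples[i]);
        printf("%-10s unauthenticated=%d authenticated=%d\n", samples[i],
               (int)validate_command(samples[i], len, false),
               (int)validate_command(samples[i], len, true));
    }
    return 0;
}
```

The length check runs before the byte scan and the byte scan before any comparison, so the cost of rejecting garbage is bounded by ``MAX_CMD_LEN`` regardless of how much data arrives; the authority flag is an input to every call rather than state remembered from a previous one, which is what complete mediation asks for.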

Vulnerability Knowledge
=======================

A "primary developer" in a project is anyone who is familiar with the
project's code base, is comfortable making changes to it, and is
acknowledged as such by most other participants in the project. A
primary developer would typically have made a number of contributions over
the past year (via code, documentation, or answering questions).
Developers would typically be considered primary developers if they
initiated the project (and have not left the project more than three
years ago), have the option of receiving information on a private
vulnerability reporting channel (if there is one), can accept commits
on behalf of the project, or perform final releases of the project
software. If there is only one developer, that individual is the
primary developer.

At least one of the primary developers **must** know of common kinds of
errors that lead to vulnerabilities in this kind of software, as well
as at least one method to counter or mitigate each of them.

Examples (depending on the type of software) include SQL
injection, OS injection, classic buffer overflow, cross-site
scripting, missing authentication, and missing authorization. See the
`CWE/SANS top 25`_ or `OWASP Top 10`_ for commonly used lists.

A free class from the nonprofit OpenSecurityTraining2 for C/C++ developers
is available at `OST2_1001`_. It teaches how to prevent, detect, and
mitigate linear stack/heap buffer overflows, non-linear out-of-bounds writes,
integer overflows, and other integer issues. The follow-on class, `OST2_1002`_,
covers uninitialized data access, race conditions, use-after-free, type confusion,
and information disclosure vulnerabilities.
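As an added example (not Zephyr project code, and not taken from the classes linked above), the parser below shows the two error classes named in this section that matter most in firmware, linear buffer overflow and integer overflow, together with the checks that prevent them. The frame format, the names ``parse_frame``, ``count_frames`` and ``sample_stream``, and the byte stream are all constructed for this illustration.

```c
/* Added example (hypothetical length-prefixed frame parser, not Zephyr code).
 * Frame layout, constructed for this example:
 *   byte 0      type
 *   bytes 1..2  payload length, little-endian uint16
 *   bytes 3..   payload
 * A naive parser that trusts the length field and memcpy()s into a fixed
 * buffer is the classic linear buffer overflow; this one bounds the length
 * against both the destination and the remaining source before copying. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_HDR_LEN 3u
#define MAX_PAYLOAD   64u

struct frame {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];
};

enum parse_result {
    PARSE_OK = 0,
    PARSE_ERR_SHORT,       /* not even a full header present */
    PARSE_ERR_TOO_LONG,    /* length exceeds destination capacity */
    PARSE_ERR_TRUNCATED,   /* length exceeds the bytes actually received */
};

/* Parse one frame from buf[0..buf_len).  On PARSE_OK, *out is filled and
 * *consumed is the number of bytes used; on error nothing is written, so a
 * caller can never read an uninitialised or half-filled frame. */
enum parse_result parse_frame(const uint8_t *buf, size_t buf_len,
                              struct frame *out, size_t *consumed)
{
    if (buf == NULL || out == NULL || consumed == NULL) {
        return PARSE_ERR_SHORT;
    }
    /* Header check first.  Besides avoiding an out-of-bounds read of buf[1]
     * and buf[2], it guarantees buf_len - FRAME_HDR_LEN below cannot wrap. */
    if (buf_len < FRAME_HDR_LEN) {
        return PARSE_ERR_SHORT;
    }

    uint16_t len = (uint16_t)(buf[1] | (buf[2] << 8));

    /* Destination bound: a claimed length of 65535 must never reach memcpy. */
    if (len > MAX_PAYLOAD) {
        return PARSE_ERR_TOO_LONG;
    }
    /* Source bound.  Without the header check above, a 2-byte input would make
     * buf_len - FRAME_HDR_LEN wrap to a huge value and this test would pass. */
    if ((size_t)len > buf_len - FRAME_HDR_LEN) {
        return PARSE_ERR_TRUNCATED;
    }

    out->type = buf[0];
    out->len  = len;
    memcpy(out->payload, buf + FRAME_HDR_LEN, len);
    /* Accumulate in size_t; storing header + length in a uint16_t is the
     * integer-overflow variant of the same bug. */
    *consumed = (size_t)FRAME_HDR_LEN + (size_t)len;
    return PARSE_OK;
}

/* Walk a byte stream frame by frame and stop at the first malformed frame.
 * Returns the number of frames parsed successfully. */
size_t count_frames(const uint8_t *buf, size_t buf_len)
{
    size_t offset = 0, count = 0;
    struct frame f;

    while (offset < buf_len) {
        size_t used = 0;
        if (parse_frame(buf + offset, buf_len - offset, &f, &used) != PARSE_OK) {
            break;
        }
        offset += used;
        count++;
    }
    return count;
}

/* Constructed sample stream: two well-formed frames followed by one whose
 * length field claims 65535 bytes and must be rejected. */
static const uint8_t sample_stream[] = {
    0x01, 0x03, 0x00, 'a', 'b', 'c',   /* frame 1: type 1, 3-byte payload */
    0x02, 0x00, 0x00,                  /* frame 2: type 2, empty payload */
    0x03, 0xff, 0xff, 'z',             /* frame 3: oversized length, rejected */
};

int main(void)
{
    printf("frames accepted: %zu of 3\n",
           count_frames(sample_stream, sizeof(sample_stream)));
    return 0;
}
```

The order of the checks is the point: header length before any use of the length field, destination capacity before source availability, and all arithmetic in ``size_t`` so that neither the unsigned subtraction nor the header-plus-length sum can wrap. A stream walker such as ``count_frames`` that stops at the first error rather than skipping ahead also avoids resynchronising on attacker-chosen offsets.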

.. Turn this into something specific. Can we find examples of
   mistakes.  Perhaps an example of things static analysis tool has sent us.

.. _CWE/SANS top 25: http://cwe.mitre.org/top25/

.. _OWASP Top 10: https://owasp.org/www-project-top-ten/

.. _OST2_1001: https://ost2.fyi/Vulns1001

.. _OST2_1002: https://ost2.fyi/Vulns1002

Zephyr Security Subcommittee
============================

There shall be a "Zephyr Security Subcommittee", responsible for
enforcing this guideline, monitoring reviews, and improving these
guidelines.

This team will be established according to the Zephyr Project charter.

Code Review
***********

The Zephyr project shall use a code review system that all changes are
required to go through.  Each change shall be reviewed by at least one
primary developer who is not the author of the change.  This
developer shall determine if the change affects the security of the
system (based on their general understanding of security), and if so,
shall request the developer with vulnerability knowledge, or the
secure designer, to also review the code.  Any of these individuals
shall have the ability to block the change from being merged into the
mainline code until the security issues have been addressed.

Issues and Bug Tracking
***********************

The Zephyr project shall have an issue tracking system (such as GitHub_)
that can be used to record and track defects that are found in the
system.

.. _GitHub: https://www.github.com

Because security issues are often sensitive, this issue tracking
system shall have a field to indicate a security issue.  Setting this
field shall result in the issue only being visible to the Zephyr Security
Subcommittee. In addition, there shall be a
field to allow the Zephyr Security Subcommittee to add additional users that will
have visibility to a given issue.

This embargo, or limited visibility, shall only be for a fixed
duration, with the default being a project-decided value.  However,
because security considerations are often external to the Zephyr
project itself, it may be necessary to increase this embargo time.
The time necessary shall be clearly annotated in the issue itself.

The list of issues shall be reviewed at least once a month by the
Zephyr Security Subcommittee.  This review should focus on
tracking the fixes, determining if any external parties need to be
notified or involved, and determining when to lift the embargo on the
issue.  The embargo should **not** be lifted via an automated means, but
the review team should avoid unnecessary delay in lifting the embargo on
issues that have been resolved.

Modifications to This Document
******************************

Changes to this document shall be reviewed by the Zephyr Security Subcommittee,
and approved by consensus.

.. [#attackf]  An attack_ resulted in a significant portion of DNS
   infrastructure being taken down.

.. _attack: http://www.theverge.com/2016/10/21/13362354/dyn-dns-ddos-attack-cause-outage-status-explained
289