How to Produce Secure Embedded Linux Distributions and Reduce Attack Surfaces by 50-70% while Reducing Support and Patching Costs

Posted on June 30, 2020
Author: RunSafe Security

You’re only a few steps away from deploying Alkemist:Code into your Yocto environment!

RunSafe Security’s Alkemist:Code for Yocto reduces attack surfaces and costs associated with frequent security updates and releases of IOT and embedded systems.  Without changing a line of code – or slowing down product releases – you and your development teams can immunize your software by simply adding a layer into your Yocto build environment’s bblayers.conf file.  The contents for that layer are accessible, for each Yocto release version (ARM and x86), via RunSafe’s Alkemist’s Self Service Portal (SSP).

What is Yocto?

The Yocto project is a game-changing developer environment that streamlines the creation of custom embedded linux distributions for any hardware architecture. Yocto uses “layers” and “recipes” to provide easy configuration management and a reliable and reproducible build process. This toolchain has opened the door to inserting security easily into the build process, reducing operational burdens downstream while increasing protection from cyberattacks for software built with Yocto.

What are the Benefits of Using Alkemist to Secure Embedded Linux Distributions?

For Engineers

  • Implement a consistent security experience across every package in Yocto when you build with Alkemist, reducing support costs
  • Inoculate software without slowing down software developers
  • Give yourself additional time to push software updates to fielded, hard to reach systems

For Product Managers

  • Dramatically reduce attack surface without slowing down developers increase the supply chain integrity of open source components
  • Reduce overall support costs resulting from patch madness and security incidents
  • Differentiate product offering by immunizing code from known and unknown vulnerabilities

Secure Yocto in Seven Easy Steps

Click here to follow along with this easy procedure.

  1. Select A Yocto Distribution
  2. Clone Repos: The RunSafe maintained meta-lfr layer contains all of the necessary configuration files to integrate LFR into a yocto build environment
  3. Customize LFR layer.conf: The LFR_PACKAGE contains pre-built binaries cross-compiled for different CPU targets. Currently supported is 32-bit ARM with support for 32- and 64-bit Intel and 64-bit ARM coming soon.
  4. Prepare Build Environment: Sourcing oe-init-build-env prepares the environment for building yocto recipes and images. Adding meta-lfr to the list of layers will result in all recipes being built with Alkemist protections in place.
  5. Customize LFR local.conf: The binaries contained in the package provided from LFR_PACKAGE in the step 3 cooridinate with the qemuarm MACHINE target.
  6. Build Yocto Image: This command will build the core-image-minimal image with Alkemist protections. The resulting image can be run using runqemu qemuarm. The bitbake command can be run to build other images, or individual recipes with LFR protection using bitbake <recipe/image>.
  7. Verify LFR Protection: This shows how to confirm that LFR has been applied to a given binary using the readelf tool from the binutils package. You must have binutils on your system for it to work, but it is commonly available.

How Does Alkemist Work?

Alkemist uses remotely deployable binary runtime application self-protection (RASP) and Moving Target Defense (MTD) methods to immunize organizations from the biggest threat to software today, memory corruption exploits. Significantly reduce risk by eliminating the exploitation of vulnerabilities and precluding exploits from spreading across multiple devices and networks. 

Originally born out of a research project for the Advanced Research Projects Agency of the Department of Defense (DARPA), Alkemist is the only automated cyberhardening tool to protect open source, in-house developed code, and third-party binaries while leaving each system functionally identical, but logically unique.

Click to learn more about RunSafe’s Alkemist technology.

Security and Memory Threats

Resources for Yocto Developers

Webinar

3 Steps to Reduce IOT Security Update Frustration, While Increasing Deployment Velocity.

Video

Watch an Introduction into the Benefits of Yocto and RunSafe

Frequently Asked Questions PDF

Yocto Project and Alkemist Integration: What do you need to know?

Blog Post

3 Easy Steps in Just Five Minutes to Inoculate Your Software.

Alkemist Portal

Visit the Self Service Portal for Demos, Deployment Guides and Getting Started for Free.

RunSafe Security’s 2025 Product Security Predictions

RunSafe Security’s 2025 Product Security Predictions

Product security has come a long way since  the early 2000s to the current iterations we’re seeing today. From CISA’s focus on Secure by Design to the growing emphasis on software supply chain security, software manufacturers, software buyers, and regulatory...

read more