Embedded Linux Security

The embedded Linux ELinOS Security paradigm is simple but effective: keep it small. Whenever many services are running and many libraries are involved, there is a large attack surface. If you save resources, you also reduce the number of attack vectors, thus lowering the chance of being attacked by malware, viruses, worms and other cyber threats. This is why the Debian-based embedded Linux ELinOS comes with its unique approach to choosing target features, configuring both kernel and user space at once.

This is the basis for target devices that run only the services actually required to fulfill their functions. Most Linux distributions integrate a huge number of applications and libraries to provide maximum flexibility. Depending on the requested functionality, those libraries may not be used at all. This is where embedded Linux ELinOS stands out. ELinOS’ unique library dependency resolver automatically ensures that the target system includes only those libraries that are actually required for its services, for every program, whether it is selected via the primary configuration or is a custom application.

Unlike other Linux distributions, ELinOS doesn’t deploy unnecessary services such as an HTTP or SSH server by default, but keeps them optional. This leads to a custom-tailored system that is small, lean, effective and well-protected.

Additionally, ELinOS supports all standard Linux Security mechanisms for hardening an embedded system, such as user privilege separation, a read-only file system, kernel memory protection and Address Space Layout Randomization (ASLR).

Security on Embedded Targets that run Guest OSs

Embedded Linux ELinOS can run as a so-called partition on an embedded target, separated in time and space from its host operating system. PikeOS as the host system ensures that its guest operating systems don’t access resources that aren't allocated to them. Only predefined memory and I/O spaces can be controlled in ELinOS.

On top of the embedded Linux ELinOS Security approach, its host operating system encapsulates the Linux system in a way that attackers can’t break out of the shell. Interrupt control is managed by the host operating system PikeOS; ELinOS can’t access the hardware independently. This mechanism also applies to the Memory Management Unit (MMU).

Embedded Linux ELinOS Security Services

ELinOS Security services are an optional offering for our customers. They allow ELinOS customers to improve and maintain the Security of their ELinOS systems by receiving regular customized Security advisories about newly identified Security issues and early access to updated software packages.

Project Consulting

We identify potential Security issues in third-party software components supplied with ELinOS. This includes monitoring services such as coverage of the Common Vulnerabilities and Exposures (CVE) list and of Security advisories issued by the open-source community. We deliver impact analyses and the identification of potential Security issues, as well as regular Security fixes in a quarterly time frame.

Customer Benefits

Identification of potential Security issues in the 3rd party software components

Impact analysis based on Security advisory bulletin and advice on further actions

Early access to updated software packages developed for future ELinOS versions

Configurable customer project information service

Access to the 50 hours consulting pool
