
Objective
This training is designed for embedded software developers seeking to build secure embedded Linux systems.
While the primary focus is on embedded Linux, the concepts and techniques covered are broadly applicable across various platforms, including bare-metal systems, RTOS-based devices, and Android.
Participants will explore a wide range of topics, including security fundamentals, secure coding practices, cryptographic concepts, data-at-rest and data-in-transit encryption, secure boot, access control mechanisms, sandboxing and isolation, Trusted Execution Environments (TEE), network security, Over-the-Air update strategies, hardware security, and an overview of relevant security certifications and regulatory standards.
Detailed agenda
- Introduction to security concepts: an overview of foundational security concepts including confidentiality, integrity, authenticity, privacy, and non-repudiation. The session introduces risk management, common threat categories, and security design principles (e.g., least privilege, defense-in-depth). It explores the types of attackers (script kiddies, hacktivists, state actors, etc.), hardware vs software threat models, and common attack vectors in embedded systems. Participants will also learn about threat modeling techniques such as STRIDE and DREAD, including hands-on modeling examples for real-world devices.
- Secure coding I - exploiting vulnerabilities: this module teaches how attackers exploit software vulnerabilities in C/C++ based embedded systems. Topics include buffer overflows, use-after-free, format string vulnerabilities, and other memory corruption bugs. Participants will explore shellcode, exploit development basics, return-to-libc, and return-oriented programming (ROP). Practical demonstrations using GDB and penetration testing tools such as Metasploit and radare2 will reinforce how these flaws can be exploited.
- Secure coding II - mitigation techniques: covers compiler-based and runtime security mitigations to protect against common vulnerabilities. Learn about ASLR, stack canaries, DEP/NX, RELRO, FORTIFY, stack-smashing protection (SSP), and other mitigation techniques. Discuss sanitizers like AddressSanitizer and Electric Fence for runtime bug detection. The session also includes an overview of Linux kernel hardening options, secure coding guidelines from CERT C, MISRA C, and ISO/IEC TS 17961, as well as static analysis tools, fuzz testing, and the role of memory-safe languages like Rust and Ada in embedded development.
- Cryptography concepts: a practical introduction to cryptographic fundamentals, including symmetric (AES, ChaCha20) and asymmetric (RSA, ECC) encryption. Learn about public key infrastructures (PKI), X.509 certificates, digital signatures, hash functions, and secure random number generation. This session also explores key storage and management, with a focus on the Linux Trusted Keys subsystem, keyrings, and integration with hardware trust sources (CAAM, TPM, Secure Element, etc.).
- Secure data storage: techniques for protecting data-at-rest in embedded systems. Covers file-based encryption (e.g., eCryptFS, fscrypt) vs partition-based encryption (e.g., dm-crypt, LUKS). Discusses best practices for storing credentials, secrets, and logs, how to manage encryption keys securely, and how to integrate these mechanisms into embedded systems development.
- Secure Boot: understanding the secure boot process, including boot-time integrity verification and chain of trust from SoC ROM code to user space. Topics include SoC-level root-of-trust, key provisioning, bootloader and kernel signing (U-Boot with FIT images), and protecting root filesystems using dm-verity, IMA/EVM, and fs-verity. Discuss platform-specific implementations (NXP, TI, etc.) and common pitfalls.
- Access control mechanisms: an in-depth look at access control in Linux, covering Discretionary Access Control (DAC), POSIX permissions, password and credential management, and Linux capabilities. Discusses Access Control Lists (ACLs) and extended attributes, followed by an overview of Linux Security Modules (LSMs), including SELinux, AppArmor and SMACK. Logging and auditing via auditd and journald are also covered in this session.
- Sandboxing and isolation: techniques to isolate applications and reduce the attack surface. Covers chroot, seccomp-bpf, Linux namespaces (PID, network, mount, etc.), and capabilities. Introduces containerization with LXC, Docker, and systemd-nspawn, and sandboxing techniques for systemd services. Wraps up with a high-level overview of hardware virtualization using QEMU/KVM in embedded contexts.
- Trusted Execution Environment (TEE): covers the need for TEEs in embedded systems and their typical use cases. Participants will learn about popular TEE implementations such as OP-TEE, Google Trusty, and Keystone (RISC-V). In-depth exploration of OP-TEE and ARM TrustZone architecture, secure world vs normal world separation, communication mechanisms (e.g., RPC and TEE Client API), and steps to port and use OP-TEE in embedded Linux platforms.
- Network security: focus on securing data-in-transit using SSL/TLS, HTTPS, IPsec, and VPNs. Discuss common network attacks like MITM, DoS, and port scanning, and how to mitigate them. Learn to secure embedded network services (sshd, httpd, MQTT brokers, etc.), configure firewalls using iptables, nftables, ufw, and firewalld, and integrate intrusion detection systems like Snort or Suricata. Covers remote authentication and SSH hardening.
- Over-The-Air updates: explore secure Over-The-Air (OTA) firmware update mechanisms, from full image-based to delta-based approaches. Learn about authenticity and integrity checks of update images and rollback protection. Overview of open-source frameworks like Mender, SWUpdate, RAUC, OSTree, and Hawkbit, along with best practices for CVE tracking and security patching.
- Hardware Security: this session explores the physical dimension of embedded security. Topics include protection from physical tampering (enclosures, fuses, anti-tamper switches, etc.), reverse engineering resistance (code obfuscation, secure boot fuses), and the role of secure elements and TPMs. Learn how to identify and restrict debug interfaces (JTAG, UART), and understand the threat posed by side-channel attacks (timing, power analysis) and their mitigation techniques.
- Closing session: wrap-up with relevant security certifications and regulatory standards like OWASP’s Embedded Application Security Project, PCI DSS, FIPS 140-3, IEC 62443, ISO/SAE 21434 and many others, including emerging regulations like the EU Cyber Resilience Act (CRA). The session ends with Q&A, a summary of key learnings, and a curated list of books and resources for continued learning.
Additional information
This training is intended for students, engineers, developers and team leaders who work on software development for embedded systems.
Participants are expected to have experience developing software for embedded systems (bare-metal, RTOS, embedded Linux), to be comfortable using a Linux shell environment, to understand Linux system architecture (user space vs kernel space), to have a solid understanding of the C and C++ programming languages, and to be familiar with cross-compilation and build systems (e.g., GCC, Make, Buildroot, Yocto Project).
The course material contains the slides of the presentations, the book of activities and exercises, reference guides, and additional reference documents. All materials will be provided in an electronic format at the start of the training session.
Training exercises are conducted on either the Verdin iMX8MM SoM from Toradex or an emulated environment using QEMU. When using the development kit, it is provided on loan to participants for hands-on activities during the training. If needed, and depending on the contracting company’s requirements, the training can also be adapted to run on a different hardware platform.
The training can be presented in the following languages: Brazilian Portuguese and English.
If you plan to train your team or a group of people, consider a training session inside your company. In an in-company training session, the company is responsible for providing the resources needed for the training, including the training room, data projector and development machines. This model also brings big advantages for the company, since transportation and accommodation costs are reduced to those of the instructor alone, instead of several employees. If your company has a special requirement, we can study a program that meets your needs, like preparing the training material for a specific hardware platform or developing additional content. Don’t hesitate to get in touch via email or the contact page.
Open training sessions are presented in a pleasant environment, with a properly equipped laboratory and Internet access. Classes are usually presented full-time, with a stop for lunch and a coffee break in the morning. If you are interested in attending an open session but there are no classes available, send a message via the contact page and we will notify you as soon as new classes open.
This training can be executed in a remote/online environment. Online training is presented live on a virtual meeting platform like Google Meet or Zoom. In the online modality, students use the emulator (QEMU) to execute the training exercises.