Skip to content
This repository has been archived by the owner on Jun 25, 2019. It is now read-only.

intel/isafw

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

39 Commits
integration/yocto
integration/yocto
 
 
isafw
isafw
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
MANIFEST.in
MANIFEST.in
 
 
README.md
README.md
 
 
setup.py
setup.py
 
 

Repository files navigation

Image Security Analyser Framework

The purpose of ISA FW is to provide an extensible framework for analysing different security aspects of OS images during the build process. The design intention of FW is to stay build system independent and have a minimal interface towards it. The actual functional logic of the framework can be found in its plugins that can be created independently from each other.

The interface towards a build system is defined in set of classes in the isafw.py file. The data passed from a build system to the ISA FW is in a form of python class objects.

Currently supported objects

  • ISA_package. Represents a source package/receipe data for each package being build by a build system
  • ISA_pkg_list. Represents a list of binary packages information, such as package names and versions, that are being included into the OS image
  • ISA_kernel. Represents an information about the kernel to be included into the OS image, such as kernel configuration location.
  • ISA_filesystem. Represents an information about the filesystem to be included into the OS image, such as its location and type.

The framework supports a number of callbacks that are invoked by a build system during different stages of package and OS image build. These callbacks are then forwarded for processing to the avaliable ISA FW plugins that have registered for these callbacks. Plugins can do their own analyzing on each stage of the build process and produce security reports.

Currently supported callbacks

  • process_package(self, ISA_package). Called per each source package that is being assembled by a build system
  • process_pkg_list(self, ISA_pkg_list). Called once per each image assembled by a build system
  • process_kernel(self, ISA_kernel). Called once per each image assembled by a build system
  • process_filesystem(self, ISA_filesystem). Called once per each filesystem that is being included into the image

Currently supported plugins

  • ISA_cve_plugin. Plugin for checking CVE information for packages. Works on top of cve-check-tool (https://github.com/ikeydoherty/cve-check-tool)
  • ISA_la_plugin. Plugin for verifying licensing information for packages.
  • ISA_cf_plugin. Plugin for analysing binary compilation flags on rootfs. Works on top of checksec.sh script (http://www.trapkit.de/tools/checksec.html)
  • ISA_kca_plugin. Plugin for analysing security aspects of kernel configuration.
  • ISA_fsa_plugin. A basic plugin for analysing image filesystem.

Build system integration status

The OE layer for isafw can be found at

http://layers.openembedded.org/layerindex/branch/master/layer/meta-security-isafw/

Github repository is

https://github.com/01org/meta-security-isafw

Test Suite

Please run the whole test suite with root priviledges in order for the test setup to work:

sudo python TestSuiteISAFW.py

License

ISA FW and its plugins are available under the terms of the BSD 3-Clause License. Please check the LICENSE file for further details. The integration of ISA FW is licensed under the license specified in each corresponding file under integration folder. Copyright (C) 2015 Intel Corporation

About

No description, website, or topics provided.

Resources

Readme

License

View license

Security policy

Security policy
Activity
Custom properties

Stars

5 stars

Watchers

8 watching

Forks

7 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages