Eric Evenchick at Hardwear USA 2025

Eric Evenchick



Zephyr Security: Breezing Through Internals, Threats, and Hardening






Abstract:

Zephyr aims to be a best-in-class, small, scalable, real-time operating system (RTOS) optimized for resource-constrained devices across multiple architectures. Since its initial launch in 2016, it has become widely adopted in embedded systems, ranging from the embedded controllers in laptops to large-scale wind turbines. As more silicon vendors provide Zephyr support for their devices, we anticipate further growth in its use.

In this talk, we will cover what we have learned from performing security reviews of Zephyr-based systems. We will also cover security issues identified within Zephyr itself and provide guidelines for ensuring the security of a Zephyr-based system.


Unlike many other RTOS options, Zephyr provides security features, including the isolation of userspace tasks and a secure storage API. While these features can be very useful in developing a secure product, developers must correctly configure and implement them for them to be effective. We will discuss common issues that arise when developing a Zephyr product and provide recommendations for hardening.


This talk will bring attendees up to speed on the state of security in Zephyr, provide recommendations to those using the RTOS in their product development, and help researchers get started with reviewing Zephyr-based systems.

Speaker Bio:

Eric Evenchick is a co-founder and Managing Partner at Tetrel Security, specializing in embedded device security and bespoke tool development. His journey into embedded systems began with the development of research vehicles at the University of Waterloo in collaboration with General Motors and the US Environmental Protection Agency.

This experience propelled him into roles involving the development of automotive firmware and reverse engineering vehicle systems at companies including Tesla Motors. Prior to co-founding Tetrel Security in 2023, Eric served as Technical Director at NCC Group and as Principal Research Consultant at Atredis Partners. In these capacities, he conducted security assessments on diverse hardware and software targets, encompassing automotive systems, medical devices, cloud infrastructure, and mobile devices.

Eric holds a Bachelor of Applied Science in Electrical Engineering from the University of Waterloo. He has been a featured presenter at numerous technology and security conferences, including Black Hat, escar, SecTor, ToorCon, NorthSec, and PyCon USA. His work has garnered recognition in publications such as Wired and Forbes. Since 2019, Eric has been delivering training sessions on reverse engineering embedded systems at Black Hat conferences worldwide.