Security Matrix


The following table describes security problems and cyberattacks and the QNX OS security features that can mitigate them.

| Security problem / attack | Description | Solutions |
|---|---|---|
| Data confidentiality at rest | Prevent an attacker from seeing, modifying, or exfiltrating sensitive data on the system while it is inoperative. | File-based encryption (see Filesystem security) |
| Data integrity and code signing | Allow packaging of system assets in an integrity-protected container that can be mounted at any time on the system for access. | QNX Trusted Disk (see Filesystem security); Secure boot |
| Unrestricted access to system resource managers | Prevent unauthorized system components from accessing system resource manager channels, or restrict what operations they can request after they connect. | Security policies; POSIX permissions/ACLs (see Access control) |
| Filesystem object access control | Restrict access to filesystem objects by various processes. | POSIX permissions/ACLs (see Access control) |
| Untrusted code execution | Prevent an attacker from running or loading an untrusted binary from a filesystem. | Pathtrust |
| Redirect control flow | Prevent an attacker from modifying executable control flow. | RELRO |
| Repeatability of attacks | Make it harder for an attacker to guess where code is loaded in memory for exploit abuse. | Address space layout randomization (ASLR) |
| Buffer overflows | Instrument code to mitigate potential buffer overflow attacks. | Compile code with fortified function support (see Fortified System Functions) |
| Stack overflows | Instrument code to mitigate stack overflow attacks. | Compile code with stack canaries (see Compiler defenses) |
| Revealing sensitive system information | Prevent an attacker from inspecting the private information of other processes on the system. | Secure the /proc filesystem (see The /proc filesystem); Security policies |
| Process execution with least privileges | Configure the system to restrict process privileges so that each process executes with only the privileges its tasks require. | Security policies; Process manager abilities; POSIX permissions/ACLs (see Access control) |
| Device hardware access to kernel memory | Prevent an attacker from using a device to DMA to arbitrary addresses. | QNX System Memory Management Unit Manager (SMMUMAN; see the SMMUMAN User's Guide) |
| Denial of service | Prevent an attacker from (a) preventing critical systems from running by exhausting system resources, or (b) clogging up a network with unexpected traffic. | Resource limits (see the setrlimit() entry in the C Library Reference); Use network jails to isolate sets of processes to a specific interface, IP address, or protocol (see the jail entry in the Utilities Reference) |
| Man-in-the-middle attack | Prevent an attacker from intercepting traffic between networks. | Use network jails to isolate sets of processes to a specific interface, IP address, or protocol (see the jail entry in the Utilities Reference) |
| Network snooping | Monitor the network for sensitive data. | |
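The "Denial of service" row points to resource limits set with setrlimit(). The program below is an added example written for this page, not code from the QNX guide or the QNX OS: it caps a process's open-descriptor count with setrlimit() and then shows that a descriptor-hoarding loop is stopped with EMFILE before the cap is reached. It uses only POSIX calls, so it builds on QNX and on Linux alike; the function names and the cap value of 32 are choices made here for illustration.

```c
/* Added example (not from the QNX guide): using setrlimit() as a
 * denial-of-service mitigation by capping per-process resources.
 * Only POSIX calls are used, so this builds on QNX and on Linux. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Lower both the soft and the hard limit of `resource` to at most `value`.
 * Lowering the hard limit is deliberate: an unprivileged process may raise
 * its soft limit back up to the hard limit, so a cap that is meant to hold
 * must be applied to both. Returns 0 on success, -1 on error (errno set). */
int cap_resource(int resource, rlim_t value) {
    struct rlimit lim;
    if (getrlimit(resource, &lim) != 0)
        return -1;
    if (value < lim.rlim_max)
        lim.rlim_max = value;
    lim.rlim_cur = lim.rlim_max;   /* soft == hard: no way back up */
    return setrlimit(resource, &lim);
}

/* Open /dev/null up to `attempts` times, mimicking a process that leaks or
 * hoards descriptors. Returns how many opens succeeded and stores the errno
 * of the first failure (0 if none) in *first_err. Every descriptor that was
 * opened is closed again before returning. */
int probe_fd_exhaustion(int attempts, int *first_err) {
    int fds[1024];
    int opened = 0;
    const int max_attempts = (int)(sizeof fds / sizeof fds[0]);

    *first_err = 0;
    if (attempts > max_attempts)
        attempts = max_attempts;

    for (int i = 0; i < attempts; i++) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0) {
            *first_err = errno;   /* EMFILE once RLIMIT_NOFILE is hit */
            break;
        }
        fds[opened++] = fd;
    }
    for (int i = 0; i < opened; i++)
        close(fds[i]);
    return opened;
}

/* End-to-end check: cap RLIMIT_NOFILE at `cap`, then confirm that the
 * hoarding loop is stopped with EMFILE before `cap` descriptors are open
 * (fds 0-2 are already in use, so fewer than `cap` opens can succeed).
 * Returns 1 if the cap held, 0 otherwise. */
int dos_cap_holds(rlim_t cap) {
    int err = 0;
    if (cap_resource(RLIMIT_NOFILE, cap) != 0)
        return 0;
    int opened = probe_fd_exhaustion(4 * (int)cap, &err);
    return err == EMFILE && opened < (int)cap;
}

int main(void) {
    int err = 0;
    /* Typical defaults allow 1024 or more descriptors; cap this process
     * (and any child it spawns, since limits are inherited) at 32. */
    if (cap_resource(RLIMIT_NOFILE, 32) != 0) {
        perror("setrlimit");
        return 1;
    }
    int got = probe_fd_exhaustion(256, &err);
    printf("opened %d descriptors before failure: %s\n", got,
           err ? strerror(err) : "none");
    return 0;
}
```

The same cap_resource() call works for the other limits the C Library Reference lists for setrlimit(), such as RLIMIT_NPROC or RLIMIT_AS; because limits are inherited across fork() and exec(), applying one in a launcher before exec'ing a service confines the service and everything it spawns.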