San Jose, Calif.-- Why would a manufacturer of kitchen ovens choose a real-time operating system first deployed in the flight-navigation system of a nuclear bomber? It's all part of a drive toward network security in an increasingly connected world.
The demand for greater RTOS security was one theme that emerged at last week's Embedded Systems Conference here. LynuxWorks Inc. held an Embedded Technology Symposium that addressed that issue, and QNX Software Systems announced a secure memory- and CPU-partitioning capability for multicore systems. Many real-time operating systems currently employ partitioning technology that places different software components in protected address spaces, so that a bug or attack in one part of an application doesn't bring down the entire system.
Technologies developed for the military/aerospace world are marching into commercial applications, some say. Among them is multiple independent levels of security (MILS), which provides a "separation kernel architecture" with partitions that ensure data isolation, information flow control and damage limitation. Gurjot Singh, LynuxWorks' CEO, predicted that MILS will move beyond defense applications into such areas as industrial automation, medical devices, banking and automotive.
"All these areas will eventually adopt the MILS architecture and the components of the subsystems that are built into it," Singh said. "We see this over and over, where money spent on defense results in things that are very widely accepted in the commercial world." MILS, Singh said, will even come to mobile devices such as PDAs, whose vulnerability was illustrated in 2005, when someone hacked into Paris Hilton's cell phone address book.
"The need for partitioning is fairly well-established in a number of markets where you need guarantees for CPU time and memory," said Kerry Johnson, product manager at QNX. "However, those implementations were typically designed around single-processor environments." QNX is offering a new capability in which partitions can be mapped across multiple cores (see April 2, page 42).
"The industry is in the middle of a transformation from smart devices to smart connected devices," said Ilya Bukshteyn, director of Windows Embedded marketing at Microsoft Corp. "In this next phase, personalization, identification and security will become key."
Green Hills Software's Integrity RTOS has been using the separation kernel concept for 10 years, said Dan O'Dowd, Green Hills' CEO. He said that Integrity-178B was the first RTOS to undergo testing by the National Security Agency for the ISO/IEC Common Criteria Evaluation Assurance Level (EAL) 6, which requires validation by formal methods. First deployed on the B-1 bomber, Integrity is a MILS-based RTOS that's being used today in industrial, automotive and medical applications, O'Dowd said.
It's also being used by a manufacturer of kitchen ovens that can be turned on remotely over the Internet, a dangerous proposition if the wrong person hacks into such a system. Which brings up O'Dowd's argument--that "any connected device" has a need for a separation kernel architecture. "It's the right way to design software, and what people are now recognizing is that it's the only way, unless you have something very small and simple with no security requirement," he said.
Not so fast, others say. "There's no land rush that says the next set of designs won't happen without security," said Jim Ready, founder and CTO of MontaVista Software Inc. "It's still very, very early." He disclosed, however, that MontaVista, a provider of Linux operating systems, is developing a "security architecture" with several of its large customers.
Checking the connections
The LynuxWorks symposium made it clear that the company is looking beyond its traditional military/aerospace niche. "For mobile devices and for medical and financial applications, protection is essential," said Joe Wlad, LynuxWorks' director of product management. "Every time a system is connected, you're downloading mobile code. You don't know what it is. You're just acting on faith that it's not going to do something wrong."
Dan Mender, director of business development at Green Hills, noted that the problem gets worse with IPv6, the next generation of the Internet. That will potentially allow billions of Internet Protocol addresses for each person on earth, he said, creating a situation in which "every device on the planet has the right to send a message to every other device." Conventional data security and encryption schemes like Secure Sockets Layer and IPsec are insufficient, he said, because they only protect data that's in transit, not data at the "endpoints" of the communication.
LynuxWorks is developing a new RTOS for security-critical systems. Based on MILS, LynxSecure is designed from the ground up to conform to the highest possible assurance level, EAL 7, the company said. Along with a separation kernel, it includes a virtual-machine monitor that can run multiple operating systems. LynxSecure is expected to ship this fall.
John Rushby, program director at SRI International and a speaker at the LynuxWorks symposium, noted that while MILS dates back to 1981, it was "rediscovered" by the NSA around 2000. With MILS, he said, the only job that the kernel has is separation: The kernel creates partitions and installs tightly controlled connections between the partitions. A MILS system also identifies "system-level properties" that determine how components of the program interact, he said.
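To make the three MILS properties concrete (data isolation, information flow control, damage limitation) and Rushby's point that separation is the kernel's only job, here is a small policy model written for this article; it is not code from Integrity, LynxSecure or any other product. The partition names, the flow table and the region sizes are constructed for the example, and a real separation kernel enforces isolation with the MMU and the scheduler rather than with a copy routine; only the policy logic is modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NPART        4
#define REGION_BYTES 64

/* Constructed partitions for a connected appliance: crypto, network stack,
 * user interface and an audit log. */
typedef enum { P_CRYPTO = 0, P_NET = 1, P_UI = 2, P_AUDIT = 3 } part_id;

/* Data isolation: every partition owns exactly one fixed memory region. */
static uint8_t mem[NPART][REGION_BYTES];

/* Information flow policy (constructed): flow[src] has bit dst set when src
 * may send to dst. Everything not listed here is denied. Note the audit
 * partition can be written to but never sends anything out. */
static const uint8_t flow[NPART] = {
    [P_CRYPTO] = (1u << P_NET) | (1u << P_AUDIT),
    [P_NET]    = (1u << P_CRYPTO),
    [P_UI]     = (1u << P_CRYPTO) | (1u << P_AUDIT),
    [P_AUDIT]  = 0,
};

static int halted[NPART];

/* A partition may only write inside its own region; the bounds check is
 * written so that off + n cannot overflow. */
int sk_write(part_id p, size_t off, const void *src, size_t n) {
    if (p >= NPART || halted[p]) return -1;
    if (off > REGION_BYTES || n > REGION_BYTES - off) return -1;
    memcpy(&mem[p][off], src, n);
    return 0;
}

/* Cross-partition data moves only over a connection the policy installs. */
int sk_send(part_id src, part_id dst, size_t src_off, size_t dst_off, size_t n) {
    if (src >= NPART || dst >= NPART) return -1;
    if (halted[src] || halted[dst]) return -1;
    if (!(flow[src] & (1u << dst))) return -1;          /* no connection: denied */
    if (src_off > REGION_BYTES || n > REGION_BYTES - src_off) return -1;
    if (dst_off > REGION_BYTES || n > REGION_BYTES - dst_off) return -1;
    memcpy(&mem[dst][dst_off], &mem[src][src_off], n);
    return 0;
}

/* Damage limitation: a fault halts the faulting partition and nothing else. */
void sk_fault(part_id p) { if (p < NPART) halted[p] = 1; }
int  sk_is_halted(part_id p) { return p < NPART && halted[p]; }

int main(void) {
    const char cmd[] = "set 200C";   /* constructed: an oven command entered in the UI partition */
    sk_write(P_UI, 0, cmd, sizeof cmd);
    printf("UI -> CRYPTO: %s\n", sk_send(P_UI, P_CRYPTO, 0, 0, sizeof cmd) == 0 ? "allowed" : "denied");
    printf("NET -> UI:    %s\n", sk_send(P_NET, P_UI, 0, 0, sizeof cmd) == 0 ? "allowed" : "denied");
    sk_fault(P_NET);                 /* e.g. the network stack crashes or is compromised */
    printf("after NET fault, UI -> AUDIT: %s\n",
           sk_send(P_UI, P_AUDIT, 0, 0, sizeof cmd) == 0 ? "allowed" : "denied");
    return 0;
}
```

The point the model makes is the one O'Dowd and Rushby argue for: the kernel carries no application logic at all, so the whole security argument reduces to the flow table and the region bounds, which is what makes formal evaluation at high EAL levels tractable.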
But do commercial applications really need a full-blown MILS RTOS? Many providers who serve the commercial sectors would say no, and would dispute the need for formal certification, be it Common Criteria EAL levels or the DO-178B safety certification for avionics software.
The QNX Neutrino RTOS uses time and space partitioning but does not have formal certification, said Darrin Shewchuk, director of media and analyst relations at QNX. Moreover, he said, the "adaptive partitioning" scheme it uses is more flexible than a statically partitioned MILS approach. With adaptive partitioning, Neutrino can reallocate idle CPU time from partitions, thus making more efficient use of system resources.
"A hard, padded-cell approach to partitioning is heavy-handed at best," Shewchuk said. "It assumes you have a lot of resources available and can afford to have them underutilized for the sake of secure applications."
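The difference Shewchuk is describing is easiest to see in a scheduling simulation. The one below was written for this article and is not QNX's scheduler: it reduces a scheduling window to 100 ticks, gives each partition a fixed budget, and compares a static schedule (unused slices are lost) with an adaptive one that hands idle ticks round-robin to partitions that still have work. The budgets and demands are constructed; the guarantee check at the end is the property both approaches must preserve, namely that no partition ever receives less than its budget when it wants it.

```c
#include <stdio.h>

#define NPART  3
#define WINDOW 100   /* scheduling window, in ticks */

/* Constructed: CPU budget of each partition as a percentage of the window.
 * Budgets sum to 100, so the window is fully allocated. */
static const int budget[NPART] = { 50, 30, 20 };

typedef struct {
    int served[NPART];   /* ticks each partition actually ran */
    int idle;            /* ticks in which nothing ran */
} sched_result;

/* Static time partitioning: each partition owns exactly its slice of the
 * window and a slice its owner leaves unused is spent idle. */
sched_result schedule_static(const int demand[NPART]) {
    sched_result r = {{0}, 0};
    for (int i = 0; i < NPART; i++) {
        r.served[i] = demand[i] < budget[i] ? demand[i] : budget[i];
        r.idle += budget[i] - r.served[i];
    }
    return r;
}

/* Adaptive partitioning, simplified: every partition still gets its budget
 * first, then ticks left idle by one partition go round-robin to partitions
 * that still have work. A partition can exceed its budget only with ticks
 * nobody else wanted, so it cannot starve the others. */
sched_result schedule_adaptive(const int demand[NPART]) {
    sched_result r = schedule_static(demand);
    int progress = 1;
    while (r.idle > 0 && progress) {
        progress = 0;
        for (int i = 0; i < NPART && r.idle > 0; i++) {
            if (r.served[i] < demand[i]) {
                r.served[i]++;
                r.idle--;
                progress = 1;
            }
        }
    }
    return r;
}

/* The guarantee both schedulers must keep: served >= min(budget, demand). */
int guarantees_hold(const sched_result *r, const int demand[NPART]) {
    for (int i = 0; i < NPART; i++) {
        int lo = demand[i] < budget[i] ? demand[i] : budget[i];
        if (r->served[i] < lo) return 0;
    }
    return 1;
}

int main(void) {
    /* Partition 0 is a runaway (or compromised) task that wants the whole
     * CPU; partition 2 has nothing to do this window. */
    const int demand[NPART] = { 100, 30, 0 };
    sched_result s = schedule_static(demand);
    sched_result a = schedule_adaptive(demand);
    for (int i = 0; i < NPART; i++)
        printf("partition %d: budget %d  static %d  adaptive %d\n",
               i, budget[i], s.served[i], a.served[i]);
    printf("idle ticks: static %d  adaptive %d\n", s.idle, a.idle);
    printf("guarantees hold: static %d  adaptive %d\n",
           guarantees_hold(&s, demand), guarantees_hold(&a, demand));
    return 0;
}
```

With those inputs the static schedule leaves 20 of 100 ticks idle while the runaway partition is pinned at its 50; the adaptive schedule gives the runaway those 20 ticks and idles nothing, and the other partitions still get exactly what they asked for. Push every demand to 100 and the two schedules coincide, which is the security-relevant property: reclamation never comes at another partition's expense.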
Wind River Systems offers a version of its VxWorks RTOS that's compatible with the ARINC 653 standard for time and space partitioning, as well as DO-178B. CTO Tomas Evensen said it's used by a minority of customers in military/aerospace markets, and not by commercial applications. "People are going in that direction, but most applications don't need it yet," he said.
Security has its costs, Evensen noted. Independent partitions, he said, usually involve performance overhead and require additional memory, thus making the footprint larger. The plain-vanilla version of VxWorks has memory protection to ensure that applications and their threads can't overwrite memory management unit (MMU) tables, he said, adding that VxWorks also offers error detection and recovery.
View from Windows
Microsoft added new security features in its Windows CE 6.0 release, said senior technical product manager Mike Hall. "We changed the kernel architecture so there's a very clean division between kernel space and user space," he said. "Applications that run in the user space can't touch the kernel space." Hall said every process has a unique 2 Gbytes of address space, and a failed device driver will affect only the device driver manager.
Mentor Graphics Corp.'s Nucleus RTOS partitions each application with respect to MMU, and has a user mode and a protected supervisory mode, said Neil Henderson, general manager of Mentor's embedded-systems division. He said Mentor offers space partitioning, in which applications execute in certain areas of memory, but not time partitioning, in which the timing of processes is tightly controlled.
Henderson also noted that when security certification is required, the software application, not just the RTOS, needs to be certified. Mentor, however, plans to start providing the documentation "artifacts" that will ease RTOS certification. "In general, we leave certification up to the customer," Henderson said. "The charge for a certified kernel is considerably more."