DaveK’s Embedded Security Blog
The hackers have your PlayBook
Dave Kleidermacher
1/3/2012 5:55 PM EST
In my last blog, I wrote about the Duqu worm, as an example of how secure computing systems must be built from microkernels, not monolithic operating systems. One reader responded that secure systems depend on more than just the kernel, and must include middleware and applications. I answered in vehement agreement. The microkernel "attitude"--minimal implementation, componentization, least privilege, secure development process--needs to be applied holistically to the entire system.
To build on that theme, let's talk about the recent news of the RIM PlayBook being rooted. For those unfamiliar, the PlayBook tablet uses a microkernel-based operating system that has been touted as the heir apparent for all RIM devices. RIM has had a stellar reputation for providing secure smartphones for enterprises. The decision to switch from the original BlackBerry OS to this microkernel was certainly not a decision taken lightly.
So how does the new RIM microkernel fare in terms of security vulnerabilities? While numerous vulnerabilities in the RIM microkernel have been reported in the National Vulnerability Database, the hacker community has had little impetus to exploit them.
Until now: when RIM decided to incorporate the microkernel into the PlayBook and next generation smartphones, this let slip the dogs of war (or maybe just some kids having fun with their toys…).
In contrast to Android devices and iPhones that are rooted/jailbroken early and often, BlackBerry has had the mystique of being untouchable. The founder of BlackBerry news site N4BB.COM stated, "This [PlayBook] is the first time a BlackBerry product has ever been rooted." The first time a BlackBerry device has ever been rooted is the first time a BlackBerry device has used the new microkernel.
The root was caused by a flaw in the RIM OS, based on the new microkernel, which is now documented in the National Vulnerability Database as CVE-2011-0291, stating that the vulnerability "allows local users to gain privileges via a crafted configuration file in a backup archive." The database entry describes the impact as follows: "Provides administrator access, allows complete confidentiality, integrity, and availability violation; allows unauthorized disclosure of information; allows disruption of service." NIST has assigned the vulnerability a "HIGH" severity rating.
On December 6, RIM issued a security patch for this vulnerability. A few hours later, the same hacker demonstrated he could root the device using another vulnerability.
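The vulnerability class NIST describes above, restore logic that trusts a configuration file carried inside a user-supplied backup archive, is illustrated by the following added Python example. It is not RIM's code and does not reproduce the PlayBook's real format: the tar layout, the `settings.cfg` name and the key names are hypothetical. It shows the defensive shape: validate every archive member, allowlist the settings a restore may apply, and refuse the whole restore when a privilege-bearing key appears rather than applying part of it.

```python
import io
import posixpath
import tarfile

# Hypothetical settings: restore honours only cosmetic keys; keys that would change
# who the restored process runs as, or where files land, are refused outright.
ALLOWED_KEYS = {"wallpaper", "ringtone", "timezone", "locale"}
PRIVILEGED_KEYS = {"run_as", "uid", "gid", "capabilities", "install_path"}

def safe_member_path(name: str) -> bool:
    """Reject absolute paths and '..' traversal in archive member names."""
    norm = posixpath.normpath(name)
    return not name.startswith("/") and norm != ".." and not norm.startswith("../")

def parse_config(text: str) -> dict:
    """Parse key=value lines; keep allowlisted keys, refuse privileged ones."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: malformed entry")
        key = key.strip().lower()
        if key in PRIVILEGED_KEYS:
            raise PermissionError(f"line {lineno}: privileged key {key!r} in backup")
        if key in ALLOWED_KEYS:
            settings[key] = value.strip()
    return settings

def restore_config(archive_bytes: bytes) -> dict:
    """Validate every member first, then parse only the expected config file."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if not safe_member_path(m.name) or m.issym() or m.islnk():
                raise ValueError(f"unsafe archive member: {m.name}")
        cfg = next((m for m in tar.getmembers() if m.name == "settings.cfg" and m.isfile()), None)
        if cfg is None:
            raise ValueError("settings.cfg missing from backup")
        return parse_config(tar.extractfile(cfg).read().decode("utf-8"))

def make_archive(config_text: str, name: str = "settings.cfg") -> bytes:
    """Build a constructed in-memory backup archive so the checks can be exercised."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = config_text.encode("utf-8")
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```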
Lessons learned
- Not all microkernels are created equal: independent high assurance evaluation is necessary to establish meaningful security claims
- Microkernels (assuming they were developed for high assurance) are necessary but not sufficient for total system security; high assurance design must be applied to all critical aspects of the system. One example of doing it the right way can be found here (and based on a microkernel).
Dave Kleidermacher is CTO of Green Hills Software. He writes about security issues, sharing his insights on techniques to improve the security of software for highly critical embedded systems.
dvandit
1/5/2012 1:59 PM EST
The key thing here is that the hacker is also the user; the hacker is not some anonymous remote person that the user is unaware of. Thus the PlayBook is a safe computing platform (well, for now anyway).
davek_ghs
1/5/2012 2:21 PM EST
So a hacker finds a couple of gaping holes, and your reaction is to conclude that the system is safe? The absence of a published remote vector does not imply safety (e.g. nonexistence of an unpublished remote vector). Hopefully we can all agree that a platform should be assumed insecure until proven otherwise. It's not the justice system. In fact, this tendency to assume safety is precisely the problem with computing and security today. We assume, wrongly, that systems are secure just because a vendor releases them to the market and maybe claims they're secure. Why? We assumed that RSA was secure, Sony, etc. The best way for the user community to gain assurance in safety and security is through independent expert evaluation/certification/accreditation against a meaningful security standard.
cdhmanning
1/6/2012 4:43 PM EST
I know you get upset when I make comments on your postings, but here goes anyway...
Have a good read of http://en.wikipedia.org/wiki/Rooting_%28Android_OS%29
There are four rooting mechanisms described there, only one of which has anything to do with the OS, and it has since been fixed. That was the keyboard handler running as the root user, outside of the kernel, so it is not really an OS failure.
All the others are done by interfering with the bootloader or firmware upgrade process (by signing with a leaked key) which happens when the OS is not even running. From what I have read, the Playbook root is one of these, but I might be wrong there.
It would thus seem incorrect to suggest that none of these issues would happen on a microkernel device.
If I had a device running a microkernel (of your choosing) and upgraded it with firmware that had been rebuilt with root access, surely that would have just rooted the device? Can a microkernel prevent that? If so, how?
If you could point me at white papers to back up your claim I would be most interested.