News & Analysis

RTOSes step in to avert network vulnerability 'crisis'

Richard Goering

12/11/2006 9:00 AM EST

Santa Barbara, Calif. -- With network vulnerability looming as "the next great crisis our society is going to confront," in the words of security expert Aaron Turner, providers of real-time operating systems are boring in on solutions. Vendors at the Green Hills Technology Conference here last week described application- and data-isolation techniques, upgrades to higher Evaluation Assurance Levels (EALs) and protocols such as Secure Sockets Layer and Secure Shell as ways to halt security breaches.

"The adversary capability is growing tremendously vs. our security capability," said Turner, the cybersecurity strategist for national and homeland security at Idaho National Laboratory. While terrorists and unfriendly nations remain a threat, Turner said the fastest-growing type of cyberattack comes from criminals out for financial gain. He said the lab is investigating situations in which millions of dollars have been extorted from operators of supervisory-control and data-acquisition systems.

Turner started his talk by noting that there was much he could not say. "The list of vulnerabilities I can talk about is not very long, because there are no solutions today," he said.

"We can't live without our networks. That's our vulnerability," said Dan O'Dowd, CEO of Green Hills Software Inc., the conference sponsor.

Moreover, "there is no perfect security, only levels of assurance," said Rob Hoffman, vice president and general manager of aerospace and defense for embedded-software vendor Wind River. Specifically, he cited "life-critical and asset-critical environments such as the defense, transportation, banking and energy industries" as particularly at risk.

Green Hills used the two-day event to roll out its Platform for Secure Networking as well as Integrity 10, the latest release of its real-time operating system. Green Hills also said that its existing Integrity-178B, aimed at safety-critical applications such as avionics, was the first RTOS to undergo National Security Agency testing for an ISO/IEC 15408 Common Criteria Evaluation Assurance Level beyond EAL6, the penultimate level.

Green Hills is not the only supplier thinking along these lines. LynuxWorks Inc. last month announced LynxSecure, an operating system that offers a Multiple Independent Levels of Security (MILS) architecture. It will be certifiable to EAL7, the highest standardized assurance level, the company said. In announcing the product, Gurjot Singh, LynuxWorks' CEO, called security "the key to the future of the embedded space."

Microsoft Corp.'s Windows CE is built from the ground up to avoid security vulnerabilities typically found in embedded software, said Mike Hall, senior technical product manager for Microsoft Windows Embedded. "Security is always an important concern for any customer whose product touches a network," he said.

Presentations at the Green Hills conference showed why security is such a concern. O'Dowd noted that networks handle all business and financial transactions; hold personal data, including medical and financial records; run the entire transportation system; maintain the electric-power grid; and are responsible for much of the U.S. defense capability.

"If an adversary can disrupt our networks, our entire system falls apart, because we're so dependent on them," he said. Potential adversaries, O'Dowd said, are not so dependent on networks, and may thus gain an advantage in a conflict.

The next generation of the Internet will up the ante, said Christopher Harz, vice president of strategic planning at IPv6 Summit Inc. Internet Protocol version 6 will bring about an orders-of-magnitude increase in the number of Internet addresses available. As the number of nodes increases, he said, so do vulnerabilities. Because the United States is behind on IPv6, Harz said, there will be a "massive infusion" of foreign-built hardware and software. And because IPv6 is new, he said, it will require a new generation of firewalls.

Solutions for security
Many embedded-software applications support security protocols such as Secure Sockets Layer (SSL), Secure Shell (SSH), IP Security (IPsec) and Internet Key Exchange, among others. Some also support encryption algorithms such as AES or RSA. These are necessary but not sufficient, said Joe Fabbre, technical-solutions manager for Green Hills Software. While security protocols are relatively good at securing data as it travels across a network, Fabbre said, they don't protect the endpoints of the network, and that's critical too. Moreover, he said, security flaws have been found in protocols like SSL and SSH.

"The important part of building a secure network device is that the device itself must be secure," Fabbre said. "And you can only accomplish this by partitioning the application components, the device drivers and the stack."

That's the idea behind MILS, a "separation-kernel architecture" in which different software components reside in protected address spaces. MILS provides data isolation, information flow control and damage limitation, Fabbre said. "The only damage that can be done to anything is in a protected address space, and it's limited and it won't take down the whole system."

Green Hills' Integrity, for instance, promises a "brick wall separation" in which the TCP/IP stack, secure shell and system application run in their own protected address spaces. This allows for stack and application isolation, and containment of errors and attacks.

Integrity 10 claims several new security features. One is a "pure virtual" device driver model that moves device driver code outside the kernel. Mike Santos, director of engineering for Integrity, said this moves driver code to a protected address space, controls denial-of-service attacks and eases verification of kernel code.
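The "brick wall separation" and the out-of-kernel driver model described above can be made concrete with a small host-side illustration. This is an added example, not Green Hills' or any other vendor's code: a hypothetical device driver is run first in the same address space as a small application, then in its own partition. The partition is modelled with fork() and a pipe on a POSIX host, standing in for the MMU-enforced address spaces and the explicit inter-partition channels of a separation kernel; the application state, the fault modes and the report format are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* State owned by the "system application" partition (constructed example). */
typedef struct {
    int  packets_seen;
    char banner[32];
} app_state_t;

/* What the hypothetical driver is asked to do: behave, scribble on foreign
 * state, or crash. */
enum driver_fault { DRIVER_OK = 0, DRIVER_SCRIBBLE = 1, DRIVER_CRASH = 2 };

/* How the application saw the driver partition end. */
enum driver_outcome { DRV_CLEAN = 0, DRV_CRASHED = 1, DRV_REPORT_REJECTED = 2 };

/* The only thing the driver is supposed to hand to the application. */
typedef struct { int packets; } driver_report_t;

#define MAX_PACKETS_PER_REPORT 1000

/* A hypothetical device driver. Given a raw pointer into application state it
 * can do anything: the legitimate increment, a rogue write, or a crash. */
static void driver_service(app_state_t *app, enum driver_fault fault)
{
    app->packets_seen += 1;                      /* legitimate work */
    if (fault == DRIVER_SCRIBBLE) {
        app->packets_seen = -1;                  /* rogue write into foreign state */
        strcpy(app->banner, "corrupted");
    } else if (fault == DRIVER_CRASH) {
        raise(SIGSEGV);                          /* stands in for a wild memory access */
    }
}

static void app_init(app_state_t *app)
{
    memset(app, 0, sizeof *app);
    strcpy(app->banner, "ok");
}

/* Monolithic layout: driver and application share one address space, so the
 * driver's misbehaviour lands directly in the application's memory, and a
 * driver crash takes the whole image down with it. */
void run_monolithic(enum driver_fault fault, app_state_t *app)
{
    app_init(app);
    driver_service(app, fault);
}

/* Separated layout: the driver runs in its own address space (modelled with
 * fork(); a separation kernel enforces this with the MMU) and can reach the
 * application only through one narrow, validated channel (a pipe here).
 * Returns -1 on a setup error, otherwise 0 with *outcome describing the driver. */
int run_separated(enum driver_fault fault, app_state_t *app, enum driver_outcome *outcome)
{
    int chan[2];
    app_init(app);
    if (pipe(chan) < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Driver partition: works on its own private copy of the state. */
        driver_report_t rep;
        close(chan[0]);
        driver_service(app, fault);
        rep.packets = app->packets_seen;         /* what the driver claims it did */
        if (write(chan[1], &rep, sizeof rep) < 0) _exit(1);
        _exit(0);
    }

    /* Application partition: read the report (EOF if the driver died first). */
    close(chan[1]);
    driver_report_t rep;
    ssize_t n = read(chan[0], &rep, sizeof rep);
    close(chan[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;

    if (WIFSIGNALED(status) || n != (ssize_t)sizeof rep) {
        *outcome = DRV_CRASHED;                  /* fault stayed inside the driver partition */
    } else if (rep.packets < 0 || rep.packets > MAX_PACKETS_PER_REPORT) {
        *outcome = DRV_REPORT_REJECTED;          /* bad data is dropped at the boundary */
    } else {
        app->packets_seen += rep.packets;        /* only validated data crosses over */
        *outcome = DRV_CLEAN;
    }
    return 0;
}

int main(void)
{
    app_state_t app;
    enum driver_outcome out;
    const char *names[] = { "clean exit", "crashed (contained)", "report rejected" };

    run_monolithic(DRIVER_SCRIBBLE, &app);
    printf("monolithic, scribbling driver: packets=%d banner=%s\n", app.packets_seen, app.banner);

    for (int f = DRIVER_OK; f <= DRIVER_CRASH; f++) {
        if (run_separated((enum driver_fault)f, &app, &out) == 0)
            printf("separated, fault mode %d: packets=%d banner=%s driver=%s\n",
                   f, app.packets_seen, app.banner, names[out]);
    }
    return 0;
}
```

Build with any C99 compiler on Linux or another POSIX system (for example `cc -std=c99 demo.c`). In the monolithic run the scribbling driver leaves the application with a negative packet count and a corrupted banner; in the separated runs the application's state survives all three fault modes, the crashing driver is reported as contained rather than ending the program, and the bad report is rejected before it is applied. The monolithic crash mode is deliberately not run from main() because it would terminate the demo itself, which is exactly the failure the partitioned layout avoids. The validation step at the pipe boundary is the part that corresponds to the "information flow control" of a separation kernel: isolation alone stops rogue writes, but the channel between partitions still needs a checked interface.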

Integrity 10 also claims to bolster security through an enhanced partition scheduler and a new memory "lending" capability that can allow one process to lend memory to another. A process can be protected, Santos said, because it can repossess memory at any time. Green Hills' new Platform for Secure Networking includes the Integrity RTOS along with a GHNet dual-mode IPv4/IPv6 networking stack developed entirely by U.S. citizens, and extensive security protocol support that includes IPsec, SSL and SSH.

What O'Dowd seemed proudest of, however, was the continuing National Security Agency EAL6+ certification process for Integrity-178B, which the company hopes will be completed early next year. Several commercial operating systems have achieved EAL4, which calls for software to be "methodically designed, tested and reviewed." But that's not good enough, O'Dowd said, because it only resists inadvertent or casual attempts to breach system security. "A determined hacker can take control of an EAL4 system," he said.

EAL6 calls for software to be "semi-formally verified, designed and tested," while EAL7 demands formal verification, design and test. EAL6+, a hybrid between these two, is the level the NSA wants for military systems, O'Dowd said. An EAL6+ system, he maintained, cannot be hacked.

LynuxWorks' Singh said LynxSecure would be certified to EAL6+ based on its use of the separation-kernel protection profile (SKPP). Green Hills' Integrity uses SKPP as well.

"Having a separation kernel that has been designed and built from the ground up using formal methods rather than rearchitecting existing technology is, we believe, the only way to offer a solution that can be used in the highest-security applications," Singh said.

"No system can be hacker-proof," said Wind River's Hoffman. "EAL6+ is no different. The problem of network security is far from being solved."
