EE Times-Asia

RTOS girded up against cyberattacks

Posted: 16 Jan 2007

Keywords: RTOS, operating system, security, OS, Green Hills Software

With network vulnerability looming as "the next great crisis our society is going to confront," in the words of security expert Aaron Turner, providers of RTOS are boring in on solutions.

"We can't live without our networks. That's our vulnerability," said Dan O'Dowd, CEO of Green Hills Software Inc. "The biggest vulnerability is the security of the OS at the endpoints." Moreover, "there is no perfect security, only levels of assurance," said Rob Hoffman, VP and general manager of aerospace and defense for embedded-software vendor Wind River. Specifically, he cited "life- and asset-critical environments such as the defense, transportation, banking and energy industries" as particularly at risk.

Green Hills has rolled out its Platform for Secure Networking as well as Integrity 10, the latest release of its RTOS. The company said its existing Integrity-178B, aimed at safety-critical applications such as avionics, was the first RTOS to undergo U.S. National Security Agency (NSA) testing for an ISO/IEC 15408 Common Criteria evaluation assurance level beyond EAL6, the penultimate level.

Green Hills is not the only supplier thinking along these lines. LynuxWorks Inc. in November announced LynxSecure, an OS that offers a Multiple Independent Levels of Security (MILS) architecture. It will be certifiable to EAL7, the highest standardized assurance level, the company said. In announcing the product, Gurjot Singh, LynuxWorks' CEO, called security "the key to the future of the embedded space."

Microsoft Corp.'s Windows CE is built from the ground up to avoid security vulnerabilities typically found in embedded software, said Mike Hall, senior technical product manager for Microsoft Windows Embedded. "Security is always an important concern for any customer whose product touches a network," he said.

O'Dowd noted that networks handle all business and financial transactions; hold personal data, including medical and financial records; run the entire transportation system; maintain the electric-power grid; and are responsible for much of the U.S. defense capability.

"If an adversary can disrupt our networks, our entire system falls apart, because we're so dependent on them," he said. Potential adversaries, O'Dowd said, are not so dependent on networks and may thus gain an advantage in a conflict.

The next generation of the Internet will up the ante, said Christopher Harz, VP of strategic planning at IPv6 Summit Inc. IPv6 will bring about an orders-of-magnitude increase in the number of Internet addresses available. As the number of nodes increases, he said, so do vulnerabilities. And because IPv6 is new, Harz said, it will require a new generation of firewalls.

'Not sufficient'
Many embedded-software applications support security protocols such as Secure Sockets Layer (SSL), Secure Shell (SSH), IP Security (IPsec) and Internet Key Exchange, among others. Some also support encryption algorithms such as AES or RSA. These are necessary but not sufficient, said Joe Fabbre, technical-solutions manager for Green Hills Software. While security protocols are relatively good at securing data as it travels across a network, Fabbre said, they don't protect the endpoints of the network, and that's critical too. Moreover, he said, security flaws have been found in protocols like SSL and SSH.

Green Hills' Integrity OS uses protected partitions to help prevent errors and attacks.

"The important part of building a secure network device is that the device itself must be secure," Fabbre said. "And you can only accomplish this by partitioning the application components, the device drivers and the stack."

That's the idea behind MILS, a "separation-kernel architecture" in which different software components reside in protected address spaces. MILS provides data isolation, information flow control and damage limitation, Fabbre said. "The only damage that can be done to anything is in a protected address space, and it's limited and it won't take down the whole system."

Green Hills' Integrity, for instance, promises a "brick wall separation" in which the TCP/IP stack, secure shell and system application run in their own protected address spaces. This allows for stack and application isolation, and containment of errors and attacks.

Integrity 10 claims several new security features. One is a "pure virtual" device driver model that moves device driver code outside the kernel. Mike Santos, director of engineering for Integrity, said this moves driver code to a protected address space, controls denial-of-service attacks and eases verification of kernel code.

Integrity 10 also claims to bolster security through an enhanced partition scheduler and a new memory "lending" capability that allows one process to lend memory to another. The lending process remains protected, Santos said, because it can repossess the memory at any time. Green Hills' new Platform for Secure Networking includes the Integrity RTOS along with a GHNet dual-mode IPv4/IPv6 networking stack and extensive security protocol support that includes IPsec, SSL and SSH.
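The separation-kernel properties Fabbre describes (data isolation, information flow control, damage limitation) and the memory-lending mechanism Santos describes are easier to reason about as a small executable model. The following is an added example written for this page; it is not Green Hills, LynuxWorks or Wind River code and does not reflect how Integrity or LynxSecure implement these features internally. The partition names (stack, ssh, app) follow the article's description of Integrity's layout; the flow policy, the tasks and the data are all constructed for illustration.

```python
"""Toy model of a MILS-style separation kernel (added example, not vendor code).

Models four properties the article attributes to Integrity/MILS:
data isolation, static information flow control, damage limitation,
and memory lending that the owner can repossess at any time.
"""
from collections import deque


class FlowDenied(Exception):
    """A partition tried to send on a channel the static policy does not allow."""


class SeparationKernel:
    def __init__(self, partitions, allowed_flows):
        self.memory = {p: {} for p in partitions}      # private address space per partition
        self.queues = {p: deque() for p in partitions}  # inbound channel per partition
        self.allowed = frozenset(allowed_flows)         # explicit (src, dst) whitelist
        self.loans = {}                                 # (owner, key) -> borrower
        self.faulted = set()
        self.audit = []                                 # denied flows, for a health monitor

    def _check_access(self, partition, owner, key):
        # A partition may touch its own memory, or a region its owner is lending it right now.
        if partition != owner and self.loans.get((owner, key)) != partition:
            raise PermissionError(f"{partition} may not access {owner}:{key}")

    def write(self, partition, key, value, owner=None):
        owner = owner or partition
        self._check_access(partition, owner, key)
        self.memory[owner][key] = value

    def read(self, partition, key, owner=None):
        owner = owner or partition
        self._check_access(partition, owner, key)
        return self.memory[owner].get(key)

    def lend(self, owner, borrower, key):
        self.loans[(owner, key)] = borrower

    def repossess(self, owner, key):
        # The owner takes the region back; the borrower's next access fails.
        self.loans.pop((owner, key), None)

    def send(self, src, dst, payload):
        if (src, dst) not in self.allowed:
            self.audit.append((src, dst))   # record the attempt, then deny it
            raise FlowDenied(f"{src} -> {dst} is not an allowed flow")
        self.queues[dst].append((src, payload))

    def receive(self, partition):
        return self.queues[partition].popleft() if self.queues[partition] else None

    def run(self, partition, task):
        """Run one partition's task; any exception stays inside that partition."""
        if partition in self.faulted:
            return False
        try:
            task(self, partition)
            return True
        except Exception:
            self.faulted.add(partition)     # damage limited to the faulting partition
            return False


def build_demo_kernel():
    # The layout the article gives for Integrity: TCP/IP stack, secure shell, application.
    flows = [("stack", "ssh"), ("ssh", "stack"), ("ssh", "app"), ("app", "ssh")]
    return SeparationKernel(["stack", "ssh", "app"], flows)


def stack_task_faulty(k, me):
    raise RuntimeError("constructed fault inside the network stack")


def stack_task_bypass(k, me):
    k.send(me, "app", "unfiltered data")   # policy only allows stack -> ssh


def app_task(k, me):
    k.write(me, "state", "running")
    k.send(me, "ssh", "hello")


def demo():
    r = {}
    k = build_demo_kernel()
    r["stack_ok"] = k.run("stack", stack_task_faulty)   # False: fault contained
    r["app_ok"] = k.run("app", app_task)                # True: app unaffected
    r["ssh_inbox"] = k.receive("ssh")                   # ("app", "hello")
    k2 = build_demo_kernel()
    r["bypass_ok"] = k2.run("stack", stack_task_bypass) # False: flow denied and audited
    r["audit"] = list(k2.audit)                         # [("stack", "app")]
    r["app_inbox"] = k2.receive("app")                  # None: nothing leaked through
    k3 = build_demo_kernel()                            # memory lending, then repossession
    k3.lend("app", "ssh", "buf")
    k3.write("ssh", "buf", b"data", owner="app")
    r["lent_read"] = k3.read("app", "buf")              # b"data"
    k3.repossess("app", "buf")
    try:
        k3.read("ssh", "buf", owner="app")
        r["after_repossess"] = "allowed"
    except PermissionError:
        r["after_repossess"] = "denied"
    return r
```

The audit list is the detection hook: in a real separation kernel a denied flow is exactly the event a health monitor or partition supervisor should surface, since a component trying to talk outside its policy is either a bug or a compromised partition. The model deliberately has no way for one partition to reach another's memory except through an explicit loan that the owner controls, which is the property the "brick wall" separation described above is meant to guarantee.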

What O'Dowd seemed proudest of, however, was the continuing NSA EAL6+ certification process for Integrity-178B, which the company hopes will be completed early this year. Several commercial OSes have achieved EAL4, which calls for software to be "methodically designed, tested and reviewed." But that's not good enough, O'Dowd said, because it only resists inadvertent or casual attempts to breach system security. "A determined hacker can take control of an EAL4 system," he said.

Virtual device drivers add security. Integrity 10 separates driver, kernel code.

'Semi-formally verified'
EAL6 calls for software to be "semi-formally verified, designed and tested," while EAL7 demands formal verification, design and test. EAL6+, a hybrid between these two, is the level the NSA wants for military systems, O'Dowd said. An EAL6+ system, he maintained, cannot be hacked.

LynuxWorks' Singh said LynxSecure would be certified to EAL6+ based on its use of the separation-kernel protection profile (SKPP). Green Hills' Integrity uses SKPP as well.

"Having a separation kernel that has been designed and built from the ground up using formal methods rather than re-architecting existing technology is, we believe, the only way to offer a solution that can be used in the highest-security applications," Singh said.

"No system can be hacker-proof," said Wind River's Hoffman. "EAL6+ is no different. The problem of network security is far from being solved."

- Richard Goering
EE Times
