EE Times-India > Embedded
RTOS ready for cyber attacks

Posted: 16 Jan 2007

Keywords: RTOS, operating system, security, OS, Green Hills Software

With network vulnerability looming as "the next great crisis our society is going to confront," in the words of security expert Aaron Turner, RTOS providers are boring in on solutions.

"We can't live without our networks. That's our vulnerability," said Dan O'Dowd, CEO of Green Hills Software Inc. "The biggest vulnerability is the security of the OS at the end-points." Moreover, "there is no perfect security, only levels of assurance," said Rob Hoffman, VP and general manager of aerospace and defence for embedded-software vendor Wind River. Specifically, he cited "life- and asset-critical environments such as the defence, transportation, banking and energy industries" as particularly at risk.

Green Hills has rolled out its Platform for Secure Networking as well as Integrity 10, the latest release of its RTOS. The company said its existing Integrity-178B, aimed at safety-critical applications such as avionics, was the first RTOS to undergo U.S. National Security Agency (NSA) testing for an ISO/IEC 15408 Common Criteria EAL beyond the penultimate level, EAL6.

Green Hills is not the only supplier thinking along these lines. LynuxWorks Inc. in November announced LynxSecure, an OS that offers a Multiple Independent Levels of Security (MILS) architecture. It will be certifiable to EAL7, the highest standardised assurance level, the company said. In announcing the product, Gurjot Singh, LynuxWorks' CEO, called security "the key to the future of the embedded space."

Microsoft Corp.'s Windows CE is built from the ground up to avoid security vulnerabilities typically found in embedded software, said Mike Hall, senior technical product manager for Microsoft Windows Embedded. "Security is always an important concern for any customer whose product touches a network," he said.

O'Dowd noted that networks handle all business and financial transactions; hold personal data, including medical and financial records; run the entire transportation system; maintain the electric-power grid; and are responsible for much of the U.S. defence capability.

"If an adversary can disrupt our networks, our entire system falls apart, because we're so dependent on them," he said. Potential adversaries, O'Dowd said, are not so dependent on networks—and may thus gain an advantage in a conflict.

The next generation of the Internet will up the ante, said Christopher Harz, VP of strategic planning at IPv6 Summit Inc. IPv6 will bring about an orders-of-magnitude increase in the number of Internet addresses available. As the number of nodes increases, he said, so do vulnerabilities. And because IPv6 is new, Harz said, it will require a new generation of firewalls.

'Not sufficient'
Many embedded-software applications support security protocols such as Secure Sockets Layer (SSL), Secure Shell (SSH), IP Security (IPsec) and Internet Key Exchange, among others. Some also support encryption algorithms such as AES or RSA. These are necessary but not sufficient, said Joe Fabbre, technical-solutions manager for Green Hills Software. While security protocols are relatively good at securing data as it travels across a network, Fabbre said, they don't protect the end-points of the network, and that's critical too. Moreover, he said, security flaws have been found in protocols like SSL and SSH.

"The important part of building a secure network device is that the device itself must be secure," Fabbre said. "And you can only accomplish this by partitioning the application components, the device drivers and the stack."

That's the idea behind MILS, a "separation-kernel architecture" in which different software components reside in protected address spaces. MILS provides data isolation, information flow control and damage limitation, Fabbre said. "The only damage that can be done to anything is in a protected address space, and it's limited and it won't take down the whole system."

Green Hills' Integrity, for instance, promises a "brick wall separation" in which the TCP/IP stack, secure shell and system application run in their own protected address spaces. This allows for stack and application isolation, and containment of errors and attacks.
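The separation-kernel properties described above (data isolation, policy-controlled information flow and damage limitation) can be illustrated with a small model. The following is an added example written for this article, not code from Green Hills, LynuxWorks or any MILS product: partition names, the flow policy and the "packet" format are constructed for the illustration. Each partition keeps private state, every message passes through the kernel, the kernel forwards only flows its static policy permits, and an exception raised inside one partition is caught at that partition's boundary so the other partitions keep running until the faulted one is restarted.

```python
"""Toy model of a MILS-style separation kernel (illustration only, not a real RTOS)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# A partition handler receives its own partition, the kernel (its only way to talk
# to other partitions) and an immutable payload.
Handler = Callable[["Partition", "SeparationKernel", str], None]


@dataclass
class Partition:
    name: str
    handler: Handler
    state: Dict[str, int] = field(default_factory=dict)  # private to this partition
    faulted: bool = False


class SeparationKernel:
    def __init__(self, policy: Set[Tuple[str, str]]):
        self.policy = set(policy)              # allowed (source, destination) flows
        self.partitions: Dict[str, Partition] = {}
        self.audit: List[str] = []             # what the kernel allowed, denied or contained

    def register(self, partition: Partition) -> None:
        self.partitions[partition.name] = partition

    def restart(self, name: str) -> None:
        """Damage limitation: reinitialise only the faulted partition."""
        p = self.partitions[name]
        p.state = {}
        p.faulted = False
        self.audit.append(f"RESTART {name}")

    def send(self, src: str, dst: str, payload: str) -> bool:
        """Mediate one message; return True only if it was delivered and handled."""
        if (src, dst) not in self.policy:      # information flow control
            self.audit.append(f"DENY {src}->{dst}")
            return False
        target = self.partitions[dst]
        if target.faulted:
            self.audit.append(f"DROP {src}->{dst} (partition faulted)")
            return False
        self.audit.append(f"ALLOW {src}->{dst}")
        try:
            target.handler(target, self, payload)   # str payload: no shared references
        except Exception as exc:               # fault stays inside the target partition
            target.faulted = True
            self.audit.append(f"FAULT {dst}: {type(exc).__name__}")
            return False
        return True


# Constructed partitions: a network stack, an application and a logger.
def netstack_handler(p: Partition, k: SeparationKernel, payload: str) -> None:
    length, body = payload.split(":", 1)       # constructed "<len>:<body>" packet format
    if len(body) != int(length):
        raise ValueError("length mismatch")
    p.state["packets"] = p.state.get("packets", 0) + 1
    k.send(p.name, "app", body)


def app_handler(p: Partition, k: SeparationKernel, payload: str) -> None:
    p.state["requests"] = p.state.get("requests", 0) + 1
    k.send(p.name, "logger", f"handled {payload}")


def logger_handler(p: Partition, k: SeparationKernel, payload: str) -> None:
    p.state["lines"] = p.state.get("lines", 0) + 1


def demo() -> dict:
    """Run a constructed scenario and return the observable results."""
    kernel = SeparationKernel({("nic", "netstack"), ("netstack", "app"), ("app", "logger")})
    for name, handler in [("netstack", netstack_handler), ("app", app_handler),
                          ("logger", logger_handler)]:
        kernel.register(Partition(name, handler))

    kernel.send("nic", "netstack", "5:hello")      # well-formed packet flows nic->netstack->app->logger
    kernel.send("netstack", "logger", "tamper")    # not in the policy: denied
    kernel.send("nic", "netstack", "bad")          # malformed packet faults only the netstack partition
    kernel.send("nic", "netstack", "4:ping")       # dropped while netstack is faulted
    kernel.restart("netstack")                     # recover the one damaged partition
    kernel.send("nic", "netstack", "4:ping")       # service resumes; app and logger state were untouched

    return {
        "audit": list(kernel.audit),
        "netstack": dict(kernel.partitions["netstack"].state),
        "app": dict(kernel.partitions["app"].state),
        "logger": dict(kernel.partitions["logger"].state),
        "faulted": {n: p.faulted for n, p in kernel.partitions.items()},
    }


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The point the model makes is the one Fabbre states: the malformed packet takes down only the network-stack partition, the application and logger partitions keep their state and continue serving once the stack is restarted, and the attempted netstack-to-logger flow that the policy does not list never reaches the logger. In a real separation kernel the boundary is a hardware-enforced address space and the policy is fixed at configuration time; here both are simulated in one Python process.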

Integrity 10 claims several new security features. One is a "pure virtual" device driver model that moves device driver code outside the kernel. Mike Santos, director of engineering for Integrity, said this moves driver code to a protected address space, controls denial-of-service attacks and eases verification of kernel code.

Integrity 10 also claims to bolster security through an enhanced partition scheduler and a new memory "lending" capability that allows one process to lend memory to another. The lending process stays protected, Santos said, because it can repossess the memory at any time. Green Hills' new Platform for Secure Networking includes the Integrity RTOS along with a GHNet dual-mode IPv4/IPv6 networking stack and extensive security protocol support, including IPsec, SSL and SSH.

What O'Dowd seemed proudest of, however, was the continuing NSA EAL6+ certification process for Integrity-178B, which the company hopes will be completed early this year. Several commercial OSes have achieved EAL4, which calls for software to be "methodically designed, tested and reviewed." But that's not good enough, O'Dowd said, because EAL4 only resists inadvertent or casual attempts to breach system security. "A determined hacker can take control of an EAL4 system," he said.

'Semi-formally verified'
EAL6 calls for software to be "semi-formally verified, designed and tested," while EAL7 demands formal verification, design and test. EAL6+, a hybrid between these two, is the level the NSA wants for military systems, O'Dowd said. An EAL6+ system, he maintained, cannot be hacked.

LynuxWorks' Singh said LynxSecure would be certified to EAL6+ based on its use of the Separation Kernel Protection Profile (SKPP). Green Hills' Integrity uses the SKPP as well.

"Having a separation kernel that has been designed and built from the ground up using formal methods rather than re-architecting existing technology is, we believe, the only way to offer a solution that can be used in the highest-security applications," Singh said.

"No system can be hacker-proof," said Wind River's Hoffman. "EAL6+ is no different. The problem of network security is far from being solved."

- Richard Goering
EE Times