With homeland security a national priority in post-9/11 America, the growing use of embedded devices in sensitive systems represents a major area of vulnerability. The proliferation of Internet-connected embedded devices has created opportunities for malicious users to exploit security weaknesses in embedded software to gain access to sensitive systems. For example, intruders can access classified information, bring down a critical system, or gain control of it and modify its behavior in dangerous ways. Even embedded devices not directly on the Internet can be reachable through dial-up ports or local private networks, which in turn may be reachable from PCs on networks connected to the Internet. As a result, developing highly secure embedded systems is imperative to ensure the safety of our country’s critical infrastructures.
Many embedded devices are located in areas critical for homeland security, from the power grid and the communications infrastructure to power utilities, railroads, and chemical and nuclear plants. These embedded devices include Supervisory Control and Data Acquisition Systems (SCADA), Programmable Logic Controllers (PLCs), digital controllers, communications switches, and intelligent devices of many kinds.
Bullet-proof OS
Clearly, there is an urgent need to ensure that the embedded software in such devices is highly secure. For this, it is essential that the embedded operating system (OS), which provides the foundation for all embedded application software, be bulletproof. Otherwise, any added security mechanisms implemented in the embedded software, such as encryption or biometric authentication, could be bypassed or compromised.
The traditional approach to commercial operating system security has been “Penetrate and Patch.” Hackers discover OS vulnerabilities and exploit them with attacks such as viruses, worms, and Trojan horses. OS vendors then scramble to develop and release patches to fix the vulnerabilities, which must then be applied expeditiously to all deployed systems. “Penetrate and Patch” is even more challenging for embedded devices, many of which have their software embedded in Read-Only Memory (ROM) and are intended to be treated by users as dumb boxes rather than intelligent computers. A solution is to provide “Protection in Depth,” where systems are designed from the outset to be highly secure and a methodology is in place for providing measurable assurance against vulnerabilities.
An internationally accepted standard approach to specifying and evaluating security assurance is provided by Common Criteria (see www.commoncriteriaportal.org). The evaluation of security software through the Common Criteria standard defines Evaluation Assurance Levels (EAL 1-7) that indicate the process rigor associated with the development of an information technology product, as shown below:
- EAL-1: Functionally tested
- EAL-2: Structurally tested
- EAL-3: Methodically tested and checked
- EAL-4: Methodically designed, tested, and reviewed
- EAL-5: Semi-formally designed and tested
- EAL-6: Semi-formally verified, designed, and tested
- EAL-7: Formally verified, designed, and tested
The level of assurance rigor increases from EAL-1 (lowest) to EAL-7 (highest). Assurance to EAL-7 involves formal verification of the software product using mathematical models and theorem proving.
Operating systems have been getting progressively larger and security related mechanisms are intermixed with many other kinds of functionality, all of which run in privileged mode and, if flawed, can be a cause of serious vulnerabilities. The higher levels of assurance (EAL-5 through EAL-7) require mathematical or formal/semi-formal verification. This is not possible with today’s formal methods technology, especially for large systems that can consist of millions of lines of source code. To formally verify such a system, it would take millions of man-hours and an enormous budget. As a result, there is no operating system today that has been certified to EAL-7, which is needed for critical systems.
Brick-wall partitioning
A way around this dilemma is provided by the Multiple Independent Levels of Security/Safety (MILS) architecture (see Figure 1). The MILS architecture is based on the concept of a small Partitioning Kernel, sometimes referred to as a separation kernel, which is the only software that runs in supervisor mode and which provides brick-wall partitioning of memory, time, and I/O resources. The partitioning kernel provides only the basic functionality needed to support the underlying hardware and provides the partitions, which essentially implement isolated virtual machines. Each partition is guaranteed a fixed share of required resources, including memory, CPU time, and internal kernel buffers, eliminating denial-of-service vulnerabilities between partitions. Within each partition, the traditional OS functionality is implemented in user mode, completely isolated from other partitions. The middleware and applications make up the rest of the components that may execute in a single partition.
The partitioning kernel in the MILS architecture is the policy enforcing entity that has foundational security functions that are non-bypassable, always invoked, evaluatable (through mathematical verification), and tamper-proof. The partitioning kernel itself must be small enough to be certifiable to EAL-7. The separation provided by the partitioning kernel enables any additional security functions to be implemented in one or more dedicated partitions and to be certifiable to EAL-7 as well. At the same time, user mode versions of Linux or current POSIX-compliant RTOSs, such as LynxOS from LynuxWorks, can run in other partitions to support the rest of the embedded applications software. This approach enables reuse of existing software and reduces the time and cost it would take to provide the highest levels of security assurance.
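As an added illustration (not code from the article, from LynxOS, or from any real separation kernel), the following constructed C model shows the two quota rules described above: each partition's memory share is checked only against its own static quota, and CPU time is handed out on a fixed cyclic schedule, so one partition exhausting its resources cannot starve another. Partition ids, quota values and function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model (not LynxOS or any real kernel) of the fixed quotas a
 * MILS partitioning kernel enforces per partition: memory and CPU ticks. */
#define NPART 3
typedef struct {
    size_t   mem_quota, mem_used;   /* bytes of partition memory */
    unsigned slice_ticks;           /* CPU ticks owned per major frame */
} partition_t;
static partition_t parts[NPART];

/* Static configuration table (assumed values): never renegotiated at run time. */
void kernel_init(void) {
    parts[0] = (partition_t){ .mem_quota = 4096, .slice_ticks = 20 };
    parts[1] = (partition_t){ .mem_quota = 8192, .slice_ticks = 30 };
    parts[2] = (partition_t){ .mem_quota = 2048, .slice_ticks = 10 };
}

/* A request is checked only against the caller's own quota, never against
 * what other partitions have used, so exhaustion stays local to the caller. */
bool kernel_alloc(int pid, size_t bytes) {
    if (pid < 0 || pid >= NPART) return false;
    if (bytes > parts[pid].mem_quota - parts[pid].mem_used) return false;
    parts[pid].mem_used += bytes;
    return true;
}

/* Fixed cyclic schedule: tick t of every major frame belongs to the same
 * partition regardless of load, so CPU time cannot be stolen either. */
int kernel_owner_of_tick(unsigned tick) {
    unsigned frame = 0;
    for (int p = 0; p < NPART; p++) frame += parts[p].slice_ticks;
    tick %= frame;
    for (int p = 0; p < NPART; p++) {
        if (tick < parts[p].slice_ticks) return p;
        tick -= parts[p].slice_ticks;
    }
    return -1; /* not reached: tick < frame after the modulo */
}

/* Partition 2 tries to hog memory; partition 0 still gets its full quota.
 * Returns the number of denied requests (8 of 10) once that is confirmed. */
int demo_isolation(void) {
    kernel_init();
    int denied = 0;
    for (int i = 0; i < 10; i++)
        if (!kernel_alloc(2, 1024)) denied++;
    return kernel_alloc(0, 4096) ? denied : -1;
}
```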
Dr. Inder M. Singh is the CEO and Chairman of LynuxWorks. In 1982 he founded Excelan, an early leader in local area networks, and served as its Chairman, CEO, and President until 1985. Excelan later merged with Novell. Dr. Singh was a co-founder of Kalpana, which pioneered Ethernet switching technology and was one of Cisco's early acquisitions. Dr. Singh is Board Chairman and ELC President of the Embedded Linux Consortium. He holds Ph.D. and M.Phil. degrees in Computer Science from Yale University and an MSEE from Polytechnic Institute of New York.
LynuxWorks, Inc. is a pioneer and a proven leader in the embedded systems industry with more than 15 years of experience. LynuxWorks’ embedded operating systems are based on open standards and are used in products made for markets such as communications, aerospace and defense, medical, and automotive. For more information, visit www.lynuxworks.com.
For further information, contact Dr. Singh at:
LynuxWorks, Inc.
855 Embedded Way
San Jose, CA 95138-1018
Tel: 408-979-3900
Fax: 408-979-3920
E-mail: inside@lnxw.com
Website: www.lynuxworks.com
Copyright © 2004 Embedded Computing Design. All rights reserved. Reproduction in whole or part is prohibited. An OpenSystems Publication.