By Richard Goering
SANTA BARBARA, Calif. -- The computer networks that control business
transactions, transportation, electric power, defense, and confidential
personal data are increasingly vulnerable to attack, according to
speakers at the Green Hills Software Inc. Technology Conference here
Dec. 4 and 5. Networks can only be secure, company representatives said,
when the devices at the "endpoints" use secure operating systems.
Green Hills used the event to roll out its new Platform for Secure
Networking, as well as Integrity 10, the next release of its Integrity
real-time operating system (RTOS). Green Hills also claimed that its
existing Integrity-178B, aimed at safety-critical applications such as
avionics, is the first RTOS to undergo National Security Agency (NSA)
testing for an ISO/IEC 15408 Common Criteria Evaluation Assurance Level
(EAL) beyond EAL6.
"We can't live without our networks. That's our vulnerability," said Dan
O'Dowd, Green Hills CEO. "The biggest vulnerability is the security of
the operating systems at the endpoints."
O'Dowd noted that networks handle all business and financial
transactions, hold personal data including medical and financial
records, run the entire transportation system, maintain the electric
power grid, and are responsible for much of the U.S. defense capability.
"If an adversary can disrupt our networks, our entire system falls
apart, we're so dependent on them," he said.
Potential adversaries, O'Dowd said, are not so dependent on networks.
They use cash for business transactions, typically live in countries
without reliable power or transportation, and their militaries use more
primitive electronics. And this may give them an advantage. "In combat,
a blind man will turn out the lights," O'Dowd noted.
O'Dowd presented various disaster scenarios, such as terrorists
programming large numbers of traffic lights to turn green at the same
time during rush hour, or hackers inserting viruses into automotive
control systems through Bluetooth infotainment systems. He cited an
incident in which a call center worker in India sold bank account
details for 1,000 U.K. customers. He also pointed to a long list of
Cisco vulnerabilities available online.
Things aren't getting any safer. Christopher Harz, vice president of
strategic planning at IPv6 Summit Inc., noted that IPv6 will bring about
an orders-of-magnitude increase in the number of Internet addresses
available. "Right now, there are a maximum of a couple of billion nodes
in the world," he said. With IPv6, Harz said, "there may be a couple of
billion nodes in your neighborhood."
As the number of nodes increases, he said, so do vulnerabilities. There
will be many more network-centric operations, he said, and a much
greater emphasis on mobile, wireless communications. Because the U.S. is
behind on IPv6, Harz said, there will be a "massive infusion" of
foreign-built hardware and software. And because IPv6 is new, he said,
it will require a new generation of firewalls.
Aaron Turner, cyber security strategist for national and homeland
security at Idaho National Laboratory (INL), started his talk by noting
that there's much he can't say. "The list of vulnerabilities I can talk
about is not very long, because there are no solutions today," he said.
While terrorists and unfriendly nations remain a threat, Turner said
that the fastest-growing type of cyber-attack today comes from criminals
out for financial gain. He said INL is investigating situations in which
millions of dollars have been extorted from operators of SCADA
(supervisory control and data acquisition) systems. "The adversary
capability is growing tremendously versus our security capability," he
The INL, said Turner, has developed a very sophisticated simulation
capability to predict the impact of possible cyber-attacks. But the
economic impact of these attacks is very real, he said. Network
vulnerability, Turner said, "is the next great crisis our society is
going to confront."
Digital, personal authentication is one solution to the network security
problem, said Gregory Youngblood, director of marketing for the security
line of business at Broadcom Inc. He described the Broadcom Integrity
Platform, based on Broadcom's BCM5890 "secure processor," as a system
that can provide hardware security for any type of authentication
system. The first application is a personal biometric device from
But the main focus at the Green Hills Technology Conference was
software, and Green Hills had two new offerings to talk about. The
company's Platform for Secure Networking includes the Integrity RTOS,
which features a separation kernel architecture for fault isolation and
containment, and claims to support requirements and policies of Multiple
Independent Levels of Security (MILS).
Aside from the Integrity separation kernel, the platform includes an
advanced file system, a GHNet dual mode IPv4/IPv6 networking stack,
IPSec, secure web server including SSL/TLS client and server, and secure
shell client and server (SSH). While it's largely a packaging of
existing Green Hills technology, David Kleidermacher, Green Hills CTO,
said that new technology includes the IPv6 support, new encryption
algorithms, and SSL/TLS.
Green Hills' Integrity 10 release claims several new security features.
One is a "pure virtual" device driver model that moves device driver
code outside the kernel, easing certification costs. Another is an
enhanced partition scheduler for defining execution windows for each
partition. A third feature is a new memory "lending" capability that can
recover resources and revoke access to resources from other processes.
The new release also steps up support for multicore debugging. It
supports symmetric multiprocessing (SMP), in which the operating system
will automatically load-balance applications across multiple cores on
SMP-capable microprocessors. Integrity 10 also supports non-uniform
memory architecture (NUMA) systems in which applications are allocated
across multiple cores.
What O'Dowd seemed proudest of, however, is the pending EAL6+
certification for Integrity-178B. Several commercial operating systems
have achieved EAL4, which calls for software to be "methodically
designed, tested and reviewed." But that's not good enough, O'Dowd said,
because it only resists inadvertent or casual attempts to breach system
security. "A determined hacker can take control of an EAL4 system," he
EAL6 calls for software to be "semi-formally verified, designed and
tested," while EAL7 ups the ante for formal verification, design and
test. EAL6+, a hybrid between these two, is the level the NSA wants for
military systems, O'Dowd said. An EAL6+ system, he maintained, cannot be
hacked by anyone.
Integrity-178B is the only RTOS actively undergoing evaluation above
EAL4, O'Dowd claimed. He pointed to a National Information Assurance
Partnership (NIAP) web site listing software products currently under
evaluation, including Integrity-178B.
O'Dowd agreed with one conference participant who noted that devices at
both ends of a network have to be secure. But you can't get total
security, he noted, unless the entire system is "EAL10," which means
that you never turn it on in the first place.