By Richard Goering
San Jose, Calif.-- Why would a manufacturer of kitchen ovens choose a
real-time operating system first deployed in the flight-navigation
system of a nuclear bomber? It's all part of a drive toward network
security in an increasingly connected world.
The demand for greater RTOS security was one theme that emerged at last
week's Embedded Systems Conference here. LynuxWorks Inc. held an
Embedded Technology Symposium that addressed that issue, and QNX
Software Systems announced a secure memory- and CPU-partitioning
capability for multicore systems. Many real-time operating systems
currently employ partitioning technology that places different
software components in protected address spaces, so that a bug or attack
in one part of an application doesn't bring down the entire system.
Technologies developed for the military/aerospace world are marching
into commercial applications, some say. Among them is multiple
independent levels of security (MILS), which provides a "separation
kernel architecture" with partitions that ensure data isolation,
information flow control and damage limitation. Gurjot Singh,
LynuxWorks' CEO, predicted that MILS will move beyond defense
applications into such areas as industrial automation, medical devices,
banking and automotive.
"All these areas will eventually adopt the MILS architecture and the
components of the subsystems that are built into it," Singh said. "We
see this over and over, where money spent on defense results in things
that are very widely accepted in the commercial world." MILS, Singh
said, will even come to mobile devices such as PDAs, whose vulnerability
was illustrated in 2005, when someone hacked into Paris Hilton's cell
phone address book.
"The need for partitioning is fairly well-established in a number of
markets where you need guarantees for CPU time and memory," said Kerry
Johnson, product manager at QNX. "However, those implementations were
typically designed around single-processor environments." QNX is
offering a new capability in which partitions can be mapped across
multiple cores (see April 2, page 42).
"The industry is in the middle of a transformation from smart devices to
smart connected devices," said Ilya Bukshteyn, director of Windows
Embedded marketing at Microsoft Corp. "In this next phase,
personalization, identification and security will become key."
Green Hills Software's Integrity RTOS has been using the separation
kernel concept for 10 years, said Dan O'Dowd, Green Hills' CEO. He said
that Integrity-178B was the first RTOS to undergo testing by the
National Security Agency for the ISO/IEC Common Criteria Evaluation
Assurance Level (EAL) 6, which requires validation by formal methods.
First deployed on the B-1 bomber, Integrity is a MILS-based RTOS that's
being used today in industrial, automotive and medical applications.
It's also being used by a manufacturer of kitchen ovens that can be
turned on remotely over the Internet, a dangerous proposition if the
wrong person hacks into such a system. Which brings up O'Dowd's
argument--that "any connected device" has a need for a separation kernel
architecture. "It's the right way to design software, and what people
are now recognizing is that it's the only way, unless you have something
very small and simple with no security requirement," he said.
Not so fast, others say. "There's no land rush that says the next set of
designs won't happen without security," said Jim Ready, founder and CTO
of MontaVista Software Inc. "It's still very, very early." He disclosed,
however, that MontaVista, a provider of Linux operating systems, is
developing a "security architecture" with several of its large
Checking the connections
The LynuxWorks symposium made it clear that the company is looking
beyond its traditional military/aerospace niche. "For mobile devices and
for medical and financial applications, protection is essential," said
Joe Wlad, LynuxWorks' director of product management. "Every time a
system is connected, you're downloading mobile code. You don't know what
it is. You're just acting on faith that it's not going to do something
Dan Mender, director of business development at Green Hills, noted that
the problem gets worse with IPv6, the next generation of the Internet.
That will potentially allow billions of Internet Protocol addresses for
each person on earth, he said, creating a situation in which "every
device on the planet has the right to send a message to every other
device." Conventional data security and encryption schemes like Secure
Sockets Layer and IPsec are insufficient, he said, because they only
protect data that's in transit, not data at the "endpoints" of the
LynuxWorks is developing a new RTOS for security-critical systems. Based
on MILS, LynxSecure is designed from the ground up to conform to the
highest possible assurance level, EAL 7, the company said. Along with a
separation kernel, it includes a virtual-machine monitor that can run
multiple operating systems. LynxSecure is expected to ship this fall.
John Rushby, program director at SRI International and a speaker at the
LynuxWorks symposium, noted that while MILS dates back to 1981, it was
"rediscovered" by the NSA around 2000. With MILS, he said, the only job
that the kernel has is separation: The kernel creates partitions and
installs tightly controlled connections between the partitions. A MILS
system also identifies "system-level properties" that determine how
components of the program interact, he said.
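A toy model of the separation kernel Rushby describes, added here as an illustration and not the code of LynuxWorks, Green Hills or SRI: the kernel creates partitions, delivers messages only over the one-way channels it was configured with, binds the sender's identity itself, and confines a crash to the partition that caused it. The partition names, the sensor/logger/net scenario and the channel set are constructed.

```python
class SeparationKernel:
    """Toy MILS separation kernel (constructed example, not vendor code)."""
    def __init__(self, partitions, channels):
        self._mailboxes = {p: [] for p in partitions}   # data isolation: one box each
        self._channels = frozenset(channels)            # flow policy fixed at configuration
        self._faulted = set()                           # partitions halted after a crash
        self.audit = []                                 # denied flows, for the operator

    def _send(self, src, dst, msg):
        """Information-flow control: only explicitly configured flows are delivered."""
        if (src, dst) not in self._channels:
            self.audit.append((src, dst))
            return False
        self._mailboxes[dst].append((src, msg))
        return True

    def run_step(self, name, body):
        """Run one partition's code; damage limitation keeps its failures local."""
        if name in self._faulted:
            return False
        try:
            body(_Handle(self, name))
            return True
        except Exception:                               # crash stays inside this partition
            self._faulted.add(name)
            return False

class _Handle:
    """What a partition sees: the kernel binds the sender name, so it cannot be spoofed."""
    def __init__(self, kernel, name):
        self._k, self._name = kernel, name

    def send(self, dst, msg):
        return self._k._send(self._name, dst, msg)

    def receive(self):
        items, self._k._mailboxes[self._name] = self._k._mailboxes[self._name], []
        return items

def demo():
    """Constructed scenario: sensor -> logger is the only permitted flow."""
    k = SeparationKernel(["sensor", "logger", "net"], [("sensor", "logger")])
    k.run_step("sensor", lambda h: h.send("logger", "temp=21"))
    k.run_step("net", lambda h: h.send("logger", "bogus"))     # denied and audited
    net_alive = k.run_step("net", lambda h: 1 / 0)              # crash confined to net
    got = {}
    logger_alive = k.run_step("logger", lambda h: got.update(h.receive()))
    return got, k.audit, net_alive, logger_alive
```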
But do commercial applications really need a full-blown MILS RTOS? Many
providers who serve the commercial sectors would say no, and would
dispute the need for formal certification, be it Common Criteria EAL
levels or the DO-178B security certification for avionics systems.
The QNX Neutrino RTOS uses time and space partitioning but does not have
formal certification, said Darrin Shewchuk, director of media and
analyst relations at QNX. Moreover, he said, the "adaptive partitioning"
scheme it uses is more flexible than a statically partitioned MILS
approach. With adaptive partitioning, Neutrino can reallocate idle CPU
time from partitions, thus making more efficient use of system
"A hard, padded-cell approach to partitioning is heavy-handed at best,"
Shewchuk said. "It assumes you have a lot of resources available and can
afford to have them underutilized for the sake of secure applications."
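A constructed simulation of the trade-off Shewchuk describes, added here as an illustration rather than QNX's scheduler: a static partitioner leaves unused budget idle, while an adaptive one lends out only the idle part, so each partition's guarantee still holds when every partition is busy. The budget and demand figures are made up.

```python
def schedule_window(guarantee, demand, adaptive):
    """Grant CPU ticks for one window of sum(guarantee) ticks (constructed model).

    guarantee: {partition: ticks} fixed budget; demand: {partition: ticks} queued.
    """
    grant = {p: min(guarantee[p], demand[p]) for p in guarantee}
    if not adaptive:
        return grant                     # static: unused budget sits idle
    spare = sum(guarantee.values()) - sum(grant.values())
    # Adaptive: lend only the idle ticks, one at a time, to partitions with backlog.
    while spare > 0:
        hungry = [p for p in guarantee if demand[p] > grant[p]]
        if not hungry:
            break
        for p in hungry:
            if spare == 0:
                break
            grant[p] += 1
            spare -= 1
    return grant


def utilization(grant, guarantee):
    """Fraction of the window actually used."""
    return sum(grant.values()) / sum(guarantee.values())


# Constructed budgets: the control loop is guaranteed half the CPU, the untrusted
# network stack a fifth. Under light load the static scheduler idles 40% of the
# window; the adaptive one gives those ticks to "net". Under overload both fall
# back to the guarantee, so "net" can never take CPU that "control" is entitled to.
GUARANTEE = {"control": 50, "ui": 30, "net": 20}
LIGHT = {"control": 10, "ui": 30, "net": 60}
OVERLOAD = {"control": 100, "ui": 100, "net": 1000}
```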
Wind River Systems offers a version of its VxWorks RTOS that's
compatible with the Arinc 653 specification standard for time and system
partitioning, as well as DO-178B. CTO Tomas Evensen said it's used by a
minority of customers in military/aerospace markets, and not by
commercial applications. "People are going in that direction, but most
applications don't need it yet," he said.
Security has its costs, Evensen noted. Independent partitions, he said,
usually involve performance overhead and require additional memory, thus
making the footprint larger. The plain-vanilla version of VxWorks has
memory protection to ensure that applications and their threads can't
overwrite memory management unit (MMU) tables, he said, adding that
VxWorks also offers error detection and recovery.
View from Windows
Microsoft added new security features in its Windows CE 6.0 release,
said senior technical product manager Mike Hall. "We changed the kernel
architecture so there's a very clean division between kernel space and
user space," he said. "Applications that run in the user space can't
touch the kernel space." Hall said every process has a unique 2 Gbytes
of address space, and a failed device driver will affect only the device
Mentor Graphics Corp.'s Nucleus RTOS partitions each application with
respect to MMU, and has a user mode and a protected supervisory mode,
said Neil Henderson, general manager of Mentor's embedded-systems
division. He said Mentor offers space partitioning, in which
applications execute in certain areas of memory, but not time
partitioning, in which the timing of processes is tightly controlled.
Henderson also noted that when security certification is required, the
software application, not just the RTOS, needs to be certified. Mentor,
however, plans to start providing the documentation "artifacts" that
will ease RTOS certification. "In general, we leave certification up to
the customer," Henderson said. "The charge for a certified kernel is