Getting a lock on RTOS security


By Richard Goering
EE Times

San Jose, Calif.-- Why would a manufacturer of kitchen ovens choose a 
real-time operating system first deployed in the flight-navigation 
system of a nuclear bomber? It's all part of a drive toward network 
security in an increasingly connected world.

The demand for greater RTOS security was one theme that emerged at last 
week's Embedded Systems Conference here. LynuxWorks Inc. held an 
Embedded Technology Symposium that addressed that issue, and QNX 
Software Systems announced a secure memory- and CPU-partitioning 
capability for multicore systems. Many real-time operating systems 
currently employ partitioning technology that places different 
software components in protected address spaces, so that a bug or attack 
in one part of an application doesn't bring down the entire system.

Technologies developed for the military/aerospace world are marching 
into commercial applications, some say. Among them is multiple 
independent levels of security (MILS), which provides a "separation 
kernel architecture" with partitions that ensure data isolation, 
information flow control and damage limitation. Gurjot Singh, 
LynuxWorks' CEO, predicted that MILS will move beyond defense 
applications into such areas as industrial automation, medical devices, 
banking and automotive.

"All these areas will eventually adopt the MILS architecture and the 
components of the subsystems that are built into it," Singh said. "We 
see this over and over, where money spent on defense results in things 
that are very widely accepted in the commercial world." MILS, Singh 
said, will even come to mobile devices such as PDAs, whose vulnerability 
was illustrated in 2005, when someone hacked into Paris Hilton's cell 
phone address book.

"The need for partitioning is fairly well-established in a number of 
markets where you need guarantees for CPU time and memory," said Kerry 
Johnson, product manager at QNX. "However, those implementations were 
typically designed around single-processor environments." QNX is 
offering a new capability in which partitions can be mapped across 
multiple cores (see April 2, page 42).

"The industry is in the middle of a transformation from smart devices to 
smart connected devices," said Ilya Bukshteyn, director of Windows 
Embedded marketing at Microsoft Corp. "In this next phase, 
personalization, identification and security will become key."

Green Hills Software's Integrity RTOS has been using the separation 
kernel concept for 10 years, said Dan O'Dowd, Green Hills' CEO. He said 
that Integrity-178B was the first RTOS to undergo testing by the 
National Security Agency for the ISO/IEC Common Criteria Evaluation 
Assurance Level (EAL) 6, which requires validation by formal methods. 
First deployed on the B-1 bomber, Integrity is a MILS-based RTOS that's 
being used today in industrial, automotive and medical applications, 
O'Dowd said.

It's also being used by a manufacturer of kitchen ovens that can be 
turned on remotely over the Internet, a dangerous proposition if the 
wrong person hacks into such a system. Which brings up O'Dowd's 
argument--that "any connected device" has a need for a separation kernel 
architecture. "It's the right way to design software, and what people 
are now recognizing is that it's the only way, unless you have something 
very small and simple with no security requirement," he said.

Not so fast, others say. "There's no land rush that says the next set of 
designs won't happen without security," said Jim Ready, founder and CTO 
of MontaVista Software Inc. "It's still very, very early." He disclosed, 
however, that MontaVista, a provider of Linux operating systems, is 
developing a "security architecture" with several of its large 

Checking the connections

The LynuxWorks symposium made it clear that the company is looking 
beyond its traditional military/aerospace niche. "For mobile devices and 
for medical and financial applications, protection is essential," said 
Joe Wlad, LynuxWorks' director of product management. "Every time a 
system is connected, you're downloading mobile code. You don't know what 
it is. You're just acting on faith that it's not going to do something 

Dan Mender, director of business development at Green Hills, noted that 
the problem gets worse with IPv6, the next generation of the Internet. 
That will potentially allow billions of Internet Protocol addresses for 
each person on earth, he said, creating a situation in which "every 
device on the planet has the right to send a message to every other 
device." Conventional data security and encryption schemes like Secure 
Sockets Layer and IPsec are insufficient, he said, because they only 
protect data that's in transit, not data at the "endpoints" of the 

LynuxWorks is developing a new RTOS for security-critical systems. Based 
on MILS, LynxSecure is designed from the ground up to conform to the 
highest possible assurance level, EAL 7, the company said. Along with a 
separation kernel, it includes a virtual-machine monitor that can run 
multiple operating systems. LynxSecure is expected to ship this fall.

John Rushby, program director at SRI International and a speaker at the 
LynuxWorks symposium, noted that while MILS dates back to 1981, it was 
"rediscovered" by the NSA around 2000. With MILS, he said, the only job 
that the kernel has is separation: The kernel creates partitions and 
installs tightly controlled connections between the partitions. A MILS 
system also identifies "system-level properties" that determine how 
components of the program interact, he said.

But do commercial applications really need a full-blown MILS RTOS? Many 
providers who serve the commercial sectors would say no, and would 
dispute the need for formal certification, be it Common Criteria EAL 
levels or the DO-178B security certification for avionics systems.

The QNX Neutrino RTOS uses time and space partitioning but does not have 
formal certification, said Darrin Shewchuk, director of media and 
analyst relations at QNX. Moreover, he said, the "adaptive partitioning" 
scheme it uses is more flexible than a statically partitioned MILS 
approach. With adaptive partitioning, Neutrino can reallocate idle CPU 
time from partitions, thus making more efficient use of system 

"A hard, padded-cell approach to partitioning is heavy-handed at best," 
Shewchuk said. "It assumes you have a lot of resources available and can 
afford to have them underutilized for the sake of secure applications."
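The trade-off Shewchuk describes, static budgets versus adaptive reallocation of idle CPU time, as an added toy model (not the article's own material, and not QNX's or any other vendor's scheduler): each partition has a guaranteed budget of ticks per scheduling window; the static policy wastes any budget its owner does not use, while the adaptive policy hands unused ticks to partitions that still have runnable work, yet never takes a partition below its budget when it has demand.

```python
from dataclasses import dataclass

@dataclass
class Partition:
    name: str
    budget: int   # guaranteed ticks per scheduling window (sum == window)
    demand: int   # ticks of runnable work this window

def schedule_static(parts, window):
    """Hard partitioning: a partition gets at most its budget;
    whatever it does not use is left idle."""
    assert sum(p.budget for p in parts) == window
    return {p.name: min(p.budget, p.demand) for p in parts}

def schedule_adaptive(parts, window):
    """Adaptive partitioning (illustrative policy, an assumption of
    this example): start from the static allocation, then hand idle
    ticks to partitions that still have demand, split in proportion
    to their budgets. Under full overload it degenerates to the static
    allocation, so every partition keeps its guaranteed minimum."""
    assert sum(p.budget for p in parts) == window
    alloc = {p.name: min(p.budget, p.demand) for p in parts}
    free = window - sum(alloc.values())
    while free > 0:
        hungry = [p for p in parts if p.demand > alloc[p.name]]
        if not hungry:
            break  # nobody wants the idle time; it stays idle
        total_budget = sum(p.budget for p in hungry)
        gave = 0
        for p in hungry:
            share = max(1, free * p.budget // total_budget)
            share = min(share, p.demand - alloc[p.name], free - gave)
            alloc[p.name] += share
            gave += share
        free -= gave
    return alloc

def utilization(alloc, window):
    """Fraction of the window actually spent running partitions."""
    return sum(alloc.values()) / window

if __name__ == "__main__":
    # Constructed workload: the network partition is busy, the UI is idle.
    parts = [Partition("ui", 30, 10), Partition("net", 30, 60),
             Partition("ctrl", 40, 40)]
    for policy in (schedule_static, schedule_adaptive):
        alloc = policy(parts, 100)
        print(policy.__name__, alloc, utilization(alloc, 100))
```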

Wind River Systems offers a version of its VxWorks RTOS that's 
compatible with the ARINC 653 standard for time and space 
partitioning, as well as DO-178B. CTO Tomas Evensen said it's used by a 
minority of customers in military/aerospace markets, and not by 
commercial applications. "People are going in that direction, but most 
applications don't need it yet," he said.

Security has its costs, Evensen noted. Independent partitions, he said, 
usually involve performance overhead and require additional memory, thus 
making the footprint larger. The plain-vanilla version of VxWorks has 
memory protection to ensure that applications and their threads can't 
overwrite memory management unit (MMU) tables, he said, adding that 
VxWorks also offers error detection and recovery.

View from Windows

Microsoft added new security features in its Windows CE 6.0 release, 
said senior technical product manager Mike Hall. "We changed the kernel 
architecture so there's a very clean division between kernel space and 
user space," he said. "Applications that run in the user space can't 
touch the kernel space." Hall said every process has a unique 2 Gbytes 
of address space, and a failed device driver will affect only the device 
driver manager.

Mentor Graphics Corp.'s Nucleus RTOS partitions each application with 
respect to MMU, and has a user mode and a protected supervisory mode, 
said Neil Henderson, general manager of Mentor's embedded-systems 
division. He said Mentor offers space partitioning, in which 
applications execute in certain areas of memory, but not time 
partitioning, in which the timing of processes is tightly controlled.

Henderson also noted that when security certification is required, the 
software application, not just the RTOS, needs to be certified. Mentor, 
however, plans to start providing the documentation "artifacts" that 
will ease RTOS certification. "In general, we leave certification up to 
the customer," Henderson said. "The charge for a certified kernel is 
considerably more."
