Building middleware for security and safety critical systems

Gordon M. Uchenick, Objective Interface

July 11, 2006

Gordon M. Uchenick, Objective InterfaceJuly 11, 2006

Whether you are designing a nuclear fusion ignition system, an advanced weapons system, an unmanned robotics vehicle or an integrated avionics suite, safety or security critical systems typically require certifications that their software content meets all of its requirements.

Certification efforts can be risky to both cost and schedule, especially in the most important applications where the consequences of failure are unacceptably high. Certification can also be an arduous task, often taking more time and costing more money than the original software development itself. Embedded systems developers benefit from software architectures that make high levels of certification more achievable.

One such architecture, Multiple Independent Levels of Security (MILS), is intended to simplify the certification process at high levels of assurance, making it practical and affordable. It also enables code and artifact reuse to leverage investment. MILS is a layering architecture with the primary goal of minimizing the amount of code that needs the most rigorous inspection. Its layers are the Separation Kernel, Middleware, and Application.

MILS approach to middleware
Traditional operating system architectures have a large body of code running in privileged mode. Because nothing constrains the behavior of privileged code, it can violate the system safety and security policies such as data isolation and controlled information flow. Considerable effort is required to rigorously prove all of this code is well behaved, that it does not violate or weaken policy enforcement. The time, cost, and risk of failure for this proof increases exponentially as the code base gets bigger and more complex.

The MILS architecture simplifies high assurance certifications by moving system functions from the Separation Kernel layer to the Middleware layer. The resultant Separation Kernel is significantly smaller and simpler, much more conducive to certification at a high level of assurance. The increased confidence that the Separation Kernel will always enforce the system safety and security policies correctly reduces assurance requirement levels for the Middleware and Application layers.

The MILS approach is to move as much system code as possible to the Middleware layer where it runs in unprivileged mode. I/O services, file systems, and communications protocol stacks are large and complex code bases. Instead of being able to violate the system policies, all of that code is now strictly subject to them.

Because of this fundamental difference, a basic to moderate level of rigor of inspection for that code is now appropriate. Basic to moderate level code evaluations are achievable, practical, and affordable for large code bases and have been done many times. MILS Middleware, typically linked with the applications that it supports, can be grouped into three general categories: System Services, the Partitioning Communications System, and Network Middleware.

System services as middleware
Embedded application developers are accustomed to using a full-featured real-time operating system (RTOS). Most of the code in an RTOS implements the complex services described above. The MILS Separation Kernel has a sparse application programming interface (API); it does very few things but it does them very well.

An effective way to bridge this gap is to port an entire RTOS, a familiar environment friendly to the application developer, to run as Middleware in a user mode MILS partition. Although it may be perceived as a signifi- cant engineering task, the path to this transition is surprisingly straightforward.

One of the key objectives for any commercial RTOS is portability to a wide range of processors. For this reason, RTOS code is written to the greatest extent possible in a processor independent manner. Processor-independent implementation mandates the RTOS designer to minimize the number of operations requiring privileged instructions because privileged instructions are processor specific. The bulk of RTOS code maintains control blocks, manipulates queues, executes scheduling algorithms, and performs services as requested.

Almost none of these activities require the use of privileged instructions. Privileged instructions can't be entirely avoided. Memory Management Units (MMUs) must be configured and interrupt systems must be controlled, etc. These undertakings are necessarily processor specific.

Balance between portability and the need to perform processor specific activities is achieved by isolating the processor specific code into a few small modules. This set of modules is called the Hardware Abstraction Layer (HAL). RTOS developers are adept at writing new HALs; it is how they can quickly and economically offer their platform on the latest and greatest processors. They are providing their standard RTOS with a new HAL.

If a HAL can abstract a physical processor, it can also abstract a MILS Separation Kernel. Instead of executing processor specific privileged instructions, a HAL can use system services to request these operations be performed on its behalf by the Separation Kernel. The high assurance Separation Kernel can be trusted to enforce the system safety and security policies as it executes requested system services and returns the results to the HAL. The HAL translates those results as necessary and then gives control back to the RTOS.

The end result is that the RTOS does not know that it is running in a user mode partition as the Separation Kernel's "Guest." Each partition in a MILS node can contain its own RTOS. The net effect of this architecture is a single microprocessor running multiple virtual microprocessors, each of them robustly separated in time and in space with tightly controlled communications among them.

The Guest RTOS architecture has many benefits. Legacy applications written for the RTOS can be readily ported to the safe, secure and highly robust MILS environment with minimal change. Software engineers enhancing legacy applications or developing new ones have the familiar RTOS environment and development tool set.

Actual target hardware is often not available during the early to middle stages of a project, creating potential development and testing bottlenecks. If some of the embedded applications do not require specialized hardware, or if that hardware can be emulated, unit testing can be done on any COTS board supported by the RTOS.

Network stacks as middleware
Middleware often requires private execution and threading contexts. Network protocol stacks often fall into this category and are built to run in their own private MILS partitions. Strong separation is a significant benefit of this architecture.

The application and the protocol stack are protected from each other, considerably reducing total system vulnerability. Fortunately, moving protocol stacks out of the kernel into their own partitions can be completely transparent to the applications that use them.

Let's use TCP/IP as an example. The semantics of the socket library (or its equivalent for non-IP based networking) are unchanged from the application's perspective. All modifications are hidden "under the hood." A traditional socket library implementation of data transmission via send() copies data from the application to network buffers.

The copy procedure is necessary because the scope (i.e., lifetime) of the data to be sent is unknown. Once the data is copied, it is handed over to the stack's transport layer via either a function call or a system service, depending on how the stack was implemented.

Alternatively, a MILS implementation of the send() function uses the Separation Kernel's tightly controlled information flow facilities to move outbound data from the application partition to the protocol stack running in its private partition (Figure 1, below).

Figure 1. MILS network implementation

The Separation Kernel guarantees that there is no other way for the data to get there. The most important point is that the application just called send() in either case. What send actually does with the data is irrelevant to the application as long as the data gets to wherever it should be going.

Partitioning communications system middleware
All of the COTS components that are used to connect one machine to another are a source of vulnerability. The protocol stacks, interface cards, routers, switches and media were all originally designed to move data optimally.

Safety or security may not have been original requirements and were often bolted on as a series of emergency patches issued as amateur hackers and professional attackers succeeded in penetrating distributed systems. This reactive approach is always one step behind, countering threats only after the damage has been done.

Why not start over, developing protocol stacks with safety and security as a key requirement? TCP/IP protocol stacks are large and complex bodies of code. This assertion is proven by noting that it took Richard Stevens three substantial volumes to explain what they do and how they do it in the masterwork TCP/IP Illustrated.

Putting robust safety and/or security policy enforcement into a protocol stack is suboptimal because the resultant code body size and complexity conflict with the rigorous inspection necessary to verify enforcement is adequate.

The amount of code that must be trusted to enforce the security policy among distributed nodes can be significantly reduced in the same manner as MILS significantly reduces the amount of trusted code that enforces the security policy within a single node. MILS simplifies large problems by dividing them into small problems that can interact only in predictable ways " divide and conquer. This methodology can also be applied to distributed systems.

A security policy enforcement module, the Partitioning Communications System (PCS), can be interposed between the application and protocol stack partitions instead of adding security functions to the stacks themselves. The PCS can perform its security policy enforcement functions transparently with respect to both the applications and the protocol stacks (Figure 2, below).

Figure 2. The Partitioning Communications System (PCS)

PCS: The MILS Architecture Enforcer
The policy enforcement functions performed by the PCS are: flow separation, strong authentication, bandwidth provisioning and partitioning, covert channel separation, and secure configuration.

Flow Separation: Providing trustworthy separation of the individual flows (e.g., TCP port connections) on a shared medium (e.g., Ethernet). These flows are to or from multiple application partitions in the node local to the PCS. Because the separation is trustworthy, these flows can be at different security levels (i.e., TOP SECRET vs. SECRET) or different safety levels (i.e., CRITICAL vs. NON-CRITICAL). In the past, separate physical links were required to provide trustworthy "air gap" separation.

Strong Authentication: Identifying the node, the application, and the application instance at the "other end" of each flow. High value data should not be transmitted until the sender can verify that the recipient is identified, authorized, and in a safety or security preserving state.

Bandwidth Provisioning and Partitioning: Controlling the portion of total channel capacity that can be used by each flow. This useful security function enforces the designer's targets for allocation of shared bandwidth which shortens system integration time and increases total system reliability. Denial of Service attacks from malicious or errant software in the transmitting node are also suppressed.

Covert Channel Suppression: Link level encryption is not enough. Significant characteristics of the data and the applications can be discerned by analyzing traffic patterns, especially in response to external events which may have been caused by the malicious observer himself. The PCS controls message length and timing to counter this threat, transparent to the applications.

Secure Configuration: One cause of failure a distributed system is errors or attacks that effectively get each node to enforce different versions of the overall safety or security policy. Because the different versions are not necessarily compatible and consistent with each other, each node can be correctly enforcing its local policy but total enforcement for the enclave can be compromised. The PCS validates that proper versions of the system policy are being enforced for each flow.

Trusted Image Loading: It is a common requirement to either load or update applications "over the air" after a distributed system has been deployed. The PCS controls this operation, validating that the software originates from an authenticated source, that the software has not been modified, that the download or update itself has been authorized, and that the resources required by the downloaded module conform to the safety or security policy.

PCS communications policy enforcement has a very important characteristic which is required for high assurance. It is NEAT, an acronym for:

Non-bypassable: The MILS Separation Kernel's data isolation and controlled information flow guarantee that all data must pass through the PCS. It can't be circumvented. The PCS guarantees that data will always flow through downgraders, guards, and firewalls, never around them.

Evaluatable: The PCS is small enough and simple enough to enable the mathematical proof of correctness that is required for high assurance verification, certification, and accreditation. The "trusted plumbing" that the PCS provides simplifies distributed safety and security modules, enabling their high assurance evaluations and validations.

Always Invoked: The safety and security policy is enforced each and every time that data is transferred. The distributed system does not transmit data unless and until all protection is in place.

Tamper Proof: Trustworthy data isolation prevents erroneous or malicious applications from modifying the PCS code or the data that defines the safety and security policy. The PCS assumes that both the applications and the network are hostile, protecting itself from invalid structure or sequences in the data that it handles. Attacks based on modifying policy data can't succeed.

Putting It all together. Revisit Figure 2, above. Application 1 and Application 2 need to communicate with their counterparts in an external system. It is important that their data flows not interfere with each other in either content or Quality of Service.

Application 1 could be handling SECRET classified data and Application 2's traffic could be unclassified; Application 1 could be safety critical and Application 2 could be of lesser importance to the total system.

The PCS is interposed between these applications and the communications partitions in both the sending and receiving nodes. In this arrangement, the PCS, because of its high assurance, can be trusted to maintain the required separation and bandwidth allocations when the communications facilities can't be trusted to do this by themselves.

Network middleware
Network Middleware such as CORBA, DDS, and Web Services offer many features mostly aimed at providing location transparency. Applications aren't required to know where their input data comes from and where their output data is going. This transparency conflicts with safety and security requirements. In safe and secure communications systems we need to know exactly where data comes from and exactly where it is going.

Why is porting Network Middleware to MILS desirable? MILS/PCS communications resolves the conflict. Legacy applications can continue to use their existing Middleware foundations. And new applications can be developed in those familiar environments because MILS/PCS communications allows only authorized information flows to occur between authenticated sources and destinations at specified maximum rates.

This communications safety and security policy enforcement is transparent to both the application and its Middleware. Once again, the implementation path is straightforward. Network Middleware resides above the transport level. Since the socket (or other communications) API remain intact as explained earlier, minimal impact upon Network Middleware is expected.

A system is useful to application developers because of its Middleware. Middleware is the bridge between the rudimentary services such as "wait for an event" and desirable higher level features such as "extend a file on disk" or "send this data by TCP/IP."

The MILS architecture moves these complex functions out of privileged mode. Running Middleware in user mode, where it is subject to the Separation Kernel's policy enforcement, reduces the level of rigor required for its safety and security evaluation and certification. At the same time, total system robustness is increased.

Evaluation and certification of large code bodies at medium levels of assurance is achievable, practical, and affordable. The guarantees of strong data isolation and controlled information flow suppress undesirable side effects, and ensure that the Middleware itself and its evaluation and certification artifacts are reusable.

Gordon M. Uchenick is Sr. Mentor/Principal Engineer at Objective Interface Systems, Inc.

To read a PDF version of this story, go to Middleware For Security And Safety Critical Systems at

Loading comments...