Integrity at EAL6+
I rarely talk about products in this column, but have to applaud Green Hills for the recent certification of their Integrity RTOS to Common Criteria Evaluation Assurance Level (EAL) 6+. This is truly a remarkable feat.
This validation effort is not simply a Good Housekeeping Seal; it's a tremendous effort that has been on-going since 1999, with three years spent in the certification process itself. NSA, armed with Integrity's source code, spent two years in penetration testing. They were unable to find any security flaws in the RTOS.
It appears that only two or three other software products of any kind have met EAL6, and perhaps 4 are certified to EAL7 or better. Integrity is the only OS of any sort certified above EAL5. The vast majority of the over a thousand evaluated products are at EAL4+ or lower. Sometimes a lot lower.
EAL4 is considered protection only against casual or inadvertent penetration attempts. Both Windows XP and Linux are at EAL4+, which means certified to 4 with some aspects of 5. (The words "secure" and "EAL4+" probably shouldn't be used in the same sentence, despite my having just done so.)
The company claims that at EAL6+ the government is willing to connect a computer loaded with Top Secret information to the Internet. It's hard to believe anyone would actually be gutsy enough to try that, but with the increasing importance of virtualization one can see where such co-mingling of data might be attractive for a variety of reasons.
Boeing took a hit last year when it was alleged their 787's flight control computers were on the same network as the entertainment system. I think that's a really dumb idea. But perhaps that feeling is a relic of olden days, like those of the assembly fanatics who distrusted C. Maybe our paradigm of security via isolation is obsolete when provably-correct ways exist to safely isolate subsystems.
A number of RTOSes are certifiable to various safety critical standards like DO-178B. Integrity, uC/OS, flavors of VxWorks and others meet the most stringent of those requirements. The "safety critical" imprimatur is highly desirable even for non-critical applications since it's proof that these software products work as advertised. But that says nothing about security.
Unfortunately, when embedded people talk about computer security we usually immediately think about Windows or on-line banking and credit card fraud. In my opinion security is poised to become a huge issue in the embedded space. Our systems handle credit cards, move information globally, control factories and more.
The NSA claims that the Tylenol factory has been hacked. Automotive steer-by-wire systems will soon come to market, eventually as part of a vastly networked car with Internet access. Couple these integrated systems with an increasingly hostile cyber world and one hopes that for a number of embedded apps security will be as important as any other design requirement.
Jack G. Ganssle is a lecturer and consultant on embedded development issues. He conducts seminars on embedded systems and helps companies with their embedded challenges. Contact him at firstname.lastname@example.org. His website is www.ganssle.com.