Hacking an endpoint, such as a mobile device, may only result in a loss for one user. Hacking a server can result in loss for thousands. IT professionals rely on security appliances, such as firewalls, filters, unified threat management (UTM) devices, intrusion protection systems (IPS), and intrusion detection systems (IDS), to protect critical servers from Internet hackers and from hijacked computers within their Internet-facing “demilitarized zone.” The amount spent to purchase and maintain these security appliances is staggering, expected to reach over $10 billion annually by 2011.
One common appliance function is to analyze and filter communications or operating systems for malware. Information Security Magazine's recent study of leading anti-malware products, using 8,114 different malware specimens, found that the best-performing product was unable to correctly identify 7.9%, or approximately 640 types, of malware.
David Leonard, former CTO of Infocrossing and current server security consultant, has dedicated his career to managing outsourced data centers that use state-of-the-art security appliances. Leonard has stated that a top hacker can get into practically any network, even the most stringently protected banks and data centers, and that these hackers will perform this service for as little as $25,000.
Virtualization is one of the hottest trends in server computing. It enables server consolidation and dynamic provisioning, saving precious size, weight, power, and cost. VMware and Xen are two commercial hypervisor technologies that have been deployed extensively. However, as virtualization deployments have grown, security experts have voiced concerns about the implications of “VM sprawl” and the ability of virtualization technologies to ensure security.
On June 2, 2008, VMware attempted to allay this concern by announcing that its ESX server products had achieved a Common Criteria EAL 4+ security certification. VMware's press release claimed that its virtualization servers could now be used “for sensitive, government environments that demand the strictest security.”
On June 5, just three days later, several severe vulnerabilities in the certified VMware products were posted to the National Vulnerability Database. Among other pitfalls, the vulnerabilities “allow guest operating system users to execute arbitrary code.”
At the 2008 Black Hat conference in Las Vegas, Joanna Rutkowska, security researcher and renowned author of the “Blue Pill” hypervisor-based rootkit, presented her team's findings from a project to locate vulnerabilities in Xen. One hypothesis was that Xen would be less likely than VMware to have serious vulnerabilities, because Xen is an open-source technology and therefore benefits from “many-eyes” exposure of its software.
Rutkowska's team discovered three different, fully exploitable vulnerabilities that the researchers used to commandeer the computer via the hypervisor. Ironically, one of these attacks took advantage of a buffer overflow defect in Xen's Flask layer; Flask is a security framework, the same one used in SELinux.
Breaking the security logjam
As Bruce Schneier, BT's Chief Security Technology Officer and arguably the most famous security personality on the planet, has said, “The only path towards security is through high assurance.” Security experts are well aware that the EAL 4 level to which general-purpose IT products, such as Windows, Linux, and VMware, have been certified, is practically meaningless.
In contrast, the NSA has put forth a Common Criteria operating-system profile, informally known as the SKPP, which specifies a high assurance level (EAL 6+), designed to address “high robustness” computer systems that manage and protect high value resources against resourceful adversaries. According to Department of Defense guidance, high robustness refers to “security services and mechanisms that provide the most stringent protection and rigorous security countermeasures.”
The requirements of the SKPP are far more stringent than any other OS security standard. The assurance, or confidence, that developers, users, and other stakeholders can derive from a certification against this profile is therefore extremely high and unprecedented in the world of computer security. SKPP requires an extremely rigorous development process, formal methods that provide mathematical proof of the security, and penetration testing by the NSA's security experts, who have access to the source code. The table shows a list of operating-system and hypervisor technologies and their associated certifiability levels.
Of course, the operating system is only one, albeit important, piece of the security puzzle. Weaknesses in middleware and applications can also be disastrous. Green Hills Software recently applied its secure development process to create a high assurance web server. The company's engineers were able to create the HTML 1.1 compliant web server in just a few hundred lines of code, as compared to the hundreds of thousands of lines of code in today's typical commercial web servers. The web server was deployed on the Internet, and Netragard, a leading white hat hacker organization, was invited to attack the web site. Netragard CTO Adriel Desautels reported that the web site, running on the high assurance web server and Integrity OS, had “no attack surface whatsoever.”
Supporting legacy systems
Rewriting the world's software and applications is not feasible, so high-assurance technologies must be applied creatively. Security-critical portions of a server can run natively on a high-assurance OS while being securely separated from legacy components by secure virtualization technology, which allows general-purpose OSs, such as Windows and Linux, and their hosted applications to be reused.
Another option is to port legacy server applications, such as the ubiquitous Apache web server, to the high-assurance OS, whose secure resource management capabilities ensure that vulnerabilities in a ported server are less likely to be exploitable. For example, buffer overflows are often fatal, not because of the software defect per se, but because the typical OS's weak access control model permits a maliciously inserted overflow payload to launch arbitrary programs, execute code from the run-time stack segment, access arbitrary files, and so on. Running under the control of a secure OS, Apache does not have the ability to access arbitrary programs, and thus the damage from a buffer overflow is limited.
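The mechanism described above, as an added example that is not from the article or from Green Hills: a C program confines itself with a Linux seccomp-bpf filter (assumed here as a stand-in for the strict access control of a high-assurance OS) before it handles untrusted input, so that any later attempt to launch another program, the step an overflow payload normally depends on, fails with EPERM instead of spawning a process.

```c
/* Added example (not Green Hills code): confine a process so that a hijacked
 * control flow cannot launch arbitrary programs. Linux seccomp-bpf stands in
 * for the high-assurance OS access control the article describes. */
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Install a filter that denies execve/execveat with EPERM and allows every
 * other system call. Returns 0 on success, -1 on failure. A production filter
 * would also check seccomp_data.arch and use a default-deny allow-list. */
static int confine_no_exec(void)
{
    struct sock_filter filter[] = {
        /* Load the system call number from the seccomp_data argument. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* execve  -> jump 2 ahead to the ERRNO return; else fall through. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 2, 0),
        /* execveat -> jump 1 ahead to the ERRNO return; else fall through. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };

    /* An unprivileged process may only install a filter after giving up the
     * ability to gain privileges (e.g. via setuid binaries). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* What an overflow payload typically needs: spawn another program. Under the
 * filter, execve returns -1 and this function reports the errno (EPERM). */
static int try_launch_program(void)
{
    char *const argv[] = { "/bin/true", NULL };
    execve("/bin/true", argv, NULL); /* returns only on failure */
    return errno;
}

int main(void)
{
    if (confine_no_exec() != 0) {
        perror("confine_no_exec");
        return 1;
    }
    printf("launch attempt after confinement: errno=%d (EPERM=%d)\n",
           try_launch_program(), EPERM);
    return 0;
}
```

The vulnerable program's bug is unchanged; what changes is that the OS no longer lets the process reach for an arbitrary program, which is the containment the article attributes to running Apache on a secure OS.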
Embedded systems are increasingly reliant on server technologies that are accessible from the Internet. As evidenced by the growth of trends such as cloud computing and Software as a Service (SaaS), the security impact of successful cyber attacks is likely to grow as well. The good news is that high assurance methodology and certified high robustness technologies can break the insecurity logjam, and do so without sacrificing the world's legacy operating systems and applications. The only thing we need is the determination to think outside the box to apply these new techniques effectively.
David Kleidermacher is chief technology officer at Green Hills Software where he has been designing compilers, software development environments, and real-time operating systems for the past 16 years. David frequently publishes articles in trade journals and presents papers at conferences on topics relating to embedded systems. He holds a BS in computer science from Cornell University, and can be reached at .