SANTA BARBARA, Calif. The computer networks that control business transactions, transportation, electric power, defense, and confidential personal data are increasingly vulnerable to attack, according to speakers at the Green Hills Software Inc. Technology Conference here Dec. 4 and 5. Networks can only be secure, company representatives said, when the devices at the “endpoints” use secure operating systems.
Green Hills used the event to roll out its new Platform for Secure Networking, as well as Integrity 10, the next release of its Integrity real-time operating system (RTOS). Green Hills also claimed that its existing Integrity-178B, aimed at safety-critical applications such as avionics, is the first RTOS to undergo National Security Agency (NSA) testing for an ISO/IEC 15408 Common Criteria Evaluation Assurance Level (EAL) beyond EAL6.
O'Dowd noted that networks handle all business and financial transactions, hold personal data including medical and financial records, run the entire transportation system, maintain the electric power grid, and are responsible for much of the U.S. defense capability. “If an adversary can disrupt our networks, our entire system falls apart, we're so dependent on them,” he said.
Potential adversaries, O'Dowd said, are not so dependent on networks. They use cash for business transactions, typically live in countries without reliable power or transportation, and their militaries use more primitive electronics. And this may give them an advantage. “In combat, a blind man will turn out the lights,” O'Dowd noted.
O'Dowd presented various disaster scenarios, such as terrorists programming large numbers of traffic lights to turn green at the same time during rush hour, or hackers inserting viruses into automotive control systems through Bluetooth infotainment systems. He cited an incident in which a call center worker in India sold bank account details for 1,000 U.K. customers. He also pointed to a long list of Cisco vulnerabilities available on line.
Things aren't getting any safer. Christopher Harz, vice president of strategic planning at IPv6 Summit Inc., noted that IPv6 will bring about an orders-of-magnitude increase in the number of Internet addresses available. “Right now, there are a maximum of a couple of billion nodes in the world,” he said. With IPv6, Harz said, “there may be a couple of billion nodes in your neighborhood.”
As the number of nodes increases, he said, so do vulnerabilities. There will be many more network-centric operations, he said, and a much greater emphasis on mobile, wireless communications. Because the U.S. is behind on IPv6, Harz said, there will be a “massive infusion” of foreign-built hardware and software. And because IPv6 is new, he said, it will require a new generation of firewalls.
Aaron Turner, cyber security strategist for national and homeland security at Idaho National Laboratory (INL), started his talk by noting that there's much he can't say. “The list of vulnerabilities I can talk about is not very long, because there are no solutions today,” he said.
While terrorists and unfriendly nations remain a threat, Turner said that the fastest-growing type of cyber-attack today comes from criminals out for financial gain. He said INL is investigating reports of criminal extortion from operators of SCADA (supervisory control and data acquisition) systems. “The adversary capability is growing tremendously versus our security capability,” he said.
The INL, said Turner, has developed a very sophisticated simulation capability to predict the impact of possible cyber-attacks. But the economic impact of these attacks is very real, he said. Network vulnerability, Turner said, “is the next great crisis our society is going to confront.”
Digital, personal authentication is one solution to the network security problem, said Gregory Youngblood, director of marketing for the security line of business at Broadcom Inc. He described the Broadcom Integrity Platform, based on Broadcom's BCM5890 “secure processor,” as a system that can provide hardware security for any type of authentication system. The first application is a personal biometric device from Privaris Inc.
But the main focus at the Green Hills Technology Conference was software, and Green Hills had two new offerings to talk about. The company's Platform for Secure Networking includes the Integrity RTOS, which features a separation kernel architecture for fault isolation and containment, and claims to support requirements and policies of Multiple Independent Levels of Security (MILS).
Aside from the Integrity separation kernel, the platform includes an advanced file system, a GHNet dual mode IPv4/IPv6 networking stack, IPSec, secure web server including SSL/TLS client and server, and secure shell client and server (SSH). While it's largely a packaging of existing Green Hills technology, David Kleidermacher, Green Hills CTO, said that new technology includes the IPv6 support, new encryption algorithms, and SSL/TSL.
Green Hills' Integrity 10 release claims several new security features. One is a “pure virtual” device driver model that moves device driver code outside the kernel, easing certification costs. Another is an enhanced partition scheduler for defining execution windows for each partition. A third feature is a new memory “lending” capability that can recover resources and revoke access to resources from other processes.
The new release also steps up support for multicore debugging. It supports symmetric multiprocessing (SMP), in which the operating system will automatically load-balance applications across multiple cores on SMP-capable microprocessors. Integrity 10 also supports non-uniform memory architecture (NUMA) systems in which applications are allocated across multiple cores.
What O'Dowd seemed proudest of, however, is the pending EAL6+ certification for Integrity-178B. Several commercial operating systems have achieved EAL4, which calls for software to be “methodically designed, tested and reviewed.” But that's not good enough, O'Dowd said, because it only resists inadvertent or casual attempts to breach system security. “A determined hacker can take control of an EAL4 system,” he said.
EAL6 calls for software to be “semi-formally verified, designed and tested,” while EAL7 ups the ante for formal verification, design and test. EAL6+, a hybrid between these two, is the level the NSA wants for military systems, O'Dowd said. An EAL6+ system, he maintained, cannot be hacked by anyone.
Integrity-178B is the only RTOS actively undergoing evaluation above EAL4, O'Dowd claimed. He pointed to a National Information Assurance Partnership (NIAP) web site listing software products currently under evaluation, including Integrity-178B.
O'Dowd agreed with one conference participant who noted that devices at both ends of a network have to be secure. “The only way to get denial of service protection is to make sure every node is secure,” he said.