Paul Parkinson

DSEi 2011: submarine periscopes and invisible tanks

2011-09-19T02:51:04-07:00

Last week, I attended the DSEi defence & security exhibition in London. As usual, it was an enormous event with a huge number of exhibitors, and it seemed to be even better attended than the 2009 event.

I visited some of Wind River's customers and partners, and I was really pleased to see a demo of the VxWorks-powered Astute submarine optronic mast on Thales' stand, which showed the huge difference that the 3-axis image stabilisation makes when using the periscope in rough seas.

While I was at the event, I also took the opportunity to look around at some of the state-of-the-art technologies on display. There were lots of new systems which were focused on 'cyber security', and 'cyber defence', and the application of military-grade cyber security for protecting critical national infrastructure.

However, the system which seemed the most revolutionary to me, was BAE SYSTEMS' ADAPTIV camouflage. There is a long-established problem of military vehicles being vulnerable to detection, and whilst covering tanks with traditional camouflage material can help disguise them in the visible spectrum, this doesn't prevent their detection from infrared (IR) sensors.

BAE SYSTEMS has developed an innovative solution to this problem using state-of-the-art technologies, which is being reported in the media as an 'infrared invisibility cloak'. ADAPTIV provides the ability to hide, blend, disrupt, and disguise the appearance of military targets, and also provides Identification Friend-or-Foe (IFF) for coalition operations to prevent friendly fire.

Unfortunately, the CV90 tank on display at DSEi didn't perform a live demo of ADAPTIV, but the official video teaser on YouTube is so impressive, that I decided to embed it below:

Linux, Common Criteria, and OS Protection Profiles

2011-09-16T02:19:07-07:00

In 2011, computer and network security news stories, which were previously the preserve of specialist journals and blogs, have become commonplace in the mainstream media. There are now many different types of threat, which are sometimes categorised into hacktivist, e-crime and most recently,advanced persistent threats (APT). Whilst some of these attacks have exploited zero day vulnerabilities, many of these attacks have simply taken advantage of the fact that systems have not been configured securely for their deployment environment.

To use an easy–to-understand analogy, consider a wireless router. This device will generally be shipped from the factory in the most flexible, open communication configuration, which will have many or all of the security options disabled. This will be fine if the wireless router is intended to be used as a free public Wi-Fi access point (e.g., cyber cafe), but not for a private business or home office if you want to prevent drive-by wireless hacks). In these cases, wireless encryption such as WPA2 will need to be enabled for the router and clients, and access may even need to be restricted to specific clients via MAC addresses, etc.

For the developer wanting to create a secure product using embedded Linux, the wealth of configurable functionality and security packages can seem overwhelming. In the critical device space, the key question is, "How can one create a Linux configuration for their product which can be secure and meet the security requirements of the product's targeted international markets?" The answer is straightforward and well defined - use standards-based approaches to both configure and prove security robustness.

For IT security, there is one globally-recognised standard, Common Criteria, that a product can be evaluated against, and this evaluation ensures that connected IT products are performed to high and consistent standards. Because Common Criteria is now recognized by 26 countries, product security evaluation using this standard eliminates the burden of duplicating security evaluations in multiple countries by providing international mutual recognition of evaluated products.

To accelerate the Common Criteria evaluation, the product can be developed according to the approved Protection Profile (PP) to ensure that it meets the accepted security requirements for that class of product. A Protection Profile is a document that defines the combination of threats, security objectives, assumptions, security functional requirements (SFRs), security assurance requirements (SARs) and rationales for a specific security target (ST). The PP is used to substantiate vendors' claims of a given family of information system products. The PP for a particular device typically specifies the Evaluation Assurance Level (EAL), a number 1 through 7, indicating the depth and rigour of the security evaluation, usually in the form of supporting documentation and testing, that a product meets the security requirements specified in the PP. In the United Kingdom, CESG supports Common Criteria evaluation and the use of PPs; in the United States, the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) have agreed to cooperate on the development of validated US government PPs.

Common Criteria testing and evaluation can be quite expensive, and adds significant risk to any programme. To help eliminate much of this risk, Wind River has taken this approach for the development of Wind River Linux Secure, a commercial-off-the-shelf (COTS) product which has been certified by NIAP under the US Common Criteria Evaluation Scheme to Evaluation Assurance Level (EAL) 4+ (EAL4 being the highest level which is mutually recognised internationally under the Common Criteria Recognition Arrangement, and "+" referring to the evaluation being augmented with the Security Assurance Requirement ALC_FLR.3, the highest level of systematic flaw remediation).

Wind River Linux Secure was evaluated against the US Government Protection Profile for General Purpose Operating Systems in a Networked Environment (US GP-OSPP). This is a new protection profile which was published by the US National Security Agency's Information Assurance Directorate in August 2010, and supersedes the earlier Role-Based Access Control Protection Profile (RBAC) which was 'sunsetted' from 1st September 2011.

With this COTS GP-OSPP foundation, we expect that evaluating Linux products under similar PPs, like the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) General Purpose Operating System Protection Profile (BSI GP-OSPP) can also be undertaken. The BSI OSPP is also published on the Common Criteria portal, and defines the specific requirements for the German security market. Although there are two separate general-purpose operating system protection profiles, with some specific differences in Security Functional Requirements, there is a lot of commonality, and Wind River’s experience in evaluating a full-featured Linux distribution from kernel.org removes considerable risk from other programmes requiring Common Criteria certification using the US GP-OSPP, BSI GP-OSPP, or other evaluation scheme.

IDEF 2011

2011-05-20T14:37:06-07:00

Last week, I attended the IDEF 2011 defence trade show in Instanbul as part of the Wind River team exhibiting on the Tektronik (Turkish distributor) stand.

Our partner, Curtiss-Wright, who were also exhibiting at the event, had kindly lent me a VPX chassis and VPX6-185 board, which I used to demonstrate a Cross-Domain Solution (CDS) demo running on VxWorks MILS. The demo filters packets of data between black and red networks based on the security classification of the data, and uses multiple partitions to implement sender and receiver on different interfaces.

The demo currently uses a simple encryption algorithm for data passed over the black network (which wouldn't present much of a challenge to GCHQ/CESG or NSA), so I decided to replace it with a stronger encryption algorithm which is more appropriate for real world systems. I initially considered using an open source implementation of AES-256, but then I remembered the export controls on 256-bit AES, so I decided to use a public domain implementation of the Russian GOST 28147-89 (which also uses a 256-bit keys).

I managed to get the GOST encrypt and decrypt routines running fine natively under Windows, and also on the VxWorks Simulator running on the Windows host, but I could not get the GOST decrypt routine to work correctly on the PowerPC target board. It turns out that the GOST algorithm assumes that it's running on a little-endian processor! So, I had to stick with the simple encryption algorithm for the time being, and will have to wait until the Cross-Domain demo is running on VxWorks MILS on Intel architecture before I can use GOST.

Finally, some of my colleagues have been blogging about Wind River's 30th anniversary recently, and some of the things that they have got up to at Wind River. As I've spent my time at Wind working in the Aerospace & Defence sector, there are plenty of cool projects which I've worked on over the years which I can't discuss, but there a some highlights which can mention. For example, it's not every day you get the opportunity to sit in the cockpit of an F-16!

Fun with VxWorks MILS 2.1

2011-04-21T05:51:03-07:00

It’s been a while since my previous blog, as I have been rather preoccupied with responding to a number of RFPs. However, I’ve managed to find some time to work on some demos for VxWorks MILS 2.1, which has been fun.

VxWorks MILS 2.1 introduced support for Wind River Linux as a Guest OS (VxWorks Guest OS and High Assurance Environment (HAE) having been supported in the earlier VxWorks MILS 2.0 release). I wanted to get some more hands-on experience of using Wind River Linux as a Guest OS (GOS) running on the VxWorks MILS 2.1 Separation Kernel (SK). So, I started with a version of the Blaster Blastee demo which had been modified by one of my colleagues in Engineering to use a Linux GOS partition for the Blaster. (Blaster Blastee is a well-known Wind River demo which provides a nice flexible framework for blasting TCP or UDP packets between nodes, testing network connectivity and performance).

I thought it would be an interesting exercise to extend the demo to also use Linux in a second partition as the Blastee (receiver), to demonstrate the scalability and determinism of the MILS SK with multiple Linux virtual boards (VB).

This proved to be quite easy to configure, as I was able to use the same Linux kernel image as the Blaster virtual board, but with different boot parameters (as this virtual board was using a separate dedicated Gigabit Ethernet device on my target board, with its own IP address), and I just invoked the Blastee executable which had been built into the Linux GOS filesystem. Once I had added a timeslot allocation for the Blastee VB into the MILS system schedule, I was able to build and run the system and send packets between the two partitions via external Gigabit Ethernet interfaces.

(Side note: Alternatively, I could have sent packets directly between the two partitions either by using Secure IPC ports via the MILS SK according to pre-defined security policy, or even via an IP tunnel over SIPC, but I used the external Ethernet interfaces, as I wanted to extend the demo further).

The next step was to configure this Linux GOS-based system to send and receive packets via the two Ethernet ports to corresponding VxWorks GOS-based Blaster and Blastee virtual boards on a second board. This configuration can be used to simulate a Public Network and a Secure Network connection between two nodes (see diagram above). The original MILS Blaster Blastee demo also includes a trusted Security Audit partition, running in a High Assurance Environment, which monitors the audit log for each partition, and also a Rogue partition which attempts to illegally access the Secure Network interface to intercept traffic (which is of course prevented by the MILS SK). When this demo is running freely, the link lights on my Gigabit switch flicker away furiously, and the VxWorks MILS partitions report output via the multiplexed serial I/O output to a host console.

To really see inside the system, and to step through the interactions of the sender and receiver (Linux Blaster to VxWorks Blastee over the Secure Network, and VxWorks Blaster to Linux Blastee on the Public Network), I used Wind River Workbench to debug all four connections concurrently, using Linux user-mode agents in each of the Linux VBs, and On-Chip Debugging (OCD) via JTAG to debug the VxWorks Blaster and Blastee. In this way, I could step through the sending and receiving of packets in both directions over the two networks (rather than having to rely on printf(), which would have been difficult to correlate across multiple partitions). The screen shot shows the point at which I am stepping through send and receive (the size of the screen shot is constrained by my 19” monitor).

So, this demo shows how the High Assurance Environment, VxWorks GOS and Linux GOS can all run on top of the MILS Separation Kernel and still provide good network performance despite being in a time-partitioned environment.

Safety-Critical Systems Symposium 2011

2011-02-02T03:27:19-08:00

I'm looking forward to the 19th annual Safety-Critical Systems Symposium which is being held in held in the UK next week.

The conference programme covers a range of subjects including safety cases, testing of safety-critical systems, updates to safety standards, and technologies. On the Thursday afternoon, I will be presenting a paper 'Safety, Security and Multicore'.

Wind River will be participating in the exhibition which is being held on the Wednesday, and we will have a live demo of VxWorks MILS 2.0 running on the stand. So why not pop by to discuss your safety & security requirements?

Farewell to Del.icio.us

2010-12-17T04:40:18-08:00

I was disappointed to read in TechCrunch this morning that Yahoo has decided to shut down the Del.icio.us social bookmarking website (or should I say service?).

I started using Delicious a few years ago after I had become fed up trying to organise my website bookmarks. I often want to bookmark A&D news stories, blog articles, technical papers and standards, etc., so that I can easily find them again when I want to read through them at a more convenient time or when I need to do research for a Wind River article or presentation.

The problem with web browser-based bookmarks is that this approach doesn't scale well for a large number of bookmarks. Web browser bookmarks can be sorted into hierarchical folders, but this can be counter-intuitive if you have inter-related subjects (e.g. safety and security). Also, if you also use more than one web browser as I do, then keeping bookmarks up to date in mulitple places becomes tedious. (I alternate between Firefox and IE depending on which I think is the least insecure at any particular time, Firefox is my current choice due to the NoScript plugin).

Social bookmarking overcomes these issues by allowing you to associate multiple tags with individual bookmarks, e.g. cyber, infosec, safety-critical. This make it much easier to order subjects and inter-related subjects without having to store them hierarchically (e.g. cyber+security+UK). The cloud computing approach also means that instead of tying my bookmarks to one web browser on one computer, I can access them from any computer. (This short video clip from Common Craft explains it much better I than I can). I've found the Delicious bookmarks to be so useful that I even embed them on my personal website so that other people can access them easily.

Sadly, one job I'll need to do over Christmas is to migrate my Delicious bookmarks to another social bookmarking service.

Cybersecurity Testing & Trusted Platforms

2010-12-15T10:58:50-08:00

In 2009, security concerns were raised about the use of Chinese telecoms equipment in the UK's critical national infrastructure ('Spy chiefs fear Chinese cyber attack', The Times), and the potential for the equipment to be inadvertently or deliberately subverted in a cyber attack.

So, I was interested to read a ZDNet UK news article last week about the Chinese telecoms company Huawei opening a cybersecurity testing centre in the UK to certify its products for use in the UK's critical national infrastructure. The centre will be staffed entirely by security-cleared UK nationals who will work in collaboration with CESG (part of the UK government intelligence agency GCHQ) as part of the certification process to ensure that the evaluations meet the government's highest security standards. The ZDNet article also mentions that "the results of evaluations may be made available to operators and governments outside the UK", and although the Common Criteria security evaluation process is mentioned, it has been previously suggested that this more open approach to security would help Huawei to overcome security concerns in some countries.

Of course, the potential for equipment to contain vulnerabilities, either unintentionally or deliberately is not something new (as illustrated by the counterfeit CISCO routers episode in the US, which were believed to contain backdoors).

This got me thinking about the general subject of trusted platforms and the following questions:

How do you know that the software you are running is the software that you are supposed to be running?
How do you know that the hardware you are running on is the hardware that you are supposed to be running on?
How do you know that the system and has not been counterfeited, or intercepted and modified during the supply chain?

These are fundamental security questions which are often overlooked and could have disastrous consequences for a system deployed within critical national infrastructure.

However, these fundamental issues are addressed by the MILS architecture and the Separation Kernel Protection Profile (SKPP) through the use of trusted hardware, attestation and trusted delivery using cryptographic signatures. These techniques can be used with VxWorks MILS to develop high assurance systems for critical national infrastructure, as well as multilevel secure and Cross-Domain Systems.

So what are you running, and do you trust it?

Military Aerospace & Electronics Show UK

2010-11-22T11:55:30-08:00

I am looking forward to attending the UK's Military, Aerospace & Electronics Show, which will take place on 30th November.

This year's conference programme has a strong emphasis on open systems architectures, but there is also an increasing focus on Information Security. To complement these themes, there will be a live demonstration of the VxWorks MILS separation kernel on the Wind River exhibition stand, so if you are planning to attend the event, please drop by.

During the afternoon session, my colleague Stuart Gray & I will be running a workshop 'A Practical Foundation for Safety Innovation'. As an introduction, I will be giving a brief overview on the capabilities of the VxWorks 6 Cert Platform and explaining how it can be used to develop mission-critical and safety-critical systems requiring certification up to DO-178B Level A, but most of the session will be spent providing delegates with hands-on access to the VxWorks 6 Cert Platform. We recommend that you sign up in advance to avoid disappointment as workshop places are limited.

High Assurance Systems Development Using the MILS Architecture

2010-11-13T13:53:55-08:00

When I'm discussing VxWorks MILS with Wind River customers, I often find that in addition to wanting hear about the capabilities and features of the platform, they are also interested in the rationale for the MILS architecture and the implementation approach for the VxWorks MILS separation kernel.

So, I've recently written a technical white paper "High Assurance Systems Development using the MILS architecture" with my colleague Arlen Baker. This provides a technical deep-dive on the implementation approach taken for the VxWorks MILS separation kernel, and discusses how MILS technologies can be used to develop sophisticated Cross Domain Solutions (CDS) and Multi-Level Secure (MLS) systems, such as MILS-based gateways.

This MILS technical white paper is now available in PDF for download from the Wind River website (registration required). I hope you find it interesting and informative, and I look forward to receiving feedback.

National Cybersecurity Strategy

2010-10-20T13:40:36-07:00

On Monday, the UK government published its new national security strategy (PDF). This outlines the current and emerging security threats to the UK national interests, ranked by priority based on likelihood and impact. What caught my attention was the fact that the Tier 1 (highest priority) threats include:

'Hostile attacks on UK cyber space by other states and large scale cyber crime'

Until fairly recently, the threat of cyberwarfare has mainly been discussed in defence and security journals (see 'Evaluating Cyber Security', Digital Battlespace, Aug 2009), but there has been a growing focus on this in the mainstream media (although whether this is due to an increasing threat or an increasing media appetite is subjective).

However, recent events have shown that it is now possible for cyberwarfare attacks to be directed at specific targets, rather than being undirected and indiscriminate. This has been illustrated by the Stuxnet worm incident, which has been alleged to be a a state directed cyber attack ('The Stuxnet worm heralds new era of global cyberwar', The Guardian).

Cyberwarfare provides the the potential to bypass a nation's conventional forces and strike at specific targets including critical national infrastructure whilst remaining invisible and providing the prospect of plausible deniability. The types of cyberwarfare threats were discussed by Iain Lobban, Director of the UK's GCHQ security agency in an unusual public speech.

The UK government's response will be to invest £500m in cyber defences to bolster the UK's critical national infrastructure. At present, few details have emerged on how this will be implemented or how the security of systems will be evaluated. However, if you're using a system which has undergone a security evaluation under conditions which assume that it's connected to a benign network, then you might as well shutdown and pull out your network card now. Instead, we should be basing our critical national infrastructure systems on platforms which are designed to achieve the highest levels of assurance with real-world protection profiles and be resilient against network-based attacks.

http://www.direct.gov.uk/prod_consum_dg/groups/dg_digitalassets/@dg/@en/documents/digitalasset/dg_191639.pdf?CID=PDF&PLA=furl&CRE=nationalsecuritystrategy