
Secure by Design: Using a Microkernel RTOS to Build Secure, Fault-Tolerant Systems

Paul Leroux and Bill Graham, QNX Software Systems

5/26/2009 11:43 AM EDT

Strong boundaries
Virtually every embedded system today is connected, either physically or wirelessly, to the outside world. This network connectivity lets users perform remote monitoring and control, and lets systems download new software features or content on the fly. Unfortunately, it also exposes systems to infiltration by a growing cadre of cyber terrorists and extortionists. Malicious hackers have already compromised a variety of SCADA systems, HVAC control systems, network routers, mobile devices, and nuclear safety systems, using viruses, denial-of-service (DoS) attacks, and other network-based exploits.

To thwart such attacks, many companies and organizations surround their systems with a protective barrier of network security, cryptographic security, and even physical security. But as experience shows, attackers can often break through this barrier to reach the system within. Consequently, the system itself must also be designed to survive assaults without loss of service or corruption of data. In other words, developers must implement security not only around the system, but also within it.

As the software that provides centralized access to the CPU, memory, and other resources, the realtime operating system (RTOS) can play a major role in building secure, survivable embedded systems. In particular, it can enforce strong boundaries between software processes so that no process can affect the performance, behavior, or data of another. Processes can damage one another intentionally (via malware) or unintentionally (via bugs); a well-designed RTOS provides mechanisms to prevent such damage and to keep the system in a healthy state.

The reference monitor
James Anderson established the core principles of computer security in his Computer Security Technology Planning Study, published in 1972. Three years later, in 1975, Jerome Saltzer and Michael Schroeder expanded upon these principles in The Protection of Information in Computer Systems.

In his study, Anderson introduced the concept of the reference monitor: a mechanism, implemented in the OS kernel, that validates every request for data, peripherals, and other resources. The reference monitor ensures not only that each resource is accessed by an authorized process, but that the right process operates on the right data in the right context; a request that matches no policy is refused.

To fulfill this role, the reference monitor must possess three key attributes:
  • Tamper resistant
  • Always invoked
  • Small and simple enough to be easily verifiable
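The following added example (not code from the article or from QNX) sketches the three attributes in C. A single function, `rm_check`, is the only place in the program that grants access, so every resource routine is forced to invoke it; the policy table is `const`, so the processes it governs cannot rewrite it; and the whole monitor is a few dozen lines, small enough to read in one sitting. The process identifiers, resource identifiers, policy rules, and the sensor/actuator objects are all constructed for the illustration.

```c
/* Toy reference monitor: one always-invoked gate mediating every access
 * by a subject (process) to an object (resource). Added example; the
 * identifiers and policy below are hypothetical, not a real QNX API. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { OP_READ = 1, OP_WRITE = 2, OP_CONTROL = 4 } op_t;

typedef struct {
    unsigned subject;  /* process (subject) identifier */
    unsigned object;   /* resource (object) identifier */
    unsigned allowed;  /* bitmask of permitted op_t values */
} rule_t;

enum { OBJ_SENSOR = 1, OBJ_ACTUATOR = 2 };     /* constructed objects  */
enum { PID_CONTROL = 100, PID_LOGGER = 200 };  /* constructed subjects */

/* Constructed policy table. It is const, so the processes the monitor
 * governs cannot rewrite it ("tamper resistant"); only the kernel that
 * builds the table decides what it contains. */
static const rule_t policy[] = {
    { PID_CONTROL, OBJ_SENSOR,   OP_READ | OP_WRITE },  /* control task reads and writes sensor data */
    { PID_CONTROL, OBJ_ACTUATOR, OP_CONTROL },          /* ...and commands the actuator */
    { PID_LOGGER,  OBJ_SENSOR,   OP_READ },             /* logger may only read sensor data */
};

static unsigned denials;  /* audit counter for rejected requests */

/* The single decision point. Every resource routine below must call it;
 * nothing else in this file grants access ("always invoked"). A subject/
 * object pair with no rule is denied by default. */
bool rm_check(unsigned subject, unsigned object, op_t op)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (policy[i].subject == subject && policy[i].object == object) {
            if ((policy[i].allowed & op) == op)
                return true;
            break;  /* rule exists but does not permit this operation */
        }
    }
    denials++;
    return false;
}

unsigned rm_denials(void) { return denials; }

/* Constructed resources standing in for a sensor buffer and an actuator. */
static int sensor_value = 42;
static int actuator_state = 0;

/* Mediated accessors: 0 on success, -1 when the monitor refuses. The
 * resource state is only ever touched after rm_check() has said yes. */
int sensor_read(unsigned subject, int *out)
{
    if (!rm_check(subject, OBJ_SENSOR, OP_READ)) return -1;
    *out = sensor_value;
    return 0;
}

int sensor_write(unsigned subject, int value)
{
    if (!rm_check(subject, OBJ_SENSOR, OP_WRITE)) return -1;
    sensor_value = value;
    return 0;
}

int actuator_command(unsigned subject, int state)
{
    if (!rm_check(subject, OBJ_ACTUATOR, OP_CONTROL)) return -1;
    actuator_state = state;
    return 0;
}

int actuator_state_get(void) { return actuator_state; }

int main(void)
{
    int v = 0;
    printf("logger reads sensor:       %s\n", sensor_read(PID_LOGGER, &v) == 0 ? "allowed" : "denied");
    printf("logger writes sensor:      %s\n", sensor_write(PID_LOGGER, 7) == 0 ? "allowed" : "denied");
    printf("logger commands actuator:  %s\n", actuator_command(PID_LOGGER, 1) == 0 ? "allowed" : "denied");
    printf("control commands actuator: %s\n", actuator_command(PID_CONTROL, 1) == 0 ? "allowed" : "denied");
    printf("denied requests: %u\n", rm_denials());
    return 0;
}
```

The design point is that the accessors never reach the resource state on their own; if a new resource routine is added without a call to `rm_check`, the "always invoked" property is broken, which is why a real kernel puts the check in the one path every request must take rather than trusting each driver to remember it.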
