A recent report describes potential security vulnerabilities in devices running VxWorks. Researcher HD Moore claimed during a recent talk (slides) that a quarter million devices accessible directly from the Internet were found to be vulnerable.
VxWorks has a very strong track record of offering secure products. However, we also realize that vulnerabilities can affect VxWorks, even if very infrequently. In those cases, Wind River will act quickly to address any issues. Regarding recent vulnerabilities, Wind River responded rapidly with patches and remediation steps in conjunction with a public announcement by the CERT Coordination Center on August 2, 2010. Once CERT notified Wind River, Wind River immediately assessed the alert and was instructed by CERT to release a synchronous public response. We’re confident that our customers know that Wind River is committed to supporting its products with the highest quality and security standards.
VxWorks continues to be the most widely deployed real-time operating system in mission-critical embedded systems. I am sure you will agree that security is not just about the underlying technology and features; how the technology is configured and deployed is equally important. VxWorks is a highly configurable RTOS: device builders can fine-tune which features to add to or remove from it, and this includes debug services such as WDB.
To debug embedded devices efficiently, developers must have full access to the entire device. They must be able to read from and write to any memory location, as well as interact with the I/O controllers. Without this powerful tool, developers would not be able to build highly reliable devices in a short period of time. However, the same powerful and valuable tool can be manipulated for more malicious intents. By changing the RTOS configuration, these debug services can be removed. Wind River’s response for the debug agent vulnerability references the VxWorks Kernel Programmer's Guide regarding removal of the WDB agent from deployed systems. As explained in that response, the hooks/agents included in the kernel exist to enable connectivity for the developer and should either be removed prior to deployment, in line with the security policy for the customer's product/system, or have appropriate firewall rules applied to restrict access to the debug service.
Wind River’s response for the default hashing algorithm recommends that customers use a trusted encryption API instead, along with patches for various VxWorks versions. VxWorks can easily be configured to be highly secure.
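The hashing recommendation above, shown as an added example rather than code from Wind River or the VxWorks documentation: a password record built with a well-reviewed standard construction (PBKDF2-HMAC-SHA256 from Python's standard library here; on a VxWorks target the equivalent call would come from the platform's OpenSSL-based library), with a random per-record salt, the work factor stored alongside the digest, and a constant-time comparison on verification. The record format, the iteration count and the function names are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters of this illustration (assumptions, not Wind River values): PBKDF2-HMAC-SHA256,
# a random 16-byte salt per record, and a work factor stored in the record so that it can be
# raised later without changing the storage format.
SCHEME = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh salt: the same password yields a different record each time
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DIGEST_BYTES)
    return "$".join([SCHEME, str(iterations), salt.hex(), digest.hex()])


def _split_record(record: str) -> Optional[tuple]:
    """Parse a record into (iterations, salt, digest); None if it is not in the expected form."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and work factor; compare in constant time."""
    parsed = _split_record(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    if iterations < 1 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)   # no early exit on the first differing byte


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a stored record is unparseable or was produced with a weaker work factor than policy."""
    parsed = _split_record(record)
    return parsed is None or parsed[0] < minimum_iterations


if __name__ == "__main__":
    record = hash_password("example-only-secret")   # constructed input for the demonstration
    print(record)
    print(verify_password("example-only-secret", record), verify_password("wrong", record))
```

Storing the work factor in the record is what lets a deployed fleet raise its hashing cost over time: `needs_rehash` flags old records at the next successful login, so they can be rewritten with the current policy without a flag-day migration.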
Let me also take a moment to shed additional light around the various security components provided by VxWorks. Below, I will cover security monitoring and response policies, network security, operating system security and testing/certifications.
Security monitoring and response policy
Wind River is committed to delivering secure, reliable products and offerings. To combat vulnerabilities, Wind River is committed to active threat monitoring, rapid assessment, threat prioritization, expedited remediation and response, and proactive customer contact in each detected case.
Wind River has a Security Response team to monitor, assess and address security vulnerabilities. The team follows a proven policy for tracking, categorizing, and responding quickly to security vulnerabilities. The overall process is broken into four stages:
- Monitoring: Active monitoring of security alerts from reliable external sources, customers and any other external submitters.
- Assessment / Prioritization: Assess and prioritize vulnerabilities based on the severity, difficulty and avoidability of the alert.
- Notification: Notify customers and submitter of the level of susceptibility within short time target.
- Remediation: Posting of remediation action based on classification of susceptibility and within short time target.
As shown in the graphic below, let’s now review the various components within VxWorks network security that deliver security to developers and device manufacturers who use the VxWorks networking stack.
- Device Drivers: Enhanced Network Drivers (END) use their own isolated transmit and receive buffer pools. These descriptors are loaned to the network stack. Each END driver pool is private and isolated from another END driver pool.
- Multiplex (MUX) Layer: The MUX is a useful isolation layer between the network stack and the END drivers. This layer also provides a framework for developers to write their own custom packet filter or network sniffer that can be used to prevent packet storms or filter packets based on incoming IP address, MAC address, port number, etc.
- Firewall: VxWorks platforms include a full-featured firewall that may be used out of the box without any additional code development. For instance, it may be used to filter traffic based on many different rule-sets, and it also includes logging features and Stateful Packet Inspection (SPI) for either TCP or UDP traffic. There are optional reference packet filters available as an alternative to customers who opt not to use the firewall.
- IPsec/IKE: VxWorks platforms also provide IP Security (IPsec) and Internet Key Exchange (IKEv1/v2) support. These protocols may be easily configured and used without any additional code development. IPsec/IKE allows users to set up security associations between various end-points. Some or all traffic may be encrypted, while other traffic types may be bypassed, which gives developers flexibility.
- Secure Sockets Layer (SSL): VxWorks platforms include a cryptographic library utilizing OpenSSL. This provides developers with the ability to secure individual TLS (over TCP), or DTLS (over UDP) applications.
- FIPS 140-2: VxWorks platforms support FIPS 140-2 mode. When compiled in FIPS 140-2 mode, a number of algorithms including the MD5 hash algorithm are compiled out because they are not FIPS approved.
- Secure Shell (SSH) & Secure FTP (SFTP): An SSH server and SFTP are also supplied with the networking stack. These protocols are secure replacements for Telnet, FTP or TFTP. Again, these protocols may be used out of the box without any additional code development.
- Network Applications: Traditional network applications may be used in either kernel tasks or run in memory-protected user space within Real-Time Processes. They may run as secure applications (e.g. SSL), or they may be run as traditional socket applications. The security may be provided via either IPsec/IKE or the Firewall.
- Cryptography: VxWorks platforms include a variety of cryptographic algorithms and supporting utilities that can be used in developing secure applications. These include algorithms such as AES, SHA, MD5, DES, etc.
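As an added example (not Wind River code) of the kind of custom packet filter the MUX layer item above describes, and of the firewall-style restriction on the debug service mentioned earlier: a Python filter that parses the Ethernet/IPv4/UDP headers of a frame, accepts only known source MACs, drops datagrams to the WDB agent's UDP port unless they come from a designated engineering host, and rate-limits each source to damp a packet storm. The MAC and IP addresses, the STORM_* thresholds and the engineering host are constructed for the example; the port number 17185 is the documented default port of the WDB agent and is not taken from this post; test frames are built inline with zero checksums because the filter does not verify them.

```python
import socket
import struct
import time
from collections import defaultdict, deque
from typing import Dict, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

# Policy for this example. Addresses and thresholds are constructed for the illustration;
# WDB_UDP_PORT is the documented default port of the WDB agent (an assumption of this example).
WDB_UDP_PORT = 17185
ENGINEERING_HOST = "10.0.0.5"
ALLOWED_SRC_MACS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}
STORM_LIMIT = 3        # more than this many frames from one source ...
STORM_WINDOW = 1.0     # ... within this many seconds is treated as a packet storm


class ParseError(ValueError):
    """Raised for frames too short or too malformed to classify safely."""


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Extract the header fields the filter decides on; lengths are checked before every unpack."""
    if len(frame) < 14:
        raise ParseError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info: Dict[str, object] = {"src_mac": mac_str(src), "dst_mac": mac_str(dst), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info                        # non-IPv4 traffic: only the MAC rules apply
    ip = frame[14:]
    if len(ip) < 20:
        raise ParseError("truncated IPv4 header")
    ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum, src_ip, dst_ip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ParseError("bad IPv4 header length")
    info.update(src_ip=socket.inet_ntoa(src_ip), dst_ip=socket.inet_ntoa(dst_ip), proto=proto)
    if proto == IPPROTO_UDP:
        udp = ip[ihl:]
        if len(udp) < 8:
            raise ParseError("truncated UDP header")
        sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", udp[:8])
        info.update(src_port=sport, dst_port=dport)
    return info


class MuxFilter:
    """Per-frame verdicts, in the style of a filter hooked between the drivers and the stack."""

    def __init__(self) -> None:
        self._recent: Dict[str, deque] = defaultdict(deque)   # source MAC -> recent arrival times

    def decide(self, frame: bytes, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.monotonic() if now is None else now
        try:
            info = parse_frame(frame)
        except ParseError as exc:
            return False, f"malformed: {exc}"
        src_mac = info["src_mac"]
        if src_mac not in ALLOWED_SRC_MACS:
            return False, "unknown source MAC"
        # sliding-window rate limit: drop a source that exceeds STORM_LIMIT frames per STORM_WINDOW
        window = self._recent[src_mac]
        while window and now - window[0] > STORM_WINDOW:
            window.popleft()
        window.append(now)
        if len(window) > STORM_LIMIT:
            return False, "packet storm"
        # the debug service port is reachable only from the engineering host
        if (info.get("proto") == IPPROTO_UDP and info.get("dst_port") == WDB_UDP_PORT
                and info.get("src_ip") != ENGINEERING_HOST):
            return False, "debug service port blocked for this source"
        return True, "pass"


def build_udp_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                    sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed test input: Ethernet + IPv4 + UDP, checksums left zero (the filter ignores them)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4)
    return eth + ip + udp


if __name__ == "__main__":
    flt = MuxFilter()
    samples = [
        ("engineering host to debug port", build_udp_frame("02:00:00:00:00:01", "02:00:00:00:00:ff",
                                                            "10.0.0.5", "10.0.0.9", 4000, WDB_UDP_PORT)),
        ("other host to debug port", build_udp_frame("02:00:00:00:00:02", "02:00:00:00:00:ff",
                                                      "10.0.0.77", "10.0.0.9", 4000, WDB_UDP_PORT)),
        ("unknown MAC", build_udp_frame("02:00:00:00:00:99", "02:00:00:00:00:ff", "10.0.0.5", "10.0.0.9", 4000, 53)),
        ("truncated frame", b"\x00" * 10),
    ]
    for name, frame in samples:
        print(f"{name}: {flt.decide(frame, now=0.0)}")
```

The order of checks matters: a frame is parsed with explicit length checks before any field is read, the cheap MAC and rate-limit rules run before the port policy, and a frame that cannot be parsed is dropped rather than passed, so a malformed header never reaches the stack through a gap in the rules.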
Operating System Security
The slides from HD Moore include remarks such as "little memory protection" and "everything runs with the highest privileges." On the contrary, VxWorks enables manufacturers to increase their device reliability through MMU-based, state-of-the-art memory protection. VxWorks introduced process-based, user-mode application execution in addition to its traditional kernel-mode execution. There are customers who prefer to run applications in kernel space for the sheer advantage of better performance, responsiveness and other real-time characteristics. The kernel is protected from user-mode applications running in VxWorks real-time processes (RTPs). User-mode applications are also protected from each other.
Features of memory protection include the following:
- MMU-based memory protection provides isolation of the kernel from user-mode applications and of applications from each other, increasing device reliability.
- The standard, process-based programming model simplifies application development.
- VxWorks' preemptive, priority-based global task scheduler ensures real-time deterministic behavior.
- The ability to create private or public objects in the kernel and in RTPs offers flexibility to use objects that are protected from manipulation or that can easily be shared among kernel and process tasks.
- The extensible system call interface enables application developers to employ custom-developed kernel services from user-mode execution.
- Support for shared libraries among RTPs improves code efficiency and re-usability as well as speeding code development and debugging.
Testing and Certifications
Wind River realizes that no matter how robust security features may be, there is tremendous value in also testing and certifying capabilities. This gives our customers peace of mind that the networking stack is conformant to standards and interoperable with other network devices. For this reason, the VxWorks networking stack is regularly tested against some of the industry’s top security test suites and has consistently achieved certifications that assure customers of its interoperability.
Let’s explore additional details through the above graphic and following text:
- Nessus Scans/Reports readily available for our customers.
- Independent Achilles Certification, along with Application Note 400, readily available for customers to configure/certify their systems. My colleague Bill Graham described the details in his informative post available here.
- Independent certification by the VPNC (Virtual Private Network Consortium) on basic, AES and IKEv2 interoperability, assuring customers that the stack is interoperable with other leading vendors and solutions.
- The VxWorks network stack is one of the first few TCP/IP stacks in the industry to receive the IPv6 Ready Phase II logo certification.
I hope this helps to clarify some questions, although it’s always good to hear your comments. Please feel free to chime in.