September 16, 2011

Linux, Common Criteria, and OS Protection Profiles

In 2011, computer and network security news stories, which were previously the preserve of specialist journals and blogs, have become commonplace in the mainstream media. There are now many different types of threat, which are sometimes categorised into hacktivist, e-crime and most recently,advanced persistent threats (APT). Whilst some of these attacks have exploited zero day vulnerabilities, many of these attacks have simply taken advantage of the fact that systems have not been configured securely for their deployment environment.

To use an easy–to-understand analogy, consider a wireless router. This device will generally be shipped from the factory in the most flexible, open communication configuration, which will have many or all of the security options disabled. This will be fine if the wireless router is intended to be used as a free public Wi-Fi access point (e.g., cyber cafe), but not for a private business or home office if you want to prevent drive-by wireless hacks).  In these cases, wireless encryption such as WPA2 will need to be enabled for the router and clients, and access may even need to be restricted to specific clients via MAC addresses, etc.

For the developer wanting to create a secure product using embedded Linux, the wealth of configurable functionality and security packages can seem overwhelming. In the critical device space, the key question is, "How can one create a Linux configuration for their product which can be secure and meet the security requirements of the product's targeted international markets?"  The answer is straightforward and well defined - use standards-based approaches to both configure and prove security robustness.

For IT security, there is one globally-recognised standard, Common Criteria, that a product can be evaluated against, and this evaluation ensures that connected IT products are performed to high and consistent standards. Because Common Criteria is now recognized by 26 countries, product security evaluation using this standard eliminates the burden of duplicating security evaluations in multiple countries by providing international mutual recognition of evaluated products.

To accelerate the Common Criteria evaluation, the product can be developed according to the approved Protection Profile (PP) to ensure that it meets the accepted security requirements for that class of product. A Protection Profile is a document that defines the combination of threats, security objectives, assumptions, security functional requirements (SFRs), security assurance requirements (SARs) and rationales for a specific security target (ST). The PP is used to substantiate vendors' claims of a given family of information system products. The PP for a particular device typically specifies the Evaluation Assurance Level (EAL), a number 1 through 7, indicating the depth and rigour of the security evaluation, usually in the form of supporting documentation and testing, that a product meets the security requirements specified in the PP. In the United Kingdom, CESG supports Common Criteria evaluation and the use of PPs; in the United States, the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) have agreed to cooperate on the development of validated US government PPs.

Common Criteria testing and evaluation can be quite expensive, and adds significant risk to any programme. To help eliminate much of this risk, Wind River has taken this approach for the development of Wind River Linux Secure, a commercial-off-the-shelf (COTS) product which has been certified by NIAP under the US Common Criteria Evaluation Scheme to Evaluation Assurance Level (EAL) 4+ (EAL4 being the highest level which is mutually recognised internationally under the Common Criteria Recognition Arrangement, and "+" referring to the evaluation being augmented with the Security Assurance Requirement ALC_FLR.3, the highest level of systematic flaw remediation).

Wind River Linux Secure was evaluated against the US Government Protection Profile for General Purpose Operating Systems in a Networked Environment (US GP-OSPP). This is a new protection profile which was published by the US National Security Agency's Information Assurance Directorate in August 2010, and supersedes the earlier Role-Based Access Control Protection Profile (RBAC) which was 'sunsetted' from 1st September 2011.

With this COTS GP-OSPP foundation, we expect that evaluating Linux products under similar PPs, like the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) General Purpose Operating System Protection Profile (BSI GP-OSPP) can also be undertaken. The BSI OSPP is also published on the Common Criteria portal, and defines the specific requirements for the German security market. Although there are two separate general-purpose operating system protection profiles, with some specific differences in Security Functional Requirements, there is a lot of commonality, and Wind River’s experience in evaluating a full-featured Linux distribution from kernel.org removes considerable risk from other programmes requiring Common Criteria certification using the US GP-OSPP, BSI GP-OSPP, or other evaluation scheme.

Posted by Paul Parkinson at 02:19 AM in Aerospace & Defense, Certification, Linux, Open Standards, Security | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

| | | | |

November 22, 2010

Military Aerospace & Electronics Show UK

MAE logo I am looking forward to attending the UK's Military, Aerospace & Electronics Show, which will take place on 30th November.

This year's conference programme has a strong emphasis on open systems architectures, but there is also an increasing focus on Information Security. To complement these themes, there will be a live demonstration of the VxWorks MILS separation kernel on the Wind River exhibition stand, so if you are planning to attend the event, please drop by.

During the afternoon session, my colleague Stuart Gray & I will be running a workshop 'A Practical Foundation for Safety Innovation'.  As an introduction, I will be giving a brief overview on the capabilities of the VxWorks 6 Cert Platform and explaining how it can be used to develop mission-critical and safety-critical systems requiring certification up to DO-178B Level A, but most of the session will be spent providing delegates with hands-on access to the VxWorks 6 Cert Platform. We recommend that you sign up in advance to avoid disappointment as workshop places are limited.

Posted by Paul Parkinson at 11:55 AM in Aerospace & Defense, Certification, Open Standards, Security, VxWorks | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , ,

| | | | |

September 09, 2010

VxWorks MILS 2.1 Platform hands-on

Last week, I visited Wind River headquarters in Alameda, California, to learn about VxWorks MILS Platform 2.1 and to get hands-on experience with the release.

I had been looking forward to the trip, as the 2.1 release adds some significant new capabilities: Wind River Linux as a guest operating system and the new High Assurance Network Stack (see Bill Graham's recent blog for a more detailed overview).

So, the VxWorks MILS separation kernel (SK) can now host Wind River Linux, VxWorks and a High Assurance Environment as guest operating systems in a virtualised environment (as shown below).

VxWorks MILS architecture

To me this is a very significant development, as it extends the depth and breadth of applications which can be run in on top of VxWorks MILS. This enables existing applications to he hosted securely in a high robustness system, but also enables new systems to be developed using the most appropriate technologies for a given component.

Of course, learning the theory is great, but it is not as much fun as hands-on experience, so I was glad to have the opportunity to run some Wind River Linux demo applications on top of VxWorks MILS and run and debug them using Wind River Workbench while I was in Alameda.

The screenshot below shows Workbench debugging a multi-threaded Linux application running on top of VxWorks MILS 2.1 on my PowerPC 8548-based demo board. There's a thread-specific breakpoint on a line of shared code, which can be used to halt one thread while the other thread(s) run free. 

Workbench debug of Linux GOS application running on VxWorks MILS SKThe next step will be to incorporate these new capabilities into some MILS demos. Stay tuned.

Posted by Paul Parkinson at 06:32 AM in Aerospace & Defense, Linux, Open Standards, Security, Software Engineering, Virtualization, VxWorks, Workbench | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , ,

| | | | |

June 16, 2010

EGNOS Satellite Navigation System Safety Certification

In case you missed it, yesterday Wind River announced that VxWorks has been selected for the European Geostationary Navigation Overlay Service (EGNOS), and has been chosen to run the Integrity Processing Facility (IPF) check set.

The IPF, developed and delivered by Logica, is the crucial element that validates the information broadcast by the satellites to safety-critical users such as aircraft in flight or ships navigating through narrow channels. This is essential, because satellite navigation systems alone do not provide sufficient positional accuracy to be used in safety-critical applications.

The IPF is really good example of a critical system which needs to consistently provide hard real-time performance and total reliability, and this posed some interesting challenges for development and safety certification to the joint avionics software safety standards RTCA DO-178B and EUROCAE ED-12B at Level B.

Logica and the European Space Agency (ESA) have kindly allowed us to produce a case study which discusses the development and certification challenges and how they were successfully overcome, and this has just been published on the Electronics Weekly website. (Update: the case study can now also be downloaded in PDF from the Wind River website)

I hope you'll find this interesting, and the next time you are on a European flight on a landing approach in very poor visibility conditions, you'll know how VxWorks is helping to guide the aircraft to a safe landing.

Posted by Paul Parkinson at 01:25 AM in Aerospace & Defense, Certification, Open Standards, Software Engineering, VxWorks | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , ,

| | | | |

May 07, 2010

The Open Group: Real-Time Embedded Systems Forum, Rome

Last week, I attended the The Open Group, Rome 2010 conference, specifically the Real-Time Embedded Systems Forum track (agenda), in order to participate in the MILS API standardization working group sessions.

The goal of the working group is to produce a standardized API for a Minimal Runtime (MRT) environment which is suitable for High Assurance systems, which will enable portability of middleware between MILS platforms and aid interoperability. The working group wrestled with some fundamental aspects of the MRT, including goals/objectives, characteristics and implementation architecture, but these were productive sessions. There's still a long way to go, but these were important steps in the right direction. Watch this space for further developments!

It was also useful to have the opportunity to attend the RTES Forum presentations. Some of the highlights for me were Ed Roberts of Elparazim's presentations on AADL, Olaf Tetteo of Brightsight's presentation on 'Certification & Mutual Recognition above EAL-4 in Europe', and my colleague Alex Wilson's presentation on 'Challenges of Multicore, potential impact on Safety Critical and High Assurance Security Environments'. Open Group members can download the proceedings from here (login required).

With such a packed agenda, I was worried that we might not have an opportunity to see the delights of Rome, but fortunately for the Tuesday evening, The Open Group had arranged a tour of the stunning Capitoline Museum followed by the conference dinner on the rooftop terrace which had a spectacular view of the city skyline.

TOG_Rome2010

Posted by Paul Parkinson at 12:22 PM in Aerospace & Defense, Open Standards, Security, Software Engineering | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , ,

| | | | |

February 19, 2010

Police Drone: Episode 2

On Thursday last week, I read that an unmanned air vehicle (UAV) had been recently used by the UK's Merseyside Police in the tracking and arrest of two suspected car thieves (BBC News:'Merseyside police drone tracks car theft suspects').

A quick Google search revealed some additional details in the Liverpool Echo ('Merseyside police make UK's first ever flying drone arrest'), specifically that the UAV had been used in thick fog.

I was really surprised when I read this, because this type of UAV is remotely-piloted, requiring line-of-sight operation, and does not have autonomous 'see and avoid' capabilities (unlike some more sophisticated autonomous military UAVs). So how could it be remotely-piloted safely in poor visibility conditions and in an urban environment?

I was struggling to reconcile this with the fact that the UK Civil Aviation Authority is carefully researching the integration of UAVs into civil airspace, and there are still a number of safety issues to be addressed. I had even discussed some of these, urban environments in particular, in the blog post 'Police Drone' in May 2007 when the media had been reporting the Merseyside Police's UAV trials (BBC News: 'Pilotless Police Drone Takes Off').

However, things began to make more sense when I read about more recent developments of the story, which were reported earlier this week (BBC News: 'Unlicensed Merseyside Police drone grounded' and Guardian: 'Eye in the sky arrest could land Police in the dock'). These reveal that the UAV was being flown by Merseyside Police without a CAA license, and this breach of regulations could lead to prosecution.

So Merseyside Police could be involved in a different type of UAV trial soon...

Posted by Paul Parkinson at 08:39 AM in Open Standards, Software Engineering | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , ,

| | | | |

December 21, 2009

Case study: Ultra Datel safety-critical avionics upgrade using COTS

GE Intelligent Platforms rugged VME chassis I recently had the privilege of working with one of our partners, LDRA, and one of our customers, Ultra Datel, on writing a case study of their experiences of a mid-life upgrade of an existing avionics system.

What caught my attention was the fact that the existing system was uncertified, and the upgrade involved migrating the existing system to a commercial-off-the-shelf (COTS) and undertaking DO-178B Level B safety certification.

As a result, the project faced a number of development challenges because the pre-existing software and device drivers were not developed with safety certification in mind, and the code needed to be re-engineered and modified to meet safety certification requirements.

In the case study, we discuss the following development challenges and how they were overcome using the LDRA Tool Suite during the development of the safety-critical VxWorks application running on a GE Intelligent Platforms ruggedised PowerPC platform:

  1. Porting to the VxWorks DO-178B safety-critical subset
  2. Reduction of high cyclomatic complexity
  3. Programming language subset compliance
  4. Code coverage to meet DO-178B Level B objectives

The case study has now been published on the Wind River website on the Aerospace & Defence customers page (and the PDF file can be accessed directly here).

Posted by Paul Parkinson at 01:00 AM in Certification, Open Standards, Software Engineering, Testing, VxWorks | | Comments (2) | TrackBack (0)

Technorati Tags: , , , , , , , , , ,

| | | | |

December 15, 2009

First flight of the Boeing 787

Today, the Boeing 787 Dreamliner made its first flight from Everett, Washington. One of our Wind River colleagues, Chip Downing, was able to attend this historic event in person, and shot the following video:

This is the culmination of years of development of a completely new aircraft which uses many state-of-the-art technologies to significantly improve efficiency, operating range and passenger comfort.

For instance, the 787 employs an Integrated Modular Avionics (IMA) architecture using VxWorks 653, Wind River's world-class ARINC 653 compliant RTOS. This approach which drastically reduces the amount of space, weight and power (SWaP) required for the aircraft's on-board avionics systems. The reduction in weight of avionics systems and cabling results in a reduced fuel load requirement, or increased range for the same fuel load, and of course reduced CO2 emissions. Similarly, the reduction in the space required for the avionics systems can increase the space available for passengers, luggage and cargo.

(If you want to know more about the 787 development and DO-178B safety certification approach, read Alex Wilson's recent blog, and for details of VxWorks 653, there's a white paper available for download here).

In addition, the composite fuselage not only helps to make the aircraft lighter (improving fuel consumption further), but also enables higher cabin pressures to be used, which will result in passengers feeling more relaxed and less fatigued. When coupled with the advanced air-conditioning systems and state-of-the-art Rolls-Royce Trent 1000 jet engines and noise-reductions technologies, this provides the promise of greater passenger comfort on long haul flights.

This is of course, just the start, as the 787 will continue to evolve through its operational lifetime, just as the 747 has done over the last forty years. So, I wonder what other technologies will appear in the future?

In the meantime, I'm looking forward to seeing the 787 grace the skies above the Farnborough Air Show and taking a flight on one with British Airways in the near future. Congratulations, Boeing!

Posted by Paul Parkinson at 02:53 PM in Certification, Open Standards, Software Engineering, VxWorks | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , , , , , , , , , ,

| | | | |

October 08, 2009

Ada & C mixed language development

Last week, I downloaded AdaCore's GNAT Pro 6.2.2 and the latest GNATbench 2.3.1 release (which was announced yesterday), as I wanted to port an Ada & C mixed-language application to VxWorks 6.7.

I wanted to do this to show a customer how they can develop new Ada applications (as well as reusing existing intellectual property) and integrate them with network protocol stacks, graphics libraries and other middleware which are often implemented in C or C++.

Whilst the Ada 95 and Ada 2005 language standards provide inter-language compatibility with C and C++ respectively, close integration between the development tools is needed in order to really exploit these capabilities fully, for example being able to debug communication modules and/or tasks implemented in different languages.

My mixed language application consists of two VxWorks tasks (written in C), and two Ada tasks. One of the VxWorks tasks sends messages to an Ada task via a VxWorks message queue, and I wanted to step through the sending and receiving of the messages in a debugger to confirm that individual messages were sent and received correctly. This would not be a very user-friendly activity if I had to use two different debuggers to debug the Ada and C code separately. In addition, I also wanted to check that the inter-language calls that I had made (C function calling an Ada procedure and vice versa) had passed parameters using the correct language types and the data values were interpreted correctly.

Workbench provides an open and extensible framework based on Eclipse, so this has enabled AdaCore to integrate capabilities of GNAT Pro seamlessly through the GNATbench plugin. This enabled me to develop and run my mixed language application in Workbench. I was able concurrently debug multiple tasks in mixed languages (see below), and set task specific breakpoints on the Ada and C tasks individually and step over the calls to msgQSend() and msgQReceive() respectively, and confirm that the messages were passed correctly; and I was able to walk up and down the stackframes in the Workbench Debug View and confirm that parameters had been passed correctly between C function and Ada procedure and vice versa.

Workbench 3.1 Ada & C Mixed Language debugging screenshot

I also used Workbench's analysis tools System Viewer, Memory Analyser and Performance Profiler to verify the behaviour of Ada & C tasks at system level, and monitor memory & CPU utilisation of each of the Ada procedures and C functions in the mixed language application.

Even after many years working with these technologies, I am still excited by advances in capabilities which make the complex tasks of embedded software development easier. I just wish I was able to spend more time in Workbench and less time in PowerPoint!

Posted by Paul Parkinson at 04:40 PM in Aerospace & Defense, Open Standards, Software Engineering, VxWorks, Workbench | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , ,

| | | | |

May 02, 2008

nEUROn UCAV programme

nEUROn UCAV In case you missed the news, the article 'COTS for unmanned flights' (Electronic Product Design, 22nd April 2008) describes how the nEUROn UCAV programme (Airforce Technology) has standardized on the VxWorks 653 RTOS.

nEUROn is a technology demonstrator programme involving five European companies, which in itself is not unusual, but it does have a significant objective - to demonstrate the maturity of technologies by producing modular safety-critical avionics systems running on COTS-based on-board computers. The development of avionics systems for a UCAV are in some ways even more challenging than for a military fast jet, given that it will provide a similar level of capability, but yet has less Space, Weight and Power (SWaP) available. This is one of the driving factors behind the ARINC 653 software architecture, enabling multiple applications to be hosted on a common computing platform (see 'ARINC 653 software weighs less' for background).

However, this advance results in a further challenge, that of being able to support modular and incremental certification of the IMA platform. This is necessary because of the very significant costs of safety certification under RTCA/DO-178B and EUROCAE ED-12B, especially at the higher software integrity levels (SIL). If an avionics platform comprising, say ten applications and several million source lines of code (SLOC) has been developed, and one of the applications undergoes an upgrade, it would be very time-consuming and prohibitively expensive to re-certify the whole platform. Alex Wilson covers these issues in more depth in his webcast 'Towards Incremental Certification with ARINC653'.

Fortunately, the experiences gained on recent IMA programmes in conjunction with the evolution of ARINC 653 standard has resulted in the mature VxWorks 653 implementation which fulfills these requirements and will provide a critical foundation for the objectives of the nEUROn programme.

I'll look forward to the nEUROn taking off in 2010.

Posted by Paul Parkinson at 12:52 PM in Aerospace & Defense, Open Standards, VxWorks | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , ,

| | | | |

Next »

Paul Parkinson

  • Paul Parkinson is a Principal Systems Architect with Wind River in the UK, working with Aerospace, Defence and Security customers across EMEA. Paul's professional interests include Information Security (InfoSec), Integrated Modular Avionics (IMA) and Intelligence Surveillance Target Acquisition Reconnaissance (ISTAR) systems.

    Subscribe to RSS feed.

Search

External Links

Wind River Blogs

Categories

Disclaimer

Blog powered by TypePad