By Bill Graham
Trying to address a long list of security requirements for a device on a case-by-case basis is time consuming, costly and frankly not the best way to approach the problem. Two important architectural approaches to consider are separation of concerns and component reuse. Separation of concerns means separating out significant portions of a system into separate subsystems so they can be dealt with on their own (with well defined boundaries and interfaces). The reasons for this are many but for security design, it might be better to separate out the portion of the system that requires higher security from the rest of the system. This provides many benefits in terms of simplifying the system design, the security assessment and most importantly testing and validation (see a technical paper on this here).
Embedded virtualization is gaining popularity in embedded systems because it provides flexibility in system design and allows designers to get more out of their hardware than with single-OS systems. An important feature of virtualization is the ability to partition a system into separate (and secure and isolated if need be) systems. An example of this is illustrated below:
For systems that require high information assurance it’s imperative that the high assurance portion of the system is separated from the rest of the system. Making the secure portion of the system smaller and simpler means significantly less development and testing time. In fact, the verification and validation required for certification, such as the Common Criteria, is immense so partitioning in this fashion is critical. For other systems, partitioning is useful in separating safety critical portions from the less important functions. For example, a multi-OS system might partition an RTOS from the General Purpose OS (GPOS) such as Microsoft Windows or Linux. Vulnerabilities and attacks on the GPOS have no impact of the RTOS partition, thus keeping the device operational (see this article I wrote about securing Smart Grid devices using partitioning).
Leveraging component reuse includes more than just reusing your own code in system design, at a higher level it means using existing components that are already secure such as operating systems, embedded virtualization, networking and middleware stack and tools. Commercial-off -the-shelf (COTS) software is an example of component reuse at a high level - a proven way to reduce costs, time to market, and most importantly budget and schedule risks. COTS products that have gone through extensive security testing, validation and certification make for excellent reuse opportunities in device software design. Not only are you not reinventing the wheel you are also leveraging the enhanced security features of these products. We discuss this further in the next blog post.