By using separation kernel technology and a security abstraction design approach, military system developers can use off-the-shelf components and tools to rapidly build and maintain high security systems.

WILL KEEGAN, SECURITY SOFTWARE SPECIALIST, LYNUXWORKS

In the early days of high security defense computing systems, security vendors would build hardware and software from scratch, ensuring they had full knowledge of the platform’s design and a strong degree of confidence that their platforms were built without security flaws. These systems would then be evaluated by government agencies to validate that the system’s design and implementation have no security flaws and meet the security requirements of the target deployment environment.

Today, this model faces significant challenges. Building systems from the ground up is very expensive and takes too much time to meet pressing schedules. Furthermore, modern computing platforms have gotten extremely complex to the point where it is close to impossible to fully evaluate a system. Security systems that used to go through detailed software analysis to prove the system is correctly designed and implemented are now evaluated at a shallower depth and tested against a generic set of security requirements.

Off-the-Shelf Approach

In response, security vendors are encouraged to integrate off-the-shelf hardware and software to speed up production schedules and reduce product costs. But this is only a partial solution, creating a bigger challenge in security evaluations because systems are now being built with third-party components that have very little design documentation and were built for purposes that have little concern for security flaws.

The use of separation kernel technology and a security abstraction design approach allows high security system developers to use off-the-shelf components and tools to rapidly build and maintain high security systems, while giving security evaluators a framework to cost-effectively evaluate systems and ultimately increase the level of confidence that a system is trustworthy to defend against nation state adversaries.

Supporting Security Abstraction

Integrating off-the-shelf hardware and software components to build high security systems can certainly reduce manufacturing costs and time-to-market. Using general purpose CPUs, operating systems and development tools allow vendors to focus on end-user solutions instead of reinventing the wheel. But security vendors must be very careful when integrating off-the-shelf components. In security systems, it is important to understand whether an off-the-shelf component has a vulnerability that can compromise the security of the overall system. This can be very difficult when off-the-shelf parts are typically black box components that come with limited documentation or any form of assurance evidence. This is particularly true with general purpose hardware components, and even when source and design doc is available for software, the complexity of the software makes it impractical to understand.

A good way to cope with using low assurance off-the-shelf parts on high security systems is to create system architectures that limit the amount of trust in off-the-shelf components. For instance, if a secure system requires confidential transportation network packets, an architect can use software encryption to encrypt all the packets before network cards, and network infrastructure to ensure network devices cannot leak clear-text packets. Taking the example further, an architect can also separate the software encryption from other software that could potentially corrupt or subvert the software encryption.

Separating Duties

Separating and protecting security functions, such as data encryption, from application functions establishes a security abstraction, where security-critical functions run completely independent from non-security enforcing software and in many cases hardware components. Creating a security abstraction gives more freedom to developers to build applications and select general purpose hardware components without having to incur the cost of integrating security controls in the user environment.

For instance, if a secure chat system used a software encryptor with chat program that ran in the same operating system, special operating system rules and custom programming would be required to try and make sure the application or other applications would not leak chat conversations. Instead, a modular design can be made to pull the encryptor out of the operating system and place it in between the applications host OS and network card, ensuring all conversations are encrypted before they go over the network. If the chat encryptor was separated, a focused group of encryption developers can cleanly update crypto algorithms without having to rebuild all the chat applications and update any OS rule sets.

Establishing a security abstraction sounds simple but is non-trivial. In order to achieve true interdependence between security and non-security enforcing functions, all forms of shared resources and services must be severed. In general purpose operating systems like Windows and Linux, this is impossible by design. In order to achieve this security abstraction a unique technology is required to separate hardware and software called a separation kernel.

Separation Kernel Hypervisor

A separation kernel hypervisor (SKH) is a unique technology designed to isolate hardware resources and host software and guest operating systems in independent partitions, and to control information flow between all hardware components and partitions. The goal of an SKH is to host high security systems on general purpose computing platforms and support more cost-effective security evaluation compared to solutions running on monolithic operating systems or hypervisors (Figure 1).

Figure 1
Solutions running on monolithic operating systems or hypervisors are less cost-effective than those that use an SKH hosted on general purpose computing platforms.

With virtualization support, vendors now have more flexibility using hypervisors to host a variety of off-the-shelf OSs, applications and developments tools. It is important to remember that a separation kernel hypervisor is also an off-the-shelf component that will have varying internal design and degrees of assurance evidence. Because the separation kernel serves as the foundation to all security enforcing functions, it is extremely important to examine the internal design to ensure an SKH vendor can fulfill key security abstraction requirements (Figure 2).

Figure 2
A separation kernel hypervisor (SKH) is designed to isolate hardware resources and host software and guest operating systems in independent partitions, and to control information flow between all hardware components and partitions.

Controlling Evaluation Costs

In military defense systems a technical evaluation and acceptance process, generally known as a certification accreditation (CnA) process, is required before a system is trusted to operate in its target environment. CnA is a costly process that ranges from 5 to 8 figures depending on the complexity of the system and system risk level. Today information stakeholders face a harsh reality that systems are constantly increasing in complexity. And as complexity goes up, evaluations reach a point where either limited budgets or massive complexity will prevent systems from being fully analyzed, leaving them exposed to unknown vulnerabilities.

Furthermore, once a system is certified, the security enforcing codebase becomes frozen, meaning no changes to the system can be made that could impact the state of the security enforcing functions without causing a recertification. This creates a cost of maintenance issue where systems become very inflexible in the amount of capability enhancements that can be made. For instance, if a certified computing platform needed to upgrade a network card from a one gigabit card to ten gigabit card, the platform may need to be recertified because network configuration updates and privileged driver code would need to be inserted into the platform’s operating system, which can potentially subvert other certified security enforcing components. Applying separation kernels and security abstraction to security evaluated systems can greatly improve the effectiveness of the evaluation and reduce the cost of both the upfront evaluation exercise and the ongoing maintenance of a certified codebase.

Complexity Reduction

Using a separation kernel and security abstraction techniques, new architectures can be formed to limit the amount of complexity required to enforce security in a system. For example, if a system needed to separate two applications that ran at different security levels, a separation kernel can run the applications in separate partitions with access to separate hardware. Compared to trying to separate applications in an operating system, a separation kernel can remove roughly a million lines or more of complex code to achieve the same capabilities.

Flexibility: Flexibility is a challenging area with certified systems. Once a system is evaluated and certified, no modifications can be made to anything that can potentially change the trusted security functions. If security functions are integrated into applications, then any updates to the applications will require a recertification of the system. But if applications and hardware components were independent of critical security functions, then systems can be designed to support future upgrades without having to re-evaluate the trusted code because it has not changed.

Reuse: Another major upside in adopting a security abstraction is the ability to reuse security functions that run independent of hardware. The certified separation kernel can be reused for new solutions, and security functions like cryptographic algorithms or data filters can easily be repurposed to future systems. For example, encryption components used for a secure chat system can be repurposed to protect data streams in a combat simulation system (Figure 3).

Figure 3
The encryption components used for a secure chat system like this one can be repurposed to protect data streams in a combat simulation system.

Applying the Technology

The need for more user features, more management tools and more fault tolerance capabilities will continue to persist in making computing systems larger, more complex, and include third-party components of unknown assurances. High security vendors and government agencies need to realize these complexities pose an intractable problem for controlling costs of security evaluations and maintaining acceptable trustworthiness levels in their computing systems. As the cyber warfront escalates, lowering the quality and assurance of high security systems poses a significant threat. Using a separation kernel technology and adopting the described security abstraction techniques, shows a promising road ahead for both security vendors and governing agencies.

LynuxWorks
San Jose, CA.
(408) 979-3900
www.lynuxworks.com

By |March 6th, 2014|Articles|0 Comments

Leave A Comment

You must be logged in to post a comment.