SYSTEM DEVELOPMENT Security Issues for Military Systems
Separation Kernels Enable Rapid Development of Trustworthy Systems

By using separation kernel technology and a security abstraction design approach, military system developers can use off-the-shelf components and tools to rapidly build and maintain high security systems.

Will Keegan, Security Software Specialist, LynuxWorks
In the early days of high security defense computing systems, security vendors would build hardware and software from scratch, ensuring they had full knowledge of the platform's design and a strong degree of confidence that their platforms were built without security flaws. These systems would then be evaluated by government agencies to validate that the system's design and implementation had no security flaws and met the security requirements of the target deployment environment. Today, this model faces significant challenges. Building systems from the ground up is very expensive and takes too much time to meet pressing schedules. Furthermore, modern computing platforms have become so complex that it is close to impossible to fully evaluate a system. Security systems that used to go through detailed software analysis to prove the system is correctly designed and implemented are now evaluated at a shallower depth and tested against a generic set of security requirements.
In response, security vendors are encouraged to integrate off-the-shelf hardware and software to speed up production schedules and reduce product costs. But this is only a partial solution, and it creates a bigger challenge in security evaluations because systems are now being built with third-party components that have very little design documentation and were built for purposes with little concern for security flaws. The use of separation kernel technology and a security abstraction design approach allows high security system developers to use off-the-shelf components and tools to rapidly build and maintain high security systems, while giving security evaluators a framework to cost-effectively evaluate systems and ultimately increase the level of confidence that a system is trustworthy enough to defend against nation state adversaries.

COTS Journal | February 2014
Supporting Security Abstraction
Integrating off-the-shelf hardware and software components to build high security systems can certainly reduce manufacturing costs and time-to-market. Using general purpose CPUs, operating systems and development tools allows vendors to focus on end-user solutions instead of reinventing the wheel. But security vendors must be very careful when integrating off-the-shelf components. In security systems, it is important to understand whether an off-the-shelf component has a vulnerability that can compromise the security of the overall system. This can be very difficult because off-the-shelf parts are typically black box components that come with limited documentation and little or no assurance evidence. This is particularly true of general purpose hardware components, and even when source code and design documentation are available for software, the complexity of the software makes it impractical to understand fully. A good way to cope with using low assurance off-the-shelf parts in high security systems is to create system architectures that limit the amount of trust placed in off-the-shelf components. For instance, if a secure system requires confidential transport of network packets, an architect can use software encryption to encrypt all packets before they reach the network cards and network infrastructure, ensuring network devices cannot leak cleartext packets. Taking the example further, an architect can also separate the software encryption from other software that could potentially corrupt or subvert it.
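The architecture just described can be checked mechanically. The following added example (not code from the article or from LynuxWorks) models a separation kernel's static inter-partition channel table and verifies that the untrusted off-the-shelf network driver partition can only receive data that has passed through the encryption partition; the partition names and the channel table are constructed assumptions.

```python
"""Information-flow check for a partitioned 'encrypt before the NIC' design.

A separation kernel only lets data cross partition boundaries over channels
listed in a static policy. Confidentiality of the untrusted NIC partition then
follows from topology: if every path from the application partition to the NIC
partition passes through the crypto partition, cleartext can never reach the
network hardware, whatever the application does.
"""
from collections import deque

# Constructed policy: one-way channels (source, destination).
# app -> crypto -> nic for outbound, nic -> crypto -> app for inbound.
# There is deliberately no direct app -> nic channel.
POLICY = frozenset({
    ("app", "crypto"),
    ("crypto", "nic"),
    ("nic", "crypto"),
    ("crypto", "app"),
})


class PolicyViolation(Exception):
    """Raised when a partition tries to use a channel the policy does not list."""


def reachable(policy, src, dst, removed=()):
    """Breadth-first search over allowed channels, skipping partitions in
    `removed`. Returns True if data can flow from src to dst."""
    seen, queue = {src}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return True
        for a, b in policy:
            if a == cur and b not in seen and b not in removed:
                seen.add(b)
                queue.append(b)
    return False


def mandatory_waypoint(policy, src, dst, via):
    """True if src can reach dst at all, but cannot once `via` is removed:
    the trusted partition is unavoidable on every flow from src to dst."""
    return reachable(policy, src, dst) and not reachable(policy, src, dst, removed=(via,))


def send(policy, src, dst):
    """Kernel-side check performed on every inter-partition message."""
    if (src, dst) not in policy:
        raise PolicyViolation(f"no channel {src} -> {dst}")
    return True
```

Adding a single `("app", "nic")` channel to the table makes `mandatory_waypoint` return False, which is exactly the kind of integration mistake an evaluator wants to catch at design time.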