Secure by Design: Using a Microkernel RTOS to Build Secure, Fault-Tolerant Systems
By Paul Leroux and Bill Graham, QNX Software Systems
Courtesy of Industrial Control Designline (05/26/2009 11:43 AM EDT)
Strong boundaries
Virtually every embedded system today is connected, either physically
or wirelessly, to the outside world. This network connectivity allows
users to perform remote monitoring and control, and enables systems to
download new software features or content on the fly. Unfortunately, it
also makes systems vulnerable to infiltration by a growing cadre of
cyber terrorists and extortionists. In fact, malicious hackers have
already compromised a variety of SCADA systems, HVAC control systems,
networking routers, mobile devices, and nuclear safety systems, using
viruses, denial-of-service (DoS) attacks, and other network-based
exploits.
To thwart such attacks, many companies and organizations surround their
systems with a protective barrier that consists of network security,
cryptographic security, and even physical security. But as experience
shows, malicious hackers can often break through this barrier to attack
the system within. Consequently, the system itself must also be
designed to survive assaults, without loss of service or corruption of
data. In other words, developers must implement security not only
around the system, but also within the system.
As the software that provides centralized access to the CPU, memory,
and other resources, the realtime operating system (RTOS) can play a
major role in achieving this goal of building secure, survivable
embedded systems. In particular, it can enforce strong boundaries
between software processes to prevent any process from affecting the
performance, behavior, or data of other processes. Processes can damage
one another intentionally (via malware) or unintentionally (via bugs);
a well-designed RTOS will provide mechanisms to prevent such damage and
to keep the system in a healthy state.
The reference monitor
James Anderson established the core principles of computer security in
his Computer Security Technology Planning Study, published in 1972. Two
years later, Jerome Saltzer and Michael Schroeder expanded upon these
principles in The Protection of Information in Computer Systems.
In his study, Anderson introduced the concept of the reference monitor,
a mechanism implemented in the OS kernel that validates every request
for data, peripherals, and other resources. The reference monitor
ensures that every resource is accessed not only by the appropriate
software process, but also by the right process operating against the
correct data in the correct context.
To fulfill this role, the reference monitor must possess three key
attributes:
- Tamper resistant
- Always invoked
- Small and simple enough to be easily verifiable
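The following is an added illustration, not code from the article or from QNX: a minimal reference monitor in C that mediates every resource request from a single small decision point. The process and resource identifiers, the system modes and the policy table are all constructed for the example; the "mode" parameter stands in for the "correct context" the text mentions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access rights a subject (process) may hold on an object (resource). */
enum { RIGHT_READ = 1u << 0, RIGHT_WRITE = 1u << 1, RIGHT_CONTROL = 1u << 2 };
/* System context in which a request is made (the "correct context" of the text). */
enum { MODE_RUN = 1u << 0, MODE_MAINTENANCE = 1u << 1, MODE_ANY = MODE_RUN | MODE_MAINTENANCE };
/* Hypothetical process and resource identifiers, constructed for this example. */
enum { PID_HMI = 10, PID_LOGGER = 11, PID_UPDATER = 12 };
enum { RES_VALVE_ACTUATOR = 1, RES_SENSOR_LOG = 2, RES_FIRMWARE_STORE = 3 };

/* One policy entry: which process may exercise which rights on which resource, in which modes. */
typedef struct { uint16_t pid; uint16_t resource; uint8_t rights; uint8_t modes; } policy_t;

static const policy_t policy[] = {
    { PID_HMI,     RES_VALVE_ACTUATOR, RIGHT_READ | RIGHT_CONTROL, MODE_RUN },
    { PID_HMI,     RES_SENSOR_LOG,     RIGHT_READ,                 MODE_ANY },
    { PID_LOGGER,  RES_SENSOR_LOG,     RIGHT_READ | RIGHT_WRITE,   MODE_ANY },
    { PID_UPDATER, RES_FIRMWARE_STORE, RIGHT_WRITE,                MODE_MAINTENANCE },
};
static unsigned mediated_requests; /* counts every decision, to show nothing bypasses the monitor */

/* The reference monitor: one small decision point. Deny by default; grant only when an
 * explicit entry covers the subject, the object, every requested right and the current mode. */
bool reference_monitor(uint16_t pid, uint16_t resource, uint8_t rights, uint8_t mode)
{
    mediated_requests++;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const policy_t *p = &policy[i];
        if (p->pid == pid && p->resource == resource && (p->modes & mode) &&
            (p->rights & rights) == rights)
            return true;
    }
    return false;
}

/* The only path to a resource: every access is funnelled through the monitor ("always invoked"). */
int access_resource(uint16_t pid, uint16_t resource, uint8_t rights, uint8_t mode)
{
    if (!reference_monitor(pid, resource, rights, mode)) {
        fprintf(stderr, "DENIED pid=%u resource=%u rights=0x%02x mode=%u\n",
                (unsigned)pid, (unsigned)resource, (unsigned)rights, (unsigned)mode);
        return -1; /* request refused; the resource is never touched */
    }
    /* ... perform the actual operation on the resource here ... */
    return 0;
}
unsigned mediated_request_count(void) { return mediated_requests; }
```

Tamper resistance is the one attribute this user-space sketch cannot show; in a real system the monitor and its policy table live in the kernel, where no process the monitor mediates can overwrite them.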