VME: What was the motivation behind Green Hills certifying its INTEGRITY-178B RTOS to EAL6+? I understand it was NSA [National Security Agency] driven?
KLEIDERMACHER: So there have always been people in the government interested in seeing if an operating system could be certified at this high a level of assurance. But the actual programs of record that made it happen were the F-22 and F-35 because of the expectation that these fighters are communicating over networks to battle commanders, to assets on the ground, and so on. So these aircraft indeed act as network nodes and are a very important part of the GIG or net-centric operations. The government is concerned about protecting sensitive information on the aircraft and across the network. This led to the security evaluation of INTEGRITY-178B, which was selected for these programs and for this evaluation because of its security pedigree. Then beginning in 2005, INTEGRITY-178B was put through the paces of the certification process.
VME: EAL Common Criteria certification's highest level is 7. Why strive for level 6+ then?
KLEIDERMACHER: The government uses the term "High Robustness" as the security level needed to protect high-value information or high-value assets at risk of attack from determined and sophisticated attackers. National secrets and private banking information, for example, are "high value." And when you're on an open network where enemies could get at your information or try to sabotage your system, that's a high-risk, high-sophistication threat. Thus, the government created the U.S. Protection Profile for Separation Kernels in Environments Requiring High Robustness. But there's no such thing as certifying to high robustness – at least there wasn't at that time, so the government mapped High Robustness to Common Criteria since that is the international standard for security evaluations. The resulting specification was something that's just about EAL7.
VME: Then what's the difference between EAL6+ and EAL7?
KLEIDERMACHER: There were a couple requirements left out from EAL7 – so that's why the security level is referred to as "EAL6+" or "EAL6 augmented" instead of "EAL7." But on top of that, the government added dozens of requirements that weren't even in Common Criteria in order to meet the High Robustness demands for the operating system. So a more accurate naming would be "EAL6 augmented and extended," but that's too lengthy, so people just call it "EAL6+." Most importantly, EAL7 requirements for formal methods, as well as source code NSA penetration testing, are included. Some would argue that the Protection Profile is harder than EAL7 because of the extensions.
VME: So this is the highest level of EAL certification earned in the industry so far.
KLEIDERMACHER: Yeah, no one's even come close to it. So for EAL4, even EAL5, it's all informal or semiformal kinds of analysis, and the rigor for development process and testing is far less. There are no formal methods required until you get to EAL6 and 7. So INTEGRITY-178B is not just the first operating system but the first software product that's ever been certified at this level.
VME: So can you tell us briefly about these "formal methods"?
KLEIDERMACHER: The formal methods are actually a mathematical proof of the security policy. The operating system is formally modeled and there's a security policy that has to be enforced by the system, and we actually formally prove it, using modern theorem proving techniques. This provides an incredible level of assurance – it's awesome because basically it means that every line of kernel code has been mathematically analyzed.
VME: You also mentioned penetration testing – how did that play into the certification?
KLEIDERMACHER: At EAL levels 5 and below, the rigor of independent vulnerability assessment is commensurate with a low or medium attack potential. EAL6+ requires penetration testing to counter high attack potential. Thus, the NSA's experts get the source code and try their best to find vulnerabilities.
VME: How are the requirements compiled for the certification process?
KLEIDERMACHER: All the requirements are collected into the "protection profile." So when a Common Criteria certification is done on a product, that product is certified against a standard that corresponds to the product type. There are protection profiles for firewalls, operating systems, antivirus software, Web servers, whatever. The protection profile defines both the functional and assurance requirements.
VME: So what's the No. 1 thing that makes this certified INTEGRITY-178B RTOS unique?
KLEIDERMACHER: It's the level of confidence. The difference between EAL6+ and what's out there in the commercial world today is literally the difference between secure and not secure. At EAL4+, which is where most of the rest of the world is at – Linux and Windows – those are very functional and useful systems but they are specifically known by every security expert in the world to not be able to protect your network against sophisticated attackers. EAL6+ can protect you, will protect you against sophisticated attackers. It's as simple as that.
VME: Practically speaking, what kind of security threats does INTEGRITY-178B prevent?
KLEIDERMACHER: If you look at general-purpose OSs – I don't want to pick on Windows or Linux, so just imagine any general-purpose OS – how do security problems arise? They usually result from vulnerabilities in the actual product itself. And so by having this level of assurance – by having the formal methods and the level of testing and design – we essentially say "There are no defects in there" and so there's no surface area for an attacker to go after.
VME: So what was the biggest challenge in the certification process for Green Hills?
KLEIDERMACHER: The biggest challenges, I think, were political and bureaucratic. INTEGRITY was designed from day one to reach this level. When we came out with it in 1997, we knew we would do this some day – that we'd go through the certification. It was designed for it. Formal methods were designed in. In 2002 we got our first DO-178B Level A – that's the highest level – flight safety certification and now we have the security certification. One thing that makes the process so long is that someone else has to independently certify it. If you're going to be putting the country's crown jewels or an enterprise's crown jewels under the control of this system, it has to be independently certified. We accept that it needs to happen. It's just a bummer that it has to take so long.
VME: So this whole process took nearly a decade. What were the milestones?
KLEIDERMACHER: Certification signing actually occurred last September, but the Common Criteria evaluation process began in 2005. One thing to keep in mind – the protection profile itself also has to be certified because if that hasn't been vetted to contain the right requirements, how can you certify something against that? So that didn't get done until 2007. The NSA really spent a lot of time looking at the source code. The complete evaluation is a long process.
VME: So does INTEGRITY-178B port easily to other hardware apps, other than the two it was originally certified for?
KLEIDERMACHER: Yes. Now that we have the first version certified, we expect to do many "delta certifications," where you certify the same basic software but on different hardware platforms. Because every time you move it from one hardware platform to another, some things like the formal methods are reused, but things like device drivers have to be reevaluated. We have a lot of demand in our customer base for more and more certifications. This first certification was about 99 percent of the work, but it was like breaking the back of the problem, and so we're not worried about the deltas that follow.
VME: Are you saying that you have to go back to NSA and do all this again when it's moved to a different platform?
KLEIDERMACHER: Not the whole process. It's basically a preapproval kind of thing. So we have a process for moving it from platform to platform and we have government signoff on how that's done. I'm not sure we'll announce all of them, but we'll just keep doing deltas because everyone's got a different platform they care about.
VME: So what does INTEGRITY-178B's EAL6+ certification mean to the software and embedded systems communities?
KLEIDERMACHER: Most people in the embedded community understand this bar that we've achieved. But it's not just an important event for our embedded systems customers; it's actually an important event in the security world. It's never been done before, and it proves that high assurance is possible for important pieces of software.
VME: Do you think your competitors will follow suit with their own certifications?
KLEIDERMACHER: There are people out there who would like to get to where we are now, and there are people out there who have announced plans to get to where we are now. NIAP has a website [www.niap-ccevs.org] revealing EAL certification progress by product and vendors. If you're not listed there, then you've got a long way to go. None of our competitors are yet listed on the NIAP website as having started the process. And if they do, it will take them a very long time.
VME: Why is that?
KLEIDERMACHER: What they've done is they basically said "Our old products can't do it," and so they're creating essentially from-scratch, brand-new products. And they're very up front about it. Not only is a new product harder to get certified, but there's the question of "Does it really work?" There's something that the Common Criteria can never test for, which is a proven-in-use pedigree: It's been flying in airplanes, it's been running in life-critical devices, those kinds of things. Our product was running in devices for more than 10 years before we got our certification.
VME: Where did Green Hills get the foresight to design INTEGRITY and plan for this certification 10 years ago? While cyber attacks occurred, they weren't nearly as common back then as compared to now.
KLEIDERMACHER: Dan [O'Dowd] really foresaw a need for this, even back then, because if you look at the OSs that were running in airplanes and other critical devices, embedded systems, most of it was on VxWorks and VRTX operating systems. They were built in the early '80s, don't have partitioning, don't take advantage of modern hardware facilities, and weren't designed for complex pieces of software. He looked at the future and said, "You know what – the amount of software in these systems is exponentially growing. We need something that can do a far better job. It has to be secure, it has to be safe. And I'm going to design INTEGRITY from day 1 to be that way." So he was really 10 years ahead of everybody else.
VME: Money spent is always a perceived drawback of certification. How much did this EAL6+ certification cost?
KLEIDERMACHER: I can't provide any numbers personally. Certainly the government at least partially funded that. It was expensive. I'm not going to mislead you. It was millions of dollars.
VME: Do you think all your customers will switch to your certified RTOS, now that it's available?
KLEIDERMACHER: I think it's going to grow the market for our products in general. Contracts will begin to require EAL6+ certification, because it now exists, and so the INTEGRITY-178B market will continue to grow. A lot of our customers who consider our commercial INTEGRITY offerings say, "Well, I know that there's the same kernel technology between the two." They might not necessarily need a certified product, but they want the pedigree of it, so they'll just stick with our commercial product. That's a common thing that happens, because of customers' comfort levels.
VME: So NASA's Orion project is using the certified RTOS? Which other types of mil or critical apps might benefit?
KLEIDERMACHER: Yes, Orion is one of the projects we have announced. As far as military and critical applications, oh gosh, where do I start? Software-Defined Radio is a big and emerging thing as well as Type 1 cryptographic communications devices. Really, it works well in any communications device that's managing sensitive information. INTEGRITY's been running a lot of those historically. It's a big market for us.
VME: So what about net-centricity and the GIG – a blessing or a curse?
KLEIDERMACHER: It has the potential to be a curse, and it really is going to require some serious intelligent security engineering to be sure it doesn't become a curse. As the world gets more connected on networks, people are more exposed to hackers. Same thing on the Global Information Grid. You're basically saying, "Take all of our valuable stuff and put it up on a network." Most people would think that's a really bad idea on the surface, but if you can secure it, it becomes the best thing since sliced bread due to the power of information availability.
VME: What's the answer to net-centricity and GIG security concerns in the future?
KLEIDERMACHER: I think it remains to be seen. The biggest thing is that there's an enormous community of people involved in determining what it's going to look like. You have government bureaucracies, you have large corporations. We're a relatively small company. We have a proven technology and process, and we are the world's leading experts in architecting things to be highly secure. Some people out there understand that you have to approach things in a different way if you want to achieve this level of security. But there are a heck of a lot of people out there who just don't get it. They don't know information security threats are out there. And unfortunately, they're putting very important things under control of operating systems and other software technologies that can't possibly be secure. I love my iPhone, but I would never trust national secrets or even my digital identity to my iPhone.
VME: So what's next for Green Hills, say, in the next 5 to 10 years?
KLEIDERMACHER: I think you're going to see Green Hills with its INTEGRITY Global Security subsidiary become a company that's focused much more on the world's security problems and not just embedded systems. That's probably the biggest change you're going to see for us. Embedded systems are important; they'll always be important to us and we'll always be an embedded innovator. However, what we've done in regard to INTEGRITY-178B's certification is so important to the security world that we believe it needs to be applied to the enterprise world, so you'll see an increased focus on that. We believe we've actually solved the problem of securing the Internet, but we have to get the word out to the rest of the world.
David Kleidermacher, CTO at Green Hills Software, is responsible for INTEGRITY Global Security's technology strategy and solutions. As CTO of Green Hills, David manages the technology evolution of the INTEGRITY secure OS, of which he was one of the original developers in the 1990s. He is a leading authority in systems software and security, including secure OSs, secure virtualization technology, and the application of high-robustness security engineering principles to solve computing infrastructure problems. He holds a Bachelor of Science degree in Computer Science from Cornell University.
Green Hills Software, Inc.
805-965-6044
www.ghs.com