Linux Security Controversy
Dan O’Dowd, CEO of Green Hills Software
Part I
FAA Safety-critical Certified Operating Systems Deliver The Reliability
and Security Required by Defense Systems; Linux Does Not
Over the last few days, I have received many objections to my warning
at the NetCentric Operations Conference that Linux is not secure enough
to be used in defense systems. Most of the objections are based on a
series of common misconceptions. To avoid unnecessary duplication and
to approach this subject rationally, it is necessary to examine these
misconceptions systematically. This is part I of a series of articles
that will be published over the next few weeks to address these issues.
Just because Linux is good for general purpose desktop computing and
servers, for which it was designed, does not mean it is good for everything.
Don’t be someone who owns only a hammer, to whom everything looks
like a nail. If you keep an open mind, I will show you why Linux is inappropriate
for defense systems, and what kind of operating system should be used
for defense systems.
Many people criticized me for saying that Linux was unsafe for defense
systems without offering any alternatives. My speech was to a defense
conference. I didn’t mention our products because I didn’t
want the issue that I was raising to be dismissed as advertising. But
since so many people have asked me what operating system I would propose
for defense systems, and how it avoids the security problems of Linux,
I will oblige.
Many of the objections to my assertion that Linux is not secure enough
to be used in national defense systems were based on the misconception
that there are no proprietary operating systems that offer substantially
better reliability or security than Linux. But Linux is not reliable
enough or secure enough to meet U.S. Government safety and security standards
that several proprietary operating systems have already met.
We should not move forward with plans to rely on Linux to control our
most advanced future defense systems, including the Army’s Future
Combat Systems (FCS), the Joint Tactical Radio System (JTRS), and the
Global Information Grid (GIG), until Linux achieves the level of reliability
and security that proprietary operating systems are already held to in such systems.
Green Hills Software’s Experience in Defense Systems
Green Hills Software is a major supplier of real-time operating systems
and software development tools to the defense market. Boeing and Lockheed
Martin have been two of our largest customers for many years. Some
of our more notable military projects are supplying our INTEGRITY
real-time operating system and software development tools for the avionics
displays, communications, navigation, weapons systems, and flight control
systems for many U.S. military aircraft such as Boeing’s B-1B and
B-52 bombers, Lockheed Martin’s F-16, F-35, and F-22 fighter jets,
the Boeing C-17 cargo plane, and the Boeing CH-47 helicopter. We also
supply the operating system for flight safety equipment for commercial
aircraft, including the inertial navigation unit for the new Airbus A380
500+ seat passenger jet, flight critical displays for the Sikorsky S-92
helicopter, and the traffic collision avoidance system for Northwest
Airlines and Federal Express aircraft. On our website you can read the many
news releases and customer designs we have from satisfied aerospace and defense customers.
Our INTEGRITY real-time operating system was designed from the start
for the highest levels of safety and security. Our launch customer for
our INTEGRITY real-time operating system was the Boeing B-1B bomber’s
upgraded avionics, navigation, and weapons systems.
FAA Safety Certification
Software that runs commercial (and many military) aircraft must be accepted
by the Federal Aviation Administration as part of the aircraft’s certification,
with DO-178B as the accepted means of compliance for the software. DO-178B
Level A is the highest software level for design, development, documentation,
and testing. It is required for any software whose anomalous behavior could
cause or contribute to a catastrophic failure condition, one that would
prevent continued safe flight and landing and result in the loss of the aircraft.
Our INTEGRITY real-time operating system is used in several critical aircraft
systems that have been certified to DO-178B Level A by the Federal Aviation
Administration.
DO-178B Level A requires that there be high-level requirements and
low-level requirements for the software, with traceability documentation
that shows how the low-level requirements implement the high-level requirements
and how the source code implements the low-level requirements. There
must be a comprehensive configuration management system that records every
change to the code, why it was made, and who made it.
DO-178B Level A also requires that every requirement be thoroughly tested,
including tests for extreme input values and system conditions. A structural
coverage analysis must then show that the requirements-based tests exercised
every source code statement (statement coverage), both outcomes of every
“if” decision (decision coverage), and that every condition within a decision
has been shown to independently affect the decision’s outcome (modified
condition/decision coverage, MC/DC). This means that every error condition
must also be documented, generated, and tested. In the case of our INTEGRITY-178B
operating system, this analysis is performed on the object code itself rather
than on the source. Object code that cannot be traced to a source statement,
or that no requirements-based test exercises, therefore shows up in the analysis
and has to be explained. So, if malicious code were introduced at any point
in the tool chain (compiler, assembler, linker, etc.), it would be detected
and diagnosed during this analysis.
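To make the three coverage criteria concrete, here is an added example written for this page; it is not Green Hills code and not part of DO-178B. It defines a small, constructed interlock decision with three conditions (the function and condition names are invented), checks a test set for decision coverage and for unique-cause MC/DC independence pairs, and goes one step beyond the text by searching the truth table for the smallest test set that achieves MC/DC, which for n independent conditions is n + 1 tests.

```python
"""MC/DC (modified condition/decision coverage) checker for a boolean decision.

Added example for this page: not code from the white paper or from Green Hills
Software. The interlock decision and its test vectors are constructed here.
"""
from itertools import combinations, product

# Constructed (hypothetical) decision with three conditions, in the style of a
# weapons-release interlock: release permitted if armed AND in range, OR if a
# manual override is asserted.
CONDITIONS = ["armed", "in_range", "override"]


def release_permitted(armed, in_range, override):
    return (armed and in_range) or override


def statement_and_decision_coverage(decision, tests):
    """Decision coverage: the decision has evaluated to both True and False.
    For a single-decision function, statement coverage follows from any test."""
    outcomes = {bool(decision(**t)) for t in tests}
    return outcomes == {True, False}


def independence_pairs(decision, conditions, tests):
    """Unique-cause MC/DC: for each condition, find two tests that differ in
    that condition only and produce different decision outcomes.
    Returns {condition: (i, j) or None} with i, j indices into tests."""
    outcomes = [bool(decision(**t)) for t in tests]
    pairs = {}
    for cond in conditions:
        pairs[cond] = None
        for i, j in combinations(range(len(tests)), 2):
            ti, tj = tests[i], tests[j]
            if ti[cond] == tj[cond]:
                continue                      # the condition did not change
            if any(ti[o] != tj[o] for o in conditions if o != cond):
                continue                      # another condition changed too
            if outcomes[i] != outcomes[j]:    # outcome flipped because of cond alone
                pairs[cond] = (i, j)
                break
    return pairs


def mcdc_satisfied(decision, conditions, tests):
    return all(p is not None
               for p in independence_pairs(decision, conditions, tests).values())


def minimal_mcdc_set(decision, conditions):
    """Brute-force the smallest subset of the truth table that achieves MC/DC.
    Adequate for a handful of conditions (2**n rows). Returns None if
    unique-cause MC/DC is unattainable (e.g. coupled conditions)."""
    rows = [dict(zip(conditions, bits))
            for bits in product([False, True], repeat=len(conditions))]
    for k in range(1, len(rows) + 1):
        for subset in combinations(rows, k):
            if mcdc_satisfied(decision, conditions, list(subset)):
                return list(subset)
    return None


# Two tests exercise both outcomes (100% statement and decision coverage) ...
DECISION_ONLY_TESTS = [
    dict(armed=True,  in_range=True,  override=True),    # -> True
    dict(armed=False, in_range=False, override=False),   # -> False
]
# ... but cannot show that any single condition influences the outcome.
# Four tests (n + 1 for n = 3 conditions) do:
MCDC_TESTS = [
    dict(armed=True,  in_range=True,  override=False),   # -> True
    dict(armed=False, in_range=True,  override=False),   # -> False  (pair for armed)
    dict(armed=True,  in_range=False, override=False),   # -> False  (pair for in_range)
    dict(armed=True,  in_range=False, override=True),    # -> True   (pair for override)
]

if __name__ == "__main__":
    print("decision coverage only:",
          statement_and_decision_coverage(release_permitted, DECISION_ONLY_TESTS),
          independence_pairs(release_permitted, CONDITIONS, DECISION_ONLY_TESTS))
    print("MC/DC set:", independence_pairs(release_permitted, CONDITIONS, MCDC_TESTS))
    print("smallest MC/DC set has",
          len(minimal_mcdc_set(release_permitted, CONDITIONS)), "tests")
```

The first test set shows why statement and decision coverage are not enough: both outcomes are reached, yet the `independence_pairs` result is `None` for every condition, so a stuck-at fault in any one condition would go unnoticed. Real Level A coverage tooling applies the same criterion at object-code level, which is where untraceable or unexercised instructions become visible.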
All documentation, code, and tests must be formally reviewed and approved
within Green Hills Software by an independent team of competent developers
who did not develop the article being reviewed. Then all of the documentation,
code, and tests are audited and approved by our customers and employees
of the Federal Aviation Administration. And then millions of people board
aircraft trusting their lives that our INTEGRITY real-time operating
system will not fail.
The aircraft manufacturers and Green Hills Software have proven that
it is possible to develop truly reliable software with a “proprietary” software
development model.
Before INTEGRITY was certified to DO-178B Level A, most aircraft manufacturers
developed their own DO-178B Level A operating systems for flight critical
systems at enormous cost. Now that INTEGRITY is available, most new Level
A systems adopt INTEGRITY and many older systems are being retrofitted
with INTEGRITY, because our “proprietary” software model
allows this certification data to be reused by dozens of customers for
hundreds of products, saving all of them a great deal of time and money.
We are the foremost commercial expert in operating system reliability.
INTEGRITY has proven to be the most successful and cost-effective operating
system for truly reliable software.
DO-178B Level A is the level of software assurance and reliability that
proprietary operating systems are being held to for software upon which
many lives depend.
Until Linux is certified to DO-178B Level A, our soldiers, sailors,
airmen and marines should not be asked to trust their lives with it.
Common Criteria Security Evaluation
Truly secure systems are an evolution of truly reliable systems. Reliability
means that a system will do precisely what it is documented to do.
Security means that a system will not do anything other than what it
is documented to do.
In 1995 and 1996, we designed our INTEGRITY real-time operating system
to meet the requirements of the highest level of security then defined, the Department
of Defense’s Trusted Computer System Evaluation Criteria (TCSEC, the
Orange Book) Class A1, “Verified Design,” in which the design is formally
specified and mathematically proven to satisfy the security policy model. Class
A1 had only been achieved a few times before, and then only by operating
systems that were tied to a single architecture, but we were determined
to achieve Class A1 in a generally portable real-time operating system
that would run on any modern computer system.
The INTEGRITY kernel is a designed program, not a hodge-podge of features
lashed together over many years. INTEGRITY was fully designed for security
and coded in its entirety before the first attempt to compile and debug
it.
In 1999, the Common Criteria for IT Security Evaluation was adopted
as ISO Standard 15408 and has since superseded the Orange Book. The Common
Criteria separate what a product must do (its Protection Profile or Security
Target) from how much confidence the evaluation provides (its Evaluation
Assurance Level), so there is no exact one-to-one mapping from Orange Book
classes; but Class A1 is generally taken to correspond to Common Criteria
Evaluation Assurance Level 7 (EAL 7, the highest level).
Verification of security under Common Criteria EAL 7 (“formally verified
design and tested”) means that the security policy model, the functional
specification, and the high-level design must be written formally and
mathematically proven to correspond to one another; the low-level design
and the source code must be shown, at least semiformally, to implement that
verified design; the entire security function must be independently tested
by the evaluators; and the system must withstand a vulnerability analysis
that assumes an attacker with high attack potential. There are no “ifs,”
“ands,” or “buts” about the parts that are proven. This
level of software assurance has been known for many years, but is not
often practiced. It is well accepted by both academic and professional
software security experts that anything short of mathematically proven
security, and the associated software development processes, can be quickly
cracked by a competent attacker with access to the source code.
An EAL 4 rating for an operating system is comparable to building a
single perimeter fence around a military base as its only security. Once
you cut through the fence, there are no guards, tripwires, cameras, locks,
or bunkers. This is why the hackers on TV always say “we’re
in” when they have broken through a computer’s security.
They can go anywhere or do anything in the computer without any further
problem. The penetration testing an EAL 4 evaluation requires assumes only
an attacker of low attack potential, and the evaluators need see source code
for only a subset of the security functions. Windows
and Solaris have achieved EAL 4. But to date, Linux has only achieved
EAL 2.
EAL 5 (“semiformally designed and tested”) adds a semiformal functional
specification and high-level design, a modular internal structure for the
security functions, a covert channel analysis, and a vulnerability analysis
against an attacker of moderate attack potential. Applied to an operating
system built as separated partitions, an evaluation at this level gives
confidence that if one subsystem is compromised, it can’t be used as a
springboard to compromise any other subsystem. This is like the military
base with guards, tripwires, cameras, locks, and bunkers. With such a system,
the hackers can’t say “we’re in.” Even if they penetrate the outer defenses,
there will be many ways to detect their entry and prevent further penetration
of the most important parts of the system.
An EAL 7 security evaluation is designed to catch a saboteur working on the
operating system development team who tries to subvert the operating system:
the evaluators receive the complete implementation, must show that it
corresponds to the formally verified design, independently test the whole
security function, and examine the controls on the development environment
itself. Linux
development and support are being outsourced to China, Russia, and
other countries from which commercial defense software would never
be purchased. Therefore, it is absolutely essential that Linux be subjected
to formal EAL 7 verification to determine if it has been subverted
by foreign intelligence agents or terrorists before it is allowed to
control our nation’s critical future defense systems such as
the Army’s Future Combat Systems (FCS), the Joint Tactical Radio
System (JTRS), or the Global Information Grid (GIG).
Is Common Criteria EAL 7 Achievable?
Some people have argued that Common Criteria EAL 7 is some theoretical
academic standard that has no applicability to the real world of security.
Common Criteria is an international standard (ISO 15408) endorsed by
the National Security Agency (www.nsa.gov) and National Institute of
Standards and Technology (www.nist.gov). The people who argue that EAL
7 is irrelevant are the people who can’t meet the rigorous standards
of software security that Green Hills Software can meet. They obviously
know less about security than we do. While it is true that few people
have ever attained this level of security, it is also true that the academic
and professional security experts agree that EAL 7 is the only level
of security that can be really trusted. The people who argue that EAL
7 is not necessary are asking you to accept a lower standard of security
so that they can sell you something. Should you trust them?
Our INTEGRITY-178B real-time operating system is used in security critical
applications on some of the nation’s most advanced defense systems
that require EAL 7 Common Criteria certification by the NSA. Two other
proprietary operating system vendors have publicly committed to certify
their operating systems to EAL 7.
How Can We Trust National Security to Proprietary Software Vendors?
After I pointed out that developers and support personnel that were being
hired by commercial embedded Linux companies in China and Russia could
be intelligence agents or terrorists, some people asked how they could
trust that the developers at proprietary operating system vendors are
not intelligence agents or terrorists. There is no need to trust the
developers when their work is evaluated in accordance with Common Criteria
EAL 7. The EAL 7 evaluation process is designed to detect any attempt by
a saboteur in the development or support team to subvert a national
defense system.
With EAL 7 operating systems, no one will be able to subvert our nation’s
defenses. That is the current standard that proprietary real-time operating
systems for future critical defense systems are being held to.
Linux should not be allowed to run any national defense systems until
someone is prepared to accept the responsibility for certifying Linux
to EAL 7.
Conclusion
Compared to INTEGRITY, Linux is huge, slow, and has a higher total
cost of ownership. Linux has never been certified to even the lowest
level of safety assurance by anyone and has never been deployed in a
flight critical system on board a commercial or military aircraft. Linux
was developed mostly by foreign nationals, and is commercially supported
out of Moscow and Beijing with virtually no security controls. Linux
has achieved only an entry level security certification, EAL 2, which
is below the EAL 4 that Microsoft Windows has attained. And Linux has
been deployed in few, if any, military systems.
Clearly, defense systems should use our INTEGRITY real-time operating
system instead of Linux.
The INTEGRITY source code is available, and INTEGRITY has a lower total
cost of ownership than Linux. INTEGRITY is approved by the Federal Aviation
Administration as part of aircraft that have been certified to the FAA’s
highest safety standard. Every day people board aircraft trusting their
lives that INTEGRITY will not fail. INTEGRITY maintains an aircraft service
history in airborne systems that exceeds all other commercially available
operating systems combined. INTEGRITY was developed under tight controls
and is being used in critical defense systems that require the NSA’s
highest level of security. And INTEGRITY has been successfully deployed
in hundreds of military systems already.
Next week I will show in my white paper, “Many
Eyes – No Assurance Against Many Spies,” why the “many
eyes” looking at Linux source code can’t possibly find
a clever subversion intentionally placed in Linux.