Opinion: Linux Can Be Used in the Military From COTS Journal: "On the Softer Side: RTOSes: Linux Update"
by Bob Morris, Vice President, Sales and Marketing, LynuxWorks
Download a PDF VERSION
Reprinted from COTS Journal June 2004.
From the editor's files:
"The controversy surrounding the use of Linux® in military applications is heating up. Here are several points of view from companies in-the-know. COTS Journal encourages and will continue to air meaningful opposing points of view."
–Ed.
There has been lively debate recently regarding the use of Linux military applications. One proprietary (OS) vendor has boldly claimed, "Every principle of security is being violated to enable Linux to spread through our defense systems. This must not be allowed to continue." Sweeping generalizations such as this have certainly fueled the fear, uncertainty and doubt (FUD) surrounding the use of Linux in the military.
Taking these self-serving and shortsighted statements aside, the embedded software and military industries must determine the real issues of using Linux in the military. Linux from an operational point of view is very similar to other robust OSes such as Solaris™, UNIX® or LynxOS® because it is open, standards-based and POSIX®-conformant and capable of running tens of thousands of different off-the-shelf applications. What is different in other embedded OSes that is not found in Linux? Most importantly, can Linux be run in a secure network-centric environment without compromising security?
The real center of controversy is the fact that the Linux source code is open for all to see. Consequently, proprietary OS vendors claim that the openness of Linux creates vulnerability dangers because programmers can insert malicious code that could potentially create a security breach. One of the many values of Linux, however, is the fact that the Linux source code has tens of thousands of programmers reviewing it to identify this type of insertion. Vendors that preach "security through obscurity" believe it is better that a single company with only a handful of people be able to view the source code and look for the insertion of malicious code. These vendors would have us believe that trusted programmers inserting malicious code and hiding it from their internal reviewers is not a possibility.
Proprietary OS vendors also state that Linux cannot be certified to Common Criteria level EAL-7. While this is accurate, let's not ignore the fact that there are no COTS OSes certified to EAL-7. In fact, no COTS OS is certified higher than EAL-4. Therefore, Linux is no worse off than other OSes on the market today. Nonetheless, Linux opponents and naysayers continue to spread FUD that Linux cannot run in a secure network and that only a proprietary operating system can be trusted.
Green Hills Software, LynuxWorks™ and Wind River Systems are three embedded software vendors currently working toward achieving EAL-7 in their new OSes with an EAL-7 separation kernel that should be certifiable. None, however, are available today. So until the availability of an EAL-7 OS, what should the military do? Wait and, in the meantime, select a proprietary OS and be tied to a single vendor?
Unfortunately, the military has painstakingly realized that being tied to a single OS can be cost prohibitive and lead to long product delays because applications cannot be easily ported among incompatible proprietary OSes. Therefore, the military is trying to reduce costs and improve time to deployment through "spiral development" and the use of open standards. With Linux, the military can choose from multiple vendors whose products are compatible.
Most importantly, since Linux uses open standards and is POSIX-based, it can be used in an EAL-7 environment by having the Linux OS run in a secure partition on an EAL-7-certified kernel. To achieve this, a Linux application could be isolated from other applications, and data and information control would be managed by the EAL-7-certified kernel.
This separation is extremely important because the key element in security is keeping unauthorized people from viewing information that they don't have security privileges to access. If Linux is running in a partition of an EAL-7-certified kernel, it could be completely isolated from all other applications running in other partitions on the same certified kernel.
Vendors will always try to get an unfair advantage if allowed. The military has smartly decided to move away from proprietary solutions and toward open standards so that future hardware and software upgrades can be made seamlessly. Also, open standards require vendors to be competitive in their offerings. As a result, Linux is seen as a threat to proprietary OS vendors because it will jeopardize their profits, not our military's ability to fight. Linux will work in a secure network-centric battlefield and LynuxWorks is one of the vendors that will provide the tools to make that happen.
- DO-178B Provides Certification Safety net
- Developers of commercial avionics software must demonstrate compliance with DO-178 guidelines. The FAA has issued additional guidance for so-called DO-178B Reusable Software Components (RSCs as defined in AC20-148), which allow for reuse of certifications. (COTS Journal, November 2009)
- Designing Safety-critical Avionics Software Using open Standards
- Safety-critical avionics systems have continually grown more complex and software-intensive. Regulatory authorities and avionics manufacturers have responded with guidance such as DO-178B and RSC to ensure that software performs safely, with controlled development cost. (Boards and Solutions, September 2009)
- Two Different Realms: RTOS Support for Safety-critical vs. Security-critical Systems
- Safety- and security-critical system functions are evolving simultaneously, with different yet similar requirements. Modern RTOSes are stepping up to meet these needs. (VME and Critical Systems, June 2009)
- Virtualization Makes Better use of Open-source OSes and apps
- With the introduction of the embedded hypervisor, embedded systems can avoid certain performance or licensing issues inherent to open-source OSes and applications. (EE Times, March 23, 2009)
- Secure Virtualization Technology can Extend the life of Legacy Systems
- By combining the concept of virtualization and security, one can consolidate multiple legacy systems running on heterogeneous operating systems onto a single host system with high-assurance security. (Military Embedded Systems, January/February 2009)
- Separation Kernel for a Secure Real-time Operating System
- The technical foundation adopted for the so-called MILS architecture is a separation kernel like LynxSecure, which permits multiple functions to be realised on a common set of physical resources without unwanted mutual interference. (Boards and Solutions Magazine, February 2008)
- Advances in Virtualization aid Information Assurance
- Advances in the newest Intel® processors are making virtualization much easier to implement in security applications than ever before. (Embedded Computing Design, January 2008)
- Protecting our most Vital Systems
- Some significant defence programmes are already committed to a new approach to high-threat, high-asset-value systems. Rance DeLong explains MILS. (Components in Electronics, April 2007)
- Perspectives: Security and the Separation Kernel
- Today's avionics systems are designed to support more than one application, using a partitioned operating system and memory management units to ensure applications have adequate separation. (Avionics Magazine, April 2007)
- MILS: An Architecture for Security, Safety, and Real Time
- The unrelenting growth and integration of embedded controls, information processing, and communications has created a need for systems that provide robust protection for resources and services in the face of serious threats. (Air Force Research Laboratory Technology Horizons, November 2006)
- Partitioning Operating Systems Versus Process-based Operating Systems
- Partitioning operating systems are the latest buzz, while processes, by contrast, have been around for over 30 years. Both provide memory protection, however, the intent behind them is very different.
- DO-178B and the Common Criteria: Future Security Levels
- Although there are similarities between the airborne safety-critical requirements in RTCA/DO-178B and the Common Criteria, ISO 14508, compliance with the higher levels of security in the Common Criteria demands meeting additional security requirements. (COTS Journal, April 2006)
- Reusing Safety-Critical Software Components
- Safety-critical systems often operate together as a single "system-of-systems," making it important that they meet the most stringent and rigorous requirements for safety-criticality. The failure of one module in a system could create other failures or vulnerabilities, or worse yet, failure of the system as a whole. (COTS Journal, August 2005)
- Using the Microprocessor MMU for Software Protection in Real-Time Systems
- With minimal impact to overall system performance, user tasks and the kernel can be protected from accidental corruption by using multiple protected address spaces.
- Improving code Migration and Reuse
- The unrelenting growth and integration of embedded controls, information processing, and communications has created a need for systems that provide robust protection for resources and services in the face of serious threats. (Embedded Computing Design, August 2006)
- LynuxWorks: A case Study in Combat-ready Linux
- As open source, especially Linux, makes its way into nearly every sector of the economy, one of the final frontiers is the military and aerospace market, where new applications must clear hurdles such as the FAA's rigorous DO-178B certification for aviation software. (Newsforge, December 2005)
- FCS Program Rolls Forward in Formation
- A wireless data network, with advanced communications and technologies, links soldiers with 18 new, lightweight manned and unmanned ground vehicles, unmanned aircraft, sensors and weapons—and it's all in one program. (COTS Journal, June 2005)
- Embedded Tools Train an eye on Security
- As embedded designers incorporate more security and safety needs into devices, embedded tools will have to evolve to provide capabilities needed both for product development and process management. (EE Times, September 2004)
- Secure Operating Systems for Deeply Embedded Devices
- As we add more intelligence to our embedded devices, we find that they are becoming increasingly integrated into our information technology infrastructure. Though system security is not a new concept, security-in-depth is a new paradigm developers are now starting to address. (RTC Magazine, September 2004)
- Avionics Europe 2010, Amsterdam, Netherlands, Mar 24-25
- LynxSecure Real-time Applications and Device Driver Programming Workshop, San José, CA, USA, Mar 30-Apr 2
- Device-Driver and Real-Time Programming for the LynxOS RTOS Family, San José, CA, USA, Apr 12-16
