Common Criteria EAL Certification
Common security problems
Wind River Linux Secure is based on SELinux, a secure, policy-based system. I talked with Wind River’s Senior Director for Linux, Nithya Ruff, about this new product and the implications of a secure operating system for embedded applications.
Wong: Wind River Linux Secure is based on SELinux. How has Wind River enhanced this platform?
Ruff: SELinux is only one of the features of Wind River Linux Secure. Wind River Linux Secure brings the best of open source security technologies together to offer a full spectrum of security features and provides the necessary robustness and assurance with Common Criteria and FIPS certifications. Wind River Linux Secure utilizes a multi-layered detection, prevention and containment model to protect against security threats. The scope of its comprehensive security includes access control mechanisms, runtime and stack protection, and system recovery and manageability tools.
- The Common Criteria has defined a base set of requirements for a general purpose OS in its protection profile (GP-OSPP), effective since 2010. Wind River Linux Secure meets all these requirements, which provides the common framework for a secure OS. The functional requirements in GP-OSPP include Identification & Authentication, Discretionary Access Control (DAC), Cryptographic and Audit Services. WRLS provides the required security services and assurances to process administrative, private and sensitive/proprietary information.
- Security Enhanced Linux (SELinux) provides a firewall down at the process level in the OS. It provides confidentiality protection through Multilevel Security (MLS) and Multi-Category Security (MCS) based on the Bell-LaPadula model. In addition, it enables containing (sandboxing) untrusted programs through its type enforcement feature. SELinux has a rich and flexible security policy that is scalable to include a broad application ecosystem.
- Wind River Linux Secure also includes Grsecurity, which is another well-regarded technology in the Linux community that has achieved significant adoption, just like SELinux. It’s a suite of patches that brings a great set of security improvements and ease of use with its configuration-free operation. Its comprehensive memory protection includes both compile-time and runtime stack protection against buffer overflows and address-space modifications. It also provides a complete hardened solution with Access Control Lists (ACL), file system and network protection.
- The system recovery and manageability tools in Wind River Linux Secure come into play when a system is compromised. They help to figure out how to clean up the hacked system, prevent attacks from happening again, track what system resources were compromised and what portions of the system are no longer trustworthy.
- As a trusted OS, Wind River Linux Secure provides demonstrated security assurance and simultaneously ensures well-rounded protection at different levels with a focus on security, reliability and high availability.
Wong: Will existing Linux applications designed for Wind River Linux run on this new product?
Ruff: Yes, the existing user applications are compatible with this product. Since this is a hardened, locked-down secure OS, the applications that directly access the kernel or system resources must be configured in the security policy to allow access.
Wong: Will those familiar with SELinux be comfortable with Wind River Linux Secure?
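As an added example (not Wind River's code and not part of the interview), here is how a defender on an SELinux system might triage the AVC denials that such an application produces before it is granted anything in the policy: a Python script over constructed audit-log lines that merges denials into candidate allow rules, audit2allow-style, while flagging any rule that would reach a type a confined daemon should never touch. The sensord_t domain, the file names and the SENSITIVE_TYPES list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit-log records (not real captures): a confined daemon in
# domain sensord_t is denied a serial port it legitimately needs, and also
# /etc/shadow and an outbound HTTP port, which it has no business touching.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1300000001.123:101): avc:  denied  { read } for  pid=2101 comm="sensord" name="shadow" dev="sda1" ino=1311 scontext=system_u:system_r:sensord_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1300000002.456:102): avc:  denied  { read write } for  pid=2101 comm="sensord" name="ttyS0" dev="devtmpfs" ino=42 scontext=system_u:system_r:sensord_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1300000003.789:103): avc:  denied  { write } for  pid=2101 comm="sensord" name="ttyS0" dev="devtmpfs" ino=42 scontext=system_u:system_r:sensord_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1300000004.000:104): avc:  denied  { name_connect } for  pid=2101 comm="sensord" scontext=system_u:system_r:sensord_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1300000004.000:104): arch=c000003e syscall=42 success=no exit=-13 comm="sensord"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}'           # requested permissions
    r'.*?scontext=\w+:\w+:(?P<sdomain>\w+)(?=[:\s])'   # subject (process) domain; MLS level optional
    r'.*?tcontext=\w+:\w+:(?P<ttype>\w+)(?=[:\s])'     # target object type
    r'.*?tclass=(?P<tclass>\w+)')                      # object class

# Assumed list: types a confined daemon must never be granted by a generated
# rule; a denial against them is an intrusion indicator, not a policy gap.
SENSITIVE_TYPES = {"shadow_t", "http_port_t"}

def parse_avc_denials(log_text):
    """One dict per AVC denial record; other audit record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = frozenset(rec["perms"].split())
            denials.append(rec)
    return denials

def summarize(denials):
    """Merge permissions per (domain, target type, class), as audit2allow does."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(grouped)

def triage(summary):
    """Return (rules to review for loading, flagged rules that must not be
    loaded because the domain probed a sensitive type)."""
    rules, flagged = [], []
    for (dom, ttype, tclass), perms in sorted(summary.items()):
        rule = f"allow {dom} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        (flagged if ttype in SENSITIVE_TYPES else rules).append(rule)
    return rules, flagged
```

The serial-port rule is a genuine policy gap for this daemon; the two flagged rules are the ones to investigate rather than load.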
Ruff: Yes, Wind River Linux Secure includes the standard open source SELinux along with the reference policy so it is relatively seamless to transition to Wind River Linux Secure for someone who is familiar with SELinux in general.
Wong: Many developers will be unfamiliar with SELinux. What types of training and services does Wind River provide to help them take advantage of these new features?
Ruff: Wind River provides comprehensive education and training services. For Wind River Linux Secure, there is a five-day hands-on training that covers the Linux basics and the advanced security features. In addition, Wind River services include platform customizations, installation, system design and integration, customer content management and roadmap acceleration services. Wind River also offers certification services to help customers incrementally certify any modifications.
Wong: What changes in perception have made the world ready for a certified secure embedded Linux?
Ruff: The old, “true” joke says that complete security assurance is possible only on a non-networked computer kept in a locked room. That said, we live in a networked world. Increasing numbers of use cases call for high bandwidth networked connections that carry private, confidential, sensitive data. In November of 2009, the acting head of IT for the US Department of Defense recommended the use of open source software wherever possible for the following reasons:
- Open Source software pervades all industries: Huge developer talent pool, peer review of software, interoperability
- Huge library of APIs, applications and ISV support: Speed, quality, maturity of software and ecosystem
- Lower total cost of ownership: No fee-per-user, no vendor lock in
- Best choice for high bandwidth applications: UI/HMI, data visualization, multimedia, networking
The high level of code exercise, code transparency and open source community monitoring are coming to be understood as security assets, rather than liabilities. And the bandwidth capabilities of Linux make it desirable as a communications channel, especially when voice or visual data is being transmitted.
When there are mission-critical communications such as a military command and control center, or battlefield communication gear, adding assured security and robustness to a natively secure operating system makes sense.
Wong: When and how might a secure Linux distribution be used?
Ruff: Wind River Linux Secure is the right choice whenever assured security and robustness are required.
- Aerospace and Defense - Wind River Linux Secure is well-suited for use in military command-and-control ground stations, in software defined radio, in secure handheld devices, and in GPS satellite and combat systems requiring medium to high levels of assured security and robustness.
- Industrial Automation - Wind River Linux Secure is a good choice for user interface/human-machine interface, data visualization, multimedia, and other applications where data must be protected over secured networks, in smart energy gateways and cross-domain guards.
- Medical - As more medical information and treatment relies on network connectivity, Wind River Linux Secure can provide data security and integrity as well as high availability and reliability to ensure patient privacy and system uptime.
- Networking - Wind River Linux Secure offers cost and competitive advantages in network filter and edge infrastructure applications by offering a hardened, trusted operating system for increased security and performance assurance.
Wong: What’s involved in creating an open source software platform that can be certified? What kind of time and money investment is involved to achieve this level of certification?
Ruff: Creating the Target of Evaluation is the initial heavy lifting. In the case of a certified embedded Linux, there’s a choice of kernel and toolchain version and the selection of necessary packages, optimized for embedded applications, integration and test—creation of a complete, functional product that is then submitted for review (Fig. 1).
Approximate expenditure of resources to take a hardware/software platform through EAL4+ (Evaluation Assurance Level) certification is about two years’ time and more than $1 million. Some advantages of WR Linux Secure include that it is certified on three hardware architectures—making it an affordable COTS-ready solution for organizations that use one of those certified configurations. It can be incrementally certified to include additional packages or custom hardware at a fraction of the cost of certifying a new product or platform.
Wong: What kinds of security threats does an EAL4+ certification protect against?
Ruff: Wind River Linux Secure solves common security problems, as seen in Figure 2.
Through its FIPS 140-2 certification, the product meets secure cryptography requirements.
The + in our certification means we are augmenting our EAL4 certification with systematic flaw remediation sub-activity (ALC_FLR.3). The objective of this sub-activity is to determine whether the developer has established flaw remediation procedures that describe the tracking of security flaws, the identification of corrective actions, and the distribution of corrective action information to the users.
Wong: After 9/11, a lot of attention was focused on physically securing data and IT infrastructure rather than secure devices. Have we returned to a focus on device security? What role might a secure Linux platform play going forward?
Ruff: The events of 9/11 turned security priorities toward the physical protection of data, through building and securing remotely situated redundant data centers – at times, at the expense of improving network and application security. But the growing threat of cyber-attack for political and economic purposes makes it essential that organizations address the security of their computer systems -- assuring confidentiality, reliability and availability. So much of our personal information and so many of our financial transactions now occur online that a certified medium to highly robust Linux is a highly desirable solution. As mobile devices become the computing environment of choice for business as well as pleasure, we expect it will become even more important.