PC operating systems are full of security holes, which is why some are now turning to software first developed for 'hidden' computers to better protect them
Security specialist Adriel Desautels was not impressed by the reply he received from GoGo Inflight when he asked why the airborne wireless network service did not bother to even attempt to encrypt data that passed through its routers. The president of Netragard, a company that penetrates corporate IT systems to show their vulnerabilities, had found how easy it was to pull data from the GoGo network – and push software onto other laptops – on a recent flight.
Says Desautels: 'I can inject a piece of malware, and have it wait until you get back into the office. It's easy because the network itself is not encrypted.' When it wakes up on the corporate network, it would provide a way in for hackers to find out what is stored there. 'We notified GoGo of our concerns. Their first response was that they don't want to confuse users,' Desautels reports. 'And,' they added, 'if you're on an aeroplane you are with a select group of people. One of the great screeners is the $365 you pay to get on the plane.'
The price of that ticket might, Desautels said, also include a company's trade secrets: 'How much do you think I could sell access to your network for?' he wonders puckishly.
GoGo is far from alone in leaving its Wi-Fi networks unencrypted: many suppliers leave them free of WEP or WPA for similar reasons. Freelance developer Eric Butler wrote the Firesheep extension for the Firefox Web browser to demonstrate how prevalent the problem is and how it affects web applications that do not encrypt the whole session end to end. The extension sniffs out the session cookies used by social networking sites such as Facebook and lets its user hijack someone else's logged-in session without ever learning their password.
In practice, WEP would not help users much even if public-access Wi-Fi networks did implement it, as the encryption is easy to break; it just takes a little longer than on an open channel, where the network cards shout data over the air in the clear. Even users careful not to send sensitive data over the link could still be tripped up by a session hijack, or by not realising that malware picked up on the flight now sits on their PC, uploading keystrokes and passwords to someone who could be halfway around the world.
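The cookie-replay attack Firesheep automates, and the server-side check that defeats it, as an added example that is not part of the article or of Firesheep's own code. The captured request, hostname, cookie names and values are all constructed for the example.

```python
"""Added example: session-cookie hijack over an unencrypted Wi-Fi link,
and the Set-Cookie audit that closes the hole. Nothing here is from the
article or from Firesheep; the capture below is a constructed plaintext
HTTP request of the kind anyone on an open hotspot can read off the air."""
import re
from typing import Dict, List, Optional

# Constructed sample: one HTTP request seen on an open (or WEP) hotspot.
CAPTURED_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: social.example\r\n"
    b"Cookie: sessionid=3b4f9c1e7a; theme=dark\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)

# Assumed names that commonly carry the login token.
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid"}


def extract_cookies(raw_request: bytes) -> Dict[str, str]:
    """Pull every name=value pair out of the Cookie header of a plaintext request."""
    head = raw_request.decode("latin-1").split("\r\n\r\n", 1)[0]
    cookies: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key:
                    cookies[key] = val
    return cookies


def hijack_request(raw_request: bytes, path: str = "/messages") -> Optional[bytes]:
    """Forge a fresh request to the same host that reuses only the captured
    session token. Returns None when nothing token-like was captured."""
    cookies = extract_cookies(raw_request)
    host = re.search(r"^Host:\s*(\S+)", raw_request.decode("latin-1"), re.M)
    session = {k: v for k, v in cookies.items() if k.lower() in SESSION_COOKIE_NAMES}
    if not session or not host:
        return None
    cookie_header = "; ".join(f"{k}={v}" for k, v in session.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host.group(1)}\r\n"
            f"Cookie: {cookie_header}\r\n\r\n").encode()


def audit_set_cookie(set_cookie: str) -> List[str]:
    """Defence check on a Set-Cookie header: a session cookie must carry
    Secure (browser never sends it over plaintext HTTP, so there is nothing
    to sniff) and HttpOnly (injected script cannot read it)."""
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]


if __name__ == "__main__":
    print(hijack_request(CAPTURED_REQUEST))
    print(audit_set_cookie("sessionid=abc; Path=/"))
```

The forged request carries no password, only the token, which is why encrypting the login page alone does not help: once the cookie travels in the clear on a later request, the attacker is logged in as the victim until the server expires the session.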
Unwanted 'business partners'
Henry Harrison, technical director at Detica, says: 'People are finally coming to terms with the fact that there is a huge threat. It is not just to government, but mainstream organisations.' Many have been working entirely unaware of the problem until the day they start to look at suspicious behaviour on the network, or call in a company such as Detica or Netragard to look at their systems.
'They are often shocked to find an unwanted 'business partner' sitting inside their network,' Harrison says. 'It has convinced us that mainstream IT infrastructures are not designed to deal with this threat. There are two strategic moves that they need to make. One is to deploy advanced monitoring,' he says, pointing to systems such as Detica's own Treidan product, which watches for unusual activity in the corporate network; 'The other is to think about how they segregate aspects of their environment.'
The military community has had a prophylactic IT solution in place for years: do not connect anything remotely sensitive to the Internet. Air gaps keep tactical systems away from the back-office hardware used by military personnel for more mundane work. For years, contractors such as Marconi made their engineers surf the Internet on a machine in the corner of an open-plan office while design work was conducted on PCs that were not allowed near AltaVista or Google.
'We work with customers who believe that the only practical solution is air gaps,' says Harrison. 'But air gaps are not really practical for mainstream enterprises.'
Even for the military, air gaps are no longer practical. The US military is keen to reduce their use in the field because of the logistical nightmare of transporting multiple computers into the operations zone when one could easily handle the workload – if the most sensitive elements could be protected from Internet-borne malware. Robert Day, vice-president of marketing at software company LynuxWorks, puts it more pragmatically: 'Out there in Afghanistan, sitting in a Humvee, you do not want to have ten computers in there with you.'
According to Adriel Desautels, some users have given up on air gaps without understanding what they have done. He points to the utilities: 'A lot of people in infrastructure say they have the air gap but they don't. They got rid of it for convenience.'
Over time, systems that were supposed to be isolated from the Internet have come online to take advantage of easier remote maintenance. These systems are, however, saddled with an additional layer of vulnerability over other commercial systems, Desautels claims.
'I was talking to a guy working at a water treatment plant. It was a Microsoft Windows shop. I asked: "Do they patch?"' Desautels says, referring to the practice of applying security-related software updates when a vendor finds a vulnerability. 'The answer was no, because they do not know if the patches will cause stability issues. They thought they would be safe because hackers could not find their IP address. Critical infrastructure is easier to hack than businesses. And it is more vulnerable because of the people running them.'
Love and the single worm
'I love Stuxnet,' Desautels declares. The worm used Microsoft Windows computers as its route to the industrial controllers driving centrifuges for Iran's nuclear programme, and damaged the centrifuges themselves.
'It is a beautiful thing, but only because it was able to demonstrate something I have been talking about without killing anybody.' Because of these issues, the developers of embedded systems – the computers that do not sit on a desktop but are buried within a machine – have started to build in virtual air gaps that isolate the operating systems they run from one another, so that a hole in one cannot be used to reach the others.
Claims Dan O'Dowd, president and CEO of Green Hills Software, 'The good news is that all these problems are solved. We solve them every day on critical systems on military aircraft.'
Embedded systems, particularly in the military and avionics world, have used software-enforced separation for years, using various forms of virtualisation. The control computers on many modern aircraft let different operating systems share one processor under the control of a hypervisor that only lets each run within its own fixed time slot. The components can communicate with each other only through the hypervisor, and only if the system's static policy grants them the right access privileges; anything the policy does not name is denied.
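A toy model of the separation kernel described above, added here as an example and not taken from Green Hills, LynuxWorks or any avionics product. Each partition gets the processor only in its own slot of a fixed schedule, and a message crosses partitions only if the static flow policy names that (source, destination) pair; the partition names, schedule and policy are assumptions for the example.

```python
"""Added example of separation-kernel behaviour (not any vendor's code):
fixed time slots, and cross-partition messages allowed only by a static
policy the guests cannot change. Partition names and policy are assumed."""
from collections import defaultdict, deque


class PolicyViolation(Exception):
    pass


class SeparationKernel:
    def __init__(self, schedule, allowed_flows):
        self.schedule = list(schedule)      # partition name per time slot, in order
        self.allowed = set(allowed_flows)   # (src, dst) pairs; everything else denied
        self.inbox = defaultdict(deque)     # dst -> messages waiting for its slot
        self.current = None                 # partition that owns the CPU right now
        self.audit = []                     # denied attempts, for the monitoring system

    def send(self, src, dst, payload):
        """Only the running partition may send, and only along a permitted flow.
        The kernel, not the guest, makes both decisions."""
        if src != self.current:
            raise PolicyViolation(f"{src} is not the running partition")
        if (src, dst) not in self.allowed:
            self.audit.append((src, dst, payload))
            raise PolicyViolation(f"flow {src}->{dst} not in policy")
        self.inbox[dst].append((src, payload))

    def run_frame(self, handlers):
        """One major frame: each partition runs in its slot, first draining
        what was queued for it, then executing its own handler."""
        delivered = []
        for slot, name in enumerate(self.schedule):
            self.current = name
            while self.inbox[name]:
                src, payload = self.inbox[name].popleft()
                delivered.append((slot, src, name, payload))
            handlers.get(name, lambda k: None)(self)
        self.current = None
        return delivered


def demo():
    """Three partitions: an Internet-facing browser, a one-way guard, and a
    documents partition. Browser may talk to guard, guard to docs, nothing
    else; the browser's direct attempt on docs must be refused and logged."""
    kernel = SeparationKernel(
        schedule=["browser", "guard", "docs"],
        allowed_flows={("browser", "guard"), ("guard", "docs")},
    )

    def browser(k):
        k.send("browser", "guard", "update.bin")
        try:
            k.send("browser", "docs", "steal")      # no policy entry: denied
        except PolicyViolation:
            pass

    def guard(k):
        k.send("guard", "docs", "update.bin checked")

    delivered = kernel.run_frame({"browser": browser, "guard": guard})
    return delivered, kernel.audit


if __name__ == "__main__":
    print(demo())
```

Note that a message queued for a partition earlier in the schedule waits until the next frame: timing, like data flow, is decided by the kernel's table and not by the guests, which is what stops a compromised guest from starving or talking to the others.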
Protect and prevent
Originally, the hypervisors were tested only for reliability, not for security – the systems were never designed to attach to any public network. But requests from military users to improve the level of protection in avionics systems led Green Hills to produce a version of its Integrity operating system that could not just act as a hypervisor, but was small enough to be certified to a much higher level of security than had previously been achieved for any other operating system.
'We were brought in on the Lockheed Martin F-35 [multirole fighter] programme. It has shared levels of security on the same computer,' explains O'Dowd. 'When you build an aeroplane there is a process to identify the security and reliability critical systems. The level of programming and the care that software goes through in the aircraft industry is a hundred times greater than what happens in every other industry.'
Green Hills successfully obtained certification to Common Criteria Evaluation Assurance Level 6+ in late 2008 for a version running on a PowerPC processor using a combination of tests and formal, mathematics-based verification. The highest possible rating, Level 7, demands full formal verification.
Most operating systems that have obtained an EAL rating, however, only reach Level 4 or 4+ which provide a level of protection that is 'appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security', according to the US-based National Information Assurance Partnership (NIAP) that administers the scheme.
Certifications only apply to the specific hardware and software combination for which they are tested – they do not carry over automatically from the PowerPC to the more prevalent x86 architecture, for example. But, O'Dowd says, the company is alone among suppliers of hypervisors intended to separate guest operating systems from each other, or indeed among suppliers of any operating system, in holding a certificate to this level.
Bridging the security gap?
Once the software became available, other military users started to look at it as a way of removing their physically enforced air gaps. Robert Day says the LynxSecure implementation is 'certifiable', but the software has yet to complete the NIAP process. He claims that the trend among military and government organisations is away from Common Criteria certifications.
'A lot of customers are going more to system level certification rather than common criteria certification. Partly because a lot of the promise of common criteria has not panned out in terms of reusability,' says Day.
O'Dowd warns again that the security element is vital: 'When you talk about secure virtualisation, some people think that it is a tautology. Virtualisation was originally promoted for server consolidation. Now [it is] being promoted as the be-all-and-end-all to security. It is not, it's the other way round. You need to add security to make virtualisation secure.'
For Detica's Harrison, the important thing is the availability of small, lean kernels that separate mainstream operating systems from the hardware as well as from each other, and which promise to be harder to break than conventional, and often much larger, virtualisation environments. Detica has opted to use the LynuxWorks product as the basis for its work with separation kernels.
'It is something that can be done on a single piece of commodity hardware. It allows these models to be more widely adopted,' Harrison claims. 'These technologies were built for the embedded world originally. But they have huge applicability if they can be made useful for the mainstream world. Almost any separation is better than what we have at the moment. A browser that can access any website sitting next to confidential documents presents a clear risk to security.'
Although it is more or less impossible to hack-proof Windows, separation at least should stop a virus or Trojan running in the guest that handles online access from reaching sensitive documents in another guest that is kept off the wider network. This form of isolation is also how a LynuxWorks subsidiary, ValidEdge, tests software for malware properties. The appliance made by ValidEdge is an embedded PC under the control of a hypervisor.
As Day explains: 'It runs malware samples in a partition, watches them, and if they do not behave puts a report out saying "this thing is going to run riot". The problem with most malware detection today is that it is done by the McAfees and Symantecs based on signatures. But now malware is targeted against single customers.'
A targeted attack is unlikely to have a signature in the database, so the only clue is how the software behaves when it runs. This malware is also smart enough to shut down if isolated from the network, so appliances such as the ValidEdge product maintain the illusion of connection to encourage the malware to keep running and attempt to 'phone home' to its creator, or send out feelers across the network.
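The two ideas in the paragraph above, scoring a sample by what it does rather than by signature, and keeping it talking by faking the network it asks for, as an added example that is not ValidEdge's or any vendor's code. The event trace, rule weights, file paths and domain name are all constructed assumptions.

```python
"""Added example, not ValidEdge's or any vendor's code: behaviour-based
scoring of a malware sample run in isolation, with a fake network that
answers every lookup so the sample keeps running. The event trace, rule
weights, paths and domain names are all constructed assumptions."""
from collections import Counter


class Sinkhole:
    """Stands in for the Internet inside the sandbox. Every name resolves and
    every connection 'succeeds', so a sample that checks whether it is online
    before acting carries on and reveals where it wants to phone home."""

    def __init__(self, fake_ip="10.255.0.1"):
        self.fake_ip = fake_ip
        self.queries = []       # domains the sample asked for: C2 candidates
        self.connections = []   # (ip, port) pairs it tried to reach

    def resolve(self, name):
        self.queries.append(name)
        return self.fake_ip

    def connect(self, ip, port):
        self.connections.append((ip, port))
        return True             # never refuse: a refused connect lets the sample go quiet


# Assumed rule weights; a real engine would carry hundreds of rules.
RULES = {
    "autorun_write": 40,      # persistence: dropped something in a startup location
    "dns_then_connect": 30,   # resolved a name, then connected to the answer (phone home)
    "lateral_feelers": 30,    # touched many neighbouring hosts on one port
    "self_delete": 10,        # removed its own dropper
}
AUTORUN_MARKERS = ("\\currentversion\\run", "\\startup\\")


def score_trace(events, sample_path, net):
    """Walk the recorded events once, feeding network events through the
    sinkhole, and tally which behavioural rules fired."""
    hits = Counter()
    resolved, lan_targets = set(), set()
    for ev in events:
        kind = ev["type"]
        if kind == "write" and any(m in ev["path"].lower() for m in AUTORUN_MARKERS):
            hits["autorun_write"] += 1
        elif kind == "dns":
            resolved.add(net.resolve(ev["name"]))
        elif kind == "connect":
            net.connect(ev["ip"], ev["port"])
            if ev["ip"] in resolved:
                hits["dns_then_connect"] += 1
            if ev["ip"].startswith("192.168."):
                lan_targets.add(ev["ip"])
        elif kind == "delete" and ev["path"] == sample_path:
            hits["self_delete"] += 1
    if len(lan_targets) >= 5:
        hits["lateral_feelers"] += 1
    return sum(RULES[rule] for rule in hits), dict(hits)


def analyse(events, sample_path, net=None, threshold=50):
    net = net or Sinkhole()
    score, hits = score_trace(events, sample_path, net)
    return ("malicious" if score >= threshold else "clean"), score, hits


# Constructed trace of one sample's run in the isolated partition.
SAMPLE_PATH = "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe"
TRACE = [
    {"type": "write", "path": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows"
                              "\\Start Menu\\Programs\\Startup\\svc.exe"},
    {"type": "dns", "name": "update-cdn.example.net"},
    {"type": "connect", "ip": "10.255.0.1", "port": 443},   # the sinkhole's answer
] + [
    {"type": "connect", "ip": f"192.168.1.{n}", "port": 445} for n in range(10, 16)
] + [
    {"type": "delete", "path": SAMPLE_PATH},
]

if __name__ == "__main__":
    print(analyse(TRACE, SAMPLE_PATH))
```

None of the rules knows anything about this particular sample, which is the point against a targeted attack: the domain it asks for ends up in the sinkhole's query log as a block-list candidate, and the sweep of port 445 across neighbouring addresses is the 'feelers across the network' the article describes.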
Malware does not necessarily run on standard PCs. The embedded computers in network devices such as routers and printers are now reprogrammable and able to take software updates over the Internet, whether official or unofficial. This is why Detica's Treidan looks for abnormal behaviour on the network rather than for known malware on the hosts. 'We saw a printer accessing a search engine the other week,' Detica's Harrison reports.
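The kind of check that catches a printer talking to a search engine, as an added example that is not Detica's or Treidan's logic: every device is assigned a role, each role has a small profile of what it is expected to do, and a flow that does not fit the role is raised. The inventory, role profiles and flow log lines are all constructed for the example.

```python
"""Added example (not Detica Treidan's code): flag network flows that do
not fit the source device's role. Inventory, profiles and the flow log
below are constructed assumptions."""
import ipaddress

# Constructed asset inventory: address -> role.
INVENTORY = {
    "10.1.2.20": "printer",
    "10.1.2.21": "printer",
    "10.1.5.7": "workstation",
}

# What each role is expected to do; anything outside it is an anomaly.
# allowed_ports None means any destination port is normal for that role.
ROLE_PROFILE = {
    "printer": {"initiates_external": False, "allowed_ports": {53, 123, 515, 631, 9100}},
    "workstation": {"initiates_external": True, "allowed_ports": None},
}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate range


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    # Constructed log format: "src,dst,dport,bytes"
    src, dst, dport, nbytes = line.strip().split(",")
    return {"src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def check_flow(flow):
    """Return a reason string if the flow is abnormal for its source, else None."""
    role = INVENTORY.get(flow["src"])
    if role is None:
        return "unknown device initiating traffic"
    profile = ROLE_PROFILE[role]
    if not profile["initiates_external"] and not is_internal(flow["dst"]):
        return f"{role} initiating external connection"
    ports = profile["allowed_ports"]
    if ports is not None and flow["dport"] not in ports:
        return f"{role} using unexpected port {flow['dport']}"
    return None


# Constructed flow records: a printer's DNS lookup (normal), the same printer
# reaching an Internet address on 443 (the search-engine case), a workstation
# browsing (normal), a printer opening a high port to a workstation, and a
# source that is not in the inventory at all.
FLOW_LOG = """\
10.1.2.20,10.1.0.5,53,120
10.1.2.20,203.0.113.10,443,8192
10.1.5.7,203.0.113.10,443,65536
10.1.2.21,10.1.5.7,4444,2048
10.1.9.99,10.1.0.5,22,900
"""


def find_anomalies(log_text):
    out = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            out.append((flow["src"], flow["dst"], reason))
    return out


if __name__ == "__main__":
    for anomaly in find_anomalies(FLOW_LOG):
        print(anomaly)
```

The check needs no knowledge of the malware: a printer has no business fetching anything from the Internet, so the flow is suspicious whatever the payload, which is why this approach works for targeted code that no signature database has seen.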