Posted on 04/19/2004 1:07:39 PM PDT by TheEngineer
CHICAGO - Days after an embedded-industry CEO stirred up a firestorm by charging that Linux poses a threat to U.S. security, two prominent computing-security experts said last week that some developers are already inappropriately using Linux in critical security applications where it isn't suitable.
Purdue University professor Eugene Spafford and Cynthia Irvine of the Naval Postgraduate School warned that the highest-level, but little-understood, security concerns are sometimes ignored during the development of control systems for tanks, bombs, missiles and defense aircraft. Linux, Windows and Solaris operating systems should not be used in such applications, Spafford said.
"An awful lot of decisions involving national-defense implications are being made on the basis of price and personal bias, and not upon sound evaluation of the underlying tools and software," said Spafford, who is executive director of the largest U.S. academic research center on information security, the Center for Education and Research in Information Assurance and Security, as well as an adviser to President Bush. "And it's happening in places where it should not be happening."
Although Spafford said that virtually no developers would attempt to use Windows in such high-security applications, many are already employing Linux, believing it is sufficiently secure.
"I don't want to single out Linux alone, because it is not the only [operating] system with problems," he said. "But it certainly has one problem, and that is that there are many elements of unknown provenance in it."
"Software subversion," in which adversaries add a few lines of code that can cause a major system to malfunction, is a concern of security experts, said Irvine, a professor of computer science and an expert on information warfare at the Naval Postgraduate School in Monterey, Calif. In such applications, she said, developers need to use "high-assurance" operating systems with the smarts to prove that subverting code doesn't exist. Linux, she said, is not one of them.
"There are definitely places within the national critical infrastructure where we should be concerned and should be looking at higher-assurance systems to protect us from adversarial attack," Irvine said.
Spafford added that he "would be scared to death" to be near a power plant or defense aircraft that employed any of the "general-use operating systems," such as Linux, for the highest levels of safety-critical control.
Comments by Spafford and Irvine stood in sharp contrast to those of many embedded-industry members who vehemently argued last week that Linux is inherently secure. Makers of Linux-based tools and software, and even some Linux competitors, went on record to declare that Linux's development process, which involves the scrutiny of thousands of individuals, makes it almost impossible for "adversarial code" to sneak through. Their comments came on the heels of assertions about "the Linux threat" made a week earlier by Dan O'Dowd, chief executive officer of Green Hills Software Inc. (Santa Barbara, Calif.).
"The open-source community doesn't just take whatever someone contributes," noted Bill Weinberg, strategic-marketing director of MontaVista Software Inc. (Sunnyvale, Calif.). "These contributions aren't like a message in a bottle."
"It [Linux] poses no more of a threat than any other operating system in the world," said Neil Henderson, general manager of Mentor Graphics Corp.'s Embedded Systems Division (Wilsonville, Ore.), a maker of hardware and software design solutions.
Speaking at the Net-Centric Operations Industry Forum in McLean, Va., O'Dowd of Green Hills said that Linux violates every principle of security, and charged that Linux suppliers MontaVista Software and LynuxWorks Inc. are using offshore software developers in such locales as Moscow and Beijing, a practice he described as a security threat.
Executives from both those companies, as well as others in the embedded industry, blasted O'Dowd's comments as a form of FUD (a claim that causes "fear, uncertainty and doubt" about Linux).
'Plays on paranoia'
"The way it was stated is exaggerated, and it plays on the paranoia about terrorism and even communism," said Inder Singh, CEO of LynuxWorks (San Jose, Calif.). Singh added, however, that if suppliers are creating a piece of security-related software, "it should be done in the U.S., by U.S. citizens." Singh said that is how LynuxWorks develops its own security-related software.
O'Dowd has since reiterated and even amplified his comments about Linux's security shortcomings. He told EE Times last week that in the past few months he has spoken to developers working on control systems for tanks and other high-security systems, and has seen individuals who are planning to use Linux and are unaware of what he describes as its security shortcomings.
"What concerns me is that people have heard Linux is secure and they are starting to use it in tanks and bombs and planes," O'Dowd said. "We've known this for months, and it scares me. If we don't tell them soon about the security problems, they will get so far down the road in the development process that they won't be able to change."
O'Dowd cited Green Hills' Integrity real-time operating system, along with LynuxWorks' LynxOS-178 and Wind River Systems' VxWorks AE653 RTOSes, as secure solutions.
Foreign risk
Industry executives, however, bristled last week at the suggestion that such operating systems could solve the subversion problem, arguing that O'Dowd was using the subject to focus attention on his own company's product.
"It's ridiculous," said Henderson of Mentor Graphics. "Is he saying that he has no foreign employees? He has no one who could subvert his code? He makes compilers that are used by the military. What's to stop one of his employees from putting a backdoor into the code that's generated by the compiler?"
Security experts Spafford and Irvine, however, said the oft-cited "many eyes" concept of open-source software development is not a sufficient form of assurance for national-security-level applications. "A subtle flaw could be included in the system and missed by all those eyes, because they may not have the training or motivation to look for the right problems," Spafford said.
Spafford, an IEEE Fellow who has testified before Congress on matters of national information security, urged the programming community to get past issues of cost, corporate politics and technological "religion" when dealing with matters of national security.
"The problem occurs when a vendor decides to adopt software because of cost or because of familiarity to their current programmers," he said. "They end up making a decision that involves risk, and they don't have the appropriate background to make that decision."
Irvine said that to head off catastrophes, high-security applications need software that can't be corrupted. "The Linux people feel that Linux is very flexible, so they can do many things with it," she said. "But one of the things you can't do with it is demonstrate the absence of subversive artifice in the system."
Spafford added that the embedded community needs to have rational discourse on the subject. "The question is why people are so up in arms about this Linux story," he said. "Do they want a system with flaws in it to be used in national defense?"
See the next-to-last paragraph in the article.
:^)
Which specific folks are you referring to?
And, if you're going to go to that level of silliness... how do you know that aliens haven't hit you with mind-control rays, causing you to write an exploit-generator into your compiler?
These highly qualified folks have set up a straw man argument in order to support an agenda.
Gene Spafford is a longtime Open Source detractor. When it comes to Open Source, I wouldn't take his word that day is light and night is dark.
The gist of the article is correct, but in all the wrong ways and it fixes the problem incorrectly.
The SE Linux patches are great. I still wouldn't run Linux where lives were on the line.
The problem isn't so much one of security, it's a problem of stability. And while Linux is head and shoulders above other popular operating systems, it's very complex and tends a bit much toward the bleeding edge.
This is necessary in order to support new technologies such as SATA, wireless networking, Bluetooth and others.
In order to work perfectly every single time, you need stability, and generally that implies simplicity and extensive code review.
For life-and-death systems, OpenBSD is an acceptable choice for Open Source. For non-OSS, QNX is also acceptable.
But asking Gene Spafford about operating system recommendations is like asking PETA about a steakhouse menu.
Garbage. Spaf is hard on all operating systems when it comes to security, and OSS is no different in that regard. Turning that into him being a "detractor" of OSS in particular is pretty much a sure sign of fanboyism.
You don't think Purdue University professor Eugene Spafford (IEEE Fellow) and Cynthia Irvine of the Naval Postgraduate School have heard of SE-Linux? Pretty doubtful.
Particularly in the case of LynxOS, I think they are being rather disingenuous, since they claim that a linux binary will drop right into their OS. Technically, I suppose it might, if you had the same processor when you compiled under linux as you intend to use on the embedded application. We haven't been able to get a linux binary to drop in on LynxOS yet.
Who cares? That isn't even remotely related to this article.
I think these guys (RTOS vendors) might be just trying to maintain their business base, which LINUX is threatening. A lot of government weapon systems programs are taking a hard look at using LINUX instead of the RTOSs like VxWorks and Lynx.
That doesn't explain why an independent researcher like Spafford is speaking out...
Spafford, an IEEE Fellow who has testified before Congress on matters of national information security, urged the programming community to get past issues of cost, corporate politics and technological "religion" when dealing with matters of national security.
I laugh in his general direction. Here is a guy who sells a secure real-time OS. He has figured out that he can get non-defense trade journalists to write about his company and his product if he tosses the word "linux" around a couple of times. That is the only reason we see this article.
No one in the defense community is going to say, "Yeah, let's try Red Hat for the flight control systems on the F-22." That is ludicrous. Off-the-shelf linux is not even a real-time OS; it's a multiprocessing system, which is a different thing entirely. Security aside, you don't put a time-sharing system where you need guaranteed response time to interrupts.
Sure enough, this guy found a trade journalist who doesn't know process control from Shinola, who bought the whole story about fresh-outs from Berkeley choosing the operating system for critical defense programs on the basis of sheer ignorance. Well, good for him, he managed to get Green Hills Software mentioned a couple of times in the trades.
http://www.linuxforum.dk/2000/slides/GeneS/GeneSpafford.pdf
And from 2002:
http://www.techtv.com/screensavers/linux/story/0,24330,3406300,00.html
And another from 2002:
http://www.esecurityplanet.com/views/article.php/1482631
He's had negative things to say about Linux security for some time.
That is not to say that he thinks Windows is any better. Rather, he's one of those old-school bearded roadapples that yearn for the glory days of proprietary Unix.
I, and several other Open Source advocates, got into a rather nasty flamewar on Usenet back in '99 or so with His Eugenness. He's a typical university academic with little experience in the real world. He thinks we should all be happy with terminal access to a VMS machine.
The sad fact of the matter is that he has more of a fanboi problem than I ever will. He's married to the idea of proprietary big iron, ignoring the reality that most of them have horrendous security and a long history of unpatched bugs.
I applaud anyone that pushes security, but Spaf bashes Linux a little too often and proprietary systems a little too seldom. I'm not saying that he's not right about Linux security issues, but he seems to go out of his way to put the smack on Linux without addressing the very same issues in the operating systems he holds up as secure.