Free Republic
Browse · Search
News/Activism
Topics · Post Article

Linux: unfit for national security?
Electronic Engineering Times ^ | 19 April 2004 | Charles J. Murray

Posted on 04/19/2004 1:07:39 PM PDT by TheEngineer

CHICAGO — Days after an embedded-industry CEO stirred up a firestorm by charging that Linux poses a threat to U.S. security, two prominent computing-security experts said last week that some developers are already inappropriately using Linux in critical security applications where it isn't suitable.

Purdue University professor Eugene Spafford and Cynthia Irvine of the Naval Postgraduate School warned that the highest-level, but little-understood, security concerns are sometimes ignored during the development of control systems for tanks, bombs, missiles and defense aircraft. Linux, Windows and Solaris operating systems should not be used in such applications, Spafford said.

"An awful lot of decisions involving national-defense implications are being made on the basis of price and personal bias, and not upon sound evaluation of the underlying tools and software," said Spafford, who is executive director of the largest U.S. academic research center on information security, the Center for Education and Research in Information Assurance and Security, as well as an adviser to President Bush. "And it's happening in places where it should not be happening."

Although Spafford said that virtually no developers would attempt to use Windows in such high-security applications, many are already employing Linux, believing it is sufficiently secure.

"I don't want to single out Linux alone, because it is not the only [operating] system with problems," he said. "But it certainly has one problem, and that is that there are many elements of unknown provenance in it."

"Software subversion," in which adversaries add a few lines of code that can cause a major system to malfunction, is a concern of security experts, said Irvine, a professor of computer science and an expert on information warfare at the Naval Postgraduate School in Monterey, Calif. In such applications, she said, developers need to use "high-assurance" operating systems with the smarts to prove that subverting code doesn't exist. Linux, she said, is not one of them.

"There are definitely places within the national critical infrastructure where we should be concerned and should be looking at higher-assurance systems to protect us from adversarial attack," Irvine said.

Spafford added that he "would be scared to death" to be near a power plant or defense aircraft that employed any of the "general-use operating systems," such as Linux, for the highest levels of safety-critical control.

Comments by Spafford and Irvine stood in sharp contrast to those of many embedded-industry members who vehemently argued last week that Linux is inherently secure. Makers of Linux-based tools and software, and even some Linux competitors, went on record to declare that Linux's development process, which involves the scrutiny of thousands of individuals, makes it almost impossible for "adversarial code" to sneak through. Their comments came on the heels of assertions about "the Linux threat" made a week earlier by Dan O'Dowd, chief executive officer of Green Hills Software Inc. (Santa Barbara, Calif.).

"The open-source community doesn't just take whatever someone contributes," noted Bill Weinberg, strategic-marketing director of MontaVista Software Inc. (Sunnyvale, Calif.). "These contributions aren't like a message in a bottle."

"It [Linux] poses no more of a threat than any other operating system in the world," said Neil Henderson, general manager of Mentor Graphics Corp.'s Embedded Systems Division (Wilsonville, Ore.), a maker of hardware and software design solutions.

Speaking at the Net-Centric Operations Industry Forum in McLean, Va., O'Dowd of Green Hills said that Linux violates every principle of security, and charged that Linux suppliers MontaVista Software and LynuxWorks Inc. are using offshore software developers in such locales as Moscow and Beijing, a practice he described as a security threat.

Executives from both those companies, as well as others in the embedded industry, blasted O'Dowd's comments as a form of FUD (a claim that causes "fear, uncertainty and doubt" about Linux).

'Plays on paranoia'

"The way it was stated is exaggerated, and it plays on the paranoia about terrorism and even communism," said Inder Singh, CEO of LynuxWorks (San Jose, Calif.). Singh added, however, that if suppliers are creating a piece of security-related software, "it should be done in the U.S., by U.S. citizens." Singh said that is how LynuxWorks develops its own security-related software.

O'Dowd has since reiterated and even amplified his comments about Linux's security shortcomings. He told EE Times last week that in the past few months he has spoken to developers working on control systems for tanks and other high-security systems, and has seen individuals who are planning to use Linux and are unaware of what he describes as its security lacks.

"What concerns me is that people have heard Linux is secure and they are starting to use it in tanks and bombs and planes," O'Dowd said. "We've known this for months, and it scares me. If we don't tell them soon about the security problems, they will get so far down the road in the development process that they won't be able to change."

O'Dowd cited Green Hills' Integrity real-time operating system, along with LynuxWorks' LynxOS-178 and Wind River Systems' VxWorks AE653 RTOSes, as secure solutions.

Foreign risk

Industry executives, however, bristled last week at the suggestion that such operating systems could solve the subversion problem, arguing that O'Dowd was using the subject to focus attention on his own company's product.

"It's ridiculous," said Henderson of Mentor Graphics. "Is he saying that he has no foreign employees? He has no one who could subvert his code? He makes compilers that are used by the military. What's to stop one of his employees from putting a backdoor into the code that's generated by the compiler?"

Security experts Spafford and Irvine, however, said the oft-cited "many eyes" concept of open-source software development is not a sufficient form of assurance for national-security-level applications. "A subtle flaw could be included in the system and missed by all those eyes, because they may not have the training or motivation to look for the right problems," Spafford said.

Spafford, an IEEE Fellow who has testified before Congress on matters of national information security, urged the programming community to get past issues of cost, corporate politics and technological "religion" when dealing with matters of national security.

"The problem occurs when a vendor decides to adopt software because of cost or because of familiarity to their current programmers," he said. "They end up making a decision that involves risk, and they don't have the appropriate background to make that decision."

Irvine said that to head off catastrophes, high-security applications need software that can't be corrupted. "The Linux people feel that Linux is very flexible, so they can do many things with it," she said. "But one of the things you can't do with it is demonstrate the absence of subversive artifice in the system."

Spafford added that the embedded community needs to have rational discourse on the subject. "The question is why people are so up in arms about this Linux story," he said. "Do they want a system with flaws in it to be used in national defense?"


TOPICS: Business/Economy; Extended News; Foreign Affairs; Government; News/Current Events; Technical
KEYWORDS: computers; linux; lowqualitycrap; nationalsecurity; opensource; security; software
To: Prime Choice
The headline is misleading. This article clearly states that not only Linux is inappropriate for defense systems, but Windows and Solaris as well.

True, but remember that Spafford is talking in the context of this recent brouhaha among real-time Linux vendors. Most people would (rightly) laugh at the idea of using Windows in national-security applications, but there are people seriously touting Linux (inappropriately, in Spafford's eyes) for the same applications.

I'm surprised that Spafford doesn't consider the Immunix Cryptomark ( http://www.immunix.org/cryptomark.html ) a viable solution to his concerns.

Probably because it competes with his own creation ;)

Anyway, stuff like Tripwire and Cryptomark help prevent the system from being subverted once it's deployed - what he's talking about here is subversion before it's even finished. Cryptomark tells you if your system has been changed after-the-fact - it can't help you if it wasn't written securely in the first place.

21 posted on 04/19/2004 2:58:10 PM PDT by general_re (The doors to Heaven and Hell are adjacent and identical... - Nikos Kazantzakis)
[ Post Reply | Private Reply | To 18 | View Replies]

To: Knitebane
These highly qualified folks have set up a straw man argument in order to support an agenda.

Wrong. It is a *fact* that foreign governments can add code to Linux and subvert anyone that runs it. Spafford is merely stating a fact. His biases are irrelevant, since the NSA won't certify that SE-Linux is invulnerable to subversion.
22 posted on 04/19/2004 3:04:09 PM PDT by Bush2000
[ Post Reply | Private Reply | To 10 | View Replies]

To: TheEngineer
Open source is SAFER than closed source with regards to national security.

For a very good reason ALL NEW CRYPTOSYSTEM ALGORITHMS

>>>> MUST <<<<

must be published and reviewed before they are accepted by the various standards committees.

There are even contests (such as the recent RSA contest to break a certain type of Elliptical Curve encryption algorithm) with prize money to break these publicly known systems.

Security through obscurity just doesn't work! It just means the software developer can hide their sloppy code...

23 posted on 04/19/2004 3:05:31 PM PDT by chilepepper (The map is not the territory -- Alfred Korzybski)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Nick Danger
Sure enough, this guy found a trade journalist who doesn't know process control from Shinola, who bought the whole story about fresh-outs from Berkeley choosing the operating system for critical defense programs on the basis of sheer ignorance. Well, good for him, he managed to get Green Hills Software mentioned a couple of times in the trades.

That's all well and good, Nicky. But you ignored the issue of Linux being vulnerable to subversion. Try to get back on topic.
24 posted on 04/19/2004 3:06:01 PM PDT by Bush2000
[ Post Reply | Private Reply | To 17 | View Replies]

To: general_re
Probably because it competes with his own creation ;)

D'OH! I should have seen that coming.

Anyway, stuff like Tripwire and Cryptomark help prevent the system from being subverted once it's deployed - what he's talking about here is subversion before it's even finished.

Yikes. That's a nigh impossible task if the code and the hardware are created by anyone save one's self. The greatest threat to any security model is always the trusted path. And the greatest reducer of every security system is time. Eventually some weasel who shouldn't be trusted gets that trust and it's game-over. That dynamic cannot be stopped; it can only be delayed long enough to change things so the intruder has to start back at block zero again.

Oh well, I'll just stick to my own home-grown-hardened Linux and be happy. I'm going on almost 10 years without a successful intrusion (so far). : )

25 posted on 04/19/2004 3:07:45 PM PDT by Prime Choice (Leftists claim Bush is a terrorist. So why aren't they trying to appease him?)
[ Post Reply | Private Reply | To 21 | View Replies]

To: Bush2000
That's all well and good, Nicky. But you ignored the issue of Linux being vulnerable to subversion. Try to get back on topic.

The article mentioned that Windows and Solaris are vulnerable to the same attack. It's not just Linux.

26 posted on 04/19/2004 3:09:11 PM PDT by Prime Choice (Leftists claim Bush is a terrorist. So why aren't they trying to appease him?)
[ Post Reply | Private Reply | To 24 | View Replies]

To: chilepepper
Open source is SAFER than closed source with regards to national security.

Wrong. You guys seemed to be fixated on crypto algorithms. That isn't the only thing being added to Linux. There's a ton of code being added by unknown individuals and foreign governments. Whether the code CAN be evaluated doesn't mean it IS being evaluated for security. Open doesn't mean safe.
27 posted on 04/19/2004 3:10:53 PM PDT by Bush2000
[ Post Reply | Private Reply | To 23 | View Replies]

To: Knitebane
He's had negative things to say about Linux security for some time.

Unless what he says is false, and you basically concede that it's not, he's doing you a favor. Take it as constructive criticism and use it to move forward, because "Y is no better!" is not an intelligent, thoughtful response to someone who says "X has a problem". Either X has a problem, or it doesn't, but talking about how the messenger prefers Y, which is clearly worse, is the height of irrelevancy.

I'm not saying that he's not right about Linux security issues, but he seems to go out of his way to put the smack on Linux without addressing the very same issues in the operating systems he holds up as secure.

Eric Raymond has been talking smack about Linux usability for months now. Is he an OSS detractor?

I really think - and this is IMO, obviously - that a guy like Spafford, who is one of the pre-eminent security experts in the world, who wrote THE canonical book on Unix security, deserves a better, more cogent response to his critique than suggestions that he's somehow biased. You don't have to like what he says, but you'd better find a better response than that, because when he talks, people listen.

28 posted on 04/19/2004 3:12:13 PM PDT by general_re (The doors to Heaven and Hell are adjacent and identical... - Nikos Kazantzakis)
[ Post Reply | Private Reply | To 20 | View Replies]

To: Prime Choice
Mu

No, it doesn't say that. Read it again. Windows isn't subject to subversion because the Chinese and North Koreans and Iranians don't submit code.
29 posted on 04/19/2004 3:13:45 PM PDT by Bush2000
[ Post Reply | Private Reply | To 26 | View Replies]

To: TheEngineer
Ever since we started producing computers in the PRC and other suspect countries, no commercial OS has been suitable. The bad guys know too much about the bit level activity on all platforms and what the OS does at the lowest levels. Granted, they all eventually get the info, but on a considerably delayed basis if we would stop producing hardware and blasting FW and SW images in hostile places.
30 posted on 04/19/2004 3:14:43 PM PDT by GOP_1900AD (Un-PC even to "Conservatives!" - Right makes right)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
Wrong. It is a *fact* that foreign governments can add code to Linux and subvert anyone that runs it.

Fine. If it's a fact, that means it's been proven. Please present your proof.

31 posted on 04/19/2004 3:16:14 PM PDT by Knitebane
[ Post Reply | Private Reply | To 22 | View Replies]

To: Bush2000
Indeed. Witness [Communist] Red Flag Linux.
32 posted on 04/19/2004 3:17:11 PM PDT by GOP_1900AD (Un-PC even to "Conservatives!" - Right makes right)
[ Post Reply | Private Reply | To 22 | View Replies]

To: general_re
You don't have to like what he says, but you'd better find a better response than that, because when he talks, people listen.

And that, sir, is precisely why I take him to task for not shedding equal light on other operating systems, particularly the ones that he espouses.

33 posted on 04/19/2004 3:18:20 PM PDT by Knitebane
[ Post Reply | Private Reply | To 28 | View Replies]

To: Bush2000
Show me a software QA process that looks at everything, and I will show you a product that can never get out the door! You are again right on!
34 posted on 04/19/2004 3:18:27 PM PDT by GOP_1900AD (Un-PC even to "Conservatives!" - Right makes right)
[ Post Reply | Private Reply | To 27 | View Replies]

To: Bush2000
The biggest weakness with Windows is the fact that Microsoft employs a number of developers and SQA people in the PRC, Russia and Pakistan. Also, they depend far too much on H1Bs and L1As. Their biggest threat is an inside job.
35 posted on 04/19/2004 3:19:58 PM PDT by GOP_1900AD (Un-PC even to "Conservatives!" - Right makes right)
[ Post Reply | Private Reply | To 29 | View Replies]

To: Bush2000
The philosophy is exactly the same.

A computer program IS A MATHEMATICAL ALGORITHM, and in fact Code Book systems at the A1 or A2 level, which must be "proven correct" are even written directly in the "predicate calculus" notation which is executed directly from within a predicate calculus virtual machine...

36 posted on 04/19/2004 3:21:04 PM PDT by chilepepper (The map is not the territory -- Alfred Korzybski)
[ Post Reply | Private Reply | To 27 | View Replies]

To: Prime Choice
The headline is misleading. This article clearly states that not only Linux is inappropriate for defense systems, but Windows and Solaris as well.

The article emphasizes linux...

...because linux heads, perhaps more than any other breed of software developer, don't understand/admit their pet operating system's limitations.

Hence the need for these researchers to publicly make the point that linux is not suitable for embedding in weapons systems.

37 posted on 04/19/2004 3:22:38 PM PDT by TheEngineer
[ Post Reply | Private Reply | To 18 | View Replies]

To: Bush2000
There's a ton of code being added by unknown individuals and foreign governments. Whether the code CAN be evaluated doesn't mean it IS being evaluated for security. Open doesn't mean safe.

And there's a ton of code being added to Windows by unknown individuals. They are called programmers. The fact that they draw a paycheck from Microsoft does not mean that they have any loyalty to that organization. The code that they are adding to the Windows code base could very well be malignant.

And there's the difference. Open Source code CAN be audited, even though it may not be. Closed source code CANNOT be audited. Period.

38 posted on 04/19/2004 3:23:32 PM PDT by Knitebane
[ Post Reply | Private Reply | To 27 | View Replies]

To: Knitebane
Oh, for crying out loud - so basically, your complaint is that he's not enough of a one-stop-shopping security outlet? That by himself, he's not an adequate replacement for all the other security researchers on the planet? That he's not even trying to be all things to all men?
39 posted on 04/19/2004 3:23:59 PM PDT by general_re (The doors to Heaven and Hell are adjacent and identical... - Nikos Kazantzakis)
[ Post Reply | Private Reply | To 33 | View Replies]

To: Bush2000
Open doesn't mean safe.

Nor does closed mean safe.

40 posted on 04/19/2004 3:24:37 PM PDT by Glenn (The two keys to character: 1) Learn how to keep a secret. 2) ...)
[ Post Reply | Private Reply | To 27 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson