By Charles J. Murray

Chicago — Despite lingering debates over its suitability in secure systems, the Linux operating system appeared poised last week to play a strong supporting role in highly security-critical applications, ranging from battlefield hardware to cities’ electrical power grids.

Three software suppliers said last week that they will integrate the open-source OS into their security products, with one, Green Hills Software Inc. (Santa Barbara, Calif.), rolling out an entry that immediately brings the vision to life.

In all three cases, Linux would be called on to serve not as a secure operating system in itself but as software for an application that would lie atop of—and be partitioned away from—a secure system. That way, developers could use their existing Linux-based code for confined applications without compromising the security of larger, safety-critical applications. At the same time, software vendors could provide secure products while simultaneously exploiting Linux’s popularity.

“This allows them to partition the device memory in such a way that they can have multiple instantiations of operating systems and therefore use Linux,” said Daya Nadamuni, a senior analyst for Gartner Dataquest Inc. (San Jose, Calif.) “The practical reality is there is money to be made in this market.”

In the other announcements last week, Wind River Systems Inc. and LynuxWorks Inc. both said they plan to roll out secure software products that integrate Linux, possibly within the next year. The vendors will aim the products at applications ranging from tanks and handheld battlefield devices to telecom switches, electrical grids and even streetlights. They expect security-critical applications that accommodate Linux to gain popularity as developers increasingly connect embedded devices to the Internet.

“It’s being driven by the memory of 9/11 and the increased security measures around the world, but also by the increase in connected devices,” said Joerg Bertholdt, director of platforms marketing for Wind River Systems (Alameda, Calif.). “And it’s not just in military applications; it’s becoming pervasive in all industries.”

CEO Dan O’Dowd and other executives at Green Hills stressed last week that the company’s strategy is essentially to allow developers to put Linux in a box, which in turn lets them leverage existing applications that may have previously been written for Linux. The technology, known as INTEGRITY PC, uses a so-called padded cell to implement a virtual computer that runs atop the company’s secure INTEGRITY operating system. Linux applications run inside the padded cell, which securely partitions them away from the safety-critical portions of the system.

Boxed in

Green Hills engineers do this by capitalizing on the virtual memory space mechanism that exists on many of the most popular processors, including Pentium, MIPS, PowerPC and higher-end ARM cores. By taking a prescribed amount of physical memory and mapping out a virtual address space within it, they create the padded cell, which prevents the program inside from reading from or writing to any part of physical memory that is not allocated to it.
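To make the partitioning idea concrete, here is a small added model of the mechanism the paragraph describes: a per-cell page table, a physical-page owner list kept by the kernel, and an address translation that consults only the requesting cell's table. This is example code written for this article, not Green Hills' INTEGRITY code, and the page sizes, cell names and the two-cell scenario (a writable "Linux" cell beside a read-only control cell) are constructed assumptions; a real MMU does the walk in hardware, but the invariant it enforces is the same one shown here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define PHYS_PAGES 64   /* constructed machine: 64 physical pages of 4 KiB */
#define VIRT_PAGES 16   /* each cell sees a window of at most 16 virtual pages */
#define MAX_CELLS  4
#define NO_OWNER   0xFF

typedef struct { bool present, writable; uint32_t phys_page; } pte_t; /* page-table entry */
typedef struct { pte_t table[VIRT_PAGES]; } cell_t;  /* a cell is just its private page table */
typedef struct {
    uint8_t owner[PHYS_PAGES];   /* which cell owns each physical page, NO_OWNER if free */
    cell_t  cells[MAX_CELLS];
    int     ncells;
} machine_t;

enum { ACCESS_OK = 0, FAULT_UNMAPPED = 1, FAULT_READONLY = 2, FAULT_BAD_CELL = 3 };

void machine_init(machine_t *m) { memset(m->owner, NO_OWNER, sizeof m->owner); m->ncells = 0; }

/* Take npages free physical pages and map them from virtual address 0 in a new cell.
 * A page owned by another cell is never handed out again, so the new cell's table
 * can only name memory that belongs to it. Returns the cell id, or -1. */
int cell_create(machine_t *m, uint32_t npages, bool writable)
{
    if (m->ncells >= MAX_CELLS || npages == 0 || npages > VIRT_PAGES) return -1;
    int id = m->ncells;
    cell_t *c = &m->cells[id];
    memset(c, 0, sizeof *c);
    uint32_t mapped = 0;
    for (uint32_t pp = 0; pp < PHYS_PAGES && mapped < npages; pp++) {
        if (m->owner[pp] != NO_OWNER) continue;           /* taken by another cell */
        m->owner[pp] = (uint8_t)id;
        c->table[mapped].present   = true;
        c->table[mapped].writable  = writable;
        c->table[mapped].phys_page = pp;
        mapped++;
    }
    /* Out of physical memory: fail; pages already claimed stay unusable rather than
     * being handed to some other cell, which errs on the side of isolation. */
    if (mapped < npages) return -1;
    m->ncells++;
    return id;
}

/* Translate a guest virtual address as the MMU would, consulting only the requesting
 * cell's table: anything outside it faults instead of reaching another cell's memory.
 * paddr may be NULL when only the verdict is wanted. */
int translate(const machine_t *m, int id, uint32_t vaddr, bool is_write, uint32_t *paddr)
{
    if (id < 0 || id >= m->ncells) return FAULT_BAD_CELL;
    uint32_t vpage = vaddr >> PAGE_SHIFT;
    if (vpage >= VIRT_PAGES || !m->cells[id].table[vpage].present) return FAULT_UNMAPPED;
    const pte_t *pte = &m->cells[id].table[vpage];
    if (is_write && !pte->writable) return FAULT_READONLY;
    if (paddr) *paddr = (pte->phys_page << PAGE_SHIFT) | (vaddr & (PAGE_SIZE - 1));
    return ACCESS_OK;
}

/* Constructed scenario: cell 0 is a 4-page writable "Linux" cell, cell 1 a 2-page
 * read-only control-application cell. */
static void build_demo(machine_t *m) { machine_init(m); cell_create(m, 4, true); cell_create(m, 2, false); }

/* One access against the demo machine; returns an access_result code. */
int probe(int cell, uint32_t vaddr, bool is_write, uint32_t *paddr)
{
    machine_t m;
    build_demo(&m);
    return translate(&m, cell, vaddr, is_write, paddr);
}

/* Physical address a read resolves to in the demo machine (0xFFFFFFFF on a fault). */
uint32_t probe_paddr(int cell, uint32_t vaddr)
{
    uint32_t pa = 0xFFFFFFFFu;
    probe(cell, vaddr, false, &pa);
    return pa;
}

int main(void)
{
    printf("linux cell reads 0x1004  -> %d, pa=0x%x\n", probe(0, 0x1004, false, NULL), probe_paddr(0, 0x1004));
    printf("linux cell reads 0x4000  -> %d (unmapped)\n", probe(0, 0x4000, false, NULL));
    printf("control cell writes 0x0  -> %d (read-only)\n", probe(1, 0x0, true, NULL));
    return 0;
}
```

The Linux cell resolves only addresses 0x0000 through 0x3FFF, all of them onto physical pages 0 through 3; the control cell's pages 4 and 5 never appear in the Linux cell's table, so no guest address can reach them, and a guest access past its own window faults rather than being silently redirected. That "not present means fault" rule, plus the kernel's refusal to map one physical page into two cells, is what the article's "padded cell" rests on.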

“In essence, the application ‘thinks’ it has its own computer, and it has no awareness of anything you don’t want it to see,” said David Barnett, director of product marketing for Green Hills. “It thinks it’s talking to its own interface card, when it’s actually talking to a virtual computer running on INTEGRITY.”

Engineers, of course, routinely use such memory allocation techniques to separate programs, but they don’t normally place operating systems inside virtual address spaces. That, say Green Hills engineers, is what distinguishes their latest effort.

“Being able to run a program inside the [virtual address space] is a much simpler task,” O’Dowd said. “Running Linux in there is trickier because Linux normally wants to run on the base hardware. It does not want to run in a virtual address space.”

By modifying Linux, however, Green Hills has been able to make the concept work since early this year on custom engineering products for customers. Last week, it rolled out those modifications in a commercial product.

Barnett said that the technology will spare developers the need to rewrite apps.

Wind River said it, too, is developing technology that will allow Linux to run securely inside a kernel. In 2003, the company announced its Platform for Safety Critical and the separate Platform for Safety Critical ARINC 653, based on the company’s VxWorks AE653 operating system. Both platforms are geared toward use in military and aerospace applications but could also be applied in other industries.

Wind River has already deployed the ARINC 653 technology in Boeing’s upcoming 7E7 Dreamliner jetliner program. From a tech standpoint, encapsulating Linux in the existing technology “is not going to be a big challenge,” said Joe Wlad, a senior project manager for Wind River.

LynuxWorks (San Jose, Calif.) said that it, too, is working on the technology in which Linux could coexist with an operating system that offers the highest of the so-called Evaluation Assurance Levels (EALs). “We’ve been working on an EAL-7 separation kernel, which is being designed to support a guest operating system like Linux,” said Inder Singh, chief executive officer.


Hacker defense

Security experts have said that such highly certified systems are necessary because such commonly used operating systems as Windows, Linux and Solaris are not sufficiently safe for security-critical applications. Many worry about “software subversion,” in which adversaries add a few lines of code that can cause a major system to malfunction. Certified software, they say, solves some of those problems by employing design verification techniques and other formal methods of mathematically proving that a software program does what it is supposed to do.

Many engineers believe the demand for such certified software is rising, in part because of national-security concerns but also because so many embedded devices now have access to the Internet.

“We have one industrial customer who told us, ‘I implemented my first IP-based controller and suddenly realized I’m on the Internet. So now how do I protect against unauthorized access and malicious attacks?’ ” said Bertholdt of Wind River.

Indeed, tales of unauthorized damage caused by hackers are on the rise. In Australia, a hacker was recently jailed for two years after it was discovered that he had tapped into a waste management control system, causing millions of pounds of raw sewage to spill out into local parks and rivers and onto the grounds of a Hyatt Regency Hotel. Fearing that similar maliciousness could cause blackouts, researchers with the U.S., Canadian and British governments are also said to be sniffing out computerized “back doors” and other vulnerabilities on electrical grids.

Vendors say such possibilities exist even in small devices. “What happens when you put a network interface on your device?” asked Jimmy Sorrells, a district sales manager for Green Hills. “Not only can your expert get into your device, but every 14-year-old on the Internet can discover it too.”

But Nadamuni of Gartner Dataquest noted that “not every device needs to be totally secure, so it’s going to be a while before we see this technology filtering down” from defense apps to other realms.



Copyright© 2004 by CMP Media LLC, 600 Community Drive, Manhasset, NY 11030. Reprinted from EETIMES with permission. 5497