4/16/2004 - The rapid proliferation of open-standards software continues to elicit responses from software vendors attempting to spread fear, uncertainty and doubt (FUD) as they find their business models threatened by the global open-standards movement. Vendors have attempted to thwart Linux® through lawsuits and legal actions and, most recently, are fueling the FUD surrounding Linux and the security threat it poses to our nation's defense systems. Open software standards and interfaces remain widely misunderstood and misrepresentative claims by technology companies continue to be the norm, not the exception.
LynuxWorks' point of view on security in the military
Sweeping generalizations that Linux poses a national security threat are shortsighted and self-serving," continued LynuxWorks chairman and CEO, Dr. Inder Singh. "Implying that the government is not assuring the highest levels of security for software that they deploy is baseless and inaccurate. All major military systems undergo extensive review and vulnerability analysis. This is quite contrary to the current commercial industry practice of 'penetrate and patch' for security, as evidenced by recent virus attacks against Windows®-based systems. The government and military, on the other hand, are employing prevention and 'defense in depth' to ensure the highest level of security. In other words, exploitable flaws are eliminated at each stage of the system design process. A significant amount of time and money is devoted to make sure this occurs at each step of the software development lifecycle. Further, open-standards architectures will be vital to decrease the time and costs in ensuring security in the military design process."
The benefits of open standards in the military
Linux and other open standards continue to gain significant momentum in the government and military because they enable ease of application portability, software reuse and interoperability between systems. For example, Navy Open Architecture Computing Environment (OACE) has mandated that all future software development be open standards-based, stipulating that software that does not meet this requirement will not be accepted by the Navy. By ensuring that all software is open standards-based, future hardware and software upgrades can be made seamlessly to reduce cost and development time and support future enhancements to new and unique war-fighting capabilities on ships, aircrafts, submarines and other platforms.
"The military is realizing that maintaining and being locked to a closed OS that does not adhere to open standards is time and cost-prohibitive," said Bob Morris, vice president of sales and marketing of LynuxWorks. "Leveraging the ever-growing world of open-standards software leads to better risk mitigation and supports costs for the long-term because military customers can protect their investment and avoid the high cost barriers and time-to-market penalties that changing operating systems normally incurs. Non open standards-based software is continuing to be overlooked in favor of Linux and POSIX, which is why you are seeing vendors employ scare tactics meant to fuel the FUD regarding the security of open standards-based software."
Achieving the highest level of security for open standards-based software is attainable
According to a study by the University of Idaho, there is a high correlation between DO-178B, a safety standard for safety-critical airborne systems, and Common Criteria, an international framework for developing a set of security requirements for IT products. The study concluded that DO-178B level A certified products, the highest level of safety for airborne systems, have significant overlaps with the lower levels of Common Criteria. LynuxWorks believes that its LynxOS-178 product will be certified to EAL-4 if not EAL-5. Common Criteria define seven hierarchical assurance levels of security, of which EAL-7 is the highest. Certification to EAL-7 dictates that a software product has been formally verified, designed and tested. Today, no commercial off-the-shelf (COTS) operating system is certified to EAL-7, although it remains theoretically and mathematically achievable.
A new paradigm for security: keep it open standards-based
LynuxWorks is currently developing a Common Criteria level EAL-7 secure separation kernel in concert with the NSA and others for the highest level of security ever achieved. The availability of an EAL-7 separation kernel would eliminate the timely and costly system evaluation process the government and military are currently performing on each operating system it deploys. The LynuxWorks separation kernel would ensure that any operating system, including Linux and other open standards-based OSes, could run in a secure partition in a EAL-7 system environment with no vulnerabilities. Most importantly, since the LynuxWorks separation kernel will be open standards-based, embedded software tools and applications that the military and government are currently using can be easily ported to an EAL-7 secure environment.
"The old paradigm of 'security through obscurity' is out the window," said Dr. Singh. "Perception is that you can not trust software that you did not create yourself. Reality is that with the advent of an EAL-7 separation kernel, you can. We're on the cusp of reaching a monumental milestone never before achieved in the embedded software industry."
Only Linux / POSIX conformance can unlock the power of level EAL-7 security
Support of the POSIX open standard in embedded systems assures code portability and is increasingly being mandated for commercial applications and government contracts. POSIX conformance means that software has been certified by an accredited, independent standards authority to be certified to all levels of POSIX. Currently, testing for full POSIX conformance is not readily enforced in the government and military. As a result, some vendors label their software as POSIX "compliant," a meaningless claim that simply lists which levels of POSIX are and are not supported. Although more government and military agencies are advocating stringent testing within military programs to enforce full POSIX conformance, currently only the Allied Standard Avionics Architecture Council (ASAAC) and the Navy OACE test for it.
As part of LynuxWorks' long-standing commitment to open standards support, its entire product line is POSIX conformant and capable of running Linux applications, including its flagship LynxOS® real-time operating system (RTOS), LynxOS-178, and BlueCat® Linux 5.0, the company's enhancement of the Linux 2.6 kernel. LynuxWorks' EAL-7 separation kernel will enable POSIX conformant OSes such as Linux to run in a secure partition, ensuring that current Linux, SolarisTM, HP-RT, HPUX and UNIX® applications that the military is using can be easily migrated to an EAL-7 secure environment.
LynuxWorks is a world leader in the embedded software market, providing operating systems, software development products and consulting services for the world's most successful communications, aerospace/defense, and consumer products companies. Established in 1988, the company is a technology leader in the real-time operating systems (RTOS) industry, and a founding member of the Embedded Linux Consortium (ELC). LynuxWorks headquarters are located in San Josť, California.
LynuxWorks is a trademark and LynxOS and BlueCat are registered trademarks of LynuxWorks, Inc.
Previous Page | News by Category | News Search
If you found this page useful, bookmark and share it on: