An interview with Green Hills Software's CTO David Kleidermacher: EAL6+ certification boosts confidence for Green Hills, world's security
While Green Hills Software is a mainstay in the embedded industry, its recent embedded software community first – Common Criteria EAL6+ High Robustness certification of its INTEGRITY-178B RTOS – is anything but mainstream. Editor Sharon Schnakenburg recently conducted a long-distance interview with Green Hills CTO David Kleidermacher on what the milestone means to the industry, to Green Hills, and to the world’s security at large. Edited excerpts follow.
VME: What was the motivation behind Green Hills certifying its INTEGRITY-178B RTOS to EAL6+? I understand it was NSA [National Security Agency] driven?
KLEIDERMACHER: So there have always been people in the government interested in seeing if an operating system could be certified at this high a level of assurance. But the actual programs of record that made it happen were the F-22 and F-35 because of the expectation that these fighters are communicating over networks to battle commanders, to assets on the ground, and so on. So these aircraft indeed act as network nodes and are a very important part of the GIG or net-centric operations.
The government is concerned about protecting sensitive information on the aircraft and across the network. This led to the security evaluation of INTEGRITY-178B, which was selected for these programs and for this evaluation because of its security pedigree. Then beginning in 2005, INTEGRITY-178B was put through the paces of the certification process.
VME: EAL Common Criteria certification’s highest level is 7. Why strive for level 6+ then?
KLEIDERMACHER: The government uses the term "High Robustness" as the security level needed to protect high-value information or high-value assets at risk of attack from determined and sophisticated attackers. National secrets and private banking information, for example, are "high value." And when you’re on an open network where enemies could get at your information or try to sabotage your system, that’s a high-risk, high-sophistication threat.
Thus, the government created the U.S. Protection Profile for Separation Kernels in Environments Requiring High Robustness. But there’s no such thing as certifying to high robustness – at least there wasn’t at that time, so the government mapped High Robustness to Common Criteria since that is the international standard for security evaluations. The resulting specification was something that’s just about EAL7.
VME: Then what’s the difference between EAL6+ and EAL7?
KLEIDERMACHER: There were a couple of requirements left out from EAL7 – so that’s why the security level is referred to as "EAL6+" or "EAL6 augmented" instead of "EAL7." But on top of that, the government added dozens of requirements that weren’t even in Common Criteria in order to meet the High Robustness demands for the operating system. So a more accurate naming would be "EAL6 augmented and extended," but that’s too lengthy, so people just call it "EAL6+." Most importantly, EAL7 requirements for formal methods, as well as source code NSA penetration testing, are included. Some would argue that the Protection Profile is harder than EAL7 because of the extensions.
VME: So this is the highest level of EAL certification earned in the industry so far.
KLEIDERMACHER: Yeah, no one’s even come close to it. So for EAL4, even EAL5, it’s all informal or semiformal kinds of analysis, and the rigor for the development process and testing is far less. There are no formal methods required until you get to EAL6 and 7. So INTEGRITY-178B is not just the first operating system but the first software product that’s ever been certified at this level.
VME: So can you tell us briefly about these "formal methods"?
KLEIDERMACHER: The formal methods are actually a mathematical proof of the security policy. The operating system is formally modeled and there’s a security policy that has to be enforced by the system, and we actually formally prove it, using modern theorem proving techniques. This provides an incredible level of assurance – it’s awesome because basically it means that every line of kernel code has been mathematically analyzed.
VME: You also mentioned penetration testing – how did that play into the certification?
KLEIDERMACHER: At EAL levels 5 and below, the rigor of independent vulnerability assessment is commensurate with a low or medium attack potential. EAL6+ requires penetration testing to counter high attack potential. Thus, the NSA’s experts get the source code and try their best to find vulnerabilities.
VME: How are the requirements compiled for the certification process?
KLEIDERMACHER: All the requirements are collected into the "protection profile." So when a Common Criteria certification is done on a product, that product is certified against a standard that corresponds to the product type. There are protection profiles for firewalls, operating systems, antivirus software, Web servers, whatever. The protection profile defines both the functional and assurance requirements.
VME: So what’s the No. 1 thing that makes this certified INTEGRITY-178B RTOS unique?
KLEIDERMACHER: It’s the level of confidence. The difference between EAL6+ and what’s out there in the commercial world today is literally the difference between secure and not secure. At EAL4+, which is where most of the rest of the world is at – Linux and Windows – those are very functional and useful systems but they are specifically known by every security expert in the world to not be able to protect your network against sophisticated attackers. EAL6+ can protect you, will protect you against sophisticated attackers. It’s as simple as that.
VME: Practically speaking, what kind of security threats does INTEGRITY-178B prevent?
KLEIDERMACHER: If you look at general-purpose OSs – I don’t want to pick on Windows or Linux, so just imagine any general-purpose OS – how do security problems arise? They usually result from vulnerabilities in the actual product itself. And so by having this level of assurance – by having the formal methods and the level of testing and design – we essentially say "There are no defects in there" and so there’s no surface area for an attacker to go after.
VME: So what was the biggest challenge in the certification process for Green Hills?
KLEIDERMACHER: The biggest challenges, I think, were political and bureaucratic. INTEGRITY was designed from day one to reach this level. When we came out with it in 1997, we knew we would do this some day – that we’d go through the certification. It was designed for it. Formal methods were designed in. In 2002 we got our first DO-178B Level A – that’s the highest level – flight safety certification and now we have the security certification. One thing that makes the process so long is that someone else has to independently certify it. If you’re going to be putting the country’s crown jewels or an enterprise’s crown jewels under the control of this system, it has to be independently certified. We accept that it needs to happen. It’s just a bummer that it has to take so long.
VME: So this whole process took nearly a decade. What were the milestones?
KLEIDERMACHER: Certification signing actually occurred last September, but the Common Criteria evaluation process began in 2005. One thing to keep in mind – the protection profile itself also has to be certified because if that hasn’t been vetted to contain the right requirements, how can you certify something against that? So that didn’t get done until 2007. The NSA really spent a lot of time looking at the source code. The complete evaluation is a long process.
VME: So does INTEGRITY-178B port easily to other hardware apps, other than the two it was originally certified for?
KLEIDERMACHER: Yes. Now that we have the first version certified, we expect to do many "delta certifications," where you certify the same basic software but on different hardware platforms. Because every time you move it from one hardware platform to another, some things like the formal methods are reused, but things like device drivers have to be reevaluated. We have a lot of demand in our customer base for more and more certifications. This first certification was about 99 percent of the work, but it was like breaking the back of the problem, and so weíre not worried about the deltas that follow.
VME: Are you saying that you have to go back to NSA and do all this again when itís moved to a different platform?
KLEIDERMACHER: Not the whole process. Itís basically a preapproval kind of thing. So we have a process for moving it from platform to platform and we have government signoff on how thatís done. Iím not sure weíll announce all of them, but weíll just keep doing deltas because everyoneís got a different platform they care about.
VME: So what does INTEGRITY-178B’s EAL6+ certification mean to the software and embedded systems communities?
KLEIDERMACHER: Most people in the embedded community understand this bar that weíve achieved. But itís not just an important event for our embedded systems customers; itís actually an important event in the security world. Itís never been done before, and it proves that high assurance is possible for important pieces of software.
VME: Do you think your competitors will follow suit with their own certifications?
KLEIDERMACHER: There are people out there who would like to get to where we are now, and there are people out there who have announced plans to get to where we are now. NIAP has a website [www.niap-ccevs.org] revealing EAL certification progress by product and vendors. If you’re not listed there, then you’ve got a long way to go. None of our competitors are yet listed on the NIAP website as having started the process. And if they do, it will take them a very long time.
VME: Why is that?
KLEIDERMACHER: What they’ve done is they basically said "Our old products can’t do it," and so they’re creating essentially from-scratch, brand-new products. And they’re very up front about it. Not only is a new product harder to get certified, but there’s the question of "Does it really work?" There’s something that the Common Criteria can never test for, which is a proven-in-use pedigree: It’s been flying in airplanes, it’s been running in life-critical devices, those kinds of things. Our product was running in devices for more than 10 years before we got our certification.
VME: Where did Green Hills get the foresight to design INTEGRITY and plan for this certification 10 years ago? While cyber attacks occurred, they weren’t nearly as common back then as compared to now.
KLEIDERMACHER: Dan [O’Dowd] really foresaw a need for this, even back then, because if you look at the OSs that were running in airplanes and other critical devices, embedded systems, most of it was on VxWorks and VRTX operating systems. They were built in the early ’80s, don’t have partitioning, don’t take advantage of modern hardware facilities, and weren’t designed for complex pieces of software. He looked at the future and said, "You know what – the amount of software in these systems is exponentially growing. We need something that can do a far better job. It has to be secure, it has to be safe. And I’m going to design INTEGRITY from day 1 to be that way." So he was really 10 years ahead of everybody else.
VME: Money spent is always a perceived drawback of certification. How much did this EAL6+ certification cost?
KLEIDERMACHER: I can’t provide any numbers personally. Certainly the government at least partially funded that. It was expensive. I’m not going to mislead you. It was millions of dollars.
VME: Do you think all your customers will switch to your certified RTOS, now that it’s available?
KLEIDERMACHER: I think it’s going to grow the market for our products in general. Contracts will begin to require EAL6+ certification, because it now exists, and so the INTEGRITY-178B market will continue to grow. A lot of our customers who consider our commercial INTEGRITY offerings say, "Well, I know that there’s the same kernel technology between the two." They might not necessarily need a certified product, but they want the pedigree of it, so they’ll just stick with our commercial product. That’s a common thing that happens, because of customers’ comfort levels.
VME: So NASA’s Orion project is using the certified RTOS? Which other types of mil or critical apps might benefit?
KLEIDERMACHER: Yes, Orion is one of the projects we have announced. As far as military and critical applications, oh gosh, where do I start? Software-Defined Radio is a big and emerging thing as well as Type 1 cryptographic communications devices. Really, it works well in any communications device that’s managing sensitive information. INTEGRITY’s been running a lot of those historically. It’s a big market for us.
VME: So what about net-centricity and the GIG – a blessing or a curse?
KLEIDERMACHER: It has the potential to be a curse, and it really is going to require some serious intelligent security engineering to be sure it doesn’t become a curse. As the world gets more connected on networks, people are more exposed to hackers. Same thing on the Global Information Grid. You’re basically saying, "Take all of our valuable stuff and put it up on a network." Most people would think that’s a really bad idea on the surface, but if you can secure it, it becomes the best thing since sliced bread due to the power of information availability.
VME: What’s the answer to net-centricity and GIG security concerns in the future?
KLEIDERMACHER: I think it remains to be seen. The biggest thing is that there’s an enormous community of people involved in determining what it’s going to look like. You have government bureaucracies, you have large corporations. We’re a relatively small company. We have a proven technology and process, and we are the world’s leading experts in architecting things to be highly secure. Some people out there understand that you have to approach things in a different way if you want to achieve this level of security. But there are a heck of a lot of people out there who just don’t get it. They don’t know information security threats are out there. And unfortunately, they’re putting very important things under control of operating systems and other software technologies that can’t possibly be secure. I love my iPhone, but I would never trust national secrets or even my digital identity to my iPhone.
VME: So what’s next for Green Hills, say, in the next 5 to 10 years?
KLEIDERMACHER: I think you’re going to see Green Hills with its INTEGRITY Global Security subsidiary become a company that’s focused much more on the world’s security problems and not just embedded systems. That’s probably the biggest change you’re going to see for us. Embedded systems are important; they’ll always be important to us and we’ll always be an embedded innovator. However, what we’ve done in regard to INTEGRITY-178B’s certification is so important to the security world that we believe it needs to be applied to the enterprise world, so you’ll see an increased focus on that. We believe we’ve actually solved the problem of securing the Internet, but we have to get the word out to the rest of the world.
David Kleidermacher, CTO at Green Hills Software, is responsible for INTEGRITY Global Security's technology strategy and solutions. As CTO of Green Hills, David manages the technology evolution of the INTEGRITY secure OS, of which he was one of the original developers in the 1990s. He is a leading authority in systems software and security, including secure OSs, secure virtualization technology, and the application of high-robustness security engineering principles to solve computing infrastructure problems. He holds a Bachelor of Science degree in Computer Science from Cornell University.
Green Hills Software, Inc.
805-965-6044
www.ghs.com