Security holes are everywhere even in secure virtualization systems, says Green Hills Software CEO

By Joseph Normandin

Posted by John McHale
If the Wikileaks scandal shows anything, it proves that no system is as secure as people may think it is -- especially software virtualization systems, said Dan O'Dowd, chief executive officer of Green Hills Software, during the company’s Software Elite Users Technology Summit. "Virtualization adds nothing to security," he added.

O'Dowd pointed out that virtualization systems have less code, "but that just means they are less bad, not more secure. Running bug-ridden operating systems in virtual machines does not solve the security issue unless the virtualization system itself is secure."

He then made a point that I think resonates well beyond virtualization systems. "The security claims of popular virtualization systems are just marketing fluff to exploit the desperate need of all computer users for security," O'Dowd says. These systems have only been evaluated to the National Security Agency's (NSA's) Common Criteria EAL4+.

According to the Common Criteria, EAL4+ "makes them appropriate for protecting against 'inadvertent or casual attempts to breach system security,'" O’Dowd said. It's as if they have five doors to their house but only locked four, he added.

O'Dowd was working up to making the case for his company's EAL6+ secure virtualization software, but I think he's also right that this is not just a virtualization security phenomenon.

People are lazy when it comes to securing their computers. They all want their systems to be secure, but typically buy into the marketing fluff of certain technology because they like the convenience it provides. However, in the long run they are setting themselves up for security breaches.

It reminded me of something an export compliance officer at a major aerospace company once told me that he tells his employees who travel overseas. He says they need to assume that their emails are being read and their phone conversations are being listened to. It doesn't make you paranoid, it makes you vigilant, he said.

Speaking of vigilance, let's get back to the secure virtualization discussion.

During their work in this area O'Dowd's engineers found security vulnerabilities in standard device drivers in virtual machines. He said they attempted to use I/O memory management units (MMUs) to improve the security of virtual machines, but found that "it doesn't work.

"We weren't looking for vulnerabilities, we were just trying to make the device drivers work," O'Dowd said. "Modern I/O devices often contain huge software control programs consisting of hundreds of thousands of lines of code and they have just as many security vulnerabilities as traditional operating systems."

He made the case that if users want to be vigilant with their virtualization systems, they need to use an EAL6+ secure system like that offered by Green Hills. Makes sense, but with that vigilance also comes cost.

Systems like Green Hills do not come cheap, so it becomes a matter of managing risk. Military and avionics systems cannot take that chance, but companies in less mission/life critical applications may be able to get away with it.

What's more expensive: paying for the security ahead of time, or not paying and hoping nothing happens? I guess it depends on whether or not you think you, your company, or your technology is actually a target.
