Embedded RTOS Maker Raises Linux Security Issues

drquizas writes "Embedded RTOS provider Green Hills recently delivered an address where they raised the question of whether Linux can be considered secure enough to be used in defense applications. Much of the usual FUD is present in the remarks, although an interesting question is raised regarding what defense and other government contractors are required to do in testing code (in this case anyway): is the closed code here being held to a higher standard than its open-source equivalent, and does this change the 'security through obscurity' argument?"

Open source is much better than closed souce

[mindless4210]

"Open Source is actually more secure than closed source proprietary software because the oversight of technology content is broader and deeper. Instead of just one company monitoring its own contributions -- or potentially hiding security holes and exploits -- a worldwide community of interested parties actually oversees Linux to make it strong and secure. That's why the NSA -- the most security-conscious organization in the world -- chose to standardize on Linux, and even supplies its own version of secure Linux."

Can't put it much better than that. When you have the contribution of the entire open source development community, so much knowledge and experience comes to the table that it's difficult for any one group of programmers to compete.

Re:Open source is much better than closed souce

[beacher]

Yeah but he's spewing this crap.. "Everyday new code is added to Linux in Russia, China and elsewhere throughout the world. Everyday that code is incorporated into our command, control, communications and weapons systems. This must stop." ... Cmon he has a vested interest... His own company puts out it's own RTOS Go to that link. Now. Read the TOP of the middle column "Real-Time Operating Systems Must be Highly Reliable"
Microsoft Windows, MacOS, Unix, and Linux often crash, lock up, or go crazy. They indicate this condition by displaying a sad face, an exploding bomb, a red X, a blue screen of death, or by simply refusing to respond to mouse-clicks or keyboard input.

This is FUD and he does have a vested interest.

Re:Open source is much better than closed souce

[Total_Wimp]

Come on. These guys have a valid point. When you rely on high-quality closed source vendors like Cisco at least you guarentee you won't have back doors built into your system.

Oh. Wait. Nevermind.

Re:Open source is much better than closed souce

[iamwahoo2]

Well, yes, he does have a vested interest and is trying to sell his product, but maybe why his company devised this product, because they felt their was a need and market for it.

Frankly, even as a faithful Linux user, I still have to agree with him. Our missile defense systems should not be running the same software as my home PC whether it is a commercial or open-source product.

Re:Open source is much better than closed souce

[Jeremiah+Cornelius]

No.

You want custom, quality, made for Govt. spec code! The kind that is produced by either the low-bidder, or corporate crony!

Re:Open source is much better than closed souce

[Eskarel]

Well the problem here is that that's not entirely true. Yes OSS receives testing from a much larger and broader group of people, but how much of an asset is that for the military.

I mean I can test the latest version of redhat, I can even, if I really desire to do so and am willing to work out the specifics, fix some of the problems I might encounter, but the militray is unlikely to care how something works on my system, they are going to want to know how it performs on their systems, the most important of which are likely to be either expensive and difficult to obtain servers or proprietary military hardware. I can't test that nor, I believe, can 99% of the people who test and examine OSS software.

Even the NSA doesn't use Linux, they use their own brand of Linux which they've probably modified the bejesus out of, Linux was just an easier place to start than other OS's(I don't doubt that the NSA could make their own version of Windows if they liked and there wouldn't be a damned thing MS could do about it, but it'd be a pain).

Re:Open source is much better than closed souce

[cmacb]

"Frankly, even as a faithful Linux user, I still have to agree with him. Our missile defense systems should not be running the same software as my home PC whether it is a commercial or open-source product."

Funny... I feel just the opposite. Whether it's missile control, voting machines or accounting system 99% of what the operating systems components are doing is the same. I'd want that code tested millions of times if possible. Of course some of the code, unique to that application, can only be tested in place, but the less there is of that the better. For every person who would want to introduce a flaw into such software there are hundreds, more likely thousands, who would want to expose that flaw and fix it. It really doesn't matter if their reasons are patriotic or ego related.

It is closed systems after all that produce voting machines with huge bugs in them, and closed systems that crash vehicles into Mars due to metric to English conversion bugs. It is also closed systems that had laptop computers being used in Afghanistan being subverted by pop-up messages from ... well, nobody really knows. The notion that closed systems are superior from the security point of view simply doesn't hold up to any sort of statistical analysis. Heck, it doesn't even hold up to a back of the napkin analysis.

Re:Open source is much better than closed souce

[HungWeiLo]

I develop aircraft safety software, and the FAA's guidelines require that all code and tools must be certified at the same level of competency. Windows cannot be qualified as a valid development tool or environment, because it is closed source.

Re:Open source is much better than closed souce

[mindless4210]

I believe that being able to build on top of open source software is one of the best parts about it. Customizing an open source project, in my mind, doesn't make it a proprietary or closed source project by any means.

It is not too difficult to build your own customized OS based off Linux, even using Red Hat (Although it wouldn't be my choice of distributions to start with).

Re:Open source is much better than closed souce

[abandonment]

the military uses the exact same off-the-shelf software and hardware that the rest of the world does - you think they have their own computer chip manufacturing going on? of course not.

you think they don't use the same big oracle databases that everyone else uses?

there was an article posted in the last week about the US navy's newest fanciest warship, the commanders were all drooling about how they can run the ship with 3 people on the bridge compared to 8 on a standard ship - and the article SPECIFICALLY said that the entire ship is run on standard off the shelf software and hardware.

the NSA uses linux because there are no suitable alternatives that are worthwhile securing. windows is flat out too broken for them.

the military is the same. they may have fancy mainframes for some stuff, but they still buy their who-knows-how-many-billion dollar software licenses from the same microsoft we do.

Re:Open source is much better than closed souce

[Halfbaked+Plan]

Windows could easily be qualified, by a team under NDA with a source license for Windows.

I've worked at a medical device company that produces implantable cardiac devices. They write their own code for the embedded devices, but all reading and control of the devices is done with licensed 'embedded' copies of off-the-shelf OSes in the 'Programmer' system. With Windows NT or OS/2, to be specific. In systems like that a 'narrow' approach is taken to qualify the design. A specific controlled code base is used, and a specific controlled hardware platform is chosen. It's rigorously tested and normally 'closed' components are audited.

You're almost certainly wrong in your assertion about Windows. Perhaps you work for a vendor who likes things that way, because they'd rather not build on a Windows platform. That's not an unreasonable approach to take, especially if you can make more money rolling your own and/or building in a codebase you've got your fingers deeper into.

Re:Open source is much better than closed souce

[Detritus]

you think they have their own computer chip manufacturing going on? of course not.

Yes, they do have their own chip fabrication facilities. The NSA has had one at Fort Meade for many years. I'm sure there are others.

Re:Open source is much better than closed souce

Most RTOSs are small, a tiny fraction in size compared to general purpose operating systems, making them easier to write well and test thoroughly.

The feature requirements for control systems are also vastly different and would inevitably exercise different features of the system, so testing in the server or desktop areas would be of limited value. No general purpose operating system provides hard real-time constraints out of the box.

My preference would be an open source RTOS. I know there are a lot of people who like Linux so much that they want to use it for everything, but that seems like emotional attachment more than rational thought. Software is very often used for purposes other than what it is intended for and best suited to doing, but this is often because of the "if the only tool you have is a hammer ..." phenomenon, combined with the fact that with software (programming languages especially), something that is far from the best tool can be made to work, and thus people don't bother to learn more than the few first tools they are introduced to.

Re:Open source is much better than closed souce

[0x0000]

You're almost certainly wrong in your assertion about Windows. Perhaps you work for a vendor who likes things that way, because they'd rather not build on a Windows platform.

No, he's not, your assertion that "Windows could easily be qualified, by a team under NDA with a source license for Windows." is just plain laffable. And I say that as one who has been working in DO-178b certification efforts for the last 8 years or so. Believe me when I tell you that I have already laffed out loud at that sort of a statement more than once, both on and off the job.

Take a look at the cost per line of code for the typical level A cert and you will find that just the sheer volume of code in Windows makes any such effort impractical. Then there's the issue of the man-hours of effort per line of code...

Also, saftey-critical code is requirements driven. That is, the requirements are defined, then the code is written to implement the requirements. Using this approach, even if you could find something in Windows that fit your requirements, by the time you removed everything else, it wouldn't be Windows anymore. There would likely be no requirement for the user interface, for example.

That said, it is notable that most operating systems that exist today have similar issues. The bottom line is, none of them can be considered an RTOS, so if an RTOS is what you need, they won't do.

Smaller kernels have a better chance if you're trying to make one compliant, and the scheduler is the most useful piece, since it a) is what is needed (otherwise an OS wouldn't be needed, a monolithic embedded application would suffice), and b) it must be completely reliable, incapable of allowing race conditions, priority inversions, lockups, etc.

As for Green Hills, the fact is that Green Hills has the reputation in the industry for having produced the only (there may be another, but this is their rep I'm speaking of) actual OS that has qualified under DO-178b.

There have been several tries to produce others, but to date none has qualified, afaik. I have been, and continue to be, invovled in those efforts, so I am properly a competitor to Green Hills, since I am not a Green Hills employee, and have not worked with their OS.

I have, however, been involved in attempts to bring the Linux kernel into compliance with both DO-178b and ARINC 653 (the document desribing the partitioned RTOS model for "Loadable Software Airplane Parts," that is expected to be used in the future, starting with RTOSs like the one sold by Green Hills). While the Linux kernel port is considered doable, the cost of the effort was more than that client chose to bear. Again, the critical part of the port was to make the scheduler provably deterministic. Without that, the OS can't be considered.

The marketting hype (FUD) included in the piece is standard marketting hype, and is completely beside the point from an engineering standpoint, but plays well with suits, who typically don't understand what they're trying to build (software-wise), anyway.

Also, if you take a look at the experience the US Navy had trying to use Windows NT for engine control applications, you will get an idea of a) the relative simplicity of making it function as an RTOS, b) the degree of effort Microsoft was willing to expend towards the reliability of their software for a critical system, c) what a dumb idea it was, and d) why anyone with any understanding of the problem will not trust their life to software made by Microsoft, NDAs notwithstanding.

Finally, regarding the Open Source/Cathedral/Bazaar argument: When creating saftey critical requirements and the implementation of them, it is pretty much impossible to have too many eyes on the work. Practicality and economics are the constraints. That, and security, in the case of military or other sensitive applications.

Re:Open source is much better than closed souce

[0x0000]

Well, yes, he does have a vested interest and is trying to sell his product, but maybe why his company devised this product, because they felt their was a need and market for it.

Definitely a need, and absolutely there is a market. There is also intense competition for the market. There are few players.

Frankly, even as a faithful Linux user, I still have to agree with him. Our missile defense systems should not be running the same software as my home PC whether it is a commercial or open-source product.

Oh, I don't know. Personally, I want to be able to perform missile launch and guidance control from my Linux desktop; the apparent performance degradation that would accompany the kernel revisions required to make it a true RTOS would be more than made up for by all the cool things you could do with it. Esp since the newer, faster hardware would make the deterministic scheduler appear to perform as well on the new hardware as the current scheduler performs on existing hardware. Just think of the possiblities.... It adds a whole new dimension to the idea of "fighting SPAM" or "nuking" an offensive banner ad...

Re:Open source is much better than closed souce

[0x0000]

You are correct, medical device manufacturers do in fact use Windows in some cases, and I find it plausible that they use OS/2, although I am not directly aware of an instance.

However, I would also point out that medical device manufacturers are not held to development process standards or testing requirements as stringent as those applied in the aerospace industry. I won't get into the possible reasons for that, but the medical industry is a lot more self-regulating.

In my experience, "critical" in medical industry software means somewhat else than it does in my field. This based on having interviewed for some of those types of positions. ...

Thanks for the 'Government Computer News: US Navy Ship stalled because of Windows NT' Anecdote. That one sure gets recycled a lot.

And for good reason. It was a clear case of Microsoft having bribed a congressional committee, and the first clue that many of us outside Microsoft got that El Senor Gates' ambitions reached beyond mere global domination of the software industry and great wealth. I think that aspect of it was not as widely discussed in the media, though.

Re:Open source is much better than closed souce

[dustmite]

Our missile defense systems should not be running the same software as my home PC whether it is a commercial or open-source product.

Are you a software developer, or don't you understand software development? As a software developer I cannot agree with you. Sounds a little like those who don't understand the math behind encryption and think the government can crack it by being smart/sophisticated. The more open and broadly tested software components are, the closer to impossible it becomes to crack them, NOT more possible.

Re:Open source is much better than closed souce

[flossie]

I develop aircraft safety software ... Windows cannot be qualified as a valid development tool or environment

Perhaps that may be true of civilian aircraft systems, but the DoD certainly has no objection to using Windows as a development environment for military aircraft. The Common Operating Environment may change that in the future, but MS Windows is definitely used at the moment.

Re:Open source is much better than closed souce

[JamesP]

"Real-Time Operating Systems Must be Highly Reliable"
Microsoft Windows, MacOS, Unix, and Linux often crash, lock up, or go crazy. They indicate this condition by displaying a sad face, an exploding bomb, a red X, a blue screen of death, or by simply refusing to respond to mouse-clicks or keyboard input.

Come on, if Windows was that bad Diebold wouldn't use it in their ATMs... Ooops...

Re:Open source is much better than closed souce

[tolan-b]

The point is that the specialist parts of the code are only a small part of the whole system. The generic parts, everything from the network stack through to userland commands like cp and mv, are tested by a huge number of people.

It's not like you're going to have open source missile guidance systems, they're going to be written by the government or their contractors, and so aren't open to contributions from all and sundry.

Re:Open source is much better than closed souce

[WNight]

You just know that if NASA released the algorithms they used for anything space related they'd have tons of people looking them over. From the bitter, trying to prove the government is stupid, or scientists looking to help or for ideas, to video game companies wanting to advertise that their game's simulation of a Mars lander is based on real NASA code.

Somewhere in there an imperial to metric conversion failure would be caught.

Popular projects never lack for developers or testers.

Re:Open source is much better than closed souce

[Mr.+Shiny+And+New]

I asked the same question to a university prof I had who consulted for NASA and he claimed that many people at NASA actually do all their work in imperial measurements, and they actually tried to make the ISS an all-imperial system. Still I think it's rather stupid that they can't use the standard measurement system.

A related Green Hills article...

on a related topic... here.

What? What? What11!11?1

[zogger]

quote from this raty-os dude

"It costs us $500 to $1,000 a line to review our source code. It would cost billions of dollars to review Linux."

Say whut? It actually costs this? why? where can I sign up???? I'll sub my per-line auditing out, rake it in...

Naw, cmon, really? the government charges this, or he just pays this cost? Because..huh?

Re:What? What? What11!11?1

[gnugie]

OS dude's got the quote wrong:

"It costs us $500 to $1,000 a line to review our source code. It would cost _us_ billions of dollars to review Linux."

That's why he's losing business.

The NSA seems to think

[pair-a-noyd]

that Linux can be made pretty damn secure.
If they have faith in it....
http://www.nsa.gov/selinux/

Re:The NSA seems to think

that Linux can be made pretty damn secure.
If they have faith in it....
http://www.nsa.gov/selinux/

except they say:

There is still much work needed to develop a complete security solution. In addition, due to resource limitations, we have not yet been able to evaluate and optimize the performance of the security mechanisms.

One problem, as I see it is there are many people messing with the code that each update would require a line by line check to verify nothing has changed - greatly increasing the cost to maintain it certified as secure. Close source, however, can be maintained by strict procedures to ensure only parts of it get changed, greatly reducing the time needed to verify. Is it "more secure" - that's debatable, but it is certainly easier to control changes; making it easier to keep secure.

As for the $500 - 1000 per line, that may be high, but probably only reprsents 5 or so hours of time, which is not an unreasonable estimate for teh time to check a line and what it does.

Re:The NSA seems to think

Wow! The NSA also thinks that Windows can be made pretty damn secure!!

Back to square one for that argument.

Review cost

[CrystalChronicles]

"It costs us $500 to $1,000 a line to review our source code. It would cost billions of dollars to review Linux."

Hows that any different from if they chose windows? Wouldnt it still cost them just as much? thats assuming they can get access to the windows code. At least with Linux you don't have to pay to get it.

And no the leaked source does not count.

Re:Review cost

[plone]

Green Hills isnt comparing Linux with Windows, but rather with their own RTOS, Integrity. Which in that case, THEY ALREADY OWN AND CONTROL THE BLEEDING SOURCE CODE!

Obscurity not worthless

[CaptainPinko]

While it is never good to rely on "security through obscurity", it doesn't mean that it is useless. For example, if after all the thorough testing the same number of bugs were left (hypothetically) in the software, they would be harder to find in the closed system where you wouldn't know where to starting looking as opposed to open source where you could scan the source until you came upon what looked like a vulnerability. The obscurity isn't harmful in itself and it provides an additional barrier. Maybe not a powerful, but every little bit helps. I'd feel a little nervous if I knew some terrorist (as a much over used example) could look over the source code (even if it had no holes!) for a nuclear weapon command centre or something of that sort. I think the ultimate question should be whether the open nature of the open source development can lead to the less bugs - and thus greater security- than closed source development plus the small bonus of obscurity. I think the value of obscurity may have been undervalued in the past, it does have some value.

Re:Obscurity not worthless

[Aneurysm9]

The problem with your thinking is that you assume military applications would be opened. That's highly unlikely. Military applications may be built on an open source platform, but the code for a "nuclear weapon command centre" will remain closely guarded. And, as was mentioned earlier, terrorists don't need open source software to exploit security holes. Have you ever used Microsoft's Flight Simulator? How about Wilco's 767 Pilot-In-Command? There are two pieces of closed-source software that could have greatly facilitated the September 11, 2001 attacks.

give us a break

[Aneurysm9]

"Everyday that code is incorporated into our command, control, communications and weapons systems. This must stop."

I don't know how they do things at his shop, but if the DoD is pulling code from CVS into their production systems without auditing it, we deserve whatever we get as a result. That said, I highly doubt that's happening and it's more likely this blowhard is just trying to put a good scare into the technophobic jarheads who control procurement.

Re:give us a break

[gnugie]

IAWTP.

If the Gov't requires the vendor to audit the code that stringently, why wouldn't they put the same requirement on the embedded Linux provider?

In that case, it's the vendor's responsibility to audit to the gov't requirements. I'm going to seriously doubt it'll cost $500/line, but it should already be a part of the quote.

Re:give us a break

[calidoscope]

In that case, it's the vendor's responsibility to audit to the gov't requirements. I'm going to seriously doubt it'll cost $500/line, but it should already be a part of the quote.

It might be more like $2,000/line - or more

There's also the issue of what kernel version you want to run - once you've decided on a certain version, it will be extremely painful to updtae to a new one. You've also have to validate that the compilers are generating the expected code. Compared to a well designed RTOS, Linux is bloatware.

One thing many Linux fans forget is that there are situations where you do not want to use Linux - pretty much the same way explaining to PHB's that there are situations where you do not want to use Windows.

Linux is a general purpose OS and there are places where general purpose OS's don't cut it.

Compare that to

[rasafras]

in-house code, as well.
The advantages of closed source coding seem to me to be a faster development time, stronger integration of components, and more support. The drawbacks, though, are that you are ultimately trusting somebody else.
Open source code, I would say, is more secure overall - there are more people looking at the code, so it is less likely that bugs slip through. The drawbacks would be that open source is less custom-made and possibly less supported than the rest (also, as O'Dowd would have it, people 'contributing' backdoors).
As for simply writing your own secure code (an agency doing this, that is), it's obviously just more expensive.
The best solution, in my opinion, is to make your own custom flavor of Linux that is open to all, but contribution is regulated so no questionable code can be admitted - the tack taken by the NSA.

Higher Standards

[njcoder]

There are much higher standards for security in these situations.

I know Sun had to have a special version of Solaris just to meet these needs and Solaris was already considered very secure to begin with. I can't remember if MS released a secure NT for this reason as well or if they tried to and failed.

Talking about the openess of the linux code, there's another question I always wonder nobody asks. Sure Linux is open source and that's what helps it get better but I don't see the argument in terms of cost and security. Saying "you have the source you can see how secure it is" doesn't work for me. People buy an OS because it's cheaper to spend a few hundred or a few grand per PC than it is to hire the staff to build their own OS. Having to have the staff that can review, maintain and patch their own linux kernel alone isn't easy. It's something like 1.5 million lines of code right now. People want an OS that just works and is cheaper than building one themselves.

Re:Higher Standards

[HiThere]

They got a Class C license (whatever that means), but only on the condition that it wasn't connected to a network.

A Few Quick Notes about Green Hills

[pridkett]

First, this isn't the first time that Green Hills has come out complaining about Linux, you may remember a previous slashdot story where they claimed that the embedded linux tools market was a myth. Secondly, this article, like their previous one is through EETimes. If you've ever read EETimes you'll know why that should make you question the quality/validity/truthfulness of all the statements in the article.

Basically, Green Hills seems to be just another proprietary software vendor scratching for ways to try and derail a competitor in their market space. Nothing to see here. Move along now.

Green hills hey?

[oddbudman]

Is it only me - cause when i read green hills I immediately thought about the Windowss XP background :P

Open vs. closed...

[briaydemir]

This is kind of a side remark that I haven't really thought on too much, but here goes. (I think I'm playing devil's advocate...)

(1) Who audits the open source software that they use? I certainly don't. I rarely even bother to look at the source. So in this respect, it doesn't matter (to me) if the software is closed source or open source since the code isn't looked at even if you (I) had the chance to.

(2) If you're not going to audit the code, will you trust the code developers to have done adequate auditing? Again, the folks who write open source software are, for the most part, as much a stranger as the folks working in some company (at least if you're me). Why should I trust "open source" strangers more than "closed source" strangers?

These points rarely seem to get brought up here. I can certainly see the answers to (2) giving the edge to open source, but what about (1)?.

The best line is about the spies who insert code

[Nice2Cats]

I had submitted this two days ago and it got thrown away, probably because I had the better quote:

"Now that foreign intelligence agencies and terrorists know that Linux is going to control our most advanced defense systems, they can use fake identities to contribute subversive software."

The whole story is so absolutely paranoid (The Russians are coming! Beware of the Yellow Peril!) and shows such a complete lack of understanding of the Linux Open Source process that it would make me worry if I were buying Green Hills' software: Do you want to buy something from somebody who is this divorced from reality and has this little understanding of how his competitor works?

He's right you know

[bogie]

For example you'll never see backdoors in commercial software. You can rest easy that they've done their job well and everything is nice and secure. That's why its better to stick with big commercial vendors like Cisco.

btw, why even give a story like this press? What a joke.

This makes no sense...

[Perseid]

I half expected to see a big "Sponsored by Microsoft" sticker on the bottom of the page.

Basically this guy is recommending we entrust the security of our defense systems to the code review teams of the closed-source OS, rather than taking the time and money to do have the DOD do it themselves. Sounds like a money saver until a missile goes blue-screen and blows up a school...

If these people are so concerned about code review(which, admittedly, they ought to be), then perhaps they should be writing their own OSes, especially for imbedded systems.

MissileOS...

secure programs howto

[e**(i+pi)-1]

Some good reading about this topic can be found here.

Pot Kettle

[DAldredge]

"Everyday new code is added to Linux in Russia, China and elsewhere throughout the world. Everyday that code is incorporated into our command, control, communications and weapons systems. This must stop."

Does he get this pissed about Microsoft, IBM, Sun, HP and other companies that outsource core dev to those same countries?

In all fairness

The parent post is funny but in all fairness I think the general idea is that he's discussing the cost per line for a very large system. A single line in isolation is easy to debug. But you can't debug them in isolation, can you now? I think it should be fairly obvious the average cost to debug per line of code increases the more lines of codes you have in the system. Since the different lines of code interact, you know.

And this tendency is probably much more pronounced when rather than debugging, you are, for example, attempting to certify something as a failsafe system.

Linux is a fairly large and multifarous system. If his company sells a product that is designed and streamlined to be an RTOS embedded kernel, it more than likely achieves this in far, far fewer lines of code than Linux overall. While he is probably being unfair by counting in the total number of Linux number of lines of code things like desktop video card drivers, it is an altogether reasonable statement to suppose that the streamlined and smaller RTOS kernel this company sells is probably easier to debug and reason about than the Linux kernel, which is relatively larger, more complex, and has more complex design goals.

Re:In all fairness

[maximilln]

-----
Annonymous anything is annoying to the military. They need to be able to trust who and what they're dealing with
-----
The military has no trust. The only reason why anonymous software bothers the military is because they don't have a clear idea who they're going to attack next.

I question why we should even care about the military. Other than chasing imaginary straw men across the world and disrupting thousands of innocent lives wherever they go, what are they doing for us? Are we really afraid that some nut is going to land an invading force on US soil? The thought alone is almost as ridiculous as anyone trying it. Are we really afraid that someone is going to lob a few nukes onto US soil? If that happens then no amount of submarines and tanks and floating palaces and flying planes is going to stop them.

Biggest load of sh**.

[chendo]

In the article, he states that anyone can contribute backdoors/trojans into the code because nobody is looking at the code. This is completely and utterly wrong. I'm pretty sure that to insert code into the kernel, you have to sign up to the mailing-list, and send in a diff. There, other kernel hackers can easily see the code, and if Linus accepts it, it goes into the tree. Even though anyone around the world can do this, the process is fairly strict.

Anyone want to place bets that Microsoft paid him to say that?

Market share hype from Wind River

[Animats]

Wind River makes a big deal about being "#1 in market share growth". But in the RTOS market, independent analysts list them as in seventh place.

Actually, this is somewhat misleading. The top players listed are Microsoft (Windows CE), Wind River, Symbian, Palm. QNX, OSE, and Green Hills. But Microsoft, Symbian, and Palm are really selling into handheld devices, not hard real-time control. (The phone and PDA markets are much bigger than real time control, though.) Wind River's VRTX is the dominant player by a big margin, especially in low-end embedded control. QNX is next, and is usable on a broad range of platforms. Wind River is more of a specialist maker catering to the military Ada market.

Following these seven come LinuxWorks and MonteVista, who are moving up. These are the main Linux-based offerings.

Also confusing the issue is Windows XP Embedded, which is basically a Windows XP from which you can delete stuff you don't need. This sells more into point-of-sale applications than hard real time control.

SAYODF

[10101001+10101001]

Green Hill seems to be making some unsubstantiated claim that open source isn't held up to the same standards as closed source, and I find that rather funny. I think the real issue is, when Green Hill approaches the FAA or whatever, the FAA will do its own testing of the source. If Green Hill's code is breakable, Green Hill is the one responsible for fixing it. But, if what the FAA is reviewing is open source, it's possible the FAA can just fix the source themselves (and avoid having to pay an outside contractor). So, Green Hill, to avoid the scenario where the FAA might be displeased with Green Hill's RTOS and switch to open source, decides on its *own* to spend $500/$1,000 per line to audit their OS.

In the end, this means to me that Green Hill believes OSS has an unfair advantage. Personally, I think it's perfectly fair for people to offer free software. If Green Hill doesn't like it, tough. Or, they can just make their RTOS so good that the FAA or some other organization will be so impressed they won't bother going over some OSS and possible having to fix bugs or write documentation. Looks like the free market to me.

PS: SAYODF == Self-Analysising Your Own Dog Food; it's like a water bottling plant bitching about there being freshwater lakes because lakes don't have to do their own quality control

Look at it this way.

[mcc]

Who audits the open source software that they use? I certainly don't. I rarely even bother to look at the source. So in this respect, it doesn't matter (to me) if the software is closed source or open source since the code isn't looked at even if you (I) had the chance to.

Let's say you're in a major city. Let's say there's a small, narrow street. And let's say you walk down this street twice; once in the middle of the day, when the street is well-lit and crowded. And the second time in the middle of the night, when it is empty, abandoned and dark.

In which of these situations do you feel more safe?

I would probably guess the second. Why? In both the first and the second case, you have no way of knowing if there is someone who has a weapon and wishes you harm. But in the first case, this possibility is not something that worries you.

Open source is kind of like the well-lit, crowded street, and auditing is kind of like being able to tell if someone wishes you harm. First off, you don't *have* to be constantly watching your back; it's more than likely someone is looking at your back at any given moment, and can tell if someone is walking up behind you with a blunt instrument. Second off, the fact that *everyone knows people are watching* means it's less likely anyone will try anything, because they know they'll get caught and have messy problems with the law.

Note that this argument does not go so well unless the open source product is relatively well used. If you're the only user, well, you're not much better off.

---

Anyway, as far as (1) goes, I would imagine that while it may probably be a very important point insofar as you go, as far as the kinds of software discussed in this article go it's not so useful. You probably don't audit the open source software you use. But a propreitary embedded RTOS vendor certainly would, since their demands for security and reliability are much higher.

But wait, you say, wouldn't the need to audit the code at that level be an argument against open source, since it destroys the "free" nature? Well, here we run into the basic problem of the conflation of "free" software with "open source" software, or the conflation of "free" software with what RMS might call "software libre". These two concepts are often described by the same term. However, they are not the same thing!

A program being open source does not mean that it can have a trusted company of some kind behind it! A company such as IBM could be providing an open source program they internally wrote, or you could have a case such as that with MySQL (ok, maybe that's not a great example, but you know what I mean) where a community-developed program passes through a certain central trusted point (MySQL AB) which can be trusted to-- or demanded to-- perform the auditing for you. So this is not a problem with Open Source, this is just a problem with software you downloaded for free off the internet.

People like O'Dowd are running scared

[ShatteredDream]

I caught this story on OSNews yesterday and posted a rebuttal on my blog. This sort of thing probably doesn't carry a lot of weight with most of the defense types because the military is the very definition of mission critical, no pun intended. Peoples lives are at risk on a daily business in most jobs in the military these days. There is almost no price too high to pay for the freedom to design to specification that Linux provides.

Linux is certainly not ready to take over a lot of things yet, but it is good enough for many things that traditional defense contractors are involved with. I wouldn't trust it yet as an OS for our warships or other vehicles, but I would trust it for communication systems and things like that. For situations like that, a RTOS from a company like Green Hills may not provide enough benefit to justify the cost. Linux is free, their product isn't. They can try to get the military hooked for a while, but Linux will always be free and there are plenty of IT workers in the military who could work on existing RTOS Linux forks for military use.

Another thing that has to be kept in mind is that with the push for homeland security, the laissez faire attitude that has been prevalent toward security has to go. The miltiary wants transparency so it knows it's not getting something bugged all to hell by some Jihadi who wormed his way into Microsoft or Sun via the H1-B visa program. The Debian and Fedora teams are great for that very reason. Everything is open to public scrutiny, from the installer to every package so the military gets a chance to audit everything.

Free markets are great, but in this case the military has to perform a more core mission: defend the US from attack. If that means violating free market principles by pouring taxpayer dollars into a free OS for public use, then they should and most likely will do it eventually.

Re:People like O'Dowd are running scared

[hak1du]

I wouldn't trust it yet as an OS for our warships or other vehicles,

I would trust it more in that application than Windows or even Green Hills.

Free markets are great, but in this case the military has to perform a more core mission: defend the US from attack. If that means violating free market principles by pouring taxpayer dollars into a free OS for public use, then they should and most likely will do it eventually.

What makes you think that is not part of the free market? When the military invests money in the development of Linux, it's because they decided that it's cheaper to get the software that way than to keep paying licensing fees to Microsoft or Green Hills. That is very much a free market decision.

Just because something is GPL'ed doesn't place it outside the free market. The choice of "free software" is a free market choice like any other.

Re:The best line is about the spies who insert cod

[fermion]

Considering the number of double agents we have caught in the US lately, I think our concern should be the employees of closed source companies sticking evil easter eggs into the code used in national defense. We have all these Americans selling secrets for years before being caught. OTOH, we keep arresting these residents only to release them for lackof evidence. It is not the foreign agent that is the danger, but the domestic agent doing anything to pay a mortgage, private school, and vacations.

DoD, Linux and Security

[thewiz]

Having worked as an systems administrator on DoD programs, I can tell you for a FACT that ANY software that goes on mission-critical systems is either developed in-house or very throughly scrutinized. They do code review, bug fixes and testing in a continuous cycle to get all the software bugs out. (This is one of the big reasons you hear about DoD projects going over time and/or over budget).

If COTS products are used, the DoD programmers will test the software for defects and ask the vendor to correct the defects they find. There have been cases where the DoD has signed NDAs to gain access to source code for COTS software to fix bugs that caused problems with the DoD software that the software company WOULDN'T fix. This has even been done to find backdoors, trojans, and other bad things that disgruntled employees of proprietary software vendors have put into that company's products.

OSS gives the DoD the power to make the changes they want to secure their systems the way they want. They WILL go through the code and look for backdoors, trojans, viri, etc. They may even set up their own repository and fork the kernel. Once the DoD has a trusted version of Linux, they'll use it in-house. I suspect that most DoD programs looking at Linux are probably testing NSA's version.

The DoD should be able to release some of the improvements they make back to the community, but don't expect them to release everything. The military still has it's secrets.

How the Defense industry produces code

[lkaos]

I used to work as a Defense contractor and I spent quite a lot of time going through the various processes. As a Linux developer, I can certainly say that Linux has not been developed to the same standards that the projects I've been involved on have.

For starters, in the DoD, every line of code is reviewed by hand by a team of reviewers (usually 4-5). There are records of all the defects found and verification that fixes were made. After the initial development cycle, there's a rigorious testing phase where all specifications are tested, senarios are ran, and stress tests are performed. Any defect from this testing is recorded, and the software doesn't ship until it's fixed. This usually ends up being a 2-4 year process of just doing bug fixes.

And for those that don't know the difference, Windows is *not* certified for tactical use. Having EAL4 is not the same as being certified for tactical use.

It's really a different type of software. It's not that Linux isn't good piece of software, it's just that it wasn't developed for this type of work. There's nothing wrong with that.

Re:How the Defense industry produces code

[0x0000]

I take it that tactical (?battlefield CCC?) is essentially written from scratch "inhouse" then? If so, that's a very good thing IMO. Gotta be damned difficult tho.

Well, that's part of the point, here. Green Hills is going after that market as a "COTS" (Commecial Off-The-Shelf) vendor. There are a couple other vendor companies who are in, or aspire to, that niche, and Green Hills apparently fears that some Linux-based outfit, trying to adapt Linux to the task, will give them additional competition. Hence the use of "Linux" in the FUD, as opposed to, say, NetBSD.

I would bet that Linux is no better or worse for the purpose than whatever codebase Green Hills started with. They are just trying to apply negative leverage due using what little bit people know and fear about open source. FUD is the term to describe it. Definitely. It will cost them customers in the long run, once the marketting people bring the Green Hills pitch to the engineers...

MS Isn't The Only One

[Tony]

Anyone want to place bets that Microsoft paid him to say that?

Nah, MS isn't the only one with a livelihood at stake. Linux is going to change the way a lot of people do business; some companies will not be able to adapt, and will die.

This is the sound of someone running scared. Plus, he probably believes what he says. Think about it from his perspective: his company is in the business of supplying good software, and he *knows* it's good software. Linux is deveoped in a strange way, one that is counter-intuitive to current business models. So it's no wonder he has said the things he said. From his perspective, it's true.

He's wrong, of course, but that doesn't change his perspective.

Re:BS and you know it! - China linux versions

[Total_Wimp]

How hard will it be for Chinese nationals to poison each of the major linux applications + the kernel?

And no one would dare do that at a closed source vendor. How on earth could it be possible for, say, a Chinese or Russian person to get a job a Microsoft or Cisco working on an operating system? It would never happen.

How right you are, our closed source software is completely safe!

Whose Linux is it anyway?

[LostCluster]

Linux, in a proper definition, isn't very functional. It's the OS kernel... you're gonna need some software to go with that. So, which distro should be the "standard issue" for a military use?

Drawing a line between what's secure enough to make the grade, and what that's out there might not be trustworthy enough for "secure" use is quite a tough thing. Sure, Open Source allows the code to be reviewed... but the government doesnt have the time to do that so that's no good for them.

Microsoft can at least come forward and show a big company standing behind their product... how can Linux match that?

Russian Gas Pipeline Code

[technoCon]

Note to self: If ever pirate Russian gas pipeline control software, look for the "paybacksAreHell" subroutine.

not open vs. closed, cathedral vs. bazaar

[alangmead]

When you buy a RTOS, you usually aren't getting compiled executable code. You usually get source code that you need to port to the hardware you are building.

Data sheets like this implies that Green Hills adheres to this common practice. So all the open source is more trustworthy than a black box arguments don't apply. Anyone who wishes to deploy a system based on Green Hills' RTOS can audit the code, it isn't hidden from them. Also, this PDF linked says:

INTEGRITY178B has been audited and approved by the FAA for DO178B Level A use.

Which to me implies that it has had a more thorough external audit than most open source packages.

One final argument is that an RTOS is usually very small. Their Velocity RTOS can run in 3KB of RAM. When the OS is stripped down to something that small, a full audit seems like a much less daunting task.

This implies that he isn't arguing security through obscurity. He is arguing for the cathedral approach vs. the bazaar. Don't get me wrong, he still is spreading FUD. Its just a different FUD than you think. He is ignoring the role that Linus Torvalds and some of his trusted lieutenants like Alan Cox play in planning a direction, vetting ideas, and protecting the stability of the code base. Patches don't just come out of the blue from anonymous sources and applied without any examination, no matter what Dan O'Dowd may think.

Re:not open vs. closed, cathedral vs. bazaar

[Halfbaked+Plan]

It is worth adding to your point that the 'Cathederal Method' versus the 'Bazaar Method' is not an open versus closed source schism. Raymond wrote that essay as a criticism of the small-group closed way that the GNU Emacs team was doing their work. It's quite possible, and rather common for source-disclosed projects, even ones that are released with the GPL or BSD licenses, to be developed by small closed groups who don't actively solicit outside code.

Re:not open vs. closed, cathedral vs. bazaar

[Saint+Nobody]

that they sell source code instead of compiled code just makes it even funnier and more desparately pathetic that, in their press release, they made a reference to this ken thompson paper as proof that the "many eyes" theory doesn't hold.

Re:not open vs. closed, cathedral vs. bazaar

Actually, Raymond was an idiot - cathedrals weren't built the way he seems to think they were.

Terrorists using fake identities to make changes?

[770291]

Wow, that's pretty thin. But let's assume it is a real possibility. What are the employee vetting procedures of closed-source companies? How do we know terrorists aren't working for Microsoft? If I were a terrorist, I think I would rather go the route of working for closed source in order to insert my devious code. There isn't a public review of my code, and apparently, important decision-makers seem to want to blindly trust closed-source companies while being hyper-suspicious of publicly-available open source code.

What people seem to forget as well is that terrorism is a moving target. One of the the things terrorists try to do is exploit weaknesses in the system. If open-source/Linux development had a history of rolling out changes with little review or testing, then I could see there being a case for concern. But where is the weakness right now? Closed source! Partly because of attitudes like this. You can't trust open source, but you can trust closed source. So who would the terrorists try to exploit? They aren't going to use open-source if it is going to be heavily scrutinized. Not to mention the outsourcing of development, which only reduces the ability of employers to know who is really working for them.

What's the difference with open-source? I think that it's simple -- your code is your identity. I don't care who you are, I care what you are contributing. You can tell me what a great patriot you are and show me all sorts of credentials, but if you submit crappy code, you aren't worth any more than someone who submits the same code anonymously. You will have to endure the same peer review, your code will have to perform just as well.

oss anonymous?

[IncohereD]

Excuse me? Isn't the whole point of the LKML/CVS/BitKeeper process that every line that goes into the kernel (at the least) is traceable to somebody? Do any major projects give out anonymous CVS access? Or even access to people who aren't at least somewhat known by other developers?

Meanwhile, at many commercial companies you could have employees who worked there for a few months and got fired/quit. Depending on their internal code tracking it might be hard to tell what code they submitted, and whether it should be changed. And I really doubt they keep track of the employees after they leave.

Most OSS projects you probably have at least an e-mail for all the contributors.

Closed source should be held to a higher standard

[stox]

IMHO, closed source solutions must be held to a higher standard then open source solutions. Open source solutions are proven in the wild, while close source solutions are much less so. With the availability of the source code, far more permutations of attack have probably been attempted against open source than closed source. In bottom line testing terms, chances are that open source has had far better code coverage tested than the closed source competitor. Closed source solutions must be held to a higher standard to compensate for this difference.

Trojan horses not much of an issue in embedded OSS

[hak1du]

I doubt Trojan horses are much of an issue in embedded systems: since embedded systems don't generally have external Internet access, it would be hard to trigger a Trojan horse in an embedded system, so any failures it would introduce would have to show up randomly and not just in response to a trigger.

Furthermore, for embedded code to try and infer what kind of system it's running on (military/non-military, essential/non-essential, deployed/non-deployed) and only fail in the essential, deployed, military systems is essentially impossible with the kind of minimalist code that could be hidden in an open source project and not noticed.

That means that if anybody planted a Trojan horse in OSS that was of any military significance, it would show up during testing as random failures, and that is just taken care of by normal testing procedures.

Note that the same argument doesn't work for closed source: something like a Green Hills embedded kernel could easily ship with a huge Trojan horse that looks for specific strings in system output/logs ("military", "target", "live munitions", "vehicle speed", whatever the military lingo is) and/or looks for specific sensor types, output devices, and/or communications channels and only triggers under specific circumstances likely to represent actual combat situations. While such attempts to identify combat situations would be blatantly obvious in 100% open source software and be noticed right away, they could easily be hidden in any big binary component of any closed source system.

DO-178B and Linux.

[BStorm]

The FAA approves software when it is written according the DO-178B specification. This specification states that software when developed must adhere to a development process.

This is defined within the D) 178b as software requirements, software specification, software design, source code configuration, and software test suites. If one changes one part then all levels affected must change as well.

Simply put a paper trail must exist for every change made in a system. It is stringent anal rententive form of development. It is costly since the amount of book keeping that must be done to incorporate changes.

This is the 'cost' that O'Dowd is refering to. In order to make a 'DO-178B' compliant version of Linux a group of developers/software house would have to:

1) Ensure that a comprehensive set of functional requirements is generated to match the desired platform.

2) Define a kernel that matches desired functional requirement. Any kernel portion that is not needed is defined out.

3) Specify the behaviour for each driver. Ensure the driver is fully specified. Work from the source and ensure that the behaviour of each execution path is documented.

4) Ensure that all changes to this build are reviewed and a paper-trail exists for all changes and changes are made for solid well documented reasons.

5) Use the documented behaviours to generate test cases that validate the documented behaviour.

It goes on and on...

There is nothing inherent within Linux that would prevent a DO-178B build to be created.

Only in the last 3 years has Green-hills has marketed a DO-178B compliant system. DO-178B as a standard has been around for I believe the last 10 years. Hmmm...

DIEBOLD VOTING SYSTEM PROGRAMMERS ARE RUSSIAN

[goombah99]

Yeah and no one would think of letting foreign nationals and crimminal programm voting machines in the united states that dont have open source software.

oh yeah I forgot. Diebold uses russians. Sequoia is foreign owned. Shouptronics founder served time for Election Machine Rigging, Seqoia execs indicted for bribing election officials, and GEMS VP of research served time for computer fraud.

In contrast OVC is a multi-national effort but its all open source so no one cares there be foreign nationals programming US machines.

Re:BS and you know it! - China linux versions

[Jah-Wren+Ryel]

With all the off-shoring of work that large companies like Microsoft, HP and IBM do there is at least a perception on their part that when selling to the DoD that they should downplay the fact that foreign nationals, in foreign countries, not only have read access to the source code for the OSes (NT/XP/HPUX/AIX) that most DoD contractors don't have themselves, but that these same foreign nationals also, in many cases have write access to that source code too. Whether most DoD contractors care, I don't know, but like I said, the vendors often remind their customer interaction people to gloss over those kind of details.

Re:RTOS has some inherent reliability advantages

[afidel]

There is a real time variant of linux called RTLinux which is used across a large number of embedded and real time sensitive industries to great effect. Real time scheduling is exactly that, mostly about the scheduler. Linux is modular enough that it has had no less than four different schedulers in the last two major kernel releases, not counting the RT variant. If you can have as large a swath of the code peer reviewed as possible then I don't see where you can really go wrong, if you feel more testing is needed then put dollars into testing, not into creating new code that is then going to need just as much testing!

O'Dowd did not learn Thompson's lesson

[Eric+Smith]

Mr. O'Dowd of Green Hills Software obviously didn't really learn anything when reading Ken Thompson's paper, or he would realize that the trust problem Thompson described is just as severe with commercial closed-source software. Actually, the compiler trojan Thompson described was for commercial, closed source software.

In fact, open-source software may have a slight advantage here, because it's less of a monoculture. Presumably Microsoft always uses their own Visual C++ compiler to build Windows, so if there were a trojan in the compiler that compromised the resulting Windows executables, it would be present in all copies of Windows that Microsoft distributed. But open source software is by its nature built on many different platforms using different compilers, so a compiler trojan would only affect a portion of the deployed copies of the open source software. And it is possible that a trojan introduced by one particular compiler would be found due to the executable it produces being different in some noticable way from the executable produced by a different compiler. For instance, strace might show the trojaned executable making extra system calls.

How does Mr. O'Dowd propose to assure us that his company's operating systems and compilers are more secure than Linux, xBSD, GCC, etc? Is he certain that none of his employess who have written code incorporated into his products have ever installed trojans? If so, how has he gained this certainty? Has he scrutinized every line of source code himself? Including those of the compilers that compiled the compilers, back all the way to the machine-code only origin of the system? Somehow I doubt it.

It is a matter of historical fact that far more trojan and back door exploits have been present in commercial, closed source software than in open source software. Just two days ago Cisco had to issue a security advisory regarding a back door found in their WLSE and HSE products. Would Mr. O'Dowd conclude that foreign agents and terrorists are responsible for that? Would he really have us believe that these shadowy figures can compromise open source software developed in the public eye more easily than they could subvert a commercial closed-source software package for which the source code and development process get no public scrutiny?

One is forced to conclude that Mr. O'Dowd feels his company's business model is threatened, and rather than change that model to reflect changes in the marketplace, he prefers to use "the sky is falling" proclamations in an attempt to scare customers into sticking with his products.

Re:The best line is about the spies who insert cod

The whole story is so absolutely paranoid (The Russians are coming! Beware of the Yellow Peril!) and shows such a complete lack of understanding of the Linux Open Source process that it would make me worry if I were buying Green Hills' software: Do you want to buy something from somebody who is this divorced from reality and has this little understanding of how his competitor works?

There are a number of open source projects that have had their servers 0wn3d by crackers in the last year or two. In at least one or two cases the source code was tainted.

So, are you saying that, given an appropriate motivation (like linux being used to power Star Wars weapons) that the national security apparatus of a major power, with what are relatively unlimited resources and methods (buy equipment, time, expertise or information, hack, bribe, extort, tait software at source, infiltrate, murder (project lead?)) wouldn't be able to insert code when a pimple faced kid somehwere was able to do so?

Do you think that code would automatically be detected when so many bugs, bad practices, poor design, etc., etc., go undetected or fixed in open source software?

Consider this. Ken Thompson used to be able to login to just about any unix system in the world even if he didn't have an account. People checked and rechecked their systems. It didn't tend to help them. He later revealed his secret. Next, check out the Obfuscated C Contest. Some of the entries have additional functionality that isn't evident. One example is this one which implements 4 functions. I certainly wouldn't put it past somebody to be able to produce pretty standard looking C code that would pass the sniff test but which would, either by itself, or perhaps in combination with other code, implement an entirely different, second level of functionality which could be exploited as needed.

Given the potential stakes of defense work (losing a war, national survival, etc.) there is plenty of potential incentive for the finest minds a nation produces to tackle these problems, and potentially solve them. If you believe otherwise I think you are living in an open source dream world.

Embedded Software Different from Desktop/Server

[oldCoder]

The costs and benefits of reliability are different
If you've got your real time system in rom inside a piece of equipment, or in thousands of pieces of equipment, you've got to be very careful with it.

Desktop system can be patched and upgraded, but ROMs have to be replaced or flashed. For example, you've got to bring the missle into the hanger/lab and hook up the reflashing unit or swap out the ROM chip. You've got to test the missle with the new chip. Out in the field, the soldiers have new ly upgraded missles (or tanks...) and would really like to know that it will work when they need it. You can field test a tank, but some missles are expensive, especially when all you want to do is prove you installed the right chip in the right way.

When a desktop or server software hiccups, the human user can work around it. Often this is not the case in communications and avionics.

Linux Advantages Don't Translate to Military Embedded Systems
Embedded systems are almost always memory-resident and have no disk for software storage. There are usually no user identities to manage, and the user interface is quite often absent or primitive.

Most of the advantages of Linux do not apply to an embedded, military situation: Licensing fees for software are usually a negligable part of a tank, missle or radar. Embedded RTOS systems are already quite reliable, and do not suffer from nearly as many buffer overruns, neither are they susceptible to hackers. Embedded military systems are almost never connected to the internet.

You could build a reliable, compact embedded software system from embedded Linux, but you'd want to write all your own drivers and you would have to port it to special hardware. This approximately the same amount of work that you would have to do if you were to use a proprietary RTOS.

The vast bulk of the problems users experience with proprietary OS's are 1) expensive to license, more expensive to license across many machines. 2) Security vulnerabilities resulting from using a system designed and built for stand-alone personal use in an internetworked environment. Neither of these problems matters much to embedded, military systems.

Piss bucket boy...

[Badanov]

This won't win me any mod points, but...

This Green Sumfiun fella said all this because he can get away with saying it even if there is nothing of substance.

The idea that code is being introduced as though no one is minding the store is fatuous.

The very idea that an open source project is less secure precisely because it is open source is equally fatuous, but I suspect the speaker already knew that. To borrow a phrase from Chris Rock, ain't nothing in the world worse than someone who knows you won't sue them.

What is the most absurd part of the remarks, implicit in them is the idea that someone from Russia or China has no desire that the Linux kernel be secure for their own national defense interests as well, and that no one other than the US is interested in helping the DoD maintain a strong defense.

Remember: The United States of America is the sole remaining bulwark against the barbarity represented by terrorists, their supporters, nation-states who provide funding and enablers. The United States wants to preserve civilization, not knock it down

Saying that folks who live under different flags do not share the same goals as the US is as goofy as the speaker's assertions

There is TINY_OS

[cheekyboy]

What is time any way.....

Each application has different needs, so some might need 1ns accuracy (nuclear detonators/patriot missiles) , and some might need 20ms accuracy.

Besides linux there are other RT free OS's , like TINYOS - http://webs.cs.berkeley.edu/tos/
or mini NetBSD.

Linux isnt the only thing around, theres a lot of choices which are free, just that linux gets the attention, both good and bad.

Re:This has little to do with Closed v.s. Open

[Ada_Rules]

Sure Integrity is certified but it has very limited capability. If I were doing something that required DO178B level A certification, I would consider it and I would likely not consider Linux (yet). I would consider other vendors (Windriver pops into mind) as well as going OS'less and using a smaller microkernel approach.

However, very very little Defense software requires DO-178B level ANYTHING certification.

This certification does not mean that there are not bugs in the software. Based on some limited experience I would say it does not even imply that the compiler and OS that Greenhills provides actuall even works together.

In the end, selecting an environment for any system has little to do with a closed v.s. open source issue and more to do with selecting the tool fits the job. However, the portion of the trade space that deals with open v.s. closed would certainly tip in favor of Open since I have almost no hope of reviewing or discovering holes in a closed system.

Technically, there is a concern

[Great_Geek]

In theory, it may be possible for someone to hide some trap-door function that allows some un-authorized access.

Before lecturing me on the "many-eyes" theory of code inspection, recall that some cases take a LOT of work to decided. In fact, many people are probably familiar with a famous instance of this problem - DES. For a quarter-century, the debate has raged on whether NSA selected the S-Boxes to have an unknown weakness, AKA private back-door. Many clever cryptographers have spent many man-years and there is still no conclusive statement. (I happen to agree with the majority view that there is probably no such weakness but I wouldn't bet my life on it.)

So, the question is: can someone put in a bunch of clever code in appearantly unrelated places that happens to create a security hole? Emperically, this happens accidentally quite often (just go through the CERT security advisories for examples) so it is at least possible that someone could deliberately put one in.

There is no theoretical reason nor practical experience to say that "many-eyes" will catch all of these traps (even if we assume there are many eyes actually looking). Indeed, even concerted detailed code-inspection may not find them all.

Having raised this question, I like to state that I believe that this is most likely a theoretical concern as long as there are "owners" of each piece of code who pay long-term attention to their charges and that we can assume the owners are not colluding. This first condition pretty much eliminates any "simple" holes that are localised in a single component, the second condition makes it very difficult to have multi-component holes. Forturnately, most open-source software, including Linux, meet these conditions; so I am not too worried.

Is it right for national agencies to be worried? Of course they should! But it is also relatively easy to just have their own "shadow owner" for each module. So it is possible for the agencies to gain confidence at low cost (not cheap, just low cost relatively speaking).

I have explored Integrity and...

[stdio9]

I'm a long time Linux user (late '93) and advocate and I have explored Integrity about four months ago. Let them spread FUD if they want. I would hope that we, the linux community are above that. Nothing would please me more than to have this guantlet be taken up by some interested folks, have them explore some of the major concepts which Green Hills promoted for their embedded OS, and impliment them for embedded Linux.

Green Hills Integrity has interesting features such as kernel and MMC enforced seperation of memory space, manatory access controls in the OS, and most insteresting, guarantied resources.

It seemed to me, talking with a presenter that came into our firm, that Green Hills has three things going for them. First, they really do seem to have a solid design, well throught out with features required for folks seeking high levels of trust and availability (technically) and they have multiple organizations (FAA and soon NSA) backing their security targets (things they claim it does, verified by NIAP labs, etc), and third, they have some really fantastic debugging tools. Real-time and record and re-run monitoring for *everything*, direct off your emebedded hardware. Some of their stuff is really slick.

I'd hope that our community can see past the FUD and marketing dribble, and get to the heart of the challenge. If we want to show Green Hills up, take some of the key concepts which their customers require, such resouce availability and DAC capabilities of the OS and integrate them into embedded linux as options. Leave them with only the tools market, and in five years they may just be developing tools for embedded linux development instead...

Don't let Green Hills pull the wool over your eyes. This is not an Open Source vs Proprietary fight. They have some very nice security concepts and features embedded linux simply can not (yet) complete against. This is just the left jab...it's the distraction, watch for the right fist in closed door sales presentations and as deal closers. Would you let your CEO explain anything techincal? You might let him use a left jab...

He is overreacting.

[master_p]

Defense applications are usually running in an isolated environment, not connected to the internet or any WAN. So I can't see how there is a security problem. Furthermore, most real-time weapon and radar systems use operating systems like Lynx, not Linux or Windows.

Security issues may exist in development environments, that are usually LANs connected to WANs. In that case, Linux is preferrable, due to better security.

As for open source being better when it comes to security, it is irrelevant to defense applications subcontracting. As long as the subcontractor is audited and found to have satisfactory methodologies and coding procedures, the contractor is ok. The focus in these cases is on qualification and testing, and they usually do exhaustive testing (i.e. testing every possible case) to make sure the application works as intended.

I admit....

[zogger]

I don't have much knowledge into real time, although like most people I guess I "use" them all the time, just don't see it. Everything got osme embedded doo dad in them now. I'll take linux/bsd out of the equation and just use a generic "open source" then as a future projection model. Right now, what you say may well be true. In the future, and the real soon future, it just might not be so. If I had to bet,I'd bet on open source capturing most of the computer market for all purposes sooner or later. Not all, but most. Heck, I had as little of two years ago people (inet gurus mostly in discussions) telling me that open source was gonna not even be here much around this time, that it was a soon to disappear fad, would never amount to anything, that it was "doomed". I think it's safe to say at least on that point, those were an inaccurate past assessments. Whether or not closed source/propietary will maintain a huge presence, for the immediate future-the next few years, I think it will, but it will gradually lose steam, as it is now. And I think the emphasis will gain ground on a rising curve for open source, not just maintain a steady state. None of us has a lock on the future, but I think it's possible to get some pretty obvious trends. If there's a market or an interest, it's gonna be worked on in the open source arena, and so far, as near as I can see, that modality is getting some nice advances, moreso than what most of the mainstream pundits *that I read anyway) predicted just a few years ago. And it certainly shows in the software that is near mainstream now, take moz for example, and the larger distros. They are *signifcantly* better than two years ago, the improvement curve is most impressive. Not sure if this will slide into the real time and embedded applications, but it appears it will. Besides that, no one really "knows" so I'll concede on that.

What NSA Secure Linux really is.

[Animats]

There's a general misconception about NSA Secure Linux. It has a tough security model, but it's not developed to high security standards. The whole point of NSA Secure Linux is to find out if useful applications can be built on an OS with a mandatory security model. NSA has had tough OSs built for them before (I worked on one), but they were so restrictive that very few applications were developed for them.

What developers can do to help is to modify a web server, a mail server, and a DNS server (the most attacked server side software) to run under NSA Secure Linux, partitioned into levels of integrity.

The idea is that just because somebody attacks, say, the mail server receive program, that doesn't get them power over the whole system. All it should do is let them run their attack code in a jail where it can't do anything except burn CPU cycles, and maybe generate phony incoming mail. Mail associated with the known IP address from which that copy of the receiver was launched, so the problem can be tracked.. When they disconnect, or some monitor program kills the corrupted component off, all the damage should be flushed.

You need to rework key server apps so that about 95% of the code is untrusted and jailed, while the 5% that has to do security-related functions is isolated, identified, and carefully examined.

That's what NSA Secure Linux is for.

Security, Linux, and open source

[Paul_murphy]

Here's what Bruce Schneier had to say about this whole argument back in 1999:

"As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It's true for cryptographic algorithms, security protocols, and security source code. For us, open source isn't just a business model; it's smart engineering practice."

Exactly right - so much so that I've asked my editor at linuxinsider (which will be offering a rebutal of my own soon) to contact him for permission to reprint his whole article on the subject. That may not happen, but you can look at it directly on his website: http://www.schneier.com/crypto-gram-9909.html and sae how an expert handles the somewhat loony argument against open source in high security environments.