It’s said necessity is the mother of invention. About 15 years ago, Dr Gernot Heiser, from Data61, looked ahead and, despite being fit and healthy, could foresee a day when he might need an implanted, life-supporting device such as a pacemaker. He didn’t like the idea that it might be attacked remotely. So he set out to build a trustworthy computing platform that could not be hacked.
While the idea of trustworthy systems is not new, Heiser says his team is one of the first in the world to achieve it. The first version of the kernel was released eight years ago and it “created a lot of waves in the scientific community,” he said.
It’s important to note, said Heiser, that no system is unhackable; “it’s only a question of the degree of effort you put into it”.
Heiser says what makes his platform different is that a system built on it can’t be hacked by subverting the operating system he has developed with his team. He says the software he has produced is bug free and has the “right” security measures in place.
One of the reasons malware is able to work on modern systems is that we rely on “fundamentally broken operating systems” today. Heiser says that while Windows is often the main target, macOS and Linux are not inherently better. He put this in purely mathematical terms.
“They’re too complex to get right. Rule of thumb is that for typical software, you are left with between two and five faults per thousand lines of code. If you realise the whole operating system is tens of millions of lines that means there are thousands of bugs whether you like it or not. In typical code like an operating system, experience shows that between 10 and 25% of these faults actually are security exploitable”.
With that many flaws, it’s inevitable that modern operating systems will be broken.
The focus for Heiser has been on embedded systems, as it’s still an open playing field with no entrenched market leader dominating the software side of these devices. His team doesn’t just have software engineers but also experts in mathematics who can prove properties of his systems objectively.
Heiser says the operating system he has developed is usage agnostic, but it is mostly used in cyber-physical systems such as drones and industrial machines. Much of the work and funding Heiser has secured has come from overseas, with the US Department of Defense very interested in his work.
One of the companies Heiser has worked with is Boeing, on its “Little Bird”. This is an unmanned helicopter airframe that is being used for autonomous flight.
During tests before Heiser’s involvement in the project, penetration testers hired by DARPA took a few weeks to break into the software used to control the Little Bird. They could change waypoints to alter the helicopter’s navigation and take control of its flight in a mid-air attack.
Heiser worked with Boeing’s team to re-engineer the Little Bird’s software.
“At the end, the red team could break in. We actually gave them administrator access to a Linux system running on top, on the flight computer running all the critical software. They could not break in and conduct a mid-air attack,” said Heiser.
Heiser’s trustworthy system runs directly on the hardware, as a hypervisor, which allows other software, including a full guest operating system, to run on top. By allowing only specific, well-defined operations to pass between the virtualised functions and the rest of the system, it is possible to ensure that only specific commands make it from user-layer applications to the hardware.
“We guarantee that the interfaces cannot be bypassed. We can prove any communication between components can only happen if it complies with operating system policies. This is what all good engineering is about. It’s about modularising things and making sure they have well defined interfaces”.
By isolating functions in separate components, it becomes possible to control them more strictly. In Boeing’s case, the original software had to be modified: some components were changed, while others could be ported as they were in order to make them work on Heiser’s system.
The potential applications of this are very broad. Aside from military and industrial applications, such a system needs to be considered for IoT. With so many devices entering the network with no real security, there is a need to find a way to make them more trustworthy.
While it might not be possible to embed Heiser’s software in small, low-cost devices, it could be used in control systems. For example, while it might not make sense to run this trustworthy platform on a thermostat, it could work on gateway systems so that erroneous or hacked devices don’t result in equipment being damaged.
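The two ideas above, a kernel that refuses any communication not granted by a static policy and a gateway component that forwards only specific, validated commands towards the hardware, can be shown together in a small model. The following Python is an added example written for this page; it is not seL4, Data61 or Boeing code. The component names, the policy table, the command whitelist and the geofence coordinates are all assumptions made up for the illustration, and the "red team" attempts are constructed inputs.

```python
"""Toy model of policy-mediated communication between isolated components.

Added illustration for this page, not seL4, Data61 or Boeing code. The
component names, the static policy table, the command whitelist and the
geofence are assumptions invented for the example.
"""
from dataclasses import dataclass

# Assumed components of a hypothetical flight computer.
LINUX_GUEST = "linux_guest"        # untrusted VM; assume the attacker is root here
MISSION_FILTER = "mission_filter"  # small trusted component that checks commands
FLIGHT_CONTROL = "flight_control"  # the critical control software
AUTOPILOT_BUS = "autopilot_bus"    # hardware-facing driver

# Static policy: the only (sender, receiver) channels that exist at all.
# In a capability system a component can only talk on channels it was given a
# capability for when the system was built; everything else is refused by the
# kernel before the receiver ever sees a byte.
POLICY = frozenset({
    (LINUX_GUEST, MISSION_FILTER),
    (MISSION_FILTER, FLIGHT_CONTROL),
    (FLIGHT_CONTROL, AUTOPILOT_BUS),
})

# Assumed whitelist enforced by the filter, plus a geofence for waypoints.
ALLOWED_COMMANDS = {"set_waypoint"}
GEOFENCE = {"lat": (-34.0, -33.5), "lon": (151.0, 151.5)}  # assumed bounding box


@dataclass(frozen=True)
class Message:
    sender: str
    receiver: str
    command: str
    args: dict


def kernel_send(msg: Message, audit: list) -> str:
    """Deliver msg only if the static policy grants the channel.

    The sender's own privilege level (root inside the guest, say) plays no
    role: the only question is whether the channel exists. Returns the
    receiver's verdict string and records the decision in audit."""
    if (msg.sender, msg.receiver) not in POLICY:
        audit.append(f"DENIED  {msg.sender}->{msg.receiver} {msg.command}")
        return "denied: no capability"
    audit.append(f"DELIVER {msg.sender}->{msg.receiver} {msg.command}")
    return HANDLERS[msg.receiver](msg, audit)


def mission_filter(msg: Message, audit: list) -> str:
    """Trusted gateway: only whitelisted, in-range commands go any further."""
    if msg.command not in ALLOWED_COMMANDS:
        return "rejected: command not whitelisted"
    lat, lon = msg.args.get("lat"), msg.args.get("lon")
    if not (isinstance(lat, (int, float)) and isinstance(lon, (int, float))):
        return "rejected: malformed waypoint"
    if not (GEOFENCE["lat"][0] <= lat <= GEOFENCE["lat"][1]
            and GEOFENCE["lon"][0] <= lon <= GEOFENCE["lon"][1]):
        return "rejected: waypoint outside geofence"
    # The filter re-sends on its own channel; it cannot lend the guest its capability.
    return kernel_send(Message(MISSION_FILTER, FLIGHT_CONTROL, msg.command, msg.args), audit)


def flight_control(msg: Message, audit: list) -> str:
    # Forward an already-validated command to the hardware driver.
    return kernel_send(Message(FLIGHT_CONTROL, AUTOPILOT_BUS, msg.command, msg.args), audit)


def autopilot_bus(msg: Message, audit: list) -> str:
    return f"applied {msg.command} {msg.args['lat']},{msg.args['lon']}"


HANDLERS = {MISSION_FILTER: mission_filter,
            FLIGHT_CONTROL: flight_control,
            AUTOPILOT_BUS: autopilot_bus}


def red_team_attempts() -> tuple:
    """Constructed attempts from a fully compromised Linux guest.

    Returns (verdicts, audit_log)."""
    audit = []
    cases = [
        # 1. legitimate mission update through the sanctioned interface
        Message(LINUX_GUEST, MISSION_FILTER, "set_waypoint", {"lat": -33.8, "lon": 151.2}),
        # 2. reach the flight controller directly, bypassing the filter
        Message(LINUX_GUEST, FLIGHT_CONTROL, "set_waypoint", {"lat": -33.8, "lon": 151.2}),
        # 3. drive the hardware directly
        Message(LINUX_GUEST, AUTOPILOT_BUS, "set_attitude", {"roll": 90}),
        # 4. a command outside the whitelist, via the sanctioned channel
        Message(LINUX_GUEST, MISSION_FILTER, "set_attitude", {"roll": 90}),
        # 5. a whitelisted command with an out-of-range waypoint
        Message(LINUX_GUEST, MISSION_FILTER, "set_waypoint", {"lat": 0.0, "lon": 0.0}),
    ]
    return [kernel_send(m, audit) for m in cases], audit


if __name__ == "__main__":
    verdicts, log = red_team_attempts()
    for v in verdicts:
        print(v)
    print("\n".join(log))
```

Only the first attempt reaches the hardware; attempts 2 and 3 never reach a handler at all because no channel exists, and attempts 4 and 5 are delivered to the filter but stop there. The point of the model is the separation of the two checks: the kernel enforces which channels exist, independently of the sender's privileges, and a small trusted component enforces what may pass along a channel that does exist.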