Need More Secure Operating Systems

Kaspersky Lab has announced that it is developing a secure operating system for protecting SCADA (supervisory control and data acquisition) and ICS (industrial control systems). These are the systems used for industrial control. They are core to most utility companies and industrial infrastructure, controlling such things as valves and switches.

Security experts have been warning about the vulnerability of SCADA and ICS systems and the possibility of attack. A malicious attack on a water system could have very real and life-threatening ramifications. That is why Kaspersky believes there is a critical need for better resistance to attack on these crucial systems. Kaspersky Lab has begun work on a new operating system, described as a secure-by-design environment for the operation of SCADA and ICS systems. The main purpose and focus of the new operating system will be security. The approach is to build security in rather than manage risk afterwards.

Recently, U.S. Secretary of Defense Leon Panetta stated that the nation is facing a “digital Pearl Harbor” or “digital 9/11” from hostile nation-states like Iran. There is real reason for concern. It has been reported that the US fired the first shot in this war with the Stuxnet worm, used against the Siemens industrial software and equipment in Iran’s uranium enrichment infrastructure.

Most common operating systems in use today were started during simpler and less connected times. They were designed when remote access was easier to control and physical access was a bigger concern.

Today’s operating systems are too complicated. They are general-purpose operating systems (Linux®, Windows® and UNIX®) that have evolved dramatically over the course of the last 20-30 years. They try to be everything to everyone and to support every purpose. That breadth creates vulnerabilities that can be exploited. Some of the major items that create exposure within operating systems include:

Too Much Code at Highest Hardware Privilege Level – Modern microprocessors typically provide four levels of hardware privilege that the operating system may use. Such privilege levels, together with virtual addressing, are employed to separate and protect data and executable code. The common operating systems today use only two privilege levels and grant the highest level too easily.

System Code is Not Authenticated When Loaded – Operating system code is assumed to be trustworthy; it typically is loaded from disk storage into memory and executed with little if any authentication to ensure that it has not been altered since it was originally created. Attackers take advantage of this situation to install their own code on disk, and/or to modify the original version of system modules on disk. In doing so, attackers are able to compromise the integrity of targeted systems. They often disguise the existence of their attack code, making it almost impossible to detect or eliminate. Such stealthy “rootkits” pose some of the most serious threats to the security of computer systems and networks, as they can operate unfettered and undetected for long periods of time.

Systems Designed to Run Dynamic Code – Dynamic code refers to code that was not shipped with the operating system, but which, while a system is running, is allowed to download and execute on the system. Two examples include Java applets and ActiveX applications. While these capabilities make possible the development of dynamic applications that are easily downloaded and executed within a target system, they also open up significant security holes that attackers take advantage of to install malicious code.

Executable Code is Not Locked Down – Operating system code often is not locked down in any way, either on disk or in memory. System code on disk can be read by a determined attacker, and system code executing in memory is often just as accessible. All microprocessors allow memory pages to be restricted to some combination of read (R), write (W) and/or execute (X) access privileges, but operating systems often do not take advantage of these capabilities.
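What taking advantage of those page permissions looks like in practice, as an added example (not code from the original post or from Secure64's product): a page is filled while writable, locked read-only with mprotect(), and a later write is shown to be refused by the hardware, with a fault-signal handler and siglongjmp() used only to recover and report the result. It assumes a POSIX system such as Linux.

```c
/* Added example (not from the original post): lock a data page read-only with
 * mprotect() and confirm that a later write faults, catching the fault signal
 * and recovering with siglongjmp(). Assumes a POSIX system such as Linux. */
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);   /* returning would just retry the write */
}

/* Returns 1 if the write to the locked page was refused and the data is
 * unchanged, 0 if the write went through, -1 on setup failure. */
int locked_page_rejects_write(void) {
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, "setpoint", 9);            /* fill while still writable */
    if (mprotect(page, pagesz, PROT_READ) != 0) { munmap(page, pagesz); return -1; }

    /* Linux raises SIGSEGV for this write; some BSDs and macOS raise SIGBUS. */
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int blocked = 1;
    if (sigsetjmp(fault_env, 1) == 0) {
        *(volatile char *)page = 'X';       /* must fault: page is read-only */
        blocked = 0;                        /* reached only if it did not */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    int intact = (page[0] == 's');          /* reads are still permitted */
    munmap(page, pagesz);
    return blocked && intact;
}
```

The same mprotect() call with PROT_READ | PROT_EXEC, and never PROT_WRITE | PROT_EXEC on one page, is how a system keeps its executing code from being rewritten in memory.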

Code Execution from Data Buffers and Stacks – One of the most common ways that attacks are initiated is through a buffer overflow. Buffer overflows are programming errors in which software attempts to store information beyond the boundary of the buffer intended to hold it. The result is that the information can overwrite other stored information and/or program control data. Attackers can take advantage of this by carefully crafting a malicious input stream to send to a vulnerable process. When read into the vulnerable process’s input buffer, the attacker’s input data overwrites critical control information, such as a return address on a stack, causing the executing function to return control to attacker code rather than to the legitimate caller of the function.
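The overflow described above, as an added example (not code from the original post or from Secure64): a constructed length-prefixed record is read into a fixed buffer that sits directly in front of a control field, with the unchecked reader beside a hardened one whose length checks run before anything is copied. The record format, struct and function names are assumptions made for this example.

```c
/* Added example (not from the original post): a fixed-size input buffer with a
 * control field right behind it, plus two readers for a constructed record format
 * (one length byte, then payload): one trusts the declared length (the bug the
 * post describes), the other validates it before copying. */
#include <stdint.h>
#include <string.h>

#define PAYLOAD_MAX 16
#define CONTROL_SENTINEL 0xA5A5A5A5u
struct frame {
    char payload[PAYLOAD_MAX];   /* input buffer */
    uint32_t control;            /* stands in for adjacent control data */
};

/* Vulnerable pattern, shown for recognition only: len may exceed PAYLOAD_MAX,
 * so memcpy runs past payload[] into whatever follows it. */
int read_record_unchecked(struct frame *f, const uint8_t *rec, size_t rec_len) {
    if (rec_len < 1) return -1;
    size_t len = rec[0];
    memcpy(f->payload, rec + 1, len);
    return (int)len;
}

/* Hardened reader: both checks happen before a single byte is copied. */
int read_record_checked(struct frame *f, const uint8_t *rec, size_t rec_len) {
    if (rec_len < 1) return -1;
    size_t len = rec[0];
    if (len > rec_len - 1) return -1;   /* declares more bytes than were sent */
    if (len > PAYLOAD_MAX) return -1;   /* would spill into f->control */
    memcpy(f->payload, rec + 1, len);
    return (int)len;
}

/* Feed one record to the checked reader. Returns the reader's result, or -2
 * if the control field behind the buffer was disturbed. */
int checked_read(const uint8_t *rec, size_t rec_len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.control = CONTROL_SENTINEL;
    int rc = read_record_checked(&f, rec, rec_len);
    return f.control == CONTROL_SENTINEL ? rc : -2;
}

/* Constructed over-long record: the length byte claims 40 bytes, 2.5x the buffer. */
int overlong_record_result(void) {
    uint8_t rec[41];
    memset(rec, 'A', sizeof rec);
    rec[0] = 40;
    return checked_read(rec, sizeof rec);   /* -1: rejected, control intact */
}
```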

There is no such thing as perfect security in the computer world. Conventional operating systems offer a level of security that is appropriate for some organizations and activities, especially where the risk or consequences of damage or loss are sufficiently low. However, for organizations where the risk of damage or loss from network attacks is high, conventional operating systems do not offer sufficient protection. For these organizations, genuinely secure operating systems provide the needed secure foundation for mission-critical server and network applications.

That is why at Secure64 we have developed our own highly secure operating system. We designed it first and foremost to be secure. It addresses all of the issues cited above, along with other features such as resistance to DDoS attacks. For more information please visit our site. You can also download a whitepaper on secure operating systems.