Building a Security Hardened VxWorks Kernel
Table of Contents
- 1. Introduction
- 2. Prerequisites
- 3. Related Documentation
- 4. Understanding NIST 800-53
- 5. Understanding the VxWorks Security Hardened Profile
- 6. Hardened Profile Implementation Details
- 7. Building the VxWorks Hardened Profile
- 8. Next Steps
When any procedure is undertaken involving issues of safety and security, tight controls must be followed by those executing the procedure. For example, imagine you are going to the hospital for an operation. You would be right to expect the hospital staff to follow careful industry standard guidelines on the preparation of the operating theater, the execution of your procedure, and the envronment within your recovery ward.
The NIST 800-53 security controls perform a similar function for those developing secure software systems. When these security controls are adhered to, the end result is more likely to reflect a secure design approach that minimizes the effects of hostile cyber attacks and intentional and unintentional human error.
In this blog, I will talk about how the VxWorks security hardened profile helps you build systems that adhere to NIST 800-53 and follow a security methodology.
VxWorks is a Real Time Operating System built by Wind River.
NIST stands for National Institute of Standards and Technology.
These instructions assume that you are using:
An Intel target supporting TPM and secure booting. For example, a DELL Latitude E6540 laptop Two USB flash drives, 4GB minimum size. A Windows workstation with the following installed on it: Wind River VxWorks 7, SR21.07
3 Related Documentation
For more information on these topics, refer to:
Wind River documentation: VxWorks Hardening Guide Approach document VxWorks Hardening Guide
NIST documentation: Security and Privacy Controls for Federal Information Systems and Organizations, http://dx.doi.org/10.6028/NIST.SP.800-53r4 Framework for Improving Critical Infrastructure Cybersecurity, https://www.nist.gov/system/files/documents/cyberframework/cybersecurity-framework-021214.pdf
4 Understanding NIST 800-53
NIST describe a set of goals for an organiation to aim at that will result in a secure software development process. This set of practices does not dictate specific steps to take. It describes a general philosophy and a set of outcomes that you must aim at if you are to produce secure products and services.
The goals are described in “Security and Privacy Controls for Federal Information Systems and Organizations.”
They are arranged into four groups of outcomes:
– Prepare the Organization – your people, processes, and technology are set correctly to produce secure software.
– Protect the Software – your organization must protect all software components from unauthorized access.
– Produce Well-Secured Software – you must produce well secured software with the minimum of security vulnerabilities.
– Respond to Vulnerabilities – your organization must identify residual vulnerabilities in software releases and respond appropriately.
5 Understanding the VxWorks Security Hardened Profile
The Security Hardened Profile is documented in two Wind River publications. The VxWorks Hardening Guide Approach document describes how Wind River has mapped VxWorks onto the NIST 800-53 standard. It has created a document called the VxWorks Hardening Guide which is presented in the STIG document format as defined by the GPOS SRG. This identifies a set of requirements.
The requirements themselves are also defined by NIST in their “Framework for Improving Critical Infrastructure Cybersecurity.” Requirements are subdivided into five functions: Identify Protect Detect Respond Recover
Each requirement maps onto at least one NIST 800-53 security control.
Three levels of requirements are defined in the VxWorks approach document:
– Mandatory – these requirements must be met by both Wind River and the developer using VxWorks to build a secure product.
– Discretionary – these requirements are optional.
– Not Applicable – these requirements are desktop operating system specific and so not relevant for VxWorks.
6 Hardened Profile Implementation Details
When you build the VxWorks kernel and apply the hardened profile, many security related kernel features are included as a matter of course: Disk encryption to secure data at rest in the system Secrets repository to manage the secrets that enable secure communication SSH Kernel hardening Secure loader RTPs Stack smashing protection
But in order to meet the NIST security requirements, many important features are not provided by Wind River, but must be implemented by the designer of the end system. Refer to the “VxWorks Hardening Guide” for a breakdown of these customer supplied functions. For example, a securely booting target must be used to take advantage of the kernel boot keys. Also, the system hardware must be designed to take account of hardware anti-tampering. It should be hard for someone to access the system hardware without consent. And the system should support patch management, so that security fixes can be applied once the system is deployed.
The hardened profile can be built in three different configurations:
– Required Controls – include the base set of NIST 800-53 compatible controls.
– Required and Discretionary Controls – include the base set of controls and add networking support to them.
– Development (with shell) – includes the insecure kernel shell for development purposes only.
You should not deploy a secure system based on “development (with shell)” as it contains powerful development features that can be used to undermine security.
7 Building the VxWorks Hardened Profile
The hardened VxWorks profile is only supported with the itl_generic BSP.
We will build a set of projects that conform to “development (with shell)” configuration. We will do this in two stages.
We will start with stage 1.
7.1 Create the Hardened VxWorks Projects
a) Open Wind River Workbench
b) Select File > New > Example > VxWorks System Setup
c) Click Next
d) Select VxWorks Security Hardened System
You are now in the System Creation Command dialog box.
e) Set the System base name as “hssHardenedVx1”
f) Set the Test or Development Image as “development (with shell)”
g) Click Finish.
Workbench then creates three projects: hssHardenedVx1_develop_vsb, hssHardenedVx1_develop_vip, hssHardenedVx1_develop_rtp
h) Build hssHardenedVx1_develop_vsb
i) Open the project hssHardenedVx1_develop_vip
j) Locate and open the file rtpPartition.c
k) Add the following line to the top of the file. This ensures the default path for RTPs on the target is the /romfs drive:
l) Locate and open the file scapVxWorks.c
m) Add the following line to the top of the file to disable the SCAP mechanism. This checks that only secure components are being included in the build.
n) Open the Kernel Configuration tool, find the DEFAULT_BOOT_LINE and give the target a valid IP address
o) Build hssHardenedVx1_develop_vip
7.2 Prepare the USB Flash Drives for the Hardened VxWorks Kernel
We will use the two USB flash drives to boot the target. I will refer to them as flashdrive1 and flashdrive2.
a) In the VSB, locate the three files secureLoader/db.sig, secureLoader/KEK.sig, and secureLoader/PK.sig
b) Copy these three files to the root of flashdrive1
c) In the VIP, locate the file loader/obj/uefi_x86_64/BOOTX64.EFI.signed
d) Copy this file to flashdrive1 as EFI/BOOT/BOOTX64.EFI
e) In the VIP, locate the file default/vxWorks.signed
f) Copy this file to flashdrive1 as EFI/BOOT/bootapp.sys
g) Eject flashdrive1 from the workstation and insert into the target
We must create a 2 GB partition on flashdrive2 for the secure kernel to use.
h) Insert flashdrive2 into the workstation and create a single 2GB partition using your workstation partition management tools and format it as FAT
i) Insert flashdrive2 into the target
7.3 Boot the Stage One Hardened VxWorks Kernel
a) Power-up the target and enter the BIOS
b) Use the BIOS to add the security key files db.sig, KEK.sig, and PK.sig as secure boot keys
c) Reboot the target and watch VxWorks start and the kernel shell appear on the target console
d) From the kernel shell, run the devs command to identify the device names of the flash drives You will see something like the following:
-> devs drv refs name 4 [ 3] /ata0a 4 [ 3] /ata0b 4 [ 3] /ata0c 4 [ 3] /ata0d 4 [ 3] /bd0d 4 [ 3] /bd16a 11 [ 3] /host.host 9 [ 3] /input/event 0 [ 3] /null 2 [ 5] /pcConsole/0 4 [ 3] /ram 8 [ 3] /romfs 1 [ 3] /ttyS0
The device name of flashdrive1 is /bd0a, and flashdrive2 is /bd16a
We now know the VxWorks device names of flashdrive1 and flashdrive2. It is now time to move to stage two where we will recreate the hardened VxWorks profile projects using these device names.
7.4 Create and Boot the Stage Two VxWorks Projects
a) Rerun “Create the Hardened VxWorks Projects.” This time, call the System base name hssHardenedVx2 and specify the flash drive device names as follows:
“trust store vault file root (default /ata1a)(optional):” must be set to /bd0a
“encrypted partition name (default /ata1b)(optional):” must be set to /bd16a
b) Rerun “Prepare the USB Flash Drives for the Hardened VxWorks Kernel”
c) Rerun “Boot the Stage One Hardened VxWorks Kernel”
You have now successfully booted the security hardened VxWorks kernel in a development configuration.
8 Next Steps
Now you have a secure development environment, you can develop secure applications as RTPs, copy the RTP vxe files to the target /romfs in the normal way, and then debug and develop them using the Wind River tools.
When it comes to finally deploything the secure system, you must do so by embarking on a third stage. Create the stage three projects just like you created the stage two projects. However, when you come to setting “Test or Development Image”, you must use either “required controls” or “required and discretionary controls.” This eliminates the kernel shell, and only builds the kernel using secure components.