Dreamliner security issue highlights need for bullet-proof OS technology
Reports of the recent publication by the FAA of a “special conditions” document warning of a potential security/safety vulnerability in the new Boeing 787 Dreamliner has created a bit of interest. Obviously, the idea of some kid (or terrorist) on a plane hacking into the flight control systems is a bit concerning. And it has a lot to do with operating-systems technology.
Note that the FAA doesn’t claim there is an actual security violation, only that Boeing hasn’t demonstrated (yet) that there isn’t. The issue comes down to there being a network in the “passenger domain”, presumably providing internet access etc, and which is not completely separated from the network(s) used to control the plane and collect the data required for navigation. Hence there is at least the suspicion of a potential that someone who gains unauthorised access to the PD (by cracking the OS of the computer supplied to them at their seat) could gain unauthorised access to computers outside the PD.
Some have asked why Boeing would be using an architecture where the two networks are not completely physically separated. The answer isn’t hard to guess (and is partially given in the above documents): There is a need for data flow between the networks, which is only possible if there is a connection between them. Take for example the popular flight status display, where the plane’s position is shown on a map on passengers’ screens, together with the plane’s speed over ground, head wind, outside temperature etc. Such information obviously is not gathered just for the enjoyment of passengers, it is essential to the cockpit crew for flying the plane. Hence there is at least some data coming out of the secure domain into the passenger domain, and thus the need for a connection between the networks. This is nothing new. What is (presumably) new is that the terminals at passengers’ seats are far more capable, are full-blown networked computers, whose operating systems might get compromised (as all PC OSes do sooner or later).
So, this problem is somewhat inevitable, but the (frequent) flyer would like some assurance that the problem is under control. But to which degree can it really be under control? The quotes from Boeing given in the article aren’t overly reassuring: they talked about software firewalls and that “the FAA and Boeing have already agreed on the tests that the plane’s manufacturer will have to do to demonstrate that it has addressed the FAA’s security concerns.” Given that all software must be suspected to be buggy unless proven otherwise, and that testing can only prove the presence, not the absence of errors, wouldn’t you feel more comfortable with some better proof of the protection?
And, if you think about it, this issue isn’t restricted to airplanes that cost $100M a pop, where maybe you can expect the manufacturer to spend a few dozen millions on ensuring that they get the code right (whatever that may mean). We moving towards similar issues in cars, where manufacturers (believe it or not) worry about whether some component costs a dollar more or less. Cars will soon have an integration of infotainment and control functionalities that create issues very similar to those of the 787. And car manufacturers are unlikely to spend zillions on ensuring that their software is bullet proof.
To me this just shows that present software technology, especially operating-systems technology, isn’t up to the challenges of the near future. If my life is at stake, I want to see better assurance than testing or audits. I want proof. Wouldn’t you?
People will probably tell you that proof isn’t feasible. They are wrong. It isn’t feasible for something of the complexity of Linux or Windows, but for a well-designed microkernel that serves as the lowest, trusted level of software ensuring the strict separation of subsystems, it is possible, as explained in my recent article about the work done under my direction at NICTA. OK is committed to turn this into a product that will give you real peace of mind.