How Virtualization Can Help Embedded Security

Cyber attacks continue to become more sophisticated. Software teams need to be more vigilant in identifying security vulnerabilities early in the development process when problems can be remediated without putting critical systems or data at risk of compromise. Nowhere is this more important than in the aviation and defense industries, where platform longevity means code can stick around for years, and where a failure might create a real risk to public safety or national security. Led by modernization efforts like ADS-B and NextGen, many systems will be bringing new data types and interfaces online for the first time. The industry has made significant gains in security over the last decade, especially in the network, cloud, and desktop application space. Embedded software remains a challenge, due to the limited range of security tools and test platforms available.

Virtualization can help bridge the gap to deliver higher security with reduced cost. With virtualization, embedded applications run within a software emulator which simulates the real hardware but enables additional instrumentation. Until recently, virtualization has been limited to commercial-quality implementations for desktop platforms like Windows and Linux, hobbyist implementations that don’t support high-fidelity testing, and expensive one-off systems. Now, comprehensive cross-platform virtualization solutions are available for embedded aviation and defense applications.

Virtualization supports security testing in several ways. One of these is advanced diagnostics and debugging of potential vulnerabilities. By using a virtual machine, developers have much more visibility into the inner workings of application and system code. In many cases, latent defects like race conditions and data corruption can lead to denial-of-service or outright security compromise, but these bugs are notoriously difficult to diagnose in real hardware. Virtualization enables single-step debugging, traces, logging, and root-cause analysis without the need for JTAG or other hardware test instrumentation. What’s more, virtualization supports scalable test automation without the need to fully replicate hardware components. Developers can even build high-volume regression and security test automation into the source check-in and nightly build processes.

Scalable test automation is also critical in carrying out one of the most successful security testing strategies: fault injection. Hardware fault injection can be difficult to achieve or even damage equipment; virtualization overcomes these problems. Because most virtual machines support full instrumentation, faults can be injected onto any interface: just as peripheral and memory failures can be effectively simulated. Malicious data can also be automatically generated and inserted on software boundaries to test boundary conditions, fault tolerance, and error handling. This capability is especially important on interfaces that may accept data from untrusted or unreliable sources. When a failure condition is found, it can often be reproduced in the virtual machine without difficulty, leading to better bug diagnosis.

Finally, some virtual environments allow for the integration of heterogeneous virtual machines running different architectures, operating systems, and applications. By leveraging this capability, development teams can conduct “system-of-systems” simulations of a platform’s overall architecture. System-of-systems testing is critical for verifying defense-in-depth and identifying cascading failures. Instrumentation can even be placed at system boundaries to inspect for information leakage or data corruption to ensure that faults in an open-input system like ADSB do not affect closed-input systems like flight control.

As attacks evolve and systems become more networked, aviation and defense integrators will need a higher level of cyber assurance for embedded and real-time components. Security assessment using virtual machines is both a highly effective and cost-efficient method to begin achieving significant security improvements.

Learn more about virtualization and embedded security by contacting Performance Software today.