Virtualization: A Security Monitoring Solution for Embedded Aerospace

By Darren Cummings, DoD/Cyber Leader

As threats against embedded aviation and defense systems become more complex and commonplace, developers and system integrators will need to develop defenses parallel to technologies already in use in the enterprise networking domain. Security strategies like deep packet inspection, intrusion detection, and active intrusion prevention rely on an ability to monitor system and network boundaries, detect threats, and apply mitigations. Mature products already exist for internet-style networks, but aviation systems rely on a variety of protocols for interoperability and communications, not just TCP/IP. In addition, embedded systems often require protection on subsystem boundaries as well as at the perimeter. This is because a full system-of-systems like a commercial aircraft may include both life and safety-critical components and public or even internet-facing systems.

Virtualization technologies offer one way for aviation systems to extend their monitoring and security response capabilities to include these additional interfaces. The ideal embedded security product will contain capabilities for detecting threats at system and subsystem boundaries, inspect code and data as they pass through interfaces, and interdict or disarm potentially suspicious transactions. When components are virtualized, instrumentation running in the virtual machine is capable of both monitoring and manipulating data anywhere within the system, but especially at the boundaries where information changes security priority. Malicious code is not able to interact with this instrumentation, since it runs “underneath” the operating system and applications, and is invisible to it. This invisibility is one-way in favor of the defensive application: the defensive system can see the bad code and data, but cannot be seen by it.

An intrusion detection system works by searching streams of machine data for patterns that indicate the presence of an attacker. When threats exceed a certain threshold, an alert is made to the security operator. A virtual machine can often monitor not just network boundaries, but system calls, communication between applications, or communications between applications with the kernel as well. With this enhanced visibility, it is possible to combine indicators from different interfaces in ways that improve the likelihood of detecting an attack. As a result, virtualization can often offer improved security results over classical network-based intrusion detection systems. Intrusion prevention systems take this one step further, implementing a specific set of countermeasures in response to a perceived attack. Again, because virtual machines have fine-grained control of the applications running on them, they are capable of implementing countermeasures that minimize disruption and downtime while maximizing system integrity. Some systems even function with the full cooperation of the operating system’s kernel, ensuring that no threats can bypass the safeguards in place.

Virtualization-based data collection can also serve as an input source to more sophisticated data mining and intrusion detection applications. Collecting security data following a protocol like ARINC 852, which is designed to extend security event and incident management (SEIM) into aviation systems, will allow for integration with traditional network security monitoring technologies to develop full-spectrum analysis of cyber events and push remediations to the perimeter of the enterprise, away from critical systems. These countermeasures will not take the place of smart and secure development practices and testing, but when implemented correctly, will offer significant improvements over the current embedded security paradigm.

Contact us today to discuss how virtualization can improve the security of your aerospace or defense system.


cyber kill chain testingJETS Defense