The Race to Build a Secure Operating System

By Kevin Coleman
Defense Tech Cyber Warfare Correspondent

In response to the continuous compromise of networks, multiple countries have begun developing secure platforms and operating systems. Computer companies, university researchers, defense R&D contractors and militaries around the world recognize the criticality of networks and embedded processors within their equipment. They also recognize how vulnerable they are, which is why so much attention is being given to building in security at every level of the system, including the operating system.

As discussed here, China’s Trusted Computing Platform (TCP) program has been underway for some time now and can be traced back to the early 2000s. The Chinese TCP includes multiple layers of built-in security, as well as trusted computing components at the chip operating system level and the machine operating system level.

European Union
Early in 2009 a Dutch university was awarded a grant for $3.3 million from the European Research Council to fund 5 more years of work on a Unix-derived operating system called Minix. This research effort is designed to be more resilient and secure than either Linus or Windows. The most impressive feature in Minix is said to be its self-healing feature. This is believed to be the first operating system with the capability of fixing itself when a bug is detected.

One of the more recent secure operating systems in the world is the Secure Microkernel Project (seL4). Late in 2009 NICTA announced that it had completed the formal verification of the seL4 kernel. It is believed that this makes seL4 the world’s first general-purpose OS kernel with a formal mathematical proof that the implementation does what the specification says. The proof is machine-checked and one of the largest ever done.

United States
In April, researchers at the University of Illinois at Chicago received a $1.15 million grant from the National Science Foundation to build a new computer operating system called Ethos. This secure OS is said to be based on virtual machines and the concept of isolation. Ethos is based on the Xen hypervisor and is being created with security as its primary objective.


The need to build security in at every level of a system is clear given how many networks have been penetrated, as well as the ever-increasing frequency of complex and sophisticated cyber attacks. A secure operating system would be a huge step forward in reducing the overall vulnerability of critical systems and computing capabilities embedded in equipment. While there are other secure operating systems in play within the United States, Secure Linux seems to be the leader at this point. This is clearly part of the cyber defense arms race.

Photo: iPhoto/Simon Smith

  • Brian

    OpenBSD is an open source unix clone that has focused on security since it was founded back in the 1990’s.

    The best way to secure our infrastructure is to disconnect it from the public internet. There is no reason that critical control systems need to be accessible via the internet. If security is a concern, run your own wires or wireless to/from the equipment.

    • E_Khun

      I have no doubts that most countries will have disconnected (from public Internet) networks in development.

      But these secure OS’es seem to be aimed more at light to medium security (perhaps only light) stations that might need a public connection.

  • E_Khun

    Well, with the whole world using Linux as a base for a secure OS Linus Torvalds is going to need security before them blasted Norks think of launching their own operation Paperclip.

  • Brian

    There is no such thing as a secure OS. You can only write an OS less prone to be compromised. Even then if your hardware or environment are compromised, or perhaps your users it doesn’t matter which OS you are using. Then what about your application, or network layer?

    Seriously there is no panacea of Security in technology, just tradeoffs. Think of it this way, is there an ultimate rifle + bullet good for every situation with 100% reliability + easy to use? No. Anyone who even tried to build such a weapon would be wasting their money. The art of design is the proper application of tradeoffs for the situation you are likely to encounter.

  • A. Nonymous

    I always thought Linus was pretty secure. I’m no psychologist, but to me Charlie Brown seemed to be the one struggling with insecurity issues.

    • a y mouse

      editor meant Linux

      • Kevin

        I fat-fingered “LINUS” Just like the Wall Street Trader! At least the X and S keys are next to each other unlike the B (billion) and M (million) keys!

  • Wildcard

    NSA released a Security Enhanced (SE)Linux. Was it not up to the task?

    • kgcoleman

      Generally speaking – the business community tends to stay away from all things NSA due to issues with public opinion. Also they want a commercial company behind their products and DEMAND full support.

      • Wildcard

        Reading the article I was under the impression ‘new OS’ were aimed at Gov and R&D establishments, not a full commercial roll out. But thanks for the insight!

    • Brian

      SE linux are just small enhancements that don’t really figure into real work scenarios. Many people disable the security features because it interferes with their tasks.

  • Shawn

    There is no secure version of Linux. The only reason it’s considered secure is because everyone is writing viruses for Windows, not Linux, so there aren’t many virus attacks on Linux systems to report. With Windows machines outnumbering Linux machines 20 to 1, it makes sense to write viruses for the mass market which is Windows. Even Apple’s computers aren’t secure. The fact is, no machine out there is 100% secure. If someone wants in, they could feasibly find a way. The best we can aim for is to prevent intrusion long enough to stop the attack. So never consider anything secure. Anything can be hacked.

    • @explodingwalrus

      Linux is inherently more secure.

      • kross

        you need to spend some time at

  • D. Dieterle

    I have to agree with Brian, if you want to secure your internal business from internet threats, cut the cord connecting it to the internet.

    FreeBSD seems to be the secure OS choice for some large companies. Richard Bejtlich recommends using it as the base for network sensors in a monitored network. It also appears to be the base for China’s secure Kylin OS, 99.45 percent match according to ZDNet.

    The US does need to do something. Microsoft is not the answer. The problem is they create something “secure” then include backwards compatibility into it. Yikes…

    Also, Microsoft wants to release Windows 7 Embedded and put it on billions of embedded devices, god save us…

  • Oblat

    >The need to build security in at every level of a system is clear

    And the evidence Kevin gives is 10 programmers working worldwide on the problem half of which are actually working on making OS’s more bug resistant not security. Not that Kevin knows the difference.

  • Mary

    If you are interested in learning more about Network Infrastructure and Systems my client Cisco is hosting Cisco Live at The Mandalay Bay Resort in Las Vegas…June 27th-July 1st.

  • @davearonson

    And then there’s STOP. (Google “XTS/STOP” — yes, that third link is me.)

  • Brian Mulholland

    Brian, wasn’t the Justice Department building a secure mail system on OpenBSD?
    What happened to that? And if it works for them, why not elsewhere?

  • nraddin

    There seems to be a fundamental misunderstanding of what is meant when someone says computer or IT security. Security from viruses or other pre-scripted attacks is a very different issue than defending from specifically targeted attacks, which is very different than security in code execution, which is different than network traffic security, etc. Security is such a broad statement I almost hate seeing it used.

    Most operating systems can be made pretty ‘secure’ by removing the rights of users and system accounts from files, processes, etc. but the more you do that the less general usefulness you get out of that system. As a result the security of a system always depends on what you need/want to do with it. The more general/open the use of the machine, the less security you are going to get out of it.

  • Nick P

    Dude, this article is pretty weak. Allow me to issue a string of corrections and counters. China’s “secure” OS is a modified version of an older FreeBSD source. This can’t even touch OpenBSD, much less the higher standards required for EAL5-7 or Type 1 devices. It’s not secure: it’s just theirs, it’s not Windows, and has some extra features (with potential bugs). They do have the chip based security, but it’s a crutch and still not fully deployed.

    Europe has done plenty of good research. You should have mentioned Perseus or Nizza security architectures, based on L4. TU Dresden’s Nizza platform has Linux compatibility, small high quality kernel, and a viable way to build secure desktops. It’s all FOSS too. Perseus added virtualization and trusted computing to this scheme, resulting in a FOSS release and then Turaya Security kernel (commercial). And QNX has been self-healing forever. MINIX’s author even cited it as an example of good microkernel design for reliability in an argument with Torvalds.

    Good call on seL4/L4Verified, but it’s debatable: their proofs haven’t been independently checked and the system is still vaporware. OKL4 3.0, from the same people, is a high quality capability based microkernel with Linux compatibility and good assurance. OKL4 4.0 Microvisor is proprietary and probably includes (or will later) the seL4 kernel technology. I know they are making it multicore and might eventually release the proofs/code. Keep an eye on it.

    In United States, the MILS kernels have been coming out because the NSA wants to do that. We have led the way in secure OS’s. Here’s some U.S. B3/A1-class OS’s of the past: GEMSOS (A1, still available); Army Secure OS, ASOS (A1+); XTS-400/STOPOS (B2-B3, available); MK++ (B3-equiv, maybe avail); LOCK (A1). For MILS, there are several US products: INTEGRITY-178B (EAL6+ certified); VxWorks MILS (in evaluation to EAL6+); LynxSecure (not in evaluation, but Navy will use/evaluate it maybe). Medium assurance: SourceT for DNS, Hydra’s RTOS for app-level firewall, and McAfee SecureOS for Sidewinder. Vendors also have medium assurance RTOS’s with more flexibility and high quality middleware (TCP/IP, USB, graphics, CORBA, virtualization, etc.) to support their activities. I’m glad you mentioned Ethos, though, as it eluded me somehow.

    So, we’ve already built a ton of secure and useful operating systems. The best approach to securing our computers on today’s hardware and legacy software is probably that of LynxSecure. They’ve basically built a virtualization kernel that leverages Intel VT to divide the system into partitions and control information flow MILS-style. The next step is to use low defect development processes to produce middleware, good VMM’s, and isolated apps. Examples include Software Inspection Process (e.g. Fagan), Praxis Correct by Construction, Galois’ Haskell stuff, or formal methods a la seL4 or CompCert. Most basic level is isolating security-critical functionality from the main OS using things like LynxSecure and INTEGRITY Padded Cell. Nizza did this for eCommerce, OKL4 did this for Citrix, and INTEGRITY Global Services has numerous applications using INTEGRITY RTOS.

    So, secure OS’s and development processes already exist in the dozens all over the world, but mainly in US. There’s a few obstacles to market saturation: they take longer to build and companies want fastest time to market; the highest security can be quite expensive and restrict features/performance for complex apps; too much dependence on legacy, untrustworthy code that would invalidate security guarantees of correct apps; government and universities won’t release the OS’s taxpayers funded; no real market for high assurance. The last point bugs me the most. Honeywell’s SCOMP only sold 35,000 units after NSA begged for secure OS, then bought lower assurance stuff in mass for features or convenience. It might have been different if an A1 software firm could sell to everyone, but the US government considers high assurance B3/A1/EAL6/EAL7 software as “munitions” and they are subject to export control. Who wants to spend $25 million developing a secure platform if they can’t be sure that there’s a market for it? Nobody. If the market wants secure software, they must be willing to pay for it and wait on it.

    Anyone wanting to discuss this, join me on Schneier’s blog. There’s a few of us that want true security and we get into deep discussions about the details. Google “Nick P”, “Schneier” and something like “media encryptor” “MILS” “malware” to see some of the discussions.