Elevating Flight Safety: Software Security in Airborne Systems

Table of Contents:

Securing Airborne Systems with Advanced Memory Safety Techniques

How RunSafe Code Works

RunSafe Code Qualification – Development Tool

RunSafe Code Certification – Flight Software

RunSafe Code Certification – Airworthiness Security


Securing Airborne Systems with Advanced Memory Safety Techniques

Critical software, including vital infrastructure management systems, heavily relies on languages like C and C++, notorious for their power but plagued by memory vulnerabilities. The NSA reports that 70% of security fixes by tech giants like Google and Microsoft pertain to memory safety, a concern echoed in MITRE’s Top 25 Most Dangerous Software Weaknesses, where a memory-safety weakness ranks first and memory-safety weaknesses account for seven of the top twenty-five. 

The crux of the problem lies in the predictability of the binaries these languages produce: every copy of a given build has the same memory layout. Without measures like RunSafe, a memory vulnerability discovered in one software binary becomes a gateway for attackers, because an exploit developed against that copy works unchanged against every other copy. This challenge is compounded by the proliferation of open-source code and advancing binary analysis tools.

RunSafe’s product, RunSafe Code, aims to address these vulnerabilities. It will be certifiable for flight safety at the highest level through DO-178C at DAL A and qualifiable by DO-330 at TQL 1. Comprising two components, RunSafe Code operates during both compilation and execution of software. The security features of RunSafe will be outlined in shell documents, offering comprehensive insights into its design. 

How RunSafe Code Works

RunSafe Code modernizes software security by relocating functions to different memory addresses, at load time, for each deployed instance, thwarting attackers’ attempts to exploit memory-based vulnerabilities, which constitute nearly 70% of compiled code vulnerabilities. This is achieved without altering any lines of source code, ensuring no impact on system performance or functionality.

During the development phase, integrating RunSafe Code into software renders exploitation attempts unreliable for attackers, as the code needed for exploitation is never in the same place twice. A failed exploit attempt crashes the program, and because the relaunched program receives a fresh layout, any information the attacker gained is useless. This seamless integration with existing compilers and linkers streamlines the development process, ensuring compatibility with various build systems, from simple examples to complex builds using different compilers per project.

In airborne systems, RunSafe Code continues its transformative role, ensuring unique memory layouts for each binary and shared object. Through metadata embedded in the ELF file, RunSafe Code relocates functions in memory using customer-defined seeds, ensuring a deterministic relocation process. Notably, this relocation process incurs no runtime performance overhead, preserving the program’s intended functionality without compromising performance.

This robust approach to software hardening, both during development and deployment, positions RunSafe Code as a vital tool in the arsenal against cyber threats, qualifying it under industry standards such as DO-330 and DO-178C for airborne systems. With RunSafe Code, software developers can confidently bolster their defenses against exploitation attempts, ensuring the resilience and security of critical software systems.

Safety of Flight Approach

RunSafe Code Qualification – Development Tool

RunSafe is certifying RunSafe Code as a TQL-1 tool and flight software at DAL-A, enabling its use across diverse Critical Software Configuration Items (CSCIs), regardless of their DAL classification. TQL-1, the most stringent level outlined by DO-330, demands meticulous qualification due to its potential impact on flight safety, acknowledging the catastrophic consequences of any defects introduced into flight software.

The certification process adheres rigorously to DO-330’s objectives and activities, ensuring compliance with engineering independence. Recognizing the existing version of RunSafe Code as a prototype, the project anticipates addressing any gaps identified during the certification phase systematically. Development plans, standards, and work products are meticulously crafted and vetted, with engineering independence verifying their integrity.

Moreover, the tool qualification package assembled will furnish CSCI developers with essential materials, including Tool Operational Requirements (TOR), a Tool Qualification Plan (TQP), and verification test cases. Draft materials provided by RunSafe will be tailored by developers, ensuring seamless integration into their environments. Any issues encountered during application will be escalated to RunSafe for resolution, with developers assuming responsibility for correct tool usage and adherence to quality assurance protocols.

RunSafe Code Certification – Flight Software

Under DO-178C, CSCI developers are tasked with creating software that follows a detailed certification plan. RunSafe Code introduces novel alterations to the CSCI executable, invalidating the formal “run for score” test that verifies compliance with DO-178C expectations. Thus, this testing must occur after applying RunSafe Code. 

To meet DO-178C requirements, RunSafe Code provides proposed materials for integration into the CSCI developer’s data, including proposed system requirements, Software High Level Requirements (HLRs), and Low Level Requirements (LLRs), along with test cases and trace data. The seed value generated for each load is treated as a Parameter Data Item (PDI) under DO-178C. The qualification package includes draft materials for integration, outlining proposed changes to the CSCI plan and development artifacts to accommodate RunSafe Code alterations.

RunSafe Code modifies the built CSCI executable (not its source code) so that it relocates its functions within the allocated memory space upon loading, using a randomly selected seed value. Because the relocation is a deterministic function of the seed, a given seed always reproduces the same layout, while different seeds yield different layouts across instances, thus enhancing software security.
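To make the seed-driven relocation described above and in “How RunSafe Code Works” concrete, here is an added C model; it is not RunSafe’s code, which is not published on this page. Constructed metadata for four hypothetical functions stands in for the table embedded in the ELF file, and decoding the seed into one of n! orderings stands in for the product’s own selection logic (a production design would drive it from a CSPRNG keyed by the seed). It shows the two properties the certification text relies on: the same seed reproduces the same layout, so a run-for-score test is repeatable with the seed handled as a PDI, and a different seed moves the functions, so an address learned from one instance does not hold in another.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed metadata for four hypothetical functions; in a real build this
 * would come from the relocation metadata embedded in the ELF file. */
typedef struct { const char *name; uint64_t size; } FuncMeta;
static const FuncMeta kFuncs[] = {
    {"parse_msg", 0x1a0}, {"check_crc", 0x60}, {"update_state", 0x2c8}, {"send_reply", 0x90}
};
#define NFUNCS (sizeof kFuncs / sizeof kFuncs[0])
#define ALIGN 16u

/* Decode `seed` into one of NFUNCS! orderings (factorial number system):
 * equal seeds always give the same order, seeds 0..NFUNCS!-1 give distinct ones. */
static void seed_to_order(uint64_t seed, size_t order[NFUNCS]) {
    size_t pool[NFUNCS];
    for (size_t i = 0; i < NFUNCS; i++) pool[i] = i;
    size_t remaining = NFUNCS;
    for (size_t k = 0; k < NFUNCS; k++) {
        size_t pick = (size_t)(seed % remaining);
        seed /= remaining;
        order[k] = pool[pick];
        /* Remove the chosen function from the pool of not-yet-placed ones. */
        memmove(&pool[pick], &pool[pick + 1], (remaining - pick - 1) * sizeof pool[0]);
        remaining--;
    }
}

/* Place every function in the seed's order, packed with ALIGN-byte alignment
 * from `base`. addrs[i] receives the load address of kFuncs[i]; the return
 * value is the end of the code region. Same seed and base -> identical addrs. */
uint64_t layout_functions(uint64_t seed, uint64_t base, uint64_t addrs[NFUNCS]) {
    size_t order[NFUNCS];
    seed_to_order(seed, order);
    uint64_t cursor = base;
    for (size_t k = 0; k < NFUNCS; k++) {
        size_t f = order[k];
        addrs[f] = cursor;
        cursor = (cursor + kFuncs[f].size + ALIGN - 1) & ~(uint64_t)(ALIGN - 1);
    }
    return cursor;
}

/* 1 when both layouts place every function at the same address, else 0. */
int same_layout(const uint64_t a[NFUNCS], const uint64_t b[NFUNCS]) {
    return memcmp(a, b, sizeof(uint64_t) * NFUNCS) == 0;
}
```

With seed 0 the functions land in metadata order from the base address; with seed 1 the first two swap places, and the total code size stays the same.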

RunSafe Code Certification – Airworthiness Security

DO-326 and DO-356 emphasize an integrated approach to cybersecurity, aiming to prevent and mitigate cyber attacks by integrating security strategies tailored to specific systems and environments. RunSafe Code contributes to this approach by aligning with two key principles: Defense in Depth and Ease of Maintenance.

By enveloping the entire product CSCI with its protective shield, RunSafe forms a crucial layer within the Defense in Depth strategy, allowing developers to concentrate on custom defense strategies for their projects. Moreover, RunSafe Code simplifies CSCI maintenance by assuming responsibility for tool upkeep, training, support, and documentation.

RunSafe provides comprehensive documentation to meet the requirements of DO-326/356, serving as a model for CSCI developers. This documentation includes security certification plans, risk assessments, system requirements, and verification results. While tailored to RunSafe Code, this package serves as a template for other CSCIs, offering operational and maintenance guidance.

Committed to supporting CSCI developers, RunSafe assists in the successful implementation of RunSafe Code and addresses any arising issues, ensuring robust software supply chain security.
