Open Source For You spoke to Alok Mehrotra, country manager (India) and Rajesh Lalwani, account manager, Wind River about how the companys security profile helps combat the everyday threats that are a normal offshoot of the Internet of Things (IoT). Excerpts:
Q. Do brief us about Wind Rivers presence in the open source domain.
Id like to share a little bit of history with you. VxWorks is our real time operating system (RTOS). You will find that pretty much any mission-critical embedded design you can think of will be on an RTOS, and that RTOS will typically be Wind River. To give you some perspective, today, we have over one and a half billion devices running on Wind River as the operating system, on which you go ahead and build your applications.
Commercial embedded Linux continues to gain traction across the board as the aerospace, defence, industrial, networking and automotive industries see how open source encourages rapid innovation at far lower costs. But navigating the open source ecosystem is not an easy task, and Linux is different from the real time operating systems, software development tools and test frameworks that play a critical role in developing and deploying embedded devices. Thanks to the thousands of developers who strive to make it better, Linux constantly evolves and expands over time.
Currently, we are experiencing the Internet of Things (IoT) phenomenon, where everything is connected to everything else. Its an amazing concept. However, the major challenge is how to secure the network using open source technology, which is available to everybody. In a nutshell, the IoT is great, but it comes with a few security challenges for developers.
Wind River has come up with a security profile on top of Linux, which secures the operating system besides being Evaluation Assurance Levels-4 (EAL-4) certified. Its a commercial off-the-shelf (COTS) product, built to align with the Common Criteria for Operating System Protection Profile. In this, weve hardened the kernel, enhanced the user space and have given the entire control of the user space to the super user. The security-focused kernel includes features like grsecurity, PaX and enhanced Address Space Layout Randomisation (ASLR), among others.
Q. What are the complex issues that developers face with the Internet of Things (IoT)?
Everybody has their own definition for the Internet of Things. Connectivity, manageability and security are important aspects. To me, the bigger question from the IoT perspective is not just how I connect to an aggregator, but how does this whole thing happen with the edge of the cloud.
The IoT has various applications such as smart cities, for instance, where the concept can be widely implemented with connected cars. Industrial automation is another application, where everything you need is on the Internet, so you can regularly update it. In the aforementioned cases, you need various protocols since you want everything to be secure, and these must be connected on the cloud as well. We need security at two levels. One, so that nobody can attack your system, and two, so that nobody can install their own application on top of it. In case they want to install a particular application, they need to have some authorised access to it.
Q. How would you differentiate between enterprise and embedded Linux?
When you refer to embedded Linux, its got one kernel that anybody can download from kernel.org. It then becomes enterprise Linux or embedded Linux depending on the kind of application youre developing. When you install it on any normal PC, you call it enterprise Linux, but when you use the same kernel for all your embedded applicationsmobiles, connected homes, in-vehicle infotainment (IVI), etc, it becomes embedded Linux.
Q. Security has emerged as one of the key considerations while developing products and solutions for all companies today, as seen in the case of the recent Heartbleed episode. What are your thoughts on this?
Lets assume that the largest network equipment provider in the world is building a fairly critical application and, that too, on Linux. Assume that there are millions of people who will get impacted if there is a bug in the operating system used. The application needs 99.99999 uptime. The company also needs a team that is ahead of the curve from an open source perspective, but that team still needs to work with a vendor that is conversant in open source and Linux. The vendor has to ensure that any issues found anywhere get patched and fixed in a manner such that the network equipment company is protected and is able to deliver to its customers. I was recently reading some information that was being circulated within Wind River. Heartbleed became known to the public on 7th April (in Finnish) and 8th April (in English). A fix was available on OLS to our Wind River Linux customers for download on 8th April – less than 24 hours after Heartbleed was introduced to the public domain. If youre running anything that has some level of criticality, you would absolutely need to have that level of security.
Q. Can Android challenge embedded Linux?
If you look at the Android kernel, its a flavour of Linux. Theres no challenge as such. The only thing is that there must be interoperability between Android and Linux. Android is being extensively used on the enterprise sidein mobiles, particularly. Now, to explain embedded Linux, lets look at routers. Here, most things run on VxWorks, or any other RTOS, but you cannot use Android. On the application side, Android is being used on the mobile, tablet or on a few of the IVIs that are coming out.
Many IVIs out there are Android-based and we have a very strong presence in the domain. We are one of the founding members of the Open Handset Alliance (OHA), something that came up even before Android became what it is today!
Q. Do you have some engagement opportunities for engineers?
Some of our core Indian customers came to us and expressed their concern about the fact that they were not getting trained engineers to work on our technology. We discussed this issue internally and came out with university licences. We now give the same technology provided by us commercially at a much subsidised price to universities. At the same time, we offer them a programme called Train the Trainer (TTT) to help train faculty members. We also provide them with a curriculum, if they ask for one. We are currently working with a number of key organisations that are writing a curriculum for Indian engineering colleges.