Ph.D. - geht es zur Homepage der Informatik des Fachbereiches 3 ...
Ph.D. - geht es zur Homepage der Informatik des Fachbereiches 3 ...
Ph.D. - geht es zur Homepage der Informatik des Fachbereiches 3 ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Chapter 6. Security in Open Source Software<br />
meta model, a meta model is called open meta model, a model open model, and an application<br />
(or software), of course, open source.<br />
This means that most parts of the software for this work should be developed (and published)<br />
as open meta model and open model. Only the domain framework, generators, and parts of<br />
the verification and validation suite apply directly to the term open source.<br />
This approach leads to a security related problem because parts of the architecture can<br />
or should be (re)implemented or extended by users / suppliers. As explained in Chapter 5,<br />
the developed software should be verified, validated, and certified, which cannot be done<br />
for (later) additional implemented software from third-parti<strong>es</strong> in advance. This means that<br />
verification and validation cannot be assured for all parts of the openETCS software because<br />
the third-party implementations from other users / suppliers can only be verified and validated<br />
by their developers or later in an additional proc<strong>es</strong>s. Therefore, it have to be assumed that<br />
third-party software that is not verified and validated do<strong>es</strong> not comply with the EN 50128<br />
(Subsection 5.1.2) and may even hold faulty or malicious software, e.g., a Backdoor. Malicious<br />
software may even compromise software parts that were verified and validated before.<br />
On the other hand, if additional supplier implementations are validated and certified, this<br />
has to be done for the additional software, the open source, and the open model software<br />
together. The r<strong>es</strong>ult is an extensive proc<strong>es</strong>s because all possible impacts of the additional<br />
software to the already certified open source and open model software have to be analysed.<br />
Figure 6.2 shows a very general example of how a third-party or supplier implementation<br />
could compromise other parts of an open model software. This example has one model<br />
implementation, which is certified, because it was directly generated from the certified open<br />
model. Additionally, it holds two supplier implementations, which both instantiat<strong>es</strong> certain<br />
model parts of the open model software. Th<strong>es</strong>e supplier implementations cannot guarantee<br />
to be certified whereas one of them holds even malicious code. The communication between<br />
different implementation parts is often required. A typical method is the usage of shared<br />
memory. This means two (or more) implementations read and write to same areas in the<br />
memory to communicate. Unfortunately, this mechanism can also be misused to compromise<br />
other implementation parts. Therefore, the malicious supplier implementation could acc<strong>es</strong>s the<br />
memory of any other implementation and change their data used for execution or even the<br />
execution itself.<br />
Measur<strong>es</strong> and techniqu<strong>es</strong> should be found to minimise the possible influence of a faulty or<br />
malicious supplier implementation. Already existing strategi<strong>es</strong> and a novel approach with the<br />
usage hardware virtualisation are introduced and compared in the following sections and are<br />
also d<strong>es</strong>cribed in [26].<br />
In the following section, traditional methods for the management of memory are shortly<br />
explained followed by the d<strong>es</strong>cription of concepts for the usage of hardware virtualisation as a<br />
new strategy. Afterwards, certain problems related to hardware virtualisation are discussed.<br />
Possible solutions are elaborated and pr<strong>es</strong>ented, which will be used for the case study in<br />
Part III.<br />
66