QNX SDP is a cross-compiling and debugging environment, including an IDE and command-line tools, for building binary images and programs for target boards running QNX Neutrino 7.1.
The QNX System Security Guide is intended for both system integrators who are responsible for the security of a QNX Neutrino RTOS system and developers who want to create a QNX Neutrino resource manager free from vulnerabilities.
This User's Guide describes version 7.1 of the Integrated Development Environment (IDE) that's part of the QNX Momentics tool suite.
The following table describes security problems and cyberattacks and the QNX Neutrino security features that can mitigate them.
For best security, after system startup, all services should be running with their own unique user and group IDs.
Within the kernel and process manager, control over a process's ability to perform many actions is governed not by the user ID (UID) of the process, but by a set of approximately 70 permissions called process manager (procmgr) abilities.
Security policies provide a central way to control the privileges that processes have, which simplifies an audit of a system's security.
Secure boot is a mechanism that ensures the integrity of the running system, by cryptographically verifying each stage of the boot process.
QNX Neutrino supports multiple ways to access cryptography services.
Address space layout randomization varies the location of data and instructions each time an executable is loaded as long as it was compiled with Position-Independent Executable (PIE) support.
QNX Neutrino RTOS fortified system functions are designed to detect out-of-bounds memory accesses by performing lightweight parameter validation at compile-time, runtime, or both.
Access control is the selective restriction of access to a resource. Access controls take many different forms and the sections below describe which ones can be used in QNX Neutrino systems.
This section describes the virtual devices (vdevs) provided by QNX Hypervisor for Safety (QHS) and other QNX hypervisors.
Application groups are used to group processes together so they can be controlled as a group.
The QNX hypervisor is built as an extension of the QNX Neutrino microkernel. As such, it inherits the security features of the microkernel itself as well as the secure execution environment created by the microkernel. In addition, the hypervisor has additional layers that are purpose-built for secure virtual machine operation.
The QNX cryptography library (qcrypto library) is a generic cryptographic shim layer that provides a consistent API to the various cryptographic primitives offered by third-party libraries.
The devcrypto service is a legacy system driver interface and is mainly provided for backwards compatibility.
The pathtrust feature prevents processes from executing untrusted code. If a process is compromised, pathtrust mitigates the threat of the system being further compromised by an attacker using chained-together exploits.
Systems that need authentication can use pluggable authentication module (PAM), a configurable standard library.
The QNX Hypervisor allows you to run multiple OSs on a target system so you can separate critical and non-critical functions, support a wide variety of applications, and reduce hardware costs.
QNX Software in the Cloud enables developers to use the QNX software in Amazon Web Services (AWS) and Microsoft Azure (Azure).
This User's Guide is aimed at all systems integrators and developers who want to design and build embedded systems using the QNX Advanced Virtualization Frameworks.
This section describes the typographical conventions used throughout the documentation and explains how to obtain technical support.