QNX Software Systems

Security FAQ

Q: What is the QNX Neutrino RTOS Secure Kernel?
A: The secure kernel is a specific version of the QNX Neutrino RTOS that has been officially tested and certified against the Common Criteria (ISO/IEC 15408) at Evaluation Assurance Level 4+ (EAL 4+). QNX Software Systems recommends this secure kernel only for customers whose end product requires Common Criteria certification.

Q: I am worried about security; do I need the QNX Neutrino RTOS Secure Kernel?
A: QNX Software Systems only recommends the QNX Neutrino RTOS Secure Kernel for customer products that require Common Criteria ISO/IEC 15408 certification. This is the officially tested and certified version of the QNX Neutrino RTOS. That said, the non-certified kernel still provides the highest level of security assurance in the embedded operating system market.

Q: What does the QNX Neutrino RTOS do to ensure security?
A: The QNX Neutrino RTOS is an exceptionally secure operating system by design. Its microkernel architecture, together with its high availability framework, adaptive partitioning, and Common Criteria certification, provides the right ingredients for building a secure product. See the whitepaper on building secure, fault-tolerant systems.

Q: What about viruses and other malware?
A: Viruses are a desktop computing phenomenon and are unusual in embedded devices. While the QNX Neutrino RTOS does have desktop components, there are currently no documented cases of a virus specifically designed for it. This, along with the fact that the RTOS supports a fully POSIX-compliant user-privilege model, robust design fundamentals, and fault tolerance, makes a virus attack on it unlikely. There are no existing virus or malware scanners for the QNX Neutrino RTOS, and QNX Software Systems does not anticipate a need for these types of products.

Q: What about Internet security?
A: The QNX Neutrino RTOS handles all aspects of Internet security. If secure communications are required over an Internet connection, QNX extended networking technology supports IPSec and secure protocols such as SSL and HTTPS. The QNX Neutrino RTOS also supports POSIX user authentication and privilege enforcement. In addition, QNX adaptive partitioning and high availability can mitigate and actively resolve external attacks. The QNX Neutrino RTOS can still have vulnerabilities; when one is detected it is taken seriously, and QNX Software Systems issues a patch to fix it as soon as possible.

Q: Does QNX Software Systems have an official statement regarding Internet security?
A: See response above. There are no warranties or guarantees implied, however.

Q: Does the QNX Neutrino RTOS have users, groups, etc.?
A: The QNX Neutrino RTOS is a POSIX-compliant RTOS and supports the usual UNIX-like users and groups as well as rights and permissions. Access to resources can be restricted based on user and group as can OS properties such as maximum priority. Processes can run with user and group owners with associated restrictions as needed.

Q: Does the QNX Neutrino RTOS have passwords and user authentication?
A: The QNX Neutrino RTOS has typical UNIX-like username and password authentication. It is, however, only as good as the passwords. Strong passwords are key to making a user-authentication system work.

Q: How does adaptive partitioning help with security?
A: QNX adaptive partitioning technology is a great security tool because it allows the system designer to isolate parts of the system from each other. For example, adaptive partitioning can be used to guarantee CPU time to a maintenance process that allows remote login. If the system comes under a denial-of-service attack in which all of the CPU is consumed to lock out other processes, the maintenance process can still run within its partition while the rest of the system is restarted or repaired. Adaptive partitioning can similarly be used to isolate untrusted parts of the system – CPU resources are allocated such that the partition with the untrusted content can never use more than its budgeted share.

Q: Do you have any security best-practices that use QNX-specific features or technologies?
A: Although this is a large topic, at a high level we suggest the following best practices:

  • Use least privilege when possible. Run processes and threads at user level and ensure correct permissions on shared resources (files, etc.). The QNX Neutrino RTOS is POSIX compliant and as such provides the necessary tools for secure programming.
  • Use the QNX high availability framework to ensure critical processes stay running. This framework can ensure critical processes are restarted after crashing (whether the crash was caused by an exploit, a vulnerability, or a software error).
  • Use QNX adaptive partitioning technology to create secure partitions within the system. In particular, partition potentially unsafe/insecure processes from the critical parts of the system. For example, a process that is responsible for downloadable content that could potentially harm the system can be isolated in a secure partition to prevent disruption to the rest of the system.
  • Use safe programming techniques – many vulnerabilities are the result of poor programming techniques. Use tools such as runtime and static analysis to help detect potential security issues. For example, the memory analysis tools in the QNX Momentics Tool Suite are useful for detecting and debugging potential buffer overflows – a commonly exploited vulnerability.
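As an added example of the least-privilege bullet above (my own code, not QNX's or this FAQ's), written against plain POSIX so it applies to the QNX Neutrino RTOS or any other POSIX system: drop root in the only order that works, verify the drop cannot be undone, and create a shared file with owner-only permissions. The function names and the file path are my own.

```c
#define _GNU_SOURCE 1          /* declares setgroups() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permanently switch the calling process to an unprivileged uid/gid.
 * Order matters: supplementary groups first (only root may change them),
 * then the primary gid, then the uid. Once the uid is no longer 0 the
 * earlier steps fail with EPERM and root's group rights would be kept. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) == -1)
        return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    /* Check every visible id so a partial drop cannot go unnoticed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* 1 if the process is root or can get root back, 0 if the drop stuck.
 * After a real drop, setuid(0) must fail with EPERM. */
int can_regain_root(void)
{
    return (geteuid() == 0 || setuid(0) == 0) ? 1 : 0;
}

/* Create a file only its owner may read or write. O_EXCL makes open()
 * fail instead of following a symlink or reusing a pre-planted file;
 * 0600 is an upper bound, since the umask can only clear bits from it. */
int create_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void)
{
    /* Dropping to our own ids exercises the checks without needing root;
     * a real service would pass the ids of a dedicated service account. */
    if (drop_privileges(getuid(), getgid()) != 0) return 1;
    printf("root regainable after drop: %s\n", can_regain_root() ? "yes" : "no");
    return 0;
}
```

Run it as root with a dedicated service account's ids to see the full drop; run as an ordinary user it reports that root is not regainable.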

Q: We’re planning to enable the user to download arbitrary Java apps from untrusted sources. What can we do to prevent these apps from harming the system?
A: The best solution for dealing with virtual machines, such as a Java runtime, is to isolate the virtual machine (VM) process in its own adaptive partition. This way, the VM can get access to as many CPU cycles as needed but never more than its budget when the CPU is fully loaded. If, for some reason, an application goes into an infinite loop or tries to hog all of the available CPU, it will be throttled back to the partition’s budget. Using a secure partition in this way ensures downloadable Java applications can never interfere with the rest of the system.