Wind-River-Security-Crypto.Pdf

Intel Subsidiary Agrees to $750,000 Penalty for Unauthorized Encryption Exports

| Print |

FOR IMMEDIATE RELEASE BUREAU OF INDUSTRY AND SECURITY Wednesday, October 8, 2014 Office of Congressional and Public Affairs www.bis.doc.gov 202-482-2721

Intel Subsidiary Agrees to $750,000 Penalty for Unauthorized Encryption Exports WASHINGTON – The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) today announced that Wind River Systems of Alameda, Calif., a wholly-owned subsidiary of Intel Corporation, has agreed to a $750,000 civil penalty to settle charges that it sold encryption software products to foreign government customers and to organizations identified on the BIS Entity List without the required Department of Commerce licenses.

In April 2012, Wind River Systems voluntarily disclosed to BIS that between 2008 and 2011 the company made 55 exports of operating software valued at $2.9 million to governments and various end users in China, Hong Kong, Russia, Israel, South Africa, and South Korea. The operating software is controlled under Export Administration Regulations for national security reasons, and some of the export recipients in China are on the BIS Entity List.

“I approved penalties in this case because the violations were ongoing over a period of several years,” said Assistant Secretary of Commerce for Enforcement, David W. Mills. “Because the violations were voluntarily disclosed, the company received significant mitigation. This penalty should serve as a reminder to companies of their responsibility to know their customers and, when using license exceptions, to ensure their customers are eligible recipients.

BIS controls exports and reexports of commodities, technology, and software to support national security and foreign policy, including nuclear, chemical and biological weapons, and missile non-proliferation, human rights, regional stability, and curbing terrorism. Criminal penalties and administrative sanctions can be imposed for violations of the Export Administration Regulations. For more information, please visit www.bis.doc.gov.

Wind River VxWorks Platforms 6.9

The market for secure, intelligent, Table of Contents Wind River Workbench connected devices is constantly expand- Development Suite...... 26 Available VxWorks Platforms...... 2 ing. Embedded devices are becoming Eclipse...... 26 more complex to meet market demands. New in VxWorks Platforms 6.9...... 2 Project System...... 26 Internet connectivity allows new levels of VxWorks Platforms Features...... 3 Build System ...... 26 remote management but also calls for VxWorks Real-Time Operating Command-Line Build System...... 26 increased levels of security. System ...... 3 Workbench Debugger...... 26 Compatibility...... 3 More powerful processors are being VxWorks Simulator...... 27 considered to drive intelligence and State-of-the-Art Memory higher functionality into devices. Because Protection...... 4 Workbench VxWorks Source Build Configuration...... 27 real-time and performance requirements VxBus Framework...... 4 VxWorks 6.x Kernel are non-negotiable, manufacturers are Core Dump File Generation Configurator...... 27 cautious about incorporating new and Analysis...... 4 Host Shell...... 27 technologies into proven systems. To Message Channels and TIPC...... 5 succeed, companies must optimize their Kernel Shell...... 28 Memory Management...... 5 device software across the entire product Run-Time Analysis Tools...... 28 Error Management...... 5 life cycle: from design through develop- System Viewer...... 28 Processor Abstraction Layer...... 6 ment, from QA to the remote manage- Performance Profiler...... 28 Operating System Scalability ment of deployed devices. The challenge and Performance Tuning...... 6 Memory Analyzer...... 28 for many device developers is in balanc- Small-Footprint Profile...... 6 Data Monitor...... 28 ing the need for increased speed, greater File Systems...... 6 Code Coverage Analyzer...... 28 efficiency, and lower cost with an acceptable level of development risk. Wind River Network Stack...... 6 Optional Add-ons for VxWorks Platforms...... 28 Wind River PPP...... 10 Wind River VxWorks platforms meet this Wind River Workbench Wind River USB...... 10 challenge with an embedded platform On-Chip Debugging...... 28 VxWorks Multi-core solution that combines VxWorks 6.9, the Technologies...... 10 IPL Cantata++...... 29 industry’s leading 32-bit and 64-bit Middleware Technology...... 17 Technical Specifications...... 29 capable real-time operating system (RTOS); Wind River Workbench, the Security...... 17 Architectures, Hosts, and Board Support Packages...... 29 premier device software development Management...... 20 Supported Target Architectures suite; and essential security, device Distributed Messaging and Processor Families...... 29 management, and connectivity middle- and Services...... 22 Supported Hosts...... 30 ware, including drivers and protocols for Bridging and Routing...... 23 connected devices on the factory floor, Supported Board Packages...... 30 Graphics and Local Interface....23 wireless peripherals, and other devices Partner Ecosystem...... 30 Connectivity...... 24 within the network infrastructure. The Professional Services...... 31 Wireless ...... 24 VxWorks platforms are backed by Wind Installation and Orientation Compilers...... 25 River’s 25 years of device software industry Service...... 31 Wind River Diab Compiler and experience, a world-class support Education Services...... 31 Wind River GNU Compiler...... 25 organization, a comprehensive partner Public Classes...... 31 Intel C++ Compiler and Intel ecosystem, and a specialized professional Integrated Performance Private Classes...... 31 services team. Primitives...... 25 Mentoring Services...... 31 Wind River VxWorks platforms provide Live Remote Delivery...... 32 comprehensive multi-core processor Support Services...... 32 support, including asymmetric debugging support for processors with developers to see how interrupts are • IPsec offloading with SMP systems hardware breakpoint capability provide assigned to processors. This will apply to • Support for FIPS 140-2 mode another way to track data values, by static and dynamic assignment. Wind River IKE is a scalable implementa- setting breakpoints that trigger on data tion of IKE versions 1 and 2, as specified accesses at a specified address. Middleware Technology by the IETF, and it provides for secure key exchange for IPsec. Identifying the Best Functions to Speed Up Security To increase performance by applying Features of Wind River IKE 6.9 include Wind River IPsec and IKE parallelism, begin with the parts of your the following: Wind River IPsec is a scalable implementa- program that consume the most CPU • Support for IKE v1 and IKE v2 tion of IPsec, as specified by the IETF. It cycles. The Wind River development • Support for address and port ranges in provides authentication, data integrity, environment for VxWorks and Linux the IPsec SA configuration (IKEv2 only) encryption, and replay protection of any provides several ways to collect this • Support for listening on any address network traffic on the IP layer. It is information. The VxWorks Spy() capability (0.0.0.0 for IPv4, or :: for IPv6) implemented as a tightly integrated • Support of Online Certificate Status and the top command available in a software module for Wind River Network Protocol (OCSP) extensions to IKEv2, as Linux environment provide one alterna- Stack, for both IPv4 and IPv6 operations. defined in RFC 4806 tive. Wind River Performance Profiler Wind River IPsec is interoperable with • Ability for IKEv1 and IKEv2 to verify the (formerly ProfileScope) and System other IPsec implementations and conforms validity of a given certificate against a Viewer make it easy to identify which certification revocation list issued by an to the IPsec RFCs, as specified by the IETF. functions in an application are consum- appropriate certificate authority ing the most CPU cycles. In an SMP Features of Wind River IPsec 6.9 include • IKE v1 support of accepting both ESP and system, additional threading will help to the following: AH negotiation in the same proposal for a given IPsec flow configuration, required increase system performance. In an AMP • 64-bit support for interoperability with Windows Vista system, these are the functions that may • Updates to the PF_Key v2 management and Windows Server equivalents, which benefit from decomposition or reassign- interface allow such policy specifications ment to a processor with a lighter load. • New keyadm commands and options • NAT traversal of ESP packets over UDP • RFC 4301, 4308, 4835, and others • Integration with Wind River Network Stack Uncovering Shared Resource Contention • Support for IP forwarding with IPsec on • Authentication based on X.509 certifi- The rich data collection capabilities of Cavium Networks CN38xx and CNN58xx cates and preshared secrets (passwords) processors Wind River System Viewer can be used to • Passive and active establishment of • Support for IPsec ESP cryptographic log information that can later be IPsec connections offload to Cavium Networks CN38xx and analyzed to expose a range of resource • Secure, interoperable communication CN58xx processors contention–related issues. with other IPsec endpoints • Addition of new commands and • Plug-and-play integration with Wind parameters as well as changes to Tracking Inter-processor Communication River IPsec existing keyadm shell commands and Synchronization • VPNC certification for Basic, AES, IKE v2, • Tunnel and transport mode in any IPv6, and certificate interoperability In multiprocessor systems, the interaction security association (SA) combination • Support for FIPS 140-2 mode of processors is at least as important as • Support for AH and ESP modes • IKE SA rekeying what happens on any single processor. • IP in IP tunneling • 64-bit support Spinlocks are commonly used to provide • Bypass/apply/discard IP packet filtering • Support for Section 2.24: Explicit with both input and output selectors synchronization in multi-core systems. Congestion Notification (ECN) of RFC • Support for IPsec monitoring MIB Spinlocks are supported with VxWorks 4306 Internet Key Exchange (IKEv2) • Key and SA management with PF_Key SMP, and spinlock activity is trackable in Protocol Management API v2 with openbsd System Viewer visualization. System • Support of RFC 4718 IKEv2 Clarifications extension Viewer instrumentation of TIPC messages and Implementation Guidelines • Support for all required authentication • Support for secure key storage also provides insight into the interaction transforms and encryption algorithms • Enhanced dead peer detection (DPD) between processors. • Validated with Common Cryptography • Enhanced IKE daemon to renegotiate Interface (CCI) proposals in the IKE stack if the first Displaying Static or Dynamic Routing of • Extended Sequence Number (ESN) specified group is not accepted Interrupts to Processors Addendum to IPsec • ipike_identification-extract( ) routine The assignment of hardware resources, • Integrated and validated with optional optimized to avoid unnecessary malloc() including interrupts, to specific proces- security coprocessors, demonstrating calls to enhance memory usage significant performance improvement sors is an important multi-core design • Fetching certificates using HTTP over software processing decision. The ability to query the state of • Matched delete sequence during • VPN-A and VPN-B suites VxWorks kernel objects allows rekeying for IKEv1 and IKEv2 • Traffic flow confidentiality (TFC)

17 | Wind River VxWorks Platforms 6.9 Wind River Wireless Security • New commands to support run-time Features of Wind River Firewall 6.9 include Wind River Wireless Security is a suite of configuration of multiple port access the following: entity (PAE) instances security protocols implemented by Wind • Ability to run on a 64-bit platform • Support for the coexistence of WPS and River that includes a supplicant and • IP filtering with stateful inspection for 802.1X in a single image, allowing authenticator for the 802.1X-2001 IPv4 or IPv6 packets parameters to be supplied through WPS, • MAC (media access control) filtering standard and Wi-Fi Protected Setup followed by 802.1X authentication with • Logging at the network (L3) and data link (WPS). The Wireless Security authentica- an authentication server tor is integrated with the Wind River (L2) layers Wind River EAP • HTTP content filtering for URLs (both RADIUS and Diameter, Wind River specific and by keyword), proxy traffic, Learning Bridge, and Wind River Wireless Extensible Authentication Protocol (EAP) Java applets, ActiveX controls, and Ethernet Driver, providing all the core allows a client and a server to negotiate cookies an authentication method and establish functionality for typical authenticator • Nonvolatile (NV) storage of firewall rules client and, optionally, server authentica- products, such as wireless access points. • Input and output filters Both supplicant and authenticator can be tion. The protocol defines a packet • Stateful inspection used in the same product, allowing structure that contains commands and • Rate limiting greater flexibility and a range of applica- attributes used by the client and server • Filter on network interface tion support. Wind River Wireless Security during an authentication session. A • Support for the pktflags keyword that’s works together with Wind River EAP that number of EAP types and EAP type used to filter IPsec, NAT, and tunneled supports multiple Extensible Authentica- combinations are available to implement packets • Rule grouping tion Protocol (EAP) types. Integration with an authentication method. • Simplified procedure for excluding Wind Wind River SNMP is included to interface EAP is a separate module based on the River Firewall from a VxWorks Image with the 802.1X MIB. IPCOM EAP (IPEAP). EAP is used by the Project Also part of Wind River Wireless Security Wind River Wireless Security supplicant Wind River NAT is a full-featured imple- is Wind River’s implementation of WPS. to negotiate an authentication method. mentation of the industry-standard WPS simplifies the setup and manage- EAP supports the WPS EAP method Network Address Translation Protocol ment of wireless networks by automating (EAP-WSC). EAP-WSC is used for registrar (NATP) for use in routers, firewalls, DSL the configuration of access points and and enrollee discovery and for credential and cable modems, and residential peripheral devices. Wind River Wireless establishment in a WPS environment. gateways. A device running Wind River Security comprises the following Wind River EAP 6.9 supports 64-bit NAT can connect an entire department or components: operation. In addition, EAP includes VSB a small office to the Internet using a single • COMPONENT_DOT1X configuration enhancements, support for global IP address. Address mapping • COMPONENT_8021X the use of the secure key database to effectively conceals the size and topology • COMPONENT_WPS store EAP passwords and private keys, of the private network from the outside, Features of Wind River Wireless Security and EAP Session-Id. providing a basic level of security. 6.9 include the following: The following are the EAP types sup- The chief advantage of NAT is that • Support of WPS for the enrollee, AP ported in Wind River EAP 6.9: addresses on the private network are without registrar, and AP with registrar hidden from the public Internet, provid- • EAP-AKA models ing a measure of security. A second • EAP-GTC • Capabilities including 802.1X, Wi-Fi • EAP-LEAP advantage, realized with certain varieties Protected Access (WPA and WPA2), • EAP-MD5 of NAT, is that scarce IP addresses are 802.11i, Temporal Key Integrity Protocol • EAP MS-CHAPv2 conserved, reducing network administra- (TKIP), AES, preshared keys • EAP-PEAPv0 tion costs. • EAP types and EAP type combinations • EAP-PEAPv1 added with use of new independent EAP Wind River NAT supports the two most • EAP-SIM module (IPEAP), allowing EAP to be widely used NAT modes. Basic NAT • EAP-TLS used by other Wind River modules performs one-to-one mapping of private • EAP-TTLS • Full integration and testing with Wind • EAP-WSC IP addresses to a preallocated block of River Wireless Ethernet Driver (station external IP addresses. The more com- and access point modes), easily portable Wind River Firewall and NAT monly used NATP maps port numbers to other wireless driver solutions as well as IP addresses. NATP allows • Support for both authenticator and Wind River Firewall supplies a powerful multiple private addresses (up to 64,000 supplicant modes filtering engine that allows device manufac- • Support for wide range of encryption turers to optimize their software to provide address/port combinations) to be and hashing algorithms advanced features that protect valuable multiplexed on a single public address, • Support for dot1xPaeConfigGroup data. This engine is ideally suited to a wide offering the full benefit of address supplicant MIB range of products, including SOHO routers, conservation and security. broadband access devices, and small to medium-size enterprise devices.

18 | Wind River VxWorks Platforms 6.9 NAT provides basic security by blocking When VxWorks is compiled in FIPS mode, VxWorks. This includes a library of all incoming connection requests that the affected algorithms are compiled out. cryptographic algorithms, the common don’t map to recognized address The MD5 hash algorithm is not compiled crypto interface (CCI), used by other translations. out, but it is disabled in run-time if the components requiring access to crypto system is running FIPS 140-2 mode. Since functions, and the crypto provider interface Wind River NAT supports the following these algorithms are not FIPS-approved (CPI), which supplies a mechanism for features: and are compiled out, it is not possible to developers to add other crypto libraries or • Ability to run on a 64-bit platform select components that use them in your hardware-based crypto functions. • Basic NAT VSB when you enable the FIPS 140-2 • Network Address Port Translation option. Some components will not be Wind River SSL and SSH (NAPT) Wind River SSL is a client server technol- • Bidirectional NAT possible to enable, for example, Mobile IP • Network Address Translation-Protocol v4. This exception applies to specifications ogy used to secure any higher layer Translation (NAT-PT) that mandate the use of non-FIPS-ap- protocol that uses sockets. A typical • Demilitarized zone (DMZ) host proved algorithms, such as MD5. There are application is to secure HTTP connec- • Application-level gateways (ALGs) also some modules that will simply compile tions (HTTPS) for e-commerce. • Port triggering out features that use non-FIPS-approved Security is provided by the following: • Support for the Session Initiation algorithms. For example, in TCP the MD5 • Privacy, using data encryption Protocol (SIP) Application-Level Gateway checksum option will be compiled out. • Authentication, using digital certificates (ALG), allowing simple SIP UDP sessions When FIPS mode is turned off, the MD5 to pass through a NAT device • Message integrity, using message hash is enabled. digests Wind River Cryptography Libraries Customers have the ability to build a Features of Wind River SSL 6.9 include non-FIPS image that includes all compo- Wind River Cryptography Libraries 6.9 is the following: an implementation of standard crypto- nents and a FIPS image including the • Support for FIPS 140-2 (the set of cipher graphic algorithms and supporting encryption library and SSL. In order to suites is reduced when running SSL in configure FIPS 140-2 mode, the VSB option utilities that can be used in developing FIPS 140-2 mode due to not all algo- needs to be enabled. secure applications. It is based on the rithms being FIPS approved; customers cryptographic portions of the open The following are included algorithms: can only use cipher suites using AES, source project OpenSSL. It is also used by 3DES, and SHA1 when running in FIPS • AES other components requiring access to 140-2 mode) • Blowfish crypto functions. Wind River Cryptogra- • Operation in VxWorks 6.9 for both 64-bit • CAST and 32-bit modes phy Libraries can run on a 64-bit platform. • DES • Support for AES-GCM (Advanced • RC2 Wind River Cryptography Libraries Encryption Standard in Galois Counter • Arcfour includes the following: Mode), including AES-128-GCM and • RC5 AES-128-CCM • Software implementations of crypto- • AES key wrap • SSLv2, SSLv3, TLSv1, and DTLSv1 graphic algorithms • SHA-1 support • An API for creating interfaces to • MD2 • HMAC-SHA-1 and HMAC-MD5 hardware cryptographic devices for • MD4 • DES, 3DES, and AES offload of computationally intensive • MD5 • RSA public-key cryptography cryptographic algorithms • RIPEMD-160 • Implementation of OpenSSL APIs to • An implementation of a hardware • HMAC allow for easy porting of existing interface for Freescale SEC devices • AES CMAC applications • An implementation of a cryptography • Diffie-Hellman • Advanced Encryption Standard (AES) offload engine that is supported and • DSA Ciphersuites for TLS (RFC 3268) included for Cavium OCTEON CN38xx • RSA and CN58xx processors • Datagram Transport Layer Security (RFC 4347) • X.509 certificate support Wind River Security Libraries • Support for AES key wrap and AES • Updated version of OpenSSL Wind River Security Libraries continue to CMAC algorithms be deprecated. New development should Wind River SSH (Secure Shell) is an Wind River Cryptography Libraries use Wind River Cryptography Libraries, implementation of the Secure Shell continues to provide support for the which provides enhanced functionality. protocol that provides secure remote Federal Information Processing Standard login, file transfer, and port forwarding Starting with VxWorks 6.6, cryptographic (FIPS) 140-2. The set of available cipher over an unsecure network. This means services are provided by the Wind River suites is reduced when building VxWorks in embedded systems can communicate at Cryptography Libraries. Wind River Security FIPS 140-2 mode because some security the application level over a connection Libraries is also included for backward- algorithms are not FIPS-approved. that is encrypted and provides data compatibility with prior versions of integrity and replay protection. This

19 | Wind River VxWorks Platforms 6.9 effectively eliminates eavesdropping, Telnet/Serial Browser Custom Console connection hijacking, IP spoofing, and other network-level attacks. In addition, embedded SSH provides several secure tunneling capabilities that Consumers may be used to create VPNs. A variety of authentication methods is also supported. Wind River CLI Wind River Web Server Custom Agent Features of Wind River SSH 6.9 include the following: • SSH server mode • SFTP client support • SSH versions 1.5 and 2.0 MIBway Wind River Management Backplane • Support for key-exchange/regeneration as defined in section 9 of RFC 4253 • Support for arcfour128 encryption Producers algorithms • Support for the diffie-hellman-group14- Wind River SNMP Custom Data Producer sha1 key exchange algorithms • Operation in VxWorks 6.9 for both 64-bit and 32-bit modes Figure 9: Wind River network management architecture • Support for SSHv1 RSA fingerprints and calculating in a way that matches version 4 (MIPv4), and remote network manageable elements (producers). The OpenSSH fingerprints generation access applications. Diameter runs on scalable framework can have any type of one or more network access points, consumers and any type of producers. Wind River RADIUS and Diameter sending authentication requests to a Wind River RADIUS Client is a full- Wind River Management Backplane shared Diameter server. featured implementation of the industry- interfaces with a CLI agent, Wind River standard remote authentication dial-in The Diameter protocol has several CLI; an embedded web server, Wind River user protocol. Wind River RADIUS Client advantages over previous AAA protocols Web Server; and an SNMP implementa- supports a complete set of functions for in that it offers improvements in the areas tion, Wind River SNMP (Simple Network authentication, accounting, and security, of reliability, security, scalability, and Management Protocol). In addition, the and it has been verified against several flexibility. Wind River Diameter Client 6.9 framework comes with a full-featured, commercial RADIUS servers, ensuring supports Diameter Proxy Agent. Windows-based developer tool (GUI), Wind River Management Integration Tool compatibility with a wide range of Wind River RADIUS and Diameter 6.9 (WMIT). This tool eases the development applications. add the following: of management interfaces by bringing all Wind River RADIUS Client 6.9 allows the • Support for 64-bit the framework components together. network to determine whether a user is • Diameter secure key storage allowed access (authentication). Authen- • Support for RFC 4675: RADIUS Attri- Management Configuration Editor (MCE) tication is also used to determine that a butes for virtual LAN and priority is a simplified Eclipse plug-in to help with message has not been fabricated or support development of CLI- and Web-based • RADIUS support for RFC 5247: Exten- altered in transit. Authorization deter- management interfaces. MCE is integrat- sible Authentication Protocol (EAP) Key mines which network resources a user ed with Wind River Workbench and may Management Framework, section 5.9 may access, and the accounting functions be run on any host that Workbench supports. Developers may choose MCE, provide a record of usage. The RADIUS Management tunneling protocol and roaming charge- WMIT, or both tools to configure a Wind River provides a scalable, unified, able user identity (CUI) is supported. project. MCE is intended as a replace- small-footprint management framework ment for WMIT. The Diameter authentication, authoriza- that enables creation of Web-based, tion, and accounting (AAA) protocol CLI-based, or custom management WMIT supports only 32-bit target code provides support for peering AAA interfaces to manage networked ele- and cannot be used for 64-bit projects. transactions across the Internet. The ments. As shown in Figure 9, it consists of The MCE can produce 64-bit target code, Diameter base protocol provides the a management backplane, which acts as a even if it is run on a 32-bit host. You minimum requirements needed for AAA conduit for data-handling between cannot convert between WMIT and MCE if protocol, Mobile Internet Protocol management interfaces (consumers) and you are generating 64-bit code with MCE.

20 | Wind River VxWorks Platforms 6.9