From helicopters to medical devices and power stations, mathematical proof that software at the heart of an operating system is secure could keep hackers out

Autonomous, and staying that way (Image: Boeing)

AN AUTONOMOUS helicopter gunship is flying over a military base in Arizona. Suddenly, officers on the ground lose radio contact: hackers have taken control of an on-board computer. Could they fly the helicopter?

This has happened – well, almost. New Scientist can reveal that the US Defense Advanced Research Projects Agency (DARPA) used this scenario in a drill to test the cybersecurity of an uncrewed Boeing Little Bird helicopter.


Despite the hackers being given unfettered access to the computer, and then trying their hardest to disable the helicopter – even crashing the computer – they could not disrupt critical systems. For DARPA, which is aiming to develop an “unhackable” drone by 2018 as part of its High-Assurance Cyber Military Systems (HACMS) programme, the drill was a success.

This isn’t just about the military, though. The software that kept the helicopter’s computer secure was at the heart of its operating system, and it could be just what the world needs to make everything from pacemakers to insulin pumps and power stations to cars immune to hacking.

“My hope is that in 10 years’ time, anything that is security critical is running on our system or some other one built on the principles we’ve established,” says Gernot Heiser from the newly formed Australian national research agency, Data61. One of its predecessors developed the crucial component of the “unhackable” operating system – its kernel.

The kernel is the central core of any computer’s operating system. If hackers gain access to it, they can perform actions that are meant to be forbidden – like turning a mobile phone into a signal jammer, for example. Last year, Heiser’s team proved mathematically that their kernel is unhackable.

Known as seL4, the kernel has a few highly secure properties: it can only do what it is designed to do; its code can’t be changed without permission; and its memory and data transfers can’t be read without permission. An earlier version of it, called OKL4, is now in millions of smartphones.

Heiser says that two features underpin seL4’s security, one of which is a new way of isolating data inside the kernel. But the key development was making the code capable of being checked mathematically. Other kernels might have these properties too, but it is impossible to know for sure without mathematical proof, says Heiser.

In July, two hackers pulled a prank by remotely accessing the computer of a Chrysler Jeep, making it stop suddenly on a highway and then crash into a ditch. As a result, the company recalled 1.4 million vehicles. Could seL4 prevent such episodes in the future?

No more break-ins

Heiser says you can’t stop hackers getting access to things like a car’s entertainment system, if it communicates using Wi-Fi. And hackers often use a non-critical system as a springboard to critical areas like steering – as happened with the Jeep prank. But the seL4 kernel can keep systems separate, Heiser says. “There are now efforts afoot to roll this out to cars to protect them.”

“Car hackers may access the entertainment system and use it as a springboard to a critical area like steering”

That’s what the helicopter drill demonstrated. On the assumption that not every system can be made secure, the organisers made one computer run two operating systems simultaneously, one of which included the seL4 kernel. They then gave hackers full access to the other system.

“In the past they had no problem owning that thing. But we can now stop them from breaking in,” says Heiser.

The same principles will apply in preventing hackers from gaining access to critical systems in power grids or medical devices, says Kathleen Fisher at Tufts University in Medford, who is also the HACMS programme manager.

It is a big deal for cybersecurity, says Iman Shames from the University of Melbourne in Australia. But he says there are always ways to attack hardware, even if the software is impregnable. Hackers might be able to spoof a device’s sensors or jam incoming communications or other signals, which could be just as devastating.

This article appeared in print under the headline “Can’t hack this”