BSDCan2018 - 1.54
BSDCan 2018
The Technical BSD Conference
| Speakers | |
|---|---|
|
Henning Brauer |
| Schedule | |
|---|---|
| Day | Talks #2 - 9 June - 2018-06-09 |
| Room | DMS 1110 |
| Start time | 11:15 |
| Duration | 01:00 |
| Info | |
| ID | 986 |
| Event type | Lecture |
| Track | Embedded |
| Language used for presentation | English |
OpenBSD/x-ray
OpenBSD on medical x-ray machines
Modern, digital x-ray machines are pretty complex beasts. They contain several networked systems and must in turn be connected to the hospital or doctor's office network - basically, requests with the patient data are being sent to the x-ray machine, the operator processes these requests and the records are sent back with the images attached. To further complicate matters, there are external image readers in some cases, connected to the external network, not the x-ray machine itself, that the x-ray machine needs to talk to.
Thanks to the wonderful combination of high certification costs and monopolies in certain areas, some of these sensors only speak ftp. The x-ray machine's internal network must be the same layer 2 network as the external one thanks to the mandatory protocols involved, and medical regulations make any kind of investigation or information gathering on production systems outright impossible. The same regulations impose very very strict limits on remote access - only if the machine is in maintenance mode and not operational, of course.
Certification requirements make upgrading hard, and the field engineers are x-ray engineers, not networking specialists. Even a DoS has unexpected consequences - if the data transfer between the image sensor and the imaging station fails, the x-ray process has to be repeated, and that is considered bodily injury. While most vendors just ignore the problem, one vendor's digital x-ray and fluoroscopy (think x-ray movies) ship with an OpenBSD bridge for roughly 10 years now to separate the internal from the external network. This system as recently been redone and is getting rolled out to their CT and MRI machines as well.
I will show how OpenBSD is being used on this scenario, dive into the arp filter I wrote for the bridge in the process as well as several smaller pf changes, and provide new insights - even in the literal sense.