RTOS, secure virtualization technology for real-time systems, DO-178B and hypervisor for the most demanding embedded operating system applications...

Partitioning Operating Systems Versus Process-based Operating Systems

Understand RTOS and embedded Linux systems. Is it a process? Is it a partition?

Partitioning operating systems are the latest buzz—largely based on an ARINC 653-style separation scheme. Processes, by contrast, have been around for over 30 years in a classic UNIX®/POSIX® model and provide the most portability between UNIX and Linux® systems. Both provide memory protection, however, the intent behind them is very different.

Partitioning operating systems like the LynxOS-178 RTOS and LynxOS-SE RTOS represent the future of secure systems. They have evolved to fulfill security and avionics requirements where predictability is extremely important. In avionics systems, for instance, running interrupts other than the system clock needed for cycling the partitions is discouraged.

Partitioning operating systems

In a partitioning operating system, memory (and possibly CPU time as well) is divided among statically allocated partitions in a fixed manner. The idea is to take a processor and make it pretend it is several processors by completely isolating the subsystems.

Hard partitions are set up for each part of the system, and each has certain amount of memory (and potentially a time slice) allocated to it. Each partition is forever limited to its initial fixed memory allocation, which can neither be increased nor decreased after the initial system configuration.

Within each partition may be multiple threads or processes, or both, if the operating system supports them. How these threads are scheduled depends on the implementation of the OS. A partition will generally support a separate namespace to enable multi-programming by mapping the program into the partition.

If the operating system supports time partitioning, it too is fixed. For example, in an ARINC 653 partitioning system with just three partitions and a total major allocation of 100ms per cycle, a fixed cyclic scheduler could be set to run the first partition for 20 ms, then the second partition for 30 ms, and then the third for 50 ms.

LynxOS-178 is an ARINC 653 partitioning operating system that supports multiple POSIX processes and multiple address spaces; priority scheduling; priority inheritance; and priority ceilings within each partition. LynxOS-178 essentially moves the LynxOS scheduler and operating system up a level into each partition, with a full ARINC 653 partitioning operating system underneath.

The process model and thread-based operating systems

In a process model or thread-based system, processes protect and separate memory from each other, but they are dynamic rather than fixed.

A process can be dynamically loaded into memory from a fully linked executable located on the hard drive or on a RAM disk in memory. Then, a main thread is created and assigned to the process, and it is scheduled.

Because a process is NOT limited in how much memory it can have, additional memory can be dynamically allocated to it as needed during program execution.

Instead of cyclic scheduling like an ARINC 653 system, a process-based system runs priority-based preemptive scheduling based upon the priority of the threads. The performance of process-based systems is improved if the operating system handles priority inheritance efficiently and if it incorporates preemptible kernel technology.

A thread-based scheduler has more work to do than one that just cycles partitions because it needs to respond to the individual priority values of the threads it manages. Since each thread runs inside the memory context of a particular process, a context switch between threads within the same process takes less time than a switch between threads in separate processes.

Processes provide inherent memory protection by isolating their resident threads and memory from other processes. Despite this security measure, a process could still potentially exhaust system memory by continually forking more child processes.

Additionally, a runaway thread could also exhaust a system by requesting (and receiving) all the CPU time if it happens to be the highest priority thread. A watchdog timer is often used to prevent such situations.

POSIX thread creation and memory protection

Even though threads in one process can't overwrite threads in another, some spill-over between processes could possibly occur anyway because system memory is typically also accessible via a virtual address space (to allow the dynamic creation of additional threads, processes or OS structures). All memory areas aren't necessarily flushed on a process switch.

Some POSIX calls require that data be shared between processes. A dynamic library for instance will require that the code space of the library be shared between two or more processes by mapping the library area into both processes.

An mmap() call also can map a global memory area into the visibility of multiple processes. Both dynamic libraries dlopen() and mmap() are required by POSIX profile 54.

On a process-model operating system that supports shells and utilities (also POSIX profile 54) a user can log into the target operating system and dynamically invoke a new process by typing the ps command. The shell will locate the ps utility off the ram disk in /bin, fork a new process, and execute the ps program.

SCOPE_LOCAL and SCOPE_GLOBAL in the process-thread model

The process-thread model is used by both Linux and Solaris™ systems, but the actual implentation differs according to "scope." The POSIX standard defines both SCOPE_LOCAL and SCOPE_GLOBAL.

Solaris usually schedules all threads within a process first, and then processes are scheduled as a block based according to the priority of the process—SCOPE_LOCAL (typical UNIX implementation).

On the other hand, an operating system like the LynxOS RTOS will look across all of the threads in the system, regardless of which process they belong to, when deciding which thread to run next—SCOPE_GLOBAL.

LynxOS is a process-model operating system with global priority-based, preemptive scheduling at the thread level across the entire system (all processes). it supports both priority inheritance and priority ceiling protocol.

Partitions versus processes—understanding the difference

Partitioning operating systems like the LynxOS-178 RTOS and LynxOS-SE RTOS are powerful when it is necessary to completely isolate portions of the system from each other. For example, the activities of the CPU in a plane's cockpit control system must be predictable and known at all times, and the fixed, cyclic nature of a partitioning operating system's scheduler makes this possible. Without fixed time-slice partitioning, a rate monotonic analysis would need to be performed to know exactly where a system is executing.

Conversely, a global, thread-scheduler, process-based operating system such as the LynxOS RTOS best serves the requirements of a system with an I/O device that could burst, such as a radar system. Such a system must be capable of responding to bursting hardware with all the system resources available. This can only be achieved by denying processing time to other parts of the system, which would not be permitted under a partitioning operating system and its unmodifiable processing-time allotments.

A LynuxWorks embedded OS is featured in this embedded system application:
Who else uses a LynuxWorks embedded operating system?
Security white papers
Separation Kernels Enable Rapid Development of Trustworthy Systems
By using separation kernel technology and a security abstraction design approach, military system developers can use off-the-shelf components and tools to rapidly build and maintain high security systems. (March 2014)
Coming Together of Safety and (Cyber) Security Changes Demands in RTOS Market
Separation kernels and secure hypervisors will be evermore in demand as safety and certification will be required in more and more applications. Governments are already working on infrastructures deploying this type of technology. (October 2012)
Building in RTOS Support for Safety- & Security-Critical Systems
LynuxWorks explains the differences between safety-critical and security-critical applications and how to meet their demanding requirements with the LynxOS-178 RTOS and the LynxSecure hypervisor. (EE Times Design, August 2011)
Enhancing Application Performance on Multicore Systems
Tips on optimizing a multicore real-time system, including virtualization, avoiding synchronization and concurrency while maximizing application parallelism. (Military Embedded Systems, February 2011)
Hardware Virtualization puts a new spin on Secure Systems
Real-time determinism and military security don't have to be separate realities. A combination of a secure separation kernel and an embedded hypervisor enables whole new levels of system security. (COTS Journal, October 2010)
Using a Separation Kernel to add Military-Grade Security to Legacy Systems
A challenge for the software designer is how to integrate modern military-grade software programs into legacy software designed long before security standards were predominant in system requirements. (VME Critical Systems, Summer 2010)
Virtualization: Keeping Embedded Software safe and Secure in an Unsafe World
A new, secure methodology is needed to separate systems of different security levels which run on shared resources—without compromising the performance of legacy systems. (EE Times, June 2010)
Secure Virtualization Combines Traditional Desktop OSs and Embedded RTOSes in Military Embedded Systems
Advances in software and hardware technologies now make it feasible to use both embedded and desktop operating systems in a secure military system. (Military Embedded Systems, May 2010)
DO-178B Provides Certification Safety net
Developers of commercial avionics software must demonstrate compliance with DO-178 guidelines. The FAA has issued additional guidance for so-called DO-178B Reusable Software Components (RSCs as defined in AC20-148), which allow for reuse of certifications. (COTS Journal, November 2009)
Designing Safety-critical Avionics Software Using open Standards
Safety-critical avionics systems have continually grown more complex and software-intensive. Regulatory authorities and avionics manufacturers have responded with guidance such as DO-178B and RSC to ensure that software performs safely, with controlled development cost. (Boards and Solutions, September 2009)
Two Different Realms: RTOS Support for Safety-critical vs. Security-critical Systems
Safety- and security-critical system functions are evolving simultaneously, with different yet similar requirements. Modern RTOSes are stepping up to meet these needs. (VME and Critical Systems, June 2009)
Virtualization Makes Better use of Open-source OSes and apps
With the introduction of the embedded hypervisor, embedded systems can avoid certain performance or licensing issues inherent to open-source OSes and applications. (EE Times, March 23, 2009)
Secure Virtualization Technology can Extend the life of Legacy Systems
By combining the concept of virtualization and security, one can consolidate multiple legacy systems running on heterogeneous operating systems onto a single host system with high-assurance security. (Military Embedded Systems, January/February 2009)
Virtual Machines: Intel's CPU Extensions Transform Virtualization
Virtualization has traditionally presented its share of design challenges in information-assurance-based systems. But now, Intel's VT-x and VT-d CPU extensions are changing the game and showing potential to become the de facto path to virtualization. (Military Embedded Systems, January 2009)
Separation Kernel for a Secure Real-time Operating System
The technical foundation adopted for the so-called MILS architecture is a separation kernel like LynxSecure, which permits multiple functions to be realised on a common set of physical resources without unwanted mutual interference. (Boards and Solutions Magazine, February 2008)
Advances in Virtualization aid Information Assurance
Advances in the newest Intel® processors are making virtualization much easier to implement in security applications than ever before. (Embedded Computing Design, January 2008)
Protecting our most Vital Systems
Some significant defence programmes are already committed to a new approach to high-threat, high-asset-value systems. Rance DeLong explains MILS. (Components in Electronics, April 2007)
Perspectives: Security and the Separation Kernel
Today's avionics systems are designed to support more than one application, using a partitioned operating system and memory management units to ensure applications have adequate separation. (Avionics Magazine, April 2007)
MILS: An Architecture for Security, Safety, and Real Time
The unrelenting growth and integration of embedded controls, information processing, and communications has created a need for systems that provide robust protection for resources and services in the face of serious threats. (Embedded Technology Magazine, November 2006)
Partitioning Operating Systems Versus Process-based Operating Systems
Partitioning operating systems are the latest buzz, while processes, by contrast, have been around for over 30 years. Both provide memory protection, however, the intent behind them is very different.
DO-178B and the Common Criteria: Future Security Levels
Although there are similarities between the airborne safety-critical requirements in RTCA/DO-178B and the Common Criteria, ISO 14508, compliance with the higher levels of security in the Common Criteria demands meeting additional security requirements. (COTS Journal, April 2006)
Reusing Safety-Critical Software Components
Safety-critical systems often operate together as a single "system-of-systems," making it important that they meet the most stringent and rigorous requirements for safety-criticality. The failure of one module in a system could create other failures or vulnerabilities, or worse yet, failure of the system as a whole. (COTS Journal, August 2005)
Using the Microprocessor MMU for Software Protection in Real-Time Systems
With minimal impact to overall system performance, user tasks and the kernel can be protected from accidental corruption by using multiple protected address spaces.
Improving code Migration and Reuse
The unrelenting growth and integration of embedded controls, information processing, and communications has created a need for systems that provide robust protection for resources and services in the face of serious threats. (Embedded Computing Design, August 2006)
FCS Program Rolls Forward in Formation
A wireless data network, with advanced communications and technologies, links soldiers with 18 new, lightweight manned and unmanned ground vehicles, unmanned aircraft, sensors and weapons—and it's all in one program. (COTS Journal, June 2005)
Secure Operating Systems for Deeply Embedded Devices
As we add more intelligence to our embedded devices, we find that they are becoming increasingly integrated into our information technology infrastructure. Though system security is not a new concept, security-in-depth is a new paradigm developers are now starting to address. (RTC Magazine, September 2004)
LynxSecure Separation Kernel and Embedded Hypervisor LynxOS-SE Embedded RTOS Luminosity Eclipse-based IDE
LynxOS Embedded RTOS RTOS: LynxOS-178 for software certification


SpyKer Embedded-System Trace Tool

Industry Solutions


Industry Standards

Embedded Systems Technology

RTOS Training for Embedded Systems

Training at LynuxWorks

LynuxWorks Support

Embedded Systems

LynxOS RTOS Support

Embedded System Consulting

Contact Us

About LynuxWorks

Press Room

Newsletter and Announcements



Site Map

Board Support Packages (BSPs)

BSP Device Drivers

BSP Targets by Operating System

BSP Targets by Form Factor

Third-party I/O Devices and Hardware

SynergyWorks: LynuxWorks partners

What is SynergyWorks?

Third-party add-ons for LynuxWorks operating systems

Copyright © LynuxWorks™, Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of LynuxWorks is prohibited.