The coming together of safety and security is a major technical trend in the RTOS market, as outlined in this white paper by Hamid Mirab, Managing Director EMEA, LynuxWorks. It will mean that separation kernels/secure hypervisors will be evermore in demand. Safety and certification will be required in more and more applications. Cyber security is still in its embryonic state; governments are already working on infrastructures deploying this type of technology. Businesses and manufacturers have also recognized the risks and have started planning.
Hamid Mirab, Managing Director EMEA, LynuxWorks
Traditionally, the emphasis was on an RTOS with very fast context switching. Most of these were home-grown, and gradually manufacturers realised it would pay to deploy COTS products so they could concentrate on their own core competences. Then, with the introduction of embedded Linux®, there was a period in which a lot of companies embraced it to benefit from the advantages it offered. One of these advantages is the large number of applications readily available for Linux.
The market however demanded robustness and stability, providing a high-performance platform for embedded real-time applications. RTOSes that used open standards and provided support of open systems interfaces allowed maximum portability of open-source, Linux and Solaris™ applications to be run on the RTOS; and as a result managed to achieve best of both worlds.
The market seems to be favouring COTS products that offer real-time determinism with openness—the growth in the market share for this type of product is an endorsement of the fact that it addresses the demands.
Another area of growth is the use of multicore processors to address the SWaP (Size, Weight and Power) constraints faced by a number of embedded vertical markets, and multicore processing is having a tremendous impact on the development of embedded systems. Previous multiprocessing solutions involved two or more physical chips, which at least doubled the board space consumed; putting multiple processing cores on a single chip lets operating systems and applications leverage increased computing power without noticeably increasing the size or weight of the system. These advantages, however, come with obstacles in the form of additional considerations that must be taken into account during the design process.
In multicore computing, the functions performed by the operating system become layered and more complex. The operating system design must be capable of handling the complex concurrency issues that arise with multicore architectures.
Some of the generic areas of OS design affected by the presence of multiple cores are initialization, interrupt handling, scheduling and locking. In the context of a real-time operating system, other key properties such as priority scheduling, determinism and interrupt latency must also be preserved on multicore architectures. Safety-critical applications are gaining momentum, and they are served by ARINC 653/DO-178B time- and space-partitioned RTOSes, which guarantee separation between partitions running different applications. This partitioning is subject to extensive testing and proof requirements as part of the certification process.
Certification is an expensive business, in terms of the process you must follow, the evidence you must generate, and the examination of the certification claim by the certification authority. Companies cannot afford to make mistakes that get discovered late in the development cycle or, even worse, during certification. It can cost huge amounts to correct even a single certification mistake so there is a big emphasis on getting it right the first time, or at least catching mistakes early.
In general terms, the parts of the software industry concerned with safety are facing big challenges to make the process of certification (to any standard) more repeatable, more efficient, and more cost-effective. The general software industry has been working on software reuse and modularity for many years but these concepts only touched the surface of the DO-178B industry. For good reason, a lot of software was re-written each time—just to be sure it was OK. Even though most people don't do that now, there are still concerns over what can be used because you have to prove it is safe. Most companies design their software to be modular and will reuse it now, but that reuse hasn't been able to be extended to software certification.
In addition to safety, there seems to be an increased demand in the market to provide security—this could vary from SCADA systems to endpoint security. In security-critical applications, it can be vital that one component be prevented from accessing the resources of another component. Separate computers can provide perfect isolation, at the expense of space, weight, money, power, complexity and flexibility.
LynuxWorks is a pioneer and a proven leader in the embedded-systems industry with more than 21 years of experience. Our mission is to provide open-standards-based embedded software products offering the highest performance, reliability, safety and security to developers of embedded applications.
Our embedded operating systems are based on open standards, and are used over and over in important products made for markets such as communications, aerospace and defense systems, medical, and consumer.
Our powerful development tools and comprehensive global consulting services provide customers with an indisputable first-mover advantage in their respective markets. And our ability to provide the industry's longest-term support has proven invaluable in keeping their offerings profitable, their end-customer satisfied, and their names at the forefront.
Our OS product family provides a best of breed POSIX®-conformant hard real-time OS (LynxOS), an industry-envied DO-178B-certifiable OS for safety-critical environments, and a separation kernel for high-assurance computing environments.
So we address the specific requirements of various markets by providing individual COTS products that are designed and architected to fit each specification, rather than one product that tries to address competing requirements and, not surprisingly, fails. This way, we have evolved our products from the ground up without compromise. The resulting products provide high performance; they are reliable, cost-effective and feature-rich. We combine this with our customer-solutions group to tailor solutions for our customers, and by working with partners that provide complementary products we can put a complete solution together if required.
Our RTOS, LynxOS, is a fully preemptable, reentrant, multi-threaded kernel with advanced features such as priority inheritance, making it ideal for use in complex real-time environments. It uses a UNIX® process model, which is unique in the RTOS world; it is built on open standards and is POSIX-conformant, supporting POSIX, UNIX and Linux system interfaces; it provides individual application and kernel address-space protection, with bounds checks and system-call parameter checks; and it offers RAS (reliability, availability and serviceability) functionality, including board-level failover and hot-swap support for mission-critical applications.
Support of all of these open systems interfaces allows maximum portability of open source, Linux and Solaris applications to be run on the RTOS. Supporting a binary interface for Linux applications that allows Linux applications to be run unmodified on the RTOS is also important.
It also provides multiprocessor and multicore support with SMP. New strides in multicore architecture make this an exciting time to be a developer. Every day, new approaches and strategies come to light that show us new ways to approach the efficient multicore systems that are forming the heart of our next-generation embedded computing solutions.
Our Level A DO-178B-certified safety-critical OS, LynxOS-178, provides hard partitioning of time, memory and resources. LynxOS-178 implements a time-slice scheduling algorithm that gives each partition a fixed execution window within a repeating major frame, so that the system's timing behaviour is deterministic and one partition cannot consume time allocated to another. Additionally, the system allows multiple applications of differing criticality levels to execute in separate partitions, completely isolated, on the same hardware resource. With LynxOS-178, each task runs protected in its own address space within a hard-partitioned virtual machine, enabling easier application certification.
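As an added illustration of fixed-window partition scheduling (this is example code, not LynxOS-178 source; the tick granularity, the four-window table and the partition numbers are assumptions made for the example), the following C models a major frame tiled by static windows and shows that a runaway partition demanding far more CPU than its budget is served exactly its window and nothing more, while an idle window is left unused rather than handed to another partition:

```c
/* Fixed-window partition scheduling in the style of ARINC 653 time
 * partitioning. Added example only: not LynxOS-178 code. The major
 * frame, window table and demands below are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_PARTS 8

struct window {
    int partition;   /* partition that owns this window */
    unsigned start;  /* offset from start of the major frame, in ticks */
    unsigned length; /* budget in ticks */
};

/* A valid schedule tiles the major frame exactly: windows listed in order,
 * starting at 0, non-overlapping, ending at major_frame. Returns 1 if valid. */
int validate_schedule(const struct window *w, int n, unsigned major_frame)
{
    unsigned expect = 0;
    for (int i = 0; i < n; i++) {
        if (w[i].partition < 0 || w[i].partition >= MAX_PARTS) return 0;
        if (w[i].length == 0 || w[i].start != expect) return 0;
        expect += w[i].length;
    }
    return expect == major_frame;
}

/* Partition that owns tick t (t wraps modulo the major frame), -1 if none. */
int partition_at(const struct window *w, int n, unsigned major_frame, unsigned t)
{
    t %= major_frame;
    for (int i = 0; i < n; i++)
        if (t >= w[i].start && t < w[i].start + w[i].length)
            return w[i].partition;
    return -1;
}

/* Run one major frame. demand[p] is how many ticks partition p wants to
 * run; served[p] is how many it actually got. A partition is only ever
 * run inside its own windows, so excess demand is cut off at the window
 * boundary, and a partition that finishes early does not donate its
 * remaining ticks to anyone else. */
void run_frame(const struct window *w, int n, unsigned major_frame,
               const unsigned demand[MAX_PARTS], unsigned served[MAX_PARTS])
{
    unsigned remaining[MAX_PARTS];
    memcpy(remaining, demand, sizeof remaining);
    memset(served, 0, MAX_PARTS * sizeof *served);
    for (unsigned t = 0; t < major_frame; t++) {
        int p = partition_at(w, n, major_frame, t);
        if (p >= 0 && remaining[p] > 0) {
            remaining[p]--;
            served[p]++;
        }
    }
}

/* Constructed 100-tick major frame: partition 0 gets two windows (30 + 20
 * ticks), partition 1 gets 20 ticks, partition 2 gets 30 ticks. */
#define DEMO_FRAME 100u
static const struct window demo_schedule[] = {
    { 0,  0, 30 },
    { 1, 30, 20 },
    { 2, 50, 30 },
    { 0, 80, 20 },
};
#define DEMO_N ((int)(sizeof demo_schedule / sizeof demo_schedule[0]))

/* Overlapping windows: must be rejected by validate_schedule. */
static const struct window overlapping_schedule[] = {
    { 0,  0, 50 },
    { 1, 40, 60 },
};

/* Ticks served to partition p when partition 1 is a runaway asking for
 * 1000 ticks, partition 0 asks for 10 and partition 2 for 20. */
unsigned demo_served(int p)
{
    unsigned demand[MAX_PARTS] = { 10, 1000, 20 };
    unsigned served[MAX_PARTS];
    run_frame(demo_schedule, DEMO_N, DEMO_FRAME, demand, served);
    return served[p];
}

int main(void)
{
    printf("schedule valid: %d\n", validate_schedule(demo_schedule, DEMO_N, DEMO_FRAME));
    for (int p = 0; p < 3; p++)
        printf("partition %d served %u ticks\n", p, demo_served(p));
    return 0;
}
```

Partition 1 asks for 1000 ticks and receives 20; partition 0 asks for 10, receives 10, and its remaining 40 ticks of budget stay idle rather than being given to the runaway. That non-work-conserving behaviour is the point of time partitioning: worst-case response time for every partition can be read off the window table alone.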
We were the first company to release a COTS DO-178B safety-critical certifiable OS, so we have a long pedigree in this field. This partitioned OS product is in use in many applications from commercial airplanes to missiles to the Galileo satellite program.
To address reusability, the FAA has produced Advisory Circular 20-148 for Reusable Software Components (RSC). A DO-178B RSC is a software collection that is recognized as meeting the requirements of RTCA/DO-178B and that may be used on more than one project without regenerating the certification evidence. Such reuse is possible with LynxOS-178 because of its modular architecture: the kernel has no dependencies on the application or on the BSP/CSP, and the three are completely decoupled. LynxOS-178 can still be certified in the traditional manner as well, with the benefit of improved evidence and modularity of design. LynxOS-178 is also available with a certifiable network stack.
The LynxSecure Separation Kernel Hypervisor (SKH) is both a separation kernel and hypervisor. The hypervisor functionality maintains an abstraction layer between the hardware resources of the target system and the hosted operating systems and software. The separation kernel functionality partitions and isolates the software and hardware resources from each other. An operating system, intended to be hosted by the SKH, is referred to as a subject when, and only when, it is combined with specific resources sufficient to allow it to be run by the SKH.
LynxSecure allows multiple subjects to run concurrently on the same hardware while strictly enforcing policies of isolation and information flow control. Flows are directional: the policy can permit information to move from one subject to another without permitting any flow in the reverse direction. This capability is sometimes referred to as a data diode.
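The property worth checking in such a policy is not just that each individual reverse flow is denied, but that no chain of permitted flows through a third subject reconstructs the reverse path. As an added example (not LynxSecure code; the subject names, the allow-matrix representation and the sample policies are assumptions made for the illustration), the following C checks a directional flow policy for exactly that, and reports the first hop of any back-channel it finds:

```c
/* Directional information-flow policy check for a separation-kernel
 * configuration. Added example: not LynxSecure code. Subject names,
 * the allow matrix and both sample policies are constructed here. */
#include <stdio.h>
#include <string.h>

#define MAX_SUBJECTS 8

struct flow_policy {
    int n;
    /* allow[a][b] == 1 means subject a may send to subject b */
    unsigned char allow[MAX_SUBJECTS][MAX_SUBJECTS];
};

void policy_init(struct flow_policy *p, int n)
{
    memset(p, 0, sizeof *p);
    p->n = n;
}

void policy_allow(struct flow_policy *p, int from, int to)
{
    p->allow[from][to] = 1;
}

/* The per-transfer check a kernel would make: direct flows only. */
int flow_permitted(const struct flow_policy *p, int from, int to)
{
    if (from < 0 || to < 0 || from >= p->n || to >= p->n) return 0;
    return from == to || p->allow[from][to];
}

/* Transitive closure (Warshall): reach[a][b] == 1 if information can get
 * from a to b through any chain of permitted flows. */
static void closure(const struct flow_policy *p,
                    unsigned char reach[MAX_SUBJECTS][MAX_SUBJECTS])
{
    memcpy(reach, p->allow, sizeof p->allow);
    for (int k = 0; k < p->n; k++)
        for (int i = 0; i < p->n; i++)
            for (int j = 0; j < p->n; j++)
                if (reach[i][k] && reach[k][j]) reach[i][j] = 1;
}

/* One-way (data diode) from src to dst: src can reach dst, and nothing
 * dst sends can ever get back to src, directly or via intermediaries. */
int is_one_way(const struct flow_policy *p, int src, int dst)
{
    unsigned char reach[MAX_SUBJECTS][MAX_SUBJECTS];
    closure(p, reach);
    return reach[src][dst] && !reach[dst][src];
}

/* First hop of a path leading from dst back to src, or -1 if none exists. */
int backchannel_via(const struct flow_policy *p, int src, int dst)
{
    unsigned char reach[MAX_SUBJECTS][MAX_SUBJECTS];
    closure(p, reach);
    if (p->allow[dst][src]) return src;
    for (int k = 0; k < p->n; k++)
        if (k != src && k != dst && p->allow[dst][k] && reach[k][src]) return k;
    return -1;
}

/* Constructed scenario: a high-side OS feeds a guard, the guard feeds a
 * low-side OS, and both high and low write to an audit subject. With
 * leaky == 1 the audit subject is additionally allowed to send to high. */
enum { SUBJ_HIGH, SUBJ_GUARD, SUBJ_LOW, SUBJ_AUDIT, SUBJ_COUNT };

void build_demo_policy(struct flow_policy *p, int leaky)
{
    policy_init(p, SUBJ_COUNT);
    policy_allow(p, SUBJ_HIGH, SUBJ_GUARD);
    policy_allow(p, SUBJ_GUARD, SUBJ_LOW);
    policy_allow(p, SUBJ_HIGH, SUBJ_AUDIT);
    policy_allow(p, SUBJ_LOW, SUBJ_AUDIT);
    if (leaky) policy_allow(p, SUBJ_AUDIT, SUBJ_HIGH); /* looks harmless on its own */
}

int demo_is_one_way(int leaky)
{
    struct flow_policy p;
    build_demo_policy(&p, leaky);
    return is_one_way(&p, SUBJ_HIGH, SUBJ_LOW);
}

int demo_backchannel(int leaky)
{
    struct flow_policy p;
    build_demo_policy(&p, leaky);
    return backchannel_via(&p, SUBJ_HIGH, SUBJ_LOW);
}

int main(void)
{
    printf("clean policy one-way high->low: %d (backchannel via %d)\n",
           demo_is_one_way(0), demo_backchannel(0));
    printf("leaky policy one-way high->low: %d (backchannel via %d)\n",
           demo_is_one_way(1), demo_backchannel(1));
    return 0;
}
```

In the clean policy low can never reach high, so the high-to-low path is a genuine diode. Adding the single flow audit-to-high, which no pairwise review of high and low would flag, lets low reach high through audit, and the check names audit as the first hop of the back-channel. The same closure can be run over a generated configuration before it is deployed.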
LynxSecure addresses several key issues facing system integrators: limited power, space and weight budgets; system security; time and space separation; performance; reliability; and certifiability. LynxSecure is an ideal foundation for building secure applications, including cross-domain systems and MILS and MLS applications.
The LynxSecure SKH is implemented as a type-1, or bare-metal, hypervisor. A type-1 hypervisor does not require a host OS and allows LynxSecure to have complete control over all guest OSes running within the separate VMs. Custom device drivers are not needed as LynxSecure enables guest OSes to access hardware in the exact manner as if they were running stand-alone, enforcing only preconfigured access control policies.
Many virtualization technologies operate at a significant cost to performance. LynxSecure provides mechanisms to minimize the performance impact. By reducing the number of hardware systems required, LynxSecure can reduce the number of potential points of failure. Some of the resources saved by consolidating hardware could be devoted to redundant systems thereby increasing reliability. LynxSecure supports both para-virtualized and fully virtualized subjects. Para-virtualization is the modification of a given subject to run on LynxSecure.
LynxSecure supports Symmetric Multi Processing (SMP), and runs as a multicore Separation Kernel Hypervisor. The cores utilized by LynxSecure are configurable via XML. Subjects can be configured via XML to have direct access to a given set of devices and host controllers.
LynxSecure also supports layered configuration. The layered configuration tool allows the configuration to be broken into a two-level process. This is useful for situations where the same hardware configuration will be used by different installations and the difference is how many subjects of a given type are needed and what devices are assigned to each subject.
As was stated earlier, we offer a best-in-class set of RTOS, separation kernel/hypervisor addressing the embedded and enterprise markets. Expansion of the market to include safety-critical, security, and enterprise has certainly increased opportunities for us. We are working with key partners to provide complete solutions and, where it makes sense and enough synergy exists, we will also look to acquire technologies. An example solution that we have with a partner company is our secure thin-client solution provided with our German partner secunet.
This collaborative high-security product is a complete solution centering around a multi-level secure thin-client workstation running secunet security technology running atop LynxSecure and also featuring back-end infrastructure and configuration management components. This solution can be used by government agencies and Department of Defense (DoD) programs requiring secure separation of multiple networks on a single workstation or any enterprise organization with highly sensitive information that needs isolation from malicious computing environments.
The SINA Multi-level Workstation (MLW) is a multi-domain thin-client access solution running on a standard off-the-shelf laptop. It offers unprecedented security on a low-cost platform, providing access to multiple security domains from a single-user workstation over a single network infrastructure.
The SINA MLW takes full advantage of the separation-kernel security benefits offered by LynxSecure that provides a foundation to host a minimal component-based architecture with formally verified security components. The SINA MLW features multiple isolated bare-metal cryptographic engines for each security domain to maintain the confidentiality, integrity and authenticity of information processed in each security domain. The SINA crypto engines utilize LynxSecure's platform resource control capabilities to mitigate some of the most advanced threats posed on today's multi-level solutions running on shared computing resources, such as crypto side-channel attacks and covert user data spill channels.
We anticipate that the demand for our products will keep growing. The coming together of safety and security will mean that separation kernels/secure hypervisors will be evermore in demand. Safety and certification will be required in more and more applications. Cyber security is still in its embryonic state; and as the risks in this area are highlighted more, products like LynxSecure will play an important part in countering the threats. Governments are already working on infrastructures deploying this type of technology. Businesses and manufacturers have also recognized the risks and have started planning. There is a whole host of tools now available and a vast pool of knowledge concentrated to address the threats. We at LynuxWorks plan to be a big player in this space and capitalize on our experiences and successes in this market. There could be future key partnerships and possible acquisitions to respond to market demand, but what is certain is that it is an expanding market with enormous opportunities.