RTOS, secure virtualization technology for real-time systems, DO-178B and hypervisor for the most demanding embedded operating system applications...

Coming Together of Safety and (Cyber) Security Changes Demands in RTOS Market an RTOS security white paper

The coming together of safety and security is a major technical trend in the RTOS market, as outlined in this white paper by Hamid Mirab, Managing Director EMEA, LynuxWorks. It will mean that separation kernels/secure hypervisors will be evermore in demand. Safety and certification will be required in more and more applications. Cyber security is still in its embryonic state; governments are already working on infrastructures deploying this type of technology. Businesses and manufacturers have also recognized the risks and have started planning.

Q: Mr. Mirab, what are your opinions regarding the major trends for the RTOS market?

Hamid Mirab, Managing Director EMEA, LynuxWorks

Traditionally, the emphasis was to have an RTOS with very fast context switching. Most of these were home-grown; and gradually the manufacturers realised it would pay to deploy COTS products, since they could concentrate on their own core competences. Then with the introduction of embedded Linux®, there was a period that a lot of companies embraced this, to benefit from a number of advantages it offered. One of these advantages is the fact that there are a large number of applications readily available for Linux.

The market however demanded robustness and stability, providing a high-performance platform for embedded real-time applications. RTOSes that used open standards and provided support of open systems interfaces allowed maximum portability of open-source, Linux and Solaris™ applications to be run on the RTOS; and as a result managed to achieve best of both worlds.

The market seems to be favouring COTS products that offer real-time determinism with openness—the growth in the market share for this type of product is an endorsement of the fact that it addresses the demands.

Another area of growth is the use of multicore processors to address the SWaP (Size, Weight and Power) issue faced by a number of embedded vertical markets. And we are seeing multicore processing is having a tremendous impact on the development of embedded systems. While previous multiprocessing solutions involved two or more physical chips, which doubled or more the amount of board space consumed, the introduction of multiple processing cores in a single chip allows operating systems and applications to leverage increased computing power, and has provided access to additional computing resources without noticeably increasing the size or weight of the system. However these advantages come with certain obstacles in the form of additional considerations that must be taken into account during the design process.

In multicore computing, the functions performed by the operating system become layered and more complex. The operating system design must be capable of handling the complex concurrency issues that arise with multicore architectures.

Some of the generic areas of OS design that are affected by the presence of multiple cores are initialization, interrupt handling, scheduling and locking. However, in the context of a real-time operating system, other key factors such as priority scheduling, determinism and interrupt latency should be preserved in multicore architectures. Safety-critical applications are gaining momentum. These are ARINC 653/DO-178B, time- and space-partitioned RTOSes which guarantee the separation between partitions running different applications. This partitioning is subject to extensive testing and proof requirements as part of the certification process.

Certification is an expensive business, in terms of the process you must follow, the evidence you must generate, and the examination of the certification claim by the certification authority. Companies cannot afford to make mistakes that get discovered late in the development cycle or, even worse, during certification. It can cost huge amounts to correct even a single certification mistake so there is a big emphasis on getting it right the first time, or at least catching mistakes early.

In general terms, the parts of the software industry concerned with safety are facing big challenges to make the process of certification (to any standard) more repeatable, more efficient, and more cost-effective. The general software industry has been working on software reuse and modularity for many years but these concepts only touched the surface of the DO-178B industry. For good reason, a lot of software was re-written each time—just to be sure it was OK. Even though most people don't do that now, there are still concerns over what can be used because you have to prove it is safe. Most companies design their software to be modular and will reuse it now, but that reuse hasn't been able to be extended to software certification.

In addition to safety, there seems to be an increased demand in the market to provide security—this could vary from SCADA systems to endpoint security. In security-critical applications, it can be vital that one component be prevented from accessing the resources of another component. Separate computers can provide perfect isolation, at the expense of space, weight, money, power, complexity and flexibility.

Q: What are the key strategies adopted by your company in the short/medium period to (better) address the needs of the market?

LynuxWorks, is a pioneer and a proven leader in the embedded-systems industry with more than 21 years experience. Our mission is to provide open-standards-based embedded software products offering the highest performance, reliability, safety and security to developers of embedded applications.

Our embedded operating systems are based on open standards, and are used over and over in important products made for markets such as communications, aerospace and defense systems, medical, and consumer.

Our powerful development tools and comprehensive global consulting services provide customers with an indisputable first-mover advantage in their respective markets. And our ability to provide the industry's longest-term support has proven invaluable in keeping their offerings profitable, their end-customer satisfied, and their names at the forefront.

Our OS product family provides a best of breed POSIX®-conformant hard real-time OS (LynxOS), an industry-envied DO-178B-certifiable OS for safety-critical environments, and a separation kernel for high-assurance computing environments.

So we address specific requirements in various markets, by providing individual COTS products that are designed and architected to fit the specification, in contrast to providing one product that tried to address competing requirements and, not surprisingly, fails. This way, we have evolved our products from ground up without compromise. The resulting products provide high performance, they are reliable, cost-effective, and feature-rich. We combine this with our customer-solutions group to tailor solutions for our customers. Also working with partners that provide complementary products, we can put a complete solution together if required.

Our RTOS, LynxOS is a fully preemptable, reentrant, multi-threaded kernel, with advanced features like priority inheritance ideal for use in complex real-time environments. Utilizing a UNIX® process model which is unique in the RTOS world; open standards; POSIX-conformant, supporting POSIX, UNIX and Linux system interfaces; individual application and kernel-address space protection; Crucial bounds and system-call parameter checks; RAS (reliability, availability, and serviceability) functionality including: board-level failover and hot-swappable support for mission critical applications.

Support of all of these open systems interfaces allows maximum portability of open source, Linux and Solaris applications to be run on the RTOS. Supporting a binary interface for Linux applications that allows Linux applications to be run unmodified on the RTOS is also important.

It also provides multiprocessor and multicore support with SMP. New strides in multicore architecture make this an exciting time to be a developer. Every day, new approaches and strategies come to light that show us new ways to approach the efficient multicore systems that are forming the heart of our next-generation embedded computing solutions.

Our level A DO-178B-certified safety-critical OS, LynxOS-178, provides hard partitioning of time, memory, and resources—LynxOS-178 implements a time-slice scheduling algorithm that gives each partition fixed execution time so that the system can be deterministically safe. Additionally, the system allows multiple applications of differing criticality levels within partitions to execute, completely isolated, on the same hardware resource. With LynxOS-178, each task runs protected in its own space for uncompromising reliability within a hard partitioned virtual machine, enabling easier application certification.

We were the first company to release a COTS DO-178B safety-critical certifiable OS, so we have a long pedigree in this field. This partitioned OS product is in use in many applications from commercial airplanes to missiles to the Galileo satellite program.

To address reusability, the FAA has produced Advisory Circular 20-148 for Reusable Software Components (RSC). DO-178B RSC is a software collection that is recognized as meeting the requirements of RTCA/DO-178B and that may be used on more than one project without having to regenerate certification. The above is possible due to the modular architecture of LynxOS-178. There are no dependencies of kernel on the application or the BSP/CSP—and they are completely decoupled. LynxOS-178 can still be certified in the traditional manner as well, with the benefit of improved evidence and modularity of design. LynxOS-178 is also available with a certifiable network stack.

The LynxSecure Separation Kernel Hypervisor (SKH) is both a separation kernel and hypervisor. The hypervisor functionality maintains an abstraction layer between the hardware resources of the target system and the hosted operating systems and software. The separation kernel functionality partitions and isolates the software and hardware resources from each other. An operating system, intended to be hosted by the SKH, is referred to as a subject when, and only when, it is combined with specific resources sufficient to allow it to be run by the SKH.

LynxSecure allows multiple subjects to run concurrently on the same hardware, while strictly enforcing policies of isolation and information flow control. It enforces directional information flows. This capability is sometimes referred to as a data diode.

LynxSecure addresses several key issues facing system integrators: limited power, space, and weight budgets, system security time and space separation, performance, reliability and certifiability. LynxSecure is an ideal foundation for building secure applications, including cross-domain systems, MILS and MLS applications.

The LynxSecure SKH is implemented as a type-1, or bare-metal, hypervisor. A type-1 hypervisor does not require a host OS and allows LynxSecure to have complete control over all guest OSes running within the separate VMs. Custom device drivers are not needed as LynxSecure enables guest OSes to access hardware in the exact manner as if they were running stand-alone, enforcing only preconfigured access control policies.

Many virtualization technologies operate at a significant cost to performance. LynxSecure provides mechanisms to minimize the performance impact. By reducing the number of hardware systems required, LynxSecure can reduce the number of potential points of failure. Some of the resources saved by consolidating hardware could be devoted to redundant systems thereby increasing reliability. LynxSecure supports both para-virtualized and fully virtualized subjects. Para-virtualization is the modification of a given subject to run on LynxSecure.

LynxSecure supports Symmetric Multi Processing (SMP), and runs as a multicore Separation Kernel Hypervisor. The cores utilized by LynxSecure are configurable via XML. Subjects can be configured via XML to have direct access to a given set of devices and host controllers.

LynxSecure also supports layered configuration. The layered configuration tool allows the configuration to be broken into a two-level process. This is useful for situations where the same hardware configuration will be used by different installations and the difference is how many subjects of a given type are needed and what devices are assigned to each subject.

Q: What are you doing in order to implement your strategies?

As was stated earlier, we offer a best-in-class set of RTOS, separation kernel/hypervisor addressing the embedded and enterprise markets. Expansion of the market to include safety-critical, security, and enterprise has certainly increased opportunities for us. We are working with key partners to provide complete solutions and, where it makes sense and enough synergy exists, we will also look to acquire technologies. An example solution that we have with a partner company is our secure thin-client solution provided with our German partner secunet.

This collaborative high-security product is a complete solution centering around a multi-level secure thin-client workstation running secunet security technology running atop LynxSecure and also featuring back-end infrastructure and configuration management components. This solution can be used by government agencies and Department of Defense (DoD) programs requiring secure separation of multiple networks on a single workstation or any enterprise organization with highly sensitive information that needs isolation from malicious computing environments.

The SINA Multi-level Workstation (MLW) is a multi-domain thin-client access solution running on a standard off-the-shelf laptop. It offers unprecedented security on a low-cost platform, providing access to multiple security domains from a single-user workstation over a single network infrastructure.

The SINA MLW takes full advantage of the separation-kernel security benefits offered by LynxSecure that provides a foundation to host a minimal component-based architecture with formally verified security components. The SINA MLW features multiple isolated bare-metal cryptographic engines for each security domain to maintain the confidentiality, integrity and authenticity of information processed in each security domain. The SINA crypto engines utilize LynxSecure's platform resource control capabilities to mitigate some of the most advanced threats posed on today's multi-level solutions running on shared computing resources, such as crypto side-channel attacks and covert user data spill channels.

Q: And in the middle/long term (if you have a crystal ball!)?

We anticipate that the demand for our products will keep growing. The coming together of safety and security will mean that separation kernels/secure hypervisors will be evermore in demand. Safety and certification will be required in more and more applications. Cyber security is still in its embryonic state; and as the risks in this area are highlighted more, products like LynxSecure will play an important part in countering the threats. Governments are already working on infrastructures deploying this type of technology. Businesses and manufacturers have also recognized the risks and have started planning. There is a whole host of tools now available and a vast pool of knowledge concentrated to address the threats. We at LynuxWorks plan to be a big player in this space and capitalize on our experiences and successes in this market. There could be future key partnerships and possible acquisitions to respond to market demand, but what is certain is that it is an expanding market with enormous opportunities.

A LynuxWorks embedded OS is featured in this embedded system application:
Who else uses a LynuxWorks embedded operating system?
Security white papers
Separation Kernels Enable Rapid Development of Trustworthy Systems
By using separation kernel technology and a security abstraction design approach, military system developers can use off-the-shelf components and tools to rapidly build and maintain high security systems. (March 2014)
Coming Together of Safety and (Cyber) Security Changes Demands in RTOS Market
Separation kernels and secure hypervisors will be evermore in demand as safety and certification will be required in more and more applications. Governments are already working on infrastructures deploying this type of technology. (October 2012)
Building in RTOS Support for Safety- & Security-Critical Systems
LynuxWorks explains the differences between safety-critical and security-critical applications and how to meet their demanding requirements with the LynxOS-178 RTOS and the LynxSecure hypervisor. (EE Times Design, August 2011)
Enhancing Application Performance on Multicore Systems
Tips on optimizing a multicore real-time system, including virtualization, avoiding synchronization and concurrency while maximizing application parallelism. (Military Embedded Systems, February 2011)
Hardware Virtualization puts a new spin on Secure Systems
Real-time determinism and military security don't have to be separate realities. A combination of a secure separation kernel and an embedded hypervisor enables whole new levels of system security. (COTS Journal, October 2010)
Using a Separation Kernel to add Military-Grade Security to Legacy Systems
A challenge for the software designer is how to integrate modern military-grade software programs into legacy software designed long before security standards were predominant in system requirements. (VME Critical Systems, Summer 2010)
Virtualization: Keeping Embedded Software safe and Secure in an Unsafe World
A new, secure methodology is needed to separate systems of different security levels which run on shared resources—without compromising the performance of legacy systems. (EE Times, June 2010)
Secure Virtualization Combines Traditional Desktop OSs and Embedded RTOSes in Military Embedded Systems
Advances in software and hardware technologies now make it feasible to use both embedded and desktop operating systems in a secure military system. (Military Embedded Systems, May 2010)
DO-178B Provides Certification Safety net
Developers of commercial avionics software must demonstrate compliance with DO-178 guidelines. The FAA has issued additional guidance for so-called DO-178B Reusable Software Components (RSCs as defined in AC20-148), which allow for reuse of certifications. (COTS Journal, November 2009)
Designing Safety-critical Avionics Software Using open Standards
Safety-critical avionics systems have continually grown more complex and software-intensive. Regulatory authorities and avionics manufacturers have responded with guidance such as DO-178B and RSC to ensure that software performs safely, with controlled development cost. (Boards and Solutions, September 2009)
Two Different Realms: RTOS Support for Safety-critical vs. Security-critical Systems
Safety- and security-critical system functions are evolving simultaneously, with different yet similar requirements. Modern RTOSes are stepping up to meet these needs. (VME and Critical Systems, June 2009)
Virtualization Makes Better use of Open-source OSes and apps
With the introduction of the embedded hypervisor, embedded systems can avoid certain performance or licensing issues inherent to open-source OSes and applications. (EE Times, March 23, 2009)
Secure Virtualization Technology can Extend the life of Legacy Systems
By combining the concept of virtualization and security, one can consolidate multiple legacy systems running on heterogeneous operating systems onto a single host system with high-assurance security. (Military Embedded Systems, January/February 2009)
Virtual Machines: Intel's CPU Extensions Transform Virtualization
Virtualization has traditionally presented its share of design challenges in information-assurance-based systems. But now, Intel's VT-x and VT-d CPU extensions are changing the game and showing potential to become the de facto path to virtualization. (Military Embedded Systems, January 2009)
Separation Kernel for a Secure Real-time Operating System
The technical foundation adopted for the so-called MILS architecture is a separation kernel like LynxSecure, which permits multiple functions to be realised on a common set of physical resources without unwanted mutual interference. (Boards and Solutions Magazine, February 2008)
Advances in Virtualization aid Information Assurance
Advances in the newest Intel® processors are making virtualization much easier to implement in security applications than ever before. (Embedded Computing Design, January 2008)
Protecting our most Vital Systems
Some significant defence programmes are already committed to a new approach to high-threat, high-asset-value systems. Rance DeLong explains MILS. (Components in Electronics, April 2007)
Perspectives: Security and the Separation Kernel
Today's avionics systems are designed to support more than one application, using a partitioned operating system and memory management units to ensure applications have adequate separation. (Avionics Magazine, April 2007)
MILS: An Architecture for Security, Safety, and Real Time
The unrelenting growth and integration of embedded controls, information processing, and communications has created a need for systems that provide robust protection for resources and services in the face of serious threats. (Embedded Technology Magazine, November 2006)
Partitioning Operating Systems Versus Process-based Operating Systems
Partitioning operating systems are the latest buzz, while processes, by contrast, have been around for over 30 years. Both provide memory protection, however, the intent behind them is very different.
DO-178B and the Common Criteria: Future Security Levels
Although there are similarities between the airborne safety-critical requirements in RTCA/DO-178B and the Common Criteria, ISO 14508, compliance with the higher levels of security in the Common Criteria demands meeting additional security requirements. (COTS Journal, April 2006)
Reusing Safety-Critical Software Components
Safety-critical systems often operate together as a single "system-of-systems," making it important that they meet the most stringent and rigorous requirements for safety-criticality. The failure of one module in a system could create other failures or vulnerabilities, or worse yet, failure of the system as a whole. (COTS Journal, August 2005)
Using the Microprocessor MMU for Software Protection in Real-Time Systems
With minimal impact to overall system performance, user tasks and the kernel can be protected from accidental corruption by using multiple protected address spaces.
Improving code Migration and Reuse
The unrelenting growth and integration of embedded controls, information processing, and communications has created a need for systems that provide robust protection for resources and services in the face of serious threats. (Embedded Computing Design, August 2006)
FCS Program Rolls Forward in Formation
A wireless data network, with advanced communications and technologies, links soldiers with 18 new, lightweight manned and unmanned ground vehicles, unmanned aircraft, sensors and weapons—and it's all in one program. (COTS Journal, June 2005)
Secure Operating Systems for Deeply Embedded Devices
As we add more intelligence to our embedded devices, we find that they are becoming increasingly integrated into our information technology infrastructure. Though system security is not a new concept, security-in-depth is a new paradigm developers are now starting to address. (RTC Magazine, September 2004)
LynxSecure Separation Kernel and Embedded Hypervisor LynxOS-SE Embedded RTOS Luminosity Eclipse-based IDE
LynxOS Embedded RTOS RTOS: LynxOS-178 for software certification


SpyKer Embedded-System Trace Tool

Industry Solutions


Industry Standards

Embedded Systems Technology

RTOS Training for Embedded Systems

Training at LynuxWorks

LynuxWorks Support

Embedded Systems

LynxOS RTOS Support

Embedded System Consulting

Contact Us

About LynuxWorks

Press Room

Newsletter and Announcements



Site Map

Board Support Packages (BSPs)

BSP Device Drivers

BSP Targets by Operating System

BSP Targets by Form Factor

Third-party I/O Devices and Hardware

SynergyWorks: LynuxWorks partners

What is SynergyWorks?

Third-party add-ons for LynuxWorks operating systems

Copyright © LynuxWorks™, Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of LynuxWorks is prohibited.