
LynxSecure Embedded Hypervisor and Separation Kernel
Operating-system virtualization and embedded virtual machines for real-time systems



LynxSecure provides a multicore foundation for adding security to legacy systems and for securely reusing legacy Windows® and Linux® applications alongside real-time systems.
As the only secure hypervisor that uses hardware-virtualization technology (VT) and supports multiple cores, LynxSecure is the undisputed performance leader for secure embedded and desktop systems.

With the introduction of the new LynxSecure 3.0 separation kernel and embedded hypervisor, LynuxWorks™ once again raises the bar when it comes to superior embedded software security and safety. This new release adds full virtualization capabilities to allow unmodified guest OSes to run on LynxSecure.

Virtualization of guest operating systems

The built-in embedded hypervisor and virtualization technology allows guest operating systems (and their applications) to run on top of LynxSecure, in effect allowing multiple dissimilar operating systems to share a single physical hardware platform. Virtualization technology allows for significant cost savings through hardware consolidation, while retaining the ability to leverage the ecosystem of applications that belong to different operating system domains into a single system.

To achieve virtualization, LynxSecure uses a hypervisor to create a virtualization layer that maps physical system resources to each guest operating system. Each guest operating system is assigned certain dedicated resources, such as memory, CPU time and I/O peripherals. "Co-operative virtualization" (para-virtualization) provides superior performance for the guest operating systems—such as Linux®, LynxOS®-SE and LynxOS-178. Full virtualization allows unmodified operating systems like Windows® to run next to para-virtualized ones.

100% application binary-compatibility with the non-virtualized instance of the operating system is preserved. LynxSecure isolates each virtual instance by providing hardware protection to every partition with its own virtual addressing space. In addition, it guarantees resource availability, such as memory and processor-execution resources, to each partition, so that no software can fully consume the scheduled memory or time resources of other partitions. LynxSecure supports simultaneous use of system interfaces, including multiple instances of the same or different operating systems in different partitions.

Highest standards for safety- and security-critical applications

The military and avionics industries rigidly mandate high security for safety-critical software environments, operating systems and development tools. Meanwhile, military networks increasingly need to interface with the civilian IT infrastructure, exposing them to program bugs, design flaws and other vulnerabilities.


LynxSecure addresses this issue on all fronts by providing a robust environment within which multiple secure and non-secure operating systems can perform simultaneously—with no compromise of security, reliability or data.

The LynxSecure separation kernel is a robust virtual machine monitor that has been designed to be certifiable to:

MILS architecture conformance for building secure systems

LynxSecure conforms to the Multiple Independent Levels of Security/Safety (MILS) architecture, with strict adherence to data isolation, damage limitation and information flow policies identified in this architecture. Unlike a traditional security kernel that performs all trusted functions for a secure operating system, a separation kernel's primary security function is to partition data and resources of a system and to control information flow between partitions.

Partitions and information-flow policies are defined by the kernel's configuration. This provides a robust foundation for the creation of multi-level secure systems.

Flexible scheduling policy

LynxSecure's fixed-cyclic ARINC 653-based scheduler manages CPU time to prevent starvation in any partition. LynxSecure also allows dynamic scheduling policies to maintain maximum flexibility in developing diverse secure applications using OS virtualization.
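To make the separation-kernel model described above concrete (partitions and information-flow policies fixed by configuration, and a fixed-cyclic schedule that prevents starvation), here is an added illustration constructed for this page; it is not LynxSecure code, and the partition names, budgets and the `SeparationConfig`/`run_frames` helpers are assumptions.

```python
# Added illustration (not LynxSecure code): a toy model of a separation kernel's
# static configuration, i.e. partitions with dedicated budgets, an explicit
# default-deny information-flow policy, and a fixed-cyclic major frame.
from dataclasses import dataclass


@dataclass(frozen=True)
class Partition:
    name: str
    memory_kib: int   # dedicated memory budget, never shared with other partitions
    window_ms: int    # CPU window this partition receives in every major frame


@dataclass
class SeparationConfig:
    partitions: dict          # name -> Partition
    flows: set                # allowed (src, dst) pairs; everything else is denied

    def may_flow(self, src: str, dst: str) -> bool:
        return (src, dst) in self.flows

    def deliver(self, src: str, dst: str, msg: bytes, audit: list) -> bool:
        """Route one inter-partition message; denied flows are dropped and logged."""
        allowed = self.may_flow(src, dst)
        audit.append(f"{'ALLOW' if allowed else 'DENY'} {src}->{dst} {len(msg)}B")
        return allowed


def run_frames(cfg: SeparationConfig, order: list, frames: int, hog: str) -> dict:
    """Simulate fixed-cyclic scheduling. Partition `hog` keeps demanding CPU,
    but the kernel preempts it at its window boundary, so the others still
    receive their full configured windows (no starvation)."""
    cpu_ms = {p: 0 for p in cfg.partitions}
    for _ in range(frames):
        for p in order:                       # same order every major frame
            window = cfg.partitions[p].window_ms
            demanded = window * 10 if p == hog else window
            cpu_ms[p] += min(demanded, window)  # hard cap at the window
    return cpu_ms


# Constructed configuration: the low side may talk only to the guard, the guard
# only to the high side; there is no direct or reverse path between levels.
CONFIG = SeparationConfig(
    partitions={
        "unclassified": Partition("unclassified", 4096, 10),
        "guard": Partition("guard", 512, 5),
        "classified": Partition("classified", 4096, 10),
    },
    flows={("unclassified", "guard"), ("guard", "classified")},
)
```

Flows absent from the configuration are denied without any per-message decision logic in the partitions themselves, which is the point of putting the policy in the kernel configuration rather than in a trusted guest.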

Highly scalable technology

LynxSecure provides a scalable solution ranging from deeply embedded systems to high-end workstations and servers for the design of applications in embedded avionics products, weapons systems, C4ISR data systems as well as critical infrastructure control systems.

The LynxSecure separation kernel provides the essential components for a complete scalable, multithreaded and secure architecture:

  • multithreaded small-footprint run-time environment for secure application development
  • multiprocess, multithreaded environment through virtualized Red Hat®, Linux, LynxOS or LynxOS-SE real-time operating systems
  • symmetric multiprocessing (SMP) for optimal resource utilization and load balancing
  • Microsoft® Windows® support in full virtualization mode
  • high-end scalability and memory support through 64-bit execution mode and addressing capabilities

Support for open standards

Like all LynuxWorks operating systems, LynxSecure is based on open standards. LynxSecure provides a seamless migration path for LynuxWorks customers whose Linux- and POSIX®-based applications can now run on virtualized Red Hat Linux, BlueCat Linux and LynxOS family environments within LynxSecure partitions.

Security

DO-178B Provides Certification Safety Net
Developers of commercial avionics software must demonstrate compliance with DO-178 guidelines. The FAA has issued additional guidance for so-called DO-178B Reusable Software Components (RSCs as defined in AC20-148), which allow for reuse of certifications. (COTS Journal, November 2009)
Designing Safety-Critical Avionics Software Using Open Standards
Safety-critical avionics systems have continually grown more complex and software-intensive. Regulatory authorities and avionics manufacturers have responded with guidance such as DO-178B and RSC to ensure that software performs safely, with controlled development cost. (Boards and Solutions, September 2009)
Two Different Realms: RTOS Support for Safety-critical vs. Security-critical Systems
Safety- and security-critical system functions are evolving simultaneously, with different yet similar requirements. Modern RTOSes are stepping up to meet these needs. (VME and Critical Systems, June 2009)
Virtualization Makes Better Use of Open-Source OSes and Apps
With the introduction of the embedded hypervisor, embedded systems can avoid certain performance or licensing issues inherent to open-source OSes and applications. (EE Times, March 23, 2009)
Secure Virtualization Technology Can Extend the Life of Legacy Systems
By combining the concept of virtualization and security, one can consolidate multiple legacy systems running on heterogeneous operating systems onto a single host system with high-assurance security. (Military Embedded Systems, January/February 2009)
Separation Kernel for a Secure Real-time Operating System
The technical foundation adopted for the so-called MILS architecture is a separation kernel like LynxSecure, which permits multiple functions to be realised on a common set of physical resources without unwanted mutual interference. (Boards and Solutions Magazine, February 2008)
Advances in Virtualization Aid Information Assurance
Advances in the newest Intel® processors are making virtualization much easier to implement in security applications than ever before. (Embedded Computing Design, January 2008)
Protecting Our Most Vital Systems
Some significant defence programmes are already committed to a new approach to high-threat, high-asset-value systems. Rance DeLong explains MILS. (Components in Electronics, April 2007)
Perspectives: Security and the Separation Kernel
Today's avionics systems are designed to support more than one application, using a partitioned operating system and memory management units to ensure applications have adequate separation. (Avionics Magazine, April 2007)
MILS: An Architecture for Security, Safety, and Real Time
The unrelenting growth and integration of embedded controls, information processing, and communications has created a need for systems that provide robust protection for resources and services in the face of serious threats. (Air Force Research Laboratory Technology Horizons, November 2006)
Partitioning Operating Systems Versus Process-based Operating Systems
Partitioning operating systems are the latest buzz, while processes, by contrast, have been around for over 30 years. Both provide memory protection, however, the intent behind them is very different.
DO-178B and the Common Criteria: Future Security Levels
Although there are similarities between the airborne safety-critical requirements in RTCA/DO-178B and the Common Criteria, ISO 14508, compliance with the higher levels of security in the Common Criteria demands meeting additional security requirements. (COTS Journal, April 2006)
Reusing Safety-Critical Software Components
Safety-critical systems often operate together as a single "system-of-systems," making it important that they meet the most stringent and rigorous requirements for safety-criticality. The failure of one module in a system could create other failures or vulnerabilities, or worse yet, failure of the system as a whole. (COTS Journal, August 2005)
Using the Microprocessor MMU for Software Protection in Real-Time Systems
With minimal impact to overall system performance, user tasks and the kernel can be protected from accidental corruption by using multiple protected address spaces.
Improving Code Migration and Reuse
(Embedded Computing Design, August 2006)
LynuxWorks: A Case Study in Combat-Ready Linux
As open source, especially Linux, makes its way into nearly every sector of the economy, one of the final frontiers is the military and aerospace market, where new applications must clear hurdles such as the FAA's rigorous DO-178B certification for aviation software. (Newsforge, December 2005)
FCS Program Rolls Forward in Formation
A wireless data network, with advanced communications and technologies, links soldiers with 18 new, lightweight manned and unmanned ground vehicles, unmanned aircraft, sensors and weapons—and it's all in one program. (COTS Journal, June 2005)
Embedded Tools Train an Eye on Security
As embedded designers incorporate more security and safety needs into devices, embedded tools will have to evolve to provide capabilities needed both for product development and process management. (EE Times, September 2004)
Secure Operating Systems for Deeply Embedded Devices
As we add more intelligence to our embedded devices, we find that they are becoming increasingly integrated into our information technology infrastructure. Though system security is not a new concept, security-in-depth is a new paradigm developers are now starting to address. (RTC Magazine, September 2004)

LynxSecure advantages

  • Optimal security and safety—the only operating system designed to support both CC EAL-7 and DO-178B level A
  • Real time—time-space partitioned RTOS for superior determinism and performance
  • Hypervisor and virtualization technology—supports multiple heterogeneous operating system environments, both para-virtualized and fully virtualized, on the same physical hardware, including Intel® VT
  • Highly scalable—supports Symmetric MultiProcessing (SMP) and 64-bit addressing for high-end scalability
  • Support for open standards—100% binary compatibility lets Linux- or POSIX-based software applications migrate to a highly robust, secure environment
  • Faster time to market—enables developers to begin early development for secure applications