Using a Separation Kernel to add Military-Grade Security to Legacy SystemsVirtualization for secure systems

ORIGINALLY PUBLISHED IN VME CRITICAL SYSTEMS, SUMMER 2010
Author: Stuart Fisher, LynuxWorks, Inc.

Security is fast becoming a prerequisite in today's software systems and nowhere more so than when dealing with software reuse. A challenge for the software designer is how to integrate modern military-grade software programs into legacy software designed long before security standards were predominant in system requirements. The panacea: virtualization and particularly the secure separation kernel.

Traditional, non-networked computers are secure from others in the system because of the physical separation that exists between them (Figure 1). Sometimes physical barriers are put in place to prevent unwanted user access in terms of a lock-and-key approach.

Figure 1: Security enforced by physical separation

Many modern software systems are designed with such tight project time restrictions that redesigning existing software from scratch is almost impossible. To limit engineering costs and to meet project schedules, it is common practice to see a significant amount of software reuse in many of today's software projects. This, however, poses a problem for architects trying to incorporate modern software security requirements into a code base with no concept of such standards.

Most new military systems require some level of security consideration. In some systems, this may be so stringent that formal certification is required. Attempting such a certification on legacy software would be extremely costly and in many circumstances is unachievable. One solution to this problem is to utilize advances in software virtualization techniques, and particularly a separation kernel.

Virtualization: Truth versus misconception

Software virtualization has long been understood as a way of hosting multiple Operating Systems (OSs) on a desktop computer. In recent years, we have seen virtualization migrate into the embedded realm and start to influence markets such as automotive, medical, and industrial, as well as the more traditional aerospace and defense markets.

In most situations, software virtualization is used to address the need for hardware consolidation where multiple systems are combined onto a single hardware platform performing multiple functions. This integration is further complicated by mixing legacy software on the same platform as new design and utilizing the separation between those software components to enforce security in the system.

A common misconception in the software world is that virtualization implies separation and that just because a platform utilizes virtualization, then its software subjects must be separated. In the security world, it is well understood that this is not the case. And many virtualization architectures and products on the market today cannot guarantee any level of software separation and, therefore, are not candidates for military systems requiring any level of security certification.

These architectures would not be suitable as a solution to the problem being addressed here. In this scenario, the separation kernel is quite different from traditional hypervisors. The separation-kernel hypervisor, such as LynxSecure from LynuxWorks™, not only allows multiple guest operating systems to run on the same hardware platform, but it also guarantees that those guests are separated and cannot affect each others' functions.

Not only does a separation kernel separate the guest operating systems, it additionally separates the physical devices and information flow between the various guests. A software designer has the ability to dictate which operating system has visibility of certain board devices and which guest operating systems are allowed to communicate with each other. It is the implementation of such communication paths that facilitates interpartition communication between guests. With such a path, the guest has no visibility or knowledge of its peer's existence.

Virtualization: A closer look

Figure 2: Using a separation kernel

Using the separation kernel as a base technology, the software designer can now guarantee that one operating system cannot affect another or access certain board devices.

As Figure 2 illustrates, the Windows® subject is running legacy application code in a "contained" Windows environment. The OS has no knowledge that it is running on a separation kernel or that another operating system is running on another core on the very same processor. The second operating system is designed to be the secure gateway and employs complex security software to protect the system from the outside world. Any data coming from the public network is first analyzed by the secure partition, and only if it is deemed secure does it make its way via interpartition communication to the Windows partition.

Using this approach, the software designer has the flexibility to design the secure partition from modern software principles while the legacy Windows OS is completely unchanged. The Windows OS simply sees the interpartition communication path as a connection to the outside network and has no knowledge that an intermediate software "guard" was analyzing the data and adding a level of software security to the non-secure legacy software.

This premise could indeed be extended to any number of theoretical guest operating systems, each performing a dedicated role in the overall system. Some of these guests might comprise legacy code, while others comprise newly developed code. Systems in the field today already employ such technologies in modified designs. Products such as secure separation kernel hypervisors not only provide a COTS methodology, but they also enable the military market to use modern military-grade software technologies alongside legacy software.

Virtualization melds legacy and secure apps

In conclusion, virtualization and particularly separation kernels are not just tools to allow users to host multiple operating systems on a desktop; they are also valuable technologies enabling system architects to extend the usability of legacy systems alongside but separate from more modern, secure military systems. One virtualization technology, as mentioned, is the LynxSecure separation-kernel hypervisor, certifiable to the highest level of robustness and capable of hosting both paravirtualized and fully virtualized guests including the Windows, OpenSolaris, and Linux® operating systems.

Stuart Fisher is a product manager for LynxSecure at LynuxWorks, Inc. He has more than 15 years of experience in the embedded market, both in engineering roles and customer-interfacing positions. Stuart is based in Sutton Coldfield, England and is a graduate of the University of Coventry, where he earned a Bachelor of Engineering degree in Computing and Electronics.

A LynuxWorks embedded OS is featured in this embedded system application:

QCAT's Automated Volume Estimation of Haul-Truck Loads

Who else uses a LynuxWorks embedded operating system?

Security white papers

Building in RTOS Support for Safety- & Security-Critical Systems: LynuxWorks explains the differences between safety-critical and security-critical applications and how to meet their demanding requirements with the LynxOS-178 RTOS and the LynxSecure hypervisor. (EE Times Design, August 2011)
Enhancing Application Performance on Multicore Systems: Tips on optimizing a multicore real-time system, including virtualization, avoiding synchronization and concurrency while maximizing application parallelism. (Military Embedded Systems, February 2011)
Hardware Virtualization puts a new spin on Secure Systems: Real-time determinism and military security don't have to be separate realities. A combination of a secure separation kernel and an embedded hypervisor enables whole new levels of system security. (COTS Journal, October 2010)
Using a Separation Kernel to add Military-Grade Security to Legacy Systems: A challenge for the software designer is how to integrate modern military-grade software programs into legacy software designed long before security standards were predominant in system requirements. (VME Critical Systems, Summer 2010)
Virtualization: Keeping Embedded Software safe and Secure in an Unsafe World: A new, secure methodology is needed to separate systems of different security levels which run on shared resources—without compromising the performance of legacy systems. (EE Times, June 2010)
Secure Virtualization Combines Traditional Desktop OSs and Embedded RTOSes in Military Embedded Systems: Advances in software and hardware technologies now make it feasible to use both embedded and desktop operating systems in a secure military system. (Military Embedded Systems, May 2010)
DO-178B Provides Certification Safety net: Developers of commercial avionics software must demonstrate compliance with DO-178 guidelines. The FAA has issued additional guidance for so-called DO-178B Reusable Software Components (RSCs as defined in AC20-148), which allow for reuse of certifications. (COTS Journal, November 2009)
Designing Safety-critical Avionics Software Using open Standards: Safety-critical avionics systems have continually grown more complex and software-intensive. Regulatory authorities and avionics manufacturers have responded with guidance such as DO-178B and RSC to ensure that software performs safely, with controlled development cost. (Boards and Solutions, September 2009)
Two Different Realms: RTOS Support for Safety-critical vs. Security-critical Systems: Safety- and security-critical system functions are evolving simultaneously, with different yet similar requirements. Modern RTOSes are stepping up to meet these needs. (VME and Critical Systems, June 2009)
Virtualization Makes Better use of Open-source OSes and apps: With the introduction of the embedded hypervisor, embedded systems can avoid certain performance or licensing issues inherent to open-source OSes and applications. (EE Times, March 23, 2009)
Secure Virtualization Technology can Extend the life of Legacy Systems: By combining the concept of virtualization and security, one can consolidate multiple legacy systems running on heterogeneous operating systems onto a single host system with high-assurance security. (Military Embedded Systems, January/February 2009)
Virtual Machines: Intel's CPU Extensions Transform Virtualization: Virtualization has traditionally presented its share of design challenges in information-assurance-based systems. But now, Intel's VT-x and VT-d CPU extensions are changing the game and showing potential to become the de facto path to virtualization. (Military Embedded Systems, January 2009)
Separation Kernel for a Secure Real-time Operating System: The technical foundation adopted for the so-called MILS architecture is a separation kernel like LynxSecure, which permits multiple functions to be realised on a common set of physical resources without unwanted mutual interference. (Boards and Solutions Magazine, February 2008)
Advances in Virtualization aid Information Assurance: Advances in the newest Intel® processors are making virtualization much easier to implement in security applications than ever before. (Embedded Computing Design, January 2008)
Protecting our most Vital Systems: Some significant defence programmes are already committed to a new approach to high-threat, high-asset-value systems. Rance DeLong explains MILS. (Components in Electronics, April 2007)
Perspectives: Security and the Separation Kernel: Today's avionics systems are designed to support more than one application, using a partitioned operating system and memory management units to ensure applications have adequate separation. (Avionics Magazine, April 2007)
MILS: An Architecture for Security, Safety, and Real Time: The unrelenting growth and integration of embedded controls, information processing, and communications has created a need for systems that provide robust protection for resources and services in the face of serious threats. (Embedded Technology Magazine, November 2006)
Partitioning Operating Systems Versus Process-based Operating Systems: Partitioning operating systems are the latest buzz, while processes, by contrast, have been around for over 30 years. Both provide memory protection, however, the intent behind them is very different.
DO-178B and the Common Criteria: Future Security Levels: Although there are similarities between the airborne safety-critical requirements in RTCA/DO-178B and the Common Criteria, ISO 14508, compliance with the higher levels of security in the Common Criteria demands meeting additional security requirements. (COTS Journal, April 2006)
Reusing Safety-Critical Software Components: Safety-critical systems often operate together as a single "system-of-systems," making it important that they meet the most stringent and rigorous requirements for safety-criticality. The failure of one module in a system could create other failures or vulnerabilities, or worse yet, failure of the system as a whole. (COTS Journal, August 2005)
Using the Microprocessor MMU for Software Protection in Real-Time Systems: With minimal impact to overall system performance, user tasks and the kernel can be protected from accidental corruption by using multiple protected address spaces.
Improving code Migration and Reuse: The unrelenting growth and integration of embedded controls, information processing, and communications has created a need for systems that provide robust protection for resources and services in the face of serious threats. (Embedded Computing Design, August 2006)
FCS Program Rolls Forward in Formation: A wireless data network, with advanced communications and technologies, links soldiers with 18 new, lightweight manned and unmanned ground vehicles, unmanned aircraft, sensors and weapons—and it's all in one program. (COTS Journal, June 2005)
Secure Operating Systems for Deeply Embedded Devices: As we add more intelligence to our embedded devices, we find that they are becoming increasingly integrated into our information technology infrastructure. Though system security is not a new concept, security-in-depth is a new paradigm developers are now starting to address. (RTC Magazine, September 2004)