One of the key benefits of creating a virtualised OS architecture is
the addition of security capabilities into embedded design. The
time-space partitioning capabilities provided in this architecture form
a natural foundation for creating secure applications in embedded
design. The MILS architecture is a design approach that evolves naturally
from the time-space partitioning paradigm.
The MILS (Multiple Independent Levels of Security/Safety)
architecture adopts the best principles of security and safety-critical
design to define a hard real-time, secure embedded OS that can be
evaluated to the highest levels of security (EAL7) and safety assurance
(DO-178B), while preserving the flexibility to support diverse security
policies. The architecture identifies four key security policies:
Information Flow, Data Isolation, Residual Information Protection and
Damage Limitation.
Information Flow policy states that only authorised subjects can
exchange information using pre-configured communication channels. Data
Isolation policy states that objects can be isolated into separate
partitions, such that subjects can only gain access to objects they are
authorised to access. Residual Information Protection policy states
that covert channels cannot exist through unintended transfer of
residual state information. Damage Limitation policy states that fault
isolation is present and faults in one partition do not propagate to
other partitions.
The MILS architecture uses a small partitioning kernel (RTOS) that
runs in supervisor mode and provides brick-wall partitioning of memory,
time and I/O resources. The partitioning kernel only provides the basic
functionality needed to support the underlying hardware. Within each
partition, the traditional OS functionality executes in user mode
completely isolated from other partitions.
The middleware and applications make up the rest of the components
that may execute in a single partition. The MILS architecture is an
example of component layering (kernel, middleware and application), and
provides a platform for virtualisation of commodity OSes. This
architecture provides flexible security capabilities and can be the
basis of several secure embedded designs on multi-core processors.
Figure 2: LynxSecure RTOS on a multi-core processor
Example architecture
An example architecture that exemplifies the principles of
virtualisation, real-time and security on multi-core processors is the
LynxSecure architecture from LynuxWorks (Figure 2, above).
The LynxSecure RTOS combines time-space partitioning and virtualisation
to allow multiple, heterogeneous operating systems to execute in a
robust, highly secure environment on 64-bit, multi-core processors. It
allows safety-critical and secure operating systems to function
alongside non-secure operating systems without compromising the entire
system's security, reliability and data integrity.
This separation kernel is also a virtual machine monitor that is
certifiable to Common Criteria EAL7 (Evaluation Assurance Level 7).
This is a level of certification not attained by
any known operating system to date. It is also certifiable to DO-178B
Level A, the highest level of FAA certification for mission-critical
avionics applications.
It is designed to provide a virtualised hardware interface that allows
multiple guest operating systems to run on a single physical machine.
To achieve this the separation kernel creates a
virtualisation layer that maps physical system resources to each guest
operating system, thereby virtualising operating systems like Linux,
Windows, and LynxOS-SE to run within ultra-secure partitions.
This virtualisation technique provides superior performance for the
virtualised operating systems and their applications, while preserving
100% application binary compatibility with the non-virtualised
instance.
In addition, it guarantees resource availability, such as memory-
and processor-execution resources, to each partition, so that no
software can fully exhaust or consume the scheduled memory or time
resources of other partitions. There is support for simultaneous use of
system interfaces, including multiple instances of the same or
different operating systems in different partitions.
Additional capabilities of this architecture include a fixed-cyclic
ARINC 653-based scheduler, which ensures that every partition is
allocated adequate CPU time so that no partition can be starved, and a
dynamic scheduling policy that allows maximum flexibility.
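The fixed-cyclic scheduling described here, together with the Damage Limitation policy defined earlier, can be made concrete with a small simulation. The following is an added illustration, not LynxSecure or ARINC 653 source code; the partition count, the window table and the two partition behaviour models are constructed for the example.

```c
#include <stdbool.h>
#include <string.h>
/* Added illustration, not LynxSecure or ARINC 653 source code: a minimal
 * fixed-cyclic partition scheduler. The major frame is a static table of
 * time windows and the kernel preempts at the end of each window whatever
 * the partition is doing, so no partition can consume another's time. */
#define NPART 3
#define MAJOR_FRAME_TICKS 10
struct window { int partition; int ticks; };
/* Constructed schedule: P0 gets 4 ticks, P1 and P2 get 3 each per frame. */
static const struct window major_frame[] = { {0, 4}, {1, 3}, {2, 3} };
#define NWINDOWS ((int)(sizeof major_frame / sizeof major_frame[0]))

/* Configuration-time check: the windows fill the frame exactly and every
 * partition owns at least one window, so none can be starved. */
bool schedule_is_valid(void) {
    int total = 0;
    bool seen[NPART] = { false };
    for (int i = 0; i < NWINDOWS; i++) {
        int p = major_frame[i].partition;
        if (p < 0 || p >= NPART || major_frame[i].ticks <= 0) return false;
        total += major_frame[i].ticks;
        seen[p] = true;
    }
    for (int p = 0; p < NPART; p++) if (!seen[p]) return false;
    return total == MAJOR_FRAME_TICKS;
}

/* Model of a partition's behaviour on one tick of its window; false = fault. */
typedef bool (*part_step_fn)(int tick_in_window);
bool well_behaved(int t) { (void)t; return true; } /* never yields voluntarily */
bool faulty(int t) { return t != 1; }              /* faults on its 2nd tick */
struct part_state { int ran; bool halted; };

/* Run n major frames. Damage Limitation: a faulting partition is halted and
 * the rest of its window idles; the other partitions' budgets are untouched. */
int run_major_frames(int n, const part_step_fn step[NPART], struct part_state st[NPART]) {
    int elapsed = 0;
    memset(st, 0, sizeof(struct part_state) * NPART);
    for (int f = 0; f < n; f++)
        for (int w = 0; w < NWINDOWS; w++) {
            int p = major_frame[w].partition;
            for (int t = 0; t < major_frame[w].ticks; t++, elapsed++) {
                if (st[p].halted) continue;       /* idle time is never reassigned */
                if (step[p](t)) st[p].ran++;
                else st[p].halted = true;
            }
        }
    return elapsed;
}
```

Over two frames the well-behaved partitions receive exactly 8 and 6 ticks even though one of them never yields, while the faulting partition is halted after its first tick and its remaining window time is neither reassigned nor allowed to delay the frame.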
This example separation kernel provides the essential components for
a complete implementation of a scalable, multithreaded and secure
architecture through support for symmetric multiprocessing (SMP) for
optimal resource utilisation and load balancing on multi-core
processors. It also provides additional high-end scalability and memory
support through 64-bit execution mode and addressing capabilities.
As the complexity of embedded applications continues to grow, the
need for greater computing power continues to drive advances in
processor architecture. The emergence of multi-core processors marks a
strategic inflection point in the embedded industry.
The confluence of innovation in operating system design in the areas
of virtualisation, real-time and security on these newer processors is
enabling new paradigms in embedded application design, the effects of
which will propel further advances in application design in the
embedded marketplace.
The design of embedded applications is becoming a complex endeavour.
The need for advanced operating systems and tools to enable application
designers to take advantage of these hardware innovations has never
been greater. The technology issues outlined in this article should
help embedded designers make appropriate choices for their embedded
software needs, as the embedded industry moves into the 21st century.
Arun Subbarao is Vice President of Engineering at LynuxWorks, where he is
responsible for the development of operating system and tools products,
as well as consulting services.