Building in RTOS support for safety- & security-critical systems

By Will Keegan, LynuxWorks, Inc.

August 27, 2011

LynxSecure for Security-critical Systems
National security relies on the explicit control of information, and the goal of all security-critical systems is to ensure that access to all system information is authorized. The slightest flaw in a system's security-enforcing function, such as a crypto-algorithm or random number generator, is a national threat.

Traditionally, sensitive information is protected on completely isolated infrastructures, ensuring that no unauthorized user gains access to these infrastructures and that no unauthorized data infiltrates or exfiltrates these infrastructures. But as government organizations mobilize, mission success puts higher demands on the ability to access and share information.

In response to this demand, government, industry, and academia have developed the Multiple Independent Levels of Security (MILS) specification. MILS allows a single information system to simultaneously process data of different security domains while maintaining isolation between the domains. This capability offers a multitude of benefits in both productivity and cost savings. One of the first demonstrations of a MILS system was a user PC that hosted multiple operating systems of different security levels. This gave users the ability to access data at separate security levels from a single device while at the same time reducing the number of machines previously required.

The foundation of the MILS architecture is a separation kernel (SK), which is an RTOS that explicitly controls platform resources to create isolated computing partitions, ensuring that all information processed within a partition remains in that partition and does not leak out through underlying side channels.

LynxSecure (Figure 2 below) is a MILS Separation Kernel capable of OS para-virtualization and full-virtualization, making it both a separation kernel and hypervisor. Using LynxSecure, various security-critical information systems can be composed by simply creating protection boundaries around security-critical software components and explicitly controlling the flow of information between these boundaries. Within a protection boundary, users can run software as simple as a message guard or as complex as a fully virtualized instance of Microsoft Windows 7. In either case the security architecture of the system remains the same.
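As an added illustration (not LynuxWorks or LynxSecure code), here is a toy Python model of the policy this paragraph describes: partitions are isolated by default, data crosses a protection boundary only over a channel declared in the static configuration, and a downgrade between security levels is refused unless the sender is a trusted message guard. The partition names, levels and guard are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Ordering of the security domains in the toy system (constructed for the example).
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP_SECRET": 2}


@dataclass(frozen=True)
class Partition:
    name: str
    level: str              # security domain whose data this partition processes
    is_guard: bool = False  # a trusted message guard may release data downward


@dataclass
class SeparationPolicy:
    """Static configuration the kernel enforces: partitions plus declared channels."""
    partitions: dict = field(default_factory=dict)
    channels: set = field(default_factory=set)  # (src, dst) pairs explicitly allowed

    def add_partition(self, p: Partition) -> None:
        self.partitions[p.name] = p

    def allow_channel(self, src: str, dst: str) -> None:
        """Declare a one-way channel. A flow from a higher to a lower domain is
        refused unless the sender is a guard, so downgrades are never implicit."""
        if src not in self.partitions or dst not in self.partitions:
            raise ValueError("channels may only join configured partitions")
        s, d = self.partitions[src], self.partitions[dst]
        if LEVELS[s.level] > LEVELS[d.level] and not s.is_guard:
            raise ValueError(f"{src}->{dst} would downgrade {s.level} data; route it via a guard")
        self.channels.add((src, dst))

    def may_send(self, src: str, dst: str) -> bool:
        """Default deny: only a declared channel lets data cross a boundary."""
        return (src, dst) in self.channels


def build_example_system() -> SeparationPolicy:
    """A SECRET Windows guest, an UNCLASSIFIED network partition, and a guard
    between them (names and levels are constructed for this example)."""
    policy = SeparationPolicy()
    policy.add_partition(Partition("win7_secret", "SECRET"))
    policy.add_partition(Partition("net_unclass", "UNCLASSIFIED"))
    policy.add_partition(Partition("guard", "SECRET", is_guard=True))
    policy.allow_channel("win7_secret", "guard")   # guest hands outbound data to the guard
    policy.allow_channel("guard", "net_unclass")   # only the guard may release it downward
    return policy
```

Note that an undeclared upward flow (unclassified network into the SECRET guest) is also denied: the model is default-deny on every boundary, not just on downgrades.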

Figure 2 - LynxSecure Separation Kernel & Hypervisor

LynxSecure achieves its separation properties through similar means as LynxOS-178 by providing time, space, and resource partitioning between security domains. However, the two RTOSs are not related. Abiding by the principle that security must be built-in rather than bolted on, LynuxWorks made the decision that in order to develop an RTOS for the foundation of security-critical systems it must be built from the ground up.

Therefore LynxSecure was written from scratch, designed and implemented with different requirements under different environmental assumptions than LynxOS-178.

LynxSecure assumes that it operates in a malicious environment, in which software both inside and outside the security domains is trying to breach and bypass the separation enforced by LynxSecure. Given these assumptions, additional protection mechanisms are in place to actively protect the integrity of LynxSecure's security-enforcing functions.

LynxSecure ensures that all code with privileged access to platform resources is both necessary and sufficient to host guest partitions, maintain separation, and control information flow. This greatly differs from the design of LynxOS-178, which includes extra privileged functionality such as a network stack, device drivers, and a real-time multithreading API. By implementing only the essential Separation Kernel and virtualization logic, LynxSecure drastically reduces its attack surface.

LynxSecure was designed to achieve the most stringent Common Criteria Evaluation Assurance Level, EAL 7, such that the security enforcing components can be proven correct according to the security requirements defined in the Separation Kernel Protection Profile (SKPP). In order to achieve EAL 7, LynxSecure was designed to be small and simple enough to undergo the process of mathematical formal verification.

Summary
As stated, safety-critical and security-critical systems are not mutually exclusive. Security is becoming a greater concern for safety-critical systems. As systems are further integrated and remotely managed, the threat level rises for safety-critical systems, making information security a fundamental requirement. In these circumstances, LynxSecure, with its virtualization capabilities, can be used as a foundational layer to provide protection boundaries around entire safety-critical systems by hosting multiple instances of LynxOS-178, offering both a safety-critical and a security-critical solution.

Will Keegan is a security software specialist at LynuxWorks. He has over 5 years of experience working in security-critical and safety-critical industries. He previously served as a product and sales engineer for OIS, where he worked on the development and marketing of various high assurance cryptographic network and embedded middleware products. He was also a network engineer for USAA, maintaining a world-class data center. He graduated from the University of Texas at Austin, earning a B.S. in Computer Science. He can be contacted at wkeegan@lnxw.com.