Secure virtualization combines traditional desktop OSs and embedded RTOSs in military embedded systemsStory
May 31, 2010
Advances in software and hardware technologies now make it feasible to use both embedded and desktop operating systems in a secure military system. Robert examines enablers such as a secure separation kernel and an embedded software hypervisor, then explains uses of desktop OSs in secure military systems. (470th Military Intelligence Brigade Public Affairs photo by Gregory Ripps)
As Intel continues to bring its processor technologies into the embedded world, an interesting convergence of embedded applications with more traditional desktop applications is taking place. For military applications, desktop systems and embedded systems have traditionally been separate systems, connected over a secure network (see Figure 1). However, there is now a desire to consolidate multiple hardware platforms to reduce Size, Weight, and Power (SWaP) while maintaining the security that discrete systems traditionally offered.
Figure 1: Traditional systems have physically separate hardware to maintain security and performance.
(Click graphic to zoom by 1.9x)
By combining new software and hardware technologies, this consolidation is now a reality, without having to sacrifice either performance or security. The software technology is a secure separation kernel and embedded hypervisor, utilizing the Intel multicore virtualized hardware technology. This software platform becomes a true enabler of modern hardware functionality; however, before examining the application of the technology, it is beneficial to examine the two component parts of the software.
Software component 1: Secure separation kernel
A separation kernel is a small, lightweight operating system that is the lowest-level connection to the processor. The separation it provides is not dissimilar to a traditional time- and space-partitioned OS (see Sidebar 1), but it also adds a secure function by enforcing predefined security policies in areas such as device management and interpartition communication. Also, the separation kernel itself does not offer traditional OS features such as disk or network access, but it does manage scheduling and memory functions. The advantage of removing many of the high-level OS features is that the separation kernel can be kept small and efficient, offering real-time application performance and secure, high-speed interpartition communication using memory rather than physical networking connections.
Sidebar 1: There are differences between safety-critical OSs and security separation kernels.
(Click graphic to zoom by 3.0x)
In the security world, this small separation kernel is the cornerstone of high-assurance systems, offering security policy enforcement and strict partitioning, using a Multiple Independent Levels of Security (MILS) architecture. This allows security engineers to build systems that need to be taken to the highest level of Common Criteria (currently EAL 7) and run applications requiring different security levels on the same physical hardware. Many separation kernels are derived from partitioned OSs by removing OS functionality and adding security features. However, to achieve the highest levels of evaluation, the software must also be proven secure by using formal-methods analysis. The separation kernel is the fundamental enabler to the secure coexistence of multiple applications on the same hardware platform. And, when united with an embedded hypervisor, the combination of desktop and embedded systems can be achieved.
Software component 2: Embedded hypervisor
A software hypervisor is a software layer that allows different guest OSs to reside on a single hardware platform. This technology is commonly used in the enterprise or data center realm to allow the IT departments to run all their required applications across multiple versions of server-based OSs. In the embedded world, the use of hypervisors is not as common. The requirement to run multiple different versions of an OS on a dedicated embedded system is not as crucial. And there have been questions over the performance of running extra layers of software in systems where real-time performance is key. When a hypervisor and a separation kernel are combined, the ability to bring desktop and embedded systems together becomes a reality (see Figure 2).
Figure 2: The combination of separation kernel and hypervisor allows multiple OSs to be run securely on the same physical hardware.
(Click graphic to zoom by 1.9x)
Hardware: Desktop OSs in secure military systems
With the use of Intel processors, traditional desktop OSs are also being used in many military systems. However, when multiple levels of security are required, this can stop the use of nonsecure desktop OSs. With the introduction of a secure separation kernel and hypervisor, traditional desktop OSs and applications can be run in their own unclassified partition, thus allowing for the functionality of a known user interface and applications, without compromising the security of the rest of the system. Anything that enters into the desktop partition cannot breach the secure separation kernel and hence will be contained in the unclassified part of the system.
This software partitioning and virtualization also aid in the consolidation of hardware and the reduction of SWaP, which is of particular interest in many military scenarios. By running separate systems in their own partitions, and allowing for different OSs and applications to be run in those partitions, there can be a true consolidation of physically separate systems to a single physical piece of hardware.
The use of Intel multicore, virtualized processors allows the merging of a Windows or Linux desktop system with a more traditional Real-Time Operating System (RTOS), and allows the same performance and functionality of applications as if they were still running on their own dedicated hardware platforms.
An additional feature that is very compelling in regard to this approach is that of virtual networking. Here, the guest OSs and applications can communicate “virtually” with other guest OSs and applications, even though they are residing in separate partitions. The virtual network looks to the applications as a real network port, and so these applications can communicate as if they were two physically separate networked devices, even though the communication is internal. A secure separation kernel can also enforce security policies to this virtual networking and dictate which partitions can communicate with each other and in which direction (see Figure 3).
Figure 3: The use of a separation kernel and hypervisor allows desktop OSs and RTOS to reside on the same hardware platform.
(Click graphic to zoom by 1.9x)
This gives a secure partitioned environment with the ability to run multiple guest OSs and applications separated from one another on the same hardware. To allow near-native performance while maintaining real-time determinism and security, hardware virtualization support for both execution and memory can be utilized by the separation kernel and hypervisor. Independent studies performed on the LynxSecure separation kernel and hypervisor have shown that running benchmark applications on a virtualized Linux OS yields less than a 5 percent performance degradation as compared to the same applications running on a native implementation of the same Linux on the same hardware.
Another benefit of the migration of desktop systems is afforded if the embedded hypervisor uses Intel’s Virtualization Technology. This allows Microsoft Windows to be run in fully virtualized mode, which requires no changes to Windows to run on the hypervisor, and a combination of the software separation kernel and the hardware virtualization gives Windows the impression it has the whole system, while running in its own secure partition. If no changes are required to either Windows or its applications, this speeds the development or porting activity from a stand-alone system to a secure virtualized system.
An example of a MILS solution running on Intel virtualized hardware is LynxSecure from LynuxWorks. It is a secure separation kernel and embedded hypervisor that uniquely offers both para- and full-virtualization of guest OSs, and maintains real-time performance and MILS security that can be evaluated to the highest Common Criteria levels. It takes advantage of multicore Intel components to enable high performance even when running multiple guest OSs. Microsoft Windows can run on the same system as Linux and RTOS, with each having its own secure partition and running applications at different security classifications. For the next generation of military embedded systems, the combination of LynxSecure and Intel hardware allows the ultimate in flexibility of system and applications while maintaining the highest level of security.
Robert Day is Vice President of Marketing for LynuxWorks, where he is responsible for all global external and internal marketing functions. With more than 20 years in the embedded industry, his most recent position prior to joining LynuxWorks was heading marketing for Mentor Graphics’ embedded software division. Prior to the marketing role, he held a variety of management, sales, and engineering positions for Mentor Graphics and Microtec Research, spanning more than 18 years in total. Based in San José, California, Robert is a graduate of The University of Brighton, England, where he earned a Bachelor of Science degree in Computer Science. He can be contacted at [email protected]
LynuxWorks 408-979-3900 www.lynuxworks.com