INTEGRITY-178 tuMP RTOS:

Application development using C, C++, and Ada is supported, including library subsets designed for DO-178B Level A (and lower levels), Multi-Level Secure (MLS), and Multiple Independent Level Secure (MILS) related applications. Programming language considerations defined in the Handbook for Object-Oriented Technology in Aviation (OOTiA) were used in the selection of the supported object-orientated library features. C, C++, and Ada support are part of the certified FACE conformance for INTEGRITY-178 tuMP.

The ANSI C library subset is included with the INTEGRITY-178 tuMP RTOS. EC++178 is a safety and security-critical implementation of Green Hills Software’s C++ profile, which is a subset of full C++ based on a combination of Embedded C++ and OOTiA.

Ada run-time systems are available for two different Ada profiles. GHS Minimal Ada Run-Time System (GMART) is a safety- and security-critical single-tasking Ada run-time system based on the SPARK Ada profile. GMART can also be utilized in multi-threaded applications (on a per-process basis) when used in conjunction with the ARINC 653 Part 1 Required Services. GHS Safe-Tasking Ada Run-Time System (GSTART) is a safety- and security-critical multi-tasking Ada run-time system based on the Ravenscar Ada profile. GSTART supports determinism and schedulability analysis for multi-tasking.

ANSI C subset, EC++178, GMART, and GSTART are available with full off-the-shelf DO-178C Level A certification material. All have formally passed Level A multiple times as a part of avionics systems and thus are certified and not just certifiable.

The IPFLITE product provides a UDP/IP network system for DO-178B Level A certification. This lightweight client-server implementation provides reliable networking support for Ethernet-connected devices. The IPFLITE Client provides a BSD-style socket API that can be used to access networking services. The IPFLITE Server provides the network stack implementation, manages multiple Ethernet devices, and handles simultaneous API requests from clients and Address Resolution Protocol (ARP) requests/transmissions. The IPFLITE server provides partitioning support when utilized by clients operating in different partitions.

The IPFLITE Trivial File Transfer Protocol (TFTP) library provides TFTP services compatible with the INTEGRITY-178, IPFLITE, and PJFS-178 products. The TFTP library supports both read and write file transfer requests generated through either the TFTP API or by a foreign host.

Green Hills Software offers products for five of the optional services defined in ARINC 653 Part 2, “Avionics Application Software Standard Interface Part 2 - Extended Services.”

The ARINC 653 File System Interface consists of a single high-level file system component that is used with INTEGRITY-178 tuMP and PJFS-178 to provide file system capabilities to ARINC 653 based applications.

The ARINC 653 (Part 2) Multiple Module Schedules Interface provides the capabilities for authorized partitions to select a new module schedule, where the new module schedule begins at the end of the major frame. The ability to change to a different module schedule can be useful for initialization sequences, adapting to component failure, or reacting to system mode change as directed by the pilot.

The ARINC 653 Sampling Port Extensions capability extends the services available for use by ARINC 653 compliant applications. The primary purpose of these services is to provide greater flexibility to the application when reading sampling port messages.

The ARINC 653 Memory Blocks capability provides a means for a partition to access specific blocks of physical memory. The partition is granted (or denied) access to a Memory Block in accordance with the access privileges defined in the configuration tables. This capability can be useful for defining read-only databases, such as navigation databases, or mapping to IO devices.

The ARINC 653 Multiple Processor Cores Extensions capability provides greater flexibility in assigning processes (tasks) to cores. Part 1 requires each process to be defined to have an affinity to run on a specific processor core, a capability also known as bound multi-processing (BMP). ARINC 653 Part 2 provides the capability for a process to have an affinity to run on any processor core, a capability also known as symmetric multi-processing (SMP). INTEGRITY-178 tuMP provides both BMP and SMP in addition to asymmetric multi-processing (AMP). In Part 1, the task-core affinity can only be set during the initialization phase. Part 2 relaxes that restriction and allows the affinity to be changed during normal operation mode if authorized by the configuration tables.

For projects that require very small footprints with no time and space partitioning requirements, Green Hills Software provides several products that run as bare target runtimes. A bare target run-time executes directly on the underlying processor (i.e., no operating system involved in multi-partition, multi-tasking, or hardware abstractions).

The GMART Bare Target is a non-tasking, minimal, Ada language-based run-time. GMART Bare Target is intended to be suitable for use by Ada application developers who utilize SPARK toolsets and development concepts.

The GCERT Bare Target is a non-tasking, minimal, C language-based run-time. GCERT Bare Target provides a minimal run-time that supports the ANSI C Library subset.

Security Product Extensions

These products provide support for the Separation Kernel Protection Profile (SKPP) functional capabilities. The certification evidence also supports the use of these products by DO-178B Level A (and lower levels) applications.

Audit Logging
The Audit Logging product supports the logging of a well-defined set of events during RTOS execution. A customer-defined monitoring application uses the Audit Logging functionality to access the logged audit events to detect potentially malicious code behavior. INTEGRITY-178 includes definitions of the events being logged as part of RTOS execution. The logged events may only be read by applications explicitly authorized to access the audit log. A means to statically configure the system to exclude specific events on a partition or event basis is also supported.

Audit Logging also provides capabilities for authorized applications to reset the audit log, enable/disable audit logging, record specific events, and halt system operation.

Integrity Tests
Integrity tests ensure the integrity of the executable images of the RTOS stored in both volatile and non-volatile RAM. Those include continuous tests of the active executable image of the RTOS in RAM as well as a set of power-up tests. The integrity tests can detect program memory failures that could result in loss of protective checks within INTEGRITY-178 (the partitioning architecture prevents malicious code in a partition from attempting to modify applications after load-time). The Green Hills implementation is designed to comply with the NIST/FIPS Secure Hash Standard (FIPS 180-2).

A user application project’s overall executable object code is constructed with digest information for each ELF image. The integrity tests provide the capability to detect integrity failures within these ELF images. When a failure is detected, an audit event is reported. The integrity testing product is designed to operate with INTEGRITY-178 and the Audit Logging product.

Abstract Machine Test (AMT)
The Abstract Machine Test product provides support for testing and confirming the correct operation of the hardware protection mechanisms at RTOS startup and periodically after that. This includes, for example, tests that attempt memory violations and privileged instruction execution in order to ensure the hardware that enforces separation between the virtual address spaces is still operational. In this way, AMT can detect hardware failures that could have allowed malicious code unauthorized access to hardware or software.

When a failure is detected, an audit event is logged, and the failure is reported. The AMT product is designed to operate with INTEGRITY-178 and the Audit Logging product.