Leading the Embedded World

Certified Language Support

Application development using C, C++, and Ada is supported, including library subsets designed for DO-178B Level A (and lower levels), Multi-Level Secure (MLS), and Multiple Independent Level Secure (MILS) related applications. Programming language considerations defined in the Handbook for Object-Oriented Technology in Aviation (OOTiA) were used in the selection of the supported object-orientated library features. C, C++, and Ada support are part of the certified FACE conformance for INTEGRITY-178 tuMP.

The ANSI C library subset is included with the INTEGRITY-178 tuMP RTOS. EC++178 is a safety and security-critical implementation of Green Hills Software’s C++ profile, which is a subset of full C++ based on a combination of Embedded C++ and OOTiA.

Ada run-time systems are available for two different Ada profiles. GHS Minimal Ada Run-Time System (GMART) is a safety- and security-critical single-tasking Ada run-time system based on the SPARK Ada profile. GMART can also be utilized in multi-threaded applications (on a per-process basis) when used in conjunction with the ARINC 653 Part 1 Required Services. GHS Safe-Tasking Ada Run-Time System (GSTART) is a safety- and security-critical multi-tasking Ada run-time system based on the Ravenscar Ada profile. GSTART supports determinism and schedulability analysis for multi-tasking.

ANSI C subset, EC++178, GMART, and GSTART are available with full off-the-shelf DO-178C Level A certification material. All have formally passed Level A multiple times as a part of avionics systems and thus are certified and not just certifiable.

PJFS-178 File System

The PJFS-178 product is a high-assurance, reliable file system designed for DO-178B Level A certification that supports both file and directory services. This small footprint client-server implementation provides power-failure safe access to a variety of underlying storage devices. The PJFS-178 Client provides a POSIX-based API that can reside in one or more application partitions. The PJFS-178 Server implements the file system, handles simultaneous API requests from clients, and manages all physical and virtual file storage devices. The PJFS-178 Server provides partitioning support when used by clients running in different partitions.

The PJFS-178 Server can manage multiple storage devices, divided into separate volumes, each with their own client access permissions. A journal of operations is used to guarantee file system integrity, and provide power-failure safe write operations. Startup time is very fast as operations to ‘check-disk’ are not necessary. PJFS-178 can also be integrated with DO-178B Level A wear-leveling flash device drivers.


The IPFLITE product provides a UDP/IP network system for DO-178B Level A certification. This lightweight client-server implementation provides reliable networking support for Ethernet-connected devices. The IPFLITE Client provides a BSD-style socket API that can be used to access networking services. The IPFLITE Server provides the network stack implementation, manages multiple Ethernet devices, and handles simultaneous API requests from clients and Address Resolution Protocol (ARP) requests/transmissions. The IPFLITE server provides partitioning support when utilized by clients operating in different partitions.

The IPFLITE Trivial File Transfer Protocol (TFTP) library provides TFTP services compatible with the INTEGRITY-178, IPFLITE, and PJFS-178 products. The TFTP library supports both read and write file transfer requests generated through either the TFTP API or by a foreign host.

GHNet-178 TCP/IP Network

The GHNet-178 TCP/IP stack is a full-featured and high-performance dual-mode IPv4/IPv6 stack for embedded systems that do not require DO-178C or security certification. GHNet-178 is integrated with a broad range of networking applications, management, and security protocols. GHNet-178 offers several optional capabilities, including advanced router stack, IPSec library, FTP, NFS, and local backplane support.

ARINC 653 Part 1 APEX

The ARINC 653 (Part 1) Required Services product satisfies the characteristics and interfaces defined for an operating system in ARINC 653 Part 1, “Avionics Application Software Standard Interface Part 1- Required Services.” ARINC 653 part 1 defines a general-purpose Application/Executive (APEX) software interface between the operating system of an avionics computer and the application software.

The ARINC 653 APEX library provides an ARINC 653 compliant API to the INTEGRITY-178 RTOS and includes module-level and partition-level health monitoring capabilities. The supported language bindings permit DO-178B Level A (and lower levels), MLS, and MILS related ARINC 653 applications to be developed in Ada, C, or C++. This product includes support for the latest revisions, Supplements 4 & 5, which added multicore capabilities. Specifically, the standard requires “concurrent use of multiple processor cores by processes within a partition” and “support for scheduling processes that can be run on one of the processor cores assigned to the partition.” Taken together, those require the core affinity of bound multi-processing (BMP). INTEGRITY-178 tuMP supports task-core affinity and BMP, as well as core affinity.

ARINC 653 Part 2 Extended Services

Green Hills Software offers products for five of the optional services defined in ARINC 653 Part 2, “Avionics Application Software Standard Interface Part 2 - Extended Services.”

The ARINC 653 File System Interface consists of a single high-level file system component that is used with INTEGRITY-178 tuMP and PJFS-178 to provide file system capabilities to ARINC 653 based applications.

The ARINC 653 (Part 2) Multiple Module Schedules Interface provides the capabilities for authorized partitions to select a new module schedule, where the new module schedule begins at the end of the major frame. The ability to change to a different module schedule can be useful for initialization sequences, adapting to component failure, or reacting to system mode change as directed by the pilot.

The ARINC 653 Sampling Port Extensions capability extends the services available for use by ARINC 653 compliant applications. The primary purpose of these services is to provide greater flexibility to the application when reading sampling port messages.

The ARINC 653 Memory Blocks capability provides a means for a partition to access specific blocks of physical memory. The partition is granted (or denied) access to a Memory Block in accordance with the access privileges defined in the configuration tables. This capability can be useful for defining read-only databases, such as navigation databases, or mapping to IO devices.

The ARINC 653 Multiple Processor Cores Extensions capability provides greater flexibility in assigning processes (tasks) to cores. Part 1 requires each process to be defined to have an affinity to run on a specific processor core, a capability also known as bound multi-processing (BMP). ARINC 653 Part 2 provides the capability for a process to have an affinity to run on any processor core, a capability also known as symmetric multi-processing (SMP). INTEGRITY-178 tuMP provides both BMP and SMP in addition to asymmetric multi-processing (AMP). In Part 1, the task-core affinity can only be set during the initialization phase. Part 2 relaxes that restriction and allows the affinity to be changed during normal operation mode if authorized by the configuration tables.

ARINC 615A Data Loader

The ARINC 615A Data Loader product satisfies the target data loading characteristics and file formats defined in the ARINC 615A and ARINC 665 specifications. The library provides capabilities to upload/ download target hardware memory and retrieve configuration information from the target hardware. The ARINC 615A Data Loader is compatible with the INTEGRITY-178, IPFLITE, and IPFLITE TFTP products.

Bare Target Products for Ada and C

For projects that require very small footprints with no time and space partitioning requirements, Green Hills Software provides several products that run as bare target runtimes. A bare target run-time executes directly on the underlying processor (i.e., no operating system involved in multi-partition, multi-tasking, or hardware abstractions).

The GMART Bare Target is a non-tasking, minimal, Ada language-based run-time. GMART Bare Target is intended to be suitable for use by Ada application developers who utilize SPARK toolsets and development concepts.

The GCERT Bare Target is a non-tasking, minimal, C language-based run-time. GCERT Bare Target provides a minimal run-time that supports the ANSI C Library subset.

Cryptographic Libraries

The INTEGRITY-178 Embedded Cryptographic Library is a standards-based, FIPS 140-2 compliant cryptographic library used to protect data and intellectual property. It contains the latest algorithms to assure confidentiality, integrity, and authentication, including certified AES, ECC, ECDSA, RSA, HMAC, SHA, random number generator, and key derivation functions. The Embedded Cryptographic Library may be used as the foundation for secure boot and load of the INTEGRITY-178 tuMP RTOS.

Building upon the Embedded Cryptographic Library, security protocol stacks for IPSec/IKE, TLS/SSL, and SSH are available to provide secure, encrypted communication and data transfer. IPSec/IKE provides high-assurance security at the network IP layer with no changes to the application. TLS/SSL provides communication security at the transport layer and is often used for communication between a client and a server. SSH has a variety of uses, such as secure tunneling through a firewall to a virtual machine or using secure copy protocol (SCP) to transfer files. Protocol stacks can be combined to provide security at multiple networking layers as part of a defense-in-depth solution.

Security Product Extensions

These products provide support for the Separation Kernel Protection Profile (SKPP) functional capabilities. The certification evidence also supports the use of these products by DO-178B Level A (and lower levels) applications.

Audit Logging
The Audit Logging product supports the logging of a well-defined set of events during RTOS execution. A customer-defined monitoring application uses the Audit Logging functionality to access the logged audit events to detect potentially malicious code behavior. INTEGRITY-178 includes definitions of the events being logged as part of RTOS execution. The logged events may only be read by applications explicitly authorized to access the audit log. A means to statically configure the system to exclude specific events on a partition or event basis is also supported.

Audit Logging also provides capabilities for authorized applications to reset the audit log, enable/disable audit logging, record specific events, and halt system operation.

Integrity Tests
Integrity tests ensure the integrity of the executable images of the RTOS stored in both volatile and non-volatile RAM. Those include continuous tests of the active executable image of the RTOS in RAM as well as a set of power-up tests. The integrity tests can detect program memory failures that could result in loss of protective checks within INTEGRITY-178 (the partitioning architecture prevents malicious code in a partition from attempting to modify applications after load-time). The Green Hills implementation is designed to comply with the NIST/FIPS Secure Hash Standard (FIPS 180-2).

A user application project’s overall executable object code is constructed with digest information for each ELF image. The integrity tests provide the capability to detect integrity failures within these ELF images. When a failure is detected, an audit event is reported. The integrity testing product is designed to operate with INTEGRITY-178 and the Audit Logging product.

Abstract Machine Test (AMT)
The Abstract Machine Test product provides support for testing and confirming the correct operation of the hardware protection mechanisms at RTOS startup and periodically after that. This includes, for example, tests that attempt memory violations and privileged instruction execution in order to ensure the hardware that enforces separation between the virtual address spaces is still operational. In this way, AMT can detect hardware failures that could have allowed malicious code unauthorized access to hardware or software.

When a failure is detected, an audit event is logged, and the failure is reported. The AMT product is designed to operate with INTEGRITY-178 and the Audit Logging product.