The INTEGRITY-178 tuMP RTOS is architected to have the highest security assurance of any commercial operating system or hypervisor, and that includes the capability to host multi-level security (MLS) applications, such as cross-domain solutions (CDS). INTEGRITY-178 tuMP comes from a long pedigree of security that doesn’t just claim to be secure but has the security certifications to reduce risk and enable deployment in the most sensitive systems. Those certifications include the Common Criteria EAL6+, NSA "High Robustness," and NSA's "Raise the Bar" standards for cross-domain solutions.
Separation Kernel Architecture
When multiple applications exist within the same system, those applications can be at different security levels. To ensure that those applications access only the information for which they are authorized, the system needs to implement a Multiple Independent Levels of Security (MILS) operating environment. A MILS operating system isolates applications and their data into different security domains and provides mechanisms for permitting authorized communication across domains. A MILS operating system should include support for hosting MLS applications, but most do not. A typical MLS application is a cross-domain solution that filters specific information flow from higher security levels to lower security levels.
The base layer for a MILS operating system is a separation kernel. A separation kernel fully isolates applications into partitions and controls the information flows among partitions and with external resources. To create the most secure base possible, the separation kernel is the only software that runs in privileged kernel mode and includes only the fundamental security policies. The four fundamental security functions are protection of all resources from unauthorized access, isolation of partitions except for explicitly allowed information flows, resource sanitization, and fault isolation. All other services are moved to unprivileged user space, including the networking stack, file system, and virtualization. As a result, a separation kernel provides high-assurance partitioning and information flow control that satisfy the non-bypassable, evaluatable, always invoked, and tamperproof (NEAT) security policy attributes. The INTEGRITY-178 tuMP RTOS is a MILS operating system implemented as a separation kernel that supports MLS applications.
The INTEGRITY-178 tuMP RTOS is a MILS operating system implemented as a separation kernel that fully isolates multiple partitions and controls the information flow between applications.
To provide virtualization within the most secure environment, INTEGRITY-178 tuMP implements a virtualization layer in user space instead of in the kernel. This approach reduces the size of the trusted computing base (TCB) thereby reducing the size of the attack surface compared to a hypervisor. The INTEGRITY-178 tuMP separation microkernel makes use of the same hardware features to enforce isolation as used by a hypervisor, but it goes well beyond those hardware features with its high assurance design while minimizing the TCB. Note that minimizing the TCB is not the end goal but only a means to ease verification. For systems requiring high security, the end goal is certification to applicable security assurance requirements.
Moving the virtualization function into user space yields:
- Higher performance for the real-time and safety-critical applications that do not need virtualization because they run directly on the INTEGRITY-178 tuMP host RTOS
- Tighter security because virtualization code is not in the kernel, thereby minimizing the code size and attack surface of kernel code while negating common hypervisor attacks
- Easier certification because the kernel code is smaller without the virtualization, and there is no need to provide certification evidence for both a kernel and a safety-critical guest OS running on top of it
- Safety and security in all software layers instead of providing security just in the hypervisor and safety just in the guest OS
EAL 6+ High Robustness
In 2007, the Information Assurance Directorate of the U.S. National Security Agency (NSA) published the Separation Kernel Protection Profile (SKPP), a security document defining a complete set of functional and assurance requirements for separation kernels suitable to be used in the most hostile threat environments. In 2008, the INTEGRITY-178 RTOS became the first and only operating system to be certified against the SKPP, and it is the same RTOS that simultaneously complied with the requirements defined in RTCA/DO-178B Level A. That certification against the SKPP was to the highest Evaluation Assurance Level (EAL 6+) for general software products under Common Criteria (ISO/IEC 15408). The combination of high security functionality of "high robustness" and the rigor of a high evaluation assurance level make this certification unique for a COTS solution.
Raise the Bar for Cross-Domain Solutions
In 2018, the National Cross Domain Strategy Management Office (NCDSMO), now under the purview of the National Security Agency (NSA), published a new set of standards called "Raise the Bar" (RTB) for cross domain solutions (CDS).
The RTB standards enable multi-domain operations across a connected battlespace by ensuring that a CDS is at low risk of failing, even when under persistent cyber-attack. RTB standards go well beyond the National Institute of Standards and Technology's (NIST) Risk Management framework (RMF) controls that many government agencies implement, and are even the stricter than the set of RMF controls required for national security systems (NSS) under CNSSI-1253 "Security overlay for National Security Systems." INTEGRITY-178 tuMP is the first and only RTOS to be part of a Raise The Bar certification as a component of Collins Aerospace TCTS Inc. II program. The TCTS II entry on the NCDSMO Baseline list incudes listing INTEGRITY-178 as the operating system that was used for the certification.
Security Product Extensions
To complete the support for the Separation Kernel Protection Profile (SKPP) functional capabilities, Green Hills Software offers layered product extensions for security. Those layered products include Audit Logging, Integrity Testing, and Abstract Machine Test (AMT). The certification evidence supports the use of these products by DO-178B Level A (and lower levels) applications as well as the SKPP/EAL 6+. For more information, see the Layered Product Extensions page.
Security Certification Data
Green Hills develops and maintains SKPP compliant processes and life-cycle data for INTEGRITY-178 and INTEGRITY-178 tuMP security customers. By also completing all of the safety-related processes and generating the corresponding safety life-cycle data, all security certifications support both safety (DO-178B/C Level A) and security (SKPP) usage in a single product.
Green Hills utilizes secure delivery procedures to deliver the substantiation evidence to security customers and to provide means for secure delivery authentication. In addition to all of the safety-related life-cycle data, below is a list of SKPP related life-cycle data generated as part of the initial certification or a customer-specific security effort:
- Security-specific Software Development Plan
- Development Security Plan
- Security-specific Configuration Control Procedures
- Assurance Maintenance Plan
- Assurance Maintenance Requirements
- Installation, Generation, & Startup Guidance
- User and Administrator Guidance Document
- Security Target and Security Policy
- Formal model and proof
- Covert Channel Analysis
- Architecture Design Document
- Target Platform-specific Definition Document
- Target Platform-specific Vulnerability Analysis
- Customer-specific Security Impact Analysis
- Security-specific reviews