Green Hills Platform for Secure Networking
By one estimate, over 150 million sensitive records have been breached in the last three years alone. To combat this growing problem, companies employ an average of 30 security products throughout their organizations. It's not just sophisticated, well trained hackers who commit cyber-crimes these days. With ready access to sophisticated hacker tools, security breaches are as easy as point-click-attack.
The solution to fail-first, patch-later
The world has become accustomed to the fail-first, patch-later mentality of insecure software and computing infrastructure. Because of this, much of the world’s critical infrastructure, financial networks, medical information systems, telecommunications gear, and portable mobile devices are open to compromise by determined individuals, corporations, organized crime, and nation states.
Network developers need to build in device security at the core of system design by starting with INTEGRITY operating system technology. The combination of INTEGRITY’s separation architecture and advanced GHNet networking stack delivers unmatched security and reliability without compromising system throughput.
Telecom OEMs and network device manufacturers can increase time-to-market by relying on a complete, proven, and integrated solution developed and supported by experts in telecommunications and networking.
Maximum security and reliability
With INTEGRITY, embedded networking developers can ensure their applications meet the highest possible requirements for security, reliability, and performance.
To achieve this, INTEGRITY uses hardware memory protection to isolate and protect application execution. Secure partitions guarantee each task the resources it needs to run correctly and fully protect the operating system and user tasks from errant and malicious code—including denial-of-service attacks, worms, and Trojan horses.
Unlike other memory-protected operating systems, INTEGRITY never sacrifices real-time performance for security and protection.
Guaranteed protection
The INTEGRITY operating system provides all the capabilities embedded designers need to enforce the policies of separation, damage limitation, and information flow control as well as provide secure networking for today's more complex and connected applications.
INTEGRITY was designed from the beginning with network security in mind and supports the requirements and security policies of Multiple Independent Levels of Security (MILS)—the architecture for composing secure computing systems from high-assurance components.
INTEGRITY's separation kernel protects against damage from errant or malicious code by preventing processes from writing beyond assigned memory regions. In addition, INTEGRITY's partitions prevent unintended access to data from outside the partition where the data resides.
INTEGRITY's Multiple Independent Levels of Security (MILS) separation kernel architecture provides a highly robust mechanism to separate security functions. INTEGRITY's separation kernel protects against damage from errant or malicious code by preventing processes from writing beyond assigned memory regions. In addition, INTEGRITY's partitions prevent unintended access to data from outside the partition where the data resides.
Deploying a networking solution based on the secure separation kernel architecture of the INTEGRITY operating system enables the highest levels of security for network devices. INTEGRITY was designed from the beginning with network security in mind and supports the requirements and security policies of Multiple Independent Levels of Security (MILS)—the architecture for composing secure computing systems from high-assurance components.
INTEGRITY provides all the essential components required to harden networked devices against attack:
- Protected execution of applications and system service
- Guaranteed resource allocation and application execution
- Information flow control between partitions, stack, router and application isolation
- Containment of errors and attacks
GHNet Networking Stack
The GHNet TCP/IP stack is the foundation for all networking protocols for the Green Hills family of operating systems (including INTEGRITY, INTEGRITY-178 tuMP, and µ-velOSity). A full-featured, high-performance host and router TCP/IP stack, GHNet was designed specifically for network-centric systems with options for advanced routing as well as an extensive suite of security protocols.
GHNet is an ultra-compact dual-mode IPv4/IPv6 stack that combines a minimum footprint with maximum performance.
GHNet is suited for use in products ranging from small footprint consumer devices to advanced core network equipment. It has broad RFC support, BSD 4.4 and NetLink socket API support, and has been through extensive protocol conformance and interoperability testing. It is also integrated with a broad range of networking applications, management, and security protocols. See the complete list of supported protocols below.
Dual
mode IPv4/IPv6
GHNet is a true dual mode IPv4/IPv6 stack and can be configured for IPv4
only, IPv6 only, or to support both protocols simultaneously. This is an
important feature since the transition from IPv4 to IPv6 is expected to
take several years. Furthermore, the IPv6 functionality has been approved
by the industry standard IPv6 READY Program, which guarantees IPv6 interoperability.
Modular design and scalability
The GHNet protocol suite has a modular design and is highly configurable,
providing maximum size and feature scalability. If a module isn’t
used, instead of being merely deactivated it is removed entirely to
save valuable storage memory space in the often limited capacity of
an embedded device.
Extensive routing support
GHNet can be configured to support host-only stack features with minimal
footprint, or enabled with advanced routing features. The built-in
virtual routing and forwarding support enables a single stack to assume
the responsibility of multiple TCP/IP stacks. As a result, existing
hardware and software capabilities can be used far more efficiently.
Multiple instances
GHNet can be configured to run in either the kernel’s address space,
or in a separate partition for maximum security and availability. Multiple
instances of the stack can be run in separate partitions enabling these
stacks to execute at multiple independent levels of security, easily
managing multiple Ethernet connections securely and independently.
True zero copy
To optimize processing speed and packet throughput, GHNet offers a zero
copy API with the option for true zero copy for raw sockets, UDP, and TCP
from the application all the way through the driver (including the TCP
layer when the stack is running in kernel mode).
Written by US citizens
GHNet is a clean room design, written by US citizens from the ground
up. It was not derived from publicly available Unix stacks or open
source software. The design achieves Berkeley 4.4 and Netlink socket
compatibility, small size, and high performance for both IP and UDP
traffic.
INTEGRITY Multivisor Secure Virtualization Architecture
Channel density is another critical consideration for equipment manufacturers. As processor speeds increase, manufacturers need to squeeze more channels and data throughput onto a single CPU. But to do this, some hardware redundancy may need to be sacrificed.
With Green Hills Software’s separation kernel technology and the guaranteed resource allocations it provides, developers can securely and reliably execute multiple virtual processors and guest operating systems on a single device. This enables them to retain the same redundancy architecture while consolidating software from multiple CPUs onto a single CPU.
Features and benefits of Green Hills Software’s INTEGRITY Multivisor:
- Built on the secure INTEGRITY separation kernel
- Support for multiple virtual machines
- Execute any guest operating systems and applications
- Software development tools to develop and run native security and safety critical applications
- Enable highest security and safety where you need it
- Maintain current investment in legacy operating systems and applications
- Open flexibility for OS integration
Professional services
Expanding on its unique position in the industry by delivering comprehensive
software solutions for secure networking, Green Hills Software offers
a full range of professional services that include: complete networking
system design, integration, debug, optimization, customization, test,
and validation, training, and enhanced product support. By taking advantage
of these services, customers can deliver higher-quality products with
faster time-to-market and at lower development and deployment cost.