The INTEGRITY-178 tuMP RTOS is architected to have the highest security assurance of any commercial operating system or hypervisor, and that includes the capability to host multi-level security (MLS) applications, such as cross-domain solutions (CDS). INTEGRITY-178 tuMP comes from a long pedigree of security that doesn’t just claim to be secure but has the security certifications to reduce risk and enable deployment in the most sensitive systems.

Separation Kernel Architecture

When multiple applications exist within the same system, those applications can be at different security levels. To ensure that those applications access only the information for which they are authorized, the system needs to implement a Multiple Independent Levels of Security (MILS) operating environment. A MILS operating system isolates applications and their data into different security domains and provides mechanisms for permitting authorized communication across domains. A MILS operating system should include support for hosting MLS applications, but most do not. A typical MLS application is a cross-domain solution that filters specific information flow from higher security levels to lower security levels.

The base layer for a MILS operating system is a separation kernel. A separation kernel fully isolates multiple partitions and controls the information flows between applications/partitions and external resources. In part, that includes protection of all resources from unauthorized access, isolation of partitions except for explicitly allowed information flows, resource sanitization, and fault isolation. As a result, a separation kernel provides high-assurance partitioning and information flow control that satisfy the non-bypassable, evaluatable, always invoked, and tamperproof (NEAT) security policy attributes. The INTEGRITY-178 tuMP RTOS is a MILS operating system implemented as a separation kernel that supports MLS applications.

The INTEGRITY-178 tuMP RTOS is a MILS operating system implemented as a separation kernel that fully isolates multiple partitions and controls the information flow between applications.

To provide virtualization within the most secure environment, INTEGRITY-178 tuMP implements a virtualization layer in user space instead of in the kernel. This approach reduces the size of the trusted computing base (TCB) thereby reducing the size of the attack surface compared to a hypervisor. The INTEGRITY-178 tuMP separation microkernel makes use of the same hardware features to enforce isolation as used by a hypervisor, but it goes well beyond those hardware features with its high assurance design while minimizing the TCB. Note that minimizing the TCB is not the end goal but only a means to ease verification. For systems requiring high security, the end goal is certification to applicable security assurance requirements.

EAL 6+ High Robustness

In 2007, the Information Assurance Directorate of the U.S. National Security Agency (NSA) published the Separation Kernel Protection Profile (SKPP), a security document defining a complete set of functional and assurance requirements for separation kernels suitable to be used in the most hostile threat environments. In 2008, the INTEGRITY-178 RTOS became the first and only operating system to be certified against the SKPP, and it is the same RTOS that simultaneously complied with the requirements defined in RTCA/DO-178B Level A. That certification against the SKPP was to the highest Evaluation Assurance Level (EAL 6+) for general software products under Common Criteria (ISO/IEC 15408). The combination of high security functionality of "high robustness" and the rigor of a high evaluation assurance level make this certification unique for a COTS solution.

Security Product Extensions

To complete the support for the Separation Kernel Protection Profile (SKPP) functional capabilities, Green Hills Software offers layered product extensions for security. Those layered products include Audit Logging, Integrity Testing, and Abstract Machine Test (AMT). The certification evidence supports the use of these products by DO-178B Level A (and lower levels) applications as well as the SKPP/EAL 6+. For more information, see the Layered Product Extensions page.

Security Certification Data

Green Hills develops and maintains SKPP compliant processes and life-cycle data for INTEGRITY-178 and INTEGRITY-178 tuMP security customers. By also completing all of the safety-related processes and generating the corresponding safety life-cycle data, all security certifications support both safety (DO-178B/C Level A) and security (SKPP) usage in a single product.

Green Hills utilizes secure delivery procedures to deliver the substantiation evidence to security customers and to provide means for secure delivery authentication. In addition to all of the safety-related life-cycle data, below is a list of SKPP related life-cycle data generated as part of the initial certification or a customer-specific security effort:

  • Security-specific Software Development Plan
  • Development Security Plan
  • Security-specific Configuration Control Procedures
  • Assurance Maintenance Plan
  • Assurance Maintenance Requirements
  • Installation, Generation, & Startup Guidance
  • User and Administrator Guidance Document
  • Security Target and Security Policy
  • Formal model and proof
  • Covert Channel Analysis
  • Architecture Design Document
  • Target Platform-specific Definition Document
  • Target Platform-specific Vulnerability Analysis
  • Customer-specific Security Impact Analysis
  • Security-specific reviews