The INTEGRITY-178 tuMP RTOS is architected to have the highest security assurance of any commercial operating system or hypervisor, and that includes the capability to host multi-level security (MLS) applications, such as cross-domain solutions (CDS). INTEGRITY-178 tuMP comes from a long pedigree of security that doesn’t just claim to be secure but has the security certifications to reduce risk and enable deployment in the most sensitive systems. Those certifications include the Common Criteria EAL6+, NSA "High Robustness," and NSA's "Raise the Bar" standards for cross-domain solutions.

Separation Kernel Architecture

When multiple applications exist within the same system, those applications can be at different security levels. To ensure that those applications access only the information for which they are authorized, the system needs to implement a Multiple Independent Levels of Security (MILS) operating environment. A MILS operating system isolates applications and their data into different security domains and provides mechanisms for permitting authorized communication across domains. A MILS operating system should include support for hosting MLS applications, but most do not. A typical MLS application is a cross-domain solution that filters specific information flow from higher security levels to lower security levels.

Moving the virtualization function into user space yields:

  • Higher performance for the real-time and safety-critical applications that do not need virtualization because they run directly on the INTEGRITY-178 tuMP host RTOS
  • Tighter security because virtualization code is not in the kernel, thereby minimizing the code size and attack surface of kernel code while negating common hypervisor attacks
  • Easier certification because the kernel code is smaller without the virtualization, and there is no need to provide certification evidence for both a kernel and a safety-critical guest OS running on top of it
  • Safety and security in all software layers instead of providing security just in the hypervisor and safety just in the guest OS

The INTEGRITY-178 tuMP RTOS is a MILS operating system implemented as a separation kernel that fully isolates multiple partitions and controls the information flow between applications.
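The flow control described in this section, as an added example that is not Green Hills code and uses no INTEGRITY-178 tuMP API: a constructed C model in which communication between partitions is default-deny and a high-to-low channel is accepted only when the sender is the cross-domain guard. The partition names, security levels and channel tables are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a MILS flow policy; not the INTEGRITY-178 tuMP API. */
enum sec_level { UNCLASS, SECRET, TOP_SECRET };
struct partition { const char *name; enum sec_level level; bool is_guard; };
struct channel { size_t src, dst; };            /* one-way: src -> dst */

static const struct partition parts[] = {
    { "nav_display",     UNCLASS,    false },
    { "mission_planner", SECRET,     false },
    { "sensor_fusion",   TOP_SECRET, false },
    { "cds_guard",       TOP_SECRET, true  },   /* MLS app: filters downgrades */
};
#define NPARTS (sizeof parts / sizeof parts[0])

/* Sound configuration: the only high-to-low path runs through the guard. */
const struct channel good_channels[] = { {0, 1}, {2, 3}, {3, 0} };
/* Misconfiguration: sensor_fusion writes straight to nav_display. */
const struct channel bad_channels[]  = { {0, 1}, {2, 0} };

/* A channel to a lower level is acceptable only if the sender is a guard. */
bool channel_is_safe(const struct channel *c)
{
    if (c->src >= NPARTS || c->dst >= NPARTS)
        return false;
    if (parts[c->src].level > parts[c->dst].level)
        return parts[c->src].is_guard;
    return true;
}

/* Configuration-time audit: index of the first unsafe channel, or -1. */
int first_unsafe_channel(const struct channel *tbl, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!channel_is_safe(&tbl[i]))
            return (int)i;
    return -1;
}

/* Run-time check: default deny, only configured and safe channels pass. */
bool flow_allowed(const struct channel *tbl, size_t n, size_t src, size_t dst)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].src == src && tbl[i].dst == dst)
            return channel_is_safe(&tbl[i]);
    return false;
}

int main(void)
{
    return first_unsafe_channel(good_channels, 3) == -1 ? 0 : 1;
}
```

Running the audit over the channel table before deployment catches a direct downgrade path, and the run-time check refuses that path even if the table is loaded anyway.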

EAL 6+ High Robustness

In 2007, the Information Assurance Directorate of the U.S. National Security Agency (NSA) published the Separation Kernel Protection Profile (SKPP), a security document defining a complete set of functional and assurance requirements for separation kernels suitable to be used in the most hostile threat environments. In 2008, the INTEGRITY-178 RTOS became the first and only operating system to be certified against the SKPP, and it is the same RTOS that simultaneously complied with the requirements defined in RTCA/DO-178B Level A. That certification against the SKPP was to the highest Evaluation Assurance Level (EAL 6+) for general software products under Common Criteria (ISO/IEC 15408). The combination of the security functionality of "high robustness" and the rigor of a high evaluation assurance level makes this certification unique for a COTS solution.

Raise the Bar for Cross-Domain Solutions

In 2018, the National Cross Domain Strategy Management Office (NCDSMO), now under the purview of the National Security Agency (NSA), published a new set of standards called "Raise the Bar" (RTB) for cross domain solutions (CDS).

The RTB standards enable multi-domain operations across a connected battlespace by ensuring that a CDS is at low risk of failing, even when under persistent cyber-attack. RTB standards go well beyond the National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF) controls that many government agencies implement, and are even stricter than the set of RMF controls required for national security systems (NSS) under CNSSI-1253 "Security overlay for National Security Systems." INTEGRITY-178 tuMP is the first and only RTOS to be part of a Raise the Bar certification as a component of the Collins Aerospace TCTS Inc. II program.

Security Product Extensions

To complete the support for the Separation Kernel Protection Profile (SKPP) functional capabilities, Green Hills Software offers layered product extensions for security. Those layered products include Audit Logging, Integrity Testing, and Abstract Machine Test (AMT). The certification evidence supports the use of these products by DO-178B Level A (and lower levels) applications as well as the SKPP/EAL 6+. For more information, see the Layered Product Extensions page.

Security Certification Data

Green Hills develops and maintains SKPP-compliant processes and life-cycle data for INTEGRITY-178 and INTEGRITY-178 tuMP security customers. By also completing all of the safety-related processes and generating the corresponding safety life-cycle data, all security certifications support both safety (DO-178B/C Level A) and security (SKPP) usage in a single product.

Green Hills uses secure delivery procedures to deliver the substantiation evidence to security customers and to provide a means of authenticating that delivery. In addition to all of the safety-related life-cycle data, below is a list of SKPP-related life-cycle data generated as part of the initial certification or a customer-specific security effort:

  • Security-specific Software Development Plan
  • Development Security Plan
  • Security-specific Configuration Control Procedures
  • Assurance Maintenance Plan
  • Assurance Maintenance Requirements
  • Installation, Generation, & Startup Guidance
  • User and Administrator Guidance Document
  • Security Target and Security Policy
  • Formal model and proof
  • Covert Channel Analysis
  • Architecture Design Document
  • Target Platform-specific Definition Document
  • Target Platform-specific Vulnerability Analysis
  • Customer-specific Security Impact Analysis
  • Security-specific reviews