The INTEGRITY-178 tuMP multicore RTOS provides an optional virtualized environment for running a guest OS while delivering the highest levels of safety, security, and performance. Unlike most embedded solutions that utilize a hypervisor running in kernel space to provide a combination of virtualization and isolation, INTEGRITY-178 tuMP separates the virtualization function from the isolation function resulting in increased security and performance. Virtualization is implemented as an optional software layer running in user space, while isolation is delivered by the INTEGRITY-178 tuMP separation microkernel running in privileged mode (kernel space). The result is the solution that is certified both safe and secure.
Moving the virtualization function into user space yields:
- Higher performance for the real-time and safety-critical applications that do not need virtualization because they run directly on the INTEGRITY-178 tuMP host RTOS
- Tighter security because virtualization code is not in the kernel, thereby minimizing the code size and attack surface of kernel code while negating common hypervisor attacks
- Easier certification because the kernel code is smaller without the virtualization, and there is no need to provide certification evidence for both a kernel and a safety-critical guest OS running on top of it
- Safety and security in all software layers instead of providing security just in the hypervisor and safety just in the guest OS
INTEGRITY-178 tuMP separates the virtualization function from the isolation function resulting in increased security and performance.
Highest Overall System Performance
"Optional virtualization" is a key ingredient to maximizing overall system performance because every type of virtualization has some performance penalty. INTEGRITY-178 tuMP enables the software architect to utilize virtualization only where needed, such as for legacy applications or non-critical applications, so that the essential real-time and safety-critical applications run without the virtualization penalty. The result is higher overall system performance, with the highest performance exactly where you need it.
Safe from Hyperjacking
It is a common misconception that hypervisors are inherently secure because they utilize hardware to enforce virtual address spaces and virtual I/O to isolate virtual machines. INTEGRITY-178 tuMP and other partitioning operating systems use those same hardware features to enforce isolation but without the security vulnerabilities of a hypervisor. Hypervisors have been shown to be susceptible to flaws that could allow code execution through buffer overflows and other exploits. For example, the Spectre vulnerability revealed in early 2018 can trick a hypervisor into leaking secrets to a guest application. Because hypervisors run below the guest operating system, a compromised hypervisor is not detectable by the virtual machine, guest OS, or guest application. Such exploits even have a catchy name: hyperjacking. INTEGRITY-178 tuMP is safe from hyperjacking because it runs the virtualization in a user-space partition.
Certified Secure Solution
As opposed to hypervisor-based solutions that just claim to provide security and isolation, INTEGRITY-178 tuMP has multiple security certifications to demonstrate it is the most secure embedded solution available. The highest assurance set of security requirements ever publicly defined for an operating system is the NSA-defined Separation Kernel Protection Profile (SKPP).
In 2008, the INTEGRITY-178 RTOS became the first and only operating system to be certified against the SKPP, and that same codebase simultaneously complied with the safety requirements defined in RTCA/DO-178B Level A. The certification against the SKPP was to both "High Robustness" and Common Criteria EAL 6+.
As part of certification to the SKPP, INTEGRITY-178 underwent independent vulnerability analysis and penetration testing by NSA to demonstrate both that it is resistant to an attacker possessing a high attack potential and that it does not allow attackers with high attack potential to violate the security policies. Additionally, it underwent covert channel analysis by NSA to demonstrate that it satisfies all covert channel mitigation metrics.
More recently, in 2018, the National Cross Domain Strategy Management Office (NCDSMO), now under the purview of the NSA, published a new set of security standards called "Raise the Bar" (RTB) for cross domain solutions (CDS). The RTB standards enable multi-domain operations across a connected battlespace by ensuring that a CDS is at low risk of failing, even when under persistent cyber-attack. In 2021, INTEGRITY-178 tuMP became the first and only RTOS to be part of a Raise the Bar certification.
- Unmodified guest OS: run any unmodified OS, such as Windows, Linux, or Android
- Mixed criticality: simultaneously run one or more guest operating systems alongside safety-critical and security-critical partitions
- Shared devices and peripherals: allow devices and peripherals to be exclusively assigned or shared between guest operation systems and high-assurance functions
- Configurability: provision system resources, including memory and devices
- Hardware acceleration: use available hardware virtualization acceleration, such as VT-x and VT-d, to increase performance and reduce software size
- Health monitoring: enable performance monitoring, fault detection, and restart of guest operating system and applications
- Multicore guests: run multiple guest operating systems on multiple cores with overlapping configurations to take advantage of INTEGRITY-178 tuMP's priority-based automatic load balancing
- Multicore control: flexibility to either bind each guest operating system to a single core in an Asymmetric Multi-Processing (AMP) model, or allow a multicore guest OS to dynamically schedule workloads across assigned cores in a Symmetric Multi-Processing (SMP) model
- Unified debugging: use the MULTI debugger with its complete and unified visibility and control into all executing software components of a virtualized system, including the RTOS kernel, the virtualization layer, the Linux guest OS and device drivers, the applications on the guest OS, and the critical applications running on the RTOS
- White Paper
Secure Virtualization for Real-Time Military Embedded Systems
- Technical Note
Embedded Hypervisors fall Short of INTEGRITY-178 tuMP for Security and Multicore Features
- Article in Modern Battlespace (Mar 2021)
Raise the Bar: Demanding Cybersecurity Excellence for Cross Domain Solutions in the Battlespace