PikeOS Certified Hypervisor


Security Architecture

Security-critical applications for real-time embedded systems benefit from the PikeOS Multiple Independent Levels of Security (MILS) architecture. This MILS architecture features a Separation Kernel, which allows trusted and untrusted code to be combined on a single hardware platform. PikeOS complies with the MILS architecture concept and allows certification according to the Common Criteria (CC) standard.

Multiple Independent Levels of Security (MILS)

Multiple Independent Levels of Security (MILS) is a Security architecture based on the concepts of separation and controlled information flow, implemented by separation mechanisms that support a user-defined number of trust domains. PikeOS is designed in line with the main requirements of a MILS architecture, ensuring that the security mechanisms of a secure system are non-bypassable and tamper-proof. The MILS concept was adopted by the NSA and the Air Force Research Laboratory (AFRL).

MILS is a componentized architecture that enforces strict communication and partitioned process execution. It supports multiple levels of Security communication, Security policy composition, and modular design, so that critical components can be evaluated at the highest levels to ensure secure and safe operation.

Security by use of a Separation Kernel

By definition, Separation Kernels aim to establish a degree of isolation between the applications on a single hardware platform which, in terms of Security, is comparable to running the application executables on physically separate platforms. However, Separation Kernels also provide communication facilities that allow the applications to interact with each other, if configured by the integrator.

The PikeOS Separation Kernel serves as a hypervisor for one or several guest operating systems, e.g. real-time operating systems (RTOS), run-time environments (RTE) and/or APIs. With respect to Security, the idea of a hypervisor is to intercept privileged machine instructions of the guest operating system and, instead of running them directly on the hardware, first check the rights of the caller against the system configuration and other permission attributes before actual execution.
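
As an added example (not PikeOS code and not its API), the following C program models the idea from the two paragraphs above: run-time mediation passes only the channels the integrator configured, and an integration-time check, which goes beyond what the page describes, finds indirect flows through chains of configured channels. The partition names, the channel matrix and the notion of a trusted filter partition are constructed assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NPART 4 /* constructed sample system, not a PikeOS configuration */
enum { KEY_STORE, GUARD, LINUX_GUEST, NET_DRIVER }; /* hypothetical partitions */

/* CHAN[i][j]: the integrator configured a one-way channel from i to j. */
static const bool CHAN[NPART][NPART] = {
    [KEY_STORE]   = { [GUARD] = true },
    [GUARD]       = { [LINUX_GUEST] = true },
    [LINUX_GUEST] = { [NET_DRIVER] = true },
};
/* Partitions assumed to be evaluated as trusted filters: their output counts as sanitized. */
static const bool GUARD_ONLY[NPART] = { [GUARD] = true };
static const bool NO_FILTER[NPART]  = { false };

static bool valid(int p) { return p >= 0 && p < NPART; }

/* Run-time mediation: default deny, only configured direct channels pass. */
bool flow_allowed(const bool chan[NPART][NPART], int src, int dst) {
    return valid(src) && valid(dst) && chan[src][dst];
}

/* Integration-time check: can data from src reach dst over a chain of channels
 * whose intermediate hops are all untrusted? (Warshall closure, skipping filters.) */
bool can_leak(const bool chan[NPART][NPART], const bool filter[NPART], int src, int dst) {
    bool reach[NPART][NPART];
    if (!valid(src) || !valid(dst)) return false;
    memcpy(reach, chan, sizeof reach);
    for (int k = 0; k < NPART; k++) {
        if (filter[k]) continue; /* a trusted filter breaks the chain */
        for (int i = 0; i < NPART; i++)
            for (int j = 0; j < NPART; j++)
                if (reach[i][k] && reach[k][j]) reach[i][j] = true;
    }
    return reach[src][dst];
}

int main(void) {
    printf("direct key_store->net_driver: %d\n", flow_allowed(CHAN, KEY_STORE, NET_DRIVER));
    printf("leak with guard trusted:      %d\n", can_leak(CHAN, GUARD_ONLY, KEY_STORE, NET_DRIVER));
    printf("leak with no trusted filter:  %d\n", can_leak(CHAN, NO_FILTER, KEY_STORE, NET_DRIVER));
    return 0;
}
```

The direct check denies key_store to net_driver in both cases, yet the same configuration is only free of an indirect flow when the guard partition is actually trusted to filter what it forwards.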

Current popular desktop operating systems usually have all device drivers managing I/O devices (graphics and network cards, keyboard controllers, pointing devices etc.) integrated into the kernel. This means that a failure in, say, a network driver can take down the entire system ("panic" or "bluescreen"). In contrast, the modular PikeOS Separation Kernel has a small set of core services which are the only code running in privileged mode and which provide scheduling, context switches, process communication and synchronization, and interrupt and processor exception handling. Device drivers are executed in user mode like any other application code, without access to privileged instructions.

This design strongly contributes to Security properties: when the privileged code base is small, it is easier to verify its attack surface (exposed interfaces) against intrusion points for malicious attacks. Of course, a smaller Separation Kernel also has fewer components that might fail.

The Common Criteria (CC) Standard: IEC 15408

The Common Criteria for Information Technology Security Evaluation, in short Common Criteria (CC), is an international standard (IEC 15408) for computer Security certification and has evolved to be of widespread importance. Common Criteria defines a framework in which computer system users specify their Security requirements, vendors implement them and testing laboratories evaluate the product Security to determine whether the vendor's claims are met.

Conformance claims by a product according to the Common Criteria are documented in a so-called Security Target (ST). The PikeOS 4.2 ST has benefited from the work in the TECOM, SeSaM, PASS and EURO-MILS funded projects.

Find out more

The Verisoft XT Project

The SeSaM Project

The EURO-MILS Project