PikeOS Certified Hypervisor

Security Architecture

Security-critical applications for real-time embedded systems benefit from the PikeOS multiple independent levels of security (MILS) architecture. PikeOS is built on a separation micro-kernel that allows trusted and untrusted code to share a single hardware platform. PikeOS complies with the MILS architecture concept and supports certification according to the Common Criteria (CC) standard.

Multiple Independent Levels of Security (MILS)

Multiple Independent Levels of Security (MILS) is a security architecture based on the concepts of separation and controlled information flow, implemented by separation mechanisms that support both untrusted and trusted code. PikeOS is designed according to the main requirements of a MILS architecture, ensuring that the security mechanisms of the system are non-bypassable and tamperproof. The MILS concept was adopted by the NSA and AFRL once increasing hardware performance made it feasible, and is proposed as a solution to meet the needs of critical information assurance.

MILS is a componentized architecture based on a commercial off-the-shelf (COTS) separation kernel that enforces strictly controlled communication and partitioned process execution. The MILS architecture defines three layers: the COTS operating system (or separation kernel), COTS middleware, and the security functions (see the accompanying infographic). MILS supports communication across multiple security levels, security policy composition, and modular design, so that the critical components can be evaluated at the highest levels to ensure secure and safe operation. But whereas MILS is an architecture concept, security is measured and evaluated through an international standard called Common Criteria.

Security by use of a separation micro-kernel

Security is provided by the PikeOS separation micro-kernel, which serves as hypervisor for one or several guest operating systems, such as real-time operating systems (RTOS), run-time environments (RTE) and/or APIs. Most hardware architectures distinguish between privileged and user-mode machine instructions. With respect to security, the idea of a hypervisor is to intercept the privileged machine instructions of the guest operating system and, rather than let them execute directly on the hardware, first check the caller's rights against the system configuration and other permission attributes before carrying them out.
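The trap-and-check path described above, as an added illustration that is not PikeOS code: a privileged guest operation traps into the hypervisor, which consults a static per-partition policy (constructed here for the example) and either performs the operation on the guest's behalf or refuses it. The type names, the operation set, the policy table and the two partitions are assumptions for this example and do not reflect the PikeOS configuration format or API; the point they demonstrate is deny-by-default enforcement at a single, non-bypassable choke point.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical trap path of a separation kernel. All names and the policy
 * layout are assumptions for this example, not PikeOS code or configuration. */

typedef enum { OP_PORT_IN, OP_PORT_OUT, OP_MMIO_WRITE, OP_SET_TIMER } priv_op_t;

typedef struct { uint32_t base; uint32_t len; } range_t;

/* Static per-partition policy: what the system integrator granted at build time. */
typedef struct {
    const char *name;
    range_t ports[2];  int n_ports;   /* I/O port ranges the partition may touch */
    range_t mmio[2];   int n_mmio;    /* device MMIO windows it may write */
    bool    may_set_timer;
} partition_cfg_t;

/* Constructed configuration: a trusted "nav" partition owning a serial port and
 * one device window, and an untrusted "infotainment" partition owning nothing. */
const partition_cfg_t partitions[] = {
    { "nav",          {{0x3F8, 8}}, 1, {{0x10000000, 0x10000}}, 1, true  },
    { "infotainment", {{0, 0}},     0, {{0, 0}},                0, false },
};

static bool in_ranges(const range_t *r, int n, uint32_t addr)
{
    for (int i = 0; i < n; i++)
        if (addr >= r[i].base && addr - r[i].base < r[i].len) return true;
    return false;
}

/* Reference monitor: deny by default, allow only what the configuration grants. */
bool check_privileged_op(const partition_cfg_t *p, priv_op_t op, uint32_t addr)
{
    switch (op) {
    case OP_PORT_IN:
    case OP_PORT_OUT:   return in_ranges(p->ports, p->n_ports, addr);
    case OP_MMIO_WRITE: return in_ranges(p->mmio, p->n_mmio, addr);
    case OP_SET_TIMER:  return p->may_set_timer;
    }
    return false; /* unknown operation: never allow */
}

/* Simulated I/O port space that only the hypervisor may touch. */
static uint8_t io_space[0x10000];
static unsigned denied_events;

/* Entry point for a trapped guest instruction: check first, then either perform
 * the operation on the guest's behalf or refuse it. Returns 0 if performed,
 * -1 if refused (the guest never reaches the hardware). */
int handle_trap(const partition_cfg_t *p, priv_op_t op, uint32_t addr, uint8_t val)
{
    if (!check_privileged_op(p, op, addr)) {
        denied_events++;                       /* security-relevant event */
        fprintf(stderr, "denied: %s op=%d addr=0x%x\n", p->name, op, addr);
        return -1;
    }
    /* Only port output is emulated in this simulation; MMIO and timer
     * operations are merely permitted or refused. */
    if (op == OP_PORT_OUT && addr < sizeof io_space) io_space[addr] = val;
    return 0;
}

unsigned denied_count(void) { return denied_events; }
uint8_t  io_byte(uint32_t addr) { return addr < sizeof io_space ? io_space[addr] : 0; }

int main(void)
{
    handle_trap(&partitions[0], OP_PORT_OUT,   0x3F8,      'A'); /* performed */
    handle_trap(&partitions[1], OP_PORT_OUT,   0x3F8,      'B'); /* refused  */
    handle_trap(&partitions[1], OP_MMIO_WRITE, 0x10000004, 0);   /* refused  */
    printf("serial byte=%c denied=%u\n", io_byte(0x3F8), denied_count());
    return 0;
}
```

Two properties matter in this shape: every privileged operation funnels through check_privileged_op, so there is no path from the guest to the device that skips the policy, and the policy lives in hypervisor memory the guest cannot write, so a compromised partition cannot extend its own grants.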

Currently popular desktop operating systems usually have all device drivers managing I/O devices (graphics and network cards, keyboard controllers, pointing devices etc.) integrated into the kernel. This means that a failure in, let's say, a network driver can take down the entire system ("panic" or "bluescreen"). The modular PikeOS separation micro-kernel instead keeps only a small set of core services in privileged mode: scheduling, context switching, inter-process communication and synchronization, and interrupt and processor-exception handling. Device drivers execute in user mode like any other application code, without access to privileged instructions, so a faulty driver cannot take the kernel down with it.

The micro-kernel strongly contributes to the security properties: when the privileged code base is small, it is easier to verify and offers fewer intrusion points for malicious attacks. A small micro-kernel also has fewer points that might fault (e.g. it occupies fewer memory cells in hardware that might degrade), so there is a safety dimension as well.

The Common Criteria (CC) Standard - ISO/IEC 15408

The Common Criteria for Information Technology Security Evaluation, in short Common Criteria (CC), is an international standard (ISO/IEC 15408) for computer security certification and has evolved to be of widespread importance. Common Criteria defines a framework in which computer system users specify their security requirements, vendors implement them, and testing laboratories evaluate the product's security to determine whether it actually meets the claims.

Any product that claims conformance to the Common Criteria does so in a high-level document called a Security Target (ST). As part of the research projects Verisoft XT, SeSaM and EURO-MILS, SYSGO has been working on a security target.

Protection Profiles and other Important Concepts

Protection Profiles (PP) define the security requirements that a target of evaluation (TOE) must meet in a CC evaluation. In the EURO-MILS project, a MILS-compatible protection profile for separation kernels is being developed; public drafts are currently expected to become available in autumn 2014.