MILS compliant Security according to Common Criteria (CC)
Security-critical applications for real-time embedded systems benefit from the PikeOS multiple independent levels of security (MILS) architecture. This MILS architecture offers a separation micro-kernel that allows trusted and untrusted code to be combined on a single hardware platform. PikeOS complies with the MILS architecture concept and allows certification according to the Common Criteria (CC) standard up to EAL level 7.
Multiple Independent Levels of Security (MILS)

- Multiple Independent Levels of Security (MILS): PikeOS provides three security levels according to the requirements of the MILS standard.
Multiple Independent Levels of Security (MILS) is a security architecture based on the concepts of separation and controlled information flow, implemented by separation mechanisms that support both untrusted and trusted code. PikeOS is designed according to the main requirements of a MILS architecture, ensuring that the security mechanisms of a secure system are non-bypassable and tamper-proof. The MILS concept was adopted by the NSA and AFRL once the increasing power of hardware architectures made it feasible, and it is proposed as a solution to meet the needs of critical information assurance. MILS is a componentized architecture based on a commercial off-the-shelf (COTS) separation kernel that enforces strict communication control and partitioned process execution. The MILS architecture defines three layers: the COTS operating system (or separation kernel), COTS middleware, and security functions (see info graphic on the right). MILS supports multiple levels of security communication, security policy composition, and modular design, so that critical components can be evaluated at the highest levels to ensure secure and safe operation. Whereas MILS is an architecture concept, security itself is measured and evaluated through an international standard called Common Criteria.
Security by use of a separation micro-kernel
Security is provided by the PikeOS separation micro-kernel, which serves as the hypervisor for one or more guest operating systems, i.e. real-time operating systems (RTOS), run-time environments (RTE) and/or APIs. Most hardware architectures distinguish between privileged and user-mode machine instructions. With respect to security, the idea of a hypervisor is to intercept the privileged machine instructions of the guest operating system and, instead of running them directly on the hardware, first check the rights of the caller against the system configuration and other permission attributes before actual execution. Currently popular desktop operating systems usually have all device drivers managing I/O devices (graphics and network cards, keyboard controllers, pointing devices etc.) integrated into the kernel. This means that a failure in, say, a network driver can take down the entire system ("panic" or "bluescreen"). Instead, the modular PikeOS separation micro-kernel has a small set of core services that runs in privileged mode only and provides scheduling, context switches, process communication and synchronization, and interrupt and processor exception handling, whereas device drivers are executed in user mode like any other application code, without access to privileged instructions. The micro-kernel strongly contributes to the security properties: when the privileged code base is small, it is easier to verify against intrusion points for malicious attacks. Of course, a small micro-kernel also has fewer points that might fault (e.g. it occupies fewer memory cells in hardware that might degrade), so there is also a safety dimension.
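To make the two mechanisms described above concrete, here is an added toy model (not PikeOS code; the partition names, device names and both configuration tables are assumptions) of how a separation kernel mediates inter-partition communication and device access: every message and every privileged device access passes through one kernel entry point, is checked against a static integration-time configuration, and is denied by default.

```c
/* Toy model of separation-kernel mediation, added for illustration; it is
   not PikeOS code and the partition names and tables are assumptions. */
#include <stdbool.h>
#include <stddef.h>

enum partition { P_TRUSTED, P_UNTRUSTED, P_NET_DRIVER, P_COUNT };
enum device    { D_NIC, D_KEYBOARD, D_COUNT };

/* Integration-time configuration. Both tables are const: partition code
   runs in user mode and cannot modify them (tamper-proof in this model). */
static const bool channel_ok[P_COUNT][P_COUNT] = {
    /* dst:           TRUSTED UNTRUSTED NET_DRIVER */
    [P_TRUSTED]    = { false, true,  true  },   /* trusted may push data down     */
    [P_UNTRUSTED]  = { false, false, true  },   /* untrusted may never reach trusted */
    [P_NET_DRIVER] = { true,  true,  false },   /* driver delivers received frames   */
};
static const bool device_ok[P_COUNT][D_COUNT] = {
    [P_NET_DRIVER] = { true, false },           /* only the NIC, nothing else */
};

static unsigned audit_denials;                  /* kernel-side counter for detection */

/* The only path between partitions: an undeclared channel is refused
   (non-bypassable), so the policy cannot be circumvented from user mode. */
bool kernel_send(enum partition src, enum partition dst, const void *msg, size_t len)
{
    if (src >= P_COUNT || dst >= P_COUNT || src == dst || !channel_ok[src][dst]) {
        audit_denials++;
        return false;
    }
    (void)msg; (void)len;                       /* enqueue for dst here */
    return true;
}

/* A user-mode driver touching a device traps into the kernel; the caller's
   rights are checked against the configuration before the access happens. */
bool kernel_device_access(enum partition caller, enum device dev)
{
    if (caller >= P_COUNT || dev >= D_COUNT || !device_ok[caller][dev]) {
        audit_denials++;
        return false;
    }
    return true;                                /* kernel performs the access */
}

unsigned kernel_denials(void) { return audit_denials; }
```

The denial counter stands in for the audit trail a real kernel would emit; a partition repeatedly hitting undeclared channels or devices is the signal a defender wants surfaced.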
The Common Criteria (CC) Standard - IEC 15408
The Common Criteria for Information Technology Security Evaluation, in short Common Criteria (CC), is an international standard (IEC 15408) for computer security certification and has evolved to be of widespread importance. Common Criteria defines a framework in which computer system users specify their security requirements, vendors implement them, and testing laboratories evaluate the product's security to determine whether it actually meets the claims. Common Criteria assurance is leveled from EAL 1 (lowest) to EAL 7 (highest). So far, only one product (the Tenix data diode, which does not contain software) has obtained EAL level 7. Any product that claims conformance to the Common Criteria does so in a high-level document called the Security Target (ST). As part of the research project Verisoft XT, SYSGO is working on a security target. A formal verification of the PikeOS micro-kernel is underway.
Protection Profiles and other Important Concepts
Protection Profiles (PP) can be used to define the security requirements that have to apply to a target of evaluation (TOE) in a CC evaluation. A MILS-based system is part of the TOE, which also includes the processor hardware. In this case, an example of a specific PP that can be used to meet the requirements of a high-assurance Common Criteria evaluation is the set of partitioning functional requirements specified in the U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, version 1.03 ("SKPP"). Note, however, that many activities are under way to refine the definition, implementation and use of the MILS API, the related Protection Profiles, and Common Criteria EALs.
More Information
For more information about these topics, please go to:
MILS:
- Wikipedia entry on Multiple Independent Levels of Security
- The Design and Verification of Secure Systems, John Rushby
Common Criteria:
SKPP:
- http://niap-ccevs.org/pp/pp_skpp_hr_v1.03/
Section 1.5 "Glossary of Terms"

