Wednesday, March 1, 2006
MILS Operating Systems: Safety and Security
How will avionics systems process and exchange data at multiple levels of security simultaneously within a small footprint? The U.S. Air Force Research Lab thinks commercial-based software will be up to the task and is using standards such as DO-178B a
At A Glance:
Protecting multiple levels of sensitive data on U.S. military aircraft today requires duplicative hardware--a costly and inefficient solution. We describe an alternative approach, using commercial-based software and cover:
In the real-time operating systems (RTOS) domain, near the bottom of the military avionics food chain, MILS is the big idea. If successful, however, deeply embedded MILS software--short for Multiple Independent Levels of Security--could have implications far beyond an individual avionics box. It could make the processing of data at multiple levels of security more affordable and efficient, and it could even enhance the utility of the global information grid (GIG), the planned U.S. military network that would connect many airborne platforms and other users and optimally operate across a range of security levels.
MILS hardware devices already have appeared: Rockwell Collins received National Security Agency (NSA) certification for a MILS cryptographic device last August. An effort to pursue a software implementation of the MILS architecture is well advanced, however, and promises greater flexibility at far lower aggregate cost. "If you do [MILS] in hardware, it's only certified for that particular piece of hardware," says Jahn Luke, who manages the MILS software project sponsored by the U.S. Air Force Research Lab (AFRL). "Is the market big enough to support [iterative MILS] hardware upgrades?"
The software-based approach to multilevel data security is designed to isolate and protect different classes of data and separate resource-sharing applications from each other, based on security and operational priorities. Central to the concept is the employment of reusable, commercial off-the-shelf (COTS) software components in order to make MILS applications practical and affordable. The separation of resource-sharing applications--based on their level of flight criticality--is already possible, thanks to guidance such as ARINC 653 and DO-178B. But MILS would take separation a big step further, into the data security domain.
Although the jury is still out, AFRL and NSA have backed the concept. And designers of COTS operating systems and middleware, systems integrators and software test labs are working overtime to build, test and achieve approval of MILS-compliant components, as well as to prove that they work together to prevent data leakage and data corruption. MILS is a requirement on F-22 and F-35 fighter aircraft. If it proves its worth, the architecture may be appropriate for the Joint Tactical Radio System (JTRS) and various aircraft modernization programs.
Nuts and Bolts
Originally proposed by Stanford Research Institute's John Rushby in the early 1980s, the MILS concept was adopted by NSA and AFRL, as microprocessor technology made it a more realistic venture. The architecture has three layers: the COTS operating system (or separation kernel), COTS middleware, and security functions like guards and data downgraders that "scrub" data from a higher security level to a lower one. MILS backers hope that this modular approach to security will make MILS systems easier to approve.
"The separation kernel creates steel-reinforced partitions for applications and their associated middleware components," explains Joseph Jacob, senior vice president of Objective Interface Systems (OIS), which is developing MILS middleware. Separation kernels, according to discussions of the MILS architecture, enforce data separation, control the information flow between partitions, prevent data leakage, and limit any damage to a single partition.
Only the separation kernel is "privileged"--or able to run without any restriction--but its size is strictly limited. This design approach simplifies evaluation of the kernel by making its required mathematical verification more achievable. "If a problem happens in a particular partition," Jacob continues, "it can't cascade over or tunnel into other applications." This type of protection is assured through the EAL-7 (evaluation assurance level-7) approach, he says. EAL-7 and EAL-6+--the objective under AFRL's MILS project--are high-assurance designations under the Common Criteria, a set of security standards.
Given the size of the separation kernel--as small as 4,000 lines of code--"most of what you would see in an operating system, such as device drivers, gets pushed up into the middleware," Jacob says. Middleware also incorporates elements such as the partitioning communications system (PCS). The PCS extends the separation kernel's control to intersystem communication, plus traditional middleware, such as the common object request broker architecture (CORBA) and data distribution service (DDS).
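As an added illustration (not code from the MILS project or from any vendor named in this article), the following Python model shows the two properties described above: a separation kernel that permits only the inter-partition flows in its static policy, and a guard partition as the only path by which data is scrubbed from a higher security level to a lower one. The partition names, level ordering, releasable fields and audit-log format are constructed for the example.

```python
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP_SECRET": 2}   # constructed ordering
RELEASABLE_FIELDS = {"track_id", "bearing"}                  # what a guard may release

@dataclass
class Partition:
    name: str
    level: str
    is_guard: bool = False                 # only a guard may move data downward
    inbox: list = field(default_factory=list)

class SeparationKernel:                    # mediates every inter-partition message
    def __init__(self, partitions, allowed_flows):
        self.partitions = {p.name: p for p in partitions}
        self.allowed_flows = set(allowed_flows)   # explicit (src, dst) pairs only
        self.audit = []                            # kernel audit log

    def send(self, src, dst, message):
        s, d = self.partitions[src], self.partitions[dst]
        # Check 1: a flow absent from the configured policy does not exist.
        if (src, dst) not in self.allowed_flows:
            self.audit.append(f"DENY {src}->{dst}: flow not in policy")
            return False
        # Check 2: high-to-low flows are refused unless the sender is a guard,
        # so a mistaken policy entry still cannot leak classified data.
        if LEVELS[s.level] > LEVELS[d.level] and not s.is_guard:
            self.audit.append(f"DENY {src}->{dst}: {s.level} data to {d.level}")
            return False
        d.inbox.append(message)
        self.audit.append(f"ALLOW {src}->{dst}")
        return True

def scrub(track):                          # guard: keep only releasable fields
    return {k: v for k, v in track.items() if k in RELEASABLE_FIELDS}

def demo():
    sensor = Partition("sensor", "SECRET")
    guard = Partition("guard", "SECRET", is_guard=True)
    logger = Partition("logger", "SECRET")
    display = Partition("display", "UNCLASSIFIED")
    kernel = SeparationKernel([sensor, guard, logger, display],
        # ("logger", "display") is a deliberately wrong policy entry
        {("sensor", "guard"), ("guard", "display"), ("logger", "display")})
    track = {"track_id": 7, "bearing": 270, "emitter": "classified-signature"}
    results = [
        kernel.send("sensor", "display", track),   # False: no such flow
        kernel.send("logger", "display", track),   # False: would leak SECRET
        kernel.send("sensor", "guard", track),     # True
        kernel.send("guard", "display", scrub(guard.inbox[0])),  # True: downgraded
    ]
    return results, display.inbox, kernel.audit
```

The second denial is the point of the level check: even a misconfigured policy entry cannot move SECRET data to the UNCLASSIFIED display, while the guard's scrubbed copy reaches it with the classified field removed.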
Air Force Project
Much of what has been achieved so far is courtesy of AFRL's MILS project, supported by the F-22 and F-35 program offices. The project is driving the effort to evaluate and certify COTS operating systems and middleware products.
Funded and unfunded participants in the project include integrators Boeing, Lockheed Martin Aeronautics, Raytheon and Northrop Grumman; RTOS vendors Green Hills Software, LynuxWorks and Wind River Systems; middleware vendor OIS; Rockwell Collins in a data security role; and Science Applications International Corp. (SAIC), a test lab certified by the National Information Assurance Partnership (NIAP). NIAP is a collaboration between NSA and the National Institute of Standards and Technology (NIST).
MILS is important because of the separation aspect, explains Luke. An airplane or unmanned air vehicle (UAV) must not leak classified data to the outside world. And as more platforms begin to link up to the GIG, security becomes more critical. If the GIG is going to have multiple levels of security, it's important "to have a foundational architecture in place to support that," Luke asserts.
Green Hills' Integrity-178B operating system is planned for the F-35's core processor and is slated for an upgrade to the F-22's integrated core processor. JTRS also is a possible candidate for MILS. The radio program has a multiple single-level security (MSLS) requirement, Luke says, which means that the devices would have to separate data securely and simultaneously. Typically, that translates to physical separation, i.e., duplicative hardware, which would be an issue for small handheld radios. Green Hills has taken major steps toward MILS approval of Integrity-178B. SAIC, a NIAP lab, is working with the RTOS company to perform the security certification review. Rockwell Collins, meanwhile, is producing the "formal methods" to be submitted with SAIC's results to NSA for evaluation. (Formal methods are a collection of mathematical techniques for describing and verifying software and hardware systems.) Luke expects NSA to complete its review in 2007. After that, the product will be certified to EAL-6+. Many challenges remain, but certification of a separation kernel will be a major milestone.
AFRL is assisting the Green Hills group in generating formal methods evidence and is funding OIS to develop a "protection profile," or MILS spec, for middleware. A protection profile for operating systems already exists in draft form. Wind River and LynuxWorks are not yet under contract, but the goal is to get all three RTOSs certified. "We want competition," declares Luke.
"Integrity-178B is designed to meet the EAL-6+ standard," says David Kleidermacher, Green Hills' vice president of engineering. "On the seven-level EAL scale, no operating system has previously been certified beyond EAL-5+." The EAL-6+ level "definitely supports at least two levels" of data separation, says AFRL's Luke.
LynuxWorks recently unveiled a prototype version of its LynxSecure separation kernel, which it says is designed to support EAL-7. LynxSecure has been built using virtualization technology to meet MILS requirements.
"LynxSecure uses time and space partitioning features also found in our LynxOS-178 RTOS," says Robert Day, LynuxWorks' vice president of marketing. "But to meet our 'correct by construction' certification objectives and a high level of scalability, LynxSecure was built from the ground up to support virtualization, 64-bit processing and dual-core processors." Virtualization is the use of a separation kernel to provide secure partitions, each of which can contain its own operating system.
Historically, LynuxWorks has been a strong proponent of Linux/Unix, open standard applications for avionics. It's a position that, at first glance, would seem to exclude them from the MILS space. But that's not the case, argues Day. The company's DO-178B (Level A) LynxOS-178 operating system and its LynxSecure separation kernel are designed to keep Linux applications safely separated from each other and the rest of the world. At press time, LynuxWorks had previewed a demo version of LynxSecure, showing the benefits of the separation kernel technology when running multiple Linux applications in parallel.
Wind River Systems is working on a version of its VxWorks RTOS that is designed to meet MILS requirements and comply with EAL-7. "We've been working on the secure version of VxWorks for about two years with four aerospace vendors," says Chip Downing, industry marketing manager for aerospace and defense. "The MILS-compliant VxWorks has the separation kernel protection profile built into it. It also comes with a security policy database, a secure audit log, secure boot and secure delivery."
The RTOS also is designed to keep what Downing terms "hostile vendors"--competing avionics solutions providers--satisfied that their proprietary products are insulated from each other when stored on a common VxWorks database. "To make this happen, our SRTOS [secure RTOS] is based on the same time and space partitioning used by our ARINC 653 platform, except that we've added much more security," he says. "Specifically, our system knows the security levels and constraints of each application running within the system, knows how to allocate time and space resources to each effectively, and how to keep different security levels separate without compromising processing speed."
OIS' solution, PCSexpress, is based on the partitioning communications system architecture. PCSexpress provides a highly robust method for separating and securing multiple levels of classified data in a single network, Jacob says.
"We've been working very closely with [AFRL] and NSA, as well as with Rockwell Collins, Raytheon, Lockheed Martin and Boeing, to bring together all the parts of the new MILS architecture," he says. "We've come up with a middleware layer that is extremely secure and efficient, achieving at least an EAL-6+ certification and most likely an EAL-7 certification."
Planned for release in the first quarter of 2006, PCSexpress is to be fully compatible with commercially available MILS separation kernels from Green Hills Software, LynuxWorks and Wind River Systems.