Integrity OS awarded first high-robustness evaluation
- By William Jackson
- Nov 17, 2008
The National Information Assurance Partnership has awarded the highest level of assurance yet for an operating system to Green Hills Software's Integrity.
Integrity is designed to separate partitions that host custom applications and let computers run applications in a secure environment. The evaluation, announced today, is the first for an operating system at NIAP's high-robustness level.
On behalf of the National Security Agency, NIAP oversees product evaluations to Evaluation Assurance Levels defined in the internationally accepted Common Criteria for security products. Independent laboratories conduct the evaluations.
Science Applications International Corp. reviewed Integrity. Evaluation of Integrity's source code began in 2005.
'SAIC determined that the [Integrity operating system] doesn't satisfy any EAL defined in the Common Criteria but rather fulfills the high-robustness requirements as defined in the U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness,' according to NIAP's announcement.
Integrity was awarded an Evaluation Assurance Level of 6+, which means it also meets some requirements for EAL 7.
The evaluation validates that the operating system can be used with high-value assets exposed to hostile operating environments and intentional attacks.
Integrity does not include operating system constructs such as a file system, shell prompt or user log-in, but it does schedule partitions that execute on the hardware and provides granular scheduling capability for tasks operating in partitions. It manages access to memory, devices, communications and processor resources to ensure that partitions can be entirely separated and interact only in well-defined ways configured by system architects.
Integrity was developed in 1997, and a number of agencies ' including the Federal Aviation Administration and the Food and Drug Administration ' have already certified it for use in specific environments. For example, it is used to run avionics systems in the B-1B bomber and a number of fighter planes.
In anticipation of the NIAP evaluation, Green Hills created a new company, Integrity Global Security LLC, to focus on the government and commercial markets for the operating system. The parent company is well-known for providing embedded software, said David Kleidermacher, chief technology officer at Green Hills Software and the new company. Officials hope that a new brand will help expand the market for the operating system.
'It has taken us 10 years' to build the operating system and prove it in use, Kleidermacher said.
Integrity was built to be secure by adhering to a handful of basic principles. They are:
- Minimal complexity. Simple solutions allow the code's security to be mathematically proven.
- Least privilege. Each application gets the minimum amount of access to resources required to do its job. The default is zero.
- Compartmentalization. Critical functions are moved to separate compartments with standard interfaces.
- Formal methods for testing development and configuration management.
Intended for critical embedded systems in which failure could be catastrophic, such as avionics controls, Integrity had to be capable of real-time response with a level of reliability higher than is commonly available in operating systems such as Microsoft Windows, Linux and Unix. Given the changes in the information technology market, Integrity is moving away from strictly embedded systems to more general-purpose uses that allow the operation of critical applications on computers. With the advent of virtualization technology and microprocessor support, Windows and other operating systems can run on top of Integrity, with secure applications segregated on Integrity.
Technologically, Integrity is capable of standing on its own, but company officials see a growing market for secure applications that run on PCs, servers, networking devices, embedded systems and critical infrastructures with Windows, Linux, Mac OS, Solaris, Palm OS, Symbian or VxWorks.
'It's a different environment,' Kleidermacher said of Integrity, adding that application developers are used to working in a Windows environment with 1.5 million device drivers and a familiar look and feel for users. Computers and other devices on those systems could run secure applications separately on Integrity. 'We can consolidate different levels of security on a single PC,' he said.
Kleidermacher said he envisions a consumer market for the operating system, and the new company would like to see it included as preloaded software on items such as laptop and desktop PCs that will be used for sensitive applications such as banking. But the initial markets are likely to be government workers who now use separate computers to access sensitive and classified information.
Integrity runs on an embedded PowerPC processor on a CompactPCI card, but other than drawing power from the card, it has no security dependency on the bus or other devices connected to it. Devices can be made available to partitions, although the operating system does not include any device drivers. Partitions are given access to such devices by mapping their control and data registers to memory regions in a given partition. Device drivers can be deployed in the partitions outside the operating system as necessary.
William Jackson is a Maryland-based freelance writer.