This week we announced the latest update to our VxWorks MILS Platform (MILS stands for Multiple Independent Levels of Security), which includes a new High Assurance Network Stack (HANS) and guest OS support for Wind River Linux. In a previous post I discussed the growing importance of security in embedded systems; in the so-called high assurance environments used by military and government organizations, however, security is an absolute requirement.
Our VxWorks MILS product partitions a system into independent virtual systems (or virtual boards), each of which can be high, medium, or low assurance as the customer's application requires (hence the "multiple" and "independent levels" in Multiple Independent Levels of Security). VxWorks MILS has been developed in accordance with the U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, version 1.03 (SKPP), and is officially listed by NIAP (National Information Assurance Partnership) as in evaluation to EAL 6+/NSA High Robustness under the CCEVS. Before software MILS architectures existed, supporting multiple levels of security meant duplicating hardware: separate physical systems provided the required "partitioning". With the MILS software architecture, systems with different security requirements can be consolidated onto one common hardware platform. The reductions in SWaP (size, weight and power) are huge, as are the reductions in security evaluation cost. The following diagram shows a possible VxWorks MILS architecture:
Previous versions of VxWorks MILS already supported VxWorks as a guest OS, so adding Wind River Linux expands the available operating system choices.
The High Assurance Network Stack that is part of this VxWorks MILS update provides secure network connectivity for the partitions through the device's existing network connection. HANS lets applications in different security domains share a common physical network connection: the physical and low-level interface to the network is handled within a high assurance partition, which relays data to the medium and lower assurance target partitions that contain the protocol stacks. Data belonging to different domains is kept separate on the shared network by a discriminator, such as the VLAN tag defined in IEEE 802.1Q. The following diagram illustrates the HANS architecture in VxWorks MILS:
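To make the discriminator idea concrete, here is the policy decision the network partition has to make for every frame before relaying it: read the 802.1Q tag, map the VLAN ID to the one partition that owns that domain, and drop anything it cannot classify. This is an added illustration written for this post, not Wind River's HANS code; the VID-to-partition table, the result codes and the sample frames are assumptions constructed for the example. The point worth noticing is that the demultiplexer fails closed: untagged frames, unknown VIDs and stacked (Q-in-Q or double) tags are all refused rather than "defaulted" to some domain, because the network partition is the only component that ever sees the raw frame and a wrong guess here would put data from one domain in front of another.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not Wind River code): the VLAN demultiplexing a
 * HANS-style network partition performs before relaying a frame to a
 * lower-assurance partition. Only the high-assurance partition touches
 * the wire; the code below is the policy decision "which partition may
 * see this frame", keyed on the 802.1Q VLAN ID.
 * The VID -> partition table and the sample frames are assumptions
 * constructed for this example.
 */

#define ETH_HLEN        14          /* dst(6) + src(6) + EtherType(2) */
#define VLAN_TAG_LEN    4           /* TPID(2) + TCI(2) */
#define ETHERTYPE_VLAN  0x8100      /* 802.1Q customer tag */
#define ETHERTYPE_QINQ  0x88A8      /* 802.1ad service tag (stacked) */

enum demux_result {
    DEMUX_OK          =  0,
    DEMUX_TRUNCATED   = -1,  /* shorter than a tagged Ethernet header */
    DEMUX_UNTAGGED    = -2,  /* no discriminator: no domain can be assigned */
    DEMUX_STACKED     = -3,  /* Q-in-Q or double tag: refuse rather than guess */
    DEMUX_UNKNOWN_VID = -4   /* VID not bound to any partition by policy */
};

/* Assumed static policy: VLAN ID -> target partition. Untagged frames
 * and VIDs not listed here are dropped, never defaulted to a domain. */
struct vid_binding { uint16_t vid; int partition; };
static const struct vid_binding policy[] = {
    { 100, 1 },   /* partition 1: high-assurance domain */
    { 200, 2 },   /* partition 2: medium-assurance domain */
    { 300, 3 },   /* partition 3: low-assurance domain */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

static int lookup_partition(uint16_t vid)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].vid == vid) return policy[i].partition;
    return -1;
}

/* Classify one frame. On DEMUX_OK, *partition receives the owner of the
 * VLAN and *vid the 12-bit VLAN ID; on any other result the frame is dropped. */
enum demux_result demux_frame(const uint8_t *f, size_t len, int *partition, uint16_t *vid)
{
    *partition = -1; *vid = 0;
    if (len < ETH_HLEN + VLAN_TAG_LEN) return DEMUX_TRUNCATED;
    uint16_t tpid = be16(f + 12);
    if (tpid == ETHERTYPE_QINQ) return DEMUX_STACKED;
    if (tpid != ETHERTYPE_VLAN) return DEMUX_UNTAGGED;
    uint16_t inner_type = be16(f + 16);                 /* EtherType after the tag */
    if (inner_type == ETHERTYPE_VLAN || inner_type == ETHERTYPE_QINQ) return DEMUX_STACKED;
    uint16_t v = be16(f + 14) & 0x0FFF;                 /* TCI = PCP(3) DEI(1) VID(12) */
    if (v == 0 || v == 0x0FFF) return DEMUX_UNTAGGED;   /* priority-only / reserved VID */
    *vid = v;
    int p = lookup_partition(v);
    if (p < 0) return DEMUX_UNKNOWN_VID;
    *partition = p;
    return DEMUX_OK;
}

/* Convenience wrapper: partition number (>0) or a negative demux_result. */
int route_frame(const uint8_t *f, size_t len)
{
    int p; uint16_t v;
    enum demux_result r = demux_frame(f, len, &p, &v);
    return r == DEMUX_OK ? p : (int)r;
}

/* Copy the frame without its 802.1Q tag into out, so the receiving
 * partition's stack sees a plain Ethernet frame. Returns the new length, or 0. */
size_t strip_vlan_tag(const uint8_t *f, size_t len, uint8_t *out, size_t cap)
{
    if (len < ETH_HLEN + VLAN_TAG_LEN || cap < len - VLAN_TAG_LEN) return 0;
    memcpy(out, f, 12);                 /* dst + src MAC */
    memcpy(out + 12, f + 16, len - 16); /* inner EtherType + payload */
    return len - VLAN_TAG_LEN;
}

/* Constructed sample frames (not captured traffic). */
#define MACS 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0x00,0x11,0x22,0x33,0x44,0x55
const uint8_t frame_high[]     = { MACS, 0x81,0x00, 0x00,0x64, 0x08,0x00, 0x45,0x00,0x00,0x14 }; /* VID 100 */
const uint8_t frame_unknown[]  = { MACS, 0x81,0x00, 0x03,0xE7, 0x08,0x00, 0x45,0x00,0x00,0x14 }; /* VID 999 */
const uint8_t frame_untagged[] = { MACS, 0x08,0x00, 0x45,0x00,0x00,0x14 };
const uint8_t frame_qinq[]     = { MACS, 0x88,0xA8, 0x00,0x0A, 0x81,0x00, 0x00,0x64, 0x08,0x00 };
const uint8_t frame_double[]   = { MACS, 0x81,0x00, 0x00,0x64, 0x81,0x00, 0x00,0xC8, 0x08,0x00 };

int main(void)
{
    uint8_t buf[64];
    printf("VID 100   -> %d\n", route_frame(frame_high, sizeof frame_high));
    printf("VID 999   -> %d\n", route_frame(frame_unknown, sizeof frame_unknown));
    printf("untagged  -> %d\n", route_frame(frame_untagged, sizeof frame_untagged));
    printf("Q-in-Q    -> %d\n", route_frame(frame_qinq, sizeof frame_qinq));
    printf("double    -> %d\n", route_frame(frame_double, sizeof frame_double));
    printf("stripped length: %zu\n", strip_vlan_tag(frame_high, sizeof frame_high, buf, sizeof buf));
    return 0;
}
```

In a real deployment the table would come from the configured partition policy rather than a static array, and the relay would also have to enforce the reverse direction (tagging frames sent by a partition with its own VID and refusing any tag the partition supplies itself), but the classification logic is the same in both directions.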
Clearly, more guest OS choices for VxWorks MILS provide a way to reuse existing applications and leverage in-house development resources. Adding Wind River Linux allows a huge variety of custom and off-the-shelf applications to run in the medium and low assurance partitions. The addition of the High Assurance Network Stack is critical not only for providing secure connectivity but for enabling Cross Domain Solutions (CDS). CDS is a large topic on its own, but in a nutshell a cross domain solution provides the ability to access or transfer information between two or more security domains (CNSSI 4009). A key to making CDS a reality is the secure partitioning and network separation provided by VxWorks MILS.