Secure, safety-critical operating systems for avionics

Posted by Courtney Howard

TECHNOLOGY FOCUS, 30 March 2012. The adoption of secure real-time operating system (RTOS) software and related embedded computing security software tools for military embedded systems continues to grow, driven by increased security threats and concerns, real and perceived.

Many pundits agree that the need for information security, especially for critical and classified data, as well as the computing and data storage systems on which it resides, has never been greater. Industry has responded with myriad innovations designed to deliver security and protection at not only the system level, but also at the embedded, component level.

“There is no single architecture, product, or capability that can protect against a continuously evolving threat landscape,” cautions Chip Downing, senior director of Aerospace & Defense at Wind River in Alameda, Calif. “Today’s connected systems need to integrate a wide range of capabilities to achieve continuous security in hostile network environments. Layered, proven security components, along with capabilities to update these system components, need to be integrated to enable continuous application and service availability, while maintaining the required security capability.”

A layered security approach to critical systems and components is just one of Downing’s recommendations to aerospace and defense enterprises and end users. The most important considerations in the selection of an RTOS for aerospace and defense applications, he says, are support for open standards, safety certification, security features, and virtualization support. If a system needs to meet high levels of safety and security assurance, systems designers must have a strategy to achieve these requirements, he says.

“Due to higher system complexity and compressed system budgets, an RTOS with commercial off-the-shelf (COTS) certification evidence is the wisest choice," Downing says. "COTS certification evidence removes significant certification risk whilst lowering program costs."

Aerospace and avionics

“Avionics and aerospace systems have requirements for safety-critical software, and now are requiring security to help prevent malicious fault conditions,” says Robert Day, vice president of LynuxWorks in San Jose, Calif. “DOD [U.S. Department of Defense] environments require security, especially when connected to other systems or networks, which is becoming the norm even in tactical deployments.”

“Some of the most efficient systems deployed today use embedded virtualization technology to create advanced partitioning strategies,” Downing admits. Partitioning enables the integration of multiple applications, using multiple operating systems, onto shared compute platforms. It also enables support for legacy applications, provides a basis for obsolescence management as systems evolve through their life cycle, enables the use of enterprise operating systems on traditional RTOS platforms, and reduces size, weight, and power (SWaP) in next-generation designs through platform sharing, he explains.

Support for modern hardware is a key characteristic to be usable in modern aerospace and defense systems, Day says. “The RTOS needs to support the latest hardware and CPU {central processing unit} technologies -- for example, multi-core and multi-CPU systems. Also, with system consolidation to meet new SWaP-C [size, weight, power, and cost] requirements, support for partitioned and virtualized systems is becoming very important, even in tactical DOD [U.S. Department of Defense] systems.”

Demands on operating systems is increasing, Wind River's Downing points out. “Next-generation systems will be using multi-core processors and, in many cases, heterogeneous multi-core processors that combine state-of-the-art technologies from different silicon IP vendors into a shared compute platform. Systems designers need the capability to pick the highest utility configuration of these processors, whether it is AMP, SMP, supervised, or hypervisor architectures,” Downing recognizes. “The complexity of these systems means that early prototyping and performance analysis is critical to enable the optimum configuration of processing cores and applications; this is best achieved through the use of advanced simulation environments.”

Day also stresses the importance of performance and determinism. “The RTOS needs to be able to react very fast to real-time events and, in many applications, make decisions without user intervention,” he says.

Portable workstations

Portable computing devices, especially laptop computers, can pose security nightmares for individuals, businesses, government organizations, and even entire nations. It is of little doubt why, then, portable workstations are the subject of much attention by today’s technology firms and aerospace and defense enterprises.

Engineers at European IT security specialist secunet Security Networks AG in Essen, Germany, have ported the Secure Inter-Network Architecture (SINA) Multilevel Workstation onto the latest version of the LynuxWorks LynxSecure separation kernel and hypervisor. Government agencies requiring secure separation of multiple networks on a single workstation and enterprise organizations that need to protect sensitive information against malicious threats can securely run multiple SINA sessions at multiple levels of security (MLS) on a single hardware platform. The solution isolates applications and networks into separate partitions to prevent dangerous software interactions and to thwart any zero day or unknown cyber attacks.

Network needs

A vast majority of today’s computing and data storage systems access or reside on a network; this is true even of battlefield environments and scenarios, both which are increasingly network-centric. The Distributed Common Ground System (DCGS), for example, is considered the backbone of the network-centric battlefield, providing access to time-sensitive, actionable intelligence, surveillance, and reconnaissance (ISR) data.

“Our military and allies require relevant, accurate, and timely ISR support to provide commanders the information they need to fight and win counter-insurgency conflicts,” recognizes Judy Burke, vice president of indefinite delivery, indefinite quantity solutions in Lockheed Martin’s Global Training and Logistics (GTL) business in Orlando, Fla. “What’s critical about DCGS-A is that it enhances the speed, accuracy, and relevance of the information available to commanders to aid them in planning and conducting military operations.”

Lockheed Martin supports the U.S. Army’s Distributed Common Ground System (DCGS-A), connecting commanders with hundreds of intelligence data sources. The system’s advanced analytic tools help identify, track, and target hostile forces. Under a two-year task order won in 2011, company engineers are integrating and updating software that will become part of the DCGS-A’s fixed systems; mobile systems, such as those installed on High Mobility Multipurpose Wheeled Vehicles (HMMWVs or Humvees); and embedded systems in the field. A number of the Army’s software programs will be integrated, such as ground station, sensor, and meteorological software, and Lockheed Martin will enhance the user interface.

“To respond to commanders’ most computer-resource intensive and challenging intelligence questions and scenarios, Lockheed Martin is bringing secure cloud edge nodes into the DCGS-A architecture in Afghanistan and Iraq,” Burke explains. “Recent advances in cloud computing technology have brought about an edge node capable of extending the cloud architecture. Because of the reach, we can provide advanced analytics capabilities and more storage capacity to remote locations.”

Mobile networking

Commanders and warfighters long have required mobile networks in theater, and long requested the use of a wireless network. Security concerns and technological hurdles previously prevented such implementations; however, technology firms are taking advantage of secure RTOSs to provide mobile networks in the field. The Trillium telecom protocol and application framework software from Radisys in Hillsboro, Ore., for example, is often run in an RTOS environment.

“Specifically in the aerospace and defense market, we are seeing a rapid uptake of both 3G WCDMA/HSPA+ [Wideband Code Division Multiple Access/High Speed Packet Access] and LTE [Long Term Evolution] mobile network systems for use in battlefield communications,” says Todd Mersch, director of Product Line Management at Radisys. “These deployments require the entire network, from radio access to core, to be run in small-form-factor, ruggedized platforms while still meeting the latency requirements for the air interface.

“For LTE, this relates to Layer 2 functions in the base station where all of the scheduling and data distribution on the air interface must be done within a one-millisecond window -- a system requirement with all elements needing to complete their work in that window,” Mersch clarifies. “So, when you combine the low latency and the small form factor, we have seen the use of commercial RTOS solutions as well as ‘bare metal’ operating environments by many of the chipset providers. In the end, we see an affinity toward commercial, as it balances the performance and serviceability aspects and has experienced an overall push for RTLinux, now that it has matured as a solution.”

Many customers are balancing the trade-off between high performance and low latency vs. serviceability and usability, Mersch adds. “Many RTOS implementations provide relatively limited debugging and management features, as these can impact the overall performance. Limitations or lack of these features can not only impact development schedules, but can also further impact serviceability under unique deployment conditions.”

The “bare metal” operating system (OS) approach is unlikely to survive, Mersch predicts. “It is simply too difficult to program and, more importantly, can be very difficult to debug an issue in the field. The performance benefits are outweighed by the serviceability challenges.”

Ground vehicles

Current combat vehicles, more often than not, carry more electronics systems and solutions than warfighters. The sensitive, mission-critical information that could be gleaned from vehicle-based electronics (vetronics) that are insufficiently protected and secured could jeopardize missions and lives.

General Dynamics UK engineers in London selected the Integrity RTOS from Green Hills Software in Santa Barbara, Calif., as the operating system for all the mission-critical computers they are developing for the British Army’s Scout Specialist Vehicle (SV). Green Hills Software's Multi integrated development environment (IDE) will also be used to build the application code that runs on top of the Integrity operating system on all the computer subsystems in the vehicle.

Variants of the Scout SV military armored vehicle -- including the Scout reconnaissance vehicle, Recce Armored Personnel Carrier, repair vehicle, and recovery vehicle -- will share an open electronic architecture, making the Scout SV fleet easier to maintain, simplifying training, and potentially lowering costs throughout the expected 30-year life of the vehicles. Four main electronic subsystems -- each with its own display for the driver, commander, and gunner (and one additional) -- on Scout SVs will employ Intel Core i5 and Core i7 multi-core architectures running Integrity. The critical subsystems include driving controls, defensive aids, navigation tools, friend or foe recognition, and visual displays, which can receive up to seven live video feeds.

Manned and unmanned avionics

Unmanned aerial vehicles (UAVs) are important for ISR missions, and increasingly are targets of cyber terrorists and hackers. Modern software solutions are helping to secure drones, the technologies they employ, and the information they acquire.

Engineers at the Northrop Grumman Corp. Aerospace Systems sector in Redondo Beach, Calif., chose Wind River’s VxWorks RTOS for the U.S. Navy’s Unmanned Combat Air System Carrier Demonstration (UCAS-D) program, of which the new X-47B is part. Designers at GE Aviation in Evendale, Ohio, also selected VxWorks as the foundation for the backbone of UCAS-D computers, networks, and interfacing electronics, called the Common Core System. Northrop Grumman developers used VxWorks to create, deploy, and maintain critical applications, including safety-critical control systems, for the X-47B tailless unmanned aircraft.

Personnel at Lockheed Martin’s Mission Systems and Sensors Division (MS2) in Owego, N.Y., used the LynxOS RTOS and Luminosity Integrated Development Environment (IDE) from LynuxWorks in conjunction with the United Kingdom’s Airborne Warning and Control System (AWACS). AWACS aircraft provide an early-warning capability by tracking aircraft at extended ranges, as well as relay vital information to commanders on the ground.

Looking ahead

The future of RTOS technology is embedded virtualization, simulation, and a move to standardize security enhanced Android operating system for mobile devices like smart phones and tablet computers, Downing predicts. “We will continue to see multi-core platforms that integrate a wide range of RTOS, mobile, and enterprise operating system environments. This integration will blur the lines of the traditional RTOS industry, and force the suppliers to create highly adaptable, secure platforms that support a rapidly increasing evolution in embedded devices,” he says. “Hardware accelerators and enablers will assist in this transformation.

“The public release of the Security Enhanced (SE) Android project and associated source code is an important foundational step to add a new set of options to create secure Android devices,” Downing adds. “We’re seeing this with the National Security Agency’s move to standardize SE Android.”

David Kleidermacher, chief technology officer of Green Hills Software and Integrity Global Security LLC in Santa Barbara, Calif., is involved in “a firestorm of activity surrounding virtualization, and adding the ability to run Linux and Android on top of [Green Hills’] RTOS. In many ways, this is the future of the RTOS -- being able to handle mixed criticality requirements that include security, safety, and real-time critical applications alongside increasing requirements for rich multimedia and connectivity, app stores, GUIs, etc.”

Company list

CMX Systems
www.cmx.com

DDC-I Inc.
www.ddci.com

ENEA
www.enea.com

Express Logic
www.expresslogic.com

Green Hills Software
www.ghs.com

KADAK
www.kadak.com

LynuxWorks
www.lynuxworks.com

Mentor Graphics
www.mentor.com

Micrium
www.micrium.com

Microsoft Corp.
www.microsoft.com

OAR Corp.
www.rtems.com

OnTime Software
www.on-time.com

QNX Software Systems
www.qnx.com

Quantum3D
www.quantum3d.com

RadiSys
www.radisys.com

Red Hat
www.redhat.com

RTEMS
www.rtems.com

RTXC
www.quadros.com

Secunet
www.secunet.com

Space Shadow
www.spaceshadow.com

TimeSys
www.timesys.com

Wind River Systems
Wind River Systems www.windriver.com

Easily post a comment below using your Linkedin, Twitter, Google or Facebook account.

Most Popular Articles


Wire News provided by   

 

All Access Sponsors


Follow Us On...