Aerospace & Defense Technology - April 2022 - 19

Mission-Critical Systems
When these systems demand certain
real-time events be addressed in a deterministic,
predictable and immediate
way, interference - whether created accidentally
such as through poorly written
applications, or maliciously (e.g. cyberattacks)
- becomes a significant issue.
The strategy to mitigate these issues is
multifold, incurring the provable isolation
of applications from each other;
architecting systems such that the fundamental
elements of a system that
keeps humans safe and secure cannot be
altered if an application fails or misbehaves;
and early recognition of - and
recovery from - systems being compromised.
A
Separation Kernel Hypervisor
Defined
A separation kernel is a special type of
bare metal hypervisor that only does
separation. More specifically, it is a tiny
piece of carefully crafted code (as small
as 15 KB) that utilizes modern hardware
virtualization features to:
1. Define fixed virtual machines (VMs)
2. Control information flows.
Separation kernels contain no device
drivers, no user model, no shell access,
and no dynamic memory; these ancillary
tasks are all pushed up into guest
software running in the VMs. This simple,
elegant architecture results in a
minimal implementation that-while
less convenient for desktop use-is an
excellent fit for embedded real-time and
safety-critical systems.
The separation kernel concept was
first described by John Rushby in his
1981 paper Design and Verification of
Secure Systems. Rushby writes:
" ...the task of a separation kernel is to
create an environment which is indistinguishable
from that provided by a physically
distributed system: it must appear as if
each regime is a separate, isolated machine
and that information can only flow from
one machine to another along known external
communication lines. "
Rushby's idea is that separation is
too important to be managed by the
OS. The OS is large, complex, and
responsible for many things, and thus
extremely difficult to make " waterAerospace
& Defense Technology, April 2022
Applications
Bare-metal
Separation kernel hypervisor
Interrupt mgmt.
Scheduler
Core 0
Interrupt mgmt.
Scheduler
Core 1
Interrupt mgmt.
Scheduler
Core 2
Multi-core processor
Figure 2. Partitioned Virtual Machine
tight " from a security perspective. He
realized that the best way to build a
secure computer system would be to
factor out the management of separation
from the OS into a new kind of
kernel focused exclusively on separation.
He called this new kernel a separation
kernel. The separation kernel
should be small and simple enough
that it can be intimately examined and
fully understood to the point of being
formally proved to be correct.
Separation kernel use-cases were initially
secure workstations responsible
for high security government and DoD
www.aerodefensetech.com
ADT Feature 4 - Mission-Critical Systems 0422_1.indd 19 Intro
Cov
ToC
+
-
A
µ
applications requiring separation of
Top Secret, Secret, and Confidential
information classifications. Embedded
military network communications systems
such as secure radio gateways followed,
and more recently separation
kernels have found application as a
superior hypervisor in embedded systems
and in safety-critical avionics systems
seeking stronger separation to
manage multi-core interference.
Despite this, separation kernels have
remained a niche concept predominantly
acknowledged in the security
industry.
19
Interrupt mgmt.
Scheduler
Core n
Applications
Applications
Guest OS
Guest OS
(RTOS)
(3rd Party)
Guest OS
(Linux)
Use-case
under test
Microbenchmark
Process
Use-case under test
RTOS
Microbenchmark
Separation kernel
Multicore CPU
(partitioning hypervisor)
Multicore CPU
Bare-metal
virtual machine
Figure 1. RTOS versus Separation Kernel Approach
Partitioned
Virtual Machine
(VM) 0
VM 1
VM 2
VM n
Applications
3/14/22 4:06 PM
È
http://www.aerodefensetech.com http://info.hotims.com/82320-869
Aerospace & Defense Technology - April 2022

Table of Contents for the Digital Edition of Aerospace & Defense Technology - April 2022
