Security and memory-protection features secure Joint Strike Fighter contract for Green Hills real-time software
By John McHale
SANTA BARBARA, Calif. — Engineers at Lockheed Martin in Bethesda, Md., needed a real-time operating system (RTOS) that had strong memory protection and security capabilities for their design of the U.S. F-35 Joint Strike Fighter (JSF) aircraft. So they chose the Integrity RTOS from Green Hills Software in Santa Barbara, Calif.
Lockheed Martin experts also will use the Green Hills AdaMulti 2000 tools to develop software for the aircraft. The U.S. Department of Defense selected Lockheed Martin's design for the JSF at the end of last year in a potential $200 billion award, the largest in the country's history. Avionics software developed by Lockheed Martin will run on airborne PowerPC processors operating under the Integrity RTOS.
"Integrity is an outstanding product that we are very excited about," says John Ledyard, software manager at Lockheed Martin. "Green Hills involved us early in product definition and as a result Integrity meets our needs. An embedded RTOS with virtual memory support and the capability to meet security standards was a key enabler in the design of our mission critical software.
"In the past, we would have to develop a custom RTOS and modify development tools at a significant cost," Ledyard continues. "With Integrity, and its tight integration with the excellent AdaMulti software development tools, we are able to focus our efforts on our strengths, which are in application software development and integration. This will result in reduced cost and risk for us and our customers."
Code security and safety-critical aspects of the Green Hills Integrity software were crucial to Lockheed Martin's selection, says John Carbone, vice president of marketing at Green Hills. "The Integrity RTOS, together with Green Hills' AdaMulti integrated development environment (IDE), and Ada 95/C/C++ compilers provides a complete single-vendor RTOS and development solution for developing real-time mission and safety-critical software systems capable of meeting the security and safety standards of ISO/IEC 15408 (Common Criteria) and RTCA DO-178B."
Integrity features advanced memory protection capabilities, an optional ARINC-653 partition scheduler, dynamic download, task- and system-level debug, a configurable real-time EventAnalyzer, POSIX support, and TCP/IP networking. It is also the first memory-protected RTOS to be offered on a royalty-free basis, company officials say.
RTOS security was an important consideration for the JSF team because little bugs in software can bring down a whole system, Carbone says. For example, if an RTOS has several tasks running at once, a bug in one task can affect the other tasks and eventually corrupt the entire system, he explains.
In terms of security there are about three levels of RTOSs: zero, one, and two, Carbone says. Level zero would contain RTOSs such as the Wind River VxWorks 5.4, which has very little memory protection and is susceptible to bugs, he says. RTOSs at level zero have virtually nothing to protect them in these situations, Carbone adds.
RTOSs at level one, such as VxWorks AE, QNX, LynxOS, and Linux, have memory protection that protects simultaneously running tasks from one another by enabling tasks to run independently, Carbone says.
Still, Carbone admits, the corrupted task can affect the uncorrupted tasks indirectly by draining the resources of the RTOS.
Integrity, however, is secure in even this circumstance, which is why it stands alone in level two, Carbone claims. Green Hills engineers have accomplished this through guaranteed resource availability, which enables designers to set the specific time domain and space domain of each task, he says.
In other words, each task is allotted a certain amount of time (time domain) to perform its function and a certain amount of memory (space domain), Carbone explains. The time and memory are for that task and that task alone; therefore, if another task is corrupted, it is not only contained through memory protection but also cannot bring the system down by draining time and memory from other tasks, he says.
Each task is budgeted a certain amount of time and memory much the same way different elements of a corporation are budgeted with money, Carbone explains. However, unlike a corporation they cannot infringe on one another, he adds.
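The difference between the "level one" and "level two" models described above can be shown with a small scheduling simulation. The following is an added illustration written for this article, not Green Hills code and not a description of how Integrity is implemented internally: the two kernel classes, the partition names, the tick and byte figures, and the three-frame workload are all constructed. The shared-pool kernel protects memory between tasks but draws CPU time and heap from common pools; the partitioned kernel gives each task its own time window and memory quota. A runaway task that asks for unbounded time and memory starves its neighbours under the first model and is contained under the second.

```python
from dataclasses import dataclass


@dataclass
class Partition:
    """One protected task. Budgets apply only under the partitioned kernel."""
    name: str
    time_budget: int      # ticks it may run per major frame (time domain)
    mem_quota: int        # bytes it may hold in total (space domain)
    wants_ticks: int      # ticks it tries to consume each frame
    wants_alloc: int      # bytes it tries to allocate each frame
    ticks_run: int = 0
    mem_used: int = 0
    alloc_failures: int = 0


class SharedPoolKernel:
    """Level-one model (constructed): tasks cannot touch each other's memory,
    but CPU time and the heap come from shared pools, so a runaway task can
    drain them and starve well-behaved tasks indirectly."""

    def __init__(self, pool_bytes: int, frame_ticks: int):
        self.pool_free = pool_bytes
        self.frame_ticks = frame_ticks

    def alloc(self, p: Partition, n: int) -> bool:
        if n <= self.pool_free:
            self.pool_free -= n
            p.mem_used += n
            return True
        p.alloc_failures += 1
        return False

    def run_frame(self, parts):
        remaining = self.frame_ticks
        for p in parts:                       # list order, no per-task time cap
            used = min(p.wants_ticks, remaining)
            p.ticks_run += used
            remaining -= used
            self.alloc(p, p.wants_alloc)


class PartitionedKernel:
    """Level-two model (constructed): each task owns a fixed time window and a
    fixed memory quota. A runaway task is preempted at the end of its window
    and refused allocations beyond its quota; the others keep their budgets."""

    def __init__(self, frame_ticks: int):
        self.frame_ticks = frame_ticks

    def alloc(self, p: Partition, n: int) -> bool:
        if p.mem_used + n <= p.mem_quota:
            p.mem_used += n
            return True
        p.alloc_failures += 1
        return False

    def run_frame(self, parts):
        # The static schedule must fit inside the major frame.
        if sum(p.time_budget for p in parts) > self.frame_ticks:
            raise ValueError("partition windows exceed the major frame")
        for p in parts:
            used = min(p.wants_ticks, p.time_budget)   # preempted at window end
            p.ticks_run += used
            self.alloc(p, p.wants_alloc)


def make_workload():
    """Constructed workload: one runaway task and two well-behaved ones.
    The runaway task is listed first so it gets first claim on shared pools."""
    return [
        Partition("runaway", time_budget=40, mem_quota=16384, wants_ticks=10**6, wants_alloc=64000),
        Partition("nav",     time_budget=30, mem_quota=16384, wants_ticks=10,    wants_alloc=1024),
        Partition("display", time_budget=30, mem_quota=16384, wants_ticks=10,    wants_alloc=1024),
    ]


def simulate(kernel, frames: int = 3):
    """Run the workload for a few major frames and report
    (ticks_run, mem_used, alloc_failures) per task."""
    parts = make_workload()
    for _ in range(frames):
        kernel.run_frame(parts)
    return {p.name: (p.ticks_run, p.mem_used, p.alloc_failures) for p in parts}


if __name__ == "__main__":
    print("shared pool :", simulate(SharedPoolKernel(pool_bytes=65536, frame_ticks=100)))
    print("partitioned :", simulate(PartitionedKernel(frame_ticks=100)))
```

Under the shared-pool kernel the runaway task takes every tick of every frame and most of the heap, so "nav" and "display" never run and their allocations start failing. Under the partitioned kernel the runaway task gets exactly its 40-tick window per frame and its oversized allocation is refused against its own quota, while the other two tasks run their full 10 ticks and allocate successfully every frame. The point the article makes is visible in the numbers: containment by memory protection alone (the shared-pool model) does not stop resource exhaustion; per-task time and space budgets do.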
At the lowest level, the Integrity kernel employs an object-oriented design and access verification to protect against inadvertent and malicious kernel access problems such as invalid kernel addresses and invalid system call parameters, Green Hills officials say.
The kernel design also guarantees bounded computation times by eliminating the need for features such as dynamic memory allocation and heuristic scheduling. Underlying hardware mechanisms are used to provide full system memory protection of all components, including user applications, device drivers, and inter-address space communications. Clocks and timers are protected with access permissions and implemented entirely in software, company officials say.
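The "access verification" the kernel is described as performing on system call parameters can be sketched in a few lines. The following is an added example for this article, not Green Hills code and not Integrity's actual address-space layout or syscall interface: the region table, the 32-bit address space, the kernel window base and the error strings are all constructed. It shows the checks a kernel must make before touching a buffer a task passes in: a sane length, no wrap past the end of the address space, no overlap with the kernel's own window, and containment within one mapping of the caller with the right permission.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Region:
    """One mapping in a task's address space (constructed layout)."""
    base: int
    size: int
    writable: bool

    @property
    def end(self) -> int:          # exclusive upper bound
        return self.base + self.size


ADDR_BITS = 32                      # constructed: 32-bit task address space
ADDR_MAX = (1 << ADDR_BITS) - 1
KERNEL_BASE = 0xC000_0000           # constructed: kernel window; never a valid user buffer


def validate_user_buffer(regions: Iterable[Region], addr: int, length: int,
                         need_write: bool) -> Optional[str]:
    """Return None if the kernel may access [addr, addr+length) on the caller's
    behalf, otherwise a reason string. Every check is done before any access."""
    if length <= 0:
        return "zero or negative length"
    if addr < 0 or addr > ADDR_MAX:
        return "address outside the address space"
    end = addr + length
    # Python integers do not wrap; in C this is the classic `addr + len < addr`
    # overflow check that must precede any range comparison.
    if end - 1 > ADDR_MAX:
        return "buffer wraps past the end of the address space"
    if end > KERNEL_BASE:
        return "buffer overlaps the kernel window"
    for r in regions:
        if r.base <= addr and end <= r.end:
            if need_write and not r.writable:
                return "write to read-only mapping"
            return None
    return "buffer not wholly inside one caller mapping"


# Constructed address map for one task: text, data/heap, stack.
TASK_MAP = (
    Region(base=0x1000_0000, size=0x1_0000, writable=False),
    Region(base=0x2000_0000, size=0x2_0000, writable=True),
    Region(base=0x7FFF_0000, size=0x1_0000, writable=True),
)


def sys_write_check(addr: int, length: int) -> Optional[str]:
    """Constructed 'write' syscall entry: the kernel only reads the caller's
    buffer, so a read-only mapping is acceptable."""
    return validate_user_buffer(TASK_MAP, addr, length, need_write=False)


def sys_read_check(addr: int, length: int) -> Optional[str]:
    """Constructed 'read' syscall entry: the kernel fills the caller's buffer,
    so the mapping must be writable."""
    return validate_user_buffer(TASK_MAP, addr, length, need_write=True)


if __name__ == "__main__":
    for a, n in ((0x2000_0100, 256), (0x1000_0000, 16), (0x2001_FF00, 0x200),
                 (KERNEL_BASE + 0x10, 8), (0xFFFF_FFF0, 0x20), (0x2000_0000, 0)):
        print(f"read into {a:#010x}+{n:#x}: {sys_read_check(a, n) or 'ok'}")
```

The order of the checks matters: the wrap check comes before the kernel-window and mapping checks so that a length chosen to wrap the end address back into user space is rejected on its own terms rather than slipping past a later comparison, and the permission check is applied only after containment is established. These are the parameter-level defences that keep an invalid pointer or length in one task from turning into a kernel write on behalf of that task.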
Integrity is also tightly integrated with the Green Hills AdaMulti IDE. Together with Green Hills' family of optimizing Ada 95, C, and C++ compilers, AdaMulti automates all aspects of embedded software development, including editing, source-level debugging, program building, run-time error checking, version control, and code/performance optimization, Green Hills officials say. Integrity also features ISIM, an RTOS simulator that enables programmers to develop and test their code on a PC or workstation without the need for target hardware. Integrity also includes the EventAnalyzer, which enables viewing of system and user events in a graphical display, company officials say.
For more information on the Integrity RTOS or Green Hills Software contact the company by phone at 800-789-9695, by e-mail at [email protected], or on the World Wide Web at http://www.ghs.com.