Security hypervisor

Hypervisor Part 3

Welcome back!

Today we will look at what Mercury Systems, SMP engineering favors in the Hypervisor world. This would be Star Lab’s LURE with Crucible. Mercury supports multiple versions of hypervisors but favors this one.

Star Lab’s LURE with Crucible

Star Lab’s LURE with Crucible hypervisor provides a trusted execution environment that addresses many of the concerns of mission-critical systems. LURE will protect critical software applications, configurations and data from unauthorized access, modification, reverse engineering or theft by malicious insiders.

Crucible is built upon open source and widely deployed Xen Project, and is specifically designed for use in hostile mission-critical environments. Crucible operates as a trusted supervisor within the processor, configuring and controlling both hardware and software resource execution in order to ensure and maintain the integrity of the system’s operation.

It is relatively easy to setup, use and configure to your environment. Mercury Systems is assistance trusted partner and always available to assist our customer with any of this.

Features available with this product that users can select to use, depending on their needs:

• Secure boot
• Authentication control
• Logical Isolation
• Runtime integrity
• Technology protection
• Deterministic performance
• Mission systems compatibility
• Encryption at rest
• MAC
• IP and Data protection
• Integrity and enforcement of configuration
• OS hardening and attack surface reduction
• System Hardware access control

Additional features offered on some platforms:

• Separation kernels
• Intrusion detection
• Contact switching – memory, registers and applications
• Forensics – live analysis vs offline

LynxSecure: Lynx Software Technologies

LynxSecure is a least privilege real-time Separation kernel Hypervisor from Lynx Software Technologies designed for safety and security critical applications found in military, avionic, industrial, and automotive markets. LynxSecure features a very unusual kernel architecture that departs from traditional Unix-like OS and micro kernels. LynxSecure abstracts all exception handling, APIs, I/O services, up into user space. The stripped down design aims to raise assurance of the host by removing the possibility of CPU privilege escalation and provide extremely tight control over CPU scheduling.

LynxSecure supports para-virtualized Linux and LynxOS real-time operating systems, as well as full virtualization of the Windows operating system.

LynxSecure is built to conform to the MILS (Multiple Independent Levels of Security) architecture so that virtualization can be used in embedded systems with requirements for high assurance. By default, LynxSecure uses an ARINC 653-based fixed-cyclic scheduler to manage processing time, but dynamic scheduling policies are also permitted.

LynxOS-178: Lynx Software Technologies

The LynxOS®-178 RTOS is the first hard real-time DO-178B level “A” operating system to offer the interoperability benefits of POSIX® with support for the ARINC 653 APplication EXecutive (APEX).

It is also the first time and space -partitioned, FAA-accepted Reusable Software Component (RSC). It is the only COTS solution supporting both Intel® Pentium® and PowerPC® platforms.

LynxOS-178 RTOS is based on open standards and is designed specifically to fulfill the stringent needs of multithread and multiprocess applications in safety-critical real-time systems. It provides security through Virtual Machine (VM) brick-wall partitions which make it impossible for system events in one partition of the RTOS to interfere with events in another. It’s as if each partition were its own separate computer.

Thank you for following this thread, it has been a pleasure sharing what Mercury Systems is offering to our customers, present and future.