LynxSecure

LynxSecure is a least privilege real-time separation kernel hypervisor from Lynx Software Technologies designed for safety and security critical applications found in military, avionic, industrial, and automotive markets.

Overview
Leveraging multi-core CPU hardware virtualization features and smaller than a microkernel (as small as 15kB), LynxSecure is primarily targeted to raise the assurance of systems that perform critical computing functions in regulated environments. Common use cases include; separating critical apps from internet domains, isolating security functions from application domains, verifying and filtering inter-domain communication. LynxSecure lives underneath applications and operating systems, runs completely transparent and cannot be tampered with. The software can be embedded into a broad class of devices from embedded to IT platforms. The stripped-down design aims to raise assurance of the host by removing the possibility of CPU privilege escalation and provide extremely tight control over CPU scheduling. Rather than attempting to shape system behavior indirectly by issuing commands to platform APIs according to a programming manual, LynxSecure allows developers to directly control system behavior through a unique system architecture specification written by the developer and enforced solely by the processor.

With a traditional architecture, all hardware resources are owned by the real-time operating system (RTOS). This controls the CPU cores, memory, and peripherals. Applications must request access to those resources via APIs like fork, malloc, and write. The RTOS is a monolithic collection of libraries that manages task scheduling, memory partitioning, and device I/O. This large block of code needs to be safety certified and bug free to be secure. A separation kernel relies on hardware virtualization functionality to do the heavy lifting. This creates efficient, tamper-proof, and non-bypassable virtual machines. Hardware resources are robustly partitioned into almost zero overhead VMs populated with a mix of OSes, RTOSes, and bare-metal applications. Mixed criticality safety systems can be constructed that minimize high Design Assurance Levels (DAL) source lines of code (SLOC) counts to reduce certification costs and technical risks of future programs.

LynxSecure supports paravirtualized Linux and LynxOS real-time operating systems, as well as full virtualization of the Windows operating system. It was also announced in 2020 that LynxSecure would support FreeRTOS, the market share leader in real-time operating systems, as a Guest OS.

LynxSecure is built to conform to the MILS (Multiple Independent Levels of Security) architecture so that virtualization can be used in embedded systems with requirements for high assurance. It was also designed to satisfy real-time, high assurance computing requirements used to regulate military and industrial computing environments, such as NIST, NSA Common Criteria, and NERC CIP.

By default, LynxSecure uses an ARINC 653-based fixed-cyclic scheduler to manage processing time, but dynamic priority scheduling policies are also permitted.

Additional features

 * Designed to support both CC EAL-7 and DO-178
 * Time-space partitioned
 * Supports multiple heterogeneous operating system environments on the same physical hardware including Intel VT
 * Supports Symmetric MultiProcessing (SMP) and 64-bit addressing for high-end scalability
 * 100% binary compatibility for Linux, or POSIX-based applications
 * MILS architecture conformance
 * Multithreaded small-footprint run-time environment for secure application development
 * Multiprocess, multithreaded environment through virtualized Red Hat, Linux, LynxOS or LynxOS OSes
 * Microsoft Windows support in full virtualization mode

Key Updates and Releases
LynxSecure 2.0, released in 2008, featuring multiprocessing; support for POSIX, Linux ABI, and ARINC; device assignment capabilities that allows devices to be assigned to specific guest operating systems; and a configuration tool for platform configuration and security policy definition.

LynxSecure 3.0 was released in 2009 with the ability to run fully virtualized guest operating systems simultaneously on the same hardware as para-virtualized and real-time operating systems with each running in their own secure partition. Building on LynxSecure 2.0, LynxSecure 3.0 added full virtualization, meaning that guest operating systems can run unmodified on top of LynxSecure. Other features in LynxSecure 3.0 included 1) Addition of para-virtualized 64-bit Linux as a guest OS. 2) Security enhancements for supporting audit & built-in tests 3) Flexible scheduling and 4) enhanced bootloader.

LynxSecure 4.0 added support for the Intel Core i7 and i5 processor families and enabled new configurations of guest operating systems as well as an updated version (4.7) of the Luminosity Integrated Development Environment (IDE).

LynxSecure 5.0 included changes which increased performance for fully virtualized guest operating systems and added 64-bit and Symmetric Multi-processing (SMP) guest OS virtualization support. Additionally, a device-sharing facility for systems with limited physical devices was added that complemented existing direct device assignment mechanism that had been available in previous versions of LynxSecure. By implementing a new secure device virtualization mechanism, managed from a secure partition on LynxSecure, limited physical devices could be virtualized and shared between guest OSes.

LynxSecure 6.0 brought LynxSecure to the Arm® architecture for the first time. The initial port was available on the Xilinx Zynq Ultrascale+ MPSoC and was displayed at Arm TechCon.