Green Hills Software Integrity: A Secure OS At Last

Green Hills Software Integrity 178B operating system is the first, and only, certified Common Criteria Evaluation Assurance Level (EAL) 6+ operating system on the market. Green Hills Software uses Integrity as the basis for a secure PC operating system called Integrity PC and includes Padded Cell Virtualization, a secure hypervisor running within Integrity PC. Integrity Global Security LLC has been formed as a subsidiary of Green Hills Software to market Integrity PC. Integrity PC is provably secure.Integrity PC is the secure, micro-kernel OS which uses the Integrity 178B technology as the base OS, runs on common computers, and provides a secure, segregated environment for device drivers, native programs, and can host virtual machines. Integrity PC's Padded Virtual Cell allows other operating systems such as Windows or Solaris to run on Integrity PC and there is no way for one program or guest OS to subvert the microkernel. Integrity also leverages advanced features in Intel's vPro chipset and the Trusted Computing Group's TPM for a trusted boot process. Integrity LLC engineers even claim to thwart hypervisor root kit.

Common Criteria is an internationally agreed upon set of product security standards and requirements. There are seven levels. The lowest level, EAL 1, simply states the product works as advertised, while the highest level, EAL 7, where the product functions and called the Target of Evaluation in Common Criteria parlance, has undergone penetration testing and the design has been fully documented and formally reviewed. Integrity PC's EAL 6+ testing is less rigorous than an EAL 7 product. There are no EAL 7-certified products to date.

The testing of Integrity 178B was split among SAIC that performed the formal analysis and some of the functional testing and the NSA, which performed some functional and all of the penetration testing, including more esoteric security problems like covert channels. The result is an operating system that is provably secure and resistant to both internal and external attacks. The plus in EAL 6+ means the product also was tested with some features from EAL 7, namely the kernel separation, which means programs, drivers, and the kernel are segregated from each other. Nearly all Common Criteria certified products are only EAL 4-certified since that is the highest evaluation level that doesn't require developers have special skills to create formal design models and proofs and is the highest EAL which an existing product can achieve.

Integrity PC runs device drivers, typically running in the kernel in other OSes, in user space, and brokers all requests for hardware access through the Integrity kernel. That maintains separation between processes, drivers, and applications. In addition, Integrity PC can natively run applications that are compiled using Integrity's SDK's, as well as POSIX-compliant programs. Each application runs in its own space, securely and independent of all other applications.

Padded Cell Virtualization in Integrity PC lets users run multiple operating systems simultaneously, allowing the user to switch back and forth. For example, a laptop could be provisioned with a work virtual machine that is tightly controlled by IT and doesn't allow the user to make any modifications, and a personal virtual machine that is more lax that the user would use for surfing the Internet, private e-mails, etc. No data sharing between virtual computers is allowed, so the user can't cut and paste between operating systems.

The use cases are interesting. For example, VPN software can run on Integrity PC to form a secure tunnel back to a corporate gateway. System policies can be implemented in Integrity PC where the work virtual machine network traffic is only sent over a VPN and is transparent to the user while the personal virtual machine can access the Internet but not the corporate network. The defined policies are implemented in Integrity PC and the user can't disable or modify the policies. That is a powerful tool for ensuring that corporate assets are protected while allowing users, especially traveling users, the freedom to use the Web for personal use. Other hypervisors from Citrix, Microsoft, and VMWare can't boast the same level of separation of virtual machines and provable security methods.

Integrity PC is the first OS that is provably secure and can run securely run other OSes. The missing components, however, are the management tools that enterprises need to manage both the base OS and the hypervisor. Basic start, stop, and provisioning is available today, but enterprises demand more robust and scalable tools. The management tools could come from third-party developers, but Integrity Global Security should probably focus some energy on a management framework to augment Integrity PC.