Military Embedded Systems

Shades of gray? Green Hills sees red over Wind River's Brown comments


November 03, 2009

Chris A. Ciufo

General Micro Systems, Inc.


When elephants dance … oh, heck. You know the rest.

The battle between Green Hills Software and Wind River Systems is legendary. Both companies compete ferociously in the market for Real-Time Operating Systems (RTOSs) and increasingly in the safety-critical/secure RTOS space. Software is at the heart of every CPU core, and choosing both the processor and RTOS is a strategic decision made at the highest levels within every design and marketing team. It’s a winner-take-all battle: Once an RTOS is designed into a program, there’s no changing it until the platform goes End-Of-Life (EOL), 10+ years later.

Before I continue, first a little disclosure so you can assess the credibility of this writer. Firstly, I’ve known Green Hills since about 1985 when the company was commissioned by my employer – Advanced Micro Devices – to create the compiler for the then-new Am29000 microprocessor. GHS was in Pasadena, CA at the time and I would visit them monthly for software progress reports. As for Wind River, I have a close working relationship with company executives that extends to when I knew them at many of their former employers. I often moderate paid webinars for Wind River (what my company calls “E-casts”). I’ve written about or edited so many articles and interviews from both companies that I’ve lost count. In short: I’m friendly to both and try to be fair in my reporting.

But in my Q&A with Wind River published in the October 2009 issue of Military Embedded Systems, “'EAL 6+' says it all – or does it? Q&A with Marc Brown, Vice President, VxWorks Product Strategy and Marketing for Wind River Systems,” Brown makes several statements about Green Hills that have irked Green Hills' president, Dan O’Dowd. Not known as bashful in his claims about the competition, O’Dowd’s rebuttal to Brown’s comments is pretty strong, and can be found here. Green Hills called me in advance and gave me a heads-up that it was coming and offered a chance to interview Green Hills executives to hear their side of the situation.

At issue are two key points:

1. Wind River believes that the right way to build a secure operating system (such as Green Hills’ INTEGRITY-178B or Wind River’s VxWorks MILS 2.0) is to start from the ground up.

2. Brown asserts that Green Hills’ INTEGRITY-178B is “… only certified under ‘High Robustness’; they did not certify under EAL 6+. They originally said they did, and they still say they do. But if you look at NIAP, they did not actually add in the necessary requirements to comply with EAL 6+.”

I’ve done some digging into these two items, and here’s what I’ve found. You can draw your own conclusions. I’m certain that Wind River will weigh in with their own clarifications, and we’ll print those, too.

Issue No. 1: The right way to build a secure operating system is to start from the ground up.

Both companies are in 100 percent agreement, though they tell different stories. The version of INTEGRITY-178B certified by the NSA’s National Information Assurance Partnership (NIAP) is “IN-ICR750-0101-GH01_Rel running on Compact PCI card, version CPN 944-2021-021 with PowerPC, version 750CXe.” Green Hills asserts that this is based upon the same Separation Kernel (SK) that was shipped with the original version of INTEGRITY when it debuted in 1995. Though updated over the years to the version that was designed into the Joint Strike Fighter (JSF) in 2000 and submitted eight years ago for NIAP certification, Green Hills said they indeed started from the ground up to build a secure RTOS. Their point: They started with the goal of a secure RTOS from the very beginning.

Issue No. 2: INTEGRITY-178B is not certified to EAL 6+, only to ‘High Robustness.’

This one stumped me, too. When I fact-checked Brown’s assertions after the original interview (March 2009), I discovered that NIAP’s list of validated products says “High Robustness,” followed by the Separation Kernel Protection Profile (SKPP) “PP_SKPP_HR_V1.03”. There’s no mention on the validated products list of “EAL 6+,” leading one to believe that claims of EAL 6+ are inaccurate. In fact, the actual details in the SKPP overview have this perplexing statement by SAIC, the company performing the certification process:

“Science Applications International Corporation (SAIC) determined that the TOE [Target Application Environment] doesn’t satisfy any EAL defined in the Common Criteria, but rather fulfills the High Robustness requirements as defined in the U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, Version 1.03, 29 June 2007. The TOE, when configured as specified in the installation guides and user guides, satisfies all of the security functional requirements stated in the Security Target.”



But in fact, the actual NIAP approval certificate indicates “EAL 6+, High Robustness” (see Figure 1). At this time, I’m unable to explain the comment by SAIC – mostly because this eight-year approval process is hugely complex, and I’m no expert.


Figure 1: The actual NIAP approval certificate for Green Hills Software's INTEGRITY-178B indicates “EAL 6+, High Robustness.”

This isn’t merely splitting hairs: The VPL table seems to agree with the SAIC statement and appears to be missing the “EAL 6+” part, although the actual certificate takes precedence. O’Dowd told me that “High Robustness” is a much harder superset of criteria beyond merely achieving EAL 6+. In fact – and here’s where I’ll take his word for it – the aforementioned Protection Profile is said to have 133 additional “explicit requirements over and above 154 EAL 7 requirements” needed “merely” for EAL 7 – which is itself a superset of EAL 6+. In short: High Robustness is supposed to be better than EAL 6+ – and the NIAP certificate says INTEGRITY-178B has achieved both.

I’m sure we’ve not heard the last of this, as Wind River will undoubtedly feel compelled to comment on O'Dowd's rather controversial press release. However, Wind River has a history of ignoring Green Hills’ shots across the bow by taking the high road. I, for one, would like to get to the bottom of this, as I’ve pointed out some confusing circular logic in the NIAP documentation. If you’re like me, you’re having a tough time figuring out why both sides’ arguments seem to make rational sense. How can both be right?

For now, this Green (Hills) vs. (Marc) Brown argument makes me blue.

More to follow, I’m sure.