Military Embedded Systems

'EAL 6+' says it all - or does it? Q&A with Marc Brown, Vice President, VxWorks Product Strategy and Marketing for Wind River Systems


October 27, 2009

Editor's note: To be or not to be ? EAL 6+ certified: That is the question. Apologies to William Shakespeare, but you get the point. With EAL 6 (or 6+) certification becoming the latest trend among embedded software vendors, the criteria for achieving such should be fairly straightforward ? or is it? Marc Brown, VP over VxWorks Product Strategy and Marketing at Wind River Systems, reveals what he claims are misassumptions about EAL 6+, as the company?s VxWorks MILS Platform 2.0 undergoes NSA/NIAP evaluation for EAL 6+ compliance. He also has a thing or two to say about the company?s recent acquision by Intel, multicore, and a clarified focus for the future. Edited excerpts follow.

MIL EMBEDDED: Wind River recently announced its VxWorks MILS Platform 2.0, which is now listed on the NSA-operated National Information Assurance Partnership’s (NIAP’s) website1 as “In Evaluation” for compliance to High Robustness and Common Criteria Evaluation Assurance Level (EAL) 6+. What was the impetus?

BROWN: We’ve got a pretty long history with products that have been safety-certified. And there are quite a few people using VxWorks 653 as well as our certified VxWorks products for safety-critical applications such as avionics. VxWorks MILS Platform 2.0, though, is really our first widely available platform for highly secure environments. It’s designed for cases where there are different levels of data, whether it’s data at different classification levels – maybe unclassified, classified, secret, or top secret – or data from coalition partners, for example, and these need to coexist securely on the same hardware system. There are many more applications these days that have security requirements on how to handle that data. Unfortunately, for many organizations today, the only way they know how to deal with different levels of security is to use redundant hardware or systems. Instead of having one computer on your desk, there might be two or three computers, each based on different security levels and the actual hardware line that they plug into.

VxWorks MILS provides a development environment that allows systems with multiple levels of security to be collapsed into a single system, and the operating system itself provides the data separation required to deal with these multiple levels of security or data classification. This reduces the costs for our military: For example, soldiers on the battlefield might need to carry two or three mobile handheld radios, each handling communications at different security levels, but now they can use one single radio that provides the same secure communication services. Separation is becoming a mandatory requirement these days.

MIL EMBEDDED: How have NSA and NIAP played into VxWorks MILS 2.0’s development?

BROWN: We’re working very closely with NSA and NIAP, certainly, to do our evaluation. We’ve really tried to take a different approach from some other companies in that we’ve developed the MILS separation kernel from the ground up to be compliant with the U.S. government protection profile for separation kernels2. We’re not tweaking or trying to force any new requirements into an existing product.

We’re working closely with NSA and the University of Idaho on the formal methods evaluation. The end goal is that once someone buys this particular environment, if they need to change the hardware, a re-evaluation will be as cost-effective as possible in that they won’t have to recertify the entire system. They’ll be able to reuse certification artifacts for the majority of the system, and only need to re-evaluate the lowest layers of software that have been affected by the change in hardware.

MIL EMBEDDED: Tell me a little more about VxWorks MILS 2.0 itself.

BROWN: VxWorks MILS 2.0 provides a Separation Kernel (SK) as well as a number of other key capabilities, but I won’t go through all of them now. VxWorks MILS 2.0 is really focused on providing key SK capabilities, interpartition communication capabilities, and networking capabilities. This release supports the Power Architecture. Other architectures will be supported in the near future.

MIL EMBEDDED: What’s the significance of the SK technology in VxWorks MILS 2.0?

BROWN: I think one thing of significance to note with VxWorks MILS 2.0, at least from a technical perspective, is that VxWorks MILS 2.0 was built using a Type 1 hypervisor technology. There are two approaches: You can either go with a Type 2 hypervisor, which basically utilizes an operating system to act as a hypervisor. Or you can use a Type 1 hypervisor that’s a separate technology that’s very lightweight, very small, and provides the fundamental services. In this case, it provides the services necessary to be compliant with the Separation Kernel Protection Profile (SKPP), suitable for EAL 6+ certification levels, but provides for better system performance than a Type 2 hypervisor-based system. Our VxWorks 653 platform uses Type 1 hypervisor-based virtualization to achieve very high performance, even with dozens of user-mode partitions.

In addition, we have the VxWorks guest operating system that can be utilized in the partitions, really giving VxWorks users great API compatibility so they can take their applications and plug them into a MILS environment. And at that point, they’ve got these applications that they can now reuse in a fully secure environment.

MIL EMBEDDED: When you say a Type 1 hypervisor is “very small,” how many lines of code are we talking about?

BROWN: I don’t think we’ve released the number of lines of code, but it is definitely in the lower thousands of lines of code.

MIL EMBEDDED: What role does the SKPP play in EAL 6+ certification?

BROWN: The SKPP provides guidelines for developing a separation kernel, which is what actually goes through certification. We have a developed a separation kernel based on the NSA-approved SKPP that will go through the EAL 6+/high robustness certification.

MIL EMBEDDED: How is this different or similar to how Green Hills got its INTEGRITY-178 RTOS certified?

BROWN: It’s different. Green Hills took a Type 2 hypervisor approach. And they only certified under “high robustness”; they did not certify under EAL 6+, as they did not actually add in the necessary requirements to comply with EAL 6. We’re actually taking a very similar Type 1 hypervisor-based approach as LynuxWorks, but we think it’s important for us to be certified under both the common criteria EAL 6 and also under “high robustness.”

MIL EMBEDDED: You’re telling me certification to EAL 6+ is different from being certified and categorized as “high robustness.” Those two terms are not analogous3?

BROWN: That’s correct. They’re very similar, but there are two or three requirements that actually need to be added into the “high robustness” definition to fulfill the requirements of EAL 6. One of the reasons Green Hills is not listed on NIAP’s website under systems evaluated at EAL 6+ is that there are certain requirements that have to be satisfied in addition to developing in compliance to the SKPP.

MIL EMBEDDED: When will VxWorks MILS 2.0 be certified?

BROWN: Our current plan is for certification to be accomplished by the end of 2011.

MIL EMBEDDED: Wind River’s ARINC 653 partitioned OS is a completely different kernel from the one we’re talking about now, correct?

BROWN: Yes, exactly. They’re both based on virtualization technologies, but VxWorks MILS 2.0 was designed to comply with the guidelines in the SKPP to achieve certification to EAL 6+ and “high robustness.”

MIL EMBEDDED: By now everyone knows about Intel’s recent acquisition of Wind River. Can you make any comments in respect to what we’ve talked about?

BROWN: There’s intent for Wind River to maintain its independence and continue driving forward with its defined plans. I think we’ve got some really strong roadmaps and strategies laid out – for various architectures such as Intel, PowerPC, ARM, and MIPS – that span the next 18 months to 3 years that we’re going to continue to drive forward.

MIL EMBEDDED: About five years ago, we were hearing lots of awful things about the platform strategy that Wind River had launched, which was confusing a lot of people. There was a transition out of Tornado. There was also the “Hell no, we’ll never do Linux,” then “Guess what – now we’re doing Linux.” But I think Wind River is well sorted at this point in time. Where is your focus now?

BROWN: We’ve clarified our focus much more. It’s great because we’ve got broad coverage across many vertical markets. And then some of the new technology disruptions, especially multicore, have been really good for Wind River in that they have allowed us to apply a lot of the technological history that our company’s built up. It’s amazing to me when I hear about processors in the works with hundreds of cores versus the dual- or quad-core processors that people are already struggling with. I think customers will need operating systems that can somewhat shield them from the complexity of the processor while also being optimized. That’s a big area that we’re highly focused on.

MIL EMBEDDED: With FPGA companies focusing on interfacing with  lots of different cores, might it seem natural to Wind River that operating systems like VxWorks are going to have to find their way a lot more formally into FPGA-based and multicore designs?

BROWN: Yes, definitely. It’s been amazing for us to watch some of the new processors coming to market with dedicated acceleration engines – built into a multicore design – that are very vertical market-centric. They’re certainly useful in the networking and wireless markets, and we have heard that the industry is going to see more and more multicore chips with FPGAs. If there’s an FPGA on the silicon, you can basically tailor that chip for any particular vertical market. So it’s only natural that an operating system such as VxWorks or Linux actually will be able to support that.

Marc Brown is Vice President, VxWorks Product Strategy and Marketing for Wind River Systems. He has more than 18 years of experience in the development and deployment of highly technical mission-critical systems. He also served as VP of Product Marketing and Strategy for Borland Software and held senior management positions at IBM and Rational and technical positions at Motorola and Corning.  He can be contacted at [email protected].

Wind River 510-749-2238

1 NIAP’s listing of validated products can be found at:

2 NIAP’s certification documentation can be found (and subsequently downloaded) from:

3 An interview with Green Hills CTO Dave Kleidermacher can be found at:


Featured Companies

Wind River

500 Wind River Way
Alameda, CA 94501