National Security Agency Information Assurance Guidance for Systems Based on a Security Real-Time Operating System: Systems Security Engineering

The emergence of commercial off-the-shelf (COTS) real-time operating systems (RTOS) with the capability to support processing data at multiple classification levels on a single processor while maintaining the necessary data separation has generated significant interest, particularly by embedded system developers. The opportunity to leverage this technology to reduce size, weight and power requirements or to provide more capabilities within an existing footprint drove the need for appropriate Information Assurance (IA) guidance to enable these gains. The National Security Agency (NSA) established a cross-organizational team to develop the necessary IA guidance and this document is the product of that effort. Within this document the term Security Real- Time Operating System (SRTOS) is defined as a separation kernel-based RTOS that has undergone an appropriate security evaluation. Four operational scenarios are described in detail with the intent that any given embedded system would be similar to one of them. For three of the scenarios detailed IA guidance is provided that can be tailored and applied. The IA guidance for the fourth scenario is that it be re-architected because any reasonable IA guidance would not provide sufficient protection to counter the threat. The IA guidance provided in this document addresses many topics including the robustness level of components, layering components, component re-evaluation, use of cache and direct memory access, partitioning, scheduling, communications, devices, covert channel analysis, initialization, life cycle protection measures, and other topics. This IA guidance is targeted at the systems engineers and Information Systems Security Engineers (ISSE) that are developing embedded systems that will be based on a SRTOS and will perform security critical functions such as the separation of data at multiple classification levels. The table below is a summary of the topics and IA guidance. It is provided as an aid to the IA practitioner and a snapshot of the document's content.