Compliant Product - Green Hills Software INTEGRITY-178B Separation Kernel, comprising: INTEGRITY-178B Real Time Operating System (RTOS), version IN-ICR750-0402-GH01_Rel (Version 4.2) running on Compact PCI card, version CPN 944-2021-021 w/PowerPC, version 750CXE
Certificate Date: 31 January 2011
Validation Report Number: CCEVS-VR-VID10362-2011
Product Type: Operating System
Conformance Claim: EAL6 Augmented with ACM_AUT.2, ACM_CAP.5, ACM_SCP.3, ADO_IGS.1, ADV_RCR.3, ADV_SPM.3, AGD_USR.1, ALC_DVS.2, ALC_FLR.3, ALC_LCD.2, ALC_TAT.3, ATE_COV.3, ATE_DPT.3, ATE_FUN.2, ATE_IND.3, AVA_MSU.3, AVA_SOF.1
CC Testing Lab: SAIC Common Criteria Testing Laboratory
The Green Hills Software INTEGRITY-178B Separation Kernel TOE is a separation kernel designed to instantiate and separate partitions that host custom applications. The TOE manages access to memory, devices, communications and processor resources so that partitions are entirely separated and can interact only in well-defined ways configured by System Architects.
The TOE is an embedded real-time operating system: it does not include operating system constructs such as a file system, shell prompt, or user logins. It does schedule partitions to execute on the actual hardware and provides granular scheduling of the entities (i.e., tasks) operating within a given partition.
The TOE comprises the INTEGRITY-178B IN-ICR750-0402-GH01_Rel real-time operating system (RTOS) running on an embedded PowerPC processor on a Compact PCI card. The card plugs into its IT environment via the PCI bus, and because of the PCI hardware implementation it may be necessary to trust some of the other devices on the bus, if present. Devices on the bus, or devices installed directly on the embedded card, can be made available to partitions, although the TOE itself does not include any device drivers. Access to such devices is provided by mapping their control and data registers into memory regions of a given partition; device drivers are then implemented outside the TOE, in the partitions, as necessary. Mapping some device registers into a partition may require that partition to be trusted, as described in the TOE platform documentation.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the Green Hills Software INTEGRITY-178B Separation Kernel TOE meets the security requirements contained in the Security Target - Green Hills Software INTEGRITY-178B Separation Kernel Security Target, Version 4.2, 31 May 2010.
The criteria against which the TOE was judged are largely described in the Common Criteria for Information Technology Security Evaluation version 2.3. The evaluation methodology used by the evaluation team to conduct the evaluation was a combination of the Common Methodology for Information Technology Security Evaluation versions 2.3, 3.0, and 3.1 along with methodology developed specifically for this project to address explicitly defined assurance requirements.
Science Applications International Corporation (SAIC) determined that the TOE does not satisfy any EAL defined in the Common Criteria, but rather fulfills the High Robustness requirements as defined in the U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, Version 1.03, 29 June 2007. The TOE, when configured as specified in the installation guides and user guides, satisfies all of the security functional requirements stated in the Security Target.
Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in September 2010. Results of the evaluation and associated validation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report.
The Green Hills Software INTEGRITY-178B Separation Kernel TOE provides security auditing, user data protection, identification and authentication, security management, protection of the TSF, and resource utilization features as they relate to the TOE and hosting of application partitions.
Security Audit: The TOE is capable of auditing security events, placing them into a memory buffer that can be accessed by an application in a partition configured for that purpose. The TOE can be configured to shut itself down when it detects a security-relevant failure within itself.
User Data Protection: The TOE instantiates partitions and allows them to interact only through specifically configured mechanisms. The separation extends even to CPU time: partitions can be given fixed blocks of guaranteed processing time or, alternatively, can be combined into groups that share blocks of time.
Identification and Authentication: The TOE maintains unique identification of all partitions and available resources so that they are always unambiguously associated.
Security Management: The TOE is intended for use as an embedded component with no capability for direct interaction between authorized individuals and the TSF during runtime. All security management functionality is achieved by the System Architect through the configuration and deployment of the TOE before it becomes operational.
Protection of the TSF: The TOE includes self-tests that run at boot time and as scheduled by the System Architect to ensure the underlying hardware is working correctly and the TOE binaries have not been corrupted. A System Architect deploying the TOE can use built-in hooks to perform specific functions during boot-up and in the event of identified problems.
Resource Utilization: Both memory and processor resources are among the resources that can be assigned to partitions. Specific memory regions are assigned, and partitions cannot acquire more memory without the TOE being reconfigured while non-operational. Likewise, during configuration a given partition can be given a specific block of guaranteed CPU time or can be pooled with other partitions to share blocks of CPU time.
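The two CPU-time allocation modes described under User Data Protection and Resource Utilization (a fixed guaranteed block per partition, or a shared block for a pooled group) can be modelled in a few lines. The following is an added illustrative simulation written for this page; it is not INTEGRITY-178B code and does not reflect its configuration format. Partition names, demands and budgets are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Partition:
    name: str
    demand: int                  # ticks of work wanted per major frame (constructed)
    fixed: int = 0               # guaranteed ticks per frame; 0 means not fixed
    group: Optional[str] = None  # name of the pool this partition shares, if any
    ran: int = 0                 # ticks actually executed in the last frame

def run_frame(partitions: List[Partition], pools: Dict[str, int]) -> Dict[str, int]:
    """Simulate one major frame of a static schedule.

    Fixed-block partitions receive exactly their block and nothing more, regardless
    of how much work any other partition wants. Pooled partitions share their
    group's budget one tick at a time, round-robin, so a partition with a large
    demand cannot starve a small one in the same pool, and can never touch the
    fixed blocks at all. Returns {partition name: ticks executed}.
    """
    for p in partitions:
        p.ran = 0
    # Fixed blocks: the guarantee is also a ceiling.
    for p in partitions:
        if p.fixed:
            p.ran = min(p.demand, p.fixed)
    # Pooled groups: members draw from the shared budget in round-robin order.
    for grp, budget in pools.items():
        members = [p for p in partitions if p.group == grp]
        remaining = budget
        while remaining > 0 and any(p.ran < p.demand for p in members):
            for p in members:
                if remaining == 0:
                    break
                if p.ran < p.demand:
                    p.ran += 1
                    remaining -= 1
    return {p.name: p.ran for p in partitions}

def demo() -> Dict[str, int]:
    # Constructed scenario: one control partition with a 20-tick guarantee, one
    # misbehaving partition demanding far more than its pool holds, one small
    # partition in the same pool, and an idle fixed-block partition.
    parts = [Partition("flight_ctrl", demand=50, fixed=20),
             Partition("greedy", demand=1000, group="pool"),
             Partition("telemetry", demand=5, group="pool"),
             Partition("idle_app", demand=0, fixed=10)]
    return run_frame(parts, {"pool": 30})
```

Running `demo()` shows the greedy partition capped at the pool's remainder (25 ticks) while `flight_ctrl` keeps its full 20-tick block and `telemetry` still gets its 5.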