SANTA BARBARA, CA November 2, 2009 Green Hills Software, Inc., the world leader in secure operating systems and the largest independent vendor of embedded software solutions, today responded to false and misleading statements made by Marc Brown, vice president, VxWorks Product Strategy and Marketing for Wind River. He is quoted by Military Embedded Systems at www.mil-embedded.com/articles/id/?4281 as saying that Green Hills Softwares INTEGRITY-178B real-time operating system is not certified under EAL6+. In response to a question about the INTEGRITY-178B operating system, he replied:
[Green Hills Software] only certified under high robustness; they did not certify under EAL6+, as they did not actually add in the necessary requirements to comply with EAL6.
This statement is false. The INTEGRITY-178B operating system is certified to EAL6+ (and High Robustness). It is printed directly on the certificate found on the NIAP web site (www.niap-ccevs.org/st/st_vid10119-ci.pdf) and signed by Directors of NIAP and the NSA. The certificate says Assurance Level: EAL6+, High Robustness just above the Original Signed By in the lower left signature block.
Built from the Ground Up for High Robustness
Mr. Brown goes on to say: Weve really tried to take a different approach from some other companiesWere not tweaking or trying to force any new requirements into an existing product. Of course, some other companies and an existing product are indirect references to Green Hills Software and INTEGRITY-178B.
Lets set the record straight: the INTEGRITY operating system was originally designed and developed for the purpose of formal security evaluation with a deep understanding of the mathematical basis of operating system security. The first deployment of the INTEGRITY operating system was for a nuclear weapons delivery system: the B1-B intercontinental nuclear bomber flight systems, navigation systems, and weapons systems. Other early deployments of the INTEGRITY operating system were for equally security critical systems: the B-52 and F-16 aircraft. Today, the INTEGRITY-178B operating system is being designed or has been deployed into almost every major next-generation commercial and military aircraft, including Boeings new 787 Dreamliner, Airbus new A380 and A350 Airliners, Lockheed Martins F-35 Lightning II Joint Strike Fighter, F-22 Raptor, C-130J Super Hercules, and the VH-71 Marine One helicopter, Airbus new A400M military transport, Northrop Grummans B-2 Spirit Stealth Bomber, Boeings C-17 Globemaster III military transport, Sikorskys S-92 helicopter, Airbus A320, A330 and A340 Airliners and Boeings 737, 747, 757, 767 Airliners.
Mr. Brown went on to say, One of the reasons Green Hills is not listed on the NIAPs website under systems evaluated to EAL6+ is that there are certain requirements that have to be satisfied in addition to developing in compliance to the SKPP. We list the INTEGRITY-178B operating system under High Robustness on the NIAP website rather than EAL6+ because an expert in the field (which excludes Wind River Marketing) understands that a High Robustness certification is significantly harder than an EAL6+ or EAL7 evaluation because the U.S. government added 133 explicit requirements over and above 154 EAL7 requirements (including formal methods and NSA penetration testing) from the Common Criteria menu, in order to meet High Robustness: protection of the most valuable resources against the most sophisticated attackers.
On the other hand, to the best of our knowledge, VxWorks MILS 2.0 has never been deployed in anything or certified for anything. Until Wind River has achieved an EAL6+ or High Robustness certification, Wind Rivers pronouncements on security should be given no more weight than medical advice from a medical student.
Wind River Marketing: A Pattern of Certification Promises Broken
Wind Rivers attacks on the INTEGRITY-178B operating system are an attempt to deflect attention from Wind Rivers failure to keep repeated promises to deliver a separation kernel certified to EAL7, EAL6+ or High Robustness for security or certified to DO-178B Level A for safety. Their repeated claims of imminent certification are interspersed with repeated product failures and cancellations:
– 2001: announces VxWorks AE separation kernel, then withdrawn from the market as general product and renamed to AE653 for flight safety market
– 2002: promises EAL7 certification for VxWorks AE653
– 2002: promises DO-178B Level A certification for VxWorks AE653
– 2004: again announces it will meet EAL7 certification for VxWorks AE653
– 2004: promises POSIX Profile 54 conformance certification
– 2006: cancels EAL7 with VxWorks AE653, promises EAL7 for VxWorks MILS
– 2008: cancels EAL7 with VxWorks MILS, promises EAL7 for VxWorks MILS 2.0
Nearing 2010, Wind River has failed to deliver on any of its certification promises for a separation kernel: DO-178B Level A, High Robustness, EAL6+, EAL7, or POSIX Profile 54. When Wind River says certifiable they mean not certified and it may not ever be certified.
Green Hills Engineering: A Pattern of Certification Promises Fulfilled
In contrast, here is a timeline of Green Hills Softwares separation kernel promises and deliveries:
– 1997: releases INTEGRITY RTOS, first customer: Boeing B-1B
– 1999: promises DO-178B Level A certification
– 2002: delivers first of many DO-178B Level A customer certifications
– 2004: promises POSIX.1 conformance certification
– 2004: delivers POSIX.1 conformance certification
– 2005: promises EAL6+ certification
– 2008: delivers first ever NSA and NIAP certified EAL6+ certification
– July 2009 delivers 2nd EAL6+ certification to a PowerPC 7448 customer
– Sept 2009 delivers 3rd EAL6+ certification to a PowerPC 8548 customer
– Oct 2009 delivers 4th, 5th and 6th EAL6+ certifications to PowerPC 8245, 7410 and 7447A customers
INTEGRITY is a single technology, designed from the ground up to meet the highest levels of both safety and security, surrounded by world-leading development tools, an enormous ecosystem of device drivers and middleware, conformance to open standards, ability to run virtualized guest operating systems for maximum portability and reuse, more than a decade of customer success, and backed by a trustworthy, successful, independent vendor.
It is unfortunate that the acquisition of Wind River by Intel, a respected multinational corporation, has not curbed Wind Rivers decade long pattern of irresponsible certification claims, commented Dan ODowd, chief executive officer and founder of Green Hills Software. We had been hearing this misinformation about the INTEGRITY-178B operating system through the grapevine. Now, I think, we know where it is coming from. I demand an immediate retraction and apology from Wind River, and a promise to suppress the propagation of this misinformation by the Wind River organization.
About Green Hills Software
Founded in 1982, Green Hills Software, Inc. is the largest independent vendor of embedded development solutions. In 2008, the Green Hills INTEGRITY-178B RTOS was the first and only operating system to be certified by the NSA to EAL6+ High Robustness, the highest level of security ever achieved for any software product. Our open architecture integrated development solutions address deeply embedded, absolute security and high-reliability applications for the military/avionics, medical, industrial, automotive, networking, consumer and other markets that demand industry-certified solutions. Green Hills Software is headquartered in Santa Barbara, CA, with European headquarters in the United Kingdom. Visit Green Hills Software at www.ghs.com.
Green Hills, the Green Hills logo and INTEGRITY are trademarks or registered trademarks of Green Hills Software, Inc. in the U.S. and/or internationally. Intel is a trademark or registered trademark of Intel Corporation in the United States and other countries. All other trademarks are the property of their respective owners.