Software is a key component of present-day aerospace systems. Increased reliability is required from operating systems that host critical software applications.
Wind River’s VxWorks is a real-time operating system that is widely used in the aerospace industry. Missions using VxWorks include the Mars Reconnaissance Orbiter, the Phoenix Mars Lander, the Deep Impact space probe, Spirit and Opportunity Mars Exploration Rovers, and Stardust.
Mike Deliman, Senior Engineering Specialist at Wind River Systems, answered a few questions related to the new VxWorks MILS Platform 2.0.
DJ: What is VxWorks MILS Platform 2.0?
Mike Deliman: VxWorks MILS Platform 2.0 is a platform for creating systems that are evaluatable to high levels of the Common Criteria / Evaluated Assurance Level scale. The VxWorks MILS 2.0 separation kernel is currently under evaluation by NIAP labs to an EAL 6+ level. The VxWorks MILS 2.0 Platform contains a separation kernel and technology to allow you to create multi-partitioned software systems where each partition can be evaluated to handle multiple independent levels of security (MILS) or to handle multiple levels of security (MLS). The long and short of it: similar to a VxWorks 653 flight OS, you can use a VxWorks MILS 2 platform to design a single platform that is capable of replacing multiple legacy systems. In other words, like a VxWorks 653 flight system, you can create a single modern system to replace multiple legacy systems, reducing Space, Weight and Power (SWaP) requirements.
DJ: What is a separation kernel and how did the concept make its way into software development for the aerospace industry?
M.D.: Separation kernels allow you to take a single modern high-powered CPU and use it to replace several legacy systems. There are many examples of separation kernels and paradigms for their use. ARINC 653 defines a time and memory-space partitioning paradigm, services, and an API that must be provided (the Application Executive, or APEX). We have a platform – VxWorks 653 – that implements the ARINC 653 APEX separation and API. Separation technologies are becoming quite popular; many are called “Hypervisors”. There are many Hypervisors out in cyberspace; the “Type 1” Hypervisors can all be thought of as forms of separation kernels. The Aerospace industry is a prime target for separation technologies because of the need to reduce the “SWaP” factors.
DJ: How does the VxWorks MILS separation kernel improve the reliability of aerospace applications?
M.D.: The VxWorks MILS separation kernel could be used to allow a single satellite to fulfill multiple missions. For instance, there may be a number of sensors and experiments on board, some for civilian / educational interests, some for NASA, some for research entities, perhaps some for the USAF. A MILS kernel could be used to collect, encode, and steer data safely, providing assurance that the data will not be mixed until it is in a state deemed “safe” for mixing. A satellite running a MILS separation kernel to handle such data wrangling could combine and satisfy multiple mission masters. If I were to be asked to design such a system, I would most likely recommend a flight computer separate from the science computer. Even if the science and flight SW were to share a single CPU, the separation technology would help ensure that no problems on any science application could affect any of the other science applications or any flight applications. In this way the flight system would be protected from anomalous events in the science packages, and the overall system would benefit from improved reliability.
DJ: John Rushby introduced the concept of separation kernel in order to provide multilevel secure operation on general-purpose multi-user systems. Do software applications developed for the aerospace industry (and I have in mind software running on micro-controllers) have the level of complexity that would require a separation kernel?
M.D.: Concentrating on the micro-controller aspect, no, most single (federated) systems running one micro-controller (or even several) do not even need a 32-bit processor dedicated to their operation. However, with a proper separation kernel and time-sliced architecture, you could use one modern high-speed 32-bit CPU to control and monitor a large number of smaller systems, and ensure any faults occurring on those control-and-monitor loops are contained. And as noted above, in a system used to satisfy requirements of multiple masters (agencies), MILS-style data separation may be the only way to keep satellite weight within limits and provide the information assurance the agencies require.
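The two mechanisms discussed above, fixed time windows in a major frame (ARINC 653-style time partitioning) and an explicit information-flow policy between partitions (so science data cannot reach the flight partition unless the policy says so), are modelled in the following added example. It is a constructed toy written for this page, not VxWorks, VxWorks 653 or VxWorks MILS code; the partition names, window lengths and the `allowed` policy table are hypothetical. The point it demonstrates is the one Deliman makes: a runaway science partition that demands far more than its window is cut off at the window boundary, the next partition starts on time, and a send that is not in the policy is refused.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of time and space partitioning on one CPU.
 * Hypothetical names and numbers; not vendor code. */

#define NPART 3
#define MAJOR_FRAME_TICKS 10          /* must equal the sum of window_ticks */

enum { FLIGHT = 0, SCI_A = 1, SCI_B = 2 };

static const char *part_name[NPART] = { "flight", "science_a", "science_b" };

/* Fixed schedule: each partition owns one window of every major frame. */
static const int window_ticks[NPART] = { 4, 3, 3 };

/* Per-partition state. Each partition has a private memory region
 * (modelled as a small array) that no other partition can address. */
struct partition {
    int memory[4];     /* private memory region */
    int demand;        /* ticks of work it wants in this frame */
    int ran;           /* ticks it actually received */
    int overruns;      /* frames in which it wanted more than its window */
};

static struct partition parts[NPART];

/* Information-flow policy, checked by the kernel on every send.
 * Flight may command either science partition; nothing may flow from
 * science into flight, and the two science partitions are isolated. */
static const int allowed[NPART][NPART] = {
    /* dst: flight sci_a sci_b      src   */
    {       0,     1,    1 },   /* flight */
    {       0,     0,    0 },   /* sci_a  */
    {       0,     0,    0 },   /* sci_b  */
};

int flow_allowed(int src, int dst) {
    if (src < 0 || src >= NPART || dst < 0 || dst >= NPART) return 0;
    return allowed[src][dst];
}

/* Deliver one word from src to dst only if the policy permits it.
 * Returns 0 on success, -1 when the channel is not in the policy. */
int partition_send(int src, int dst, int value) {
    if (!flow_allowed(src, dst)) return -1;
    parts[dst].memory[0] = value;
    return 0;
}

void reset_partitions(void) { memset(parts, 0, sizeof parts); }
void set_demand(int p, int ticks) { parts[p].demand = ticks; }
int partition_ran(int p) { return parts[p].ran; }
int partition_overruns(int p) { return parts[p].overruns; }

/* Run one major frame. A partition gets exactly its window and no more:
 * if it demands more it is preempted at the window boundary and the
 * overrun is recorded, but the next window still begins on schedule.
 * Returns the ticks consumed, which is always MAJOR_FRAME_TICKS. */
int run_major_frame(void) {
    int now = 0;
    for (int p = 0; p < NPART; p++) {
        int granted = parts[p].demand < window_ticks[p]
                    ? parts[p].demand : window_ticks[p];
        if (parts[p].demand > window_ticks[p]) parts[p].overruns++;
        parts[p].ran = granted;
        now += window_ticks[p];   /* the window elapses whether used or not */
    }
    return now;
}

int main(void) {
    reset_partitions();
    set_demand(FLIGHT, 3);
    set_demand(SCI_A, 50);        /* runaway science application */
    set_demand(SCI_B, 2);
    run_major_frame();
    for (int p = 0; p < NPART; p++)
        printf("%-10s window=%d ran=%d overruns=%d\n", part_name[p],
               window_ticks[p], parts[p].ran, parts[p].overruns);
    printf("flight -> sci_a: %d\n", partition_send(FLIGHT, SCI_A, 42));
    printf("sci_a -> flight: %d\n", partition_send(SCI_A, FLIGHT, 42));
    return 0;
}
```

The schedule table and the policy table are both constants compiled into the kernel image, which is the property an evaluator cares about: no partition can lengthen its own window or add itself a channel at run time, so the worst a faulty science application can do is waste its own slot.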
DJ: What features make the VxWorks operating system reliable and secure?
M.D.: Focusing on the VxWorks family of operating systems and the VxWorks OS API, VxWorks has been used in millions of devices over more than two decades of service, in applications as simple as MP3 players and as complex as autonomous space-exploring robots, and as life-critical as telerobotic surgeons. There is no way a software company could anticipate the wide range of use that our customers have dreamed up and implemented. The VxWorks family of OSes share a common ancestry of code, and all can benefit from bugs discovered and fixed in any of the family line.
Focusing on the VxWorks MILS platform, the separation kernel was designed expressly in compliance with the SKPP (the Protection Profile for separation kernels), with a focus on controlling embedded applications that require some degree of real-time control.
DJ: What are the features that make VxWorks a real-time operating system?
M.D.: Determinism is king in the real-time world. The ability to react to events in the real world with a high degree of determinism is what gives VxWorks its hard real-time responsiveness. This hard determinism is carried over into all of the VxWorks family line, including our separation kernels and VxWorks SMP.
DJ: What toolchain is shipped with VxWorks? What programming languages are supported by the toolchain?
M.D.: Depending on the VxWorks package, one or more toolchains may be supplied and supported. For the most part, various versions of the Wind River Compiler (formerly “Diab”) and various versions of the GNU tools are supplied / supported with VxWorks. For the VxWorks MILS 2 platform we use a couple of versions of the GNU toolchains, specially modified for the parts they are used to build.
DJ: What hardware is targeted by the platform? Is an actual board necessary for development of applications or is an emulated target environment available for software engineers?
M.D.: Specifically, chips we are targeting include the following:
– Freescale 8641D (CW VPX6-165)
– Freescale 8548 (Wind River SBC8548)
– Intel Core 2 Duo (Supermicro C2SBC-Q)
– Freescale P2020, P1011, P4080 (future)
– Intel Atom, Nehalem (future)
We currently support Simics as the only simulation environment available for the VxWorks MILS platform.
Wind River Systems was founded in Berkeley, California in 1981. Intel bought Wind River Systems for a reported $884 million in July 2009. The VxWorks real-time operating system is one of Wind River's flagship products.