The security of any embedded system can only be as secure as the operating systems (OS) upon which it is built. Fundamentally, all resources required for execution should be secured. These include access to memory, CPU, the kernel and hardware resources. The OS needs to provide different levels of privilege for different applications and mediation to verify all accesses and a mechanism must exist to provide resource protection.

In a real time executive, everything is compiled together and runs at the same privilege level. In such a model, there can be no mediation and by default, full access to all resources is available to all elements within the executive. Typically, the memory management unit (MMU) is not utilized and therefore no protection is available.

A monolithic kernel improves this by providing protection at the application level. This model provides applications with separation of privilege and mediation. Protection is provided via the MMU. However, in such a model device drivers, file systems and protocol stacks are all compiled into the kernel and the shortcomings identified for a realtime executive apply equally to a monolithic kernel.

A microkernel, by its nature extends this concept of securing resources to include all elements of the system including applications, drivers, filesystems and stacks. Full separation of privilege and complete mediation are provided. The protection provided by the MMU similarly applies to all system elements. As there is no user modifiable code in the kernel, privilege levels and mediation are not relevant concepts. The kernel does, however, continue to benefit from memory protection.

For added security and resource protection, the QNX partitioning solution provides CPU time and memory guarantees to ensure critical software has the resources it needs to operate correctly. This contains denial of service attacks that attempt to monopolize compute resources and starve system software.

Technology overview

Secure kernel with memory protection

• Kernel cannot be bypassed, enforces consistent access privileges
  
• Protects applications from accessing other's data and resources
  

Security protocols

• Includes IPSec, IKE, SSL, SSH, IP Filtering, NAT and others to enable developers to leverage existing implementations for systems requiring security protocols.
  

Hardware acceleration

• Networking stack takes full advantage of cryptographic acceleration by offloading encryption and authentication algorithms including DES, 3DES, AES, MD5 and SHA-1.
  
• Supports the Open Cryptography Framework to provide application level access to the underlying security hardware.
  

Partitioning for increased security

• Prevents untrusted software from starving critical functions of CPU time and memory
  
• Stops malicious code and and denial of service (DoS) attacks from monopolizing the CPU
  

Adaptive Partitioning

QNX® Neutrino® Adaptive Partitioning is an innovative partitioning approach that provides minimum CPU time guarantees (time budgets) to a set of processes or threads. However, unlike fixed partitioning implementations, adaptive partitions can exceed their minimum CPU time budget if there are spare processing cycles available. This allows the system to make optimal use of CPU time – handling the processing bursts typically found in embedded systems.

Adaptive partitioning can be added to a system with minimal effort – no recoding (or even recompiling) of applications is required to take advantage of adaptive partitioning.

With adaptive partitioning, developers can:

• Improve system security
  
  • Prevents untrusted software from starving critical functions of CPU time
    
  • Stops malicious code and denial of service (DoS) attacks from monopolizing the CPU
    
• Maximize system performance while guaranteeing real time
  
  • Dynamically reassigns CPU cycles from partitions that aren’t busy to partitions that can benefit from extra processing time
    
  • Operates as a traditional priority based thread scheduler when the system is lightly loaded, ensuring highest priority task is executed first
    
  • Allows system to handle peak demands and permits 100% CPU utilization
    
  • Eliminates the over-engineering required by fixed-partitioning approaches, which waste unused cycles and force designers to use more-expensive CPUs
    
• Increase system availability
  
  • Guarantees that error detection and system-recovery operations have the CPU cycles they need to detect and repair faults, for minimal mean time to repair (MTTR)
    
  • Provides operators and administrators with guaranteed access to the user interface (e.g. console, remote terminal) — operators can always determine the system state, regardless of processor load
    
• Improve time to market
  
  • Eliminates complex task-starvation problems during integration phase
    
  • Design and test systems under load
    
• Implement CPU guarantees without changing your code
  
  • Supports standard POSIX programming model
    
  • Allows developers to use familiar design, programming, and debugging techniques
    
  • Developers can launch existing POSIX and QNX Neutrino applications into partitions, with no code changes
    
• Ensure guaranteed response to user input
  
  • CPU guarantees ensure rapid response to user actions (e.g. button push, voice command), no matter how busy the CPU may become
    
• Optimize multimedia performance
  
  • Ensures that media players always get the CPU cycles they need to deliver smooth, continuous playback — eliminates “skipping”