You can see the SKPP certification requirements here: https://www.commoncriteriaportal.org/files/ppfiles/pp_skpp_hr_v1.03.pdf

You can see the Security Target specification and how it conforms here: https://www.commoncriteriaportal.org/files/epfiles/st_vid10362-st.pdf

You can see the certification report here: https://www.commoncriteriaportal.org/files/epfiles/st_vid10362-vr.pdf

Of note in the certification requirements are:

"For example, SKPP separation mechanisms, when integrated within a high assurance security architecture, are appropriate to support critical security policies for the Department of Defense (DoD), Intelligence Community, the Department of Homeland Security, Federal Aviation Administration, and industrial sectors such as finance and manufacturing."

AVA_VLA_EXP.4 Highly Resistant on page 116:

"The NSA evaluator shall perform an independent vulnerability analysis."

"The NSA evaluator shall perform independent penetration testing."

"The NSA evaluator shall determine that the TOE is resistant to penetration attacks performed by an attacker possessing a high attack potential."

First-party NSA penetration test and analysis certifying it is appropriate for critical DoD systems. Note that the system is used on the F-35.

ADV_FSP_EXP.4 Formal Functional Specification on page 92:

"The developer shall provide a formal presentation of the functional specification of the TSF." Formal specification of the code.

"The evaluator shall determine that the functional specification is an accurate and complete instantiation of the TOE security functional requirements." Formal specification matches the requirements.

ADV_IMP_EXP.3 Structured Implementation of the TSF on page 93:

"The developer shall make available, the implementation representation for the entire TSF." Full source code provided to evaluator.

"The implementation representation shall unambiguously define the TSF to a level of detail such that the TSF can be generated without further design decisions." Source -> Binary translation is verified.
The public behavior of their CEO makes me very skeptical of their public claims about this OS.

The CEO has tons of tweets along the lines of (not really exaggerating) "my OS is perfect and cannot be hacked. I have XYZ certification. I used to work on nukes."

These are not the words I expect from someone who has _actually_ written a meaningfully "unhackable" OS. I expect discussion of e.g. theorem proving strategies, logic systems, etc., not NIST ABC-123 certs.
Last system I worked on with GHS Integrity was something like a USD $1M+ licensing fee.

In terms of usage, it felt like it was in between an RTOS like FreeRTOS, embOS, or Zephyr, and Linux. It used a lot of best practices like statically allocating memory for basically everything, so you knew you had sufficient memory (at least for anything the OS needed) when your application was loaded.
So the problem with a "DO-178" OS like VxWorks or GHS is that it's not DO-178. It's a version of the OS that has artifacts to support getting your product DO-178 certified using it. It's DO-178 "certifiable", maybe.

If you need to certify one million lines of OS and half a million lines of your application, it's handy to have that first bit done for you. Until you find that you have half a million lines of code that interface with the OS.

So we're _done_ with this crap. Say we have half a million lines of our application and 50,000 lines to talk to our hardware, and less than 10,000 for a simple executive. I don't need your scheduler (which doesn't work right), your compilers (which are just buggy old out-of-date ports) or your IDE, which is just buggy, old, out-of-date Eclipse with a plugin and branding. And I don't need your DO-178 artifacts for a million lines of buggy OS code when I can replace it with less code than it takes to interface with your bug-riddled OS.

And when you buy the DO-178 version, don't think it means "has fewer bugs". DO-178 means that it has specific artifacts including MCDC coverage against requirement-based tests. All of that is very expensive. None of that means it works right. If you put your money into checklists and process, guess how much is left for "making it work right".

Garbage. If you are responsible for safety-critical software, then _you_ are responsible for safety-critical software. Paying a third party for part of the responsibility would be nice if they took any responsibility, which they don't.

So, in conclusion: Pbththththh!!! on the snake oil vendors of safety magic.
Being so real rn, I thought this was an LLM (insert skull emoji). Twitter is breaking me.

Might be helpful to change the title to Integrity-178, since that appears to be the OS's name, while DO-178B is a standard.