LynxSecure

Developer(s): Lynx Software Technologies
Stable release: 6.0 / October 2017
Operating system: Linux and LynxOS
Type: Hypervisor
License: Proprietary
Website: www.lynx.com/products/lynxsecure-separation-kernel-hypervisor

LynxSecure is a least privilege real-time separation kernel hypervisor from Lynx Software Technologies designed for safety and security critical applications found in military, avionic, industrial, and automotive markets.

Overview

Leveraging multi-core CPU hardware virtualization features and smaller than a microkernel (as small as 15kB), LynxSecure is primarily targeted to raise the assurance of systems that perform critical computing functions in regulated environments. Common use cases include: separating critical apps from internet domains, isolating security functions from application domains, and verifying and filtering inter-domain communication. LynxSecure lives underneath applications and operating systems, runs completely transparently, and cannot be tampered with. The software can be embedded into a broad class of devices from embedded to IT platforms. The stripped-down design aims to raise assurance of the host by removing the possibility of CPU privilege escalation and to provide extremely tight control over CPU scheduling. Rather than attempting to shape system behavior indirectly by issuing commands to platform APIs according to a programming manual, LynxSecure allows developers to directly control system behavior through a unique system architecture specification written by the developer and enforced solely by the processor.

With a traditional architecture, all hardware resources are owned by the real-time operating system (RTOS). This controls the CPU cores, memory, and peripherals. Applications must request access to those resources via APIs like fork(), malloc(), and write(). The RTOS is a monolithic collection of libraries that manages task scheduling, memory partitioning, and device I/O. This large block of code needs to be safety certified and bug free to be secure. A separation kernel relies on hardware virtualization functionality to do the heavy lifting. This creates efficient, tamper-proof, and non-bypassable virtual machines. Hardware resources are robustly partitioned into almost-zero-overhead VMs populated with a mix of OSes, RTOSes, and bare-metal applications. Mixed criticality safety systems can be constructed that minimize high Design Assurance Level (DAL) source lines of code (SLOC) counts to reduce certification costs and technical risks of future programs.

LynxSecure supports paravirtualized Linux and LynxOS real-time operating systems, as well as full virtualization of the Windows operating system. It was also announced in 2020 that LynxSecure would support FreeRTOS, the market share leader in real-time operating systems, as a guest OS.

LynxSecure is built to conform to the MILS (Multiple Independent Levels of Security) architecture so that virtualization can be used in embedded systems with requirements for high assurance. It was also designed to satisfy real-time, high assurance computing requirements used to regulate military and industrial computing environments, such as NIST, NSA Common Criteria, and NERC CIP.

By default, LynxSecure uses an ARINC 653-based fixed-cyclic scheduler to manage processing time, but dynamic priority scheduling policies are also permitted.

Additional features

Designed to support both CC EAL-7 and DO-178
Time-space partitioned
Supports multiple heterogeneous operating system environments on the same physical hardware including Intel VT
Supports Symmetric MultiProcessing (SMP) and 64-bit addressing for high-end scalability
100% binary compatibility for Linux, or POSIX-based applications
MILS architecture conformance
Multithreaded small-footprint run-time environment for secure application development
Multiprocess, multithreaded environment through virtualized Red Hat, Linux, LynxOS or LynxOS OSes
Microsoft Windows support in full virtualization mode

Key Updates and Releases

LynxSecure 2.0 was released in 2008, featuring multiprocessing; support for POSIX, Linux ABI, and ARINC; device assignment capabilities that allow devices to be assigned to specific guest operating systems; and a configuration tool for platform configuration and security policy definition.

LynxSecure 3.0 was released in 2009 with the ability to run fully virtualized guest operating systems simultaneously on the same hardware as para-virtualized and real-time operating systems, with each running in its own secure partition. Building on LynxSecure 2.0, LynxSecure 3.0 added full virtualization, meaning that guest operating systems can run unmodified on top of LynxSecure. Other features in LynxSecure 3.0 included: 1) addition of para-virtualized 64-bit Linux as a guest OS; 2) security enhancements for supporting audit and built-in tests; 3) flexible scheduling; and 4) an enhanced bootloader.

LynxSecure 4.0 added support for the Intel Core i7 and i5 processor families and enabled new configurations of guest operating systems as well as an updated version (4.7) of the Luminosity Integrated Development Environment (IDE).

LynxSecure 5.0 included changes which increased performance for fully virtualized guest operating systems and added 64-bit and Symmetric Multi-processing (SMP) guest OS virtualization support. Additionally, a device-sharing facility for systems with limited physical devices was added that complemented the existing direct device assignment mechanism that had been available in previous versions of LynxSecure. By implementing a new secure device virtualization mechanism, managed from a secure partition on LynxSecure, limited physical devices could be virtualized and shared between guest OSes.

LynxSecure 6.0 brought LynxSecure to the Arm® architecture for the first time. The initial port was available on the Xilinx Zynq Ultrascale+ MPSoC and was displayed at Arm TechCon.

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.