The SKPP (Separation Kernel Protection Profile) is also known as “U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness.”
The SKPP was written within the framework established by the Common Criteria. SKPP guidelines provide for a systematic assessment of COTS separation kernels under the oversight of the Common Criteria Evaluation and Validation Scheme (CCEVS) in the United States.
The SKPP has stringent requirements for high-assurance separation kernels. By their nature, most COTS avionics partitioning kernels would meet the basic SKPP partitioning requirement. However, a COTS kernel designed before the advent of the SKPP would lack certain architectural characteristics, making the implementation of SKPP security requirements such as information-flow policy enforcement quite challenging.
Although the SKPP contains functional requirements unmet by any pre-existing separtion kernel, the SKPP does admit a degenerate separation-kernel model that some pre-existing separation kernels might be able to attain if the appropriate modifications were undertaken.
The SKPP prescribes many measures aimed at increasing security. The SKPP mandates that the kernel’s functionality be simplified and limited to separating resources to prevent a subjects in one partition from interacting with subjects in other partitions.
Due to the lack of a runtime user-administration interface in embedded systems, the SKPP acknowledges that additional measures are needed to maintain high assurance. The SKPP requires static runtime configuration in most scenarios.
SKPP high-assurance measures include implementation of “the principle of least privilege” so that entities in a system have only as much access to system resources as necesssary for their intended functions. The SKPP also requires that audit records be generated.
SKPP evaluation requires the existence of certain supporting artifacts. Moreover, SKPP mandates that formal methods be used to demonstrate the correspondence between security policy models and the functional specifications in the kernel.
LYNXSECURE SEPARATION KERNEL HYPERVISOR
The LynxSecure Separation Kernel Hypervisor has been built from the ground up to satisfy the SKPP and meet the high-assurance requirements of the MILS architecture. LynxSecure has been designed to be certifiable to Common Criteria EAL-7.