From a DO-178B Certified Separation Kernel to Common Criteria Security Certification

2011-01-2777

10/18/2011

Event
Aerospace Technology Conference and Exposition
Abstract
DO-178B avionic software safety has been largely based on the assumption that rigorous development and verification processes are uniformly applied to the entire product (which is typically small or developed from scratch, and is extensively tested). Security certification under the Common Criteria (CC), on the other hand, has traditionally also had in mind the analysis and gradual improvement of existing systems. For such scenarios, simply redoing the entire design is not feasible. This leads to a slightly different emphasis in the presentation of artifacts, which is of interest not only in a CC certification context but also, for example, when reviewing requirement-based descriptions of systems.
In cooperation with the DFKI evaluation laboratory, we have drafted a security target instantiating security properties (Security Functional Requirements, SFRs) of the PikeOS separation kernel, which has undergone certification for DO-178B. The security target was initially based on the Separation Kernel Protection Profile (SKPP) but is now written stand-alone, without using a protection profile, and is compatible with the current version of the CC. In the German research project SeSaM [SeS11] we prepare Common Criteria certification artifacts for a DO-178B certified separation kernel, aiming at a high-level CC certification. We report on our approach and experiences in generating artifacts from a DO-178B/DO-178C perspective and on lessons learned when dealing with the CC.
Details
DOI
https://doi.org/10.4271/2011-01-2777
Pages
10
Citation
Blasum, H., and Tverdyshev, S., "From a DO-178B Certified Separation Kernel to Common Criteria Security Certification," SAE Technical Paper 2011-01-2777, 2011, https://doi.org/10.4271/2011-01-2777.
Additional Details
Published
Oct 18, 2011
Product Code
2011-01-2777
Content Type
Technical Paper
Language
English