Measurement instruments secure even with standard operating systems

The core element of any operating system is its kernel, which holds the greatest number of privileges in the system and provides applications with the mechanisms they need to run correctly. Modern operating systems offer a very wide range of functions, most of which are located in the kernel. A kernel which offers only the most necessary mechanisms in order to ensure that the individual applications are encapsulated, and that communication between them is secure, is called a microkernel. It is several orders of magnitude smaller than the kernels of established operating systems, and is thus more resistant to errors. Microkernels can provide software security in the form of manipulation detection and system stability. The algorithms necessary to ensure correct measurement and calculation thus run in a secure environment, but still have to be checked for correctness.

At PTB, a configurable software system architecture has been developed which is based on a microkernel. The microkernel encapsulates the actual operating systems in modules (known as virtual machines – VMs), and serves as an additional layer of protection. The operating systems can continue to load their usual programs and drivers, but can communicate with each other and access hardware only via the microkernel. The system architecture is based on a modular design. In this design, the individual virtual machines comply with the requirements of the Measuring Instruments Directive of the European Union (MID) as well as those of WELMEC 7.2 Software Guide. These modules can be seen in the image on the right: Secure GUI; Key & Signature Manager; Storage Manager; Download Manager; Connection Manager; and Communication Monitor. This ensures a legally compliant architecture which executes all functions which are relevant to legal metrology in such a way that these functions are secure and can be monitored. In addition, software which is not legally relevant (N) is separated from software which is legally relevant (L). All computations which are subject to legal control are executed in the L-VM, all others in the N-VM. This strict separation ensures that legally relevant software programs are not influenced by legally non-relevant software.

This project will be continued in cooperation with the Technische Universität Berlin, which is developing a novel microkernel that will be, at least in parts, mathematically formally verified to prevent typical operating system errors from arising. This is important for measuring instruments which are required to prove their correctness for legal purposes (such as for those used in road transportation). The system architecture proposed was implemented on an evaluation board using this microkernel.