LynxSecure is a least privilege real-time separation kernel hypervisor from Lynx Software Technologies designed for safety and security critical applications found in military, avionic, industrial, and automotive markets.

Leveraging multi-core CPU hardware virtualization features and smaller than a microkernel (as small as 15kB), LynxSecure is primarily targeted to raise the assurance of systems that perform critical computing functions in regulated environments. Common use cases include; separating critical apps from internet domains, isolating security functions from application domains, verifying and filtering inter-domain communication. LynxSecure lives underneath applications and operating systems, runs completely transparent and cannot be tampered with. The software can be embedded into a broad class of devices from embedded to IT platforms. The stripped-down design aims to raise assurance of the host by removing the possibility of CPU privilege escalation and provide extremely tight control over CPU scheduling. Rather than attempting to shape system behavior indirectly by issuing commands to platform APIs according to a programming manual, LynxSecure allows developers to directly control system behavior through a unique system architecture specification written by the developer and enforced solely by the processor.

With a traditional architecture, all hardware resources are owned by the real-time operating system (RTOS). This controls the CPU cores, memory, and peripherals. Applications must request access to those resources via APIs like fork(), malloc(), and write(). The RTOS is a monolithic collection of libraries that manages task scheduling, memory partitioning, and device I/O. This large block of code needs to be safety certified and bug free to be secure. A separation kernel relies on hardware virtualization functionality to do the heavy lifting. This creates efficient, tamper-proof, and non-bypassable virtual machines. Hardware resources are robustly partitioned into almost zero overhead VMs populated with a mix of OSes, RTOSes, and bare-metal applications. Mixed criticality safety systems can be constructed that minimize high Design Assurance Levels (DAL) source lines of code (SLOC) counts to reduce certification costs and technical risks of future programs.

LynxSecure supports paravirtualized Linux and LynxOS real-time operating systems, as well as full virtualization of the Windows operating system. It was also announced in 2020 that LynxSecure would support FreeRTOS, the market share leader in real-time operating systems, as a Guest OS.

LynxSecure is built to conform to the MILS (Multiple Independent Levels of Security) architecture so that virtualization can be used in embedded systems with requirements for high assurance. It was also designed to satisfy real-time, high assurance computing requirements used to regulate military and industrial computing environments, such as NIST, NSA Common Criteria, and NERC CIP.

By default, LynxSecure uses an ARINC 653-based fixed-cyclic scheduler to manage processing time, but dynamic priority scheduling policies are also permitted.

LynxSecure 2.0, released in 2008, featuring multiprocessing; support for POSIX, Linux ABI, and ARINC; device assignment capabilities that allows devices to be assigned to specific guest operating systems; and a configuration tool for platform configuration and security policy definition.

LynxSecure 3.0 was released in 2009 with the ability to run fully virtualized guest operating systems simultaneously on the same hardware as para-virtualized and real-time operating systems with each running in their own secure partition. Building on LynxSecure 2.0, LynxSecure 3.0 added full virtualization, meaning that guest operating systems can run unmodified on top of LynxSecure. Other features in LynxSecure 3.0 included 1) Addition of para-virtualized 64-bit Linux as a guest OS. 2) Security enhancements for supporting audit & built-in tests 3) Flexible scheduling and 4) enhanced bootloader.