KasperskyOS

KasperskyOS is a proprietary, partially POSIX-compliant microkernel-based operating system built from scratch using secure-by-design principles. It was developed by Kaspersky Lab for IT products in industries with strict requirements for cybersecurity, reliability, and operational predictability.^[1] Key use cases are network equipment, industrial control/IoT gateways, smart cars, smart city and transport infrastructure, and other critical-infrastructure uses.^[2]

The operating system protects IT systems from malicious code and the exploitation of vulnerabilities, reducing the risks of accidental or intentional software errors.^[3] It features a minimal trusted kernel, strict isolation of components in user space, default-deny policy enforcement and formal, policy-based control via the Kaspersky Security System. The aim is to create “Cyber Immune” systems that keep critical functions operating even if some parts of the system are attacked via unknown vulnerabilities.^[2]

KasperskyOS is built on its own microkernel, developed from scratch without using third-party code or libraries.^[1] There is a community edition for prototyping and development.^[4]

KasperskyOS combines the MILS (Multiple Independent Levels of Security) and FLASK security architecture approaches with Kaspersky's own technologies.^[5]

In the MILS model, a secure system consists of isolated security domains and a separation kernel that manages interactions between them.^[5]

Communication between processes occurs only through the security monitor (Kaspersky Security System) via typed interfaces. The system therefore remains secure as a whole even if isolated components contain vulnerabilities or malicious code.^[3]

In the FLASK architecture, the security system is divided into policy enforcement, which is handled by the microkernel, and policy decision-making, which is handled by the security monitor. This separation simplifies system analysis and ensures consistency in security policies.^[5]

KasperskyOS is built on a microkernel written in C (C99 standard) comprising approximately 100,000 lines of code, whereas the Linux kernel, for example, had over 40 million lines of code as of 2025.^[6] This compactness reduces the potential attack surface and simplifies formal verification.^[1]

The microkernel implements only essential low-level mechanisms that require privileged execution:

• process and thread scheduling;
• virtual memory management;
• I/O port access control;
• direct memory access (DMA) management;
• synchronization via futexes;
• interrupt handling;
• real-time clock management;
• descriptor management;
• Inter-process communication is strictly synchronous and message-based (request/response);
• interaction with the security subsystem (Kaspersky Security System).^[5]

Drivers, file systems, network stacks, and other components run in user space as isolated processes and communicate with the kernel via system calls.^[3] The microkernel exposes only three system calls, minimizing system vulnerabilities.^[1]

Kaspersky Security System (KSS) is a unified security decision-making center and a centralized security monitor that oversees all interactions between system components.^[3]

The KasperskyOS microkernel delivers a message only if KSS authorizes its delivery based on a defined set of security policies. If the verdict is negative, the transmission is blocked, and steps may be taken to restore normal system operation.

A special policy description language—Policy Specification Language (PSL)—has been developed for designing policies. The PSL syntax allows multiple security models to be combined within a single policy, including finite and state machines, Type Enforcement (TE), Role-Based Access Control (RBAC) models, and others. It is also possible to develop custom policy classes. In PSL, the description is formulated in terms of the task itself.

PSL eliminates the need for developers to write security policy implementations or configure KSS manually. Monitor code optimized for the selected task is generated from the PSL description by a special compiler.^[5]

KasperskyOS supports multiple hardware architectures: x86 / x86 64, ARMv5, ARMv7, ARMv8, MIPS32.

Tested platforms: Intel Generic and Atom CPUs, NXP i.MX series, TI Sitara processors, HiSilicon Kirin platforms, MIPS24k.^[7]

The KasperskyOS Community Edition enables development of educational applications that can run on QEMU (x86_64) or Raspberry Pi 4 Model B.^[3]

2002: Development began under the internal code name “11.11”.^[8]

2012: Eugene Kaspersky publicly announced KasperskyOS for the first time.

2013: Beta testing by partner companies.

2015: Partnership with SYSGO (PikeOS developer) and integration of Kaspersky Security System into third-party OS.

2016: Completion of kernel development and announcement of the first hardware partner

2017: Official release of KasperskyOS.^[9]

2019: Work on a secure mobile OS based on KasperskyOS.

2021: Release of the first commercial product based on KasperskyOS (industrial IoT gateway).

2021: Launch of KasperskyOS Community Edition for educational purposes.

2022: Release of an improved IoT gateway model.

2023–2024: Development of a smartphone prototype and app ecosystem. Launch of the “Kaspersky Appicenter” platform for corporate clients and industrial enterprises.

KasperskyOS is used in sectors that require a high level of cybersecurity, reliability, and deterministic behavior:

• Internet of Things (IoT and IIoT);
• smart infrastructure;
• transportation systems;
• virtual desktop infrastructure (VDI);
• corporate mobile devices.^[3]

Automotive cybersecurity. A secure automotive platform based on KasperskyOS is integrated into the Ajunic high-performance ECU developed by AVL Software and Functions GmbH (Germany) and is intended for use in ADAS and autonomous driving systems.^[10]

Automotive software platforms and gateways. The operating system enables secure in-vehicle communication, over-the-air (OTA) updates, and compliance with industry cybersecurity standards.^[11]

Products based on KasperskyOS are already in use:

Kaspersky IoT Secure Gateway (KISG) 100 — a cyber-immune gateway operating as a data diode, enabling one-way secure data transfer to external systems.

KISG 1000 — an industrial gateway that aggregates device data and transmits it securely to enterprise or cloud environments, with built-in security controls.

Kaspersky Thin Client — a secure thin client providing access to virtual desktop infrastructure via remote desktop protocols.^[3]

Early deployments of the OS also appeared in Kraftway routing/switching gear.

• QNX

0.00 (0 votes) Original source: https://en.wikipedia.org/wiki/KasperskyOS. Read more