The Hidden Risks of Using Linux in Aviation Systems

Abstract

This paper presents a certification-oriented, system-level argument that Linux is fundamentally unsuitable for safety-critical avionics. Because Linux is a feature-rich, high-performance general-purpose OS, its execution semantics are open and dynamic: the set of behaviours the kernel can exhibit cannot be finitely bounded or frozen at integration time. Two consequences follow. First, airworthiness infeasibility: an oversized trusted computing base (TCB), a prohibitive DO-330 qualification burden for the toolchain, and continuous patch churn that prevents a stable, certifiable baseline from being established and maintained. Second, semantic complexity: temporal non-isolation and spatial non-isolation, which materialize as mutable logical-to-physical mappings, driver-induced contamination of global kernel state, and a lack of fault containment. We consolidate these observations into an avionics-oriented OS evaluation framework that makes the certification implications explicit: closed-world timing analysis at the partition level, provable spatial and fault isolation, TCB minimization, and lifecycle-stable evidence under DO-178C/DO-330 and ARINC 653. The framework turns architectural properties into concrete certification risks and provides actionable guidance for OS selection and governance in integrated modular avionics (IMA).