An Architecture-Centric Process for MILS Development

Safety-critical embedded systems are now software-reliant and evolving at an incredible pace. With the emerging Internet of Things (IoT) ecosystem, these systems are now interconnected to several networks and exposed to potential attackers. This increases the potential surface of attack and, ultimately, the likelihood of a successful attack that would penetrate the system. Until recently, many security efforts were focused on code analysis, but studies have shown that security is also a matter of good software architecture design and practices. For example, MILS requires isolating security domains in partitions using appropriate security components. However, because embedded systems are evolving quickly, new design methods are now required to overcome the challenges of developing them. In this paper, we introduce a research agenda for a new architecturecentric development approach for MILS systems. This would leverage architecture models and augment them with security information in order to perform the different activities of the development process, including security policy validation, implementation, and testing. Using the same model throughout development improves the consistency of the development process by avoiding any translation between different—and potentially inconsistent—representations. In addition, automating the generation of implementation and tests avoids the traditional mistakes of manual code production, such as bugs and developers’ assumptions about ambiguous requirements.

[1]  Jörgen Hansson,et al.  Model-Based Verification of Security and Non-Functional Behavior using AADL , 2016, IEEE S&P 2016.

[2]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[3]  Julien Delange,et al.  Incremental latency analysis of heterogeneous cyber-physical systems , 2014, REACTION.

[4]  Julien Delange,et al.  Architecture Fault Modeling with the AADL Error-Model Annex , 2014, 2014 40th EUROMICRO Conference on Software Engineering and Advanced Applications.

[5]  Richard Hawkins,et al.  Developing Assurance Cases for D-MILS Systems , 2015, MILS@HiPEAC.

[6]  John M. Rushby,et al.  Design and verification of secure systems , 1981, SOSP.

[7]  Jeannette M. Wing,et al.  An Attack Surface Metric , 2011, IEEE Transactions on Software Engineering.

[8]  Robert J. Ellison,et al.  Attack Trees , 2009, Encyclopedia of Biometrics.

[9]  Julien Delange,et al.  Design, implementation and verification of MILS systems , 2012, Softw. Pract. Exp..

[10]  Hovav Shacham,et al.  Comprehensive Experimental Analyses of Automotive Attack Surfaces , 2011, USENIX Security Symposium.

[11]  J. Rushby,et al.  The MILS component integration approach to secure information sharing , 2008, 2008 IEEE/AIAA 27th Digital Avionics Systems Conference.

[12]  Thomas Noll,et al.  Security Type Checking for MILS-AADL Specifications , 2015, MILS@HiPEAC.

[13]  Jim Alves-Foss,et al.  The MILS architecture for high-assurance embedded systems , 2006, Int. J. Embed. Syst..