Combining MILS with Contract-Based Design for Safety and Security Requirements

The distributed MILS (D-MILS) approach to high-assurance systems is based on an architecture-driven, end-to-end methodology that encompasses techniques and tools for modeling the system architecture, contract-based analysis of the architecture, automatic configuration of the platform, and assurance-case generation from patterns. Following the MILS paradigm, the architecture is pivotal in defining the security policy that the platform is to enforce, and in designing safety mechanisms such as redundancy or failure monitoring. In D-MILS we enriched these security guarantees with formal reasoning to show that the global system requirements are met provided that the local policies are guaranteed by the application components. We consider both safety-related and security-related requirements, and we analyze the decomposition while also taking into account the possibility of component failures. In this paper we give an overview of our approach and exemplify the architecture-driven paradigm for design and verification with an example of a fail-secure design pattern.

(“MILS” was originally an acronym for “Multiple Independent Levels of Security”. Today we use “MILS” as a proper name for an architectural approach and an implementation framework, promulgated by a community of interested parties and elaborated by ongoing MILS research and development efforts.)
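The abstract describes the core of contract-based analysis: each component carries a local assume/guarantee contract, and the check is that every behaviour the local contracts permit, including the behaviours a failed component may exhibit, still satisfies the global requirement. The following Python block is an added illustration, not code from the paper or from the D-MILS tool chain. It uses a hypothetical fail-secure pattern of my own choosing (a classification filter whose output passes through a monitor that blocks the channel whenever the filter reports a fault) and checks, by exhaustive enumeration over short traces, whether the composed system refines a global "no high-classified message reaches the output" contract and a nominal-delivery contract. Both wirings, with and without the monitor, are analyzed so the effect of the pattern is visible.

```python
"""
Constructed example: a tiny contract-refinement check for a hypothetical
fail-secure design pattern (filter + monitor).  Nothing here is taken from
the D-MILS tools; the components, ports and contracts are all assumptions.

Local contracts constrain what each component may do per step.  The analysis
enumerates every trace the local contracts allow, for every input sequence and
every failure-injection point, and checks the global contract on each trace.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Iterator, List, Optional, Tuple

LOW, HIGH, NONE = "low", "high", None   # message classifications / no message


@dataclass(frozen=True)
class Step:
    """One step of the composed system: values on the four ports we model."""
    inp: str                   # classification of the message at the source
    filter_failed: bool        # fault flag reported by the filter (permanent)
    filter_out: Optional[str]  # message leaving the filter (or NONE)
    system_out: Optional[str]  # message leaving the system (or NONE)


# --- local guarantees -------------------------------------------------------
def filter_guarantee(s: Step) -> bool:
    """Nominal filter: forward LOW unchanged, drop HIGH.  When failed, the
    contract says nothing, so any output is possible (the analysis must cover
    all of them)."""
    if s.filter_failed:
        return True
    return s.filter_out == (LOW if s.inp == LOW else NONE)


def monitor_wiring(s: Step) -> bool:
    """Fail-secure monitor: on a reported fault, block the channel entirely;
    otherwise forward the filter output unchanged."""
    if s.filter_failed:
        return s.system_out is NONE
    return s.system_out == s.filter_out


def direct_wiring(s: Step) -> bool:
    """No monitor: the filter output is the system output."""
    return s.system_out == s.filter_out


# --- global contract --------------------------------------------------------
def global_security(trace: Tuple[Step, ...]) -> bool:
    """Security requirement: HIGH never reaches the system output."""
    return all(s.system_out != HIGH for s in trace)


def global_availability(trace: Tuple[Step, ...]) -> bool:
    """Safety/availability requirement: while the filter is healthy, every LOW
    message is delivered (rules out a pattern that just blocks everything)."""
    return all(s.system_out == LOW
               for s in trace if not s.filter_failed and s.inp == LOW)


# --- exhaustive refinement check --------------------------------------------
def step_candidates(inp: str, failed: bool,
                    wiring: Callable[[Step], bool]) -> List[Step]:
    """All port valuations for one step that satisfy the local contracts."""
    return [Step(inp, failed, fo, so)
            for fo in (LOW, HIGH, NONE) for so in (LOW, HIGH, NONE)
            if filter_guarantee(Step(inp, failed, fo, so))
            and wiring(Step(inp, failed, fo, so))]


def all_traces(wiring: Callable[[Step], bool], n: int) -> Iterator[Tuple[Step, ...]]:
    """Every trace of length n: all input sequences x all failure onsets
    (fail_at == n means the filter never fails) x all contract-allowed steps."""
    for inputs in product((LOW, HIGH), repeat=n):
        for fail_at in range(n + 1):
            per_step = [step_candidates(inputs[i], i >= fail_at, wiring)
                        for i in range(n)]
            for trace in product(*per_step):
                yield trace


def check(wiring: Callable[[Step], bool], n: int = 3):
    """Return (True, None) if the composition refines the global contract on
    all traces of length n, else (False, counterexample_trace)."""
    for trace in all_traces(wiring, n):
        if not (global_security(trace) and global_availability(trace)):
            return False, trace
    return True, None


if __name__ == "__main__":
    for name, wiring in (("direct", direct_wiring), ("fail-secure", monitor_wiring)):
        ok, cex = check(wiring)
        print(f"{name}: {'refines global contract' if ok else 'VIOLATION ' + str(cex)}")
```

The point the enumeration makes explicit is that the filter's local contract is vacuous once a fault is reported, so a refinement argument that ignores failure modes would wrongly accept the direct wiring. The monitor's contract is what restores the global guarantee, and the availability contract is what stops "block everything" from being accepted as a trivial solution.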
