Avionics Architectures: Mechanisms, and Assurance

Abstract

Automated aircraft control has traditionally been divided into distinct "functions" that are implemented separately (e.g., autopilot, autothrottle, flight management); each function has its own fault-tolerant computer system, and dependencies among different functions are generally limited to the exchange of sensor and control data. A by-product of this "federated" architecture is that faults are strongly contained within the computer system of the function where they occur and cannot readily propagate to affect the operation of other functions.

More modern avionics architectures contemplate supporting multiple functions on a single, shared, fault-tolerant computer system where natural fault containment boundaries are less sharply defined. Partitioning uses appropriate hardware and software mechanisms to restore strong fault containment to such integrated architectures.

This report examines the requirements for partitioning, mechanisms for their realization, and issues in providing assurance for partitioning. Because partitioning shares some concerns with computer security, security models are reviewed and compared with the concerns of partitioning.
