Supporting multiple levels of criticality

Current safety-critical embedded systems provide support for increasingly diverse and complex tasks, whose levels of criticality can be extremely different. Rather than validating all software to the highest level of confidence, it is more efficient to focus the validation effort on the most critical components. Consequently, it must be ensured that residual design faults in low criticality software cannot corrupt high criticality components. This paper defines an object-oriented integrity policy which ensures that such a property is enforced. Each object is assigned an integrity level related to its criticality. The policy defines rules to access the object methods so that no object can be corrupted by a lower integrity component. Several sorts of objects are accommodated, enabling safety-critical applications to be designed with great flexibility. This is illustrated by a prototype which is implemented on a CORBA-compliant distributed system.
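The access rule the abstract describes (no object may be corrupted by a lower-integrity component) can be made concrete with a small reference monitor that mediates every method call. The example below is added here and is not code from the paper or its CORBA prototype; it assumes a strict Biba-style interpretation of the rule (a caller may invoke a state-modifying method only on objects of equal or lower integrity, and may observe only objects of equal or higher integrity), so the paper's own rules for its several kinds of objects may differ. The object names, levels and method names are constructed for the illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Any, Callable, Dict, List, Tuple


class Integrity(IntEnum):
    """Integrity level assigned to each object, derived from its criticality (assumed scale)."""
    LOW = 1      # e.g. a cockpit display or logger, validated to a modest level
    MEDIUM = 2
    HIGH = 3     # e.g. a flight-control loop, validated to the highest level


class IntegrityViolation(Exception):
    """Raised when a call would let a lower-integrity component corrupt a higher one."""


# Audit trail of denied invocations: a defender wants these recorded, not silently dropped.
AUDIT: List[str] = []


@dataclass
class IntegrityObject:
    name: str
    level: Integrity
    state: Dict[str, Any] = field(default_factory=dict)
    # method name -> (kind, implementation); kind is "modify" (changes state) or "observe" (reads it)
    methods: Dict[str, Tuple[str, Callable[..., Any]]] = field(default_factory=dict)

    def export(self, name: str, kind: str, fn: Callable[..., Any]) -> None:
        assert kind in ("modify", "observe"), "each method must be classified"
        self.methods[name] = (kind, fn)


def invoke(caller: IntegrityObject, target: IntegrityObject, method: str, *args: Any) -> Any:
    """Reference monitor: every cross-object call goes through here.

    modify  : caller.level >= target.level   (no write-up: low cannot corrupt high)
    observe : caller.level <= target.level   (no read-down: high does not trust low data)
    """
    kind, fn = target.methods[method]
    if kind == "modify" and caller.level < target.level:
        AUDIT.append(f"DENIED modify {caller.name}({caller.level.name}) -> {target.name}.{method}")
        raise IntegrityViolation(AUDIT[-1])
    if kind == "observe" and caller.level > target.level:
        AUDIT.append(f"DENIED observe {caller.name}({caller.level.name}) -> {target.name}.{method}")
        raise IntegrityViolation(AUDIT[-1])
    return fn(target, *args)


# Constructed sample system: a HIGH flight-control object and a LOW display object.
def build_system() -> Tuple[IntegrityObject, IntegrityObject]:
    fcs = IntegrityObject("flight_control", Integrity.HIGH, {"setpoint": 10.0})
    fcs.export("set_setpoint", "modify", lambda self, v: self.state.__setitem__("setpoint", float(v)))
    fcs.export("get_setpoint", "observe", lambda self: self.state["setpoint"])

    display = IntegrityObject("display", Integrity.LOW, {"buffer": []})
    display.export("show", "modify", lambda self, msg: self.state["buffer"].append(msg) or len(self.state["buffer"]))
    display.export("read_buffer", "observe", lambda self: list(self.state["buffer"]))
    return fcs, display


def attempt(caller: IntegrityObject, target: IntegrityObject, method: str, *args: Any) -> str:
    """Run one mediated call and report 'allowed' or 'denied' (used by the demo and tests)."""
    try:
        invoke(caller, target, method, *args)
        return "allowed"
    except IntegrityViolation:
        return "denied"


def run_demo() -> Dict[str, str]:
    fcs, display = build_system()
    return {
        "low_modifies_high": attempt(display, fcs, "set_setpoint", 0.0),   # residual fault in display cannot corrupt FCS
        "high_modifies_low": attempt(fcs, display, "show", "setpoint=10"), # high may drive the display
        "high_observes_low": attempt(fcs, display, "read_buffer"),         # FCS must not depend on low-integrity data
        "low_observes_high": attempt(display, fcs, "get_setpoint"),        # display may read trusted state
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
    print("audit:", *AUDIT, sep="\n  ")
```

Classifying each exported method as "modify" or "observe" is what lets the monitor apply the integrity rule per method rather than per object, which is the flexibility the abstract attributes to its policy; the audit list makes denied calls visible to whoever validates the system.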
