Mils-based information flow control in the avionic domain: A case study on compositional architecture and verification

Software architectures in the aerospace domain are becoming more and more integrated and interconnected for functional and architectural reasons (Integrated Modular Avionics, IMA), which exacerbates potential security problems of avionic software. As a consequence, security considerations are gaining importance for the general "airworthiness" of modern aircraft, and proper security assurance requires increasing effort. In this paper, we report ongoing work in the SeSaM research project. We propose to leverage modularity as a key to obtain more secure software and higher assurance of this claimed security with reasonable effort. Using Multiple Independent Levels of Security (MILS), we present a case study on how an application can be systematically designed, secured, and proven secure by adopting a composite evaluation approach reflecting the modular system architecture. More specifically, we employ a separation kernel as the foundation for a security-critical application, and we investigate how a security evaluation can be achieved systematically and with reduced effort if we evaluate the underlying kernel and the dependent application independently before joining these partial results to obtain an overall evaluation verdict. Thus, we illustrate how a compositional approach may ease security design and security assurance of IMA architectures.
