SEI/CMU Efforts on Assured Systems

Transcription

1 Unclassified//For Official Use Only SEI/CMU Efforts on Assured Systems 15 November 2018 *** Greg Shannon CERT Division Chief Scientist Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Derived from Stempfley, Cunningham et. al., Towards a Consolidated AI Strategy for the SEI, Oct DISTRIBUTION STATEMENT A Distribution Statement A 1

2 Diligent Lawyers Copyright 2018 Carnegie Mellon University. All Rights Reserved. This material is based upon work funded and supported by the Department of Defense under Contract No. FA D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation. References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non- US Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. DM

3 DoD Federally Funded Research & Development Center Doing what others can t or won t do for DoD priorities (authorization from Congress see FAR language) 3

4 Topics AADL Global Imperative for Formal Methods 4

5 Architecture Analysis & Design Language (AADL) Standard Targets Embedded Software Systems AS 5506 Standard Suite Standards provide long-term industry-wide solutions to support multi-organization model-based engineering In 2008 Aerospace industry initiative chose AADL over SysML and other notations as it specifically addresses embedded software systems AADL captures mission and safety critical embedded software system architectures in virtually integrated analyzable models to discover system level problems early and construct implementations from verified models 5

6 Core AADL language standard [V1 2004, V2 2012, V ] Focused on embedded software system modeling, analysis, and generation Strongly typed language with well-defined semantics for execution of threads, processes on partitions and processor, sampled/queued communication, modes, end to end flows Textual and graphical notation AADL Standard Suite (AS-5506 series) Revision V3 in progress: interface composition, system configuration, binding, type system unification Standardized AADL Annex Extensions Error Model language for safety, reliability, security analysis [2006, 2015] ARINC653 extension for partitioned architectures [2011, 2015] Behavior Specification Language for modes and interaction behavior [2011, 2017] Data Modeling extension for interfacing with data models (UML, ASN.1, ) [2011] AADL Runtime System & Code Generation [2006, 2015] AADL Annexes in Progress Network Specification Annex Cyber Security Annex FACE Annex Requirements Definition and Assurance Annex Synchronous System Specification Annex 6

7 Need for (Cyber) Security Protection U.S. National Defense Strategy (2018) In the first sentence...protect the security of our nation... U.S. National Cyber Strategy (2018) Starts with the words Protecting America s national security U.N. Internet Governance Forum (2018) Only a secure and reliable cyber space can generate and preserve trust in the Internet. 7

8 A Yearning for Assurance Assurance of networked capabilities Internet Weapons systems Critical Infrastructure Assurance of artificial intelligence Machine learning Autonomy Algorithms 8

9 What s Really Needed Ensurance Neither assurance nor insurance is good enough in contested environments Adversaries are too persistent for us to rely on assurances Formal-methods provide Ensurance modulo assumptions, etc. Blending with cryptology-based protocols and mechanisms is very powerful Exceptionally hard for adversaries to compromise Provides the highest-levels of ensurance 9

10 What Is Missing? Ironically, making security mechanisms INVISIBLE INVISIBLE INVISIBLE INVISIBLE INVISIBLE! 10

11 The Pinnacle of Formal Methods? Practices for Attacks Proofs for Classes Types(!!) for Properties 11

12 How Do We Get There? Provide input to update the Federal Cyber Security R&D Strategic Plan federal-cybersecurity-research-and-development Due JANUARY Let policymakers know that we (the R&D community) still don t have the invisible answers yet Goal: Effective, Efficient, Invisible Cybersecurity 12

13 We Need Scalable Capability for HW/SW Formal Reasoning What Is Missing? We need meaningfully trustworthy hardware on which to build much more trustworthy operating systems, more trustworthy networks, and sensible applications that take suitable advantage of such hardware and its supporting technology. We need much greater attention to software development in theory and practice, including realistic methodologies for applying formal methods, and proactive designs for trustworthiness. We need ubiquitous attention to advanced computer literacy, including K-12, college, graduate school, and ongoing training. Slide from P.Neumann sel4 Summit Nov

14 Let s Be Epistemologically Realistic Please Principle of least privilege Slide from P.Neumann sel4 Summit Nov Every program and every privileged user of the system should operate using the least amount of privilege with finest granularity necessary for the given purpose. Saltzer CACM 17(7) Saltzer and Schroeder Proc. IEEE 63(9) Needham AFIPS 41(1) 16 14

15 Discussion 15