Involved subjects in this presentation Security and safety in real-time embedded systems Architectural description, AADL Partitioned architectures

Similar documents
Model-Based Engineering for the Development of ARINC653 Architectures

ARINC653 annex: examples

ARINC653 toolset: Ocarina, Cheddar and POK

POK. An ARINC653-compliant operating system released under the BSD licence. Julien Delange, European Space Agency

ARINC653 AADL Annex. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Julien Delange 07/08/2013

ARINC653 and AADL. Julien Delange Laurent Pautet

ARINC653 AADL Annex Update

Modelling Avionics Architectures

Model-Based Engineering for the Development of ARINC653 Architectures

Generating high-integrity systems with AADL and Ocarina. Jérôme Hugues, ISAE/DMIA

Institut Supérieur de l Aéronautique et de l Espace Ocarina: update and future directions

The TASTE MBE development toolchain - update & case-studies

POK, an ARINC653-compliant operating system released under the BSD license

OSATE Analysis Support

POK User Guide. POK Team

Learn AADL concepts in a pleasant way

High-Assurance Security/Safety on HPEC Systems: an Oxymoron?

From MDD back to basic: Building DRE systems

Access control models and policies. Tuomas Aura T Information security technology

The MILS Partitioning Communication System + RT CORBA = Secure Communications for SBC Systems

Update on AADL Requirements Annex

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

Access control models and policies

Access control models and policies

Query Language for AADLv2, Jérôme Hugues, ISAE Serban Gheorghe, Edgewater

OBJECT ORIENTED SYSTEM DEVELOPMENT Software Development Dynamic System Development Information system solution Steps in System Development Analysis

CSE Computer Security

This is an author-deposited version published in: Eprints ID: 3664

Introduction to AADL analysis and modeling with FACE Units of Conformance

An Implementation of the Behavior Annex in the AADL-toolset Osate2

AADL : about code generation

RAMSES. Refinement of AADL Models for the Synthesis of Embedded Systems. Etienne Borde

Security Models Trusted Zones SPRING 2018: GANG WANG

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

UML&AADL 11 An Implementation of the Behavior Annex in the AADL-toolset OSATE2

Model-Driven Engineering Approach for Simulating Virtual Devices in the OSATE 2 Environment

MILS Multiple Independent Levels of Security. Carol Taylor & Jim Alves-Foss University of Idaho Moscow, Idaho

Policy, Models, and Trust

Labels and Information Flow

Executable AADL. Real Time Simulation of AADL Models. Pierre Dissaux 1, Olivier Marc 2.

Green Hills Software, Inc.

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

Towards AADL to SystemC mapping for partitioned systems. Etienne Borde Laurent Pautet Marc Gatti

Data quality attributes in network-centric systems

To cite this document

Model Editing & Processing Tools. AADL Committee, San Diego February 4th, Pierre Dissaux. Ellidiss. Technologies w w w. e l l i d i s s.

An Information Model for High-Integrity Real Time Systems

SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM

HAMES Review at SRI, 7 October 2008 partly based on Layered Assurance Workshop 13, 14 August 2008, BWI Hilton and based on Open Group, 23 July 2008,

WIP: Layered Assurance of Security Policies for an Embedded OS

CSE Computer Security

Theoretical Corner: The Non-Interference Property

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

AADL v2.1 errata AADL meeting Sept 2014

Influential OS Research Security. Michael Raitza

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

The Ocarina Tool Suite. Thomas Vergnaud

Institut Supérieur de l Aéronautique et de l Espace Constraints Annex Implementation Approach

Presentation of the AADL: Architecture Analysis and Design Language

Security-by-Contract for Applications Evolution in Multi-Application Smart Cards

Using the MPU with an RTOS to Enhance System Safety and Security

Operational Semantics. One-Slide Summary. Lecture Outline

Access Control Mechanisms

Lecture 09. Ada to Software Engineering. Mr. Mubashir Ali Lecturer (Dept. of Computer Science)

CASE TOOLS LAB VIVA QUESTION

AADL to build DRE systems, experiments with Ocarina. Jérôme Hugues, ENST

Access Control. Discretionary Access Control

Model-Based Embedded System Engineering & Analysis of Performance-Critical Systems

CSE543 - Computer and Network Security Module: Virtualization

Semantic Analysis. Outline. The role of semantic analysis in a compiler. Scope. Types. Where we are. The Compiler Front-End

Presentation of the AADL: Architecture Analysis and Design Language

Access Control Models

Lecture 4: Bell LaPadula

Computer Security. Access control. 5 October 2017

Semantic Analysis. Outline. The role of semantic analysis in a compiler. Scope. Types. Where we are. The Compiler so far

Intrusion Detection Types

Complex Access Control. Steven M. Bellovin September 10,

System-level co-modeling AADL and Simulink specifications using Polychrony (and Syndex)

AEROSPACE STANDARD. SAE Architecture Analysis and Design Language (AADL) Annex Volume 3: Annex E: Error Model Annex RATIONALE

Discretionary Vs. Mandatory

Applying MILS to multicore avionics systems

AADL Subsets Annex Update

COS 320. Compiling Techniques

The role of semantic analysis in a compiler

Modelling of PnP Weapon Systems with AADL Protocol Behaviour

Taming Multi-Paradigm Integration in a Software Architecture Description Language

AADL Fault Modeling and Analysis Within an ARP4761 Safety Assessment

AADL Requirements Annex Review

Security Principles and Policies CS 136 Computer Security Peter Reiher January 15, 2008

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Notation. The rules. Evaluation Rules So Far.

AADL Generative Implementation Annex

Towards Formal Evaluation of a High-Assurance Guard

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Lecture 13. Notation. The rules. Evaluation Rules So Far

Modeling and verification of memory architectures with AADL and REAL

Summary. Final Week. CNT-4403: 21.April

AADL Inspector Tutorial. ACVI Workshop, Valencia September 29th, Pierre Dissaux. Ellidiss. Technologies w w w. e l l i d i s s.

Using the AADL for mission critical software development paper presented at the ERTS conference, Toulouse, 21 January 2004

Model Verification: Return of experience

Identity-based Access Control

Anatomy of a Compiler. Overview of Semantic Analysis. The Compiler So Far. Why a Separate Semantic Analysis?

Transcription:

Introduction Problem: security and reliability Purpose: design and implementation of safe/secure systems Help system designers to describe their requirements Ensure safety and security policies enforcement Make it simple, quickly and easily usable Involved subjects in this presentation Security and safety in real-time embedded systems Architectural description, AADL Partitioned architectures 1 Julien Delange Modeling domains of safety and security using AADL

Contents Safety and security requirements: what and why? Existing approaches: benefits and limits AADL: how to model and verify safety/security concerns 2 Julien Delange Modeling domains of safety and security using AADL

Contents Safety and security requirements: what and why? Existing approaches: benefits and limits AADL: how to model and verify safety/security concerns 3 Julien Delange Modeling domains of safety and security using AADL

Security: what and why? Avoid data sharing at several security levels E.g: top-secret data not accessible to an unevaluated entity Main actors: objects and subjects Objects represent data evaluated at a security level (secret, ) Subjects perform operations (read/write) on objects Security policy: set of rules Allowed operations according to a security clearance E.g: Bell-Lapadula, Biba, Chinese Wall, Top secret Top secret Secret 4 Julien Delange Modeling domains of safety and security using AADL

Safety: what and why? Safety properties and requirements Timing, communication, data types, Depend on your system (domain, constraints, ) Enforced across the system Enforce safety Fault handling (e.g: exceptions) Fault-containment (e.g: limit fault propagations) Identify and handle failures Reduce their impact locally, avoid their propagation globally 5 Julien Delange Modeling domains of safety and security using AADL

Contents Safety and security requirements: what and why? Existing approaches: benefits and limits AADL: how to model and verify safety/security concerns 6 Julien Delange Modeling domains of safety and security using AADL

Technics for safe and secure systems ARINC653 (avionics standard) Safety goal, reduce faults propagation No statement about security MILS (methodology) Separated software components, depend on their security level Formal verification (design-time) Model checking, arithmetic languages Need to be related with implementation Programming languages Verification at compile-time (e.g: SPARK/Ada, Eiffel) Specific to a language 7 Julien Delange Modeling domains of safety and security using AADL

Interesting facts Software isolation, fault-containment (ARINC653 & MILS) Avoid fault propagation across partitions Isolate software as more as possible Classification of components (MILS) Single Level Security (SLS) Multiple Single Level Security (MSLS), isolation between flows Multiple Level Security (MLS), no isolation Security policy enforcement (MILS) Reduce information leakage, security policy breakage 8 Julien Delange Modeling domains of safety and security using AADL

Security and safety in AADLv1 Security levels and safety requirements as properties Added to each component New semantic tokens needed No dedicated component for partition Process component with some properties, no specific runtime Isolation concept not present Error model annex Failures and fault-propagation modeling 9 Julien Delange Modeling domains of safety and security using AADL

What to expect from AADL version 2? Partitioned architectures modeling Isolation across partition Dedicated runtime for each partition Provide facilities to model security & safety requirements Security and safety level(s) of each component Make their representation more consistent Security and safety policies enforcement Assembly of components don t break requirements Communication enforces safety/security policies 10 Julien Delange Modeling domains of safety and security using AADL

Contents Safety and security requirements: what and why? Existing approaches: benefits and limits AADL: how to model and verify safety/security concerns 11 Julien Delange Modeling domains of safety and security using AADL

New components in AADLv2 Virtual bus component Modeling protocol stacks, communication channels Virtual processor component Modeling processor cores, runtime part, Not physical components Describe components properties and requirements Specify requirements of hardware or software entities Affect related components 12 Julien Delange Modeling domains of safety and security using AADL

Virtual processor for partition handling Dedicated runtime for each partition Subset of functionalities accessible only for one partition Properties and requirements for each partition Fault-containment for partition s faults Virtual processor + Process = partition! Space isolation modeled with process components Partition s runtime aspects modeled with virtual processor Time isolation modeled with the main processor component Partition s address space Partitioned/separation kernel Partition s runtime 13 Julien Delange Modeling domains of safety and security using AADL

Virtual bus as safety/security class Virtual bus as a security layer Describe the requirements of a component/connection/port Use a component instead a bunch of properties Common layer for safety & security Contains requirements and properties E.g: security timing requirements, Improve model s consistency Hierarchical layers One layer can extend another virtual bus secure properties Security_Level => Secret; end secure; virtual bus implementation secure.classa properties Data_Domain => A; end secure.classa; virtual processor partition properties Provided_Virtual_Bus_Class => (classifier (secure.classa)); end partition; 14 Julien Delange Modeling domains of safety and security using AADL

Safety and security requirements analysis Component s classification Use components classification (MLS, SLS, ) Detect illegal declarations and potential optimization Fault-containment analysis Fault propagation across partitions Security and safety policies enforcement Compatibility between security/safety classes Check components aggregation, communications legality Model consistency against partitioned architectures 15 Julien Delange Modeling domains of safety and security using AADL

Plane example Voice communication Pilot talks to passengers and crew Isolate communication flows Several security layers Critical and unclassified Partitioned architectures Separate security levels Runtime s internals modeling MLS component Safety layer Security layers Inherit requirements of safety layer Partition (process + virtual processor) 16 Julien Delange SLS component Modeling domains of safety and security using AADL

Verification tools OSATE plugins Check model against Bell-Lapadula security policy Verify communication timing requirements Verification patterns compliant with AADLv1 Ocarina and POK verification tools Ocarina, AADL toolsuite (see http://aadl.enst.fr) POK, partitioned kernel and middleware AADLv2 compliance Check models against Bell-Lapadula and Biba security policies Analyze fault-containment across partitions 17 Julien Delange Modeling domains of safety and security using AADL

Towards code generation for partitioned systems Code generation patterns for AADLv1 Generate distributed, real-time and embedded-compliant code New patterns for AADLv2 Generate automatically safe and secure code! Compliance with ARINC653/MILS Generate partition, configuration items, failure handler Enforce model s semantics Reduce impact of application-code errors 18 Julien Delange Modeling domains of safety and security using AADL

Conclusion Objectives: ensure security and safety with AADL models Take advantage of virtual processors and buses Combine safety and security in a same class Model partitioned systems Verification of security/safety requirements Error early detected, fixed at low cost Design, verify and implement safe and secure system Map AADL concepts to partitioned architectures 19 Julien Delange Modeling domains of safety and security using AADL

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback