
Page 1: Distributed MILS Project Work-in-Progress - ACSAC 2017

Distributed MILS Project Work-in-Progress

Rance DeLong

D-MILS Project WiP 1 © 2013 D-MILS Project

Page 2

Distributed MILS (D-MILS) Project

• European Commission FP7
• Project #318772
• December 2012 – December 2015

• D-MILS Project Consortium Partners
  • Fondazione Bruno Kessler – Italy
  • Fortiss – Germany
  • Frequentis – Austria
  • LynuxWorks – France
  • RWTH Aachen University – Germany
  • The Open Group – United Kingdom – Lead
  • TTTech – Austria
  • Université Joseph Fourier – France
  • University of York – United Kingdom

D-MILS Project WiP 2 © 2013 D-MILS Project

Page 3

Short MILS Review

• MILS is a component-based approach for the construction, assurance, and certification of dependable systems that encourages a commercial marketplace of off-the-shelf high-assurance components

• MILS can be understood as a two-phase approach:

Architecture

  • Abstract policy architecture represented with “boxes” (operational components) and “arrows” (interactions)
  • System purpose is achieved by behavior of the operational components and their interactions
  • Assumption: the architecture will be strictly enforced

Implementation

  • A robust resource-sharing platform composed of MILS foundational components creates strongly isolated “exported resources”
  • Components individually developed and assured according to standard specifications
  • Components compose “additively” to form a distributed trusted sharing substrate, the MILS Platform

D-MILS Project WiP 3 © 2013 D-MILS Project

Page 4

MILS Policy Architecture

[Figure: policy architecture diagram of components C1–C6 drawn as circles connected by arrows; C6 stands apart with no arrows, and one component is marked “Trusted Subject”.]

Circles represent architectural components (subjects / objects). Arrows represent interactions.

Suitability of the architecture for some purpose presumes that the architect’s assumptions are met in the implementation of the architecture diagram.

The absence of an arrow is as significant as the presence of one: this component (C6 in the diagram) has no interaction with any other.

Components are assumed to perform the functions specified by the architect (trusted components enforce a local policy).

The architecture expresses an interaction policy among a collection of components.

D-MILS Project WiP 4 © 2013 D-MILS Project

Page 5

Assumptions Implicit in the Architecture Represent Two Primitive Policies

[Figure: two small diagrams over components C1, C2 and C3, one for each primitive policy.]

1. Isolation: these components / connections have no interaction with each other.

2. Information Flow Control: only explicitly permitted causality, data flow, or interference is permitted. The architecture permits this flow. Only C1 or C2 can cause the flow; C3 can not. The flow is directional and intransitive.
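To make the two primitive policies concrete, here is an added Python example (not code from the D-MILS project or the author) that encodes a constructed policy architecture as a set of directed arrows and checks observed interactions against it. The component names C1–C6 follow the slides; the particular arrows and the observation log are constructed for illustration.

```python
from collections import deque

# Constructed policy architecture in the spirit of slides 4-5: components
# C1..C6, where the arrows are the ONLY permitted interactions and C6 has
# no arrow at all. These arrows are assumed for illustration.
COMPONENTS = {"C1", "C2", "C3", "C4", "C5", "C6"}
ARROWS = {("C1", "C2"), ("C2", "C3"), ("C4", "C1"), ("C3", "C5")}

def permitted(src, dst, arrows=ARROWS):
    """Information flow control: a flow is permitted only if that exact
    directed arrow is in the architecture. Directional: (C1, C2) does not
    permit (C2, C1). Intransitive: (C1, C2) and (C2, C3) do not permit (C1, C3)."""
    return (src, dst) in arrows

def can_cause(actor, src, dst, arrows=ARROWS):
    """Only an endpoint of a permitted arrow may cause that flow; a third
    component (C3 in the slide's example) cannot."""
    return permitted(src, dst, arrows) and actor in (src, dst)

def isolated_components(arrows=ARROWS, components=COMPONENTS):
    """Isolation: the absence of an arrow is as significant as its presence.
    Returns every component the policy leaves with no interaction partner."""
    return {c for c in components if not any(c in edge for edge in arrows)}

def transitively_reachable(src, dst, arrows=ARROWS):
    """What a *transitive* reading of the arrows would allow. Shown only to
    make the gap visible: the MILS policy does NOT grant these flows."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        for a, b in arrows:
            if a == node and b not in seen:
                seen.add(b)
                queue.append(b)
    return dst in seen

def audit(observed, arrows=ARROWS):
    """Check a log of observed interactions against the policy and return
    the flows the platform should have prevented (in log order)."""
    return [(s, d) for s, d in observed if not permitted(s, d, arrows)]

# Constructed observation log, e.g. what a monitoring-plane probe might report.
OBSERVED = [("C1", "C2"), ("C2", "C3"), ("C2", "C1"), ("C1", "C3"), ("C6", "C5")]

if __name__ == "__main__":
    for flow in audit(OBSERVED):
        print("policy violation:", flow)
```

The reverse flow (C2, C1) and the "chained" flow (C1, C3) are flagged even though a transitive reading of the arrows would reach them; that is exactly the directional, intransitive reading the slide calls for.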

D-MILS Project WiP 5 © 2013 D-MILS Project

Page 6

The MILS Platform: Resource-Sharing Components

[Figure: a D-MILS (Distributed MILS) node, drawn as node hardware (HW) with software (SW) above it. The MILS Platform (MP) is the additive composition SK ⊕ Net+ ⊕ Con+ ⊕ FS* ⊕ EA* ⊕ Aud*, and it presents “exported resources” to the software running on it.]

Additive compositionality – e.g., Partitioning Kernel ⊕ Partitioning Net = Partitioning (Kernel + Net)

MP = MILS Platform

+ D-MILS includes limited versions of Net(work) and Con(sole)

* D-MILS does not include MILS FS, EA and Aud components

D-MILS Project WiP 6 © 2013 D-MILS Project

Page 7

MILS Platform – Provides Straightforward Implementation of Policy Architecture

[Figure: the policy architecture (circles and arrows) on the left is mapped onto the MILS Platform on the right, where R1–R5 are the platform resources hosting the operational components.]

Architecture: validity of the architecture assumes that the only interactions of the circles (operational components) are through the arrows depicted in the diagram.

Implementation: SK, with other MILS foundational components, forms the MILS Platform, allowing operational components to share physical resources while enforcing Isolation and Information Flow Control.

D-MILS Project WiP 7 © 2013 D-MILS Project

Page 8

MILS Foundational, Operational, Monitoring, and Configuration Planes

[Figure: the MILS Platform drawn as four planes. Foundational plane: Separation Kernel ⊕ MFS ⊕ MNS ⊕ MEA ⊕ MCS. Operational plane: partitions P1–P5 hosted by the platform. Monitoring plane: performance, debug, health and resource monitoring. Configuration plane: configuration data supplied to each foundational component.]

D-MILS Project WiP 8 © 2013 D-MILS Project

Page 9

Inspiration for Distributed MILS: Policy architecture deployment spanning nodes

[Figure: several nodes, each consisting of Node Hardware running SK ⊕ MNS (its foundational plane). The per-node foundational planes are composed (“+ →”) so that the subjects of one policy architecture can be deployed across all of the nodes.]

D-MILS Project WiP 9 © 2013 D-MILS Project

Page 10

Distributed MILS

• A single policy architecture may span multiple D-MILS nodes expressed in declarative MILS-AADL

• Guarantees similar to a single MILS node: isolation, information flow control, determinism

• Determinism over network could be achieved in various ways – in D-MILS we use Time-Triggered Ethernet (TTE)

• Must configure and schedule the network and the processors of the nodes coherently

• Support verification of architectural properties, presentation of assurance case, and generation of configuration with integrated automation with the greatest practical use of existing verification technology

D-MILS Project WiP 10 © 2013 D-MILS Project

Page 11

D-MILS Technology and Application Areas

• Graphical and Declarative Languages (front-end)
  • Architecture Analysis and Design Language, MILS extended subset (MILS-AADL)
  • Goal Structuring Notation (GSN)

• Integration of GSN and MILS-AADL
  • Structure of GSN assurance case informed by information gleaned from MILS-AADL model

• Representation Semantics and Transformations
  • Semantics preserving transformation between front-end languages and intermediate and back-end languages of the analysis tools

• Compositional Verification
  • Reduce verification of system to independent verification of its parts
  • Properties to verify and appropriate verification strategies and tools

• Compositional Assurance Cases
  • Modular GSN - Rely / guarantee argumentation

• Configuration Compiler
  • Generate configuration information for D-MILS nodes and connecting TT network infrastructure
  • Configuration constrained by actual physical resources available and other semantic analyses

• D-MILS Platform
  • TTEthernet – Distributed MILS network drivers and configuration
  • LynxSecure separation kernel with MILS Networking Subsystem (MNS)

• D-MILS Industrial Demonstrators
  • Smart Micro Grid – fortiss
  • Voice Services – Frequentis

D-MILS Project WiP 11 © 2013 D-MILS Project

Page 12

D-MILS Technology Areas

[Figure: block diagram relating the technology areas to tool elements. Front-end: Architecture Analysis and Design Language with Behavior Annotation and Property Annotation, and Goal Structuring Notation (technology areas: Graphical & Declarative Languages; Integration GSN & AADL). Middle: Intermediate Languages (Representation Semantics and Transformations), Verification Framework (Compositional Verification), Assurance Framework (Compositional Assurance Case). Back-end: D-MILS Configuration Compiler (Configuration Compiler) and D-MILS Platform, consisting of Extended Separation Kernel, Ext. Time Triggered Ethernet and Extended Configuration tools. Pre-existing products: LSK, TTE.]

Page 13

Distributed MILS Technology Elements

[Figure: diagram of the technology elements. Legend: arrow kinds for artifact generation/use, resource availability and technology application; node kinds for tool input / output artifact, tool, modified or new component, and application demonstrator. Elements shown: System Purpose, System Properties, MILS-AADL ext’d subset, Representations & Transformations, Verification System, Verification Evidence, GSN Integration, GSN Assur. Case, Configuration Compiler, SK Config’n, TTE Config’n, Resource Inventory, Automation, D-MILS Platform (Separation Kernel, TT Ethernet, MNS, MCS), and the demonstrators fortiss Smart Microgrid and Frequentis Voice Services.]

D-MILS Project WiP 13 © 2013 D-MILS Project

Page 14

Distributed MILS Platform – MILS nodes with deterministic communication

TTEthernet enables: realization of deterministic distributed MILS architectures

A Distributed MILS Platform:

[Figure: several nodes, each Node Hardware running SK ⊕ MNS (its foundational plane), interconnected through TTE switches.]

D-MILS Project WiP 14 © 2013 D-MILS Project

Page 15

D-MILS System Assurance Case Structure

• Compose assurance cases modularly using Assume-Guarantee Reasoning

• D-MILS System assurance requires the validity of three sub-cases

• Assumptions from D-MILS System assurance case become obligations on the sub-cases

[Figure: the D-MILS System High-Level Assurance Argument, rooted in the D-MILS System Goals, rests on three sub-cases: the Policy Architecture Assurance Argument (PA Goals), the MILS Platform Assurance Argument (D-MP Goals), and the Environment Assurance Argument (Env Goals). Assume/Guarantee links connect the top-level case to each sub-case.]

D-MILS Project WiP 16 © 2013 D-MILS Project

Page 16

MILS Platform Assurance Case Structure

• The D-MILS Platform is composed of three major subsystems: MSK, MNS, MCS

• Assumptions from D-MILS Platform assurance case become goals for the components

• Assured Goals from component assurance cases become evidence for D-MILS Platform sub-cases

• Ground evidence provides the ultimate justification for the assurance case

[Figure: the MILS Platform Assurance Argument, rooted in the D-MP Goals, is decomposed through inference rules into three sub-cases: the MILS Separation Kernel Assurance Argument (MSK Goals), the MILS Network Sys Assurance Argument (MNS Goals), and the MILS Console System Assurance Argument (MCS Goals). Each is joined to the platform case by Assume/Guarantee links and is itself grounded, through inference rules, in Evidence.]
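The assume-guarantee composition described on this slide and the previous one can be checked mechanically. The following added Python example (not the project's own tooling) models the two-level structure from the slides (System → Policy Architecture / MILS Platform / Environment; MILS Platform → MSK / MNS / MCS) and reports assumptions no sub-case discharges and leaf cases without ground evidence. All goal and evidence names are constructed placeholders.

```python
from collections import defaultdict

class Case:
    """One GSN-style (sub-)case: the goals it guarantees, the assumptions it
    makes (which become obligations on its sub-cases) and the ground
    evidence it cites directly."""
    def __init__(self, name, guarantees, assumes=(), evidence=()):
        self.name, self.guarantees = name, set(guarantees)
        self.assumes, self.evidence = set(assumes), set(evidence)

def discharge(case, subcases):
    """Assume-guarantee step: every assumption of `case` must be guaranteed
    by exactly one sub-case. Returns (unmet, ambiguous) assumption lists."""
    providers = defaultdict(list)
    for sub in subcases:
        for goal in sub.guarantees:
            providers[goal].append(sub.name)
    unmet = sorted(a for a in case.assumes if a not in providers)
    ambiguous = sorted(a for a in case.assumes if len(providers.get(a, [])) > 1)
    return unmet, ambiguous

def audit(case, tree):
    """Walk the case tree. A case with sub-cases must discharge all of its
    assumptions; a leaf case must rest on ground evidence. Returns findings."""
    findings, subs = [], tree.get(case.name, [])
    if subs:
        unmet, ambiguous = discharge(case, subs)
        findings += [f"{case.name}: unmet assumption '{a}'" for a in unmet]
        findings += [f"{case.name}: assumption '{a}' guaranteed by several sub-cases"
                     for a in ambiguous]
        for sub in subs:
            findings += audit(sub, tree)
    elif not case.evidence:
        findings.append(f"{case.name}: leaf case cites no ground evidence")
    return findings

# Constructed skeleton following slides 15-16. Goal and evidence names are
# illustrative placeholders, not the project's own GSN goals.
SYSTEM = Case("D-MILS System", ["system purpose achieved"],
              assumes=["policy architecture suitable", "platform enforces isolation and IFC",
                       "environment assumptions hold"])
PA = Case("Policy Architecture", ["policy architecture suitable"], evidence=["MILS-AADL analysis"])
ENV = Case("Environment", ["environment assumptions hold"], evidence=["deployment review"])
MP = Case("MILS Platform", ["platform enforces isolation and IFC"],
          assumes=["MSK isolates partitions", "MNS isolates network flows", "MCS isolates console flows"])
MSK = Case("MILS Separation Kernel", ["MSK isolates partitions"], evidence=["kernel verification"])
MNS = Case("MILS Network System", ["MNS isolates network flows"], evidence=["TTE configuration check"])
MCS = Case("MILS Console System", ["MCS isolates console flows"])  # constructed gap: no evidence yet
TREE = {"D-MILS System": [PA, MP, ENV], "MILS Platform": [MSK, MNS, MCS]}
```

Running `audit(SYSTEM, TREE)` reports only the MCS leaf without evidence; dropping MCS from the platform's sub-cases instead surfaces the platform assumption that no sub-case discharges.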

D-MILS Project WiP 17 © 2013 D-MILS Project

Page 17

Demonstrator: fortiss Smart Microgrid

D-MILS Project WiP 18 © 2013 D-MILS Project

Page 18

Demonstrator: Frequentis Voice Services

Abbreviations: cwp: controller working position; rce: radio control equipment; r-rce: remote rce; c-rce: center rce; swim: system wide information management

D-MILS Project WiP 19 © 2013 D-MILS Project