Layered Assurance Workshop D-MILS Technology Achievements 1
Distributed MILS (D-MILS) Technology
Achievements Rance DeLong
Layered Assurance Workshop D-MILS Technology Achievements 2
A Brief MILS/D-MILS Refresher n MILS is a component-based approach for the construction, assurance, and
certification of dependable systems that encourages a commercial marketplace of off-the-shelf high-assurance components
n MILS can be understood as a two phase approach: t Architecture
• Abstract policy architecture represented with “boxes” (operational components) and “arrows” (interactions)
• System purpose is achieved by behavior of the operational components and their interactions
• Assumption: the architecture will be strictly enforced t Implementation
• A robust resource-sharing platform composed of MILS foundational components creates strongly isolated “exported resources”
• Components individually developed and assured according to standard specifications
• Components compose “additively” to form a distributed trusted sharing substrate, the MILS Platform
Layered Assurance Workshop D-MILS Technology Achievements 3
MILS Policy Architecture
C2
C4 C1
C3
C5
Circles represent���architectural���components ���(subjects /���objects)
Arrows represent���interactions
Suitability of the architecture for some purpose���presumes that the architect’s assumptions are met���in the implementation of the architecture diagram.
C6
The absence of an ���arrow is as significant���as the presence of one
This component���has no interaction ���with any other
Components are���assumed to perform���the functions specified���by the architect���(trusted���components enforce���a local policy)
The architecture���expresses an ���interaction policy���among a collection ���of components
Trusted Subject
Layered Assurance Workshop D-MILS Technology Achievements 4
MILS Platform – Provides Straightforward Implementation of Policy Architecture
Architecture
Implementation SK, with other MILS ���foundational components,���form the MILS Platform���allowing operational���components to share���physical resources while���enforcing Isolation and ���Information Flow Control
Validity of the architecture���assumes that the only���interactions of the circles ���(operational components) is through the arrows ���depicted in the diagram
R 1
R 2
R 3 R 5
R 4
MILS Platform
Layered Assurance Workshop D-MILS Technology Achievements 5
The MILS Platform: Resource-Sharing Components
Exported ���Resources
⊕ Additive���Composition
additive compositionality – e.g., Partitioning Kernel ⊕ Partitioning Net = Partitioning (Kernel + Net) MP = MILS Platform + D-MILS includes limited versions of Net(work) and Con(sole)
* D-MILS does not include MILS FS, EA and Aud components
SW HW
SW MP
SW HW
SW HW
SK Net+ Con+ FS*
⊕ ⊕ ⊕ ⊕
EA* Aud*
SW HW
SW MP
D-MILS Distributed MILS node
⊕
Layered Assurance Workshop D-MILS Technology Achievements 6
Distributed MILS
n A single policy architecture may span multiple D-MILS nodes expressed in declarative MILS-AADL
n Guarantees similar to a single MILS node: isolation, information flow control, determinism
n Determinism over network could be achieved in various ways – in D-MILS we use Time-Triggered Ethernet (TTE)
n Must configure and schedule the network and the processors of the nodes coherently
n Support verification of architectural properties, presentation of assurance case, and generation of configuration with integrated automation with the greatest practical use of existing verification technology
Layered Assurance Workshop D-MILS Technology Achievements 7
Distributed MILS: Policy architecture deployment spanning nodes
Node Hardware SK
MNS
Node Hardware SK
MNS
Node Hardware
SK ⊕ MNS ���Foundational Plane + →
Node Hardware
Subjects Subjects Subjects
Layered Assurance Workshop D-MILS Technology Achievements 8
Distributed MILS Platform – MILS nodes with deterministic communication
TTEthernet
Enables: Realization of deterministic distributed MILS architectures
A Distributed MILS Platform:
Node Hardware
SK ⊕ MNS ���Foundational Plane
Node Hardware
SK MNS
SK MNS
SK MNS
SK MNS
Node Hardware Node Hardware Node Hardware
SK MNS
TTE Switch TTE Switch
TTE Switch
Layered Assurance Workshop D-MILS Technology Achievements 9
D-MILS Technology Areas
n Graphical and Declarative Languages (front-end) t Architecture Analysis and Design Language, MILS extended subset (MILS-AADL) t Goal Structuring Notation (GSN)
n Integration of GSN and MILS-AADL t Structure of GSN assurance case informed by information gleaned from MILS-AADL model
n Representations and Transformations t Semantics preserving transformation between front-end languages and intermediate and back-
end languages of the analysis tools
n Compositional Verification t Reduce verification of system to independent verification of its parts t Properties to verify and appropriate verification strategies and tools
n Compositional Assurance Cases t Modular GSN t Rely / guarantee argumentation
n Configuration Compiler t Generate configuration information for D-MILS nodes and connecting TT network infrastructure t Configuration constrained by actual physical resources available
n D-MILS Platform t Separation kernel with extended configuration t MILS Network Subsystem with TTEthernet
Layered Assurance Workshop D-MILS Technology Achievements 10
Technology Work Package Relationships
WP1 Requirements Specification
WP2 Graphical & Declarative Languages
WP3 Representation Semantics & Transforms
WP4 Compositional Verification
WP5 D-MILS Platform Configuration Compiler
WP6 Separation Kernel Extensions
WP7 Integration & Evaluation
WP8 Dissemination & Exploitation
WP9 Project Management
MILS-AADL Annotations Verification framework
Assurance Case
Deployment Flexible Targeting
Technical Platform
Representations Transformations
Layered Assurance Workshop D-MILS Technology Achievements 11
Summary of D-MILS Project Technology Achievements
n Coordinated “top-to-bottom” and “end-to-end” strategy has been demonstrated – from declarative system description language, through verification, to platform deployment and execution
n Basis for increased confidence that system meets requirements, through modelling, analysis, and construction.
n D-MILS Declarative language t MILS-AADL extended subset of standard AADL, syntax and formal semantics t compiler implementation with translations to languages of the backend tools in the D-MILS tool chain
n D-MILS Assurance Case t Automated support for compositional assurance with modular assurance case guided by declarative language features t Integration of verification results
n Compositional Verification t Application of Contract-Based Design (CBD) to MILS – critical to MILS refinement claims t Integrated framework providing a high degree of verification automation and simulation
n D-MILS Configuration Compiler t Automated configuration of distributed platform to distributed mode t Coherent details of system deployment across multiple nodes t Method to ensure configuration correctness
n D-MILS Distributed Platform t Operational deterministic distributed platform based on: t Extended separation kernel (LynxSecure) t MILS Network System t Extended deterministic networking (TTEthernet) t MILS Console System
n D-MILS Industrial Demonstration and Evaluation t Use and assessment of D-MILS tool chain for modeling/verification/deployment of two industrial use cases t fortiss Smart Microgrid t Frequentis Voice Services
Layered Assurance Workshop D-MILS Technology Achievements 12
More about selected accomplishments
Layered Assurance Workshop D-MILS Technology Achievements 13
WP2 Declarative Language & WP3 Semantics and Transformations
n Prior to D-MILS t SLIM dialect of AADL t COMPASS analysis tools
n Accomplishments of D-MILS t MILS-AADL syntax and formal semantics
including MILS features, ops and data types t Translations to SMV/BIP/Prolog t Integration of annotations for property
specifications, contracts, and deployment t Analysis of cryptographically masked info flow t Slicing-based verification procedure for info
flow properties supporting encryption
Layered Assurance Workshop D-MILS Technology Achievements 14
WP2 Declarative Language & WP3 Semantics and Transformations
n WP2: Languages t Definition and parsing of MILS-AADL t Extended data types and operations t XML metamodel and export
n WP3: Semantics and Transformations t Definition of formal semantics t Support for translation to SMV/BIP/Prolog and XML for GSN
Layered Assurance Workshop D-MILS Technology Achievements 15
WP4 Compositional Verification
n Prior to D-MILS, these tools and their analyses t COMPASS t nuSMV, OCRA t BIP
n Accomplishments of D-MILS t Integrated verification framework t Contract-Based Design applied to MILS-AADL t New algorithms, including invariants and temporal logics t New and extended properties and compositional analyses
• Functional requirements • Security • Safety • Real-time • Hybrid systems • Timed systems • Uniform Verification of Parameterized Systems • Deadlock freedom • Transitive non-interference
Layered Assurance Workshop D-MILS Technology Achievements 16
nuXm
v
nuXm
v
Compositional Verification Tool Chain
MILS-AADL analysis
Contract refinement
Temporal logic
entailment
Model checking of
liveness
Model checking of invariant
Contract-based
fault-tree analysis
FTA as param
synthesis
COMPASS extended with contract-based analysis
OCRA extended with EUF
New translation to OCRA
nuXmv extended with EUF
CO
MPA
SS
OCRA
nuXm
v xSA
P
OCRA
New algorithm for temporal logics with infinite-state systems New algorithm
for invariants with infinite-state systems
Layered Assurance Workshop D-MILS Technology Achievements 17
WP4 Compositional Assurance
n Prior to D-MILS t Manual construction of assurance case t Manual confirmation of completeness and
correspondence to system design n Accomplishments of D-MILS
t Assurance argument pattern catalogue t Automation of assurance argument creation
with pattern instantiation from models by Model-Based Assurance Case (M-BAC) tool
t Integration of assurance argument with design and verification by Weaving model with explicit mapping to system models
Layered Assurance Workshop D-MILS Technology Achievements 18
Con: components
trusted software components: {trusted software components}
Con: enviroProps
assumed environmental properties: {assumed environmental properties}
Goal: verifResults
Results of formal verification demonstrate {formal property} is satisfied
Goal: formalConf
There is sufficient confidence in the formal verification results
Sol: verifResults
{formal verification results for {formal
property}}
Goal: formalVerif
Formal verification proves that the MILS- AADL model satisfies {formal property}
Goal: formalVerifError
Formal verification proves that the extended MILS-‐ AADL error model satisfies {formal property}
Goal: errorModel
MILS-‐AADL error model of {system} is complete and correct
Con: errorModel
{MILS-‐AADL error model}
Where {property type} = safety
Con: platformProps
properties of D-‐MILS platform: {assumed platform properties}
Goal: propSat
{formal property} is satisfied in the MILS-AADL system model
Goal: verification
Verification using {technique} gives trustworthy results
{technique} process
{error model} process
Goal: activityTrust _Process
{Activity} is sufficiently trustworthy
Process
Goal: activityTrust _Process
{Activity} is sufficiently trustworthy
Process
Con: components
trusted software components: {trusted software components}
Con: enviroProps
assumed environmental properties: {assumed environmental properties}
Goal: verifResults
Results of formal verification demonstrate {formal property} is satisfied
Goal: formalConf
There is sufficient confidence in the formal verification results
Sol: verifResults
{formal verification results for {formal
property}}
Goal: formalVerif
Formal verification proves that the MILS- AADL model satisfies {formal property}
Goal: formalVerifError
Formal verification proves that the extended MILS-‐ AADL error model satisfies {formal property}
Goal: errorModel
MILS-‐AADL error model of {system} is complete and correct
Con: errorModel
{MILS-‐AADL error model}
Where {property type} = safety
Con: platformProps
properties of D-‐MILS platform: {assumed platform properties}
Goal: propSat
{formal property} is satisfied in the MILS-AADL system model
Goal: verification
Verification using {technique} gives trustworthy results
{technique} process
{error model} process
Goal: activityTrust _Process
{Activity} is sufficiently trustworthy
Process
Goal: activityTrust _Process
{Activity} is sufficiently trustworthy
Process
Con: components
trusted software components: {trusted software components}
Con: enviroProps
assumed environmental properties: {assumed environmental properties}
Goal: verifResults
Results of formal verification demonstrate {formal property} is satisfied
Goal: formalConf
There is sufficient confidence in the formal verification results
Sol: verifResults
{formal verification results for {formal
property}}
Goal: formalVerif
Formal verification proves that the MILS- AADL model satisfies {formal property}
Goal: formalVerifError
Formal verification proves that the extended MILS-‐ AADL error model satisfies {formal property}
Goal: errorModel
MILS-‐AADL error model of {system} is complete and correct
Con: errorModel
{MILS-‐AADL error model}
Where {property type} = safety
Con: platformProps
properties of D-‐MILS platform: {assumed platform properties}
Goal: propSat
{formal property} is satisfied in the MILS-AADL system model
Goal: verification
Verification using {technique} gives trustworthy results
{technique} process
{error model} process
Goal: activityTrust _Process
{Activity} is sufficiently trustworthy
Process
Goal: activityTrust _Process
{Activity} is sufficiently trustworthy
Process
Con: components
trusted software components: {trusted software components}
Con: enviroProps
assumed environmental properties: {assumed environmental properties}
Goal: verifResults
Results of formal verification demonstrate {formal property} is satisfied
Goal: formalConf
There is sufficient confidence in the formal verification results
Sol: verifResults
{formal verification results for {formal
property}}
Goal: formalVerif
Formal verification proves that the MILS- AADL model satisfies {formal property}
Goal: formalVerifError
Formal verification proves that the extended MILS-‐ AADL error model satisfies {formal property}
Goal: errorModel
MILS-‐AADL error model of {system} is complete and correct
Con: errorModel
{MILS-‐AADL error model}
Where {property type} = safety
Con: platformProps
properties of D-‐MILS platform: {assumed platform properties}
Goal: propSat
{formal property} is satisfied in the MILS-AADL system model
Goal: verification
Verification using {technique} gives trustworthy results
{technique} process
{error model} process
Goal: activityTrust _Process
{Activity} is sufficiently trustworthy
Process
Goal: activityTrust _Process
{Activity} is sufficiently trustworthy
Process
D-MILS assurance argument patterns
M-BAC pattern editor
D-MILS system models
D-MILS system models
D-MILS system models
Weaving model
D-MILS assurance case
Compositional Assurance Tool Chain
Layered Assurance Workshop D-MILS Technology Achievements 19
WP5 MILS Platform Configuration Compiler
n Prior to D-MILS t Single system, no distributed or global view t No interoperability of diverse products t No cohesive implementation of “MILS Platform” t No traceability of deployment to design spec
n Accomplishments of D-MILS t Global configuration of distributed MILS system t Flows from high-level design specification t Flexible targeting based on adapters t Configuration representation standard emerging t Configuration correctness validation
Layered Assurance Workshop D-MILS Technology Achievements 20
Configuration Compiler
MCNF Backend
Frontend
Policy Architecture
MILS-AADL
D-MILS Platform
MILS-AADL
SK Configuration
XML
GIFP Configuration
XML
Network Configuration
XML
MPCC annotations
Prolog Engine
MPCC: MILS Platform
Configuration Compiler
User Interface
User Interaction
Flexible retargeting by adapters
MILS to Prolog translator
MCNF External
Representation (Prolog or XML)
Layered Assurance Workshop D-MILS Technology Achievements 21
WP6 D-MILS Platform - SK extensions
n Prior to D-MILS t Independent separation kernel implementation and
standalone configuration t “D-MILS Platform” as an integration of SK, MILS Network
System, and MILS Console was only a concept (MNS and MCS did not previously exist)
n Accomplishments of D-MILS t Distributed MILS Platform from integration of LynxSecure
and MNS/TTEthernet + MCS t Security extensions to TTEthernet t Deterministic system: nodes and communication t Operational support for distributed architectures t Platform configuration tools now connected through D-
MILS tool chain all the way back to the MILS-AADL system model
Layered Assurance Workshop D-MILS Technology Achievements 22
WP7 Industrial Demonstrations
n Detailed evaluations performed n Frequentis Voice Service (FVS)
t MILS AADL specs for FVS t Prototype MILS Console system
n fortiss Smart Micro Grid (SMG) t MILS AADL specs for SMG t Starlight example – MILS-AADL to
configuration to running demo n Provide excellent feedback for future
development of D-MILS tools/platform
Layered Assurance Workshop D-MILS Technology Achievements 23
Summary and Lessons Learned
n Our goals were ambitious and we are very proud of our accomplishments.
n We’ve learned much about what needs to be done to improve usability and applicability of tools and platform t Improvements for platform performance t Integration, modularity, and UI of tools t Methodology and supporting features t Extension to dynamic systems t Upgrade TRL of all components