Distributed MILS Project Work-in-Progress
Rance DeLong
D-MILS Project WiP 1 © 2013 D-MILS Project
Distributed MILS (D-MILS) Project
European Commission FP7 Project #318772 December 2012 – December 2015
D-MILS Project Consortium Partners Fondazione Bruno Kessler – Italy Fortiss – Germany Frequentis – Austria LynuxWorks – France RWTH Aachen University – Germany The Open Group – United Kingdom – Lead TTTech – Austria Université Joseph Fourier – France University of York – United Kingdom
D-MILS Project WiP 2 © 2013 D-MILS Project
Short MILS Review MILS is a component-based approach for the construction, assurance, and
certification of dependable systems that encourages a commercial marketplace of off-the-shelf high-assurance components
MILS can be understood as a two phase approach: Architecture
• Abstract policy architecture represented with “boxes” (operational components) and “arrows” (interactions)
• System purpose is achieved by behavior of the operational components and their interactions
• Assumption: the architecture will be strictly enforced Implementation
• A robust resource-sharing platform composed of MILS foundational components creates strongly isolated “exported resources”
• Components individually developed and assured according to standard specifications
• Components compose “additively” to form a distributed trusted sharing substrate, the MILS Platform
D-MILS Project WiP 3 © 2013 D-MILS Project
MILS Policy Architecture
C2
C4 C1
C3
C5
Circles represent���architectural���components ���(subjects /���objects)
Arrows represent���interactions
Suitability of the architecture for some purpose���presumes that the architect’s assumptions are met���in the implementation of the architecture diagram.
C6
The absence of an ���arrow is as significant���as the presence of one
This component���has no interaction ���with any other
Components are���assumed to perform���the functions specified���by the architect���(trusted���components enforce���a local policy)
The architecture���expresses an ���interaction policy���among a collection ���of components
Trusted Subject
D-MILS Project WiP 4 © 2013 D-MILS Project
Assumptions Implicit in the Architecture Represent Two Primitive Policies
C2 C1
1. Isolation
Only explicitly permitted ���causality, data flow, or interference,���is permitted. The architecture���permits this flow. Only C1 or C2���can cause the flow, C3 can not. The���flow is directional and intransitive.
These components / connections have���no interaction with ���each other
C2 C1
2. Information ���Flow Control
C3
D-MILS Project WiP 5 © 2013 D-MILS Project
The MILS Platform: Resource-Sharing Components
Exported ���Resources
⊕ Additive���Composition
additive compositionality – e.g., Partitioning Kernel ⊕ Partitioning Net = Partitioning (Kernel + Net) MP = MILS Platform + D-MILS includes limited versions of Net(work) and Con(sole)
* D-MILS does not include MILS FS, EA and Aud components
SW HW
SW MP
SW HW
SW HW
SK Net+ Con+ FS*
⊕ ⊕ ⊕ ⊕
EA* Aud*
SW HW
SW MP
D-MILS Distributed MILS node
⊕
D-MILS Project WiP 6 © 2013 D-MILS Project
MILS Platform – Provides Straightforward Implementation of Policy Architecture
Architecture
Implementation SK, with other MILS ���foundational components,���form the MILS Platform���allowing operational���components to share���physical resources while���enforcing Isolation and ���Information Flow Control
Validity of the architecture���assumes that the only���interactions of the circles ���(operational components) is through the arrows ���depicted in the diagram
R 1
R 2
R 3 R 5
R 4
MILS Platform
D-MILS Project WiP 7 © 2013 D-MILS Project
MILS Foundational, Operational, Monitoring, and Configuration Planes
P 1
P 2
Separation Kernel ⊕
P 3 P 5
P 4
Configura)on Data
Configura)on Data
Configura)on Data
CO
NFI
GU
RAT
ION
PLA
NE
FOUNDATIONAL PLANE
OPERATIONAL PLANE
MONITORING PLANE
MFS MNS
MEA
MCS
PERFORMANCE DEBUG
HEALTH
RESOURCE
MILS Platform
MILS Platform
D-MILS Project WiP 8 © 2013 D-MILS Project
Inspiration for Distributed MILS: Policy architecture deployment spanning nodes
Node Hardware SK
MNS
Node Hardware SK
MNS
Node Hardware
SK ⊕ MNS ���Foundational Plane + →
Node Hardware
Subjects Subjects Subjects
D-MILS Project WiP 9 © 2013 D-MILS Project
Distributed MILS
A single policy architecture may span multiple D-MILS nodes expressed in declarative MILS-AADL
Guarantees similar to a single MILS node: isolation, information flow control, determinism
Determinism over network could be achieved in various ways – in D-MILS we use Time-Triggered Ethernet (TTE)
Must configure and schedule the network and the processors of the nodes coherently
Support verification of architectural properties, presentation of assurance case, and generation of configuration with integrated automation with the greatest practical use of existing verification technology
D-MILS Project WiP 10 © 2013 D-MILS Project
D-MILS Technology and Application Areas
Graphical and Declarative Languages (front-end) Architecture Analysis and Design Language, MILS extended subset (MILS-AADL) Goal Structuring Notation (GSN)
Integration of GSN and MILS-AADL Structure of GSN assurance case informed by information gleaned from MILS-AADL model
Representation Semantics and Transformations Semantics preserving transformation between front-end languages and intermediate and back-end languages of
the analysis tools
Compositional Verification Reduce verification of system to independent verification of its parts Properties to verify and appropriate verification strategies and tools
Compositional Assurance Cases Modular GSN - Rely / guarantee argumentation
Configuration Compiler Generate configuration information for D-MILS nodes and connecting TT network infrastructure Configuration constrained by actual physical resources available and other semantic analyses
D-MILS Platform TTEthernet – Distributed MILS network drivers and configuration LynxSecure separation kernel with MILS Networking Subsystem (MNS)
D-MILS Industrial Demonstrators Smart Micro Grid – fortiss Voice Services – Frequentis
D-MILS Project WiP 11 © 2013 D-MILS Project
D-MILS Technology Areas
Architecture Analysis and
Design Language
Inter- mediate
Languages
Verification Framework
D-MILS Configuration
Compiler
D-MILS Platform
Extended Separation
Kernel
Ext. Time Triggered Ethernet
Extended Configuration
tools
Assurance Framework
Goal Structuring Notation
Behavior Annotation Property
Annotation
D-MILS Platform
Configuration Compiler
Integration GSN & AADL
Graphical & Declarative Languages
Compositional Verification
Compositional Assurance Case
Representation Semantics and Transformations
Pre-existing products LSK TTE
Distributed MILS Technology Elements
Artifact generation/use
Resource availability
Technology Application
Tool Input / Output Artifact
Tool
Modified or new component
Application demonstrator
MNS
MILS-AADL ext’d subset
Representations &
Transformations
Configuration Compiler
GSN Assur. Case
SK Config’n
TTE Config’n
Separation Kernel
TT Ethernet
Verification System
Verification Evidence
fortiss Smart Microgrid
Frequentis Voice Services
Resource Inventory
MCS
D-MILS Platform
Automation
System Purpose
System Properties
GSN Integration
D-MILS Project WiP 13 © 2013 D-MILS Project
Distributed MILS Platform – MILS nodes with deterministic communication
TTEthernet
Enables: Realization of deterministic distributed MILS architectures
A Distributed MILS Platform:
Node Hardware
SK ⊕ MNS ���Foundational Plane
Node Hardware
SK MNS
SK MNS
SK MNS
SK MNS
Node Hardware Node Hardware Node Hardware
SK MNS
TTE Switch TTE Switch
TTE Switch
D-MILS Project WiP 14 © 2013 D-MILS Project
D-MILS System Assurance Case Structure
Compose assurance cases modularly using Assume-Guarantee Reasoning
D-MILS System assurance requires the validity of three sub-cases
Assumptions from D-MILS System assurance case become obligations on the sub-cases
D-MILS ���System���Goals
Sub-case
Sub-case
Sub-case
Policy Architecture
Environment
D-MILS System High-Level���Assurance Argument
D-MP���Goals
P A ���Goals
Policy Architecture���Assurance Argument
MILS Platform���Assurance Argument
Env���Goals
Environment���Assurance Argument
Assume Guarantee Guarantee Assume
MILS Platform
D-MILS Project WiP 16 © 2013 D-MILS Project
MILS Platform Assurance Case Structure
The D-MILS Platform is composed of three major subsystems: MSK, MNS, MCS
Assumptions from D-MILS Platform assurance case become goals for the components
Assured Goals from component assurance cases become evidence for D-MILS Platform sub-cases
Ground evidence provides the ultimate justification for the assurance case
D-MP���Goals
Sub-case
Sub-case
Sub-case
Inference rule
Inference rule
MILS Platform���Assurance Argument
MSK���Goals
MNS���Goals
MCS���Goals
Inference rule
Inference rule
Inference rule
Inference rule
Inference rule
Inference rule
MILS Separation Kernel���Assurance Argument
MILS Network Sys ���Assurance Argument
MILS Console System���Assurance Argument
Assume Guarantee Guarantee
EV
IDEN
CE
D-MILS Project WiP 17 © 2013 D-MILS Project
Demonstrator: fortiss Smart Microgrid
D-MILS Project WiP 18 © 2013 D-MILS Project
Demonstrator: Frequentis Voice Services
cwp... controller working position rce...radio control equipment r-rce...remote rce c-rce...center rce swim...system wide information management
D-MILS Project WiP 19 © 2013 D-MILS Project