MILS Architectural Approach Supporting Trustworthiness of the Iiot Solutions

Total Page:16

File Type:pdf, Size:1020Kb

MILS Architectural Approach Supporting Trustworthiness of the Iiot Solutions MILS Architectural Approach Supporting Trustworthiness of the IIoT Solutions An Industrial Internet Consortium Whitepaper Rance J. DeLong (The Open Group); Ekaterina Rudina (Kaspersky) MILS Architectural Approach Context and Overview 1 Context and Overview ...................................................................................................... 4 1.1 Need for Trustworthy System Operation ............................................................................. 5 1.2 What is MILS today .............................................................................................................. 6 1.3 How MILS Addresses Safety ................................................................................................. 7 1.4 How MILS Addresses Security .............................................................................................. 8 1.5 How MILS Supports Reliability, Resilience, and Privacy ........................................................ 9 2 MILS Concepts .................................................................................................................. 9 2.1 Centralized vs Distributed Security Architecture .................................................................. 9 2.1.1 Domain Isolation .................................................................................................................................. 10 2.1.2 Isolation and Information Flow Control ............................................................................................... 11 2.1.3 Separation as a Basis for the MILS Architectural Approach................................................................. 11 2.2 MILS Policy Architecture .................................................................................................... 12 2.2.1 Policy Architecture ............................................................................................................................... 12 2.2.2 Distributed Policy Architectures .......................................................................................................... 14 2.2.3 Static and Dynamic MILS Policy Architectures ..................................................................................... 15 2.2.4 Realization of a Policy Architecture ..................................................................................................... 16 2.3 MILS Platform .................................................................................................................... 18 2.3.1 Separation Kernel ................................................................................................................................ 18 2.3.1.1 Partitioning Resources into Domains ......................................................................................... 19 2.3.1.2 Support for Interdomain Communication .................................................................................. 20 2.3.1.3 Security Policy Enforcement ...................................................................................................... 21 2.3.1.4 Memory Management ............................................................................................................... 22 2.3.1.5 Scheduling .................................................................................................................................. 23 2.3.1.6 Periods Processing ...................................................................................................................... 23 2.3.1.7 Minimal Interrupt Servicing ....................................................................................................... 24 2.3.1.8 Minimal Synchronization Primitives, Timers and Watchdogs .................................................... 24 2.3.1.9 Instrumentation ......................................................................................................................... 24 2.3.2 Separation-Supporting Hardware ........................................................................................................ 24 2.3.2.1 CPU ............................................................................................................................................. 25 2.3.2.2 Memory Management Unit ....................................................................................................... 26 2.3.2.3 IOMMU ....................................................................................................................................... 28 2.3.3 MILS Platform Foundational Components ........................................................................................... 29 2.3.3.1 MILS Separation Kernel (MSK) ................................................................................................... 31 2.3.3.2 MILS Network System (MNS) ..................................................................................................... 31 2.3.3.3 MILS Console System (MCS) ....................................................................................................... 32 2.3.3.4 MILS File System (MFS) .............................................................................................................. 32 2.3.3.5 MILS Extended Attributes System (MEAS) ................................................................................. 32 2.3.3.6 MILS Audit System (MAS) ........................................................................................................... 33 2.3.3.7 MILS Platform Interface ............................................................................................................. 33 3 MILS Assurance and Trustworthiness for IIoT ................................................................. 34 2 MILS Architectural Approach Context and Overview 3.1 Assurance .......................................................................................................................... 34 3.1.1 Assurance for the MILS Platform and a MILS Policy Architecture ....................................................... 35 3.1.2 Compositional Assurance .................................................................................................................... 36 3.1.3 Assurance Case .................................................................................................................................... 37 3.2 Trust by design .................................................................................................................. 38 3.3 Trust by assurance ............................................................................................................. 40 3.3.1 Reasoning about Noninterference....................................................................................................... 41 3.3.2 Reasoning about Static and Dynamic MILS Policy Architectures ......................................................... 42 3.3.3 Compositional Verification for MILS-based systems ........................................................................... 45 3.4 Assurable Kernel and MILS Platform Components ............................................................. 47 4 MILS Evolution, Examples and Case Studies ................................................................... 47 4.1 MILS Evolution and Key Directions for the Future .............................................................. 47 4.1.1 A Whirlwind Tour of MILS 1980-Present ............................................................................................. 47 4.1.1.1 Pre-MILS Era 1980 ~ 1999 .......................................................................................................... 48 4.1.1.2 Classic MILS Era 2000 ~ 2007 ..................................................................................................... 49 4.1.1.3 Modern MILS Era 2008 ~ 2012 ................................................................................................... 49 4.1.1.4 Progressive MILS Era 2012 ~ Present ......................................................................................... 50 4.1.2 Variations on the MILS Platform .......................................................................................................... 50 4.1.2.1 Distributed MILS Platform .......................................................................................................... 50 4.1.2.2 Dynamic MILS Platform .............................................................................................................. 52 4.1.2.3 Adaptive MILS Framework ......................................................................................................... 53 4.1.2.4 Heterogeneous MILS Platform ................................................................................................... 55 4.2 MILS Case Studies for IIoT .................................................................................................. 56 4.2.1 MILS-based security platform for railway command and control systems ......................................... 56 4.2.2 Distributed MILS Platform for Secure Smart Grids .............................................................................. 60 4.2.3 Adaptive MILS for Resilient ATC Remote Tower Communications ...................................................... 64 4.2.4 Trusted Smart Phone for Enterprise and Personal Communications .................................................. 68 4.3 Next Steps for MILS in IIoT ................................................................................................
Recommended publications
  • Microsoft and Wind River Are Currently in a "Dead Heat" For
    Microsoft and Wind River are currently in a "dead heat" for the top position in sales of embedded operating system software and toolkits, according to Stephen Balacco, embedded software analyst at Venture Development Corp. (VDC). In terms of the sale of real-time operating systems, on the other hand, Balacco said Wind River still maintains a "commanding market leadership position," but noted that Wind River has been "as challenged as any supplier in this market space over the last two years in the face of a slumping telecommunications industry, where they have been highly leveraged for sales, as well as [from] increased competition from royalty-free and Linux OS vendors making inroads." While not disclosing specific market share numbers publicly, VDC provided the following list indicating the market share position in terms of sales revenue, for the leading vendors in the embedded operating system market . 1. Microsoft 2. Wind River 3. Symbian 4. Palm 5. QNX 6. Enea Data 7. Green Hills Software 8. LynuxWorks 9. MontaVista Software 10. Accelerated Technology (Mentor Graphics) Included among key factors identified by VDC as impacting this market were . • Increased focus and emphasis on bundling integrated development solutions that minimize unnecessary and repetitive development and allow OEMs to focus on their core competencies in differentiating their product through the application; • Ability of OS vendors to adapt business models that are flexible in their pricing and terms and conditions in response to a changing set of market requirements spurred on by competitive market forces; and • A telecommunications market that continues to struggle has affected investments in new projects.
    [Show full text]
  • Formal Modelling of Separation Kernels
    The University of York Department of Computer Science Submitted in part fulfilment for the degree of MSc in Software Engineering. Formal Modelling of Separation Kernels Andrius Velykis 18th September 20091 Supervised by Dr Leo Freitas Number of words = 45327, as counted by detex <report.tex> j wc -w. This report consists of 98 pages in total. This includes the body of the report (without blank pages) and Appendix A, but not Appendices B, C, D, E and F. 1Updated transactional operation proofs, 21st September 2009. Abstract A separation kernel is an architecture for secure applications, which benefits from inherent security of distributed systems. Due to its small size and usage in high-integrity environments, it makes a good target for formal modelling and verification. This project presents results from mechanisation and modelling of separation kernel components: a process table, a process queue and a scheduler. The results have been developed as a part of the pilot project within the international Grand Challenge in Verified Software. This thesis covers full development life-cycle from project initiation through design and evaluation to successful completion. Important findings about kernel properties, formal modelling and design decisions are discussed. The developed formal specification is fully verified and contributes to the pilot project aim of creating a formal kernel model and refining it down to implementation code. Other reusable artefacts, such as general lemmas and a new technique of ensuring transactional properties of operations are defined. The results will be curated within the Verified Software Repository. i Robertai. Aˇci¯u. Acknowledgements I would like to thank Dr Leo Freitas for his supervision, encouragement and getting me hooked on formal methods.
    [Show full text]
  • ADSP-BF537 EZ-KIT Lite® Evaluation System Manual
    ADSP-BF537 EZ-KIT Lite® Evaluation System Manual Revision 2.4, April 2008 Part Number 82-000865-01 Analog Devices, Inc. One Technology Way Norwood, Mass. 02062-9106 a Copyright Information ©2008 Analog Devices, Inc., ALL RIGHTS RESERVED. This document may not be reproduced in any form without prior, express written consent from Analog Devices, Inc. Printed in the USA. Limited Warranty The EZ-KIT Lite evaluation system is warranted against defects in materi- als and workmanship for a period of one year from the date of purchase from Analog Devices or from an authorized dealer. Disclaimer Analog Devices, Inc. reserves the right to change this product without prior notice. Information furnished by Analog Devices is believed to be accurate and reliable. However, no responsibility is assumed by Analog Devices for its use; nor for any infringement of patents or other rights of third parties which may result from its use. No license is granted by impli- cation or otherwise under the patent rights of Analog Devices, Inc. Trademark and Service Mark Notice The Analog Devices icon bar and logo, VisualDSP++, the VisualDSP++ logo, Blackfin, the Blackfin logo, the CROSSCORE logo, EZ-KIT Lite, and EZ-Extender are registered trademarks of Analog Devices, Inc. All other brand and product names are trademarks or service marks of their respective owners. Regulatory Compliance The ADSP-BF537 EZ-KIT Lite is designed to be used solely in a labora- tory environment. The board is not intended for use as a consumer end product or as a portion of a consumer end product. The board is an open system design which does not include a shielded enclosure and therefore may cause interference to other electrical devices in close proximity.
    [Show full text]
  • Green Hills Software INTEGRITY-178B Separation Kernel, Comprising
    CCEVS APPROVED ASSURANCE CONTINUITY MAINTENANCE REPORT ASSURANCE CONTINUITY MAINTENANCE REPORT FOR TM Green Hills Software INTEGRITY-178B Separation Kernel, comprising: INTEGRITY-178B Real Time Operating System (RTOS), version IN-ISP448-0100-SK_LMFWPCD2_Rel running on JSF PCD System Processor CCA, version 437140-007 with PowerPC, version 7448 Maintenance Report Number: CCEVS-VR-VID10119-2008a Date of Activity: 31 July 2009 References: Common Criteria document CCIMB-2004-02-009 “Assurance Continuity: CCRA Requirements”, version 1.0, February 2004; Impact Analysis Report, “High Assurance Security Products GHS JSF Panoramic Cockpit Display Separation Kernel Security Impact Analysis, DO-ISP448-0100- SK_LMFWPCD2SIA” High Assurance Security Products GHS Assurance Maintenance Plan, IN-INNNNN- 0101-HASPAMP Documentation Updated: Green Hills Software INTEGRITY-178B Separation Kernel developer evidence Assurance Continuity Maintenance Report: The vendor for the Green Hills Software INTEGRITY-178B Separation Kernel Operating System, submitted an Impact Analysis Report (IAR) to CCEVS for approval on 09 July 2009. The IAR is intended to satisfy requirements outlined in Common Criteria document CCIMB-2004-02-009, “Assurance Continuity: CCRA Requirements”, version 1.0, February 2004. In accordance with those requirements, the IAR describes the changes made to the certified TOE and the security impact of the changes. Changes to TOE: This maintenance activity consists of a functional and hardware platform modification to the Green Hills Software (GHS)
    [Show full text]
  • Research Purpose Operating Systems – a Wide Survey
    GESJ: Computer Science and Telecommunications 2010|No.3(26) ISSN 1512-1232 RESEARCH PURPOSE OPERATING SYSTEMS – A WIDE SURVEY Pinaki Chakraborty School of Computer and Systems Sciences, Jawaharlal Nehru University, New Delhi – 110067, India. E-mail: [email protected] Abstract Operating systems constitute a class of vital software. A plethora of operating systems, of different types and developed by different manufacturers over the years, are available now. This paper concentrates on research purpose operating systems because many of them have high technological significance and they have been vividly documented in the research literature. Thirty-four academic and research purpose operating systems have been briefly reviewed in this paper. It was observed that the microkernel based architecture is being used widely to design research purpose operating systems. It was also noticed that object oriented operating systems are emerging as a promising option. Hence, the paper concludes by suggesting a study of the scope of microkernel based object oriented operating systems. Keywords: Operating system, research purpose operating system, object oriented operating system, microkernel 1. Introduction An operating system is a software that manages all the resources of a computer, both hardware and software, and provides an environment in which a user can execute programs in a convenient and efficient manner [1]. However, the principles and concepts used in the operating systems were not standardized in a day. In fact, operating systems have been evolving through the years [2]. There were no operating systems in the early computers. In those systems, every program required full hardware specification to execute correctly and perform each trivial task, and its own drivers for peripheral devices like card readers and line printers.
    [Show full text]
  • Selection of a New Hardware and Software Platform for Railway Interlocking
    Selection of a new hardware and software platform for railway interlocking Arghya Kamal Bhattacharya School of Electrical Engineering Thesis submitted for examination for the degree of Master of Science in Technology. Espoo 27.04.2020 Supervisor Prof. Valeriy Vyatkin Advisor MSc. Tommi Kokkonen Copyright ⃝c 2020 Arghya Kamal Bhattacharya Aalto University, P.O. BOX 11000, 00076 AALTO www.aalto.fi Abstract of the master’s thesis Author Arghya Kamal Bhattacharya Title Selection of a new hardware and software platform for railway interlocking Degree programme Automation and Electrical Engineering Major Control, Robotics and Autonomous Systems Code of major ELEC3025 Supervisor Prof. Valeriy Vyatkin Advisor MSc. Tommi Kokkonen Date 27.04.2020 Number of pages 82+34 Language English Abstract The interlocking system is one of the main actors for safe railway transportation. In most cases, the whole system is supplied by a single vendor. The recent regulations from the European Union direct for an “open” architecture to invite new game changers and reduce life-cycle costs. The objective of the thesis is to propose an alternative platform that could replace a legacy interlocking system. In the thesis, various commercial off-the-shelf hardware and software products are studied which could be assembled to compose an alternative interlocking platform. The platform must be open enough to adapt to any changes in the constituent elements and abide by the proposed baselines of new standardization initiatives, such as ERTMS, EULYNX, and RCA. In this thesis, a comparative study is performed between these products based on hardware capacity, architecture, communication protocols, programming tools, security, railway certifications, life-cycle issues, etc.
    [Show full text]
  • National Information Assurance Partnership
    National Information Assurance Partnership ® TM Common Criteria Evaluation and Validation Scheme Validation Report Green Hills Software INTEGRITY-178B Separation Kernel Report Number: CCEVS-VR-10119-2008 Dated: 01 September 2008 Version: 1.0 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6757 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6757 VALIDATION REPORT Green Hills Software INTEGRITY-178B Separation Kernel ACKNOWLEDGEMENTS Validation Team Shaun Gilmore Santosh Chokhani Ken Elliott Jerry Myers Paul Bicknell Common Criteria Testing Laboratory SAIC, Inc. Columbia, Maryland ii VALIDATION REPORT Green Hills Software INTEGRITY-178B Separation Kernel Table of Contents 1 Executive Summary................................................................1 1.1 Evaluation Details.............................................................2 2 Identification...........................................................................4 3 Threats to Security ..................................................................5 4 Security Policy........................................................................7 5 Assumptions............................................................................8 5.1 Physical Assumptions .......................................................8 5.2 Personnel Assumptions.....................................................8 5.3 Connectivity Assumptions................................................8
    [Show full text]
  • Microkernel Construction Introduction
    Microkernel Construction Introduction Nils Asmussen 04/06/2017 1 / 28 Outline Introduction Goals Administration Monolithic vs. Microkernel Overview About L4/NOVA 2 / 28 Goals 1 Provide deeper understanding of OS mechanisms 2 Look at the implementation details of microkernels 3 Make you become enthusiastic microkernel hackers 4 Propaganda for OS research at TU Dresden 3 / 28 Administration Thursday, 4th DS, 2 SWS Slides: www.tudos.org ! Teaching ! Microkernel Construction Subscribe to our mailing list: www.tudos.org/mailman/listinfo/mkc2017 In winter term: Microkernel-based operating systems (MOS) Various labs 4 / 28 Outline Introduction Monolithic vs. Microkernel Kernel design comparison Examples for microkernel-based systems Vision vs. Reality Challenges Overview About L4/NOVA 5 / 28 Monolithic Kernel System Design u s Application Application Application e r k Kernel e r File Network n e Systems Stacks l m Memory Process o Drivers Management Management d e Hardware 6 / 28 Monolithic Kernel OS (Propaganda) System components run in privileged mode No protection between system components Faulty driver can crash the whole system Malicious app could exploit bug in faulty driver More than 2=3 of today's OS code are drivers No need for good system design Direct access to data structures Undocumented and frequently changing interfaces Big and inflexible Difficult to replace system components Difficult to understand and maintain Why something different? ! Increasingly difficult to manage growing OS complexity 7 / 28 Microkernel System Design Application
    [Show full text]
  • Partitioned System with Xtratum on Powerpc
    Tesina de M´asteren Autom´aticae Inform´aticaIndustrial Partitioned System with XtratuM on PowerPC Author: Rui Zhou Advisor: Prof. Alfons Crespo i Lorente December 2009 Contents 1. Introduction1 1.1. MILS......................................2 1.2. ARINC 653..................................3 1.3. PikeOS.....................................6 1.4. ADEOS....................................7 2. Overview of XtratuM 11 2.1. Virtualization and Hypervisor........................ 11 2.2. XtratuM.................................... 12 3. Overview of PowerPC 16 3.1. POWER.................................... 16 3.2. PowerPC.................................... 17 3.3. PowerPC in Safety-critical.......................... 19 4. Main PowerPC Drivers to Virtualize 20 4.1. Processors................................... 20 4.2. Timer..................................... 21 4.3. Interrupt.................................... 23 4.4. Memory.................................... 24 5. Porting Implementation 25 5.1. Hypercall................................... 26 5.2. Timer..................................... 27 5.3. Interrupt.................................... 28 5.4. Memory.................................... 31 5.5. Partition.................................... 32 6. Benchmark 34 7. Conclusions and Future Work 38 Abstract Nowadays, the diversity of embedded applications has been developed into a new stage with the availability of various new high-performance processors and low cost on-chip memory. As the result of these new advances in hardware, there is a
    [Show full text]
  • Future-Proofing the Connected World: 13 Steps to Developing Secure Iot Products
    Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products Presented by the IoT Working Group Table of Contents Forward Introduction Document Scope The Need for IoT Security IoT Products Can Compromise Privacy IoT products can lend their computing power to launch DDoS Attacks Medical Devices and Medical Standard Protocols are Vulnerable to Attack Drones Are Approaching Mainstream Status and Being Used as a Platform for Reconnaissance Critical national infrastructure can rely on the IoT ecosystem Cars are becoming connected and autonomous Moving Forward Why Development Organizations Should Care About Securing IoT Products IoT Device Security Challenges IoT products may be deployed in insecure or physically exposed environments Security is new to many manufacturers and there is limited security planning in development methodologies Security is not a business driver and there is limited security sponsorship and management support in development of IoT products There is a lack of defined standards and reference architecture for secure IoT development There are difficulties recruiting and retaining requisite skills for IoT development teams including architects, secure software engineers, hardware security engineers, and security testing staff The low price point increases the potential adversary pool Resource constraints in embedded systems limit security options IoT Security Survey Guidance for Secure IoT Development 1. Start with a Secure Development Methodology Security Requirements Security Processes Perform Safety Impact Assessment Perform Threat Modeling 2. Implement a Secure Development and Integration Environment Evaluate Programming Languages OWASP Python Security Project Link Integrated Development Environments Continuous Integration Plugins Testing and Code Quality Processes 3. Identify Framework and Platform Security Features Selecting an Integration Framework Evaluate Platform Security Features 4.
    [Show full text]
  • Embedded Operating Systems and Linux
    Embedded Operating Systems and Linux Amir Hossein Payberah [email protected] 1 Agenda ➲ Embedded Systems ➲ Real Time Systems ➲ Who Are The Players? ➲ Linux As An Embedded OS ➲ Kernel 2.4 vs. 2.6 ➲ Applications And Products ➲ The Embedded OS Market 2 Embedded Systems 3 What is an Embedded OS? ➲ An "embedded system" is any computer sys- tem or computing device that performs a ded- icated function or is designed for use with a specific embedded software application. ➲ Embedded systems may use a ROM-based op- erating system or they may use a disk-based system, like a PC. But an embedded system is not usable as a general purpose computers or devices. 4 What makes a good Embedded OS? ➲ Modular ➲ Scalable ➲ Configurable ➲ Small footprint ➲ Device drivers ➲ etc, etc, etc... 5 Real Time Systems 6 What is Real Time? “A real time system is one in which the correct- ness of the computations not only depends upon the logical correctness of the computation but also upon the time at which the result is produced. If the timing constraints of the sys- tem are not met, system failure is said to have occurred.” Donald Gillies 7 What is Real Time? “Real time in operating systems: The ability of the operating system to provide a required level of service in a bounded re- sponse time.” POSIX Standard 1003.1 8 Hard vs. Soft Real Time ➲ Hard ● Absolute deadlines that must be met ● Example: Braking system controller ➲ Soft ● Time tolerance within which an event can occur ● Example: Multimedia streaming 9 What makes a good Real Time OS? ➲ Multi-threaded and pre-emptible
    [Show full text]
  • Empirical Performance Comparison of Hardware and Software Task Context Switching
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Calhoun, Institutional Archive of the Naval Postgraduate School Calhoun: The NPS Institutional Archive Theses and Dissertations Thesis Collection 2009-06 Empirical Performance Comparison of Hardware and Software Task Context Switching Schultz, Eric A. Monterey, California. Naval Postgraduate School http://hdl.handle.net/10945/46226 NAVAL POSTGRADUATE SCHOOL MONTEREY, CALIFORNIA THESIS EMPIRICAL PERFORMANCE COMPARISON OF HARDWARE AND SOFTWARE TASK CONTEXT SWITCHING by Eric A. Schultz June 2009 Thesis Advisor: Cynthia E. Irvine Second Reader: David J. Shifflett Approved for public release; distribution is unlimited THIS PAGE INTENTIONALLY LEFT BLANK ii Form Approved REPORT DOCUMENTATION PAGE OMB No. 0704–0188 The public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to Department of Defense, Washington Headquarters Services, Directorate for Information Operations and Reports (0704–0188), 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202–4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. PLEASE DO NOT RETURN YOUR FORM TO THE ABOVE ADDRESS. 1. REPORT DATE (DD–MM–YYYY) 2. REPORT TYPE 3.
    [Show full text]