Abstract—The aviation industry needs to assure the reliable operation of aircraft. While this reliability has many aspects, this talk focuses on the aspect of information technology for the electronic on- and off-board equipment. Modern architectures of avionics, the aircraft's electronic systems, are driven by denser integration into embedded platforms and the interconnection of these systems with each other. In addition, the aircraft's ecosystem demands new connectivity solutions for several stakeholders, e.g. passengers, airlines or air traffic management. This trend of transforming the previously closed, federated systems into interconnected Integrated Modular Avionics offering additional services introduces the potential risk of threats and increased attack surfaces allowing intruders to harm the operation of the aircraft. Countering these threats is a challenge for the aviation industry that needs new system design approaches.

The concept of Multiple Independent Levels of Security (MILS) can provide such a system design for equipment operating in high-assurance environments. Due to its properties of separation and controlled information flow, MILS is a promising design approach for the secure integration of several systems into one hardware platform. While this idea has been part of research for the last decades, MILS can also be used as a software design concept for a single embedded system. This approach divides the system under development into several sub-functions that can be implemented and executed inside isolated runtime compartments. Information flows between these compartments are mediated by the MILS platform. This divide-and-conquer approach decouples critical code from less critical code, limits the perimeter of the internal software dependencies and allows a localized verification of sub-functions.

This paper presents the general security environment in which avionics are developed and operated, explains the introduced MILS software design approach in more detail, lists the identified advantages and disadvantages of using this concept, and discusses the results of a feasibility study using a common avionic high-assurance system to control the information exchange across security domain borders.

Keywords—High-assurance, MILS

I. INTRODUCTION

High-assurance systems deployed in industries such as aviation, automotive or transportation systems, medicine or the power grid need to handle a growing demand on system functionality and complexity with appropriate means to assure their reliable operation. Historically, reliable operation was assured by the absence of unacceptable risk factors derived from the physical conditions of the operational environment. However, the landscape of IT infrastructures has been changing, among other reasons due to the increased connectivity of systems. This demands additional efforts to protect high-assurance systems against criminal attempts to tamper with them. This security protection implies the need for a changing mindset and new technologies, as the common safety models that rely on static, probabilistic failure conditions are only of limited applicability to security.

In safety, a failure condition with a certain, very low likelihood (e.g. 10^-9 failures per defined operational hour) can be acceptable over the full lifetime of a product. In security, by contrast, the threat environment changes as new vulnerabilities can appear depending on the attacker's available resources and time. Also, as soon as a vulnerability is exploitable with a certain effort, it usually needs immediate attention to be fixed. Hence, goals for developing secure systems are the reduction of the possibilities to introduce vulnerabilities in the code and hardened system designs with means of self-protection to avoid the propagation of already compromised parts.

This paper presents the IT security environment in the field of avionics. It further studies the design concept of Multiple Independent Levels of Security (MILS) that, according to the literature, allows secure system designs. The study implemented a typical avionic use case, a security gateway for information flow control, using the MILS design principles. One goal of this study was to validate whether MILS as a software architecture to implement such a use case is generally possible and achieves the desired effects to allow evaluable software. Furthermore, we evaluated the positive effects on security and the challenges induced by applying MILS.

Section II provides related work on the subject of this paper. Section III briefly describes the environment of security in avionics. Section IV introduces the design concept of Multiple Independent Levels of Security (MILS). Section V describes the exemplary use case of the avionic gateway. Section VI concludes this paper.
www.embedded-world.eu
II. RELATED WORK

Paulitsch et al. [1] provide an extensive overview of challenges in safety and security for mixed-criticality embedded systems, in particular by investigating challenges in avionics and railway systems. The analysis covers the important design regularities in both industries but also software and hardware challenges, especially when there is a need to use modern hardware.

The architecture of MILS dates back to Rushby, who first presented the concept in 1981 [2]; however, probably the most famous document is his MILS constitution from 2008 [3]. In this document, Rushby explains MILS as a two-step approach of 1) logically decomposing the system into components and 2) defining the required resources for these components, which can then be either dedicatedly assigned to one component or shared among them. The dedicated assignment of resources implies the aspect of separation, while sharing resources aims at the aspect of controlled information flow (see Section IV).

In a European project's report [6], the authors provide their terminology and interpretation of a modern MILS architecture. This paper uses this terminology. The gateway use case discussed here enhances the features of a previous publication [2] on the gateway function. Another paper [5] analyses hardware requirements to perform I/O operations securely in MILS-based systems. This document provides generic hardware requirements on novel I/O hardware capable of self-virtualization.

III. SECURITY IN AVIONICS

Compared to the long tradition regarding safety, considering security is newer to avionic (computer) systems. The trend of e-enabling aircraft by providing enhanced connectivity solutions to passengers, operators and controllers demands that system engineers secure their implementation. While safety remains the major goal for the development, security supports the safe operation by preventing harmful and intentional attacks against the systems. Hence, the aviation industry often uses the term "security for safety". For the purpose of security, the aviation industry has been developing specific guidelines to support secure development side by side with the available safety standards. Of particular interest are security standards such as ARINC-664 [7] and ARINC-811 [8], both speaking about security domains on board of aircraft (see Fig. 1). The standards ED-202 [9], ED-203 [10], and ED-204 [11] provide guidance for the full life cycle of an aircraft, among others covering the steps of development, production and operation, until the disposal of the aircraft.

Fig. 1: Aircraft security domains according to ARINC 664 [7] and ARINC 811 [8]

IV. MULTIPLE INDEPENDENT LEVELS OF SECURITY (MILS)

The system design concept of Multiple Independent Levels of Security (MILS) allows the deployment of sub-systems processing different security levels into one system. This integration allows better utilization of the available processing power of modern hardware. MILS uses the properties of Separation of Resources and Controlled Information Flow. For resource separation, the concept needs to deal with two dimensions:

1. Spatial Separation divides the available processing resources of a system at one certain time into separated runtime environments, so-called resource partitions. Such resources are processors and processing cores, address spaces and memory, or I/O devices. Depending on the design of the control unit assuring this resource separation, some borders between resources remain static; however, some resources such as processing cores need to be shared during operation.

2. Temporal Separation solves the sharing of resources in the dimension of time. For this, the control unit assures a defined schedule of the integrated sub-systems to allow each sub-system to process regardless of the behavior of the other sub-systems. Temporal separation introduces the notion of time slices, being periodic temporal slots with a certain duration that allow one or more defined sub-systems (or, more generically, tasks) to process.

A commonly known control unit is a software called Separation Kernel (cf. Fig. 2) assuring both dimensions of separation: spatial and temporal.

Fig. 2: MILS architecture with a Separation Kernel to separate the available resources into partitions.

As such special kernels need to be small in order to support verification, they attempt to use a static separation between resources; hence, usually an assignment of memory and devices remains static. Dynamic resource allocation and relocation, e.g. of memory, require much more code complexity. However, scheduling of processes on cores remains a dynamic element and needs to be assured by Separation Kernels.

V. USE CASE: AVIONIC GATEWAY

While investigations on MILS as a design concept to integrate several sub-systems have been part of research in recent years, this paper uses the MILS idea as a software architecture to divide and conquer the software complexity. To allow a secure data exchange between avionic domains (see Fig. 1), gateways controlling data that enters or leaves a domain are of special interest. As aviation performs "security for safety", particularly the integrity protection of data entering a domain with higher demands on safety (and thus, security and assurance) is of interest (cf. the data flow from Domain B to Domain A in Fig. 3).

Fig. 3: Gateway to Control Data Flows

A. Gateway Architecture

In this study, the gateway (cf. Fig. 3) was implemented using the MILS concept as a software architecture. To achieve this, the gateway function of examining and filtering data flows was decomposed into different sub-functions (cf. Fig. 4), such as handling I/O operations and the interaction with hardware (NIC), decoding received network packets (Receiver Component), handling supported protocols (TFTP or HTTP Chains), or sending network packets (Transmitter Component). Context Managers operate as connectors between related parts inside of each flow direction in order to exchange information on the network flow, e.g. the status of communication sessions. A sub-function having only a receiving functionality performs the recording of audit entries generated by other sub-functions. As all sub-functions run inside resource partitions, each sub-function can be developed independently, fulfilling its agreed interfaces. Also, each sub-function has to provide local security protection against other sub-functions, e.g. to avoid the propagation of attacks from already compromised sub-functions; hence, input validation is one means that necessarily has to be applied.

B. Gateway Performance

As hardware platform, the gateway uses a high-performance processing platform with eight cores. Hence, the separation kernel can also spatially separate the cores among the sub-functions of the gateway. Assuming the hardware's interconnect to transfer data between cores and memory is implemented securely, the sub-functions can operate in parallel with a spatial security border in between.

Fig. 5 shows the internal organization of the Separation Kernel running the described gateway function. Essentially, each sub-function of the gateway is represented as a task in the Separation Kernel. Each task hosts a number of threads. Threads are the elements to be scheduled and executed by the kernel. Tasks and, hence, all related threads operate on the resources defined by the configuration of the spatial separation. On the temporal dimension, each task is related to a time partition. However, one time partition can have multiple tasks, which share the assigned duration. The duration of a time partition is provided by a time slice. A schedule finally has multiple sequential time slices, which again relate to time partitions. However, the same time partition can occur multiple times in the same schedule but in different time slices (with different durations). To reduce configuration complexity, time slices switch concurrently on all cores of the system.
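The time-partition model of the gateway's Separation Kernel described above, as an added Python example that is not part of the paper or of any separation kernel product: tasks belong to time partitions, a schedule is a sequence of time slices, one partition may occupy several slices with different durations, and a thread may execute only while its task's partition owns the current slice, on whichever core it runs. The partition names T1 to T3, the task names and the slice durations are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Slice:
    partition: str    # time partition owning this slice, e.g. "T1"
    duration_us: int  # slice length in microseconds

# Constructed configuration following the text: T1 = sub-functions towards one
# domain, T2 = filter chains, T3 = the other domain; T2 appears twice.
TASK_PARTITION = {
    "nic_in": "T1", "receiver": "T1",
    "tftp_chain": "T2", "http_chain": "T2",
    "transmitter": "T3", "nic_out": "T3",
}
SCHEDULE = [Slice("T1", 200), Slice("T2", 500), Slice("T3", 200), Slice("T2", 100)]

def major_frame_us(schedule):
    """Length of one schedule round; the schedule repeats after it."""
    return sum(s.duration_us for s in schedule)

def config_errors(schedule, task_partition):
    """Problems a separation kernel must refuse to load (empty list = ok)."""
    errors = []
    if not schedule or any(s.duration_us <= 0 for s in schedule):
        errors.append("every time slice needs a positive duration")
    scheduled = {s.partition for s in schedule}
    for task, part in sorted(task_partition.items()):
        if part not in scheduled:
            errors.append(f"task {task} in {part} never gets CPU time")
    return errors

def active_partition(schedule, t_us):
    """Partition owning time t; slices switch on all cores at once, so the
    answer does not depend on the core."""
    t = t_us % major_frame_us(schedule)
    for s in schedule:
        if t < s.duration_us:
            return s.partition
        t -= s.duration_us

def may_run(task, t_us, schedule=SCHEDULE, task_partition=TASK_PARTITION):
    """Temporal separation: a thread of 'task' may execute only while its
    partition owns the current slice, however busy another partition is."""
    return task_partition[task] == active_partition(schedule, t_us)

def partition_budget(schedule):
    """CPU time per major frame for each partition (sums repeated slices)."""
    budget = {}
    for s in schedule:
        budget[s.partition] = budget.get(s.partition, 0) + s.duration_us
    return budget
```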
transmitted the next block [14]. To perform the gateway's filter policy, the file gets reassembled inside the TFTP chain. As soon as the entire file is allowed to pass, the file gets segmented again and is transferred to the target domain according to the TFTP specification.

Remember that the used hardware offers multiple processing cores and hence allows spatial separation on cores. The performance analysis uses the following setups:

1. This special configuration operates the gateway in a three-core configuration without special time partitioning enabled (cf. Fig. 8). The sub-functions connecting the left domain run on one core. The filter chains run on the second core. The sub-functions connecting the right domain run on the third core. All sub-functions implement cooperative scheduling, i.e. they process only when data is available and yield processing time to others when all data has been consumed.

gateway function connecting one security domain runs in time partition T1. The filter chains run in T2. As the performance measure is on TFTP traffic only, the HTTP chain remains sleeping and does not interfere with the measurement. The sub-functions of the gateway connecting the second security domain operate in T3. The sub-function on auditing is exclusively allowed to run all the time when data becomes available. This setup uses a single core only; hence, disregard the light-blue core configuration shown in Fig. 10.
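The reassemble, filter and segment-again step of the TFTP chain described above, as an added Python example that is not the paper's gateway code: incoming DATA packets are checked against the RFC 1350 [14] packet format and block-number sequence, the reassembled file is bounded in size before it is handed to the filter policy, and only an approved file is segmented again for the target domain. The text-only policy is a constructed stand-in, since the paper's actual filter policy is not on the page, and the verdict strings are assumed names for what the audit sub-function would record.

```python
import struct

OP_DATA, BLOCK_SIZE = 3, 512  # RFC 1350 DATA opcode and full data block size

def parse_data_packet(pkt):
    """Decode one DATA packet; anything malformed is rejected in the chain."""
    if len(pkt) < 4 or len(pkt) > 4 + BLOCK_SIZE:
        raise ValueError("bad DATA packet length")
    opcode, block = struct.unpack("!HH", pkt[:4])
    if opcode != OP_DATA:
        raise ValueError("not a DATA packet")
    return block, pkt[4:]

def reassemble(packets, max_file_size=1 << 20):
    """Block numbers must run 1, 2, 3, ... without gaps, the total size is
    bounded so a peer cannot exhaust the partition's memory, and the
    transfer must end with a block shorter than BLOCK_SIZE (RFC 1350)."""
    data, expected = bytearray(), 1
    for pkt in packets:
        block, payload = parse_data_packet(pkt)
        if block != expected:
            raise ValueError(f"block {block} out of order, expected {expected}")
        if len(data) + len(payload) > max_file_size:
            raise ValueError("transfer exceeds size limit")
        data += payload
        expected += 1
        if len(payload) < BLOCK_SIZE:
            return bytes(data)
    raise ValueError("transfer incomplete: no final short block")

def policy_allows(file_bytes):
    """Constructed policy (the paper's is not on the page): printable text only."""
    return all(32 <= c < 127 or c in b"\r\n\t" for c in file_bytes)

def segment(file_bytes):
    """Re-segment an approved file, adding the short final block RFC 1350
    requires when the length is a multiple of BLOCK_SIZE."""
    blocks = [file_bytes[i:i + BLOCK_SIZE] for i in range(0, len(file_bytes), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    return [struct.pack("!HH", OP_DATA, n) + b for n, b in enumerate(blocks, 1)]

def gateway_transfer(packets, max_file_size=1 << 20):
    """TFTP chain end to end: reassemble, apply the policy, segment again.
    Returns (verdict, outgoing packets); dropped or blocked transfers yield
    no packets, and the verdict is what the audit sub-function records."""
    try:
        file_bytes = reassemble(packets, max_file_size)
    except ValueError as err:
        return "dropped: " + str(err), []
    if not policy_allows(file_bytes):
        return "blocked by policy", []
    return "forwarded", segment(file_bytes)
```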
[11] EUROCAE. "ED-204: Continuing Airworthiness Guidance for the Security of Aircraft Information". Technical report, European Organisation for Civil Aviation Equipment, 2013.
[12] K. Müller, S. Uhrig, F. Nielson, H. R. Nielson, X. Li, M. Paulitsch, and G. Sigl. "Automatic Information Flow Validation for High Assurance Systems". International Journal On Advances in Software, 9(3&4):190-205, December 2016.
[13] D. Kästner, S. Wilhelm, S. Nenova, P. Cousot, R. Cousot, J. Feret, A. Miné, X. Rival, and L. Mauborgne. "Astrée: Proving the Absence of Runtime Errors". In Proc. of the Embedded Real Time Software and Systems (ERTS2'10), pages 1-9, Toulouse, France, 2010.
[14] Network Working Group. "RFC 1350: The TFTP Protocol". Revision 2, 1992.
[15] K. J. Hayhurst, D. S. Veerhusen, J. J. Chilenski, and L. K. Rierson. "A Practical Tutorial on Modified Condition/Decision Coverage". NASA/TM-2001-210876. Technical report, 2001.
[16] K. Müller. "Security in Embedded Avionic Systems using the Concept of Multiple Independent Levels of Security". PhD thesis, Department of Electrical and Computer Engineering, Technical University of Munich, 2017. (unpublished, submitted for grading)