The certMILS project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 731456.
Ease standard compliance by technical means via MILS, Sven Nordhoff, Holger Blasum, Embedded World Conference 2017
Abstract: You have to develop an embedded system? You need to show its conformance to a safety standard (e.g. IEC 61508, ISO 26262, DO-178) or a security standard (e.g. IEC 62443, Common Criteria)? How does your life get easier by using a MILS design? Using an embedded operating system can help with modularization. Moreover, a *MILS* embedded operating system isolates processes and their resources from each other. Resource management and information flow control enable separation in time and separation in space. In this paper we show standard compliance work units that MILS helps to achieve by technical means.
Security by design: Introduction to MILS, Sergey Tverdyshev, Embedded World Conference 2017
Abstract: A "security by design" method achieves robustness against programming errors and malicious attacks. A security by design method must be simple to understand. It must be simple to implement, and also simple to verify. It must enable the developer to create assurance evidence coherent with the design decisions. MILS is a security by design method. In short, application of the MILS approach starts with partitioning the system under design into isolated compartments. System resources, e.g. CPUs, CPU time, memory, IO devices, files, are assigned to compartments. After that, the communication channels between compartments are defined with respect to the required API (e.g. POSIX, ARINC, AUTOSAR). Communication and resource sharing between security domains have to be explicit, i.e. everything that is not explicitly allowed is forbidden. In parallel, threat modeling is carried out: defining the system assets to be protected, the threat agents and their possible malicious actions, and the system objectives that counter the threats. MILS provides a way to execute mixed-critical applications of different pedigrees on one system. The system as a whole can still be certified to the highest security and safety assurance levels. This makes the approach extremely interesting for modern complex systems, e.g. in a car infotainment system: Android applications can run on the same platform as AUTOSAR applications that communicate with the engine. Until ca. 2000 the MILS concept was mainly used in the US military. Now commercial interest has picked up. We explain a MILS Architectural Template that simplifies setting up MILS systems. We finish with applications of the MILS concepts across automotive and avionics.
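As an added illustration (not code from the paper or the certMILS project), the following Python model walks through the steps named in the abstract: compartments own resources exclusively, CPU time is budgeted within a major frame, and a flow between compartments exists only if it was explicitly declared. The compartment names, budgets and resources are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Compartment:
    name: str
    cpu_budget_ms: int                # share of one major time frame
    memory: frozenset = frozenset()   # memory regions owned exclusively
    devices: frozenset = frozenset()  # IO devices owned exclusively

class MilsPolicy:  # compartments own resources exclusively; flows only if declared
    def __init__(self, frame_ms: int):
        self.frame_ms = frame_ms
        self.compartments: dict[str, Compartment] = {}
        self.channels: set[tuple[str, str]] = set()

    def add(self, c: Compartment) -> None:
        self.compartments[c.name] = c

    def allow(self, src: str, dst: str) -> None:
        self.channels.add((src, dst))

    def flow_allowed(self, src: str, dst: str) -> bool:
        # Default deny: anything not explicitly declared is forbidden.
        return (src, dst) in self.channels

    def violations(self) -> list[str]:
        """Static checks for separation in space and in time."""
        found, owners = [], {}
        for c in self.compartments.values():
            for res in c.memory | c.devices:
                if res in owners:
                    found.append(f"{res} shared by {owners[res]} and {c.name}")
                owners[res] = c.name
        used = sum(c.cpu_budget_ms for c in self.compartments.values())
        if used > self.frame_ms:
            found.append(f"CPU frame oversubscribed: {used} > {self.frame_ms} ms")
        for end in {e for ch in self.channels for e in ch}:
            if end not in self.compartments:
                found.append(f"channel endpoint {end} is not a compartment")
        return found

def build_infotainment_policy() -> MilsPolicy:
    """Constructed example: infotainment and engine application on one platform."""
    p = MilsPolicy(frame_ms=100)
    p.add(Compartment("infotainment", 60, frozenset({"ram0"}), frozenset({"display"})))
    p.add(Compartment("engine_ctrl", 30, frozenset({"ram1"}), frozenset({"can0"})))
    p.allow("engine_ctrl", "infotainment")  # one-way, e.g. speed for the display
    return p
```

Running `violations()` on a policy before deployment catches a device or memory region assigned to two compartments and an oversubscribed time frame, while `flow_allowed()` answers information-flow questions with the default-deny rule.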
PUBLIC RTD DELIVERABLES
D1.1 : Regulative baseline [M06]
The output is a report that summarises the schemes for certification with special respect to the MILS platform and the pilots in the different EU member states where partners have good access to their own certification authorities, and outlines regulatory options, where these exist.
D1.2 : List of tools and techniques applicable for high and medium assurance for efficient assurance [M12]
A list of tools, and of the requirements from standards and regulations that can be covered by the tools' functionality.
D1.3 : Compositional security certification methodology [M15]
The output is a report that summarises the choices of the options outlined in D1.1 that certMILS has made.
D2.1 : Protection Profile [M16]
This is a Protection Profile (PP) according to the Common Criteria (CC). The PP serves as “base PP” of the modular PP.
D2.2 : List of extensions of base PP [M16]
This is a list of extensions to the base PP that are available as modules in the modular PP.
D2.3 : Security architecture templates [M16]
The security architecture templates are editable documents that can be instantiated by the pilots. SYSGO as third party will be the lead beneficiary of D2.3.
D2.4 : Guidelines to use and apply PP for all involved stakeholders [M16]
The guidelines to use and apply the PP target system integrators and security evaluators.
D4.1 : Security testing framework: strategy and approach [M09]
This deliverable describes the approach, strategy, and architecture for implementing the security testing framework.