The certMILS project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 731456.
The certMILS project uses Zenodo as its open research data repository, in order to grant Open Access to scientific publications. Check out our Zenodo community certMILS!
MILS Security Architecture Templates, Tverdyshev, Sergey; Caracuel, Benito; Álvarez, Amelia; Ortaga, Alvaro; Rico, Jose Emilio; Hametner, Reinhard; Blasum, Holger; Kertis, Tomáš; Schulz, Thorsten
Abstract: The certMILS project (http://www.certmils.eu/) aims at easing building and certification of complex critical systems by using a certain architecture for structuring these systems into partitions that run on a separation kernel, called MILS (Multiple Independent Levels of Security / Safety). Once a critical system is structured by use of a separation kernel, then this technical structuring should lend itself also to a similarly logically structured security and safety argument in certification.
Analogous to the separation kernel that is to be used for building a MILS system, this white paper provides a security architecture template that is to be used for the certification of that MILS system.
The target audience of this document is:
- Developers of systems, based on a MILS architecture, providing them a template about how to describe their MILS system.
- Security evaluators of a MILS-based system, giving hints about how the developer description can be used to argue for compliance to Common Criteria (CC) and IEC 62443.
Strategy for Security Certification of the Development and Product Lifecycle in High Assurance Industrial Cyber-Physical Systems, T.Schulz, C. Gries, F. Golatowski, D. Timmermann, SIES 2018
Abstract: High assurance Cyber-Physical Systems (CPS) are the supporting pillars of the critical infrastructure. They support the power grid, the water supply, transportation systems and many other devices, where failure or undefined behaviour lead to risk for loss of life, danger to the environment and defective operational safety of production. Rigorous testing practices have assured reliable behaviour even for failure scenarios in their predictable environments. However, previously isolated systems have become connected to the Internet and expose an attack surface that is hard to predict. While the safety of high assurance CPS is well tested with a controlled residual risk, security risks will rise throughout the deployment of a system. Hence, this paper describes research for a testing methodology to tackle emerging threats and preserve certified security assurance.
Abstract: This paper presents the concept example of how to integrate safety and security using a platform approach. The TAS Control Platform is a SIL4 vital computing platform for railway applications developed within Thales to support many different safety-critical applications. Using common standards, MILS concepts and building up on a generic safety concept, enables the integration of safety and security with TAS Control Platform, while still providing support for legacy applications. With this platform approach many applications can benefit from the consistent safe and secure basis.
In Search for a Simple Secure Protocol for Safety-Critical High-Assurance Applications, T. Schulz, F. Golatowski, D. Timmermann, MILS 2018 workshop, hosted by DSN 2018 conference
Abstract: Security and cryptography protocols are seen by many as black-magic, largely due to their complex mathematical algorithms and entangled state-machines. This complexity has also led to numerous vulnerabilities in past years. Recent developments have simplified conformance requirements, and also introduced formal proofs to mainstream security protocols. In this work-in-progress publication we discuss, how this evolution has greatly improved the situation for critical systems, and how the architecture of MILS systems can raise the confidence for high-assurance systems.
Abstract: MILS (Multiple Independent Levels of Safety and Security) also is also inspired from modular systems such as integrated modular avionics. There are differences though: automotive electronic control units are under much more cost pressure than their avionics counterparts, and Classic AUTOSAR was targeting rather simple systems, with an initial focus on runnables that are compiled together, and we will highlight the difference as well as the evolution of AUTOSAR Adaptive that is much closer to the avionic model. On the other hand, AUTOSAR has a very good standardization momentum, resulting in hundreds of available documents, whereas the smaller MILS community has been less effusive. We map the AUTOSAR standards to MILS, to learn about (1) how well MILS systems can be used for AUTOSAR and vice-versa and (2) what other aspects the communities could mutually learn from.
Ease standard compliance by technical means via MILS, Sven Nordhoff, Holger Blasum, Embedded World Conference 2017
Abstract: You have to develop an embedded system? You need to show its conformance to a safety standard (e.g. IEC 61508, ISO 26262, DO-178) or a security standard (e.g. IEC 62443, Common Criteria)? How does your life get easier by using a MILS design? Using an embedded operating system can help with modularization. Moreover, a *MILS* embedded operating system isolates processes and their resources from each other. Resource management and information flow control enable separation in time and separation in space. In this paper we show standard compliance work units that MILS helps achieving by technical means.
Security by design: Introduction to MILS, Sergey Tverdyshev, Embedded World Conference 2017
Abstract: Abstract: A "security by design" method achieves robustness against programming errors and malicious attacks. A security by design method must be simple to understand. It must be simple to implement, and also to simple to verify. It must enable the developer to create assurance evidence coherent with the design decisions. MILS is a security by design method. In short, application of the MILS approach starts with partitioning the system under design into isolated compartments. System resources, e.g. CPUs, CPU time, memory, IO devices, files, are assigned to compartments. After that the communication channels between compartments are defined with respect to the required API (e.g. POSIX, ARINC, AUTOSAR). Communication and resource sharing between security domains have to be explicit, i.e. everything is forbidden what is not explicitly allowed. In parallel threat modeling is executed, i.e. define system assets to be protected, threat agents and possible malicious actions, system objectives to fight the threats. MILS provides a way to execute mixed-critical applications of different pedigrees on one system. The system as a whole still can be certified to the highest security and safety assurance levels. This makes the approach extremely interesting for modern complex systems, e.g. in a car infotainment system: Android applications can run on the same platform as AUTOSAR applications that communicate with the engine. Until ca. 2000 the MILS concept was mainly used in the US military. Now the commercial interest has picked up. We explain a MILS Architectural Template that simplifies to set up MILS systems. We finish with applications of the MILS concepts across automotive and avionics.
PUBLIC RTD DELIVERABLES
D1.1 : Regulative baseline [M06]
The output is a report that summarises the schemes for certification with special respect to the MILS platform and the pilots in the different EU member states where partners have good access to their own certification authorities, and outlines regulatory options, where these exist.
D1.2 : List of tools and techniques applicable for high and medium assurance for efficient assurance [M12]
List of tools and requirements from standards and regulations that can be covered by the tool functionalities
D1.3 : Compositional security certification methodology [M15]
The output is a report that summarises the choices of the options outlined in D1.1 that certMILS has made.
D2.1 : Protection Profile [M16]
This is a Protection Profile (PP) according to the Common Criteria (CC). The PP serves as “base PP” of the modular PP.
D2.2 : List of extensions of base PP [M16]
This is a list of extensions to the base PP that are available as modules in the modular PP.
D2.3 : Security architecture templates [M16]
The security architecture templates are editable documents that can be instantiated by the pilots. SYSGO as third party will be the lead beneficiary of D2.3.
D2.4 : Guidelines to use and apply PP for all involved stakeholders [M16]
The guidelines to use and apply the PP target system integrators and security evaluators.
D4.1 : Security testing framework: strategy and approach [M09]
Approach, strategy, and architecture for the implementation of security testing framework is described.