HCSS 03 – April 2003, Page 1, Advanced Technology Center
A High-Assurance Partitioned Development Environment
David Greve and Matthew Wilding
Rockwell Collins Advanced Technology Center, Cedar Rapids, IA
{dagreve, mmwildin}@rockwellcollins.com
John Launchbury and Peter White, Galois Connections, Inc.
HCSS 03, April 2003
Rockwell Collins
Advanced Communication and Aviation Equipment
– Air Transport, Business, Regional, and Military Markets
– $2.5 Billion in Sales
Headquartered in Cedar Rapids, IA
– 17,000 Employees Worldwide
– Advanced Technology Center
• Advanced Computing Systems
Advanced Technology Center
The Advanced Technology Center (ATC) identifies, acquires, develops and transitions value-driven technologies to support the continued growth of Rockwell Collins.
The Advanced Computing Systems department addresses emerging technologies for high assurance computing systems with particular emphasis on embedded systems.
The Formal Methods Center of Excellence applies mathematical tools and reasoning to the problem of producing high assurance systems.
[Organization chart: Commercial Systems (Air Transport, Business and Regional, Displays, SATCOM, Flight Guidance Systems, Data Management Systems, Passenger Systems), Government Systems (Military, Joint Strike, JTRS, KC-135, GPS / Navigation) and the Advanced Technology Center]
Outline
Integrated Modular Avionics
Intrinsic Partitioning
Partitioning for Security
Formal Verification
AAMP7 Development Environment
“Security is about separation; Computers are about sharing”
– Brian Snow, Dept. of Defense, April 1, 2003
Federated Architecture
One Computer System For Each Unique Function
– Autopilot
– Flight Management
– Displays
Limited Dependencies Between Functions
– Exchange of Sensor and Control Data
– Provides Strong Functional Isolation
System Certification
– All Components Considered Together
– Verification of Components Acting Together
– “You don’t certify a single application, you certify an entire system”
[Figure labels: Firewalls, Key Management, Encryption]
Integrated Modular Avionics (IMA)
One Computer System For Many Distinct Functions
– Leverage Improved Computing Capability
– Reduce Hardware Related Costs
Incremental Certification
– Functions verified ONCE, INDEPENDENTLY, and only to the LEVEL APPROPRIATE to their criticality
– Composition of functions retains individual certification
– Crucial for IMA
What About Functional Interaction?
– No longer physically isolated
– Without isolation, must consider interaction
– PARTITIONING provides necessary isolation
[Figure label: MILS]
Partitioning
Partitioning
– Isolating, both in space and in time, two or more functions executing concurrently on the same computer system
– Enables composition of two or more previously distinct functions onto a single computer system
Isolation
– Spatial
• Memory management unit
• Provides Read/Write protection between partitions
– Temporal
• Periodic Partition switching
• Watchdog Timer
If You Can Keep Them Separate (Partitioning), Then You Can Bring Them Together (Composition)
Conceptual System Composition
[Figure: Legacy versus Modernized. Legacy, MULTIPLE PROCESSORS: functions A, B and C each run on their own uPROC / MEM / I/O. Modernized, MULTIPLE PARTITIONS: A, B and C (A,B,C) run as partitions on a single uPROC.]
Real-Time Partitioning Considerations
Partition Latency
– Time Between Successive Executions of a Given Partition
– Can Be Minimized by Increasing Partition Switch Rate
Partition Switch Overhead
– Processor Activity Associated with Partition Context Switching
– Limits Maximum Partition Switch Rate
Interrupts
– Interrupts Cannot Change Partition Time Allocations
– Interrupts Must Be Partitioned, Too.
Outline
Integrated Modular Avionics
Intrinsic Partitioning
Partitioning for Security
Formal Verification
Development Environment
Intrinsic Partitioning
Intrinsic Partitioning
– Computing Platform Enforces Data Isolation
– Technique Pioneered by Rockwell Collins, ATC
– Provides Real-Time Performance
– Addresses IMA Concerns
Multi-Tasking OS
[Figure: layered view labelled Functions, Operating System, BIOS and Hardware System Configuration, with the items Scheduling Data Structures, Process State, Heap, Call Stack, Variables, Peripherals, Processor Configuration and System Data Structures]
Micro Kernel Partitioning
[Figure: layers labelled Functions, OS, Micro Kernel and Hardware, with the Partitioning Data Structures]
Intrinsic Partitioning
[Figure: layers labelled Functions, OS and Hardware, with the Partitioning Data Structures; no micro kernel layer]
Intrinsic Partitioning
Micro-Coded Partitioning Kernel
– Minimal Code, Functionality, and State
– Analyzable, Fast, and Efficient
Simple Data Structures
– Supports “Virtual Machine” Partitioning
• Each Partition Has Its Own Operating System
– Hierarchical Scheduling
Dedicated Interrupts
– Partition Switch Interrupt
– Power Down Warning Interrupt
– Access Violation Interrupt
– ABORT (Mild Reset)
– Partition-Aware Interrupts
Supports High Assurance, Evaluatable Architectures
Partition Management Unit Architecture
[Block diagram of the Partition Management Unit: RFU, DEBUG CTRL, ALU, DXU, LFU, MICROSEQUENCER, INTERRUPT CONTROLLER, PARTITION TIMERS, DEBUG MONITOR, MEMORY PROTECTION, STATIC RAM, EBM, BIU, MDU and CS, connected by buses labelled ADDRESS / WRITE DATA, READ DATA, INT, A, D, WD, RD and FD]
Intrinsic Partitioning Implemented In JEM1
– functionality enforced with off-chip Partition Management Unit (PMU)
PMU Designed into AAMP7 microprocessor
Outline
Integrated Modular Avionics
Intrinsic Partitioning
Partitioning for Security
Formal Verification
Development Environment
Separation Kernel
Concept First Published in 1980’s
– Building Block for Secure Systems
– Decomposes Challenge of Building Secure System
• Allows Applications to Enforce and Manage Own Security Policy
– Provides High Assurance Separation
Effective Security Policies Must Be
– Always Invoked
– Non-Bypassable
– Tamper Proof
– Evaluatable
Separation Kernels Support Security Policies with
– Information Flow Control
– Data Isolation
– Sanitization (Periods Processing)
Application Level Security Policy
[Figure: partitions X, Y and Z with an application-level Firewall between them, labelled Always Invoked, Non-Bypassable, Tamper Proof, Evaluatable]
Security Kernel Services
[Figure: partitions X, Y and Z with the kernel services Information Flow, Data Isolation and Sanitization, labelled Always Invoked, Non-Bypassable, Tamper Proof, Evaluatable]
Intrinsic Partitioning for Security
IMA very similar to MILS
– Originally Relied on Physical Separation, Now on Partitioning
– Isolation of Concerns: Incremental Certification
Intrinsic Partitioning is a “Separation Kernel” designed into the processing platform
– Separation as a System Design Philosophy
Formal Analysis
– Mandated for Highest Security Certifications
– Intrinsic Partitioning Designed with Formal Verification in Mind
• Limited Functionality, Limited Problem Scope
– Lowest Level Implementation
• Independent of Software
• Simplest Level to Implement/Verify Separation
Outline
Integrated Modular Avionics
Intrinsic Partitioning
Partitioning for Security
Formal Verification
Development Environment
Formal Process
Formal Process
– Process Adheres to Conventional or Accepted Methods or Standards
– Specific Steps are Taken, Specific Documentation is Produced
Rigorous Process
– Forces Attention to Easily Overlooked Details
Not “Formal Methods”
– Complementary Concepts
Formal Methods
Formal Methods
– Discipline in which Mathematical Reasoning is Applied to the Development or Verification of Computer Systems
– Formal Languages
• Rigorously Defined Syntax and Semantics (Meaning)
– Formal Tools
• Computer Programs that Manipulate Formal Languages
• Employ Logic and Rules of Inference
Rigorous Specification
– Forces Attention to Easily Overlooked Details
Part of Formal Process
– DO-178B
• Alternative Means
– Common Criteria
• Required Part of Certification Process
[Figure: example formal statements X < X + 1 and (P & Q) => P]
Formal Techniques
Formal Specification
– Rigorous Mathematical Description of System
– Many Formal Languages/Tools
• Manipulated by Computational Means
Formal Validation
– Consistency and Completeness
Formal Synthesis
– Derivation of Implementation from Specification
• Kestrel, Derivation Reasoning Systems
Formal Verification
– Proof of Correspondence Between Implementation and Specification
– Mechanical Proof Systems
• Model Checkers, Equivalence Checkers
• Theorem Provers (PVS, HOL, ACL2, etc.)
RC Formal Methods History
Rockwell Collins Formal Methods History
– FY94: Microcode correctness for AAMP5 (NASA Langley)
– FY96: Microcode correctness for AAMP-FV (NASA Langley)
– FY97-99: Avionics Application Partitioning (DARPA)
– FY98: High-Speed Executable Formal Model of the JEM1 (IR&D)
– FY99: Autopilot Mode Confusion (NASA Langley)
– FY99-01: CAPS Analysis (IR&D)
– FY02-FY03: AAMP7 partitioning analysis (IR&D)
CAPS Analysis (microcode correctness proofs)
[Figure: commuting diagram relating the CAPS Instruction Set Model (I), from start state to end state, to the CAPS Microarchitecture Model (M), through Single Microcode Line Specs, Abstract Microcode Block Specs and Microcode Block Specs]
Rockwell Collins’ microcode verification work presented Tuesday.
Formalized Separation Kernel Security Policy
Informal Security Policy
– Information Flow Control
– Data Isolation
– Sanitization
Need to Formalize
– Precise Mathematical Description
– Suitable for Formal Analysis
Formal Security Policy
– Infiltration
– Exfiltration
– Mediation
[Figure: three diagrams of partitions X, Y and Z, one per property]
(No) Exfiltration
```lisp
;; (No) Exfiltration: a step taken by the current partition cannot change
;; what any partition y it is not allowed to interact with can access.
(defthm Exfiltration
  (implies (not (Direct-Interaction-Allowed (Current-Partition st) y))
           (equal (Accessible-Information y (Step-System st))
                  (Accessible-Information y st))))
```
(No) Infiltration
```lisp
;; (No) Infiltration: what the current partition y can access after a step is
;; determined by the kernel state and by what y could access before it, so no
;; other partition's data can flow in.
(defthm Infiltration
  (implies (and (equal (Kernel-State st1) (Kernel-State st2))
                (equal y (Current-Partition st1))
                (equal (Accessible-Information y st1)
                       (Accessible-Information y st2)))
           (equal (Accessible-Information y (Step-System st1))
                  (Accessible-Information y (Step-System st2)))))
```
(No) Mediation
```lisp
;; Mediation: when the current partition is allowed to interact with z, what z
;; can access after the step depends only on the kernel state and on what the
;; current partition and z could access before it. (The third hypothesis was
;; missing a closing parenthesis in the extracted slide; it is restored here.)
(defthm Mediation
  (implies (and (Direct-Interaction-Allowed (Current-Partition st1) z)
                (equal (Kernel-State st1) (Kernel-State st2))
                (equal (Accessible-Information (Current-Partition st1) st1)
                       (Accessible-Information (Current-Partition st1) st2))
                (equal (Accessible-Information z st1)
                       (Accessible-Information z st2)))
           (equal (Accessible-Information z (Step-System st1))
                  (Accessible-Information z (Step-System st2)))))
```
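To make the three theorems concrete, here is an added example (not from the slides and not Rockwell Collins' ACL2 development): a toy partitioned machine in Python that uses the slides' vocabulary (Current-Partition, Kernel-State, Accessible-Information, Step-System, Direct-Interaction-Allowed) and checks Exfiltration, Infiltration and Mediation exhaustively over its small state space. The one-cell-per-partition memory, the X-to-Y flow policy, the partition program and the `enforce` switch that disables the memory-protection check are all constructed assumptions.

```python
"""Toy partitioned machine, checked by brute force against the slides' Exfiltration,
Infiltration and Mediation theorems. A state is (current partition, memory), memory
mapping each partition to its one cell. Added example; policy and program are constructed."""
from itertools import product

PARTITIONS = ("X", "Y", "Z")
VALUES = (0, 1, 2)        # each partition owns one memory cell holding 0..2
ALLOWED = {("X", "Y")}    # constructed flow policy: only X -> Y may cross

def direct_interaction_allowed(src, dst):
    return src == dst or (src, dst) in ALLOWED   # a partition may always touch its own cell

def current_partition(st):
    return st[0]

def kernel_state(st):
    return st[0]          # Kernel-State: just the schedule position, never partition data

def accessible_information(y, st):
    """Accessible-Information: partition y can read exactly its own cell."""
    return st[1][y]

def partition_program(cur, own):
    """Untrusted partition code: bumps its own cell, then tries to copy it everywhere."""
    return [(cur, (own + 1) % 3)] + [(p, own) for p in PARTITIONS if p != cur]

def step_system(st, enforce=True):
    """Step-System: run the current partition for one slot, then switch partitions.
    enforce=False models a kernel whose memory-protection check is missing."""
    cur, mem = st
    mem = dict(mem)
    for target, value in partition_program(cur, mem[cur]):
        if enforce and not direct_interaction_allowed(cur, target):
            continue      # Access Violation: the write never reaches the target cell
        mem[target] = value
    nxt = PARTITIONS[(PARTITIONS.index(cur) + 1) % len(PARTITIONS)]  # switch interrupt
    return (nxt, mem)

def all_states():
    return [(cur, dict(zip(PARTITIONS, cells)))
            for cur in PARTITIONS for cells in product(VALUES, repeat=len(PARTITIONS))]

def exfiltration_holds(enforce=True):
    """A step cannot change what a partition it may not interact with can see."""
    return all(accessible_information(y, step_system(st, enforce)) == accessible_information(y, st)
               for st in all_states() for y in PARTITIONS
               if not direct_interaction_allowed(current_partition(st), y))

def infiltration_holds(enforce=True):
    """What the running partition sees next depends only on kernel state and its own view."""
    for st1, st2 in product(all_states(), repeat=2):
        y = current_partition(st1)
        if (kernel_state(st1) == kernel_state(st2)
                and accessible_information(y, st1) == accessible_information(y, st2)
                and accessible_information(y, step_system(st1, enforce))
                != accessible_information(y, step_system(st2, enforce))):
            return False
    return True

def mediation_holds(enforce=True):
    """An allowed flow into z is a function of kernel state, the sender's view and z's view."""
    for st1, st2 in product(all_states(), repeat=2):
        cur = current_partition(st1)
        for z in PARTITIONS:
            if (direct_interaction_allowed(cur, z)
                    and kernel_state(st1) == kernel_state(st2)
                    and accessible_information(cur, st1) == accessible_information(cur, st2)
                    and accessible_information(z, st1) == accessible_information(z, st2)
                    and accessible_information(z, step_system(st1, enforce))
                    != accessible_information(z, step_system(st2, enforce))):
                return False
    return True
```

Calling `exfiltration_holds(False)` shows the check catching a kernel that skips the memory-protection test, while the other two properties still hold for this program because it never reads another partition's cell.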
Effort
ACL2-checked Proofs
– Currently connecting Implementation Model to Security Policy using the ACL2 theorem proving system
– Prior Rockwell Collins FM Work Crucial
• Schedule
• Capability
Outline
Integrated Modular Avionics
Intrinsic Partitioning
Partitioning for Security
Formal Verification
Application Development Environment
Development Environment Project Overview
[Figure: tool-flow diagram with a Cryptol Spec, two Generate arrows, an ACL2 Spec, AAMP7 Code, Handwritten AAMP7 Code, Theorems, Proof, an AAMP7 ISA model, a FACADE (simulator interface), a Backplane, a ROM image and a Configuration]
AAMP7 Development Environment
– Cryptol
– Instruction-level code proofs
– Partitioning support
Work with John Launchbury and Peter White of Galois Connections
Summary
Integrated Modular Avionics
– Safety-Critical Avionics Integration Concept
Intrinsic Partitioning
– “Separation Kernel” in a MILS Computing Platform
Partitioning for Security
– Application-Level Firewalls Supported
Formal Verification
– Provides High Assurance Intrinsic Partitioning
AAMP7 development environment
– Supports high-assurance application development exploiting intrinsic partitioning