This material provides a description of assurance cases, a key element in
CITADEL System Assurance and Certification. It also includes a set of
assurance case argument patterns that can be used to develop these
assurance cases. The assurance case patterns are instantiated by using
AM-ETB and the system model in the CITADEL modeling language. As
regards the evaluation of Adaptive MILS assurance cases, it involves the
analysis of the soundness of the assurance case, the integrity of the evidence
supporting the claims made in the assurance case, and the certification of the
Adaptive MILS system.
2. Agenda
CITADEL training, atsec information security AB
● Assurance cases
● Developing assurance cases
● Assurance cases in CITADEL
● Assurance cases in evaluations
● Automation of assurance case usage
4. Assurance case
An assurance case provides an argument to justify certain claims about a
system, based on evidence concerning both the system and the environment
in which it operates.
The principal advance offered by assurance cases compared to other forms of
assurance is the provision of an explicit argument connecting evidence to
claims.
The idea of a structured argument is to facilitate modular comprehension and
assessment of the case.
6. Evidence
Persuasive argumentation and a strong, comprehensive set of requirements
play a major role in satisfying the claims of an assurance case.
However, the strength of the arguments and of the assurance case as a whole
depends on the quality and completeness of the evidence supporting
high-assurance claims of security or safety.
The evidence of an assurance case may validate and verify the requirements
through various types of evidence generation, such as testing, simulations,
audits and review of artefacts such as design and guidance documentation and
life cycle processes.
Where there are multiple ways to demonstrate satisfaction of goals (i.e. based
on different processes), the approach with the most convincing strategy and
evidence is to be chosen.
7. Assumptions
The evidence to substantiate the claims made in an assurance case should not
only consider the system itself, but should additionally take into account the
operational environment of the system.
Therefore, the operational environment of the system should either be
considered and included as part of the evidence, or incorporated as
environmental assumptions.
Hence, it is necessary to specify the assumptions under which the system or
design satisfies the claims.
8. GSN
Adaptive MILS systems employ Goal Structuring Notation (GSN) for the
development of assurance cases.
GSN assurance cases are constructed and visualised by a set of GSN elements
that collectively establish a goal structure.
The following elements are used:
● Goal (claim)
● Strategy
● Context
● Undeveloped goal
● Evidence
● Assumption
9. Why assurance cases?
An assurance case does not replace any specific technique for analysis or for
generating evidence. It shows the connection between the techniques used
and the high-level claims.
An assurance case captures the rationale for why the results of the analyses
support our high-level requirements and goals, and the context for this
support (for example, the assumptions and scope of any models used).
11. Two aspects of assurance cases
There are two different aspects to consider and make use of when developing
an assurance case.
Assurance case argument patterns
● The process of developing an assurance case is simplified through the
introduction of assurance case patterns.
● A catalogue of assurance case argument patterns is developed within the
CITADEL project.
Regulatory standards
● The use of standards can offer various benefits, such as diminishing the
limitations of assurance cases related to confirmation bias (i.e. only
showing that the system is secure, but not how it is protected against
insecure states).
● However, it may be difficult to directly apply standards to adaptive MILS
systems, as they comprise a very fast moving field. Instead, the desired
option is a partly standardised approach towards the instantiation of the
claims made in an argument-based assurance case, as well as towards
evaluation and certification.
12. Assurance case patterns
Patterns maintain the structure, but not the specific details, of an argument
and therefore can be instantiated in multiple situations as appropriate.
By building a catalogue of patterns (i.e., templates), it is possible to
facilitate the process of assurance case creation and documentation.
Assurance case patterns offer the benefits of reuse and repeatability of
process, as well as providing some notion of coverage or completeness of the
evidence.
A pattern is instantiated using information provided in the system model.
13. Standards-based assurance cases
A partly standardised approach towards the instantiation of the claims made
in argument-based assurance cases.
They comply with ISO/IEC 15026-2 and are extended with system-specific
standards depending on the nature of the adaptive system.
Standards-based methods provide various benefits to the development and
evaluation of assurance cases.
14. Standards-based method benefits
● Support the establishment of comprehensive security requirements.
  ● Provides higher assurance of the quality and precision of the claims and
  sub-claims of which the assurance case is built up.
  ● Simplifies the evaluation of the sufficiency of the argument (during
  evaluation).
● Aid in the specification of the evidence required to demonstrate
satisfaction of the requirements.
  ● Facilitates the assessment of the sufficiency of the evidence (during
  evaluation).
  ● New standards may include new verification approaches to provide
  evidence that are better suited to adaptive systems.
● Evaluate the system against a consistent set of requirements that are
widely recognised.
  ● Time and costs required for certification are kept to a minimum.
  ● Adaptive systems are enabled to comply with certain standards demanded
  by legal requirements.
16. Adaptive MILS assurance case architecture
CITADEL employs a modular approach: components in the patterns may be
modified, added or deleted at any time.
The argument can be built both top-down and bottom-up.
● Top-down, we divide each claim into components whose conjunction implies
the claim, and recurse down to sub-claims supported by evidence.
● Bottom-up, we treat each evidentially-supported sub-claim as an
independently settled fact and conjoin these to produce higher-level
sub-claims that combine recursively to deliver the top claim.
18. Patterns developed for CITADEL
The patterns developed during the CITADEL project represent the top claims
of the system, the Adaptive MILS planes and the operational plane.
The Adaptive MILS planes are largely static, i.e. the planes usually comprise
the same sets of components.
System properties pattern
This is the top-level pattern of an Adaptive MILS system. It creates an
argument that an Adaptive MILS system enforces its required properties.
These properties may concern security, safety, function and real-time
properties.
This pattern includes the Adaptive MILS planes.
19. Top level Adaptive MILS argument
20. The plane patterns
The planes consist of compositions and components, and the goal of a plane is
satisfied when the compositional behaviour of the compositions and/or
components included in that plane meets their local policies.
Also, the interaction between these must be ensured as specified in the
security policy, which can be demonstrated through the interface argument.
Additional patterns exist as modules which can be added to or removed from
these plane patterns.
21. Operational plane
The operational plane is the application plane of an Adaptive MILS system.
It is the least pre-defined plane, and can be further developed manually
depending on the safety and security goals of the application. This means
that it is not as static as the other Adaptive MILS planes.
The pattern is a generic argument that the operational plane guarantees that
its local policy is met.
22. Foundational plane
The foundational plane includes various foundation element components:
Platform node(s), containing kernel instances
● An argument that each platform node and separation kernel instance
provides separation for data and processor time partitioning.
● An argument that configuration introspection is permitted only for
authorised subjects.
MILS network subsystem (NSM) instances
Time Sensitive Network (TSN)
● An argument to ensure that critical information is delivered timely and
that bandwidth is optimised according to different levels of priority.
23. Monitoring plane
An argument that the monitoring plane provides a flexible framework for
constructing monitoring applications to ensure continuous correct functioning
of the Adaptive MILS system.
Arguments that monitor data is obtained, analysed for certain properties or
anomalies, and that alarms or reports of the analysis results are triggered.
The plane supports state monitoring and communications monitoring.
24. Adaptation plane
An argument that the adaptation plane ensures that adaptations preserve the
vital overarching properties defined for the system when developing the
adaptation strategy, whether adapting to changing environmental conditions
or dynamically repurposing the system in real-time safety-critical
environments.
The adaptation plane performs dynamic risk assessment based on
context-awareness when developing adaptation strategies.
An argument that the context-awareness model is correct, sufficient and
assures system safety.
25. Configuration plane
The configuration plane develops a reconfiguration plan, and mediates the use
of the dynamic reconfiguration primitives of the separation kernel and the
network by enforcing adaptation policies on proposed reconfiguration plans.
The pattern states an argument that the plane ensures the establishment of
correct configuration and reconfiguration plans for Adaptive MILS systems,
and also an argument about the dynamic reconfiguration capabilities.
26. Certification plane
The certification plane comprises the AM-ETB, which enables tool integration
as well as the verification and validation of results.
An argument that the plane verifies that the model (in the current and next
configurations chosen by the adaptation plane) satisfies the system
properties, by generating, collecting and analysing evidence.
27. Additional argument patterns
While every claim in an assurance case should eventually end with an evidence
node, an assurance case pattern does not necessarily end with an evidence
node. The pattern could, for instance, also be supported by other argument
patterns that end with evidence nodes.
Such modular patterns have been defined within the CITADEL project…
28. Assurance case argument patterns
● Interface pattern: create an argument that communication between
components or compositions in the architecture only occurs via connections
explicitly defined in the policy architecture.
● Threat pattern: create an argument that threats are sufficiently mitigated.
● Modes and transitions / states and transitions patterns: create arguments
that modes/states and the transitions between them are in accordance with
the mode models and transition models.
● Composition pattern: create arguments that formally defined properties of
a system are satisfied by a CITADEL system model and are faithfully
implemented by an Adaptive MILS system.
● Process (component) pattern: create an argument for any process during
the development, real-time adaptation and reconfiguration, and analysis of
an Adaptive MILS system.
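The interface pattern above, instantiated from a constructed system model. This is an added example, not CITADEL or AM-ETB code; the compositions, component names and policy connections are assumptions invented for it. A component-level connection counts as policy-defined when either the components or their enclosing compositions have an explicit entry in the policy architecture.

```python
# Constructed policy architecture (assumption): compositions and their member
# components, plus the directed connections explicitly allowed by the policy.
COMPOSITIONS = {
    "monitoring": {"state_mon", "comm_mon"},
    "adaptation": {"risk_assess", "planner"},
    "configuration": {"reconfig"},
}
POLICY = {
    ("monitoring", "adaptation"),      # composition-level connection
    ("adaptation", "configuration"),   # composition-level connection
    ("reconfig", "sk_primitives"),     # component-level connection
}


def composition_of(name):
    """Resolve a component to its composition; loose components stand alone."""
    for composition, members in COMPOSITIONS.items():
        if name in members:
            return composition
    return name


def permitted(src, dst):
    """True if the connection, or the one between the enclosing compositions,
    is explicitly defined in the policy architecture."""
    return (src, dst) in POLICY or \
        (composition_of(src), composition_of(dst)) in POLICY


def instantiate_interface_pattern(model_connections):
    """One sub-claim per connection found in the system model, marked
    supported (policy-defined) or violated (undeclared connection)."""
    return [
        {"claim": f"communication {src} -> {dst} occurs via a policy-defined connection",
         "status": "supported" if permitted(src, dst) else "violated"}
        for src, dst in model_connections
    ]


# Constructed connections as they might be read from the system model.
MODEL_CONNECTIONS = [
    ("comm_mon", "risk_assess"),    # monitoring -> adaptation: in policy
    ("planner", "reconfig"),        # adaptation -> configuration: in policy
    ("reconfig", "sk_primitives"),  # explicit component-level entry
    ("state_mon", "reconfig"),      # monitoring -> configuration: undeclared
]


def violations(model_connections=MODEL_CONNECTIONS):
    """Claims that cannot be supported, i.e. evidence against the plane goal."""
    return [c["claim"] for c in instantiate_interface_pattern(model_connections)
            if c["status"] == "violated"]
```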
29. Process properties patterns
The process pattern may include one or more properties as modules within the
process. Each of the following patterns creates an argument about the
trustworthiness of the named element used as part of a process included in
the assurance case:
● Tool pattern (tools)
● Person pattern (persons)
● Organisation pattern (organisations)
● Artefact pattern (artefacts)
● Technique pattern (techniques)
● Trusted Software Component pattern (trusted software components)
33. Evaluation of the assurance case
Before the evaluation, it should be ensured that the assurance case is
correct. The assurance case itself is reviewed: the soundness of the
assurance case is verified based on four aspects, explained in the following
slides.
Once it is determined that the assurance case is sound, we can use the
assurance case during the evaluation of an Adaptive MILS system.
The evaluation is performed by reviewing the assurance case.
34. Soundness of the assurance case
Completeness of the assurance case
Shows the degree to which the assurance case has been finished, by looking at
instantiated and undeveloped claims.
Sufficiency of the arguments
Is the argument strong enough to support the conclusions being drawn?
● Standards-based assurance cases have the potential to increase the
strength of an argument (standards indicate requirements).
35. Soundness of the assurance case
Sufficiency of evidence
The extent to which the evidence supports the argument, and the integrity and
trustworthiness of the evidence.
● If the evidence collection and analysis process cannot be assured, the
evidence can be ruled inadmissible (tool qualification and assurance).
Sufficiency of assumptions
The extent to which the assumptions support the arguments.
● Assumptions about the system
● Assumptions about the system's environment
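The top-down/bottom-up architecture of slide 16 and the soundness aspects of slides 34 and 35, worked through on a constructed GSN fragment. This is an added example, not CITADEL or AM-ETB code; the node ids, claim texts and evidence items are invented, and evidence admissibility is modelled as a plain flag standing in for tool qualification.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    id: str
    kind: str                 # "goal", "strategy", "evidence" or "assumption"
    text: str
    children: list = field(default_factory=list)
    developed: bool = True    # False marks an undeveloped goal
    admissible: bool = True   # evidence only: was its collection process assured?


def claims(node):
    """Top-down walk: every goal reachable from node, including node itself."""
    out = [node] if node.kind == "goal" else []
    for child in node.children:
        out += claims(child)
    return out


def completeness(top):
    """Completeness aspect (slide 34): share of claims that are developed."""
    goals = claims(top)
    return sum(g.developed for g in goals) / len(goals)


def supported(node, trace):
    """Bottom-up: a claim holds iff all children hold; evidence holds only if
    admissible (slide 35); assumptions are recorded in trace, not proven."""
    if node.kind == "evidence":
        if not node.admissible:
            trace.append(f"{node.id}: evidence inadmissible")
        return node.admissible
    if node.kind == "assumption":
        trace.append(f"{node.id}: relies on assumption '{node.text}'")
        return True
    if node.kind == "goal" and not node.developed:
        trace.append(f"{node.id}: undeveloped goal")
        return False
    results = [supported(c, trace) for c in node.children]  # visit all children
    return bool(results) and all(results)


def sample_case():
    """Constructed top-level Adaptive MILS argument with three plane sub-claims."""
    sk_ev = Node("E1", "evidence", "separation kernel partitioning test report")
    net_ev = Node("E2", "evidence", "NSM connection audit", admissible=False)
    asm = Node("A1", "assumption", "physical access to platform nodes is controlled")
    found = Node("G2", "goal", "foundational plane meets its local policy",
                 [Node("S1", "strategy", "argue per platform node", [sk_ev, asm])])
    ops = Node("G3", "goal", "operational plane meets its local policy", developed=False)
    iface = Node("G4", "goal", "components communicate only via policy connections", [net_ev])
    return Node("G1", "goal", "Adaptive MILS system enforces its required properties",
                [Node("S0", "strategy", "argue over the planes", [found, ops, iface])])
```

Running `supported(sample_case(), trace)` yields False with the trace listing the assumption relied on, the undeveloped operational-plane goal and the inadmissible evidence, which is exactly the material an evaluator reviews fragment by fragment.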
36. Assurance case during evaluations
The assurance case is reviewed; this also focuses on the quality of the
evidence.
Human interaction is required for interpretation of the assurance case.
Interactive presentation of the assurance case…
● enables the evaluator to encapsulate selected fragments and review the
assurance case fragment by fragment.
● enables the evaluator to indicate whether a claim is satisfied or not, and
to leave feedback.
● shows a comprehensive overview of the results of the evaluation, plus a
metric indicating the security or safety of the adaptive system.
37. Evaluation of performance
The performance of the Adaptive MILS system is determined on the basis of
the analysis of the evidence supporting each of the arguments of the entire
assurance case.
While the analysis will require human judgement, automated tools may
support the overall assurance case analysis.
The completeness of the requirements, the adequacy of test cases and the
absence of unintended behaviours should be evaluated with the assistance of
the AM-ETB tool.
39. AM-ETB
AM-ETB stands for Adaptive MILS Evidential Tool Bus. The AM-ETB tool is used
for this automation: it supports the automatic instantiation of assurance
case patterns.
For further information, please refer to the training material related to
AM-ETB.