Introduction to CITADEL
The Open Group Training - Context - Introduction to CITADEL 1
CITADEL Overview
CITADEL Motivation
• Critical infrastructures rely on complex safety- and security-critical ICT systems operating in unpredictable environments.
• These systems are trust-needy, but often not trustworthy.
• Adaptation is needed to cope with naturally occurring events and the malicious activities of hostile agents.
• Current MILS is trustworthy, but not adaptive.
• CITADEL is intended to provide an innovative platform technology, methodology and tools for the development, deployment, and certification of adaptive systems.
• CITADEL is based on MILS, an approach featuring modular construction and compositional assurance, leveraging the advances of previous EC projects.
• CITADEL should support the certification of Adaptive MILS systems by maintaining an assurance case and its supporting evidence in sync with adaptation.
CITADEL Overview
A short history of MILS
The Emergence of “MILS”
• “MILS”, by that name, emerged circa 2000.
  - Originally “MILS” stood for Multiple Independent Levels of Security. In 2007 members of The Open Group’s Real Time and Embedded Systems (RTES) Forum recognized that the expanded acronym was not an accurate characterization* and decided to henceforth regard “MILS” not as an acronym but as a proper name for the architectural approach.
  - MILS was initiated in part upon the recognition that commercial partitioning kernels built for avionic safety could be applied to high-assurance security.
  - Strong partitioning (“separation” or “isolation”) provides a basis for the prevention of information flow, upon which “controlled information flow” can be established.
  - This led to the rediscovery of Rushby’s Separation Kernel (SK), from Design and Verification of Secure Systems (1981), which became the foundation for MILS.
  - Development of Common Criteria protection profiles for partitioning kernels (The Open Group) and for separation kernels (NSA) ensued from 2000 until 2008.
  - Other associated protection profile developments were also undertaken.
• The Open Group’s RTES Forum became the home of an active community of interest in MILS (the “MILS Initiative”).
* “Multiple levels” is easily confused with multilevel security (MLS), which is a legitimate application of MILS, but the implied ordering of “levels” does not accurately characterize MILS. “Multiple independent domains” would be more accurate, but even the use of “independent” is not generally valid.
The Birth of MILS and Its Evolution
• Seminal work by John Rushby
  - Study of ongoing secure systems efforts, 1980
  - Design and Verification of Secure Systems, the original Separation Kernel paper, 1981
  - Separability, 1982-1983
  - Non-interference and channel control, 1982-1992
  - Partitioning for security and safety, 1999-2003
  - MILS research at SRI, 2004-2012 (Rushby, DeLong)
• MILS is born circa 2000 and advanced through its “Eras”
  - “Classic” MILS Era, 2000-2007, various contributors
  - “Modern” MILS Era, 2008-2012, Rushby and DeLong
  - “Progressive” MILS Era, 2012-present, DeLong et al.:
    ● Distributed MILS (D-MILS project)
    ● Dynamic MILS and Adaptive MILS (CITADEL project)
    ● Heterogeneous (CPU/GPU/FPGA) MILS Platforms (PHANTOM project)
More about the Eras of “MILS”
• 2000-2007: the Era of “Classic MILS”, during which MILS proliferated
  - The seminal work of Rushby was recognized and built upon
  - Other contributors included: Vanfleet, Dransfield, Alves-Foss, Harrison, Oman, Taylor, Greeve, Wilding, Richards, Uchenick, Millen, Delange, Calloni, Hardin, DeLong, Beckwith
• 2004: Rushby at SRI International, who had been working on safety, became engaged with the MILS community
• 2004-2012: research on MILS was funded through several projects at SRI International
• 2008: Rushby declared the arrival of “Modern MILS”, as the concepts had crystallized
• 2008-2012: the Era of “Modern MILS”, in addition to establishing the foundations, spawned the ideas of principled delivery, configuration and initialization, just-in-time MILS certification, as well as distributed, dynamic and adaptive MILS
• 2012-2019 and beyond: the Era of “Progressive MILS”, built on Modern MILS results
  - Principled delivery, configuration and initialization of MILS components and integrations
  - Distributed MILS: assured, scalable, distributed deterministic systems
  - Dynamic MILS: assured reconfigurable systems, cloud computing, IoT systems
  - Adaptive MILS: assured critical infrastructures, adaptive and resilient systems
  - Heterogeneous MILS: MILS platforms not based on a separation kernel (CPU, GPU, FPGA)
  - Mixed-Critical MILS: assured mixed-criticality cyber-physical systems
  - Autonomous MILS: assured self-healing, adaptive, and intelligent cyber-physical systems
Key characteristics of “Modern MILS”
• MILS is a component-based approach to the design and implementation of secure and dependable systems that encourages a marketplace of general-purpose commercial components, leading to lower development cost
• MILS is a two-phase approach (John Rushby’s “Modern MILS”):
  - Design a “Policy Architecture”
    ● An abstract architecture diagram represented by “boxes and arrows”
    ● Operational components and the architecture achieve the system’s purpose
    ● Assumes the architecture (components and connectors) will be strictly enforced in the implementation
  - Implement the policy architecture on a robust resource-sharing platform
    ● MILS foundational components (FCs) enable sharing of physical resources, creating strongly separated “exported resources”
    ● FCs should be individually developed and assured according to standardized specifications
    ● FCs compose “additively” to form a distributed trusted sharing substrate, the MILS Platform
• MILS provides a compositional approach to construction, assurance, and system certification
MILS Policy Architecture
[Figure: policy architecture diagram with components C1 to C6 and arrows among them. Annotations:]
• Circles represent architectural components (subjects / objects); arrows represent interactions.
• The architecture diagram expresses an interaction policy among a collection of components.
• The absence of an arrow is as significant as the presence of one: component C6 has no interaction with any other component.
• Components are assumed to perform the functions specified by the architect (trusted components enforce a local policy); one component in the diagram is marked as a Trusted Subject.
• Suitability of the architecture for some purpose presumes that the architect’s assumptions are met in the implementation of the architecture diagram.
MILS Platform – Enables a Straightforward Realization of a Policy Architecture
[Figure: the policy architecture (components C1 to C5) above its realization as resources R1 to R5 hosted on the MILS Platform. Annotations:]
• The SK, with other MILS foundational components, forms the MILS Platform, allowing operational components to share physical resources while enforcing isolation and information flow control.
• Validity of the architecture assumes that the only interactions of the circles (operational components) are through the arrows depicted in the diagram.
“Modern MILS” Platform Architecture – a composition of foundational components creating one or more Operational Planes
[Figure: three planes. Foundational Plane: Separation Kernel ⊕ the other foundational components (MFS, MNS, MEA, MCS), forming the MILS Platform. Operational Plane: partitions P1 to P5. Configuration Plane: configuration data supplied to the foundational components. Annotations:]
• The MILS Platform is an abstraction of the Foundational Plane.
• The MILS Foundational Plane is the composition of MILS foundational components.
• The Configuration Plane runs off-line in static MILS.
• Operational Plane(s) are the operational components of the application policy architecture.
CITADEL Overview
The concepts of CITADEL
The CITADEL Approach
• Apply MILS’ Conservative Extension Principle:
  - When adding new capabilities to MILS, do so without sacrificing the ability to provide assurance (modeling and verification of system properties)
• Build upon static MILS and distributed MILS
  - Static standalone MILS: simplicity facilitates assurance
  - Distributed MILS: conservatively extends static standalone MILS to static distributed MILS systems, with compositional verification and compositional assurance case automation
• CITADEL: conservatively extend MILS for adaptive systems on dynamic and distributed MILS platforms
  - Dynamic MILS: conservatively extend static and distributed MILS platforms with primitives for dynamic reconfiguration
  - Enhance modeling and analysis capabilities for dynamism
  - Add the CITADEL Framework for adaptation: mechanisms for closed-loop control of dynamic reconfiguration of the MILS foundational, operational, and monitoring planes
  - Add runtime assurance maintenance during adaptation
CITADEL Overview
CITADEL project ambitions
Needed characteristics of CITADEL
• Dependable: a system is developed from a model that is analyzable for the needed properties
• Reconfigurable: a system configuration can be changed without restarting the system
• Deployable: there is a deployment framework and platform for reconfigurable systems
• Distributed: a system can be distributed as the applications and environment demand
• Scalable: nodes can be numerous, to provide the needed computing resources
• Adaptable: a system can adapt to internal events or environmental change by reconfiguring
• Assurable: high confidence in the system’s dependability is achieved through design-time analysis and runtime assurance maintenance
CITADEL Technology Objectives
• Extend the MILS platform and tool chain for dynamic and distributed systems
  - Similar guarantees to a single static MILS system
  - Conservatively extend MILS scalability and adaptive capabilities while maintaining the “assurability” of platform guarantees
• Specific technology objectives of the project
  - Declarative modelling languages
  - Compositional verification of dynamic architectures
  - Configuration monitor synthesis
  - Assurance cases for dynamic systems
  - Configuration introspection and dynamic reconfiguration primitives
  - Enforcement of configuration change policies
  - Adaptation: accommodate changing conditions
  - Monitoring: sense conditions to trigger adaptation
CITADEL Overview
CITADEL architecture
CITADEL builds on Distributed MILS*: policy architecture deployment spanning nodes
[Figure: Distributed MILS nodes, each consisting of Node Hardware, SK and MNS hosting Subjects; the composition SK ⊕ MNS forms a Foundational Plane that extends across the nodes, and together the nodes form the D-MILS platform. Annotations:]
• A Distributed MILS node comprises at minimum the SK and MNS foundational components.
• The Distributed MILS concept originated with the MILS Network System (MNS) Protection Profile work in 2010.
* European Commission FP7, ICT-2011.1.4 Trustworthy ICT, Project #318772, 2012-2015.
The MNS exports logically unidirectional “wormholes” that span D-MILS nodes
[Figure: D-MILS Node 1 and D-MILS Node 2, each with Node Hardware, SK ⊕ MNS (Foundational Plane) and Subjects; three wormholes cross between the nodes. Annotations:]
• Relocatable subjects communicate with resources without knowing on what node the resource resides. (A subject that controls a local device on a node is not relocatable.)
• This example “global information flow policy” defines three inter-node information flows.
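Two points from the policy architecture slide and the wormhole slide above can be checked mechanically: the absence of an arrow is itself a policy statement, and only the arrows whose endpoints land on different nodes become wormholes the MNS must export. The following Python is an added example, not code from the CITADEL or D-MILS projects; the components C1 to C6, the flows, the node names and the device bindings are constructed to mirror the “boxes and arrows” diagram. It flags a realized channel the architecture does not permit (a one-way arrow implemented as a duplex socket leaves an illegal back channel), refuses a placement that moves a device-bound subject off its node, and projects the global information-flow policy onto nodes.

```python
"""Policy-architecture conformance and D-MILS deployment check.

Added example, not code from the CITADEL or D-MILS projects.  The
component names C1..C6, the node names and the flow policy below are
constructed to mirror the "boxes and arrows" policy architecture diagram.
"""
from collections import deque

# Policy architecture: the circles (operational components) and the arrows
# (permitted directed interactions).  Anything not listed is forbidden, and
# C6, which has no arrow at all, must be completely isolated.
COMPONENTS = frozenset({"C1", "C2", "C3", "C4", "C5", "C6"})
FLOWS = frozenset({("C1", "C2"), ("C2", "C3"), ("C3", "C4"),
                   ("C1", "C5"), ("C5", "C4")})

# A subject that controls a local device is pinned to that device's node
# and is not relocatable (constructed bindings).
DEVICE_BOUND = {"C1": "node1", "C4": "node2"}


def conformance_violations(realized_channels, flows=FLOWS, components=COMPONENTS):
    """Channels in a realized configuration that the policy architecture does
    not permit.  Channels are directed (src, dst) pairs, so a full-duplex link
    must be listed twice; that is exactly how a request/response realization
    of a one-way arrow shows up as an illegal back channel."""
    bad = set()
    for src, dst in realized_channels:
        if src not in components or dst not in components or (src, dst) not in flows:
            bad.add((src, dst))
    return bad


def reachable(start, flows=FLOWS):
    """Components that `start` can influence transitively under the policy;
    confirms that an isolated component really has no path out."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for src, dst in flows:
            if src == node and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def placement_violations(placement, device_bound=DEVICE_BOUND):
    """Subjects a proposed placement would move off the node holding their
    device: subject -> (proposed node, required node)."""
    return {s: (placement.get(s), node)
            for s, node in device_bound.items() if placement.get(s) != node}


def required_wormholes(placement, flows=FLOWS):
    """Project the global information-flow policy onto nodes: every arrow whose
    endpoints sit on different nodes is a unidirectional wormhole the MNS must
    export, as (src, dst, src_node, dst_node)."""
    return sorted((src, dst, placement[src], placement[dst])
                  for src, dst in flows if placement[src] != placement[dst])


def local_flows(placement, flows=FLOWS):
    """Arrows that stay within one node, enforced by that node's SK alone."""
    per_node = {}
    for src, dst in flows:
        if placement[src] == placement[dst]:
            per_node.setdefault(placement[src], set()).add((src, dst))
    return per_node


if __name__ == "__main__":
    # Constructed check: the one-way arrow C1 -> C2 realized as a duplex socket.
    print(conformance_violations({("C1", "C2"), ("C2", "C1")}))
    placement = {"C1": "node1", "C2": "node1", "C3": "node2",
                 "C4": "node2", "C5": "node2", "C6": "node1"}
    print(placement_violations(placement), required_wormholes(placement))
```

The check is deliberately syntactic: it compares realized channels against the drawn arrows and says nothing about covert channels through shared resources, which is what the SK and MNS assurance arguments on the platform side have to cover.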
The Distributed MILS Platform
[Figure: Distributed MILS nodes, each a HW/SW stack; SK ⊕ MNS ⊕ MCS with their exported resources, where ⊕ denotes additive composition; a console for some applications attaches to the MCS. Annotations:]
• Additive compositionality property, e.g. Partitioning kernel ⊕ Partitioning network system = Partitioning (kernel + network system)
• MNS = MILS Network System; MCS = MILS Console System
• The minimal MILS platform is SK alone.
• The Distributed MILS Project (EC FP7) implemented Distributed MILS nodes with SK and MILS Network System (MNS) using Time-Triggered Ethernet, and one of the D-MILS demonstrators implemented a special-purpose MILS Console System (MCS).
• CITADEL implements a new MNS using time-sensitive networking (TSN), together with a new SK.
• An updated version of the D-MILS MCS was developed for CITADEL.
CITADEL Framework
• The CITADEL Framework for adaptive MILS systems adds new subsystems (planes) to the MILS platform
• The Configuration Plane of the MILS platform must now run online, because (re)configuration occurs at runtime
• The Monitoring Plane runs monitoring applications that generate events from virtual sensors deployed in the Foundational Plane and Operational Plane(s)
• The Adaptation Plane responds to events from the Monitoring Plane, determining a new configuration and commanding the Configuration Plane to reconfigure the Foundational, Monitoring and Operational Planes
• The Certification Assurance Plane maintains a current Assurance Case for the reconfigured running system
• Some of the verification tools may run online
Planes of the CITADEL Framework
[Figure: the MILS Platform (Foundational Plane: Separation Kernel ⊕ MFS, MNS, MEA, MCS) hosting Operational Plane(s) with partitions P1 to P5 and a Monitoring Plane / FW containing a Fault Diagnoser and COMM, STATE and RESOURCE virtual sensors. Labels in the figure: Observations & Events and FDI (Monitoring Plane to Adaptation Plane); Target Config (Adaptation Plane to Configuration Plane); Config Cmds (Configuration Plane to the Foundational, Monitoring and Operational Planes); Introspection; Exceptions; Certification Assurance Artifact (output of the Certification Assurance Plane).]
CITADEL Overview
CITADEL project team
CITADEL Project Team
• The Open Group has been home to the MILS Initiative activities since the early 2000s
• Many members of the CITADEL project team have worked on previous MILS-based research projects, including D-MILS, EuroMILS, and earlier MILS-defining projects
• The project represents considerable expertise in MILS, separation kernels, OSs, networking, system modeling, analysis, verification, safety certification, security evaluation, assurance methods, system integration, and other relevant disciplines
CITADEL Consortium
• The Open Group (UK)
• ATB (DE)
• Technical University of Eindhoven (NL)
• Fondazione Bruno Kessler (IT)
• IK4-IKERLAN (ES)
• Université Grenoble Alpes (FR)
• atsec Information Security (SE)
• Kaspersky Lab (UK)
• OAS (DE)
• SYSGO (DE)
• TTTech (AT)
• J.W. Ostendorf (DE)
• Frequentis (AT)
• UniControls (CZ)
• Q-Media (CZ)
CITADEL Requirements Overview
Industrial Demonstrators
Industrial Demonstrator Requirements
• The deliverables containing the industrial demonstrator requirements are not public, due to proprietary information.
• The CITADEL technology requirements reflect those aspects of the demonstrator requirements that are to be met or supported by the development partners’ contributions to the CITADEL technology. The technology requirements are summarized in the following section.
CITADEL Requirements Overview
Technology Requirements
Operational Plane Support (1)
• Modelling language to enable
  - Specification of hierarchical architectures
  - Synchronous and asynchronous composition
  - Specification of an implementation as a transition system
  - Explicit specification of spaces of architecture configurations
  - Dynamic activation/deactivation
  - Partial and total dynamic reconfiguration
  - Effects of faults and failures
  - Specification of component and composite properties
Operational Plane Support (2)
• Analysis & verification
  - Accept parameterized and/or dynamic system models
  - User interaction with the modelling language
  - Compositional verification of global properties from component properties
  - Covers the spectrum of relevant properties
  - Tools provide diagnostic feedback
  - Also support the configuration, adaptation and certification assurance planes
Operational Plane Support (3)
• Detection & diagnosis
  - Analysis and synthesis of runtime monitors
  - Diagnosability: determine whether a given fault is diagnosable
Foundational Plane (1)
• MILS Platform
  - Composition of foundational components
  - Distributed: multiple MILS nodes
    ● Separation Kernel and MILS Network System
    ● Time-sensitive networking (TSN)
  - Dynamic: reconfigurable at runtime
    ● Extension of foundational components to support dynamic reconfiguration and configuration introspection
  - Adaptive through the “CITADEL Framework”
    ● Support of monitoring and adaptation planes
  - Assurance is a priority consideration
Foundational Plane (2)
• Separation Kernel
  - Configuration interface
    ● Allocation of resources to partitions and subjects
    ● Fine-grained subject privileges
    ● Physical and virtual network interfaces
    ● Support for monitoring
  - Dynamic reconfiguration interface
    ● Modify the set of active partitions
    ● Exchange/replacement of subjects in a partition
    ● Dynamically allocate memory within quotas
    ● Maintain predictable operation during reconfiguration
  - Distributed MILS support
    ● MILS Network System support
Foundational Plane (3)
• MILS Network System
  - Node-qualified resource identifiers
  - Inter-node “wormholes”
    ● Virtual point-to-point links among subjects
    ● Standardized inter-subject communication
    ● “Proxy subjects” for off-node communication
  - A single MNS per node, managing the TSN devices
  - Global communications policy enforcement
  - Configuration interface supporting initial configuration and reconfiguration
• Time-Sensitive Networking (TSN)
  - Deterministic real-time communication over Ethernet, ensuring a bounded maximum latency
  - Global time reference
MILS Node: SK + MNS
[Figure slide; no text content extracted.]
Network of MILS Nodes
[Figure slide; no text content extracted.]
Configuration Plane Requirements
• Interaction with the Adaptation Plane
• Reconfiguration Planner
  - “Big step” and “small step” configuration change
  - Receive big-step direction from the Adaptation Plane
  - Develop a plan of small steps to achieve the big step
  - Interact with the Foundational Plane through reconfiguration primitives to effect the reconfiguration
• Configuration State Controller
  - Configuration change agent: privileged to perform primitives and to enforce configuration change policies
• Configuration Compiler
  - Allocation of resources across the distributed system consistent with constraints
  - Scheduling coordination
  - Platform configuration targeting
Configuration Plane Components
[Figure slide; no text content extracted.]
Big- and Small-Step Reconfiguration
[Figure slide; no text content extracted.]
Monitoring Plane Requirements
• Monitoring framework
  - Communication monitoring
  - State monitoring
• Sources of monitoring data
• Monitoring policies and algorithms
• Alerting and reporting mechanisms
• Architecture and compatibility
  - Standardized way to construct and deploy monitor applications
  - Placement of virtual sensors
• Security and dependability
• Configuration, reconfiguration and adaptivity
Adaptation Plane Requirements
• Interactions with other planes
  - Interaction with the Monitoring Plane
  - Interaction with the Configuration Plane
  - Interaction with the Certification Assurance Plane
• Adaptation within the Configuration Transition System of the architecture model
• Context (situation) awareness
• Abstract reconfiguration plan
• Reconfiguration logging
Adaptation Plane Interactions
[Figure: block diagram of the planes and their components; the block-to-plane grouping is not recoverable from the extracted text. Labels in the figure, in order: Cert. Assurance Plane; Operational plane; Plant; FDIR; Sensors; Actuators; Monitoring plane; Adaptation plane; Architecture Reconfiguration Planner; Property-based monitors; Anomaly detection; Context Extractor; User notification and feedback; Reconfiguration plane; Platform Reconfiguration Planner; Architecture Reconfiguration Logger; Architecture Configuration Identification; Foundational plane; Configuration Change Controller; Parametrized architecture; AM-ETB; User defined plan / Pluggable strategies; Design and Verification Tools; Properties; Reconfig. constraints; Rule-based Architecture Reconfiguration.]
Certification Assurance Plane Requirements
• Infrastructure, techniques, and tools for certification of Adaptive MILS systems
• Assurance case work builds on D-MILS
  - Extend for reconfigurable/adaptive systems
  - Adaptive-MILS Evidential Tool Bus (AM-ETB)
    ● Provide mechanisms to build the assurance case automatically in the running dynamic system
    ● Pattern-based assurance case (AC) construction
    ● Construct the Certification Assurance Artifact
Certification Assurance Plane Components
[Figure: the Assurance Case decomposes top goals/properties into sub-goals/properties through platform argument(s), component argument(s), composition argument(s) and configuration correctness argument(s), down to conformance property evidence with provenance of evidence. The Certification Assurance Artifact Repository holds models, properties (props), configurations (configs), assurance case (A.C.) patterns and tool flows; the AM-ETB connects the repository to the verification tools, which take models, props and configs as input.]
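Maintaining the assurance case in sync with adaptation, as the requirements above ask, means knowing exactly which evidence a reconfiguration has invalidated. The following Python is an added example, not the AM-ETB or any CITADEL code; the three sub-goals, the tool names, the two configurations and the idea of binding evidence to a SHA-256 digest of the configuration are assumptions made for illustration. It records per-sub-goal evidence with its provenance and the digest of the configuration it was produced for, so that after a reconfiguration the artifact can report which sub-goals are still supported, which are stale and need re-verification, and whether the top goal currently holds.

```python
"""Binding certification-assurance evidence to the configuration it covers.

Added example, not the CITADEL AM-ETB.  The goal decomposition, the tool
names and the configurations are constructed; binding evidence to a
canonical SHA-256 digest of the configuration is an assumption about how a
tool bus could detect stale evidence, not the project's mechanism.
"""
import hashlib
import json

# Pattern: one top goal discharged by three sub-goals.  Platform evidence
# (e.g. the SK's evaluation) does not depend on the running configuration;
# the architecture and configuration-correctness arguments do.
TOP_GOAL = "G0: the running system satisfies its information-flow policy"
SUBGOALS = ["G1: platform enforces partitioning",
            "G2: policy architecture satisfies the flow properties",
            "G3: current configuration correctly realizes the architecture"]
CONFIG_DEPENDENT = {SUBGOALS[1], SUBGOALS[2]}


def config_digest(config):
    """Canonical digest of a configuration (JSON with sorted keys).  Callers
    must canonicalize list order themselves: [P1, P2] and [P2, P1] differ."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


class AssuranceArtifact:
    """Minimal certification assurance artifact: per-sub-goal evidence with
    its provenance (tool) and the configuration digest it was produced for."""

    def __init__(self, subgoals=SUBGOALS, config_dependent=CONFIG_DEPENDENT):
        self.subgoals = list(subgoals)
        self.config_dependent = set(config_dependent)
        self.evidence = {}   # goal -> {"tool", "digest", "passed"}

    def record(self, goal, tool, passed, config=None):
        """Attach a tool result to a sub-goal.  Configuration-dependent goals
        must state which configuration the tool was run against."""
        if goal not in self.subgoals:
            raise KeyError(goal)
        digest = None
        if goal in self.config_dependent:
            if config is None:
                raise ValueError(f"{goal} needs the configuration it was verified for")
            digest = config_digest(config)
        self.evidence[goal] = {"tool": tool, "digest": digest, "passed": bool(passed)}

    def status(self, current_config):
        """Per-sub-goal verdict against the configuration now running:
        supported, stale (evidence from another configuration), failed, missing."""
        now = config_digest(current_config)
        out = {}
        for goal in self.subgoals:
            ev = self.evidence.get(goal)
            if ev is None:
                out[goal] = "missing"
            elif not ev["passed"]:
                out[goal] = "failed"
            elif goal in self.config_dependent and ev["digest"] != now:
                out[goal] = "stale"
            else:
                out[goal] = "supported"
        return out

    def top_goal_supported(self, current_config):
        """True only when every sub-goal is supported for this configuration."""
        return all(v == "supported" for v in self.status(current_config).values())

    def goals_to_reverify(self, current_config):
        """What the tool bus must re-run after a reconfiguration."""
        return [g for g, v in self.status(current_config).items() if v != "supported"]


if __name__ == "__main__":
    # Constructed configurations: before and after a reconfiguration.
    before = {"partitions": ["P1", "P2", "P3"], "channels": [["P1", "P2"], ["P2", "P3"]]}
    after = {"partitions": ["P1", "P3"], "channels": [["P1", "P3"]]}
    ac = AssuranceArtifact()
    ac.record(SUBGOALS[0], "sk-evaluation", True)
    ac.record(SUBGOALS[1], "model-checker", True, before)
    ac.record(SUBGOALS[2], "config-conformance", True, before)
    print(ac.top_goal_supported(before), ac.goals_to_reverify(after))
```

The digest is what makes “just-in-time” meaningful: a certifier asking for the artifact gets a verdict computed against the configuration that is actually running, not against whatever configuration the tools last happened to see.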
CITADEL Project Accomplishments Summary
Modeling and verification tools
Modeling and Verification Tools (1)
• Modeling language
  - CITADEL developed extensions for dynamically reconfigurable systems to the previously successful SLIM modeling language, which is derived from AADL and was extended for MILS in D-MILS
  - An annotation language permits expression of properties of the architecture and components
  - Dynamic architecture description is based on parameterized architectures that specify the configuration space
  - Augmented with a configuration transition system to express the permitted configuration changes
Modeling and Verification Tools (2)
• Verification tools
  - Previously, D-MILS models represented static architectures
  - CITADEL pushes the frontier of formal verification for dynamic systems by extending to four analysis domains, resulting from
    ● Static vs. dynamic architecture
    ● Finite vs. infinite instantiation
  - Some of the extensions can be addressed by reducing to D-MILS with minor extensions
  - Infinite instantiation domains required new techniques and tools to be developed for CITADEL, including runtime verification
Modeling and Verification Tools (2), continued: the four analysis domains
[Table: rows are static vs. dynamic architecture; columns are finite vs. infinite instantiation.]
(1) Static architecture, finite instantiation: a finite set of models. Can be statically analyzed by D-MILS technology (+ iteration).
(2) Static architecture, infinite instantiation: an infinite set of models. New techniques and tools for static analysis are under development in CITADEL.
(3) Dynamic architecture, finite instantiation: one model with finitely many reconfigurations. Can be statically analyzed by reducing to D-MILS extended with modes.
(4) Dynamic architecture, infinite instantiation: one model with infinitely many reconfigurations. Can be analyzed for a bounded reconfiguration horizon by reducing to D-MILS extended with modes (this is useful at CITADEL runtime).
CITADEL Project Accomplishments Summary
Dynamic MILS platform
Dynamic MILS Platform
• A static MILS platform, that is, its foundational components, may be configured with off-line tools, and its configuration does not change at runtime.
• The dynamic MILS platform requires each of its foundational components to support runtime configuration change by providing configuration change primitives.
• CITADEL accomplished this with dynamic configuration extensions to the Separation Kernel, the MILS Network System, and the Time-Sensitive Networking devices.
  - Enables changes to subjects, connections, and schedules
  - Enables time synchronization across the network, to assure that node schedules remain in sync
CITADEL Project Accomplishments Summary
CITADEL framework for adaptive systems
Framework for adaptive systems
• CITADEL developed a standardized MILS-based architectural framework for adaptive MILS systems
• The framework addresses two aspects of adaptation
  - The maintenance of critical system properties through integrated monitoring, adaptation, and reconfiguration
  - The maintenance of certification assurance as the dynamic system is adapted to operating conditions
CITADEL Project Accomplishments Summary
Integrated Monitoring, Adaptation and Reconfiguration
• The CITADEL framework embodies a closed control loop paradigm
  - Basically, the framework attempts to maintain the specified properties of the system by controlling the configuration
  - The system configuration is the control variable
  - The sensors of specified or synthesized monitors in the Monitoring Plane provide feedback on the conditions affecting the properties
  - The Adaptation Plane embodies the control laws, determining the need for and commanding configuration change
  - The Configuration Plane is the actuator for configuration changes
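The control loop described above, together with the big-step/small-step division and the privileged Configuration State Controller from the Configuration Plane Requirements, can be made concrete in a few dozen lines. The following Python is an added example, not CITADEL project code; the three configurations, the transition table, the monitor event names and the four primitives (connect, disconnect, activate, deactivate) are constructed for illustration. The adaptation function is the control law and only ever returns a configuration the transition system permits, the planner expands a big step into ordered small steps (tear down before build up), and the controller is the actuator that re-checks the change policy on every primitive and refuses any step that would create a channel the global policy does not allow.

```python
"""Closed-loop adaptation over a configuration transition system.

Added example, not CITADEL project code.  Configurations, transitions,
event names and the four primitives (connect, disconnect, activate,
deactivate) are constructed; a real platform exposes its own primitives.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Config:
    name: str
    partitions: frozenset   # active partitions
    channels: frozenset     # directed (src, dst) connections


# Constructed configuration space: nominal, a degraded mode that routes
# around a failed P2, and an isolated mode that cuts P3 off entirely.
NOMINAL = Config("nominal", frozenset({"P1", "P2", "P3"}),
                 frozenset({("P1", "P2"), ("P2", "P3")}))
DEGRADED = Config("degraded", frozenset({"P1", "P3"}), frozenset({("P1", "P3")}))
ISOLATED = Config("isolated", frozenset({"P1"}), frozenset())

# Configuration transition system: the only big steps the adaptation plane
# may request, keyed by (current configuration name, monitor event).
TRANSITIONS = {
    ("nominal", "comm_fault_P2"): DEGRADED,
    ("degraded", "P2_recovered"): NOMINAL,
    ("nominal", "intrusion_P3"): ISOLATED,
    ("degraded", "intrusion_P3"): ISOLATED,
}
# Global information-flow policy: channels allowed in any configuration.
ALLOWED_CHANNELS = frozenset({("P1", "P2"), ("P2", "P3"), ("P1", "P3")})


def adapt(current_name, event):
    """Adaptation plane (control law): the target configuration for an
    event, or None when the transition system permits no change."""
    return TRANSITIONS.get((current_name, event))


def plan_small_steps(current, target):
    """Reconfiguration planner: expand a big step into ordered small steps.
    Tear down before building up, so no intermediate state connects an
    inactive partition or keeps a channel the target does not have."""
    steps = [("disconnect", c) for c in sorted(current.channels - target.channels)]
    steps += [("deactivate", p) for p in sorted(current.partitions - target.partitions)]
    steps += [("activate", p) for p in sorted(target.partitions - current.partitions)]
    steps += [("connect", c) for c in sorted(target.channels - current.channels)]
    return steps


def apply_step(partitions, channels, step):
    """One primitive, checked against the configuration change policy.
    Mutates the two sets in place; raises PermissionError instead of
    applying a step the policy forbids."""
    op, arg = step
    if op == "connect":
        src, dst = arg
        if arg not in ALLOWED_CHANNELS or src not in partitions or dst not in partitions:
            raise PermissionError(f"refused {step}: channel not permitted")
        channels.add(arg)
    elif op == "disconnect":
        channels.discard(arg)
    elif op == "activate":
        partitions.add(arg)
    elif op == "deactivate":
        if any(arg in c for c in channels):
            raise PermissionError(f"refused {step}: partition still connected")
        partitions.discard(arg)


class ConfigurationStateController:
    """Configuration plane actuator: the only agent that issues primitives.
    It re-checks the change policy on every small step and logs each one."""

    def __init__(self, initial):
        self.current = initial
        self.log = []

    def execute(self, target):
        """Run the plan on a copy of the state; commit only if every step passed."""
        parts, chans = set(self.current.partitions), set(self.current.channels)
        for step in plan_small_steps(self.current, target):
            apply_step(parts, chans, step)          # raises on a refused step
            self.log.append((self.current.name, target.name, step))
        if parts != set(target.partitions) or chans != set(target.channels):
            raise RuntimeError("plan did not reach the target configuration")
        self.current = target
        return target


def run_loop(controller, events):
    """The closed loop: monitor event -> adaptation decision -> actuation."""
    trace = []
    for event in events:
        target = adapt(controller.current.name, event)
        if target is None:
            trace.append((event, "ignored", controller.current.name))
        else:
            controller.execute(target)
            trace.append((event, "reconfigured", target.name))
    return trace
```

The controller works on a copy and commits only after the whole plan has passed, so a refused step leaves the model configuration untouched. On a real platform each primitive has already taken effect by the time a later one is refused, which is why a plan should be validated against the change policy before the first primitive is issued, and why the SK requirement to maintain predictable operation during reconfiguration is listed separately from the primitives themselves.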
CITADEL Project Accomplishments Summary
Integrated Assurance for Certification
• CITADEL has taken critical steps toward enabling the certification of dynamic and adaptive systems
  - Providing certification authorities with a basis for trust in adaptive systems
  - CITADEL takes a principled approach to reconfiguration and adaptation, providing the means to specify and verify dynamic systems
  - CITADEL puts the “Certifier-in-the-Box” for Just-in-Time Certification by providing online mechanisms that keep valid certification assurance artifacts available on demand

Fortifying Cyber Defense: How to Act Now to Protect Global Supply ChainsFortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
 
Cloud Computing Fundamental Course Preview
Cloud Computing Fundamental Course PreviewCloud Computing Fundamental Course Preview
Cloud Computing Fundamental Course Preview
 
5787355.ppt
5787355.ppt5787355.ppt
5787355.ppt
 
Microservices: A Step Towards Modernizing Healthcare Applications
Microservices: A Step Towards Modernizing Healthcare ApplicationsMicroservices: A Step Towards Modernizing Healthcare Applications
Microservices: A Step Towards Modernizing Healthcare Applications
 
Information flow control for secure cloud computing
Information flow control for secure cloud computingInformation flow control for secure cloud computing
Information flow control for secure cloud computing
 

More from RamnGonzlezRuiz2

More from RamnGonzlezRuiz2 (9)

Citadel training on context awareness solution
Citadel training on context awareness solutionCitadel training on context awareness solution
Citadel training on context awareness solution
 
CITADEL configuration and reconfiguration synthesis
CITADEL configuration and reconfiguration synthesisCITADEL configuration and reconfiguration synthesis
CITADEL configuration and reconfiguration synthesis
 
Adaptive MILS Evidential Tool Bus
Adaptive MILS Evidential Tool BusAdaptive MILS Evidential Tool Bus
Adaptive MILS Evidential Tool Bus
 
Configuring monitoring
Configuring monitoringConfiguring monitoring
Configuring monitoring
 
Advanced tech module - state monitoring
Advanced tech module  -  state monitoringAdvanced tech module  -  state monitoring
Advanced tech module - state monitoring
 
State monitoring configuration
State monitoring configurationState monitoring configuration
State monitoring configuration
 
Software Modeling and Verification
Software Modeling and VerificationSoftware Modeling and Verification
Software Modeling and Verification
 
Modeling, Specification and Verification Tools
Modeling, Specification and Verification ToolsModeling, Specification and Verification Tools
Modeling, Specification and Verification Tools
 
Adaptation-Engine traning
Adaptation-Engine traningAdaptation-Engine traning
Adaptation-Engine traning
 

Recently uploaded

RS Khurmi Machine Design Clutch and Brake Exercise Numerical Solutions
RS Khurmi Machine Design Clutch and Brake Exercise Numerical SolutionsRS Khurmi Machine Design Clutch and Brake Exercise Numerical Solutions
RS Khurmi Machine Design Clutch and Brake Exercise Numerical Solutions
Atif Razi
 
Laundry management system project report.pdf
Laundry management system project report.pdfLaundry management system project report.pdf
Laundry management system project report.pdf
Kamal Acharya
 
power quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptxpower quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptx
ViniHema
 
Standard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - NeometrixStandard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - Neometrix
Neometrix_Engineering_Pvt_Ltd
 
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxCFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
R&R Consult
 

Recently uploaded (20)

Introduction to Casting Processes in Manufacturing
Introduction to Casting Processes in ManufacturingIntroduction to Casting Processes in Manufacturing
Introduction to Casting Processes in Manufacturing
 
RS Khurmi Machine Design Clutch and Brake Exercise Numerical Solutions
RS Khurmi Machine Design Clutch and Brake Exercise Numerical SolutionsRS Khurmi Machine Design Clutch and Brake Exercise Numerical Solutions
RS Khurmi Machine Design Clutch and Brake Exercise Numerical Solutions
 
Laundry management system project report.pdf
Laundry management system project report.pdfLaundry management system project report.pdf
Laundry management system project report.pdf
 
power quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptxpower quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptx
 
HYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generationHYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generation
 
Online resume builder management system project report.pdf
Online resume builder management system project report.pdfOnline resume builder management system project report.pdf
Online resume builder management system project report.pdf
 
Standard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - NeometrixStandard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - Neometrix
 
Vaccine management system project report documentation..pdf
Vaccine management system project report documentation..pdfVaccine management system project report documentation..pdf
Vaccine management system project report documentation..pdf
 
Quality defects in TMT Bars, Possible causes and Potential Solutions.
Quality defects in TMT Bars, Possible causes and Potential Solutions.Quality defects in TMT Bars, Possible causes and Potential Solutions.
Quality defects in TMT Bars, Possible causes and Potential Solutions.
 
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxCFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
 
WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234
 
Immunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary AttacksImmunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary Attacks
 
CME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional ElectiveCME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional Elective
 
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
 
fluid mechanics gate notes . gate all pyqs answer
fluid mechanics gate notes . gate all pyqs answerfluid mechanics gate notes . gate all pyqs answer
fluid mechanics gate notes . gate all pyqs answer
 
Explosives Industry manufacturing process.pdf
Explosives Industry manufacturing process.pdfExplosives Industry manufacturing process.pdf
Explosives Industry manufacturing process.pdf
 
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdfWater Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdf
 
İTÜ CAD and Reverse Engineering Workshop
İTÜ CAD and Reverse Engineering WorkshopİTÜ CAD and Reverse Engineering Workshop
İTÜ CAD and Reverse Engineering Workshop
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
 
Top 13 Famous Civil Engineering Scientist
Top 13 Famous Civil Engineering ScientistTop 13 Famous Civil Engineering Scientist
Top 13 Famous Civil Engineering Scientist
 

Introduction to citadel

  • 1. Introduction to CITADEL (The Open Group Training - Context - Introduction to CITADEL)
  • 2. CITADEL Overview: CITADEL Motivation
  • 3. CITADEL Motivation
    - Critical infrastructures rely on complex safety- and security-critical ICT systems operating in unpredictable environments.
    - These systems are trust-needy, but often not trustworthy.
    - Adaptation is needed to cope with naturally occurring events and the malicious activities of hostile agents.
    - Current MILS is trustworthy, but not adaptive.
    - CITADEL is intended to provide an innovative platform technology, methodology and tools for the development, deployment, and certification of adaptive systems.
    - CITADEL is based on MILS, an approach featuring modular construction and compositional assurance, leveraging the advances of previous EC projects.
    - CITADEL should support the certification of Adaptive MILS systems by maintaining an assurance case and its supporting evidence in sync with adaptation.
  • 4. CITADEL Overview: A short history of MILS
  • 5. The Emergence of “MILS”
    - “MILS”, by that name, emerged circa 2000.
      - Originally “MILS” stood for Multiple Independent Levels of Security. In 2007 members of The Open Group’s Real Time and Embedded Systems (RTES) Forum recognized that the expanded acronym was not an accurate characterization* and decided henceforth to regard “MILS” not as an acronym but as a proper name for the architectural approach.
      - MILS was initiated in part upon the recognition that commercial partitioning kernels for avionic safety could be applied to high-assurance security.
      - Strong partitioning (“separation” or “isolation”) provides a basis for the prevention of information flow, upon which “controlled information flow” can be established.
      - This led to the rediscovery of Rushby’s Separation Kernel (SK), from “Design and Verification of Secure Systems” (1981), which became the foundation for MILS.
      - Development of Common Criteria “protection profiles” for partitioning kernels (The Open Group) and for separation kernels (NSA) ensued from 2000 until 2008.
      - Other associated protection profile developments were also undertaken.
    - The Open Group’s Real Time and Embedded Systems (RTES) Forum became the home to an active community of interest in MILS (the “MILS Initiative”).
    * “Multiple levels” is easily confused with multilevel security (MLS), which is a legitimate application of MILS, but the implied ordering of “levels” does not accurately characterize MILS. “Multiple independent domains” would be more accurate, but even the use of “independent” is not generally valid.
  • 6. The Birth of MILS and Its Evolution
    - Seminal work by John Rushby:
      - Study of ongoing secure systems efforts, 1980
      - Design and Verification of Secure Systems (the original Separation Kernel paper), 1981
      - Separability, 1982-1983
      - Non-interference and channel control, 1982-1992
      - Partitioning for security and safety, 1999-2003
      - MILS research at SRI, 2004-2012 (Rushby-DeLong)
    - MILS is born circa 2000 and advanced through its “Eras”:
      - “Classic” MILS Era, 2000-2007, various contributors
      - “Modern” MILS Era, 2008-2012, Rushby-DeLong
      - “Progressive” MILS Era, 2012-Present, DeLong et al.:
        - Distributed MILS (D-MILS project)
        - Dynamic MILS and Adaptive MILS (CITADEL project)
        - Heterogeneous (CPU/GPU/FPGA) MILS Platforms (PHANTOM project)
  • 7. More about the Eras of “MILS”
    - 2000-2007: the Era of “Classic MILS”, during which MILS proliferated
      - The seminal work of Rushby was recognized and built upon.
      - Other contributors included: Vanfleet, Dransfield, Alves-Foss, Harrison, Oman, Taylor, Greve, Wilding, Richards, Uchenick, Millen, Delange, Calloni, Hardin, DeLong, Beckwith.
    - 2004: Rushby at SRI International, who had been working on safety, became engaged with the MILS community.
    - 2004-2012: research on MILS was funded on several projects at SRI International.
    - 2008: Rushby declared the arrival of “Modern MILS”, as the concepts had crystallized.
    - 2008-2012: the Era of “Modern MILS”, in addition to establishing the foundations, spawned the ideas of principled delivery, configuration and initialization, just-in-time MILS certification, as well as distributed, dynamic and adaptive MILS.
    - 2012-2019 and beyond: the Era of “Progressive MILS”, built on Modern MILS results
      - Principled Delivery, Configuration and Initialization of MILS Components and Integrations
      - Distributed MILS: assured scalable distributed deterministic systems
      - Dynamic MILS: assured reconfigurable systems, cloud computing, IoT systems
      - Adaptive MILS: assured critical infrastructures, adaptive and resilient systems
      - Heterogeneous MILS: non-separation-kernel-based MILS platforms (CPU, GPU, FPGA)
      - Mixed-Critical MILS: assured mixed-critical cyber-physical systems
      - Autonomous MILS: assured self-healing, adaptive, and intelligent cyber-physical systems
  • 8. Key characteristics of “Modern MILS”
    - MILS is a component-based approach to secure and dependable systems design and implementation that encourages a marketplace of general-purpose commercial components, leading to lower development cost.
    - MILS is a two-phase approach (John Rushby’s “Modern MILS”):
      - Design a “Policy Architecture”
        - Abstract architecture diagram represented by “boxes and arrows”
        - Operational components and architecture achieve the system purpose
        - Assumes the architecture (components and connectors) will be strictly enforced in the implementation
      - Implement the policy architecture on a robust resource-sharing platform
        - MILS foundational components (FCs) enable sharing of physical resources, creating strongly separated “exported resources”
        - FCs should be individually developed and assured according to standardized specifications
        - FCs compose “additively” to form a distributed trusted sharing substrate, the MILS Platform
    - MILS provides a compositional approach to construction, assurance, and system certification.
  • 9. MILS Policy Architecture (diagram: components C1 to C6, one labelled “Trusted Subject”)
    - Circles represent architectural components (subjects / objects); arrows represent interactions.
    - The architecture diagram expresses an interaction policy among a collection of components.
    - The absence of an arrow is as significant as the presence of one: a component with no arrows (C6 in the diagram) has no interaction with any other.
    - Components are assumed to perform the functions specified by the architect (trusted components enforce a local policy).
    - Suitability of the architecture for some purpose presumes that the architect’s assumptions are met in the implementation of the architecture diagram.
  • 10. MILS Platform: Enables a Straightforward Realization of a Policy Architecture (Architecture Realization; diagram: R1 to R5 over the MILS Platform)
    - The SK, with other MILS foundational components, forms the MILS Platform, allowing operational components to share physical resources while enforcing Isolation and Information Flow Control.
    - Validity of the architecture assumes that the only interactions of the circles (operational components) are through the arrows depicted in the diagram.
  • 11. “Modern MILS” Platform Architecture: a composition of foundational components creating one or more Operational Planes (diagram: Configuration Plane with Configuration Data; Foundational Plane of Separation Kernel ⊕ MFS, MNS, MEA, MCS; Operational Plane P1 to P5)
    - The MILS Platform is an abstraction of the Foundational Plane.
    - The MILS Foundational Plane is the composition of MILS foundational components.
    - The Configuration Plane runs off-line in static MILS.
    - Operational Plane(s) are the operational components of the application policy architecture.
  • 12. CITADEL Overview: The concepts of CITADEL
  • 13. The CITADEL Approach
    - Apply MILS’ Conservative Extension Principle:
      - When adding new capabilities to MILS, do so without sacrificing the ability to provide assurance (modeling and verification of system properties).
    - Build upon static MILS and distributed MILS:
      - Static standalone MILS: simplicity facilitates assurance.
      - Distributed MILS: conservatively extends static standalone MILS to static distributed MILS systems with compositional verification and compositional assurance case automation.
    - CITADEL: conservatively extend MILS for adaptive systems on dynamic and distributed MILS platforms.
      - Dynamic MILS: conservatively extend static and distributed MILS platforms with primitives for dynamic reconfiguration.
      - Enhance modeling and analysis capabilities for dynamism.
      - Add the CITADEL Framework for adaptation: mechanisms for closed-loop control of dynamic reconfiguration of the MILS foundational, operational, and monitoring planes.
      - Add runtime assurance maintenance during adaptation.
  • 14. CITADEL Overview: CITADEL project ambitions
  • 15. Needed characteristics of CITADEL
    - Dependable: a system is developed from a model that is analyzable for needed properties.
    - Reconfigurable: a system configuration can be changed without restarting the system.
    - Deployable: there is a deployment framework and platform for reconfigurable systems.
    - Distributed: a system can be distributed as the applications and environment demand.
    - Scalable: nodes can be numerous to provide needed computing resources.
    - Adaptable: a system can adapt to internal events or environmental change by reconfiguring.
    - Assurable: the ability to have high confidence in the system’s dependability is achieved through design-time analysis and runtime assurance maintenance.
  • 16. CITADEL Technology Objectives
    - Extend the MILS platform and tool chain for dynamic and distributed systems:
      - Similar guarantees to a single static MILS system.
      - Conservatively extend MILS scalability and adaptive capabilities while maintaining “assurability” of platform guarantees.
    - Specific technology objectives of the project:
      - Declarative modelling languages
      - Compositional verification of dynamic architectures
      - Configuration monitor synthesis
      - Assurance cases for dynamic systems
      - Configuration introspection and dynamic reconfiguration primitives
      - Enforcement of configuration change policies
      - Adaptation: accommodate changing conditions
      - Monitoring: sense conditions to trigger adaptation
  • 17. CITADEL Overview: CITADEL architecture
  • 18. CITADEL builds on Distributed MILS*: Policy architecture deployment spanning nodes (diagram: Distributed MILS nodes, each with Node Hardware, a Foundational Plane of SK ⊕ MNS, and Subjects; the D-MILS platform requires a minimum of the SK and MNS foundational components)
    - The Distributed MILS concept originated with the MILS Network System (MNS) Protection Profile work in 2010.
    * European Commission FP7 ICT-2011.1.4 Trustworthy ICT Project #318772, 2012-2015.
  • 19. The MNS exports logically unidirectional “wormholes” that span D-MILS nodes (diagram: D-MILS Node 1 and D-MILS Node 2, each with Node Hardware, a Foundational Plane of SK ⊕ MNS, and Subjects, connected by three wormholes)
    - Relocatable subjects communicate with resources without knowing on what node the resource resides. (A subject that controls a local device on a node is not relocatable.)
    - This example “global information flow policy” defines three inter-node information flows.
  • 20. The Distributed MILS Platform (diagram: Distributed MILS nodes, each SW over HW, with SK ⊕ MNS ⊕ MCS composed additively to form the Exported Resources; a Console for some Apps)
    - Additive compositionality property: e.g., a Partitioning kernel ⊕ Partitioning network system = Partitioning (kernel + network system).
    - MNS = MILS Network System; MCS = MILS Console System.
    - The minimal MILS platform is the SK alone. The Distributed MILS Project (EC FP7) implemented Distributed MILS nodes with an SK and MILS Network System (MNS) using Time-Triggered Ethernet, and one of the D-MILS demonstrators implemented a special-purpose MILS Console System (MCS). CITADEL implements a new MNS using time-sensitive networking (TSN) and with a new SK. An updated version of the D-MILS MCS was developed for CITADEL.
  • 21. CITADEL Framework
    - The CITADEL Framework for adaptive MILS systems adds new subsystems (planes) to the MILS platform.
    - The Configuration Plane of the MILS platform now must run online because (re)configuration occurs at runtime.
    - The Monitoring Plane runs monitoring applications that generate events from virtual sensors deployed in the Foundational Plane and Operational Plane(s).
    - The Adaptation Plane responds to events from the Monitoring Plane, determining a new configuration and commanding the Configuration Plane to reconfigure the Foundational, Monitoring and Operational Planes.
    - The Certification Assurance Plane maintains a current Assurance Case for the reconfigured running system.
    - Some of the verification tools may run online.
  • 22. Planes of the CITADEL Framework (diagram)
    - Foundational Plane: Separation Kernel ⊕ MFS, MNS, MEA, MCS, forming the MILS Platform
    - Operational Plane(s): P1 to P5
    - Monitoring Plane / FW: COMM, STATE and RESOURCE monitors and a Fault Diagnoser (FDI)
    - Adaptation Plane: Target Config
    - Configuration Plane: Config Cmds
    - Certification Assurance Plane: Certification Assurance Artifact
    - Labelled flows: Config Cmds, Exceptions, Introspection, Observations & Events
  • 23. CITADEL Overview: CITADEL project team
  • 24. CITADEL Project Team
    - The Open Group has been home to the MILS Initiative activities since the early 2000s.
    - Many members of the CITADEL project team have worked on previous MILS-based research projects, including D-MILS, EuroMILS, and earlier MILS-defining projects.
    - The project represents considerable expertise in MILS, separation kernels, OSs, networking, system modeling, analysis, verification, safety certification, security evaluation, assurance methods, system integration, and other relevant disciplines.
  • 25. n  The Open Group (UK) n  ATB (DE) n  Technical University of Eindhoven (NL) n  Fondazione Bruno Kessler (IT) n  IK4-IKERLAN (ES) n  Université Grenobles Alpes (FR) n  atsec Information Security (SE) n  Kaspersky Lab (UK) n  OAS (DE) n  SYSGO (DE) n  TTTech (AT) n  J.W. Ostendorf (DE) n  Frequentis (AT) n  UniControls (CZ) n  Q-Media (CZ) Training - Context - Introduction to CITADEL 25 CITADEL Consortium The Open Group
  • 26. CITADEL Requirements Overview Industrial Demonstrators The Open Group Training - Context - Introduction to CITADEL 26
  • 27. n  The deliverables containing industrial demonstrator requirements are not public due to proprietary information. n  The CITADEL technology requirements reflect those aspects of the demonstrator requirements that are to be met or supported by the development partners’ contributions to the CITADEL technology requirements. The technology requirements are summarized in the following section. Industrial Demonstrator Requirements The Open Group Training - Context - Introduction to CITADEL 27
  • 28. CITADEL Requirements Overview Technology Requirements The Open Group Training - Context - Introduction to CITADEL 28
  • 29. n  Modelling Language to enable t  Specification of hierarchical architectures t  Synchronous and async composition t  Specification of implementation as transition system t  Explicit specification of spaces of architecture configurations t  Dynamic activation/deactivation t  Partial and total dynamic reconfiguration t  Effects of faults and failures t  Specification of component and composite properties The Open Group Training - Context - Introduction to CITADEL 29 Operational Plane Support (1)
  • 30. n  Analysis & Verification t Accept parameterized and/or dynamic system models t User interaction with modelling language t Compositional verification of global properties from components t Covers spectrum of relevant properties t Tools provide diagnostic feedback t Also support configuration, adaptation and certification assurance planes The Open Group Training - Context - Introduction to CITADEL 30 Operational Plane Support (2)
  • 31. n  Detection & Diagnosis t Analysis and synthesis of runtime monitors t Diagnosability – determine whether a given fault is diagnosable The Open Group Training - Context - Introduction to CITADEL 31 Operational Plane Support (3)
  • 32. n  MILS Platform t Composition of Foundational Components t Distributed – multiple MILS nodes ●  Separation Kernel and MILS Network System ●  Time-sensitive networking (TSN) t Dynamic – reconfigurable at runtime ●  Extension of foundational components to support dynamic reconfiguration and configuration introspection t Adaptive thru the “CITADEL Framework” ●  Support of monitoring and adaptation planes t Assurance is a priority consideration The Open Group Training - Context - Introduction to CITADEL 32 Foundational Plane (1)
  • 33. n  Separation Kernel t  Configuration interface ●  Allocation of resources to partitions and subjects ●  Subject fine-grained privileges ●  Physical and virtual network interfaces ●  Support for monitoring t  Dynamic reconfiguration interface ●  Modify set of active partitions ●  Exchange/replacement of subjects in partition ●  Dynamically allocate memory within quotas ●  Maintain predictable operation during reconfiguration t  Distributed MILS support ●  MILS Network System support The Open Group Training - Context - Introduction to CITADEL 33 Foundational Plane (2)
  • 34. n  MILS Network System t  Node-qualified resource identifiers t  Inter-node “Wormholes” ●  Virtual point-to-point links among subjects ●  Standardized inter-subject communication ●  “Proxy subjects” for off-node communication t  Single MNS per node managing TSN devices t  Global communications policy enforcement t  Configuration interface supporting initial configuration and reconfiguration n  Time-Sensitive Network (TSN) t  Deterministic real-time communication over Ethernet ensuring bounded max latency t  Global time reference The Open Group Training - Context - Introduction to CITADEL 34 Foundational Plane (3)
  • 35. MILS Node: SK + MNS The Open Group Training - Context - Introduction to CITADEL 35
  • 36. Network of MILS Nodes The Open Group Training - Context - Introduction to CITADEL 36
  • 37. n  Interaction with Adaptation Planes n  Reconfiguration Planner t  “Big Step” and “Small Step” configuration change t  Receive big step direction from Adaptation Plane t  Develop a plan of small steps to achieve big step t  Interact with Foundational Plane through reconfiguration primitives to effect reconfiguration n  Configuration State Controller t  Configuration change agent – privileged to perform primitives and enforce configuration change policies n  Configuration Compiler t  Allocation of resources across distributed system consistent with constraints t  Scheduling coordination t  Platform configuration targeting The Open Group Training - Context - Introduction to CITADEL 37 Configuration Plane Requirements
  • 38. Configuration Plane Components The Open Group Training - Context - Introduction to CITADEL 38
  • 39. Big- and Small-Step Reconfiguration The Open Group Training - Context - Introduction to CITADEL 39
  • 40. n  Monitoring framework t  Communication monitoring t  State monitoring n  Sources of monitoring data n  Monitoring policies and algorithms n  Alerting and reporting mechanisms n  Architecture and compatibility t  Standardized way to construct and deploy monitor applications t  Placement of virtual sensors n  Security and dependability n  Configuration, reconfiguration and adaptivity The Open Group Training - Context - Introduction to CITADEL 40 Monitoring Plane Requirements
  • 41. n  Interactions with other planes t Interaction with Monitoring Plane t Interaction with Configuration Plane t Interaction with Certification Assurance Plane n  Adaptation within Configuration Transition System of architecture model n  Context (situation) awareness n  Abstract reconfiguration plan n  Reconfiguration logging The Open Group Training - Context - Introduction to CITADEL 41 Adaptation Plane Requirements
  • 42. Adaptation Plane Interactions The Open Group Training - Context - Introduction to CITADEL 42 Cert. Assurance Plane Operational plane Plant FDIR Sensors Actuators Monitoring plane Adaptation plane Architecture Reconfiguration Planner Property- based monitors Anomaly detection Context Extractor User notification and feedback Reconfiguration plane Platform Reconfiguration Planner Architecture Reconfiguration Logger Architecture Configuration Identification Foundational plane Configuration Change Controller Parametrized architecture AM-ETB User defined plan/ Pluggable strategies Design and Verification Tools Properties Reconfig. constraints Rule-based Architecture Reconfiguration
  • 43. Certification Assurance Plane Requirements
    - Infrastructure, techniques, and tools for certification of Adaptive MILS systems
    - Assurance case work builds on D-MILS
      - Extend for reconfigurable/adaptive systems
      - Adaptive-MILS Evidential Tool Bus (AM-ETB)
        - Provide mechanisms to build the assurance case automatically in the running dynamic system
        - Pattern-based AC construction
        - Construct the Certification Assurance Artifact
  • 44. Certification Assurance Plane Components
    [Diagram. Labels: Assurance Case; Top Goals/Props; Platf Arg(s); Comp’t Arg(s); Compos’n Arg(s); Sub-Goals/Props; Provenance of Evidence; Config’n Correctness Arg(s); Conformance Property Evidence; Certification Assurance Artifact Repository; AM-ETB; Verification Tools; Models; Props; Configs; A.C. Patterns; Tool Flows]
  • 45. CITADEL Project Accomplishments Summary: Modeling and verification tools
  • 46. Modeling and Verification Tools (1)
    - Modeling language
      - CITADEL developed extensions for dynamically reconfigurable systems to the previously successful SLIM modeling language, which was derived from AADL and extended for MILS in D-MILS
      - The annotation language permits expression of properties of the architecture and components
      - Dynamic architecture description based on parameterized architectures to specify the configuration space
      - Augmented with a configuration transition system to express permitted configuration changes
  • 47. Modeling and Verification Tools (2)
    - Verification tools
      - Previously, D-MILS models represented static architectures
      - CITADEL pushes the frontier of formal verification for dynamic systems by extending to four analysis domains, resulting from
        - Static vs dynamic architecture
        - Finite vs infinite instantiation
      - Some of the extensions can be addressed by reducing to D-MILS with minor extensions
      - Infinite instantiation domains required new techniques and tools to be developed for CITADEL, including runtime verification
  • 48. Modeling and Verification Tools (2)
    The four analysis domains:
    - (1) Static architecture, finite instantiation: a finite set of models. Can be statically analyzed by D-MILS technology (+ iteration).
    - (2) Dynamic architecture, finite instantiation: one model with finitely many reconfigurations. Can be statically analyzed by reducing to D-MILS extended with modes.
    - (3) Static architecture, infinite instantiation: an infinite set of models. New techniques and tools for static analysis are under development in CITADEL.
    - (4) Dynamic architecture, infinite instantiation: one model with infinitely many reconfigurations. Can be analyzed for a bounded reconfiguration horizon by reducing to D-MILS extended with modes (this is useful at CITADEL runtime).
  • 49. CITADEL Project Accomplishments Summary: Dynamic MILS platform
  • 50. Dynamic MILS Platform
    - A static MILS platform, that is, its foundational components, may be configured with off-line tools; its configuration does not change at runtime.
    - The dynamic MILS platform requires each of its foundational components to support runtime dynamic configuration change by providing configuration change primitives.
    - CITADEL accomplished this with dynamic configuration extensions to the Separation Kernel, the MILS Networking System, and the Time-Sensitive Networking devices.
      - Enables changes to subjects, connections, and schedules
      - Enables time synchronization across the network to assure that node schedules remain in sync
  • 51. CITADEL Project Accomplishments Summary: CITADEL framework for adaptive systems
  • 52. Framework for adaptive systems
    - CITADEL developed a standardized MILS-based architectural framework for adaptive MILS systems
    - The framework addresses two aspects of adaptation
      - The maintenance of critical system properties through integrated monitoring, adaptation, and reconfiguration
      - The maintenance of certification assurance as the dynamic system is adapted to operating conditions
  • 53. CITADEL Project Accomplishments Summary: Integrated Monitoring, Adaptation and Reconfiguration
  • 54. Integrated Monitoring, Adaptation and Reconfiguration
    - The CITADEL framework embodies a closed control loop paradigm
      - Basically, the framework attempts to maintain the specified properties of the system by controlling the configuration
      - The system configuration is the control variable
      - The sensors of specified or synthesized monitors in the Monitoring Plane provide feedback on the conditions affecting the properties
      - The Adaptation Plane embodies the control laws, determining the need for and commanding configuration change
      - The Configuration Plane is the actuator for configuration changes
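The closed control loop of slide 54 and the big-step/small-step planning of slide 37, as an added toy model that is not CITADEL project code: monitor verdicts feed a control law that picks a big-step target from a configuration transition system, a planner decomposes it into primitives, and a state controller applies them under a change policy and logs them. Config, CONFIGS, TRANSITIONS, plan_small_steps and apply_step are constructed stand-ins for the planes' components, with two made-up configurations.

```python
"""Toy closed-loop reconfiguration in the style of the CITADEL planes above:
Monitoring Plane verdicts drive an Adaptation Plane control law that picks a
big-step target from a configuration transition system; a planner turns it into
small steps (primitives) that a state controller applies, checks and logs.
Constructed example, not CITADEL project code."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Config:
    subjects: frozenset     # subjects hosted by the separation kernel
    connections: frozenset  # permitted (src, dst) information flows

# Constructed configuration space: DEGRADED isolates the gateway after an anomaly.
CONFIGS = {
    "normal": Config(frozenset({"ctrl", "gw", "log"}),
                     frozenset({("gw", "ctrl"), ("ctrl", "log")})),
    "degraded": Config(frozenset({"ctrl", "log"}), frozenset({("ctrl", "log")})),
}
TRANSITIONS = {("normal", "degraded"), ("degraded", "normal")}  # permitted big steps

def adaptation_plane(current, verdicts):
    """Control law: a violated property selects 'degraded', else 'normal'; unlisted big steps refused."""
    target = "normal" if all(verdicts.values()) else "degraded"
    if target != current and (current, target) not in TRANSITIONS:
        raise ValueError(f"big step {current}->{target} not permitted")
    return target

def plan_small_steps(src, dst):
    """Planner: drop flows before subjects, add subjects before flows, so every intermediate config is well-formed."""
    return ([("del_conn", c) for c in sorted(src.connections - dst.connections)]
            + [("del_subj", s) for s in sorted(src.subjects - dst.subjects)]
            + [("add_subj", s) for s in sorted(dst.subjects - src.subjects)]
            + [("add_conn", c) for c in sorted(dst.connections - src.connections)])

def apply_step(cfg, step):
    """Configuration State Controller: sole agent privileged to run primitives;
    rejects any primitive that would leave a flow without a running endpoint."""
    op, arg = step
    subj, conn = set(cfg.subjects), set(cfg.connections)
    if op == "add_conn" and not set(arg) <= subj:
        raise PermissionError(f"flow {arg} references an absent subject")
    if op == "del_subj" and any(arg in c for c in conn):
        raise PermissionError(f"subject {arg} still has flows")
    {"add_conn": conn.add, "del_conn": conn.discard,
     "add_subj": subj.add, "del_subj": subj.discard}[op](arg)
    return Config(frozenset(subj), frozenset(conn))

def control_loop(current, verdicts):
    """One loop iteration: returns (target name, reached Config, reconfiguration log)."""
    target, cfg, log = adaptation_plane(current, verdicts), CONFIGS[current], []
    for step in plan_small_steps(cfg, CONFIGS[target]):
        cfg = apply_step(cfg, step)
        log.append(step)  # reconfiguration logging, input to the assurance case
    return target, cfg, log
```

Calling control_loop("normal", {"latency_ok": False}) drops the gateway flow before the gateway subject, while a direct del_subj on "gw" in the normal configuration is refused by the controller.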
  • 55. CITADEL Project Accomplishments Summary: Integrated Assurance for Certification
  • 56. Integrated assurance for certification
    - CITADEL has taken critical steps toward enabling the certification of dynamic and adaptive systems
      - Providing to certification authorities a basis for trust in adaptive systems
      - CITADEL takes a principled approach to reconfiguration and adaptation, providing the means to specify and verify dynamic systems
      - CITADEL puts the Certifier-in-the-Box for Just-in-Time Certification by providing online mechanisms to maintain valid certification assurance artifacts available on-demand