The document provides an introduction to CITADEL, which aims to develop an innovative platform for adaptive systems based on the Multiple Independent Levels of Security (MILS) architectural approach. CITADEL builds upon previous research in static and distributed MILS and aims to extend MILS to support dynamic and distributed adaptive systems while maintaining assurability through design-time analysis and runtime assurance. The CITADEL framework adds new planes such as monitoring, adaptation, and certification assurance to the MILS platform to enable closed-loop control of dynamic reconfiguration. The project team for CITADEL includes experts in MILS, separation kernels, and other relevant areas from previous MILS research projects.
3. CITADEL Motivation
• Critical infrastructures rely on complex safety- and security-critical ICT systems operating in unpredictable environments.
• These systems are trust-needy, but often not trustworthy.
• Adaptation is needed to cope with naturally occurring events and malicious activities of hostile agents.
• Current MILS is trustworthy, but not adaptive.
• CITADEL is intended to provide an innovative platform technology, methodology and tools for development, deployment, and certification of adaptive systems.
• CITADEL is based on MILS, an approach featuring modular construction and compositional assurance, leveraging the advances of previous EC projects.
• CITADEL should support the certification of Adaptive MILS systems by maintaining an assurance case and its supporting evidence in sync with adaptation.
The Open Group Training - Context - Introduction to CITADEL 3
4. CITADEL Overview
A short history of MILS
5. The Emergence of “MILS”
• “MILS”, by that name, emerged circa 2000
  - Originally “MILS” stood for Multiple Independent Levels of Security. In 2007 members of The Open Group’s Real Time and Embedded Systems (RTES) Forum recognized that the expanded acronym was not an accurate characterization* and took a decision to henceforth regard “MILS” not as an acronym but as a proper name for the architectural approach.
  - MILS was initiated in part upon a recognition that commercial partitioning kernels for avionic safety could be applied to high assurance security.
  - Strong partitioning (“separation” or “isolation”) provides a basis for the prevention of information flow, upon which “controlled information flow” can be established.
  - This led to the rediscovery of Rushby’s Separation Kernel (SK), in the Design and Verification of Secure Systems (1981), to become the foundation for MILS.
  - Development of Common Criteria “protection profiles” for partitioning kernels (The Open Group) and for separation kernels (NSA) ensued from 2000 until 2008.
  - Other associated protection profile developments were also undertaken.
• The Open Group’s Real Time and Embedded Systems (RTES) Forum became the home to an active community of interest in MILS (the “MILS Initiative”).
* “multiple levels” is easily confused with multilevel security (MLS), which is a legitimate application of MILS, but the implied ordering of “levels” does not accurately characterize MILS. “Multiple independent domains” would be more accurate, but even the use of “independent” is not generally valid.
6. The Birth of MILS and Its Evolution
• Seminal work by John Rushby
  - Study of ongoing secure systems efforts, 1980
  - Design and Verification of Secure Systems (original Separation Kernel paper), 1981
  - Separability, 1982-1983
  - Non-interference and channel control, 1982-1992
  - Partitioning for security and safety, 1999-2003
  - MILS research at SRI, 2004-2012, Rushby-DeLong
• MILS is born circa 2000 and advanced through its “Eras”
  - “Classic” MILS Era, 2000-2007, various contributors
  - “Modern” MILS Era, 2008-2012, Rushby-DeLong
  - “Progressive” MILS Era, 2012-Present, DeLong et al.:
    ● Distributed MILS (D-MILS project)
    ● Dynamic MILS and Adaptive MILS (CITADEL project)
    ● Heterogeneous (CPU/GPU/FPGA) MILS Platforms (PHANTOM project)
7. More about the Eras of “MILS”
• 2000-2007 – This is the Era of “Classic MILS”, during which MILS proliferated
  - The seminal work of Rushby was recognized and built upon
  - Other contributors included: Vanfleet, Dransfield, Alves-Foss, Harrison, Oman, Taylor, Greeve, Wilding, Richards, Uchenick, Millen, Delange, Calloni, Hardin, DeLong, Beckwith
• 2004 – Rushby at SRI International, who had been working on safety, now became engaged with the MILS community
• 2004-2012 – Research on MILS was funded on several projects at SRI International
• 2008 – Rushby declared the arrival of “Modern MILS” as the concepts had crystallized
• 2008-2012 – The Era of “Modern MILS”, in addition to establishing the foundations, spawned the ideas of principled delivery, configuration & initialization, just-in-time MILS certification, as well as distributed, dynamic & adaptive MILS
• 2012-2019 and beyond – the Era of “Progressive MILS”, built on Modern MILS results
  - Principled Delivery, Configuration and Initialization of MILS Components & Integrations
  - Distributed MILS – assured scalable distributed deterministic systems
  - Dynamic MILS – assured reconfigurable systems, cloud computing, IoT systems
  - Adaptive MILS – assured critical infrastructures, adaptive & resilient systems
  - Heterogeneous MILS – non-separation-kernel-based MILS platforms (CPU, GPU, FPGA)
  - Mixed-Critical MILS – assured mixed-critical cyber-physical systems
  - Autonomous MILS – assured self-healing, adaptive, and intelligent cyber-physical systems
8. Key characteristics of “Modern MILS”
• MILS is a component-based approach to secure and dependable systems design and implementation that encourages a marketplace of general-purpose commercial components, leading to lower development cost
• MILS is a two-phase approach (John Rushby’s “Modern MILS”):
  - Design a “Policy Architecture”
    ● Abstract architecture diagram represented by “boxes and arrows”
    ● Operational components and architecture achieve system purpose
    ● Assumes the architecture (components and connectors) will be strictly enforced in the implementation
  - Implement the policy architecture on a robust resource-sharing platform
    ● MILS foundational components (FCs) enable sharing of physical resources, creating strongly separated “exported resources”
    ● FCs should be individually developed and assured according to standardized specifications
    ● FCs compose “additively” to form a distributed trusted sharing substrate, the MILS Platform
• MILS provides a compositional approach to construction, assurance, and system certification
9. MILS Policy Architecture
[Figure: a policy architecture diagram. Components C1 to C6 are drawn as circles (one of them labelled “Trusted Subject”) joined by arrows; one circle stands alone with no arrows. Callouts from the figure:]
• Circles represent architectural components (subjects / objects)
• Arrows represent interactions
• The absence of an arrow is as significant as the presence of one
• On the isolated circle: this component has no interaction with any other
• Components are assumed to perform the functions specified by the architect (trusted components enforce a local policy)
• The architecture diagram expresses an interaction policy among a collection of components
• Suitability of the architecture for some purpose presumes that the architect’s assumptions are met in the implementation of the architecture diagram.
10. MILS Platform – Enables a Straightforward Realization of a Policy Architecture
[Figure: two panels, “Architecture” (the policy architecture diagram of the previous slide) and “Realization” (the same components hosted on the MILS Platform as exported resources R1 to R5).]
• SK, with other MILS foundational components, forms the MILS Platform, allowing operational components to share physical resources while enforcing Isolation and Information Flow Control
• Validity of the architecture assumes that the only interactions of the circles (operational components) are through the arrows depicted in the diagram
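The rule stated on these two slides, that an arrow is the only permitted interaction and that a missing arrow is a prohibition, can be checked mechanically against a platform configuration. The Python below is an added example, not code from the CITADEL project or the slides; the slides show components C1 to C6 but do not list their arrows, so the arrow set here is constructed for illustration.

```python
"""Policy architecture conformance check.

Added example, not code from the CITADEL slides or project. A policy
architecture is an interaction policy: an arrow is the only permission, and
the absence of an arrow is a prohibition. The slide names components C1 to
C6 but does not list the arrows, so the arrows below are constructed.
"""
from collections import deque

# Constructed sample policy: each pair is one arrow (src -> dst).
# C6 is deliberately left without arrows: it must not interact with anything.
POLICY_COMPONENTS = {"C1", "C2", "C3", "C4", "C5", "C6"}
POLICY_ARROWS = {
    ("C1", "C2"),
    ("C2", "C3"),  # C3 stands in for the trusted subject mediating C2 -> C4
    ("C3", "C4"),
    ("C4", "C5"),
}


def check_realization(components, arrows, realized_channels):
    """Return the realized channels that the policy architecture does not permit.

    `realized_channels` holds the (src, dst) interactions the platform
    configuration actually enables, e.g. separation kernel inter-partition
    channels or MNS wormholes. Channels are unidirectional, so (a, b) and
    (b, a) are distinct. Anything that is not an arrow, including a channel
    to an unknown component or to an isolated one, is a violation.
    """
    return {
        (src, dst)
        for src, dst in realized_channels
        if src not in components or dst not in components or (src, dst) not in arrows
    }


def isolated_components(components, arrows):
    """Components drawn with no arrows at all (no permitted interaction)."""
    touched = {end for arrow in arrows for end in arrow}
    return set(components) - touched


def may_influence(arrows, src, dst):
    """Transitive information flow implied by the arrows: can src reach dst?

    This is what a reviewer reads off the diagram: the flows the policy
    permits end to end, not only the direct ones.
    """
    succ = {}
    for a, b in arrows:
        succ.setdefault(a, set()).add(b)
    seen, todo = {src}, deque([src])
    while todo:
        for nxt in succ.get(todo.popleft(), ()):
            if nxt == dst:
                return True
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return False


def flow_closure(components, arrows):
    """All (src, dst) pairs with a permitted end-to-end flow; useful to confirm
    that no flow exists into or out of an isolated component."""
    return {(a, b) for a in components for b in components
            if a != b and may_influence(arrows, a, b)}
```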
11. “Modern MILS” Platform Architecture – a composition of foundational components creating one or more Operational Planes
[Figure: layered diagram. Foundational Plane: Separation Kernel ⊕ the other foundational components MFS, MNS, MEA and MCS, together labelled “MILS Platform”. Configuration Plane: Configuration Data supplied to the foundational components. Operational Plane: partitions P1 to P5.]
• The MILS Platform is an abstraction of the Foundational Plane
• The MILS Foundational Plane is the composition of MILS foundational components
• The Configuration Plane runs off-line in static MILS
• Operational Plane(s) are operational components of the app policy architecture
13. The CITADEL Approach
• Apply MILS’ Conservative Extension Principle:
  - When adding new capabilities to MILS, do so without sacrificing the ability to provide assurance (modeling and verification of system properties)
• Build upon static MILS and distributed MILS
  - Static standalone MILS – simplicity facilitates assurance
  - Distributed MILS – conservatively extends static standalone MILS to static distributed MILS systems with compositional verification and compositional assurance case automation
• CITADEL – Conservatively extend MILS for adaptive systems on dynamic and distributed MILS platforms
  - Dynamic MILS – conservatively extend static and distributed MILS platforms with primitives for dynamic reconfiguration
  - Enhance modeling and analysis capabilities for dynamism
  - Add CITADEL Framework for adaptation – mechanisms for closed-loop control of dynamic reconfiguration of MILS foundational, operational, and monitoring planes
  - Add runtime assurance maintenance during adaptation
15. Needed characteristics of CITADEL
• Dependable – A system is developed from a model that is analyzable for needed properties
• Reconfigurable – A system configuration can be changed without restarting the system
• Deployable – There is a deployment framework and platform for reconfigurable systems
• Distributed – A system can be distributed as the applications and environment demand
• Scalable – Nodes can be numerous to provide needed computing resources
• Adaptable – A system can adapt to internal events or environmental change by reconfiguring
• Assurable – The ability to have high confidence in the system’s dependability is achieved through design-time analysis and runtime assurance maintenance
16. CITADEL Technology Objectives
• Extend MILS platform and tool chain for dynamic and distributed systems
  - Similar guarantees to single static MILS system
  - Conservatively extend MILS scalability and adaptive capabilities while maintaining “assurability” of platform guarantees
• Specific technology objectives of the project
  - Declarative modelling languages
  - Compositional verification of dynamic architectures
  - Configuration monitor synthesis
  - Assurance cases for dynamic systems
  - Configuration introspection and dynamic reconfiguration primitives
  - Enforce configuration change policies
  - Adaptation – accommodate changing conditions
  - Monitoring – sense conditions to trigger adaptation
18. CITADEL builds on Distributed MILS*: Policy architecture deployment spanning nodes
[Figure: several Distributed MILS nodes, each Node Hardware running SK ⊕ MNS with Subjects above; the per-node Foundational Planes combine (“Foundational Plane+ →”) into one D-MILS platform hosting the subjects of a policy architecture across nodes.]
• Distributed MILS nodes: minimum of SK and MNS foundational components
• Distributed MILS concept originated with the MILS Network System (MNS) Protection Profile work in 2010
* European Commission FP7 ICT-2011.1.4 Trustworthy ICT, Project #318772, 2012 – 2015
19. The MNS exports logically unidirectional “wormholes” that span D-MILS nodes
[Figure: D-MILS Node 1 and D-MILS Node 2, each Node Hardware running SK ⊕ MNS (Foundational Plane) with Subjects above; three Wormholes join subjects across the two nodes.]
• Relocatable subjects communicate with resources without knowing on what node the resource resides. (A subject that controls a local device on a node is not relocatable.)
• This example “global information flow policy” defines three inter-node information flows.
20. The Distributed MILS Platform
[Figure: Distributed MILS nodes, each a SW layer over HW; the foundational components SK ⊕ MNS ⊕ MCS compose additively into the platform’s Exported Resources, with a Console for some Apps. Legend: ⊕ = Additive Composition; MNS = MILS Network System; MCS = MILS Console System.]
• Additive compositionality property – e.g., Partitioning kernel ⊕ Partitioning network system = Partitioning (kernel + network system)
• The minimal MILS platform is SK alone.
• The Distributed MILS Project (EC FP7) implemented Distributed MILS nodes with SK and MILS Network System (MNS) using Time-Triggered Ethernet, and one of the D-MILS demonstrators implemented a special-purpose MILS Console System (MCS).
• CITADEL implements a new MNS using time-sensitive networking (TSN) and with a new SK.
• An updated version of the D-MILS MCS was developed for CITADEL.
21. CITADEL Framework
• The CITADEL Framework for adaptive MILS systems adds new subsystems (planes) to the MILS platform
• The Configuration Plane of the MILS platform now must run online because (re)configuration occurs at runtime
• The Monitoring Plane runs monitoring applications that generate events from virtual sensors deployed in the Foundational Plane and Operational Plane(s)
• The Adaptation Plane responds to events from the Monitoring Plane, determining a new configuration and commanding the Configuration Plane to reconfigure the Foundational, Monitoring and Operational Planes
• The Certification Assurance Plane maintains a current Assurance Case for the reconfigured running system
• Some of the verification tools may run online
22. Planes of the CITADEL Framework
[Figure: the planes of the CITADEL Framework. The MILS Platform (Foundational Plane: Separation Kernel ⊕ MFS, MNS, MEA, MCS) hosts the Operational Plane(s) (partitions P1 to P5) and a Monitoring Plane / FW containing a Fault Diagnoser with COMM, STATE and RESOURCE monitors. Arrow labels between planes: Target Config (Adaptation Plane to Configuration Plane); Config Cmds (Configuration Plane to the Foundational, Operational and Monitoring Planes); Exceptions and Introspection (back from the planes); FDI Observations & Events (Monitoring Plane to Adaptation Plane); Certification Assurance Artifact.]
24. CITADEL Project Team
• The Open Group has been home to the MILS Initiative activities since the early 2000s
• Many members of the CITADEL project team have worked on previous MILS-based research projects, including D-MILS, EuroMILS, and earlier MILS-defining projects.
• The project represents considerable expertise in MILS, separation kernels, OSs, networking, system modeling, analysis, verification, safety certification, security evaluation, assurance methods, system integration, and other relevant disciplines.
25. CITADEL Consortium
• The Open Group (UK)
• ATB (DE)
• Technical University of Eindhoven (NL)
• Fondazione Bruno Kessler (IT)
• IK4-IKERLAN (ES)
• Université Grenoble Alpes (FR)
• atsec Information Security (SE)
• Kaspersky Lab (UK)
• OAS (DE)
• SYSGO (DE)
• TTTech (AT)
• J.W. Ostendorf (DE)
• Frequentis (AT)
• UniControls (CZ)
• Q-Media (CZ)
27. Industrial Demonstrator Requirements
• The deliverables containing industrial demonstrator requirements are not public due to proprietary information.
• The CITADEL technology requirements reflect those aspects of the demonstrator requirements that are to be met or supported by the development partners’ contributions to the CITADEL technology requirements. The technology requirements are summarized in the following section.
29. Operational Plane Support (1)
• Modelling Language to enable
  - Specification of hierarchical architectures
  - Synchronous and asynchronous composition
  - Specification of implementation as transition system
  - Explicit specification of spaces of architecture configurations
  - Dynamic activation/deactivation
  - Partial and total dynamic reconfiguration
  - Effects of faults and failures
  - Specification of component and composite properties
30. Operational Plane Support (2)
• Analysis & Verification
  - Accept parameterized and/or dynamic system models
  - User interaction with modelling language
  - Compositional verification of global properties from components
  - Covers spectrum of relevant properties
  - Tools provide diagnostic feedback
  - Also support configuration, adaptation and certification assurance planes
31. Operational Plane Support (3)
• Detection & Diagnosis
  - Analysis and synthesis of runtime monitors
  - Diagnosability – determine whether a given fault is diagnosable
32. Foundational Plane (1)
• MILS Platform
  - Composition of Foundational Components
  - Distributed – multiple MILS nodes
    ● Separation Kernel and MILS Network System
    ● Time-sensitive networking (TSN)
  - Dynamic – reconfigurable at runtime
    ● Extension of foundational components to support dynamic reconfiguration and configuration introspection
  - Adaptive through the “CITADEL Framework”
    ● Support of monitoring and adaptation planes
  - Assurance is a priority consideration
33. Foundational Plane (2)
• Separation Kernel
  - Configuration interface
    ● Allocation of resources to partitions and subjects
    ● Subject fine-grained privileges
    ● Physical and virtual network interfaces
    ● Support for monitoring
  - Dynamic reconfiguration interface
    ● Modify set of active partitions
    ● Exchange/replacement of subjects in partition
    ● Dynamically allocate memory within quotas
    ● Maintain predictable operation during reconfiguration
  - Distributed MILS support
    ● MILS Network System support
34. Foundational Plane (3)
• MILS Network System
  - Node-qualified resource identifiers
  - Inter-node “Wormholes”
    ● Virtual point-to-point links among subjects
    ● Standardized inter-subject communication
    ● “Proxy subjects” for off-node communication
  - Single MNS per node managing TSN devices
  - Global communications policy enforcement
  - Configuration interface supporting initial configuration and reconfiguration
• Time-Sensitive Network (TSN)
  - Deterministic real-time communication over Ethernet ensuring bounded max latency
  - Global time reference
35. MILS Node: SK + MNS
36. Network of MILS Nodes
37. Configuration Plane Requirements
• Interaction with Adaptation Planes
• Reconfiguration Planner
  - “Big Step” and “Small Step” configuration change
  - Receive big step direction from Adaptation Plane
  - Develop a plan of small steps to achieve big step
  - Interact with Foundational Plane through reconfiguration primitives to effect reconfiguration
• Configuration State Controller
  - Configuration change agent – privileged to perform primitives and enforce configuration change policies
• Configuration Compiler
  - Allocation of resources across distributed system consistent with constraints
  - Scheduling coordination
  - Platform configuration targeting
39. Big- and Small-Step Reconfiguration
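As an added illustration of the Reconfiguration Planner and Configuration State Controller of slide 37 (example code, not the CITADEL project’s), the Python below expands one big step into an ordered list of small steps and has the controller refuse any primitive that would break the change policy. The configuration model, the global flow policy and the partition quotas are assumptions made for the example.

```python
"""Big step to small steps, with a policy-enforcing change controller.

Added example, not CITADEL project code. It assumes a simplified platform
configuration: active subjects, each in a partition, plus unidirectional
connections (wormholes) between them; policy and quotas are constructed.
"""
from dataclasses import dataclass

@dataclass
class Config:
    placement: dict         # subject -> partition, active subjects only
    connections: frozenset  # (src, dst) pairs; both endpoints must be active

def plan_small_steps(current, target):
    """Reconfiguration Planner: expand one big step into ordered primitives.

    Removals go connection-first and additions subject-first, so no step leaves
    a connection referencing an inactive subject. A subject whose partition
    changes is replaced (deactivate, then activate) with its connections rebuilt.
    """
    moved = sorted(s for s in current.placement if s in target.placement
                   and current.placement[s] != target.placement[s])
    touches = lambda c: c[0] in moved or c[1] in moved
    drop = {c for c in current.connections if c not in target.connections or touches(c)}
    add = {c for c in target.connections if c not in current.connections or touches(c)}
    gone = sorted(set(current.placement) - set(target.placement))
    new = sorted(set(target.placement) - set(current.placement))
    steps = [("disconnect", c) for c in sorted(drop)]
    steps += [("deactivate", s) for s in gone + moved]
    steps += [("activate", (s, target.placement[s])) for s in new + moved]
    steps += [("connect", c) for c in sorted(add)]
    return steps

class ConfigStateController:
    """Sole holder of the primitives; enforces configuration change policies."""

    def __init__(self, config, flow_policy, quotas):
        self.config = Config(dict(config.placement), frozenset(config.connections))
        self.flow_policy = flow_policy  # permitted (src, dst) pairs, system-wide
        self.quotas = quotas            # partition -> max active subjects
        self.log = []                   # reconfiguration log

    def check(self, step):
        """None if the step is permitted in the current state, else the reason."""
        kind, arg = step
        placement, conns = self.config.placement, self.config.connections
        if kind == "disconnect":
            return None if arg in conns else "no such connection"
        if kind == "deactivate":
            if arg not in placement:
                return "subject not active"
            return "subject still connected" if any(arg in c for c in conns) else None
        if kind == "activate":
            in_use = sum(1 for p in placement.values() if p == arg[1])
            return "partition quota exhausted" if in_use >= self.quotas.get(arg[1], 0) else None
        if kind == "connect":
            if arg not in self.flow_policy:
                return "connection outside global flow policy"
            return None if arg[0] in placement and arg[1] in placement else "endpoint not active"
        return "unknown primitive"

    def apply(self, step):
        reason = self.check(step)
        if reason is not None:
            raise PermissionError(f"{step}: {reason}")
        kind, arg = step
        placement, conns = dict(self.config.placement), set(self.config.connections)
        if kind == "disconnect":
            conns.discard(arg)
        elif kind == "deactivate":
            placement.pop(arg)
        elif kind == "activate":
            placement[arg[0]] = arg[1]
        else:
            conns.add(arg)
        self.config = Config(placement, frozenset(conns))
        self.log.append(step)

    def execute_plan(self, steps):
        for step in steps:
            self.apply(step)
        return self.config
```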
40. Monitoring Plane Requirements
• Monitoring framework
  - Communication monitoring
  - State monitoring
• Sources of monitoring data
• Monitoring policies and algorithms
• Alerting and reporting mechanisms
• Architecture and compatibility
  - Standardized way to construct and deploy monitor applications
  - Placement of virtual sensors
• Security and dependability
• Configuration, reconfiguration and adaptivity
41. Adaptation Plane Requirements
• Interactions with other planes
  - Interaction with Monitoring Plane
  - Interaction with Configuration Plane
  - Interaction with Certification Assurance Plane
• Adaptation within Configuration Transition System of architecture model
• Context (situation) awareness
• Abstract reconfiguration plan
• Reconfiguration logging
42. Adaptation Plane Interactions
[Figure: block diagram of the interactions among planes. Planes shown: Operational plane (Plant, Sensors, Actuators, FDIR), Monitoring plane, Adaptation plane, Reconfiguration plane, Foundational plane (Configuration Change Controller), Cert. Assurance Plane (AM-ETB). Other blocks shown: Architecture Reconfiguration Planner, Property-based monitors, Anomaly detection, Context Extractor, User notification and feedback, Platform Reconfiguration Planner, Architecture Reconfiguration Logger, Architecture Configuration Identification, Rule-based Architecture Reconfiguration, User defined plan / Pluggable strategies; inputs from the Design and Verification Tools are the Parametrized architecture, Properties and Reconfig. constraints.]
43. Certification Assurance Plane Requirements
• Infrastructure, techniques, and tools for certification of Adaptive MILS systems
• Assurance case work builds on D-MILS
  - Extend for reconfigurable/adaptive systems
  - Adaptive-MILS Evidential Tool Bus (AM-ETB)
    ● Provide mechanisms to build assurance case automatically in running dynamic system
    ● Pattern-based AC construction
    ● Construct Certification Assurance Artifact
44. Certification Assurance Plane Components
[Figure: an Assurance Case whose Top Goals/Props are decomposed into Sub-Goals/Props through Platform Argument(s), Component Argument(s), Composition Argument(s) and Configuration Correctness Argument(s), down to Conformance Property Evidence with Provenance of Evidence. The AM-ETB runs Verification Tools over Models, Props and Configs, guided by A.C. Patterns and Tool Flows, and stores the results in the Certification Assurance Artifact Repository.]
46. Modeling and Verification Tools (1)
• Modeling language
  - CITADEL developed extensions for dynamically reconfigurable systems to the previously successful SLIM modeling language, derived from AADL and extended for MILS in D-MILS
  - Annotation language permits expression of properties of the architecture and components
  - Dynamic architecture description based on parameterized architectures to specify the configuration space
  - Augmented with a configuration transition system to express permitted configuration changes
47. Modeling and Verification Tools (2)
• Verification tools
  - Previously, D-MILS models represented static architectures
  - CITADEL pushes the frontier of formal verification for dynamic systems by extending to four analysis domains, resulting from
    ● Static vs dynamic architecture
    ● Finite vs infinite instantiation
  - Some of the extensions can be addressed by reducing to D-MILS with minor extensions
  - Infinite instantiation domains required new techniques and tools to be developed for CITADEL, including runtime verification
48. Modeling and Verification Tools (2)
[Table: the four analysis domains]
                      | Finite instantiation                          | Infinite instantiation
Static architecture   | (1) Finite set of models                       | (2) Infinite set of models
Dynamic architecture  | (3) One model with finitely many               | (4) One model with infinitely many
                      |     reconfigurations                           |     reconfigurations
(1) Can be statically analyzed by D-MILS technology (+ iteration)
(2) New techniques and tools for static analysis are under development in CITADEL
(3) Can be statically analyzed by reducing to D-MILS extended with modes
(4) Can be analyzed for a bounded reconfiguration horizon by reducing to D-MILS extended with modes (this is useful at CITADEL runtime)
50. Dynamic MILS Platform
• A static MILS platform, that is its foundational components, may be configured with off-line tools and its configuration does not change at runtime.
• The dynamic MILS platform requires each of its foundational components to support runtime dynamic configuration change by providing configuration change primitives.
• CITADEL accomplished this with dynamic configuration extensions to the Separation Kernel, the MILS Networking System, and the Time-Sensitive Networking devices.
  - Enables changes to subjects, connections, and schedules
  - Enables time synchronization across the network to assure that node schedules remain in sync
52. Framework for adaptive systems
• CITADEL developed a standardized MILS-based architectural framework for adaptive MILS systems
• The framework addresses two aspects of adaptation
  - The maintenance of critical system properties through integrated monitoring, adaptation, and reconfiguration
  - The maintenance of certification assurance as the dynamic system is adapted to operating conditions
54. Integrated Monitoring, Adaptation and Reconfiguration
• The CITADEL framework embodies a closed control loop paradigm
  - Basically, the framework attempts to maintain the specified properties of the system by controlling the configuration
  - The system configuration is the control variable
  - The sensors of specified or synthesized monitors in the Monitoring Plane provide feedback on the conditions affecting the properties
  - The Adaptation Plane embodies the control laws, determining the need for and commanding configuration change
  - The Configuration Plane is the actuator for configuration changes
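The control loop on this slide, as an added example in Python (not CITADEL project code): a property monitor turns virtual-sensor readings into events, adaptation rules act as the control laws and name a target configuration, a planner finds a path through the configuration transition system of slides 41 and 46, and the configuration plane actuates only transitions that system permits and logs each one. The configurations, transitions, rules and readings are all constructed; expanding each big step into platform primitives is left out.

```python
"""Closed-loop adaptation over a configuration transition system.

Added example, not CITADEL code. It assumes the configuration space is a
small set of named configurations, a configuration transition system (CTS)
listing the permitted changes, and virtual-sensor readings arriving as
dicts. Configurations, transitions, rules and readings are constructed.
"""
from collections import deque

# Constructed CTS: the permitted (from, to) configuration changes.
TRANSITIONS = {
    ("nominal", "degraded"),
    ("degraded", "nominal"),
    ("degraded", "fallback"),
    ("fallback", "degraded"),
}
# Constructed control laws: each monitoring event names the configuration
# expected to restore the property that the monitor guards.
RULES = {"loss_high": "degraded", "link_ok": "nominal", "node_unhealthy": "fallback"}

def property_monitor(reading):
    """Monitoring Plane: evaluate virtual-sensor readings, emit events."""
    events = []
    if reading.get("link_loss", 0.0) > 0.05:
        events.append("loss_high")
    elif "link_loss" in reading:
        events.append("link_ok")
    if reading.get("node_heartbeat_missed", 0) >= 3:
        events.append("node_unhealthy")
    return events

def plan_big_steps(transitions, current, target):
    """Adaptation Plane: shortest sequence of permitted big steps from
    current to target, [] if already there, None if the CTS cannot reach it."""
    succ = {}
    for a, b in transitions:
        succ.setdefault(a, []).append(b)
    parent, todo = {current: None}, deque([current])
    while todo:
        node = todo.popleft()
        if node == target:
            path = []
            while node != current:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in succ.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                todo.append(nxt)
    return None

class ConfigurationPlane:
    """Actuator: applies a big step only if the CTS permits it, and logs it."""

    def __init__(self, transitions, initial):
        self.transitions, self.current, self.log = transitions, initial, []

    def permitted(self, target):
        return (self.current, target) in self.transitions

    def reconfigure(self, target):
        if not self.permitted(target):
            raise PermissionError(f"{self.current} -> {target} is not in the CTS")
        self.log.append((self.current, target))
        self.current = target

def control_loop(readings, initial="nominal"):
    """Sense, decide, actuate once per reading; returns the configuration
    plane so the caller can inspect its state and reconfiguration log."""
    plane = ConfigurationPlane(TRANSITIONS, initial)
    for reading in readings:
        for event in property_monitor(reading):
            steps = plan_big_steps(TRANSITIONS, plane.current, RULES[event])
            if steps is None:  # target unreachable: record it, do not guess
                plane.log.append(("unreachable", RULES[event]))
                continue
            for step in steps:
                plane.reconfigure(step)
    return plane
```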
56. Integrated assurance for certification
• CITADEL has taken critical steps toward enabling the certification of dynamic and adaptive systems
  - Providing to certification authorities a basis for trust in adaptive systems
  - CITADEL takes a principled approach to reconfiguration and adaptation, providing the means to specify and verify dynamic systems
  - CITADEL puts the Certifier-in-the-Box for Just-in-Time Certification by providing online mechanisms to maintain valid certification assurance artifacts available on-demand