MILS is a component-based approach to secure and dependable systems design and implementation that encourages a marketplace of general-purpose commercial components, leading to lower development cost.
MILS is a two-phase approach (John Rushby's "Modern MILS"):
1. Design a policy architecture
   - An abstract architecture diagram represented by "boxes and arrows"
   - Operational components and architecture achieve the system purpose
   - Assumes the architecture (components and connectors) will be strictly enforced in the implementation: a component can communicate only over the connectors the diagram shows
2. Implement the policy architecture on a robust resource-sharing platform
   - MILS foundational components (FCs) enable sharing of physical resources, creating strongly separated "exported resources"
   - FCs should be individually developed and assured according to standardized specifications
   - FCs compose "additively" to form a distributed trusted sharing substrate, the MILS Platform
MILS provides a compositional approach to construction, assurance, and system certification.
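An added example of the "strictly enforced" assumption in phase 1 (this is illustrative code, not MILS or CITADEL project code): given a policy architecture as a set of boxes and directed connectors, it checks that a platform's exported channels refine that architecture, and computes transitive information flow so that a leak assembled from several individually harmless channels is still caught. The component names, the forbidden flows and the channel tables are invented here.

```python
"""Check that an implementation's channels strictly realise a MILS policy
architecture. Added example, not CITADEL or MILS project code: the boxes,
connectors and the separation-kernel channel tables are invented."""
from collections import deque

# Policy architecture: the "boxes and arrows". A connector is a directed
# (source, destination) pair; any flow not listed is forbidden.
POLICY_COMPONENTS = {"Sensor", "Filter", "Controller", "Logger", "Maintenance"}
POLICY_CONNECTORS = {
    ("Sensor", "Filter"),
    ("Filter", "Controller"),
    ("Controller", "Logger"),
    ("Maintenance", "Logger"),
}

def check_refinement(policy_components, policy_connectors, impl_channels):
    """Report channels the platform exports that the policy architecture does
    not authorise, or that name a box the architecture does not have.
    Empty lists mean every implementation channel refines a policy connector,
    which is the 'strictly enforced' condition."""
    unknown = {c for ch in impl_channels for c in ch if c not in policy_components}
    unauthorised = {ch for ch in impl_channels if ch not in policy_connectors}
    return {"unknown_components": sorted(unknown),
            "unauthorised_channels": sorted(unauthorised)}

def reachable(connectors, source):
    """Transitive closure of information flow from source (breadth-first)."""
    seen, queue = set(), deque([source])
    while queue:
        node = queue.popleft()
        for src, dst in connectors:
            if src == node and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def check_isolation(connectors, forbidden_flows):
    """Which forbidden (src, dst) pairs are reachable, directly or through
    intermediate boxes, over the given connectors?"""
    return sorted((s, d) for s, d in forbidden_flows if d in reachable(connectors, s))

# Constructed channel tables. The second one leaks: a Maintenance->Controller
# channel was configured on the kernel that the policy diagram never had.
IMPL_CHANNELS_OK = set(POLICY_CONNECTORS)
IMPL_CHANNELS_BAD = IMPL_CHANNELS_OK | {("Maintenance", "Controller")}

if __name__ == "__main__":
    print(check_refinement(POLICY_COMPONENTS, POLICY_CONNECTORS, IMPL_CHANNELS_BAD))
    print(check_isolation(IMPL_CHANNELS_BAD, [("Maintenance", "Controller")]))
    # Transitive flow the diagram does permit, even though no single connector shows it:
    print(check_isolation(POLICY_CONNECTORS, [("Sensor", "Logger")]))
```

The refinement check is the one to run against the generated kernel configuration; the isolation check is the one to run against the policy architecture itself, since a diagram can be faithfully implemented and still allow a flow its author did not intend.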
The document provides an introduction to CITADEL, which aims to develop an innovative platform for adaptive systems based on the Multiple Independent Levels of Security (MILS) architectural approach. CITADEL builds upon previous research in static and distributed MILS and aims to extend MILS to support dynamic and distributed adaptive systems while maintaining assurability through design-time analysis and runtime assurance. The CITADEL framework adds new planes such as monitoring, adaptation, and certification assurance to the MILS platform to enable closed-loop control of dynamic reconfiguration. The project team for CITADEL includes experts in MILS, separation kernels, and other relevant areas from previous MILS research projects.
This material describes assurance cases, a key element of CITADEL System Assurance and Certification, and includes a set of assurance case argument patterns that can be used to develop them. The patterns are instantiated using AM-ETB and the system model expressed in the CITADEL modeling language. Evaluating an Adaptive MILS assurance case involves analysing the soundness of the argument, checking the integrity of the evidence that supports its claims, and certifying the Adaptive MILS system.
This training module gives an overview of the role, interfaces, structure and functionality of the Adaptation Plane, and explains how to start the components that comprise it. The module focuses on the information needed to understand the start-up and operation of the Adaptation Plane, which is required in order to deploy it as part of the CITADEL Platform.
Key elements
Dynamic Distributed MILS platform
Dynamic MILS platform with deterministic networking
Mechanisms for dynamic reconfiguration and configuration introspection
Declarative dynamic architecture modeling and verification
Language to describe reconfigurable systems architecture, component models, failure models and fault propagation
Theory and framework for dynamic reconfiguration
Theory and framework for adaptation
Language to express critical properties to be verified
Compositional verification framework
Monitoring, Adaptation, Configuration, & Certification Assurance Planes
Assurance-based security evaluation methodology and runtime mechanisms for just-in-time certification of adaptive systems
This is a synopsis of my presentation to the NATO C4ISR Conference in Bucharest on 26th March 2014. NATO is keen to learn the lessons from networked operations in the Afghan theater, and build these into their mission networking plans.
This presentation draws on IBM’s experience in defence projects, NATO concept developments and recent exercises, and puts forward our key learning points & recommendations.
Federated Application Centric Infrastructure (ACI) Fabrics for Dual Data Cent... (Joel W. King)
The document discusses how Cisco's Application Centric Infrastructure (ACI) can implement two fabrics across dual data centers to provide disaster recovery. It describes how World Wide Technology designed an ACI solution in its Advanced Technology Center with federated controllers that replicate tenant configurations between the primary and backup data centers. This allows for consistent application policies while the common and infrastructure fabrics maintain independent IP addressing and routing.
Cloud computing offers much promise to the military by addressing the fundamentals of increasing mission agility / complexity in a climate of economic constraint. This presentation - given to the NATO IST-125 panel in Ankara, Turkey on the 11th Jun 2015 - analyses cloud usage in three project case studies then specifically considers the SECURITY challenge and how this can be addressed as cloud evolves in future.
(LinuxCon Japan 2016)
Linux has become one of the most important software platforms for running civil infrastructure systems such as power plants, water distribution, traffic control and healthcare. However, existing software platforms are not yet industrial grade in addressing the safety, reliability and other requirements of infrastructure. At the same time, rapid advances in machine-to-machine connectivity are driving change in industrial system architectures.
The Linux Foundation has established the Civil Infrastructure Platform (CIP) as a new collaborative project. CIP aims to develop a super-long-term-supported open source "base layer" of industrial-grade software. This base layer enables the use of software building blocks that meet the requirements of industrial and civil infrastructure projects. In this talk, we explain the technical details and focus areas of the project.
Introducing the HICLASS Research Programme - Enabling Development of Complex ... (AdaCore)
The document discusses the HICLASS research program which aims to enable UK industry to build the most complex, connected, and cyber-secure avionic systems. It is a £32 million project over 4 years led by Rolls-Royce with 16 funded partners and 2 unfunded partners. The project will develop integrated solutions to address increasing challenges with system integrity, complexity, connectivity, security, and safety as systems continue to grow in scale and complexity. It will focus on developing technologies in areas like model-based development, verification, security, and future hardware platforms.
FORUM PA 2015 - Microservices with IBM Bluemix (gjuljo)
This document discusses Bluemix, microservices, and a demo. Bluemix is IBM's cloud platform for building, running, and managing applications using open standards. It discusses how microservices applications are built using independent, self-contained services that communicate over well-defined interfaces. This allows for cross-functional teams and independent scaling of services. The demo then shows a microservices application deployed to Bluemix using Docker containers, MongoDB, and other technologies.
Dmg tem2011-0718-02 norton cmd disa mitre overview - v9 (jakreile)
This document discusses the Department of Defense's strategy for supporting commercial mobile devices (CMDs). It outlines goals such as evolving infrastructure to support mobile devices, establishing a common application environment, and enabling mobile device security. Key policy issues discussed include security, spectrum use, and application management. The document also summarizes several DoD pilots and efforts related to developing CMD policy and capabilities.
The document discusses teaching information technology architectures. It presents an architectural approach that consists of key tenets including architectural principles, framework, process model, and methodology. The approach is applied to developing an enterprise mobility viewpoint for modeling mobile enterprise architectures. Specifically, it proposes a conceptual model for a mobile enterprise architecture framework that defines stakeholder concerns and sub-viewpoints to model the mobile business, data, applications, and infrastructure.
The document summarizes a workshop on models held by the EFFECTS+ Systems & Networks Cluster. The workshop aimed to identify publicly available models, areas of collaboration between projects, and gaps in existing approaches. Presentations covered various modeling approaches from different projects. Results included plans to classify models, publish a survey, hold follow-up meetings, and initiate specific multilateral cooperations between projects in areas like SCADA systems, privacy, services, and security evaluation.
2004 Net-centric Systems and Services Interoperability Engineering (NESSIE) (Bob Marcus)
Informal overview of some major US governmental projects with suggestions on how to engineer systems and services interoperability using a standards-based framework.
A Decentralized Reference Architecture for Cloud-native Applications (Asanka Abeysinghe)
The number of microservices running in enterprises increases daily. As a result, service composition, governance, security, and observability are becoming a challenge to implement and incorporate. A “cell-based” architecture is an approach that can be applied to current or desired development and technologies to address these issues. This technology-neutral approach helps cloud-native dev teams become more efficient, act in a more self-organized manner, and speed overall release times.
In this talk, Asanka will introduce the "cell-based" architecture, which is decentralized, API-centric, cloud-native and microservices friendly. He will explain the role of APIs in the cell-based approach, as well as examine how real applications are built as cells. Asanka will explore the metrics and approaches that can be used to measure the effectiveness of the architecture and explore how organizations can implement the cell approach.
Simulation Based Acquisition - Past or Future? (Andy Fawkes)
Presented at TDW-Live - Congresbury, Bristol - 15 Nov 2018. TDW-Live is a conference for aerospace, defence and space technical information and product support professionals. This presentation described simulation and the latest developments. It covered the history of simulation based acquisition and parallels with the current day digital twin or digital sibling and lessons learned.
RSA: CSA GRC Stack Update for the CSA Atlanta Chapter (Phil Agcaoili)
This document summarizes an RSA Cloud Security Alliance meeting where Phil Agcaoili and Dennis Hurst presented on cloud security topics. It discusses NIST's definition of cloud computing including its essential characteristics and service/deployment models. It also summarizes the Cloud Controls Matrix, a project to develop standardized cloud security controls mapped to frameworks like COBIT and ISO 27001. The document lists the 11 domains and 98 controls included in the Cloud Controls Matrix as well as its development team and contributors. Finally, it briefly discusses the Consensus Assessment Initiative for performing shared security assessments of cloud providers.
apidays LIVE LONDON - A Decentralized Reference Architecture for Cloud-native... (apidays)
apidays LIVE LONDON - The Road to Embedded Finance, Banking and Insurance with APIs
A Decentralized Reference Architecture for Cloud-native Applications
Asanka Abeysinghe, Chief Technology Evangelist at WSO2
Cloud computing allows users to access software, storage, and computing power over the internet. It provides scalable resources and services to customers on-demand. There are several cloud deployment models including public, private, community, and hybrid clouds. The three main service models are infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). Cloud computing provides businesses benefits like reduced costs and time to market. Technical benefits include automation, auto-scaling, and improved development cycles. Security and loss of control are concerns that need to be addressed for cloud adoption.
Simulation Based Acquisition - Has its Time Come? (Andy Fawkes)
Presented at the ITEC Advanced Engineering Conference - Stuttgart, Germany - 16 May 2018. Originating in the US DoD in the 1990s, Simulation Based Acquisition or SBA aimed to exploit the then advances in M&S and data management to reduce the time, risk, and resources associated with the defence acquisition and support process. Both technical and non-technical barriers caused SBA to fall out of fashion in the 2000s. We are now in a different era technologically and societally, with the increasing digitisation of manufacturing industries and wider human activities and the drive towards Industry 4.0. Many of the technological hurdles to SBA are likely to be overcome with advances in simulation, data and AI. However, what is clear from SBA is that to realise its full potential requires significant organisational and cultural change within research and acquisition organisations and wider industry.
Organizations rely on cloud computing as a cost-effective and efficient method to harness and access data using the Internet and improve their productivity and performance. With a cloud computing credential as part of your skill set, you will be able to contribute to this IT service and stand apart from your peers.
TUV SUD’s Certified Cloud Computing Elementary Professional (TCCEP) is one of the most industry-recognized cloud computing certifications globally.
This document discusses cybersecurity frameworks and provides an overview of the most popular frameworks. It begins by defining frameworks, regulations, standards and guidelines. Some of the main benefits of frameworks mentioned are providing a comprehensive security baseline, enabling measurement and benchmarking, and demonstrating maturity. Twelve of the most popular frameworks are then listed and described briefly. The document outlines different types of frameworks and provides tips for choosing an appropriate framework based on mandatory requirements, country practices, industry usage, certification needs, organization size and maturity. It also discusses mappings between frameworks and attributes of information security controls.
CWIN17 Utrecht / cg u services - frank van der wal (Capgemini)
The document discusses building blocks for digital transformation, including cloud infrastructure, artificial intelligence, data tools, and targeted applications. It recommends an architecture that is engineered for distribution, using microservices that can be deployed independently and communicate through APIs. The challenges of a microservices architecture include maintenance due to varied skills required, latency from network hops, data sharing between services, and manageability of a network of services. Digital transformation creates both digital and enterprise IT that require different approaches to exploration and security. An integration reference architecture is proposed with systems of engagement, integration layers, and systems of record.
The COI will establish standards and processes to enable the sharing of geospatial intelligence information among the National Geospatial-Intelligence Agency, the Defense Intelligence Agency, and the National Reconnaissance Office to improve situational awareness and support to military operations.
This document summarizes key information from a presentation on security architecture in the IoT age. It discusses the risks of vulnerabilities being exploited in embedded devices, as seen with Stuxnet. It recommends resources for credible cybersecurity information, including the Information Assurance Support Environment site. The document also summarizes guidance on the Risk Management Framework and Security Technical Implementation Guides.
An assurance case provides an argument to justify certain claims about a system, based on evidence concerning both the system and the environment in which it operates.
The principal advance offered by assurance cases compared to other forms of assurance is provision of an explicit argument connecting evidence to claims.
The idea of structured argument is to facilitate modular comprehension and assessment of the case.
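As an added illustration of the two evaluation steps this page names for an Adaptive MILS assurance case (soundness of the argument, and integrity of the evidence behind its claims), the following Python is example code, not CITADEL or AM-ETB code: the node layout, the claim and evidence identifiers and the two artifacts are invented here, and SHA-256 over the artifact bytes stands in for whatever binding the evidence repository actually uses.

```python
"""Structural soundness and evidence-integrity checks over an assurance case.
Added example, not CITADEL/AM-ETB code: the case layout, ids and artifacts
are invented. A claim is argued by sub-claims or by evidence; an evidence
node is bound to an artifact by the SHA-256 digest recorded at build time."""
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed artifacts standing in for tool outputs (a model-checker report
# and a test log). In a real case these live in the evidence repository.
ARTIFACTS = {
    "mc_report.txt": b"separation property P1: VERIFIED (bounded, k=20)\n",
    "test_log.txt": b"channel_config_test: 42 passed, 0 failed\n",
}

def build_case(artifacts):
    """The case as a dict of nodes. 'claim' nodes list what supports them;
    'evidence' nodes name an artifact and the digest recorded when built."""
    return {
        "C1": {"type": "claim", "text": "Partitions are isolated per policy", "support": ["C1.1", "C1.2"]},
        "C1.1": {"type": "claim", "text": "Kernel config matches policy architecture", "support": ["E1"]},
        "C1.2": {"type": "claim", "text": "Flow property P1 holds on the model", "support": ["E2"]},
        "E1": {"type": "evidence", "artifact": "test_log.txt", "digest": sha256(artifacts["test_log.txt"])},
        "E2": {"type": "evidence", "artifact": "mc_report.txt", "digest": sha256(artifacts["mc_report.txt"])},
    }

def check_soundness(case, root):
    """Structural defects: dangling references, claims with no support
    (undeveloped), cycles in the argument, and evidence the argument never
    reaches from the root claim."""
    defects, done = [], set()

    def visit(node_id, path):
        parent = path[-1] if path else "root"
        if node_id not in case:
            defects.append(f"dangling reference to {node_id} from {parent}")
            return
        if node_id in path:
            defects.append(f"cycle through {node_id}")
            return
        if node_id in done:
            return
        node = case[node_id]
        if node["type"] == "claim":
            if not node["support"]:
                defects.append(f"undeveloped claim {node_id}")
            for child in node["support"]:
                visit(child, path + [node_id])
        done.add(node_id)

    visit(root, [])
    orphans = sorted(n for n, v in case.items() if v["type"] == "evidence" and n not in done)
    defects.extend(f"orphan evidence {n}" for n in orphans)
    return defects

def check_evidence_integrity(case, artifacts):
    """Recompute each evidence node's digest from the artifact as it exists
    now; return ids whose artifact is missing or changed since recording."""
    bad = []
    for node_id, node in case.items():
        if node["type"] != "evidence":
            continue
        data = artifacts.get(node["artifact"])
        if data is None or sha256(data) != node["digest"]:
            bad.append(node_id)
    return sorted(bad)

if __name__ == "__main__":
    case = build_case(ARTIFACTS)
    print(check_soundness(case, "C1"))                # []
    tampered = dict(ARTIFACTS, **{"mc_report.txt": b"P1: FAILED\n"})
    print(check_evidence_integrity(case, tampered))   # ['E2']
```

The integrity check is what makes a re-run meaningful after reconfiguration: if a tool regenerates a report, the recorded digest no longer matches and the claim above it has to be re-evaluated rather than silently carried forward.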
This material provides guidelines, in the form of a presentation, on the Context Awareness component of the Adaptation Plane.
Context Awareness implements a mechanism to identify the current context in which the CITADEL framework, and an application running on it, is being operated.
To identify the current context it combines two inputs: run-time data provided by the Monitoring Plane and a pre-defined context model.
CITADEL configuration and reconfiguration synthesisRamnGonzlezRuiz2
This material provides a thorough presentation of the CITADEL Reconfiguration Plane, hereafter denoted XP, from high-level design to low-level implementation and deployment on the CITADEL platform.
The document discusses the Adaptive MILS Evidential Tool Bus (AM-ETB) which is used to create and maintain certification evidence for adaptive MILS systems. The AM-ETB uses assurance case patterns to develop modular assurance cases. It coordinates the execution of verification tools to generate evidence and update assurance cases. The AM-ETB implementation includes a pattern repository, evidence repository, workflow engine, tool agents, and assurance case repository.
This document discusses configuring communications monitoring by implementing features and signatures from network traffic and learning a white-box model. It describes extracting feature values from packet fields using Python expressions and gathering them in a feature file. Signatures are defined as Python boolean expressions mapped to alert IDs. A white-box model is learned from a training set and stored in a histograms file, which can be tuned by adjusting likelihood values and bins. The steps are demonstrated on a bottle filling plant use case monitoring Modbus traffic.
This document provides an overview of communications monitoring within the CITADEL framework. It discusses various monitoring methods including signature-based monitoring, white-box anomaly detection, and association rules. Signature-based monitoring specifies known malicious situations as signatures to detect. White-box anomaly detection learns a model of normal communications and flags deviations as anomalous. The document also describes how monitoring interacts with the specification and other CITADEL planes.
This document provides an overview of state monitoring in the context of the CITADEL project. It discusses the monitoring plane and how it is used to monitor components in the operational plane and resources in the foundational plane. It also describes how the Kaspersky Security System can be used for state monitoring by specifying monitoring policies and integrating them with the system modeling framework. The document outlines different sources of monitoring data and policies and how a layered implementation approach separates concerns between the monitoring, operational, and foundational planes.
This document discusses the configuration of a state monitoring module. It describes generating monitors for components, sensors for input ports, and converting monitoring properties into policies. The document also outlines the monitoring library generator, generic and CITADEL APIs, supported SLIM types and operators, and examples of initialization and monitoring loops.
This document discusses software modeling and verification using formal methods. It provides an introduction to formal methods, their motivation and applications. It then discusses the role of formal methods in the CITADEL project, including modeling dynamic architectures, specification of monitors and properties, verification, monitor synthesis, adaptation and assurance case generation. Key aspects of modeling dynamic architectures in CITADEL are parametrized architecture modeling, dynamic architecture modeling, specification of monitors and properties.
This document describes the modeling, testing, and verification of system models which are used by
the MILS Adaptation System. Several example models are provided in this document, with one of
them developed in a step-by-step manner. Video demonstrations which accompany this document
demonstrate the use of supporting tools.
In this training submodule we outline the core workings of the MILS Adaptation System (for details please refer to the project deliverable D4.3 [1]) and we describe how to create the artifacts which are taken as input by the MILS Adaptation System. Specifically, we focus on the Adaptation Engine, the core component of the MILS Adaptation System.
2. Key characteristics of MILS
The Open Group Training - Context - MILS Architectural Approach 2
3. Key characteristics of Modern MILS
MILS is a component-based approach to secure and dependable systems design and implementation that encourages a marketplace of general-purpose commercial components, leading to lower development cost.
MILS is a two-phase approach (John Rushby’s “Modern MILS”):
Design a Policy Architecture
● Abstract architecture diagram represented by “boxes and arrows”
● Operational components and architecture achieve system purpose
● Assumes the architecture (components and connectors) will be strictly enforced in the implementation
Implement the policy architecture on a robust resource-sharing platform
● MILS foundational components (FCs) enable sharing of physical resources, creating strongly separated “exported resources”
● FCs should be individually developed and assured according to standardized specifications
● FCs compose “additively” to form a distributed trusted sharing substrate, the MILS Platform
MILS provides a compositional approach to construction, assurance, and system certification.
4. History and Future of MILS
Pre-MILS, Classic, Modern, and Progressive MILS and beyond
5. History and Future of MILS
We define the “Eras” in the emergence and evolution of MILS 1980-2020:
● Pre-MILS
● “Classic” MILS
● “Modern” MILS
● “Progressive” MILS
● MILS 2020 and beyond
Overview of the “reservoir” of present and past MILS research and development activities
6. The Birth of MILS and its Evolution
Seminal work by John Rushby
● Study of ongoing secure systems efforts, 1980
● Design and Verification of Secure Systems – original Separation Kernel paper, 1981
● Separability, 1982-1983
● Non-interference and channel control, 1982-1992
● Partitioning for security and safety, 1999-2003
● MILS research at SRI, 2004-2012, Rushby-DeLong
MILS is born and advances through its “Eras”
● “Classic” MILS, 2000-2007, various parties
● “Modern” MILS, 2008-2012, Rushby-DeLong
● “Progressive” MILS, 2012-Present, DeLong et al
  ● Distributed MILS (D-MILS project)
  ● Dynamic MILS and Adaptive MILS (CITADEL project)
  ● Heterogeneous (CPU/GPU/FPGA) MILS Platforms (PHANTOM project)
7. The Emergence of “MILS”
“MILS”, by that name, emerged circa 2000.
Originally “MILS” stood for Multiple Independent Levels of Security. In 2007 members of The Open Group’s Real Time and Embedded Systems (RTES) Forum recognized that the expanded acronym was not an accurate characterization* and took a decision to henceforth regard “MILS” not as an acronym but as a proper name for the architectural approach.
MILS was initiated in part upon a recognition that commercial partitioning kernels for avionic safety could be applied to high assurance security.
Strong partitioning (“separation” or “isolation”) provides a basis for the prevention of information flow, upon which “controlled information flow” can be established.
This led to the rediscovery of Rushby’s Separation Kernel (SK), in the Design and Verification of Secure Systems (1981), to become the foundation for MILS.
Development of Common Criteria “protection profiles” for partitioning kernels (The Open Group) and for separation kernels (NSA) ensued from 2000 until 2008. Other associated protection profile developments were also undertaken.
The Open Group’s Real Time and Embedded Systems (RTES) Forum became the home to an active community of interest in MILS (the “MILS Initiative”).
* “multiple levels of security” is easily confused with multilevel security (MLS), which is a legitimate application of MILS, but the implied ordering of “levels” does not accurately characterize MILS. “Multiple independent domains” would be more accurate, but even the use of “independent” is not generally valid.
8. The Evolution and the Eras of “MILS”
2000-2007 – This is the Era of “Classic MILS”, during which MILS proliferated
● The seminal work of Rushby was recognized and built upon
● Other contributors included: Vanfleet, Dransfield, Alves-Foss, Harrison, Oman, Taylor, Greeve, Wilding, Richards, Uchenick, Millen, Delange, Calloni, Hardin, DeLong, Beckwith
2004 – Rushby at SRI International, who had been working on safety, now became engaged with the MILS community
2004-2012 – Research on MILS was funded on several projects at SRI International
2008 – Rushby declared the advent of “Modern MILS” as the concepts had crystallized
2008-2012 – The Era of “Modern MILS”, in addition to establishing the foundations, spawned the ideas of principled delivery, configuration & initialization, just-in-time MILS certification, as well as distributed, dynamic & adaptive MILS
2012-2019 and beyond – the Era of “Progressive MILS”, built on Modern MILS results
● Principled Delivery, Configuration and Initialization of MILS Components & Integrations
● Distributed MILS – assured scalable distributed deterministic systems
● Dynamic MILS – assured reconfigurable systems, cloud computing, IoT systems
● Adaptive MILS – assured critical infrastructures, adaptive & resilient systems
● Heterogeneous MILS – non-separation kernel-based MILS platforms (CPU, GPU, FPGA)
● Mixed-Critical MILS – assured mixed-critical cyber-physical systems
● Autonomous MILS – assured self-healing, adaptive, and intelligent cyber-physical systems
9. History and Future of MILS
Overview of a palette of MILS research and development (The Reservoir of MILS)
10. Who and What? Overview of MILS Research and Commercial Activities*
[Figure: the “Reservoir of MILS” palette diagram. Contributors and artefacts are grouped by activity category (Research, Implementation Science, Standards, Assurance & Certification, Products, Dissemination) and marked as past, ongoing or future work; the cells name projects (D-MILS, EURO-MILS, CITADEL, PHANTOM, CertMILS), protection profiles (SKPP, MNSPP, MCSPP, MFSPP, MEAPP, MASPP), vendors and research organisations, and assurance notations (GSN, CAE, SACM).]
* and others not mentioned due to space limits
11. Concepts of the MILS architectural approach
MILS “policy architecture”: Components, Connections and Local Policies
12. The MILS Architectural Approach
We say “The MILS Architectural Approach” rather than “The MILS Architecture”.
An architecture is a specific collection of components and their connections. The term “MILS architecture” is sometimes used in error to refer not to a specific architecture but to an approach. Thus, we are careful to say “MILS Architectural Approach” or just “MILS approach”.
(If there is any “MILS architecture”, it is the architecture of the MILS platform, that is, the collection of foundational components and their connections that comprise the platform.)
The specific architecture of an application developed using the MILS architectural approach we refer to as a “policy architecture”.
13. MILS Policy Architecture
[Figure: an example policy architecture of six components C1–C6 drawn as circles, with arrows between some of C1–C5; C6 has no arrow at all; one component is labelled “Trusted Subject”.]
● Circles represent architectural components (subjects / objects)
● Arrows represent interactions
● The absence of an arrow is as significant as the presence of one: the component C6 has no interaction with any other
● Components are assumed to perform the functions specified by the architect (trusted components enforce a local policy)
● The architecture expresses an interaction policy among a collection of components
Suitability of the architecture for some purpose presumes that the architect’s assumptions are met in the implementation of the architecture diagram.
14. MILS Platform
A specific composition of MILS Foundational Components (FCs); we are primarily concerned with the first three:
● Separation Kernel (the minimal MILS platform)
● MILS Network System (MNS)
● MILS Console System (MCS)
Others (defined but not yet implemented):
● MILS File System (MFS)
● MILS Extended Attributes (MEA)
● MILS Audit System (MAS)
Most of the MILS foundational components comprise both hardware and software (and firmware if present). Specifically, these foundational components are not just software!
E.g. a Separation Kernel is the software and the processor it runs on; a MILS Console System is the software and the user interface devices, controllers, and associated firmware and drivers; a MILS File System is the storage device, the controller, the firmware, the file system software, and APIs.
15. The Distributed MILS Platform
[Figure: Distributed MILS nodes, each drawn as a SW layer over a HW layer and hosting SK, MNS and MCS; the foundational components compose additively to present “Exported Resources” to the applications, and the MCS provides a console for some apps.]
Additive compositionality property – e.g., Partitioning kernel + Partitioning network system = Partitioning (kernel + network system)
MNS = MILS Network System; MCS = MILS Console System
The minimal MILS platform is SK alone.
The Distributed MILS Project (EC FP7) implemented Distributed MILS nodes with SK and MILS Network System (MNS) using Time-Triggered Ethernet, and one of the D-MILS demonstrators implemented a special-purpose MILS Console System (MCS).
CITADEL implements a new MNS using Time-Sensitive Networking (TSN) with a new SK. An updated version of the D-MILS MCS was developed for CITADEL.
16. MILS Platform – Provides Straightforward Realisation of Policy Architecture
[Figure: the policy architecture (circles R1–R5 joined by arrows) shown above its realisation, the same components R1–R5 hosted on the MILS Platform.]
SK, with other MILS foundational components, form the MILS Platform, allowing operational components to share physical resources while enforcing Isolation and Information Flow Control.
Validity of the architecture assumes that the only interactions of the circles (operational components) are through the arrows depicted in the diagram.
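The check behind slides 13 and 16, as an added example that is not part of the training material or of any MILS platform: the policy architecture is held as an explicit allow-list of directed interactions, and the channels a platform configuration actually permits are compared against it, so that a channel with no arrow is reported just as a missing arrow is. The component names C1–C6, the arrows, and the role of C5 as the trusted subject are constructed for the example.

```python
"""Checking that a platform configuration realises a MILS policy architecture.

The policy architecture is the "boxes and arrows" diagram: a set of
operational components and the directed interactions the architect allows.
Because the absence of an arrow is as significant as its presence, every
channel the platform permits that is not an arrow is reported as a breach
of the isolation the architecture relies on.
"""
from collections import deque

# Constructed policy architecture (names and arrows are assumptions made for
# this example, loosely following the C1..C6 figure on the slide).
POLICY_COMPONENTS = {"C1", "C2", "C3", "C4", "C5", "C6"}
POLICY_FLOWS = {
    ("C1", "C2"),
    ("C2", "C4"),
    ("C1", "C3"),
    ("C3", "C5"),   # C5 plays the trusted subject mediating C3 -> C4
    ("C5", "C4"),
}


def check_realisation(components, flows, platform_flows):
    """Compare the channels a platform configuration permits (for example the
    SK inter-partition channels plus the MNS wormholes) with the arrows of
    the policy architecture.

    Returns (unauthorised, missing):
      unauthorised - channels the platform permits but the architect did not
                     draw; each is an interaction path the assurance argument
                     never considered.
      missing      - arrows the platform does not provide; the realisation
                     cannot implement the intended architecture.
    Flows are directed, so permitting C2 -> C1 is unauthorised even though
    C1 -> C2 is an arrow.
    """
    platform_flows = set(platform_flows)
    unknown = {c for flow in platform_flows for c in flow} - components
    if unknown:
        raise ValueError(f"platform refers to unknown components: {sorted(unknown)}")
    return platform_flows - flows, flows - platform_flows


def reachable_from(flows, start):
    """Transitive closure along the arrows: every component that information
    originating at `start` can reach, directly or via intermediaries."""
    seen = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for src, dst in flows:
            if src == node and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def isolated_components(components, flows):
    """Components with no arrow in or out, like C6 on the slide: the platform
    must keep them free of any interaction with the others."""
    return {c for c in components if not any(c in flow for flow in flows)}


def mediated_only_by(flows, src, dst, mediator):
    """True if every path from src to dst passes through `mediator` (a trusted
    subject enforcing a local policy): with the mediator's arrows removed,
    dst must no longer be reachable from src."""
    without_mediator = {(a, b) for a, b in flows if mediator not in (a, b)}
    return dst not in reachable_from(without_mediator, src)


if __name__ == "__main__":
    # Constructed platform configuration with two misconfigurations: a reverse
    # channel C2 -> C1 and a channel into the isolated component C6.
    platform = POLICY_FLOWS | {("C2", "C1"), ("C4", "C6")}
    unauthorised, missing = check_realisation(POLICY_COMPONENTS, POLICY_FLOWS, platform)
    print("unauthorised channels:", sorted(unauthorised))
    print("missing channels:", sorted(missing))
    print("reachable from C1:", sorted(reachable_from(POLICY_FLOWS, "C1")))
    print("isolated:", sorted(isolated_components(POLICY_COMPONENTS, POLICY_FLOWS)))
    print("C3 -> C4 only via C5:", mediated_only_by(POLICY_FLOWS, "C3", "C4", "C5"))
```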
17. “Modern MILS” Platform Architecture – a composition of foundational components creating one or more Operational Planes
[Figure: three stacked planes. The Operational Plane holds operational components P1–P5; the Foundational Plane holds the Separation Kernel together with MFS, MNS, MEA and MCS, forming the MILS Platform; the Configuration Plane supplies Configuration Data to the foundational components.]
● The MILS Platform is an abstraction of the Foundational Plane
● The MILS Foundational Plane is the composition of MILS foundational components
● The Configuration Plane runs off-line in static MILS
● Operational Plane(s) comprise operational components of the application’s policy architecture
18. Isolated Subsystems as Distinct “Operational” Planes
[Figure: a policy architecture with two disconnected parts, components R1–R5 and components Q1, Q2 and Q5, drawn first as a single Operational Plane on the MILS Platform and then as two separate operational planes on the same platform.]
The two disconnected components of this policy architecture represent distinct subsystems or applications … and may be thought of as distinct operational planes.
Planes can be used as a convenient organisational principle to facilitate conceptual understanding or graphical representation of complex systems.
19. Using Planes in a complex system
Applications as Operational Planes
● Distinct subsystems of an application, or distinct applications
● E.g., a communications subsystem sharing a platform with a cyber-physical control subsystem
Major subsystem planes of extended MILS
● Operational planes dedicated to system support functions
● E.g., Monitoring Plane, Configuration Plane
20. MILS Foundational, Operational, Monitoring, and Configuration Planes
[Figure: as on slide 17, the Operational Plane (P1–P5) sits over the Foundational Plane (Separation Kernel with MFS, MNS, MEA and MCS, forming the MILS Platform) and the Configuration Plane supplies Configuration Data; a Monitoring Plane is added alongside them with Performance, Debug, Health and Resource monitoring.]
21. Extensions to basic MILS concepts and additional capabilities provided
Distributed MILS Platform
● Scalability beyond a single computer
● Geographic distribution
Dynamic MILS Platform
● Standalone or Distributed MILS Platform extended for dynamic reconfiguration
● Mode changes and/or generalized reconfiguration
● Basis for a wide range of adaptation strategies
Adaptive MILS Systems
● Dynamic MILS Platform plus adaptation framework
● Adapt operational system to changing conditions
● Resilience to environment changes and failures
22. Demonstration of extensions
CITADEL Project use case demonstrators
Partners represent use cases needing one or more of the MILS extension aspects: distributed, dynamic, and adaptive
Multiple critical infrastructure domains:
● Communications
● Transportation
● Manufacturing
All use cases are assurance-critical
24. CITADEL builds on Distributed MILS*: Policy architecture deployment spanning nodes
[Figure: a Foundational Plane spanning several Distributed MILS nodes, each consisting of Node Hardware running SK and MNS, with the Subjects of one policy architecture deployed across the nodes.]
Distributed MILS nodes form the D-MILS platform, with a minimum of SK and MNS foundational components.
The Distributed MILS concept originated with the MILS Network System (MNS) Protection Profile in 2010.
* European Commission FP7 ICT-2011.1.4 Trustworthy ICT, Project #318772, 2012 – 2015
25. MNS exports logically unidirectional “wormholes” that span D-MILS nodes
[Figure: D-MILS Node 1 and D-MILS Node 2, each Node Hardware running SK and MNS within a shared Foundational Plane; a Wormhole connects Subjects on the two nodes.]
Relocatable subjects communicate with resources without knowing on what node the resource resides. (A subject that controls a local device on a node is not relocatable.)
This “global information flow policy” defines three inter-node flows.
28. Overview of Dynamic MILS
Conventional approaches to high-confidence systems
have been static: fixed implementation, thoroughly
scrutinized through analysis and testing
SKPP* described several feasible options for
reconfiguration of separation kernels
Dynamic total configuration change – requires restart
Constrained selective configuration change –
unchanged portion of system continues to operate
Dynamic MILS platform has reconfiguration mechanisms
and (potentially) a configuration change policy
Configuration change monitor constrains configuration
change according to configuration change policy(ies)
* Separation Kernel Protection Profile
29. Dynamic MILS Configuration Change Examples
[Figure: two sequences of configuration states drawn as arrangements of functions F1 to F6. Example 1 shows configuration states 1a, 1b and 1c; Example 2 shows configuration states 2a, 2b, 2c, 2d and 2e]
1a and 2a represent current configuration states …
… 1c and 2e represent target configuration states
30. Dynamic MILS – a foundation for robust
adaptation and resilience
Classic MILS – robust systems through simplicity
Extended with reconfiguration mechanisms
And policy-driven reconfiguration constraints
Within a flexible framework for the integration of
new resilience strategies and techniques
A hierarchy of monitors and decision procedures
mediate requests for, and execution of,
configuration change operations
Anticipated, routine changes executed
“deterministically”
Response to unanticipated change may consult
higher-level models to dynamically synthesize new
target configurations
31. The MILS architectural approach along with a statically configurable MILS platform enables a designer to create a vast array of high-assurance systems backed by an assurance case that includes the guarantees provided by the platform, allowing high levels of traditional certification.
The MILS architectural approach along with a distributed MILS platform enables a designer to create scalable and physically distributed, deterministic, high-assurance MILS systems with an assurance case for the distributed platform, allowing high levels of traditional certification.
The MILS architectural approach along with a dynamically reconfigurable (distributed) MILS platform enables a designer to create systems that can assume new configurations while in operation. While this enables a designer to create (in principle) almost any imaginable MILS system, the new capabilities come with added assurance burdens, and challenges for traditional certification practice.
MILS Assurance and Certification
32. Dynamic vs Adaptive
MILS Systems
33. The dynamically reconfigurable MILS
platform poses at least two new
challenges:
The assurance of the dynamically
reconfigurable MILS foundational
components and their composition as a
reconfigurable platform.
The assurance of applications and systems
that take advantage of the reconfigurable
platform to adapt to changing conditions.
Reconfiguration and Adaptation as a
new quality
34. This is a bounded problem and it is not too difficult to see how to solve it.
The platform must maintain its key characteristics between reconfigurations.
The mechanisms of reconfiguration must behave in a way that allows one to demonstrate that the platform can maintain its key characteristics over sequences of reconfiguration operations subject to certain specific constraints.
The formal models must provide the above to enable an assurance case for the reconfigurable platform.
Assurance of the Dynamic MILS Platform
35. This is a potentially open-ended problem, and it is not easy to see how to solve it in its most general case.
In order to further our own rule of “conservative extensions” of MILS, we want to do this in a way that preserves the ability to achieve assurance.
Therefore, formal models must exist to provide objective evidence as a basis for an assurance case.
And, we must convince certification authorities to embrace a paradigm they have previously regarded as untenable.
Assurance of dynamically reconfigured systems
36. Traditionally, for certification, a system, along with supporting artifacts, was presented to a certifier for approval to operate in an environment that met specific assumptions.
In the past, a system that was modified by its developer to account for new requirements or operating assumptions could be re-certified by resubmission with modified artifacts for reconsideration.
The modified system was subject to similar scrutiny before approval.
Traditional Certification Paradigm
37. For a dynamically reconfigurable certified
system, the scrutiny for recertification
must somehow be incorporated into the
reconfiguration cycle.
The certification criteria must be
precisely specified and made objectively
checkable.
This is how we conceptualize the model
of dynamically reconfigurable systems.
Modeling dynamic reconfiguration
38. Static Configuration
[Figure: a single Operational Interval; a Trace of System States beginning at initial state s0; the Configuration Property of the interval; the Conformance Property derived from Requirements R]
R – requirements specification
- conformance property
- interval configuration property
Requirements are fixed
Conformance property captures the Requirements and can be objectively evaluated
Configuration property represents a strict relation on the configuration state data
The system exhibits a trace of states that conform to the configuration property
39. Total Configuration Change (restart)
[Figure: Operational Interval 1 followed, after a restart, by Operational Interval 2; each interval has its own Trace of System States starting from its own initial state s0; Interval Configuration Properties for each interval; the Conformance Property derived from Requirements R]
Rk – requirements specification
- conformance property
i - interval configuration property
Requirements are fixed
Conformance property captures the Requirements and can be objectively evaluated
A distinct new configuration is evaluated according to the Conformance Property
The system is restarted with the new configuration
A new operational interval exhibits new behaviours
40. Dynamic Configuration Change
[Figure: Operational Interval 1, Operational Interval 2 and further intervals linked by reconfiguration transitions R; one continuing Trace of System States with an initial state s0 per interval; Interval Configuration Properties for each interval; the Conformance Property derived from Requirements R]
R – requirements specification
- conformance property
i - interval configuration property
R - reconfiguration transition
Requirements are fixed
Conformance property captures the Requirements and can be objectively evaluated
Distinct new configurations are evaluated according to the Conformance Property
The system transitions to a new configuration without restart
A new operational interval exhibits new behaviours
41. Reconfiguration Big and Small Steps
[Figure: a Big-Step Re-Configuration Transition R from Current Config 1 to Target Config 2 is realised by a Reconfiguration Plan (1 -> 2) of Small-Step Configuration State Transitions built from the Dynamic Re-Configuration Primitives; the Configuration State is annotated with Individual Configuration Properties, Parameterized Architecture Properties and System Requirements]
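The model of slides 38 to 41 (requirements fixed and captured by a conformance property, operational intervals each with an interval configuration property, and a big-step reconfiguration transition realised as a plan of small-step primitives checked by a configuration change monitor), as an added Python example. It is not code from the training material or from the CITADEL tools: the configuration structure (partitions and flows), the three requirements inside conformance(), the four primitives and the planner are constructed assumptions for illustration.

```python
"""Toy configuration change monitor: a big-step transition between configurations is
approved only when the target and every small-step intermediate configuration satisfy
the conformance property. Constructed example; not CITADEL code."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

Flow = Tuple[str, str]   # directed information flow (source partition, destination partition)


@dataclass(frozen=True)
class Config:
    """Configuration state data of one operational interval (assumed structure)."""
    partitions: FrozenSet[str]
    flows: FrozenSet[Flow]


def conformance(cfg: Config) -> bool:
    """Conformance property: an objectively checkable rendering of fixed requirements R.
    The three requirements below are constructed for this example."""
    # R1: every flow connects two partitions that exist in this configuration
    for src, dst in cfg.flows:
        if src not in cfg.partitions or dst not in cfg.partitions:
            return False
    # R2: no direct flow from the red side to the black side
    if ("red", "black") in cfg.flows:
        return False
    # R3: whenever black exists it is fed by at least one crypto partition
    if "black" in cfg.partitions and not any(
            dst == "black" and src.startswith("crypto") for src, dst in cfg.flows):
        return False
    return True


def apply_primitive(cfg: Config, op: str, arg) -> Config:
    """Small-step dynamic (re-)configuration primitives of the platform (assumed set)."""
    parts, flows = set(cfg.partitions), set(cfg.flows)
    if op == "add_partition":
        parts.add(arg)
    elif op == "remove_partition":
        parts.discard(arg)
    elif op == "add_flow":
        flows.add(arg)
    elif op == "remove_flow":
        flows.discard(arg)
    else:
        raise ValueError(f"unknown primitive {op}")
    return Config(frozenset(parts), frozenset(flows))


def plan(current: Config, target: Config, add_first: bool = True) -> List[Tuple[str, object]]:
    """Reconfiguration plan: the small steps that take current to target. add_first
    chooses whether additions precede removals; the order decides which intermediate
    configuration states the trace passes through."""
    adds = [("add_partition", p) for p in sorted(target.partitions - current.partitions)]
    adds += [("add_flow", f) for f in sorted(target.flows - current.flows)]
    removes = [("remove_flow", f) for f in sorted(current.flows - target.flows)]
    removes += [("remove_partition", p) for p in sorted(current.partitions - target.partitions)]
    return adds + removes if add_first else removes + adds


def monitor_big_step(current: Config, target: Config, add_first: bool = True) -> Tuple[bool, str]:
    """Configuration change monitor: approve the big-step transition only if the target
    conforms and every small-step intermediate configuration conforms as well."""
    if not conformance(target):
        return False, "target configuration violates the conformance property"
    cfg = current
    for op, arg in plan(current, target, add_first):
        cfg = apply_primitive(cfg, op, arg)
        if not conformance(cfg):
            return False, f"intermediate state after {op} {arg} violates the conformance property"
    return True, "approved"


def run_intervals(initial: Config, targets: List[Config], add_first: bool = True) -> List[Config]:
    """Sequence of operational intervals: each approved target opens a new interval;
    a rejected target leaves the current interval in force."""
    intervals = [initial]
    for target in targets:
        approved, _ = monitor_big_step(intervals[-1], target, add_first)
        if approved:
            intervals.append(target)
    return intervals


# Constructed sample configurations: replace crypto1 by crypto2 while black stays up.
C1 = Config(frozenset({"red", "crypto1", "black"}),
            frozenset({("red", "crypto1"), ("crypto1", "black")}))
C2 = Config(frozenset({"red", "crypto2", "black"}),
            frozenset({("red", "crypto2"), ("crypto2", "black")}))
C_BAD = Config(frozenset({"red", "black"}), frozenset({("red", "black")}))

if __name__ == "__main__":
    print(monitor_big_step(C1, C2))                    # approved: add-first keeps black fed
    print(monitor_big_step(C1, C2, add_first=False))   # rejected: black briefly loses its crypto feed
    print(monitor_big_step(C1, C_BAD))                 # rejected: the target itself violates R2 and R3
    print([sorted(c.partitions) for c in run_intervals(C1, [C_BAD, C2])])
```

The same target configuration is approved or rejected depending on the order of the small steps: a plan that removes the old crypto flow before adding the new one passes through a state in which black is unprotected, which is exactly the kind of intermediate state the interval configuration property and the monitor are there to exclude.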
42. Ability to model and analyze dynamic
platforms and adaptive systems
Ability to maintain now for dynamic
systems the potential for high assurance
levels and certification that was achieved
in static MILS
“Just-in-time certification” – Ability to
re-certify on-the-fly and to produce an
assurance case and supporting evidence
(Certification Assurance Artifact) on-
demand
New challenges posed by Dynamic
and Adaptive MILS
43. More challenges of Dynamic MILS (1)
Traditional safety-critical domains have long,
stable deployments
New applications for cyber physical systems target
fast-changing and unpredictable environments
SKPP identified added assurance burden of
dynamic reconfiguration – this burden must be met
Starting from static MILS systems and their
assurance cases, we conservatively extend MILS
to achieve high-assurance adaptive systems
Has clear advantage over approaches to resilience
that do not start with a rigorous foundation
44. More challenges of Dynamic MILS (2)
Additional assurance burden
Reconfiguration mechanisms add complexity
Mechanisms for proposing new configurations
as solutions to problems posed by changing
environment
Techniques for “safely” changing configuration
without disrupting unchanged portions
“Simple assurance” of a static system
Single execution session maintains critical
invariants
Thoroughly analyzed for certification and
approval to operate
45. More challenges of Dynamic MILS (3)
Assurance of reconfiguration transitions
Change the configuration state
Move to a new set of invariants (or properties)
– Interval Configuration Property
Overarching System Configuration Property
governs permissible changes to interval
configuration property
● Captured in CITADEL parameterized architectures
May be generalized to deeper hierarchies,
including Requirements Change
● May be extended in the future with adaptation
techniques that pose greater assurance challenges
47. MILS provides a platform on which to
establish and enforce an architecture
with high assurance.
But how can we have assurance that the
architecture achieves our intended
objectives?
We design the architecture to reflect the
properties we desire of the system.
Then we reason from the properties of
the components, and the manner of their
composition, to the properties of the
system.
Architectural Aspect of Assurance
48. Assurance can be scalable if done compositionally.
We start with what a system (or a component) relies upon from its operational environment, and claim the guarantees it can make under those conditions.
We can decompose a system into subsystems and components, separately built, and its assurance case into subclaims, separately justified.
Compositional Assurance
49. Composition Fundamentals
Inputs and Outputs; Relies and Guarantees
[Figure: a System, subsystem or component within its Operational Environment, with Relies on the input side and Guarantees on the output side. Inputs = <In1, … , Inn>, a tuple; Outputs = <Out1, … , Outm>, a tuple; Inputs = trace( Inputs ), a sequence of tuples; Outputs = trace( Outputs ), a sequence of tuples]
Behavior B( Inputs, Outputs ) or Property P( Inputs, Outputs ) are relations on traces, each property defining a set of traces
50. [Figure: system S with Inputs and Outputs, made from components c; Relies on the input side, Guarantees on the output side]
System S is made from Components (or subsystems) c
Relation: S ( Inputs, Outputs )
Relies and Guarantees are properties: P ( Inputs, Outputs )
S satisfies P if S is a subset* of P
traces(S) a subset of traces (P)
* More precisely, the sets of traces generated by S and P
51. Policy Architecture Assurance – Incremental Rely/Guarantee (R/G) Compositional Reasoning
[Figure: components A, B and C, each with Relies and Guarantees. a) R/G composition of A and B; b) A as part of a composite; c) B becomes part of new composite’ which is then composed with C to form S]
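The trace semantics of slides 49 to 51, as an added Python example that is not code from the training material: properties are relations on (input trace, output trace) pairs, S satisfies P exactly when traces(S) is contained in traces(P), and two components are composed by rely/guarantee reasoning, the composite relying on A's rely and guaranteeing B's guarantee once A's guarantee is shown to discharge B's rely. The two components (a limiter and an accumulator), their relies and guarantees, the bound LIMIT and the enumerated environment are all constructed assumptions; a real argument would prove the discharge rather than check it over a finite environment.

```python
"""Rely/guarantee (R/G) reasoning over traces. A property is a relation on (input trace,
output trace) pairs, so it defines a set of traces; S satisfies P iff traces(S) is a
subset of traces(P). Constructed example, not code from the training material."""
from itertools import product
from typing import Callable, Iterable, Optional, Set, Tuple

Trace = Tuple[int, ...]                      # finite trace: one observed integer per step
Behaviour = Callable[[Trace], Trace]         # deterministic component: input trace -> output trace
Rely = Callable[[Trace], bool]               # assumption on the input trace
Guarantee = Callable[[Trace, Trace], bool]   # property P(Inputs, Outputs)
TraceSet = Set[Tuple[Trace, Trace]]

LIMIT = 10   # assumed bound used by the sample components


def traces_of(prop: Guarantee, inputs: Iterable[Trace], outputs: Iterable[Trace]) -> TraceSet:
    """traces(P): the (input, output) pairs P admits, over finite candidate sets."""
    return {(i, o) for i in inputs for o in outputs if prop(i, o)}


def traces_generated(behaviour: Behaviour, env: Iterable[Trace]) -> TraceSet:
    """traces(S): the pairs a component actually produces for the environment's inputs."""
    return {(i, behaviour(i)) for i in env}


def satisfies(system_traces: TraceSet, prop: Guarantee) -> bool:
    """S satisfies P iff every trace of S is a trace of P (no need to enumerate P)."""
    return all(prop(i, o) for i, o in system_traces)


def satisfies_by_inclusion(behaviour: Behaviour, prop: Guarantee,
                           env: Iterable[Trace], candidate_outputs: Iterable[Trace]) -> bool:
    """The same check stated literally as set inclusion, traces(S) within traces(P)."""
    env = list(env)
    return traces_generated(behaviour, env) <= traces_of(prop, env, candidate_outputs)


# Constructed components: a limiter A feeding an accumulator B.
def limiter(inp: Trace) -> Trace:
    return tuple(min(x, LIMIT) for x in inp)


def accumulator(inp: Trace) -> Trace:
    out, total = [], 0
    for x in inp:
        total += x
        out.append(total)
    return tuple(out)


def rely_nonneg(inp: Trace) -> bool:               # A relies on: no negative input
    return all(x >= 0 for x in inp)


def guar_bounded(inp: Trace, out: Trace) -> bool:  # A guarantees: every output in [0, LIMIT]
    return len(out) == len(inp) and all(0 <= y <= LIMIT for y in out)


def rely_bounded(inp: Trace) -> bool:              # B relies on: every input at most LIMIT
    return all(x <= LIMIT for x in inp)


def guar_linear(inp: Trace, out: Trace) -> bool:   # B guarantees: output k at most LIMIT*(k+1)
    return len(out) == len(inp) and all(y <= LIMIT * (k + 1) for k, y in enumerate(out))


def rg_compose(a: Behaviour, rely_a: Rely, guar_a: Guarantee,
               b: Behaviour, rely_b: Rely, guar_b: Guarantee,
               env: Iterable[Trace]) -> Tuple[Optional[Behaviour], str]:
    """R/G composition of A followed by B over an enumerated environment. The composite
    relies on A's rely and guarantees B's guarantee, provided A meets its guarantee and
    that guarantee discharges B's rely on every output A actually produces."""
    env_a = [i for i in env if rely_a(i)]
    if not satisfies(traces_generated(a, env_a), guar_a):
        return None, "A does not meet its guarantee under its rely"
    undischarged = [i for i in env_a if not rely_b(a(i))]
    if undischarged:
        return None, f"A's guarantee does not discharge B's rely, e.g. for input {undischarged[0]}"
    composite: Behaviour = lambda i: b(a(i))
    if not satisfies(traces_generated(composite, env_a), guar_b):
        return None, "B does not meet its guarantee under its rely"
    return composite, "composite relies on A's rely and guarantees B's guarantee"


# Constructed environment and candidate outputs: all traces of length 3 over a few values.
ENV = [tuple(t) for t in product((-1, 0, 5, 15), repeat=3)]
ENV_A = [i for i in ENV if rely_nonneg(i)]
CANDIDATE_OUTPUTS = [tuple(t) for t in product((0, 5, 10), repeat=3)]


def compose_good():
    return rg_compose(limiter, rely_nonneg, guar_bounded, accumulator, rely_bounded, guar_linear, ENV)


def compose_bad():
    # An identity component in A's place lets 15 through, so A's guarantee fails.
    return rg_compose(lambda i: i, rely_nonneg, guar_bounded, accumulator, rely_bounded, guar_linear, ENV)


if __name__ == "__main__":
    composite, why = compose_good()
    print(why, composite((15, 15, 15)))
    print(compose_bad()[1])
    print(satisfies_by_inclusion(limiter, guar_bounded, ENV_A, CANDIDATE_OUTPUTS))
```

The incremental form of slide 51 is the same step applied repeatedly: the composite returned by rg_compose can itself be passed as the first argument of a further rg_compose with a third component, carrying the first component's rely and the last component's guarantee.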
52. Concrete and abstract components under composition
[Figure: abstract components A and B, each annotated with guarantee and rely (assume), joined at their ports by a connector; beside them the Abstract and Concrete versions of component A (AA and AC)]
Abstract and concrete component A (may write as AA and AC to distinguish)
The concrete component is a refinement of the abstract component. The abstract component is greater in the sense that it admits a greater set of behaviors.
We consider compositions of abstract components and refinements of such compositions that preserve the rely / guarantee relationships
Abstract components may have rely / guarantee relationship
A connector represents an information flow or causality between components
53. Abstract and concrete policy architecture elements
[Figure: ComponentA, an Abstract Component (container), beside ComponentC, a Concrete (refined) Component, each with a port; ConnectorA, an Abstract Connector standing for information flow or causality, beside ConnectorC, the Concrete Connectors standing for a mode or mechanism]
Concrete is a proper refinement of abstract: ComponentA > ComponentC
Concrete not a proper refinement of abstract (e.g., I/O): ComponentA ≤≥ ComponentC
Refinements of abstract connector:
•buffered message passing
•synchronous rendezvous
•shared memory with synch.
•shared memory w/o synch.
•etc.
A refinement may later be further refined
54. Abstract components: realised by units or composites
[Figure: ComponentA, an Abstract Component (container); ComponentC 1, a Concrete Unit realisation (monolithic) that can serve for the abstract component; ComponentC 2, a Concrete Composite realisation that can serve for the abstract component; ComponentC 1 ≈ ComponentC 2]
Equivalent unit and composite realisations are interchangeable with respect to the abstract component
55. Example: Abstract policy architecture of Rushby’s “Red-Crypto-Black” System
[Figure: abstract components RedA (R), Header bypassA (H), CryptoA (C) and BlackA (B); H and C are marked as trusted local policy-enforcing components, R and B as un-trusted components]
One may delete the dot indicating the existence of a port associated with an abstract component when a connector shown in an architecture diagram makes its existence obvious.
“Red-Crypto-Black” system: Red is connected to a Red network with sensitive data. This system is presumed to be connected to a mirror image across the Black network.
Black is connected to a network that cannot protect sensitive data. Therefore the data must be encrypted on the Black network.
56. Properties required of “Red-Crypto-Black” system established architecturally by relying on properties of trusted components H and C and the form of the composition
[Figure: the same architecture of RedA (R), Header bypassA (H), CryptoA (C) and BlackA (B), with connectors annotated r, h, c, b, i, o; H and C are trusted local policy-enforcing components, R and B un-trusted components]
Annotate connectors
Define properties
P ( Inputs, Outputs ) = plaintext ( i ) ∧ nonplaintext ( o )
H nonplaintext ( h )
C nonplaintext ( c )
plaintext ( i )
57. Realisation of “Red-Crypto-Black” System
Step 1: architecture + un-trusted components
[Figure: the architecture with concrete RedC and BlackC (un-trusted components) and still-abstract Header bypassA and CryptoA (trusted local policy-enforcing components); connectors r, h, c, b, i, o]
P ( Inputs, Outputs ) = plaintext ( i ) ∧ nonplaintext ( o )
58. Realisation of “Red-Crypto-Black” System
Step 2: policy-enforcing component Header bypass
[Figure: the architecture with concrete RedC, BlackC and Header bypassC, and still-abstract CryptoA; H and C trusted local policy-enforcing components, R and B un-trusted components; connectors r, h, c, b, i, o]
P ( Inputs, Outputs ) = plaintext ( i ) ∧ nonplaintext ( o )
59. Realisation of “Red-Crypto-Black” System
Step 3: policy-enforcing component Crypto
[Figure: the fully concrete architecture RedC, Header bypassC, CryptoC and BlackC; H and C trusted local policy-enforcing components, R and B un-trusted components; connectors r, h, c, b, i, o]
P ( Inputs, Outputs ) = plaintext ( i ) ∧ nonplaintext ( o )
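The architectural argument of slides 55 to 59, as an added Python example that is not code from the training material: the system property plaintext(i) ∧ nonplaintext(o) is derived from the shape of the connector graph plus the guarantees nonplaintext(h) and nonplaintext(c) of the trusted components, while the un-trusted components are modelled in the worst case as forwarding anything they receive. Which of the slide's labels r and b names the Red-to-Header bypass link and which the Red-to-Crypto link is my assumption, as are the connector name x used for a constructed violating link and the refine() check that stands in for the proper-refinement requirement of the realisation steps.

```python
"""Architectural reasoning for the Red-Crypto-Black policy architecture: which connectors
may carry plaintext if un-trusted components forward anything they receive, while trusted
components guarantee nonplaintext on the outputs named in their guarantee.
Constructed example; not code from the training material."""
from typing import Dict, List, Set, Tuple

Connector = Tuple[str, str, str]   # (source component, destination component, connector name)
ENV = "ENV"                        # the operational environment: source of i, sink of o

# Abstract policy architecture of slides 55 and 56. The assignment of r and b to the two
# outputs of Red is an assumption.
CONNECTORS: List[Connector] = [
    (ENV, "RedA", "i"),
    ("RedA", "Header bypassA", "r"),
    ("RedA", "CryptoA", "b"),
    ("Header bypassA", "BlackA", "h"),
    ("CryptoA", "BlackA", "c"),
    ("BlackA", ENV, "o"),
]

# Guarantees: for each component, the output connectors on which it guarantees
# nonplaintext. Un-trusted components guarantee nothing.
GUARANTEES: Dict[str, Set[str]] = {
    "RedA": set(),
    "Header bypassA": {"h"},
    "CryptoA": {"c"},
    "BlackA": set(),
}


def may_carry_plaintext(connectors: List[Connector], guarantees: Dict[str, Set[str]],
                        plaintext_inputs: Set[str]) -> Dict[str, bool]:
    """Worst-case flow analysis over the architecture graph, iterated to a fixpoint.
    A connector may carry plaintext if its source does not guarantee nonplaintext on it
    and any input of the source may carry plaintext."""
    tainted = {name: name in plaintext_inputs for _, _, name in connectors}
    changed = True
    while changed:
        changed = False
        for src, _dst, name in connectors:
            if tainted[name] or src == ENV or name in guarantees.get(src, set()):
                continue
            if any(tainted[n] for _s, d, n in connectors if d == src):
                tainted[name] = True
                changed = True
    return tainted


def system_property_holds(connectors: List[Connector], guarantees: Dict[str, Set[str]],
                          inputs=frozenset({"i"}), outputs=frozenset({"o"})) -> bool:
    """P(Inputs, Outputs) = plaintext(i) ∧ nonplaintext(o), established architecturally:
    with plaintext on i, no output connector may carry plaintext."""
    tainted = may_carry_plaintext(connectors, guarantees, set(inputs))
    return not any(tainted[o] for o in outputs)


def refine(guarantees: Dict[str, Set[str]], component: str,
           concrete_guarantees: Set[str]) -> Dict[str, Set[str]]:
    """Substitute a concrete realisation for an abstract component (slides 57 to 59).
    A proper refinement keeps every guarantee of the abstract component; otherwise the
    architectural argument no longer applies and the substitution is refused."""
    missing = guarantees[component] - concrete_guarantees
    if missing:
        raise ValueError(f"{component}: concrete realisation drops guarantee(s) {sorted(missing)}")
    refined = dict(guarantees)
    refined[component] = set(concrete_guarantees)
    return refined


def check_variants() -> Dict[str, bool]:
    """The architecture as designed, one with a direct Red-to-Black link, and one where
    Crypto is realised without its nonplaintext(c) guarantee."""
    results = {"as_designed": system_property_holds(CONNECTORS, GUARANTEES)}
    with_bypass = CONNECTORS + [("RedA", "BlackA", "x")]   # constructed violation of the architecture
    results["direct_red_black"] = system_property_holds(with_bypass, GUARANTEES)
    weak_crypto = dict(GUARANTEES, CryptoA=set())          # constructed: Crypto without its guarantee
    results["crypto_without_guarantee"] = system_property_holds(CONNECTORS, weak_crypto)
    return results


if __name__ == "__main__":
    print(check_variants())
    print(refine(GUARANTEES, "CryptoA", {"c"})["CryptoA"])
```

The analysis says nothing about what Red or Black compute; it relies only on the absence of any connector from Red to Black and on the guarantees of H and C, which is what makes it an argument about the architecture rather than about the un-trusted code. The two failing variants show the two ways the argument breaks: a connector the policy architecture does not contain, or a concrete realisation of a trusted component that is not a proper refinement of the abstract one.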
60. Assurance cases for static MILS
Pioneered in the D-MILS project with
assurance case patterns and automation
Modular presentation of argumentation and
evidence for system properties
Structured according to system model and
dependent on platform assurance case
Dynamic assurance cases for Adaptive
MILS Framework
Patterns to cover dynamic architectures
Just-in-time maintenance of assurance
case for current configuration
“Certifier-in-the-Box” – give certifiers
confidence that approach is trustworthy
MILS Assurance Cases
61. A MILS System Assurance Case
Compose assurance cases using Assume-Guarantee Reasoning
MILS System assurance requires the validity of three sub-cases
Assumptions from MILS System assurance case become obligations on the sub-cases
[Figure: the MILS System High-Level Assurance Argument supports the MILS System Claims and rests on three sub-cases: the Policy Architecture Assurance Argument (PA Claims), the MILS Platform Assurance Argument (MP Claims) and the Environment Assurance Argument (Env Claims); guarantees flow up from each sub-case to the system case and assumptions flow down from the system case to the sub-cases]
62. The MILS Platform (MP) Assurance Case
Compose assurance cases using Assume-Guarantee Reasoning
Assumptions of the MP assurance case are obligations on the MSK, MNS and MCS components’ assurance cases
Assured Claims from component assurance cases become evidence for MP assurance case
[Figure: the MILS Platform Assurance Argument supports the MP Claims and rests, through inference rules, on three sub-cases: the MSK Assurance Argument (MSK Claims), the MNS Assurance Argument (MNS Claims) and the MCS Assurance Argument (MCS Claims), each resting through its own inference rules on Evidence; guarantees flow up from the sub-cases and assumptions flow down from the MP case]
63. The MILS architectural
approach as realised in
CITADEL
The Dynamic MILS Platform
64. The Dynamic MILS Platform
Each Dynamic MILS platform foundational component provides primitives for dynamic (re-)configuration
Together these primitives provide a coherent reconfiguration interface for the MILS platform
Each distributed MILS node has a Configuration Change Agent to carry out reconfiguration instructions of the Configuration Plane
[Figure: Dynamically reconfigurable MILS Platform Node(s): a Dynamically reconfigurable Separation Kernel, a Dynamically reconfigurable MILS Network System (MNS) and Dynamically reconfigurable Time-Sensitive Network devices together form the Dynamically reconfigurable Distributed MILS Platform; their Dynamic (Re-)Configuration Primitives are exercised by the Configuration Change Agent(s)]
65. The MILS architectural
approach as realised in
CITADEL
The CITADEL Framework for Adaptive Systems
66. CITADEL MILS Platform with Adaptation
[Figure: block diagram with these elements: CITADEL modeling language; CITADEL property spec language; Language translation; Offline Verification Framework; Offline Configuration Synthesis; Static Config Tools; Adaptive MILS Evidential Tool Bus; Adaptive MILS Runtime comprising the Adaptation System, Monitoring System, Runtime Monitoring plug-in framework, Online Verification Framework, Online config’n synth, Configuration Change Monitor with its Config Chg Policy, and the Certification Assurance Artefact Repository; Configuration Change Agent; Dynamic MILS Platform comprising the Dynamic Separation kernel, Dynamic TTEthernet and Dynamic MNS, exposing Dynamic Config’n Primitives]
67. CITADEL Adaptive MILS Framework (CF)
Key elements
Dynamic Distributed MILS platform
● Dynamic MILS platform with reconfigurable deterministic networking
● Mechanisms for dynamic reconfiguration and configuration introspection
Declarative dynamic architecture modelling and verification
● Language to describe reconfigurable systems architecture, component
models, failure models and fault propagation
● Theory and framework for dynamic reconfiguration
● Theory and framework for adaptation
● Language to express critical dynamic system properties to be verified
● Compositional verification framework
Monitoring, Adaptation, Configuration, & Certification Assurance Planes
Assurance-based security evaluation methodology and runtime
mechanisms for just-in-time certification of adaptive MILS systems
68. The key characteristics of MILS
The beginnings and the evolution of
the MILS architectural approach
The concepts underlying the MILS
architectural approach
The extensions of progressive MILS
and the challenges they pose
The role of assurance in MILS
The realisation of the MILS
architectural approach in CITADEL
Summary of what’s been described
69. Planes of the CITADEL Framework (CF)
[Figure: layered view of the CITADEL Framework. FOUNDATIONAL PLANE: the MILS Platform built on the Separation Kernel with MNS, MFS, MCS and MEA. OPERATIONAL PLANE(S): partitions P 1 to P 5. MONITORING PLANE / FW: Fault Diagnoser, COMMSTATE, RESOURCE, FDI. CONFIGURATION PLANE: Config Cmds issued to the platform. ADAPTATION PLANE: Target Config. Flows between the planes are labelled Exceptions, Introspection, Observations & Events and Certification Assurance Artifact]