By Paul Parkinson
Earlier this week, I had the opportunity to attend the 2nd International Workshop on MILS: Architecture and Assurance for Secure Systems in Prague, which was organised by the EURO-MILS consortium, and was co-hosted with the HiPEAC 2016 conference on computing architecture, programming models, compilers and operating systems for embedded and general-purpose architecture.
I was very interested to hear about the experiences gained using the Multiple Independent Levels of Security (MILS) architecture in recent projects, and in particular the increasingly diverse range of applications where MILS is being used. It is no longer used just for high-assurance civil and military applications, but increasingly in other systems where cyber security is becoming a more and more important requirement. Examples included earth observation satellites, energy smart grid systems, and automotive dashboard applications.
There were also a number of recurring themes during the workshop; one which particularly stood out was composability. This was discussed in the context of a compositional system design whereby a component in a MILS system could be replaced with another. There was also discussion about compositional security certification, and how this could be undertaken using a “Non-interference composed evaluation” methodology. These approaches could enable the development of reusable components which could be used to develop high-assurance systems at affordable cost.
A number of the presenters also made reference to the increasing use of the Architecture Analysis and Design Language (AADL) in the development of MILS systems. AADL is designed for the specification, analysis, design and automatic code generation of distributed real-time systems, and has in recent years been used in the development of complex safety-critical avionics systems. It was interesting to hear that the experience gained with AADL and its mature toolset support could be applied to the system modelling of MILS systems.
I also had the opportunity to present a paper, “Applying MILS to Multicore Avionics Systems”, which discussed the design and implementation considerations for MILS on the P4080 multicore processor and the implementation of a number of MILS use cases, including a Cross-Domain System (CDS) network gateway and the consolidation of aircraft data network domains. If you’re planning to develop a system which needs to support multiple domains or security classifications, you may wish to consider reading it.
Finally, I couldn’t visit Prague without taking the opportunity to dash outside to take a few photos of this stunning city, and even the snow, ice and sub-zero temperatures weren’t enough to put me off running along Most Legií (Legion Bridge) to take a few shots of Prague Castle.