
Page 1

seL4 & Agile and Resilient Embedded Systems (ARES)

Douglas Schafer / Program Manager

Information Directorate; November 14, 2018

DISTRIBUTION A. Approved for public release: distribution unlimited. Case Number 88ABW-2018-5644 20181108

Page 2

Challenge

• Highly complex & connected

• Multi-vendor; Intellectual property

• Procurement and funding

Page 3

ARES and seL4

To a high technology readiness level:

• Design-in embedded system software cybersecurity and resilience

• Decouple computing layers

• Integrate and protect 3rd party applications

• Address three pillars of cybersecurity by developing capabilities aligned with Cyber Survivability Attributes (CSA) [1]

  • Protect, Mitigate, Recover

• Implement and demonstrate feasibility meeting needs of Air Force weapon systems

[1] United States Air Force Systems Security Engineering Guidebook, 8 May 2018, v1.3

Page 4

ARES Architecture & Software Development

Page 5

Current SW Environment

[Figure: current software stack. Layers, bottom to top: CPU / Memory / Peripherals; Drivers; Operating System; Applications]

Security posture, in general:

• Tightly coupled

• Unsecured communication

• Lack of partitioning*

• Lack of interface control

• Lack of monitoring and response

Significant cost in time, complexity, and funds to modify

*Some systems implement commercial software separation kernels.

Page 6

Current SW Environment

[Figure: the same current software stack (CPU / Memory / Peripherals; Drivers; Operating System; Applications) overlaid with attack imagery]

Image source: https://www.google.com/search?q=cyber+attack

Attacks result in unchecked accesses and adversarial freedom of maneuver.

No controls on memory access, processes, interfaces, or boundaries. So, how to protect and assuredly operate mission applications?

Notional depiction for illustration only

Page 7

ARES SW Environment

[Figure: side-by-side stacks. Current: CPU / Memory / Peripherals; Drivers; Operating System; Applications. ARES: CPU / Memory / Peripherals; Hardware Abstraction; Software Separation; Virtual Machine Manager; Operating System; Security and Resilience Services; Applications]

• Fully isolates and controls applications

• Restricts permissions and accesses

• Protects and monitors processes & memory, interfaces, and information in-transit (confidentiality & integrity)

• Secures communication via dynamic encryption

• Enforces specified rules and policies

Addresses susceptibilities & monitors behaviors

Page 8

Complete SW Development

• Common library support and driver development

• Secure Virtual Machine Manager hosting multiple, concurrent virtual machines

• Interprocess Communication encryption

• Process and memory introspection

• Successful integration of small unmanned system flight and autopilot applications

• Successful testing against cyber attack classes

In-progress SW Development

• Integration of industry flight management and control system

• Implementation within industry-grade small unmanned system flight module

• Flight and cyber assessment testing (4 QTR FY19)


Page 9

Cyber Assessment

Page 10

Cyber Mission Assurance

Objective

Create a methodology and metric to quantitatively assess cyber mission assurance, enabling:

• Return on investment analysis

• Comparative designs

• Execution evaluation

Align to USAF Systems Security Engineering Acquisition Guidebook: Prevent / Mitigate / Recover

Methodology

• Mission decomposition into mission essential functions

• System and sub-systems identified

• Failure conditions and behaviors enumerated

• Protection and mitigation techniques aligned

• Assess ability to detect, isolate, and recover

Page 11

Metric

• Missions exist in elements of time

• Establish:

  • Mission time (tm)

  • Survival time (ts)

• Assess ability and time to detect, isolate, recover:

  • Time to detect (td)

  • Time to isolate (ti)

  • Time to recover (tr)

• Score (1, 0) based on:

Detectability (D) = 1 iff td < tm,

Isolability (I) = 1 iff (td + ti) < ts, and

Recoverability (R) = 1 iff (td + ti + tr) < tm

[Figure: mission timeline. Phases: Mission Capable; Compromised Capacity; Survival Capacity; Mission Capable. Events: Detect, Isolate, Recover, annotated with the constraints (td + ti) < ts and (td + ti + tr) < tm]

Page 12

DIR Assessment Example (Octo-copter)

For baseline and modified flight system:

• Assessed failure conditions for DIR

• Measured time

Performed decomposition:

• Identified failure states and types

• Aligned mitigation and assessed DIR

• Selected design maximizing increase
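As an added illustration (not from the presentation or the ARES program), the DIR scoring rules from the Metric slide and the baseline-versus-modified design comparison described above, in Python. The octo-copter failure conditions, timings, survival/mission times and candidate design names are constructed sample values, not the program's measurements.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class FailureTiming:
    """Seconds for one failure condition; math.inf = never happened in-mission."""
    condition: str
    tm: float  # mission time
    ts: float  # survival time: how long compromised capacity is tolerated
    td: float  # time to detect
    ti: float  # time to isolate
    tr: float  # time to recover

def dir_score(f: FailureTiming) -> tuple[int, int, int]:
    """1/0 scores exactly as the slide defines them:
    D iff td < tm; I iff td + ti < ts; R iff td + ti + tr < tm."""
    d = int(f.td < f.tm)
    i = int(f.td + f.ti < f.ts)
    r = int(f.td + f.ti + f.tr < f.tm)
    return d, i, r

def design_score(failures: list[FailureTiming]) -> int:
    """Roll-up per design (constructed, not the program's): sum of D+I+R over
    all enumerated failure conditions, at most 3 per condition."""
    return sum(sum(dir_score(f)) for f in failures)

def select_design(baseline: list[FailureTiming], candidates: dict) -> tuple[str, int]:
    """Candidate whose DIR total rises most over baseline: (name, increase)."""
    base = design_score(baseline)
    name = max(candidates, key=lambda n: design_score(candidates[n]) - base)
    return name, design_score(candidates[name]) - base

# Constructed sample data for a hypothetical octo-copter: 600 s mission that
# tolerates 30 s of compromised capacity; baseline vs two modified designs.
BASELINE = [
    FailureTiming("GPS feed spoofed", 600, 30, math.inf, math.inf, math.inf),
    FailureTiming("autopilot memory corruption", 600, 30, 45, 10, math.inf),
]
CANDIDATES = {
    "introspection only": [
        FailureTiming("GPS feed spoofed", 600, 30, 5, math.inf, math.inf),
        FailureTiming("autopilot memory corruption", 600, 30, 2, 10, 120),
    ],
    "introspection + VMM partitioning": [
        FailureTiming("GPS feed spoofed", 600, 30, 5, 3, 40),
        FailureTiming("autopilot memory corruption", 600, 30, 2, 1, 15),
    ],
}
```

With these constructed timings the baseline scores 1 of a possible 6, introspection alone scores 4, and introspection plus VMM partitioning scores 6, so `select_design` returns the latter with an increase of 5.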

Page 13

Summary

• ARES architecture allows use of 3rd party applications

• Decouples and encapsulates

• Tightly controls and monitors, prevents unauthorized actions

• Instill confidentiality, integrity, and authentication

• Leader in SW separation research & development

• Cyber mission assurance assessment and metric

• SW Technology Readiness Level 6+


Page 14

[email protected]

DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government agencies and their contractors , Critical Technology, October 2014. Other requests for this document shall be referred to AFRL/RIG.
