Connecting your Coffee-Shop Laptop to a Life-critical System

Transcription

1 Connecting your Coffee-Shop Laptop to a Life-critical System Jean Arlat, Yves Deswarte, Youssef Laarouchi, Éric de Nadai, David Powell 57th IFIP 10.4 working group meeting, Ishigaki, Japan, January 2010

2 Outline Introduction Levels of confidence Multi-level confidence models Platform virtualization Laptop prototype Conclusion

3 Outline Introduction Levels of confidence Multi-level confidence models Platform virtualization Laptop prototype Conclusion

4 t Case study 1: electronic flight-book Take-off computation Onboard computer Airport Pilot Onboard equipment Airline Company

5 t Case study 1: electronic flight-book Take-off computation Onboard computer Airport Pilot Onboard equipment Airline Company

6 Case study 2: maintenance laptop Onboard equipment Pilot Maintenance engineer Flight logbook Maintenance terminal Paper manuals Electronic manuals

7 Case study 2: maintenance laptop Onboard equipment Pilot Maintenance engineer Flight logbook Maintenance terminal Paper manuals Maintenance laptop

8 Motivations Less manual intervention reduce stopover time and delays Laptop flexibility and convenience single mobile interface COTS hardware and operating system economic genericity and flexibility

9 Enabling technologies Totel et al s "multi-level integrity" model [FTCS-28] framework for executing tasks of different criticality levels in a single system requires a trusted computing base (TCB) to isolate levels and mediate the flow of data applies fault-tolerance techniques to allow data to flow from low levels to higher levels Platform virtualization techniques provide isolation and mediation between virtual machines attractive approach for implementing TCB

10 Outline Introduction Levels of confidence Multi-level confidence models Platform virtualization Laptop prototype Conclusion

11 Criticality and confidence Criticality Severity of task failure Criticality of task Categorize severity (& criticality) in discrete levels according to consequence of failure e.g., none, minor, major, dangerous, catastrophic Confidence Criticality of task Confidence in task execution Convenient to categorize confidence in discrete levels that correspond with levels of criticality

12 Confidence attributes Validation (of a module) effort deployed in assuring that a module meets its specifications - e.g., DO-178B for software, DO-254 for hardware Credibility (of sources) belief in source(s) of data input to a module - e.g., expertise of human operator - e.g., reliability and accuracy of data sensor Integrity (of resources) degree of trust that module's code, data and other resources, are free from corruption

13 Levels of criticality and confidence Task criticality Execution confidence Very high High Medium Low Failure severity Module validation Source credibility Resource integrity

14 Levels of criticality and confidence Task criticality Execution confidence Very high High Medium Low Failure severity Module validation Source credibility Resource integrity

15 Levels of criticality and confidence Task criticality Execution confidence Very high High Medium? + +? DO-178B Low : "Dissimilar software verification methods may be reduced from those used to verify single version software if it can be shown that the resulting potential loss of system function is acceptable as determined Failure by the system safety assessment process." severity Module validation Source credibility Resource integrity

16 Outline Introduction Levels of confidence Multi-level confidence models Platform virtualization Laptop prototype Conclusion

17 Isolation Separation of data flows (& other dependencies) Confidence Very high High Medium Low

18 Mediation Control of data flows Confidence Very high High Medium Low

19 Totel's model Allows controlled updward data flows e.g., likelihood check Confidence Very high O2 writes O3 O2 writes O4 High O3 reads O4 Medium Low TCB: Trusted Computing Base VO: Validation Object

20 Totel's model Allows controlled updward data flows cross-check Confidence Very high O2 writes O3 O2 writes O4 High O3 reads O4 Medium Low TCB: Trusted Computing Base VO: Validation Object

21 Common sources Potential common-mode fault? Confidence Very high High source (O2) at same level of confidence as final consumer (O1) source (O4) at lower level of confidence as final consumer (O1) Medium Low TCB: Trusted Computing Base VO: Validation Object

22 Common sources Potential common-mode fault Confidence Very high High Medium Low TCB: Trusted Computing Base VO: Validation Object

23 Bridging the complexity gap... Confidence Must be simple Very high High Medium Can be less simple & more vulnerable Low TCB: Trusted Computing Base VO: Validation Object

24 Bridging the complexity gap......with proxies Confidence Must be simple Very high High TCB VO Proxy Medium Can be less simple & more vulnerable Low TCB: Trusted Computing Base VO: Validation Object

25 TCB implementation Totel prototypes (1998) CORBA-compliant middleware Micro-kernel Current work Hypervisor

26 Outline Introduction Levels of confidence Multi-level confidence models Platform virtualization Laptop prototype Conclusion

27 Platform virtualization Confidence Very high High Medium Low VM VM VM VM VM Hypervisor or Virtual Machine Monitor

28 Virtualization techniques Hypervisor Hypervisor Host system Hardware Hardware Type 1 Type 2 e.g., Xen e.g., VMware

29 Some certified hypervisors Polyxène Bertin Technologie CC EAL 5 certification LynxSecure LynuxWorks "Designed to CC EAL-7 and DO-178B level A" INTEGRITY Secure Virtualization Green Hills Software, Inc. "Built on the world's only CC EAL6+ High- Robustness-certified OS technology" - (INTEGRITY-178B separation kernel certified to CC EAL-6+)

30 Outline Introduction Levels of confidence Multi-level confidence models Platform virtualization Laptop prototype Conclusion

31 Connecting a laptop Flight management Aircraft management Aircraft information system "Off-board"

32 Connecting a laptop?

33 Connecting a laptop Model MVC design pattern for HMI Controller View View Visual presentation Controller Logic (responses to user events) Model Back-end database

34 Diverse OS s with virtualization Model VO Model Controller Controller View Safe VM View Hypervisor Hardware

35 Solution 1 : custom-bred operator... + =? Vishnu Janus

36 Solution 2 : custom-built software Model VO Model Controller Controller View Safe VM Hypervisor Hardware

37 Solution 3 : I/O interception Model VO Model Controller Controller Controller' View View Safe VM View Hypervisor Hardware

38 View Controller Model Interception options Model Controller Event/Action Event/Action View SWING JVM instructions JVM OS instructions Safe VM SWING JVM instructions JVM OS instructions Hypervisor VNC Client Graphic Driver XEN Hardware

39 View Model Implementation to aircraft equipment 6' Model VO 6" Controller View 3 Controller' 3 Controller AspectJ 2 View 2 AspectJ SWING SWING SWING JVM JVM Safe VM JVM Hypervisor 1 7 Error XEN Hardware

40 Model Controller?! 6" VO View Controller' Model View Implementation 6' 3 3 Controller AspectJ 2 View 2 AspectJ SWING SWING SWING JVM JVM Safe VM JVM Hypervisor 1 7 Error XEN Hardware

41 Implementation X 6' X?! X Model 6" VO Controller View Controller' View 2 AspectJ AspectJ SWING SWING SWING JVM JVM JVM Safe VM Model Controller View Hypervisor 1 7 Error XEN Hardware Reboot Change laptops Revert to maintenance terminal Go to the beach...

42 Replica Non-Determinism Can cause false positives Timing current solution : - over-dimensioned timeout on 2nd response 170 µs Multi-threading current solution : - 3 threads are independent - outputs of each thread are identified and validated independently

43 Outline Introduction Levels of confidence Multi-level confidence models Platform virtualization Laptop prototype Conclusion

44 Conclusion Virtualization attractive solution for implementing multiple levels of confidence on a single machine Assumes hypervisor can be trusted at highest level of confidence Proof-of-concept prototype maintenance laptop application Future work relaxing constraints imposed to avoid false positives dealing with non-determinism in a more general way guarantee integrity of platform from boot to run-time