Connecting your Coffee-Shop Laptop to a Life-critical System Jean Arlat, Yves Deswarte, Youssef Laarouchi, Éric de Nadai, David Powell 57th IFIP 10.4 working group meeting, Ishigaki, Japan, 21-25 January 2010
Outline Introduction Levels of confidence Multi-level confidence models Platform virtualization Laptop prototype Conclusion
Outline Introduction Levels of confidence Multi-level confidence models Platform virtualization Laptop prototype Conclusion
t Case study 1: electronic flight-book Take-off computation Onboard computer Airport Pilot Onboard equipment Airline Company
t Case study 1: electronic flight-book Take-off computation Onboard computer Airport Pilot Onboard equipment Airline Company
Case study 2: maintenance laptop Onboard equipment Pilot Maintenance engineer Flight logbook Maintenance terminal Paper manuals Electronic manuals
Case study 2: maintenance laptop Onboard equipment Pilot Maintenance engineer Flight logbook Maintenance terminal Paper manuals Maintenance laptop
Motivations Less manual intervention reduce stopover time and delays Laptop flexibility and convenience single mobile interface COTS hardware and operating system economic genericity and flexibility
Enabling technologies Totel et al s "multi-level integrity" model [FTCS-28] framework for executing tasks of different criticality levels in a single system requires a trusted computing base (TCB) to isolate levels and mediate the flow of data applies fault-tolerance techniques to allow data to flow from low levels to higher levels Platform virtualization techniques provide isolation and mediation between virtual machines attractive approach for implementing TCB
Outline Introduction Levels of confidence Multi-level confidence models Platform virtualization Laptop prototype Conclusion
Criticality and confidence Criticality Severity of task failure Criticality of task Categorize severity (& criticality) in discrete levels according to consequence of failure e.g., none, minor, major, dangerous, catastrophic Confidence Criticality of task Confidence in task execution Convenient to categorize confidence in discrete levels that correspond with levels of criticality
Confidence attributes Validation (of a module) effort deployed in assuring that a module meets its specifications - e.g., DO-178B for software, DO-254 for hardware Credibility (of sources) belief in source(s) of data input to a module - e.g., expertise of human operator - e.g., reliability and accuracy of data sensor Integrity (of resources) degree of trust that module's code, data and other resources, are free from corruption
Levels of criticality and confidence Task criticality Execution confidence Very high High Medium Low Failure severity Module validation Source credibility Resource integrity
Levels of criticality and confidence Task criticality Execution confidence Very high High Medium Low Failure severity Module validation Source credibility Resource integrity
Levels of criticality and confidence Task criticality Execution confidence Very high High Medium? + +? DO-178B Low : "Dissimilar software verification methods may be reduced from those used to verify single version software if it can be shown that the resulting potential loss of system function is acceptable as determined Failure by the system safety assessment process." severity Module validation Source credibility Resource integrity
Outline Introduction Levels of confidence Multi-level confidence models Platform virtualization Laptop prototype Conclusion
Isolation Separation of data flows (& other dependencies) Confidence Very high High Medium Low
Mediation Control of data flows Confidence Very high High Medium Low
Totel's model Allows controlled updward data flows e.g., likelihood check Confidence Very high O2 writes O3 O2 writes O4 High O3 reads O4 Medium Low TCB: Trusted Computing Base VO: Validation Object
Totel's model Allows controlled updward data flows cross-check Confidence Very high O2 writes O3 O2 writes O4 High O3 reads O4 Medium Low TCB: Trusted Computing Base VO: Validation Object
Common sources Potential common-mode fault? Confidence Very high High source (O2) at same level of confidence as final consumer (O1) source (O4) at lower level of confidence as final consumer (O1) Medium Low TCB: Trusted Computing Base VO: Validation Object
Common sources Potential common-mode fault Confidence Very high High Medium Low TCB: Trusted Computing Base VO: Validation Object
Bridging the complexity gap... Confidence Must be simple Very high High Medium Can be less simple & more vulnerable Low TCB: Trusted Computing Base VO: Validation Object
Bridging the complexity gap......with proxies Confidence Must be simple Very high High TCB VO Proxy Medium Can be less simple & more vulnerable Low TCB: Trusted Computing Base VO: Validation Object
TCB implementation Totel prototypes (1998) CORBA-compliant middleware Micro-kernel Current work Hypervisor
Outline Introduction Levels of confidence Multi-level confidence models Platform virtualization Laptop prototype Conclusion
Platform virtualization Confidence Very high High Medium Low VM VM VM VM VM Hypervisor or Virtual Machine Monitor
Virtualization techniques Hypervisor Hypervisor Host system Hardware Hardware Type 1 Type 2 e.g., Xen e.g., VMware
Some certified hypervisors Polyxène Bertin Technologie CC EAL 5 certification LynxSecure LynuxWorks "Designed to CC EAL-7 and DO-178B level A" INTEGRITY Secure Virtualization Green Hills Software, Inc. "Built on the world's only CC EAL6+ High- Robustness-certified OS technology" - (INTEGRITY-178B separation kernel certified to CC EAL-6+)
Outline Introduction Levels of confidence Multi-level confidence models Platform virtualization Laptop prototype Conclusion
Connecting a laptop Flight management Aircraft management Aircraft information system "Off-board"
Connecting a laptop?
Connecting a laptop Model MVC design pattern for HMI Controller View View Visual presentation Controller Logic (responses to user events) Model Back-end database
Diverse OS s with virtualization Model VO Model Controller Controller View Safe VM View Hypervisor Hardware
Solution 1 : custom-bred operator... + =? Vishnu Janus
Solution 2 : custom-built software Model VO Model Controller Controller View Safe VM Hypervisor Hardware
Solution 3 : I/O interception Model VO Model Controller Controller Controller' View View Safe VM View Hypervisor Hardware
View Controller Model Interception options Model Controller Event/Action Event/Action View SWING JVM instructions JVM OS instructions Safe VM SWING JVM instructions JVM OS instructions Hypervisor VNC Client Graphic Driver XEN Hardware
View Model Implementation to aircraft equipment 6' Model VO 6" Controller 5 5 4 6 4 View 3 Controller' 3 Controller AspectJ 2 View 2 AspectJ SWING SWING SWING JVM JVM Safe VM JVM Hypervisor 1 7 Error XEN Hardware
Model Controller?! 6" VO 5 5 4 6 4 View Controller' Model View Implementation 6' 3 3 Controller AspectJ 2 View 2 AspectJ SWING SWING SWING JVM JVM Safe VM JVM Hypervisor 1 7 Error XEN Hardware
Implementation X 6' X?! X Model 6" VO Controller 5 5 4 6 4 View Controller' 3 3 2 View 2 AspectJ AspectJ SWING SWING SWING JVM JVM JVM Safe VM Model Controller View Hypervisor 1 7 Error XEN Hardware Reboot Change laptops Revert to maintenance terminal Go to the beach...
Replica Non-Determinism Can cause false positives Timing current solution : - over-dimensioned timeout on 2nd response 170 µs Multi-threading current solution : - 3 threads are independent - outputs of each thread are identified and validated independently
Outline Introduction Levels of confidence Multi-level confidence models Platform virtualization Laptop prototype Conclusion
Conclusion Virtualization attractive solution for implementing multiple levels of confidence on a single machine Assumes hypervisor can be trusted at highest level of confidence Proof-of-concept prototype maintenance laptop application Future work relaxing constraints imposed to avoid false positives dealing with non-determinism in a more general way guarantee integrity of platform from boot to run-time