Information Assurance and Integrated Modular Avionics - PowerPoint PPT Presentation

1
Information Assurance and Integrated Modular Avionics
  • IEEE Systems Conference 2008
  • April 9, 2008
  • David Pierce, PhD
  • Systems/Software/IA Engineer
  • GE Aviation (formerly Smiths Aerospace)
  • Co-Author: Justin Littlefield

2
Points of Discussion
  • Integrated Modular Avionics
  • Information Assurance
  • Certification
  • Evaluation of System Properties
  • Composability Problems
  • Conclusions

3
Integrated Modular Avionics
  • Why IMA?
    • Addresses avionics concerns such as power, volume, weight, and cost
    • Adds flexibility to Systems Engineering
    • Addresses certification
    • Opens up systems architecture

4
Integrated Modular Avionics
  • Why IMA?
    • May increase parts of certification, but this is offset by later certification efforts
    • Needs open standards, such as ARINC 653
    • Needs coordination between parties

5
Integrated Modular Avionics
  • Notional IMA Architecture
    • Provides a basis for discussion
      • Separation of properties
      • Interface definition
      • Analysis
    • Interested in the operating system and application interface
    • Also need properties from the platform abstraction layer to assist

6
(No Transcript)
7
Information Assurance
  • Protection of data for the sake of data
  • Protection of data for the sake of personnel
  • Increasing requirements from DoD, DHS, and FAA, such as NIST 800, FISMA, and DIACAP

8
Information Assurance
  • Multiple Levels of Security (MLS)
  • Separation Kernel (SK)
  • Certify with specific IA properties

9
Information Assurance
  • For IMA, provide
    • Data separation
    • Information flow control
  • Must be NEAT
    • Non-bypassable
    • Evaluatable
    • Always-invoked
    • Tamperproof

10
Certification
  • Certification requires specific processes
  • Safety assurance processes generally assume good-willed people
  • Security certification generally assumes ill-willed people
  • Certification may or may not contribute to system development

11
Certification
  • DO-178B provides 67 objectives for the development process
  • Objectives are included or omitted based on the level of certification desired
  • Level E requires nothing, Level A requires everything, and the rest are in between
  • Includes requirements, architecture, and traceability

12
Certification
  • Common Criteria (CC) has levels EAL1 up to EAL7, or Low-, Mid-, and High Robustness
  • EAL4 and below have rough equivalents in DO-178B
  • EAL5-7 and High Robustness require significantly more extensive processes than DO-178B

13
Certification
  • Some examples of CC security functions
    • Class FAU Security audit
    • Class FCO Communication
    • Class FCS Cryptographic support
    • Class FDP User data protection
    • Class FIA Identification and authentication
    • Class FMT Security management
    • Class FPR Privacy
    • Class FPT Protection of the TSF
    • Class FRU Resource utilization
    • Class FTA TOE access
    • Class FTP Trusted path/channels

14
Certification
  • Some examples of CC assurance processes
    • Class ADV Development
    • Class AGD Guidance documents
    • Class ALC Life cycle support
    • Class ATE Tests
    • Class AVA Vulnerability assessment
    • Class ACO Composition

15
Evaluation of System Properties
  • IMA and IA have specific properties in each of the component parts
    • Interface definitions (speed, protocol, labeling)
    • Functions (data separation in a specific context, information flow, configuration)
  • Represent these properties in our system model for evaluation

16
Evaluation of System Properties
  • System models can have many forms
  • In IA certification, there are generally three levels: informal, semi-formal, and formal
  • These have varied levels of usefulness depending on the task at hand
  • More formal is not necessarily better

17
Evaluation of System Properties
  • Informal is typically a "shall" statement
  • Semi-formal has more structure, such as UML
  • Formal is a strict mathematical model
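As an added illustration, not part of the slides, of the slide 9 properties (data separation, information flow control, NEAT) and of the model-based evaluation in slides 15 to 17, the following Python model treats a constructed partition/channel configuration table as the only source of allowed flows, mediates every transfer through one always-invoked check, and evaluates two properties over the configuration: no configured channel carries data to a lower classification, and partitions that must stay isolated cannot reach each other even indirectly. The partition names, labels and channels are hypothetical.

```python
# Hypothetical MLS levels, ordered low to high (constructed, not from the slides).
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP_SECRET": 2}

# Constructed configuration: a label per partition plus the explicitly
# configured inter-partition channels as (source, destination) pairs.
CONFIG = {
    "partitions": {"nav": "UNCLASSIFIED", "mission": "SECRET",
                   "crypto": "TOP_SECRET", "maint": "UNCLASSIFIED"},
    "channels": {("nav", "mission"), ("mission", "crypto"), ("crypto", "maint")},
}

def flow_allowed(config, src, dst):
    """Reference-monitor decision: a message may cross partitions only over
    a channel explicitly present in the configuration (data separation)."""
    return (src, dst) in config["channels"]

def send(config, src, dst, audit):
    """The only transfer path, so the monitor is always invoked; each
    decision is appended to the audit trail so behaviour can be evaluated."""
    decision = flow_allowed(config, src, dst)
    audit.append((src, dst, "ALLOW" if decision else "DENY"))
    return decision

def downward_channels(config):
    """Evaluatable property over the configuration itself: channels whose
    destination partition is less classified than its source."""
    labels = config["partitions"]
    return sorted((s, d) for s, d in config["channels"]
                  if LEVELS[labels[s]] > LEVELS[labels[d]])

def reachable(config, src):
    """Partitions reachable from src over one or more configured channels,
    so indirect flows through an intermediary partition are counted too."""
    seen, frontier = set(), [src]
    while frontier:
        cur = frontier.pop()
        for s, d in config["channels"]:
            if s == cur and d not in seen:
                seen.add(d)
                frontier.append(d)
    return seen

def isolation_violations(config, isolated_pairs):
    """Report required-isolated pairs (a, b) where a can reach b at all."""
    return [(a, b) for a, b in isolated_pairs if b in reachable(config, a)]
```

With the constructed table, the audit of the configuration flags the crypto-to-maint channel as a downward flow and shows that nav can reach maint through two intermediaries, which is what a reviewer would want the model to surface before any runtime check is trusted.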

18
Composability Problems
  • Open standards promote interfaces that assist composability
  • Certification supports verification of the composed system
  • Specific assurance tasks can aid composability, such as traceability and executable/analyzable models

19
Conclusions
  • Composability remains a difficult issue for IMA
    and IA properties
  • Assurance methods may assist with composability
    but do not resolve it
  • More formal methods do not necessarily help