Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Copyright 2014 Rockwell Collins, Inc. All rights reserved. Resolute: An Assurance Case Language for Architecture Models Andrew Gacek, John Backes, Darren.

Published byImogene Crawford Modified over 8 years ago

Similar presentations

Presentation on theme: "© Copyright 2014 Rockwell Collins, Inc. All rights reserved. Resolute: An Assurance Case Language for Architecture Models Andrew Gacek, John Backes, Darren."— Presentation transcript:

1 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Resolute: An Assurance Case Language for Architecture Models Andrew Gacek, John Backes, Darren Cofer, Konrad Slind – Rockwell Collins Mike Whalen – University of Minnesota High Integrity Language Technology 20 October 2014

2 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. HACMS– Security of Cyber Physical Systems 2 Security vulnerabilities that can lead to safety hazards

3 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Evidence in the model How can we make high-level claims about correctness? Combine heterogeneous evidence from multiple sources –Galois: IVORY DSL –NICTA: Sel4 Microkernel –Boeing: Internal Processes and Best Practices 3

4 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Assurance Cases A reasoned and compelling argument, supported by a body of evidence, that a system, service or organization will operate as intended for a defined application in a defined environment –GSN community standard V1 A graphical representation of an argument supported by evidence May address different system aspects –Safety –Security –Correctness 4

5 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Assurance Cases Goal Structuring Notation (GSN) is used in several tools –Goals: claims about the system –Strategy: argues why a goal is true –Assumptions –Solution: leaf level evidence 5

6 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Assurance Cases Positives –Informal –Can include many different sources of evidence –Understandable by domain experts –Captures structure of argument Negatives –Informal –Not strongly tied to the system design –Semantics are loose (English is ambiguous) 6

7 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Assurance Cases Negatives –Informal –Not strongly tied to the system design –Semantics are loose (English is ambiguous) Resolute: An Assurance Case Language for Architecture Models –Use a logic to generate an assurance case –Make the structure of the system architecture dictate the structure of the assurance case –Use an architectural design language with defined semantics (AADL) 7

8 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Resolute Language Claims and rules for satisfying those claims Rules and claims parameterized by AADL types Assurance cases instantiated with elements from AADL model 8 memory_protected(p : process) <= ** "The memory of process " p " is protected from alterations by other processes" ** property(p, SMACCM::OS) = "SeL4" or (property(p, SMACCM::OS) = "eChronos" and forall (mem : memory). bound(p, mem) => forall (q : process). bound(q, mem) => memory_safe_process(q))

9 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Resolute Logic Rules are sufficient but not complete –No closed world assumption (similar to other logic programing languages) This means a claim can never be used in a negative context –“The absence of evidence is not evidence of absence” Resolute supports computations which can be used in a negative context 9 memory_protected(p : process) <= ** "The memory of process " p " is protected from alterations by other processes" ** property(p, SMACCM::OS) = "SeL4" or (property(p, SMACCM::OS) = "eChronos" and forall (mem : memory). bound(p, mem) => forall (q : process). bound(q, mem) => memory_safe_process(q))

10 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Tool Environment Implemented as an annex in AADL Uses Xtext to work fluidly in OSATE 10 process implementation Main_Loop.Impl subcomponents SS: thread Sensors; CCT: thread Command_Control_Telemetry; RC: thread Radio_Control; SN: thread Stability_Navigation; MC: thread Motor_Control; DC: thread Decrypt; annex resolute {** prove only_receive_gs(this.MC) prove schedulable(this) **}; end Main_Loop.Impl;

11 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. 11 memory_protected(p : process) <= ** "The memory of process " p " is protected from alterations by other processes" ** property(p, SMACCM::OS) = "SeL4" or (property(p, SMACCM::OS) = "eChronos" and forall (mem : memory). bound(p, mem) => forall (q : process). bound(q, mem) => memory_safe_process(q)) memory_safe_process(p : process) <= ** "The process " p " only writes to its own memory space" ** forall (t : thread). contained(t, p) => memory_safe_thread(t) memory_safe_thread(t : thread) <= ** "The thread " t " only writes to its own memory space" ** ivory_thread(t) ivory_thread(t : thread) <= ** "The thread " t " is generated from Ivory" ** property(t, SMACCM::Language) = "Ivory"

12 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. 12 memory_protected(p : process) <= ** "The memory of process " p " is protected from alterations by other processes" ** property(p, SMACCM::OS) = "SeL4" or (property(p, SMACCM::OS) = "eChronos" and forall (mem : memory). bound(p, mem) => forall (q : process). bound(q, mem) => memory_safe_process(q)) memory_safe_process(p : process) <= ** "The process " p " only writes to its own memory space" ** forall (t : thread). contained(t, p) => memory_safe_thread(t) memory_safe_thread(t : thread) <= ** "The thread " t " only writes to its own memory space" ** ivory_thread(t) ivory_thread(t : thread) <= ** "The thread " t " is generated from Ivory" ** property(t, SMACCM::Language) = "Ivory" Process “System.Proc1” protected from other processes

13 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. 13 memory_protected(p : process) <= ** "The memory of process " p " is protected from alterations by other processes" ** property(p, SMACCM::OS) = "SeL4" or (property(p, SMACCM::OS) = "eChronos" and forall (mem : memory). bound(p, mem) => forall (q : process). bound(q, mem) => memory_safe_process(q)) memory_safe_process(p : process) <= ** "The process " p " only writes to its own memory space" ** forall (t : thread). contained(t, p) => memory_safe_thread(t) memory_safe_thread(t : thread) <= ** "The thread " t " only writes to its own memory space" ** ivory_thread(t) ivory_thread(t : thread) <= ** "The thread " t " is generated from Ivory" ** property(t, SMACCM::Language) = "Ivory" Process “System.Proc1” protected from other processes Process “System.Proc1” Writes to own memory

14 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. 14 memory_protected(p : process) <= ** "The memory of process " p " is protected from alterations by other processes" ** property(p, SMACCM::OS) = "SeL4" or (property(p, SMACCM::OS) = "eChronos" and forall (mem : memory). bound(p, mem) => forall (q : process). bound(q, mem) => memory_safe_process(q)) memory_safe_process(p : process) <= ** "The process " p " only writes to its own memory space" ** forall (t : thread). contained(t, p) => memory_safe_thread(t) memory_safe_thread(t : thread) <= ** "The thread " t " only writes to its own memory space" ** ivory_thread(t) ivory_thread(t : thread) <= ** "The thread " t " is generated from Ivory" ** property(t, SMACCM::Language) = "Ivory" Process “System.Proc1” protected from other processes Process “System.Proc1” Writes to own memory “System.Proc1.Thread1” Writes to own memory

15 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. 15 memory_protected(p : process) <= ** "The memory of process " p " is protected from alterations by other processes" ** property(p, SMACCM::OS) = "SeL4" or (property(p, SMACCM::OS) = "eChronos" and forall (mem : memory). bound(p, mem) => forall (q : process). bound(q, mem) => memory_safe_process(q)) memory_safe_process(p : process) <= ** "The process " p " only writes to its own memory space" ** forall (t : thread). contained(t, p) => memory_safe_thread(t) memory_safe_thread(t : thread) <= ** "The thread " t " only writes to its own memory space" ** ivory_thread(t) ivory_thread(t : thread) <= ** "The thread " t " is generated from Ivory" ** property(t, SMACCM::Language) = "Ivory" Process “System.Proc1” protected from other processes Process “System.Proc1” Writes to own memory “System.Proc1.Thread1” Writes to own memory “System.Proc1.Thread1” Written in Ivory

16 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. 16 memory_protected(p : process) <= ** "The memory of process " p " is protected from alterations by other processes" ** property(p, SMACCM::OS) = "SeL4" or (property(p, SMACCM::OS) = "eChronos" and forall (mem : memory). bound(p, mem) => forall (q : process). bound(q, mem) => memory_safe_process(q)) memory_safe_process(p : process) <= ** "The process " p " only writes to its own memory space" ** forall (t : thread). contained(t, p) => memory_safe_thread(t) memory_safe_thread(t : thread) <= ** "The thread " t " only writes to its own memory space" ** ivory_thread(t) ivory_thread(t : thread) <= ** "The thread " t " is generated from Ivory" ** property(t, SMACCM::Language) = "Ivory" Process “System.Proc1” protected from other processes Process “System.Proc1” Writes to own memory “System.Proc1.Thread1” Writes to own memory “System.Proc1.Thread1” Written in Ivory “System.Proc1.Thread2” Writes to own memory

17 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. 17 memory_protected(p : process) <= ** "The memory of process " p " is protected from alterations by other processes" ** property(p, SMACCM::OS) = "SeL4" or (property(p, SMACCM::OS) = "eChronos" and forall (mem : memory). bound(p, mem) => forall (q : process). bound(q, mem) => memory_safe_process(q)) memory_safe_process(p : process) <= ** "The process " p " only writes to its own memory space" ** forall (t : thread). contained(t, p) => memory_safe_thread(t) memory_safe_thread(t : thread) <= ** "The thread " t " only writes to its own memory space" ** ivory_thread(t) ivory_thread(t : thread) <= ** "The thread " t " is generated from Ivory" ** property(t, SMACCM::Language) = "Ivory" Process “System.Proc1” protected from other processes Process “System.Proc1” Writes to own memory “System.Proc1.Thread1” Writes to own memory “System.Proc1.Thread1” Written in Ivory “System.Proc1.Thread2” Writes to own memory “System.Proc1.Thread2” Written in Ivory

18 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. 18 memory_protected(p : process) <= ** "The memory of process " p " is protected from alterations by other processes" ** property(p, SMACCM::OS) = "SeL4" or (property(p, SMACCM::OS) = "eChronos" and forall (mem : memory). bound(p, mem) => forall (q : process). bound(q, mem) => memory_safe_process(q)) memory_safe_process(p : process) <= ** "The process " p " only writes to its own memory space" ** forall (t : thread). contained(t, p) => memory_safe_thread(t) memory_safe_thread(t : thread) <= ** "The thread " t " only writes to its own memory space" ** ivory_thread(t) ivory_thread(t : thread) <= ** "The thread " t " is generated from Ivory" ** property(t, SMACCM::Language) = "Ivory" Process “System.Proc1” protected from other processes Process “System.Proc1” Writes to own memory “System.Proc1.Thread1” Writes to own memory “System.Proc1.Thread1” Written in Ivory “System.Proc1.Thread2” Writes to own memory “System.Proc1.Thread2” Written in Ivory Process “System.Proc2” Writes to own memory

19 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. 19 memory_protected(p : process) <= ** "The memory of process " p " is protected from alterations by other processes" ** property(p, SMACCM::OS) = "SeL4" or (property(p, SMACCM::OS) = "eChronos" and forall (mem : memory). bound(p, mem) => forall (q : process). bound(q, mem) => memory_safe_process(q)) memory_safe_process(p : process) <= ** "The process " p " only writes to its own memory space" ** forall (t : thread). contained(t, p) => memory_safe_thread(t) memory_safe_thread(t : thread) <= ** "The thread " t " only writes to its own memory space" ** ivory_thread(t) ivory_thread(t : thread) <= ** "The thread " t " is generated from Ivory" ** property(t, SMACCM::Language) = "Ivory" Process “System.Proc1” protected from other processes Process “System.Proc1” Writes to own memory “System.Proc1.Thread1” Writes to own memory “System.Proc1.Thread1” Written in Ivory “System.Proc1.Thread2” Writes to own memory “System.Proc1.Thread2” Written in Ivory Process “System.Proc2” Writes to own memory “System.Proc2.Thread3” Writes to own memory

20 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. 20 memory_protected(p : process) <= ** "The memory of process " p " is protected from alterations by other processes" ** property(p, SMACCM::OS) = "SeL4" or (property(p, SMACCM::OS) = "eChronos" and forall (mem : memory). bound(p, mem) => forall (q : process). bound(q, mem) => memory_safe_process(q)) memory_safe_process(p : process) <= ** "The process " p " only writes to its own memory space" ** forall (t : thread). contained(t, p) => memory_safe_thread(t) memory_safe_thread(t : thread) <= ** "The thread " t " only writes to its own memory space" ** ivory_thread(t) ivory_thread(t : thread) <= ** "The thread " t " is generated from Ivory" ** property(t, SMACCM::Language) = "Ivory" Process “System.Proc1” protected from other processes Process “System.Proc1” Writes to own memory “System.Proc1.Thread1” Writes to own memory “System.Proc1.Thread1” Written in Ivory “System.Proc1.Thread2” Writes to own memory “System.Proc1.Thread2” Written in Ivory Process “System.Proc2” Writes to own memory “System.Proc2.Thread3” Writes to own memory “System.Proc2.Thread3” Written in Ivory

21 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Failed Assurance Cases Unlike traditional assurance cases, Resolute can produce a failed assurance case –Claims that are false are shown in red so the assurance case can be debugged Failures may occur if the architecture changes, or if external analysis fails 21

22 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. 22 memory_protected(p : process) <= ** "The memory of process " p " is protected from alterations by other processes" ** property(p, SMACCM::OS) = "SeL4" or (property(p, SMACCM::OS) = "eChronos" and forall (mem : memory). bound(p, mem) => forall (q : process). bound(q, mem) => memory_safe_process(q)) memory_safe_process(p : process) <= ** "The process " p " only writes to its own memory space" ** forall (t : thread). contained(t, p) => memory_safe_thread(t) memory_safe_thread(t : thread) <= ** "The thread " t " only writes to its own memory space" ** ivory_thread(t) ivory_thread(t : thread) <= ** "The thread " t " is generated from Ivory" ** property(t, SMACCM::Language) = "Ivory" Process “System.Proc1” protected from other processes Process “System.Proc1” Writes to own memory “System.Proc1.Thread1” Writes to own memory “System.Proc1.Thread1” Written in Ivory “System.Proc1.Thread2” Writes to own memory “System.Proc1.Thread2” Written in Ivory Process “System.Proc2” Writes to own memory “System.Proc2.Thread3” Writes to own memory “System.Proc2.Thread3” Written in Ivory

23 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Analysis Results 23 Failed assurance case Successful assurance case

24 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Research Vehicle Architecture 24

25 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. AADL model 25

26 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Properties from SMACCM Project 26 Wireless network Encrypt Key command User Ground Station Comm Unknown credentials command Attacker Attacker A Comm Key Actuator Control Laws Validate Vehicle Mission computerFlight computer Internal bus The motor controller only receives messages from the trusted ground station. All messages received by the radio reach the motor controller. All connections are accurate/non-bypassable. Requires memory-safety Decrypt

27 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Proper use of encryption Threads before authentication Classification of inputs UAV motors only execute commands from the ground station Secure Delivery 27

28 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Thread only writes to to its own memory space Thread local state protected by RTOS Memory Safety 28 Requires guarantees from eChronos RTOS and Ivory-Tower component generation

29 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Future Work 29 Integration with other assurance case tools –We currently support CertWare Support for other GSN types Integration with other AADL analyses –Internal: Schedulability, Fault Analysis –External: HOL, SMT Solvers Support for other AADL semantics

30 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Common tools: Formal Methods Workbench Trusted Build Architecture Translation seL4 eChronos A B C Assumption: Input < 20 Guarantee: Output < 2*Input Assumption: Input < 20 Guarantee: Output < Input + 15 Assumption: none Guarantee: Output = Input1 + Input2 Assumption: Input < 10 Guarantee: Output < 50 Architecture Analysis Architecture Models OSATE Resolute Assurance Case AGREE Behavioral Analysis Lute Structural Analysis Kind/JKind 30

31 © Copyright 2014 Rockwell Collins, Inc. All rights reserved. Comments/Questions? 31

Download ppt "© Copyright 2014 Rockwell Collins, Inc. All rights reserved. Resolute: An Assurance Case Language for Architecture Models Andrew Gacek, John Backes, Darren."

Similar presentations

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
PowerPoint Presentation for Dennis & Haley Wixom, Systems Analysis and Design, 2 nd Edition Copyright 2003 © John Wiley & Sons, Inc. All rights reserved.

PowerPoint Presentation for Dennis & Haley Wixom, Systems Analysis and Design, 2 nd Edition Copyright 2003 © John Wiley & Sons, Inc. All rights reserved.
Dagstuhl Intro Mike Whalen. 2 Mike Whalen My main goal is to reduce software verification and validation (V&V) cost and increasing.

Dagstuhl Intro Mike Whalen. 2 Mike Whalen My main goal is to reduce software verification and validation (V&V) cost and increasing.
Presented by: Thabet Kacem Spring 2010. Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.

Presented by: Thabet Kacem Spring Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Integrated Design and Analysis Tools for Software-Based Control Systems Shankar Sastry (PI) Tom Henzinger Edward Lee University of California, Berkeley.

Integrated Design and Analysis Tools for Software-Based Control Systems Shankar Sastry (PI) Tom Henzinger Edward Lee University of California, Berkeley.
Trust, Privacy, and Security Moderator: Bharat Bhargava Purdue University.

Trust, Privacy, and Security Moderator: Bharat Bhargava Purdue University.
Trust, Privacy, and Security Moderator: Bharat Bhargava 1 Coordinators: Bharat Bhargava 1, Csilla Farkas 2, and Leszek Lilien 1 1 Purdue University and.

Trust, Privacy, and Security Moderator: Bharat Bhargava 1 Coordinators: Bharat Bhargava 1, Csilla Farkas 2, and Leszek Lilien 1 1 Purdue University and.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Industrial Avionics Working Group 19/04/07 Architecture Integration.

Industrial Avionics Working Group 19/04/07 Architecture Integration.
© Copyright 2011 John Wiley & Sons, Inc.

© Copyright 2011 John Wiley & Sons, Inc.
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification

School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification
Course Instructor: Aisha Azeem

Course Instructor: Aisha Azeem
Exmouth House 3–11 Pine Street London EC1R 0JH T +44 20 7832 5850 F +44 20 7832 5853 E W CAE – Next generation and Building.

Exmouth House 3–11 Pine Street London EC1R 0JH T F E W CAE – Next generation and Building.
SECURITY REQUIREMENT FROM PROBLEM FRAMES PERPECTIVE Fabricio Braz 01/25/08.

SECURITY REQUIREMENT FROM PROBLEM FRAMES PERPECTIVE Fabricio Braz 01/25/08.
© Janice Regan, CMPT 128, Jan. 2007 0 CMPT 128 Introduction to Computing Science for Engineering Students Creating a program.

© Janice Regan, CMPT 128, Jan CMPT 128 Introduction to Computing Science for Engineering Students Creating a program.

Similar presentations

Ads by Google