From a DO-178B Certified Separation Kernel to Common Criteria Security Certification
Technical Paper
2011-01-2777
ISSN: 0148-7191, e-ISSN: 2688-3627
Language: English
Abstract
DO-178B avionics software safety has largely rested on the assumption that rigorous development and verification processes are applied uniformly to the entire product, which is typically small or developed from scratch and is extensively tested. Security certification under the Common Criteria (CC), on the other hand, has traditionally also had in mind the analysis and gradual improvement of existing systems. For such scenarios, simply redoing the entire design is not feasible. This leads to a slightly different emphasis in the presentation of artifacts, which is of interest not only in a CC certification context but also, for example, when reviewing requirement-based descriptions of systems.
In cooperation with the DFKI evaluation laboratory, we have drafted a security target instantiating security properties (Security Functional Requirements, SFRs) of the PikeOS separation kernel, which has undergone DO-178B certification. The security target was initially based on the Separation Kernel Protection Profile (SKPP) but is now written stand-alone, without using a protection profile, and is compatible with the current version of the CC. In the German research project SeSaM [SeS11] we prepare Common Criteria certification artifacts for a DO-178B certified separation kernel, aiming at a high-level CC certification. We report on our approach and experiences in generating artifacts from a DO-178B/DO-178C perspective and on lessons learned when dealing with the CC.
Citation
Blasum, H. and Tverdyshev, S., "From a DO-178B Certified Separation Kernel to Common Criteria Security Certification," SAE Technical Paper 2011-01-2777, 2011, https://doi.org/10.4271/2011-01-2777.
References
- [AFRT02] Alves-Foss, Jim; Rinker, Bob; Taylor, Carol. Towards Common Criteria certification for DO-178B compliant airborne software systems. 2002. http://www.csds.uidaho.edu/papers/Alves-Foss02b.pdf
- [AP09] Almeida, Jose; Prochazka, Marek. Safe and secure partitioning with PikeOS: Towards integrated modular avionics in space. In: Ouwehand, L. (ed.), Proceedings of DASIA 2009, DAta Systems In Aerospace, 26-29 May 2009, Istanbul. ESA Communication Production Office, Noordwijk, 2009.
- [BA03] Bennett, M.D.; Audsley, N.C. Partitioning support for the L4 microkernel. Technical report YCS-2003-366, Department of Computer Science, University of York, UK, 2003. ftp://ftp.cs.york.ac.uk/reports/2003/YCS/366/YCS-2003-366.pdf
- [BBBT11] Baumann, Christoph; Bormer, Thorsten; Blasum, Holger; Tverdyshev, Sergey. Proving memory separation in a microkernel by code level verification. In: 14th IEEE International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing Workshops (ISORCW 2011), pp. 25-32. IEEE, 2011. http://www-wjp.cs.uni-saarland.de/publikationen/Baumann-AMICS2011.pdf
- [Bun07] Bundesamt für Sicherheit in der Informationstechnik (BSI). Guide for the transition from Common Criteria version 2.3 to Common Criteria version 3.1 for ADV requirements. 2007. https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Interpretationen/BSI_ADV_Migration_Guide_v10_pdf.pdf
- [Bun08] Bundesamt für Sicherheit in der Informationstechnik (BSI) and Sirrix AG security technologies. Protection profile for high-assurance security kernel. June 2008. http://www.sirrix.com/media/downloads/54500.pdf
- [Com09] Common Criteria Sponsoring Organizations. Common Criteria for information technology security evaluation. July 2009. http://www.commoncriteriaportal.org/thecc.html
- [Com11] Common Criteria Portal. Certified product list (CSV format). 2011, accessed 2011-05-30. http://www.commoncriteriaportal.org/files/epfiles/products.csv
- [EK95] Engler, Dawson R.; Kaashoek, M. Frans. Exterminate all operating system abstractions. In: Proceedings of the Fifth Workshop on Hot Topics in Operating Systems (HotOS-V), pp. 78-83, 1995.
- [Eng05] Engel, Michael. Advancing operating systems via aspect-oriented programming. PhD thesis, University of Marburg, 2005. http://deposit.d-nb.de/cgi-bin/dokserv?idn=981180515
- [Fuc10] Fuchsen, Rudolf. How to address certification for multi-core based IMA platforms: Current status and potential solutions. In: 29th IEEE/AIAA Digital Avionics Systems Conference (DASC 2010), pp. 5.E.3-1 to 5.E.3-11, October 2010.
- [GMA+11] Gray, Ian; Matragkas, Nikos; Audsley, Neil C.; Indrusiak, Leandro Soares; Kolovos, Dimitris; Paige, Richard. Model-based hardware generation and programming: the MADES approach. In: 14th IEEE International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing Workshops (ISORCW 2011), pp. 88-96. IEEE, 2011.
- [Gre08] Green Hills Software. INTEGRITY-178B separation kernel security target. 2008. http://www.niap-ccevs.org/cc-scheme/st/vid10119/
- [Hof09] Hoffman, Robert. New capability for the warfighter: multilevel secure systems based on a MILS architecture. 2009. https://www.opengroup.org/rtforum/uploads/40/19821/Wind_River_Presents_MILS_speaker_notes_14.2_MB.pdf
- [HRC+04] Ha, Vu; Rangarajan, Murali; Cofer, Darren D.; Rueß, Harald; Dutertre, Bruno. Feature-based decomposition of inductive proofs applied to real-time avionics software: An experience report. In: ICSE 2004, pp. 304-313. IEEE Computer Society, 2004.
- [IBM03] IBM. Public version of the security target for PR/SM for the IBM eServer zSeries z900 GA3 and z800, EAL5 certification. Approved February 2003. http://www.bsi.de/zertifiz/zert/reporte/0557b.pdf
- [Inf07] Information Assurance Directorate. U.S. Government protection profile for separation kernels in environments requiring high robustness, version 1.03. June 2007. http://www.niap-ccevs.org/cc-scheme/pp/pp_skpp_hr_v1.03/
- [KLM+97] Kiczales, Gregor; Lamping, John; Mendhekar, Anurag; Maeda, Chris; Lopes, Cristina Videira; Loingtier, Jean-Marc; Irwin, John. Aspect-oriented programming. In: ECOOP 1997, pp. 220-242.
- [KW07] Kaiser, Robert; Wagner, Stephan. Evolution of the PikeOS microkernel. In: Kuz, Ihor; Petters, Stefan M. (eds.), MIKES: 1st International Workshop on Microkernels for Embedded Systems, 2007. http://ertos.nicta.com.au/publications/papers/Kuz_Petters_07.pdf
- [LHSPS11] Lohmann, Daniel; Hofer, Wanja; Schröder-Preikschat, Wolfgang; Spinczyk, Olaf. Aspect-aware operating system development. In: Chiba, Shigeru (ed.), Proceedings of the 10th International Conference on Aspect-Oriented Software Development (AOSD 2011), pp. 69-80. New York, NY, USA, 2011.
- [LNIM10] Levin, Timothy E.; Nguyen, Thuy D.; Irvine, Cynthia E.; McEvilley, Michael. Separation Kernel Protection Profile revisited: Choices and rationale. In: Fourth Annual Layered Assurance Workshop (LAW 2010), Austin, TX, USA, 6-7 December 2010. Applied Computer Security Associates, 2010. http://fm.csl.sri.com/LAW/2010/
- [Mic09] Microsoft. Microsoft Windows Server 2008 Hyper-V security target. 2009. http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf
- [MKK10] Müller, Stephan; Krummeck, Gerald; Kurth, Helmut. Operating system protection profile. 2010. https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/ReportePP/pp0067b_pdf.pdf
- [Mül11] Müller, Kevin. Security in embedded systems: Design aspects of a protocol-generic secure gateway based on the MILS system approach. Master's thesis, Leipzig University of Applied Sciences (HTWK Leipzig), Dept. of Computer Science, Mathematics and Natural Sciences, 2011.
- [NLI06] Nguyen, Thuy D.; Levin, Timothy E.; Irvine, Cynthia E. High robustness requirements in a Common Criteria protection profile. In: International Workshop on Innovative Architecture for Future Generation High-Performance Processors and Systems, pp. 66-78. IEEE Computer Society, Los Alamitos, CA, USA, 2006.
- [PC86] Parnas, David Lorge; Clements, Paul C. A rational design process: How and why to fake it. IEEE Transactions on Software Engineering, pp. 251-256, 1986.
- [PG74] Popek, Gerald J.; Goldberg, Robert P. Formal requirements for virtualizable third generation architectures. Communications of the ACM 17(7), pp. 412-421, July 1974.
- [PRS08] Paulitsch, Michael; Ruess, Harald; Sorea, Maria. Non-functional avionics requirements. In: Margaria, Tiziana; Steffen, Bernhard (eds.), Leveraging Applications of Formal Methods, Verification and Validation, Third International Symposium (ISoLA 2008), Porto Sani, Greece, October 13-15, 2008, pp. 369-384. Communications in Computer and Information Science 17, Springer.
- [RTC05] RTCA SC-200 / EUROCAE WG-60. DO-297: Integrated Modular Avionics (IMA) Development Guidance and Certification Considerations. Radio Technical Commission for Aeronautics (RTCA), Inc., 1828 L St. NW, Suite 805, Washington, D.C. 20036, November 2005.
- [RTC11] RTCA SC-205 / EUROCAE WG-71. IP0050_X: Software considerations in airborne systems and equipment certification (DO-178C, draft version X). June 2011. http://forum.pr.erau.edu/SCAS/
- [SeS11] SeSaM project. The SeSaM project. 2011. http://www.sysgo.com/en/partners/affiliations/the-sesam-project/
- [SR11] Soudain, Guillaume; Rierson, Leanna. SC-205 / WG-71 Information 364: FAQs on low-level requirements and pseudocode. 2011. http://forum.pr.erau.edu/SCAS/
- [Stu11] Stumpf, Tobias. Design eines Virtual Machine Monitors aufbauend auf einem Mikrokern. In: Brauer, W.; Halang, Wolfgang A.; Holleczek, Peter (eds.), Eingebettete Systeme, Informatik aktuell 2011(1), pp. 31-40. Springer.
- [Tve11] Tverdyshev, Sergey. Extending the GWV security policy and its modular application to a separation kernel. In: Bobaru, Mihaela; Havelund, Klaus; Holzmann, Gerard; Joshi, Rajeev (eds.), NASA Formal Methods, volume 6617 of Lecture Notes in Computer Science, pp. 391-405. Springer, Berlin / Heidelberg, 2011.
- [Wil06] Wilshusen, Gregory C. Information assurance: National partnership offers benefits, but faces considerable challenges. Technical report, United States Government Accountability Office, Washington, D.C., 2006. http://www.gao.gov/new.items/d06392.pdf