Modeling, Analysis, and Code Generation for Applications Targeting seL4
Todd Carpenter, Chief Engineer, Adventium Labs
Dr. John Hatcliff, Dr. Robby, Kansas State University
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Homeland Security Advanced Research Projects Agency (HSARPA), Cyber Security Division (DHS S&T/HSARPA/CDS) BAA HSHQDC‐14‐R‐B0005, the Government of Israel and the National Cyber Bureau in the Government of Israel via contract number D16PC00057. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security, the U.S. Government, the Government of Israel or the National Cyber Bureau in the Government of Israel.
This work is supported by the Air Force Research Laboratory under Contract No. FA8750‐19‐C‐0527. The views, opinions and/or findings contained in this presentation are those of the authors and should not be construed as an official Air Force Research Laboratory position.
This work is supported by DARPA under CASE. The views, opinions and/or findings contained in this presentation are those of the authors and should not be construed as an official DARPA position.
Agenda
• Starting point – seL4‐based cyber‐physical‐system
• Deployment Challenges – the need
• Modeling and Code Generation – the approach
• System‐level Analysis and Integration – the benefits
2019‐09‐24 © 2016‐2019 Adventium Labs, KSU 2
ISOSCELES Demonstrator: Infusion Pump
• Prototype infusion pump includes
– Timers, HDMI GUI, mouse, GPIO, networking, file system storage
– Secure logging, remote drug library update, network time protocol
• Highly disaggregated platform – no VM
• Genode (18.08) on seL4 or NOVA
• seL4 total image size: ~47MB
• Intel x86, Intel Atom, QEMU, VirtualBox
• Auto‐generated C++ for safety‐critical component
• Auto‐generated Genode configuration from AADL
• Continuous integration development environment
ISOSCELES is a safe and secure IoT device platform demonstrator
ISOSCELES Separation Architecture
• Time and Space Separation
• Least Privilege
• Minimal Complexity
• Trust Relations
• Cryptographic Basis
• Model‐based Development
• Common Services
[Figure: ISOSCELES layered architecture. OEM applications: safety application partition, standard partition(s) with business applications, real‐time partition(s) with control applications. ISOSCELES platform services: crypto & key management, remote update, device configuration, firewall, user interface, logging, authentication & authorization, device control, time, storage, cyber‐physical access layer. Separation layer: Genode on the seL4 separation kernel. OEM device hardware: CPU, MMU, RAM, flash, timers, sensors/actuators, network interface, HMI device, HSM/TPM, power.]
Highly disaggregated architecture maximizes benefits of separation
Public, Safety, and Security Critical Enclaves
Disaggregation can reduce certification burden
[Figure: infusion pump component diagram. Components shown: HTTPS Downloader, Router & Firewall, Network Device Driver, Guard, Downloads, Staging, File System (Sensitive), File System (Application), Storage Device Driver, File Updater, Crypto & Key Management (CKMS Request / CKMS Response), Chassis Sensors Monitor, Pump Motor, Flow Sensor, Manual Rate, Rate Supervisor, Safety Component, Operations Component, Flow Rate Controller, GPIO Device Driver; devices: Network Interface Card, Storage Medium; data items: Download Requests, Set Point, Pump Status, Chassis Status. Legend: ROM, Thread, Device.]
Example Pump Inputs:
• Networking
• Time
• Certificates
• Operating Libraries
• GPIO
• User Interface
Need: How do you integrate?
seL4 Brick Walls vs Information Flow
Bridge of Khazad‐dûm?
Model‐Based Development for seL4
[Figure: model‐based development flow. Elements shown: device requirements and platform assets; architecture specification in AADL (OSATE); system architecture AADL model; risk management (safety, security, reliability); assurance cases and V&V evidence; regulatory artifacts; platform deployment & configuration framework with platform configuration for Data61 CAmkES and Genode; platform run‐time environment. Programs using this approach: DHS ISOSCELES, DARPA CASE, AFRL MAILLE, Army CCDC METAL‐V, NASA CAFFMAD.]
Use models as entry point, not an auxiliary effort
Architecture Model for System‐Level Analysis
Safety & Reliability
• FTA
• FMEA
• STPA
Data Integration & Quality
• Data precision & accuracy
• Temporal correctness
• Interface compatibility
• Delta‐change analysis
• Standards compliance
Real‐time Performance
• Execution time & Deadline
• Deadlock or race
• Latency
• Schedule generation & analysis
Security
• Separation
• Confidentiality
• Integrity
• Availability
Resources
• Data Bandwidth
• CPU Bandwidth
• Memory
• Power
• Weight
Example of a cross‐cutting effect: increasing a key length increases CPU demand, which increases WCET, which impacts temporal correctness, which is a new hazard.
AADL supports virtual integration on Joint Multi‐Role Future Vertical Lift
MILS, RMF, MAILLE (future)
Architecture Analysis & Design Language (AADL)
• Originated from DARPA, standardized by SAE in 2004 (SAE AS 5506)
• Enables architectural analysis to predict the effects of integrating software, hardware and system components
• Strong, well‐defined semantics promote model exchange and reuse
• Deferred specification makes AADL easy to use throughout the design lifecycle
• Annexes address:
– ARINC 653
– Behavior
– Communication
– Code Generation
– Error Modeling (Safety)
– Requirements
– Security
[Figure: AADL component categories. Software: process, thread, subprogram, code, with the temporal boundary marked; hardware: processor, bus, memory, device; system; and the binding of software components to hardware.]
AADL picks up where FACE and SysML leave off
Integration Challenges
Future Airborne Capability Environment (FACE)
Example data modeling concerns
• Which altitude
• Units
• Representation
AADL
Example system integration concerns
• Temporal and spatial separation
• Communications mechanism
• Dispatch model
• Information flow
• Rates
• Latency
• Dispatch state
[Figure: two components, A (Alice) and B (Bob), each with an "altitude" port, connected to each other.]
You want to catch mismatches early: shift left
Example Model Based Development
Modeling Activity
• Organize into components
• Choose spatial & temporal partitioning strategy
• Design inter‐component communication (+ fault mitigation, performance, etc.)
Model‐based Graphical View (AADL) and Model‐based Textual View (top level AADL)
[Figure: UAV including AFRL OpenUxAS. Mission Computer containing Flight Planner and Waypoint Manager; Ground Station; Flight Controller; buses: Radio, Serial.]
System Concept (DARPA CASE Example)
Code generation for seL4 can leverage existing virtual integration models
AFRL SBIR: MAILLE Information Flow Analysis
1. Use MBSE to specify:
• Top level design
• Security domains
• Desired flow properties
• System building blocks
• Separation kernel
• Essential services
2. Invoke MAILLE to analyze requirements satisfaction
3. Use visualizer to explore flows
4. Update design to resolve issues
5. Use IVE to refine and verify critical components
Flow Visualization
Model‐based Flow Specification
MAILLE will address inter‐ and intra‐component flows
Paths Extracted from Architecture Model
[Figure: MAILLE flow visualizer screenshots. Internal dependency graph, HTML5 (current); user‐driven interactions and rendered results.]
Information flow user interface supports complex queries
Sponsors: Army AMRMC, DARPA I2O, Air Force AFRL
Auto‐generated Sequence Chart
HAMR ‐ Hatcliff ‐‐ © 2019 Kansas State University
Sequence chart helps visualize temporal component of information flow
Platform‐independent C code generation for AADL RT APIs
KSU HAMR Code Generation for seL4
Auto‐generated Component Infrastructure Code for Platform
[Figure: auto‐generated run‐time. Code generation for the communication infrastructure produces component infrastructure code in C that talks to the seL4 communication mechanisms (seL4 interpartition communication in C); inputs shown: platform configuration information. Code generation for the component & threading infrastructure and for the application APIs supports application code development. Application code is in C and platform‐independent because it only talks to the AADL RT APIs.]
Multiple targets: CAmkES, Minix, Linux
AADL Computational Model
[Figure: the developer configures the computational model by selecting a thread pattern and a communication pattern; the selection implies the API pattern application code uses to access AADL Run‐Time Services.]
AADL Port & Connection Properties
• Event
• Data
• Temporal Separation
• …
AADL Thread Properties
• Periodic
• Sporadic
• Hybrid
• …
Well‐defined run‐time semantics reduce vendor lock
AADL Models as Program Feature Directives
Selection of dispatch protocol property specifies the component structure and the infrastructure code linking the communication and scheduler to the component business logic.
Periodic: the run‐time system invokes a user‐programmed method timeTriggered() at regular intervals as specified via the PERIOD property.
  properties
    Dispatch_Protocol => Periodic;
    Period => 5 Hz;
Sporadic (events from other threads arrive on inP1: in event port, inP2: in event data port): the run‐time system invokes a user‐programmed method handle<port name>(…) upon the arrival of an event at the associated port.
  properties
    Dispatch_Protocol => Sporadic;
    Period => 20 Hz;
Formal semantics support both analysis and generation
Interface Code Generation from AADL
Auto‐generated Interface to Microkernel Capability Primitives
Component (AADL model) port → generated API
• outP4: out event port → sendoutP4() (publish events on out event ports)
• outP5: out event data port myType5 → sendoutP5(value: myType5) (publish events on out event ports)
• outP6: out data port myType6 → setoutP6(value: myType6) (put a value on an out data port)
• inP1: in event port → handleinP1() {..} (in event ports have handlers)
• inP2: in event data port myType2 → handleinP2(value: MyType2) {..} (in event ports have handlers)
• inP3: in data port myType3 → getinP3() : MyType3 (get the value from an in data port)
Semantic consistency between models and deployed implementation
Auto‐generated component application code skeletons provide the threading/dispatching structure and map the port APIs to the underlying communication infrastructure.
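The following C program is an added example, not HAMR's generated code and not from the slides: a host‐side model of the port and dispatch semantics the two preceding slides describe, an in event data port that queues arrivals and dispatches a handler once per event, an in data port that is only sampled, and a periodic thread dispatched once per period. Port and handler names (inP2, inP3, outP5, outP6, timeTriggered, handleinP2) follow the slides; the queue size, the drop‐newest overflow policy and the handler bodies are assumptions.

```c
/* Added example, not HAMR's generated code: a host-side model of the AADL port
 * and dispatch semantics shown on the two preceding slides. Port and handler names
 * follow the slides; queue size, drop policy and handler bodies are assumptions. */
#include <stdbool.h>
#include <string.h>
#define QUEUE_SIZE 4 /* assumed AADL Queue_Size of the in event data port */
/* In event data port: arrivals are queued and each queued event causes one dispatch. */
typedef struct { int buf[QUEUE_SIZE]; int head, count, dropped; } event_data_port;
/* In data port: no queue; the reader samples whatever value is current. */
typedef struct { int value; } data_port;
static event_data_port inP2;  /* connected to the producer's outP5 */
static data_port       inP3;  /* connected to the producer's outP6 */
/* Communication infrastructure behind the producer's out ports. */
bool sendoutP5(int v) {       /* out event data port: enqueue at the receiver */
    if (inP2.count == QUEUE_SIZE) { inP2.dropped++; return false; } /* assumed: drop newest */
    inP2.buf[(inP2.head + inP2.count) % QUEUE_SIZE] = v;
    inP2.count++;
    return true;
}
void setoutP6(int v) { inP3.value = v; }    /* out data port: overwrite the latest value */
int  getinP3(void)   { return inP3.value; } /* in data port: sample the latest value */
int  dropped_events(void) { return inP2.dropped; } /* overflow is visible, not silent */
/* Application code: the developer-filled handlers behind the generated skeleton. */
static int handled_sum, tick_count, last_sample;
void handleinP2(int v)   { handled_sum += v; }                      /* sporadic */
void timeTriggered(void) { tick_count++; last_sample = getinP3(); } /* periodic */
int  handled_total(void) { return handled_sum; }
int  ticks(void)         { return tick_count; }
int  sampled(void)       { return last_sample; }
/* Run-time, Dispatch_Protocol => Sporadic: drain the queue, one dispatch per event. */
int dispatch_sporadic(void) {
    int n = 0;
    while (inP2.count > 0) {
        int v = inP2.buf[inP2.head];
        inP2.head = (inP2.head + 1) % QUEUE_SIZE;
        inP2.count--;
        handleinP2(v);
        n++;
    }
    return n;
}
/* Run-time, Dispatch_Protocol => Periodic: one dispatch per Period, whatever arrived. */
void dispatch_periodic(void) { timeTriggered(); }
/* Reset all port and application state (used before each run). */
void reset_runtime(void) {
    memset(&inP2, 0, sizeof inP2); inP3.value = 0;
    handled_sum = tick_count = last_sample = 0;
}
```

The point the model makes is that events are never lost silently: a full queue is reported to the sender and counted, while a data port legitimately shows only the most recent value to its periodic reader.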
MAILLE IVE Concept
[Figure: MAILLE IVE concept. Elements shown: model‐based flow specification over security domains (Domain A: unclassified sensor acquisition components; Domain B: real‐time safety‐critical control components; Domain C: classified information components); flow analysis and visualization; flow‐enforcing configuration and code generation; HAMR verification environment; resulting safe and secure embedded system with example mission applications and disaggregated platform services (crypto & key management, remote update, device configuration, firewall, logging, authentication & authorization, time, networking, guard, storage, cyber‐physical access layer) on the seL4 separation kernel.]
Current Status
• Model‐driven reference separation architecture provides a strong foundation for safety and security
• Analysis and reporting tools for regulatory artifacts reduce the burden on manufacturers and reviewers
• Code generation from AADL to CAmkES and C
• Code generation can be factored through Slang – a safety‐critical subset of Scala – to provide automated source code verification and integration with JVM‐based languages like Java and Scala
• Flexible backend can support a variety of middleware and platform targets
• Ongoing focus on information flow analysis (DARPA CASE, AFRL MAILLE)