NEWS AT SEI
This article was originally published in News at SEI on: January 1, 2008
What would help a soldier crouching at the edge of a battlefield, a firefighter intently peering at the horizon, and a tornado tracker racing through the countryside? They would benefit from real-time pictures of what they cannot see provided through the high-assurance collection, processing, and dissemination of airborne imagery.
Rockwell-Collins used a technology developed by the SEI to enable the high-assurance handling of data from multiple sensors having varying levels of security, such as airborne imagery, using a powerful, fast, integrated circuit called a field programmable gate array (FPGA).
“One FPGA does the work of thousands of computers,” says Yves LaCerte, a Rockwell-Collins systems engineer in Cedar Rapids, Iowa. It is easier to develop applications on an FPGA, too, reducing the cost and time to market, according to LaCerte. And the chip can be reprogrammed at runtime—to fix bugs, for example, which can lower maintenance-engineering costs.
What High Assurance Means for Software
For software to be considered high assurance, there must be a convincing argument that the software will always perform its key functions and will never perform the actions it is required not to perform.
A system that controls an aircraft’s actions in flight, for instance, must be high assurance, as must one that carries out satellite communication.
“Typically, you use a high-assurance processor to securely tag variable input. Rockwell-Collins wanted to demonstrate the high-assurance potential of FPGAs,” LaCerte explains. “Because FPGA behavior is more complex, architecture-level definition and analysis are needed.”
Meanwhile, at the SEI in Pittsburgh, Pa., Jörgen Hansson began investigating ways to use the Architecture Analysis & Design Language (AADL) and the Open Source AADL Tool Environment (OSATE) to model system architecture and analyze it for data quality attributes, including security.
“By verifying security using an architecture model, we can validate confidentiality and integrity and also determine that sanitization is done in a controlled way,” Hansson says. Sanitization here means lowering the security level of data so it can be passed to a less-trusted part of the system; controlled sanitization ensures that such lowering happens only in components designated for it and only between the levels those components are permitted to bridge, rather than wherever two components happen to be connected. Hansson’s work culminated in an OSATE plug-in for security analysis.
Using AADL and Hansson’s OSATE security-analysis tool, LaCerte built a prototype system that demonstrates “the correctness of the FPGA architecture and the correctness of the system’s behavior.”
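The kind of check Hansson describes, confidentiality of data flows plus controlled sanitization, can be illustrated with a small architecture-level checker. The following Python is an added example written for this page; it is not the OSATE plug-in, not Rockwell-Collins code, and does not parse AADL. It stands in for an AADL instance model with a plain data structure (components carrying a security level, connections carrying a data level, and components optionally declared as sanitizers between two levels) and uses a constructed sensor-fusion model loosely patterned on the airborne-imagery scenario above. The level names, component names, and the assumption of a single linear lattice of levels are all illustrative choices.

```python
"""Architecture-level security check in the spirit of the AADL/OSATE analysis
described above. Added example: the model shape is a simplified stand-in for an
AADL instance model, not AADL syntax and not the OSATE plug-in's API."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed linear lattice of security levels, lowest to highest (an assumption;
# a real model could use a partial order).
LEVELS = ["Unclassified", "Confidential", "Secret", "TopSecret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Component:
    name: str
    level: str                                  # highest level of data this component may handle
    sanitizes: Optional[Tuple[str, str]] = None  # (from_level, to_level) if trusted to downgrade


@dataclass
class Connection:
    src: str
    dst: str
    data_level: str                             # classification of data carried on the connection


@dataclass
class Model:
    components: Dict[str, Component]
    connections: List[Connection]


def check_model(model: Model) -> List[str]:
    """Return a list of violation strings; an empty list means the model passes."""
    violations: List[str] = []
    comps = model.components
    # Highest level of data each component receives on any inbound connection.
    # This is deliberately conservative: no per-flow tracking inside a component.
    received = {name: -1 for name in comps}

    for c in model.connections:
        src, dst = comps[c.src], comps[c.dst]
        data = RANK[c.data_level]
        # Confidentiality: data may not be delivered above the destination's clearance.
        if data > RANK[dst.level]:
            violations.append(f"{c.src}->{c.dst}: {c.data_level} data delivered to {dst.level} component")
        # A source may not claim to emit data above its own clearance.
        if data > RANK[src.level]:
            violations.append(f"{c.src}: emits {c.data_level} data but is only a {src.level} component")
        received[c.dst] = max(received[c.dst], data)

    # Controlled sanitization: emitting data below the highest level received is a
    # downgrade, allowed only for declared sanitizers and only within their declared range.
    for c in model.connections:
        src = comps[c.src]
        emitted = RANK[c.data_level]
        if received[c.src] > emitted:
            if src.sanitizes is None:
                violations.append(f"{c.src}: lowers {LEVELS[received[c.src]]} to {c.data_level} "
                                  "but is not a declared sanitizer")
            else:
                hi, lo = src.sanitizes
                if not (RANK[lo] <= emitted and received[c.src] <= RANK[hi]):
                    violations.append(f"{c.src}: sanitizes {hi}->{lo} only, but lowered "
                                      f"{LEVELS[received[c.src]]} to {c.data_level}")
    return violations


def build_example_model(variant: str = "ok") -> Model:
    """Constructed sensor-fusion model. variant: 'ok', 'bypass' (uncontrolled downgrade),
    or 'leak' (classified data sent to an unclassified component)."""
    comps = [
        Component("eo_camera", "Unclassified"),
        Component("sar_sensor", "Secret"),
        Component("fusion", "Secret"),
        Component("downgrader", "Secret", sanitizes=("Secret", "Unclassified")),
        Component("ground_link", "Unclassified"),
    ]
    conns = [
        Connection("eo_camera", "fusion", "Unclassified"),
        Connection("sar_sensor", "fusion", "Secret"),
        Connection("fusion", "downgrader", "Secret"),
        Connection("downgrader", "ground_link", "Unclassified"),
    ]
    if variant == "bypass":
        # Fusion relabels its output as unclassified and skips the sanitizer.
        conns.append(Connection("fusion", "ground_link", "Unclassified"))
    elif variant == "leak":
        # Raw Secret sensor data wired straight to the unclassified link.
        conns.append(Connection("sar_sensor", "ground_link", "Secret"))
    return Model({c.name: c for c in comps}, conns)


if __name__ == "__main__":
    for variant in ("ok", "bypass", "leak"):
        print(variant, check_model(build_example_model(variant)) or "PASS")
```

The two failing variants show the two properties separately: the leak is a plain confidentiality violation (Secret data reaching an Unclassified component), while the bypass carries correctly labelled Unclassified data yet still fails, because the component doing the relabelling is not a declared sanitizer. Catching that second case is what the article means by checking that sanitization is done in a controlled way.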
AADL, a Language for Collaboration
AADL is becoming a lingua franca—a common language—for sharing information on problems and solutions among investigators in commercial, research, and academic organizations. In support of that notion, Bruce Lewis, head of the Society of Automotive Engineers subcommittee guiding the standard’s development, points to the many consortia employing the standard.
In particular, Lewis notes the AVSI (Aerospace Vehicle Systems Institute) and SPICES (Support for Predictable Integration of mission Critical Embedded Systems). The AVSI uses AADL to demonstrate model-based validation of a system through architecture models. SPICES, an Information Technology for European Advancement (ITEA) project, offers designers of distributed, real-time, embedded systems a modeling, analysis, generation, and integration environment based on AADL.
The SEI and Rockwell-Collins stand out among the organizations leading development and transition of AADL. From the SEI, Peter Feiler provides technical leadership, and Bruce Lewis—an SEI resident affiliate from the U.S. Army Aviation and Missile Research, Development, and Engineering Center—runs the Society of Automotive Engineers (SAE) subcommittee guiding enhancement and expansion of the standard. Rockwell-Collins participates in the development of the AADL standard, publishes papers about the standard, creates example models, and demonstrates how to incorporate AADL into the development life cycle. Because of that involvement and interest, LaCerte learned of Hansson’s OSATE security analysis plug-in.
While his achievement is significant for FPGAs and their use, LaCerte sees that the work he began with AADL and the security-analysis plug-in can go further. “We need to certify FPGAs for high-assurance use according to the NSA [National Security Agency] common criteria. AADL can be used to generate the artifacts needed to obtain that certification,” LaCerte says.
Hansson’s work goes on, as well. “We are currently investigating how to conduct tradeoff analysis by evaluating the effects of security on performance and resource usage.”