Predictable Security: Security Analysis Extends Use of High-Performance Chip
What would help a soldier crouching at the edge of a battlefield, a firefighter intently peering at the horizon, and a tornado tracker racing through the countryside? They would benefit from real-time pictures of what they cannot see provided through the high-assurance collection, processing, and dissemination of airborne imagery.
Rockwell-Collins used a technology developed by the SEI to enable the high-assurance handling of data, such as airborne imagery, from multiple sensors with varying security levels, using a powerful, fast integrated circuit called a field programmable gate array (FPGA).
Sidebar: What High Assurance Means for Software
A system that controls an aircraft’s actions in flight, for instance, must be high assurance, as must one that carries out satellite communication.
“One FPGA does the work of thousands of computers,” says Yves LaCerte, a Rockwell-Collins systems engineer in Cedar Rapids, Iowa. It is easier to develop applications on an FPGA, too, reducing the cost and time to market, according to LaCerte. And the chip can be reprogrammed at runtime—to fix bugs, for example, which can lower maintenance-engineering costs.
“Typically, you use a high-assurance processor to securely tag variable input. Rockwell-Collins wanted to demonstrate the high-assurance potential of FPGAs,” LaCerte explains. “Because FPGA behavior is more complex, architecture-level definition and analysis are needed.”
Meanwhile, at the SEI in Pittsburgh, Pa., Jörgen Hansson began investigating ways to use the Architecture Analysis & Design Language (AADL) and the Open Source AADL Tool Environment (OSATE) to model system architecture and analyze it for data quality attributes, including security.
“By verifying security using an architecture model, we can validate confidentiality and integrity and also determine that sanitization is done in a controlled way,” Hansson says. Sanitization is the lowering of security levels; controlled sanitization assures that lowering security occurs only within allowed boundaries. Hansson’s work culminated in an OSATE plug-in for security analysis.
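The check Hansson describes, as an added illustration that is not code from the OSATE plug-in or from Rockwell-Collins: a small architecture model in which each component carries a security level and each connection carries data. A connection that lowers the level is a downgrade, and the analysis accepts it only when the source component is declared a sanitizer and the destination level is not below the floor that sanitizer is permitted to release to. The component names, the level lattice and the sample model are all constructed for the example.

```python
"""Toy architecture-level security analysis (constructed example).

Not the OSATE security plug-in: a minimal model of the same idea.  Components
carry a security level; data flows along connections.  Upward or lateral flows
are always acceptable for confidentiality.  A downward flow is a downgrade and
is reported unless the source is a declared sanitizer whose permitted floor is
not higher than the destination's level (controlled sanitization).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordered security levels, lowest to highest (constructed lattice).
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Component:
    name: str
    level: str                  # security level of the data this component handles
    sanitizer: bool = False     # trusted to lower the security level of data
    floor: Optional[str] = None  # lowest level a sanitizer may release data to


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str


def analyze(components: List[Component], connections: List[Connection]) -> List[str]:
    """Return a list of findings; an empty list means the model passes."""
    by_name = {c.name: c for c in components}
    findings = []
    for conn in connections:
        src, dst = by_name[conn.src], by_name[conn.dst]
        if RANK[src.level] <= RANK[dst.level]:
            continue  # upward or lateral flow cannot lower a level
        if not src.sanitizer:
            findings.append(
                f"{src.name} -> {dst.name}: uncontrolled downgrade "
                f"{src.level} -> {dst.level}")
        elif src.floor is None or RANK[dst.level] < RANK[src.floor]:
            findings.append(
                f"{src.name} -> {dst.name}: sanitizer floor is {src.floor}, "
                f"but destination is {dst.level}")
    return findings


def sample_model() -> Tuple[List[Component], List[Connection]]:
    """Constructed multi-sensor imagery pipeline with one sanitizer."""
    comps = [
        Component("eo_sensor", "secret"),
        Component("ir_sensor", "confidential"),
        Component("fusion", "secret"),
        Component("downgrader", "secret", sanitizer=True, floor="confidential"),
        Component("ground_link", "confidential"),
        Component("public_display", "unclassified"),
    ]
    conns = [
        Connection("eo_sensor", "fusion"),
        Connection("ir_sensor", "fusion"),           # upward flow, allowed
        Connection("fusion", "downgrader"),          # lateral flow, allowed
        Connection("downgrader", "ground_link"),     # controlled sanitization
        Connection("fusion", "ground_link"),         # uncontrolled downgrade
        Connection("downgrader", "public_display"),  # release below sanitizer floor
    ]
    return comps, conns


if __name__ == "__main__":
    for finding in analyze(*sample_model()):
        print(finding)
```

Run against the sample model, the analysis reports exactly the two flows that bypass or exceed the sanitizer, and nothing for the upward, lateral and properly sanitized connections; the same walk over every connection is what makes an architecture-level check practical on larger models, since it needs only the levels declared on components and the connection list.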
Using AADL and Hansson’s OSATE security-analysis tool, LaCerte built a prototype system that demonstrates “the correctness of the FPGA architecture and the correctness of the system’s behavior.”
Sidebar: AADL, a Language for Collaboration
In particular, Lewis notes the AVSI (Aerospace Vehicle Systems Institute) and SPICES (Support for Predictable Integration of mission Critical Embedded Systems). The AVSI uses AADL to demonstrate model-based validation of a system through architecture models. SPICES, an Information Technology for European Advancement (ITEA) project, offers designers of distributed, real-time, embedded systems a modeling, analysis, generation, and integration environment based on AADL.
The SEI and Rockwell-Collins stand out among the organizations leading development and transition of AADL. From the SEI, Peter Feiler provides technical leadership, and Bruce Lewis—an SEI resident affiliate from the U.S. Army Aviation and Missile Research, Development, and Engineering Center—runs the Society of Automotive Engineers (SAE) subcommittee guiding enhancement and expansion of the standard. Rockwell-Collins participates in the development of the AADL standard, publishes papers about the standard, creates example models, and demonstrates how to incorporate AADL into the development life cycle. Because of that involvement and interest, LaCerte learned of Hansson’s OSATE security analysis plug-in.
While his achievement is significant for FPGAs and their use, LaCerte sees that the work he began with AADL and the security-analysis plug-in can go further. “We need to certify FPGAs for high-assurance use according to the NSA [National Security Agency] common criteria. AADL can be used to generate the artifacts needed to obtain that certification,” LaCerte says.
Hansson’s work goes on, as well. “We are currently investigating how to conduct tradeoff analysis by evaluating the effects of security on performance and resource usage.”
For more information about model-based engineering and architectural modeling analysis, contact Jörgen Hansson at hansson@sei.cmu.edu.