DocumentCode :
2536106
Title :
MILS-based information flow control in the avionic domain: A case study on compositional architecture and verification
Author :
Muller, Klaus-Robert ; Paulitsch, M. ; Schwarz, R. ; Tverdyshev, S. ; Blasum, H.
Author_Institution :
EADS Innovation Works, Munich, Germany
fYear :
2012
fDate :
14-18 Oct. 2012
Abstract :
Software architectures in the aerospace domain are becoming more and more integrated and interconnected for functional and architectural reasons (Integrated Modular Avionics, IMA), which exacerbates potential security problems of avionic software. As a consequence, security considerations are gaining importance for the general "airworthiness" of modern aircraft, and proper security assurance requires increasing effort. In this paper, we report on ongoing work in the SeSaM research project. We propose to leverage modularity as a key to obtaining more secure software and higher assurance of this claimed security with reasonable effort. Using Multiple Independent Levels of Security (MILS), we present a case study on how an application can be systematically designed, secured, and proven secure by adopting a composite evaluation approach that reflects the modular system architecture. More specifically, we employ a separation kernel as the foundation for a security-critical application, and we investigate how a security evaluation can be achieved systematically and with reduced effort if we evaluate the underlying kernel and the dependent application independently before joining these partial results to obtain an overall evaluation verdict. Thus, we illustrate how a compositional approach may ease security design and security assurance of IMA architectures.
Keywords :
aerospace computing; aerospace safety; avionics; software architecture; MILS-based information flow control; SeSaM research project; aerospace domain; avionic domain; avionic software; compositional architecture; compositional verification; integrated modular avionics; leverage modularity; multiple independent levels of security; potential security problems; proper security assurance; security-critical application; separation kernel; software architectures; Aerospace electronics; Certification; Computer architecture; Kernel; Logic gates; Safety; Security;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Digital Avionics Systems Conference (DASC), 2012 IEEE/AIAA 31st
Conference_Location :
Williamsburg, VA
ISSN :
2155-7195
Print_ISBN :
978-1-4673-1699-6
Type :
conf
DOI :
10.1109/DASC.2012.6382411
Filename :
6382411