The SeSaM project
SeSaM is a joint research project of DFKI GmbH, EADS Innovation Works, Fraunhofer IESE, and SYSGO AG, funded by the IT security program of the German Ministry of Education and Research (BMBF).
The aim of the project is to create a foundation for the development and certification of high-assurance operating system components. In particular, the project is about virtualization for centralized platforms that run applications of different criticality. A focus is set on the early development phase, that is, on the definition of security requirements that result in the formulation of a corresponding security policy. Initially this should be done in a generic way using existing approaches and then be instantiated for a concrete system.
The development of high-assurance operating systems must take into account certification at the high (and highest) assurance levels of the Common Criteria for IT Security Evaluation (CC). Work will therefore focus on creating a protection profile (PP) for the generic part and a security target (ST) for the instantiation. To support maximal concretization and to keep the path open for further development up to EAL 6/7, formal methods shall be provided that fit the requirements and policies identified. A further innovative (research) aspect is vertical modularity: when considering the security architecture of a composed product, the security properties of the components are evaluated separately, and the security properties of the evaluated components are then reused for the certification of the composed product.
Today, virtualization technologies are being used in safety- and security-critical application domains to consolidate heterogeneous legacy infrastructure that has grown over decades; aerospace is a good example. Another application domain is the growing networking of terminal devices, which poses new requirements for the data security of embedded systems. Virtualization will therefore very likely become the basis for the entire domain of embedded systems, as well as a key technology for IT systems in general. As the ideal foundation for such virtualization solutions, so-called microkernels have to meet both security and safety requirements. The SeSaM project shall strengthen competency in the field of high-assurance microkernels, develop techniques for applied security assurance, and support future product developments.
Microkernels – Developed in Germany
Essential parts of microkernel technology have been developed in Germany, such as the L4 microkernel family. The PikeOS microkernel has proved to be DO-178B certifiable; for example, it was successfully deployed in the Airbus A350 and A400M. The DO-178B safety attestation provides an excellent foundation for a certification with respect to security requirements. Use cases for provably secure microkernels span application domains as diverse as the secure inter-network architecture (SINA) and software-defined radio (SDR).
Non-technical Aspects
One specific issue to address when certifying components at the highest levels of security is compliance with the respective domestic rules. Given that high assurance is a matter of trust, the international mutual recognition of Common Criteria certificates is restricted to assurance levels up to EAL4; higher assurance levels still require national certification. Today, essential components needed for IT security, especially at the operating system level, are predominantly based on US technology. Moreover, the current protection profiles used in the Common Criteria for IT Security Evaluation (CC) context, such as SKPP, have been developed and certified in the US. However, it is not in the national interest of non-US countries to rely solely on US technology. Therefore, the SeSaM project partners want to provide alternatives. This is why a European CC-certified solution for microkernels makes a lot of sense.
More Details
In detail, the project has the following objectives:
- Security requirements for virtualization solutions: Taking the current state of the art into account, requirements and policies for virtualization solutions shall be analyzed in as generic a way as possible. In this way, a conceptual framework is generated that supports developments in the field by establishing definitions and requirements, thus enhancing comparability. In addition to the more general competency obtained in this important segment, a Protection Profile formulated on this basis will considerably ease further certification efforts.
- Security Target for a microkernel "Made in Germany": A security target for PikeOS will be prepared as a prototypical instantiation of the protection profile. In addition to validating the generic concepts worked out, this shall generate a sustainable basis for the certification of security-critical operating systems in Europe at EAL5.
- Formal Methods: Formal modelling has proven to be extremely useful, especially for requirements analysis. Description methods targeting the notions identified in virtualization solutions allow further development to EAL6/7 and strengthen security competency, which will play a decisive role in the future.
- Modular development and certification: Modular development and certification are indispensable; however, in their vertical dimension (refinement) they lead to problems that are still not fully mastered. In the context of refining security requirements, a modular certification process shall also be worked out on a formal level. The aim is to find an appropriate solution that both leads to manageable proof obligations and is adequate for the implementation of PikeOS.
Presentations & Publications
Feb 20, 2013, 11:15-11:50, Avionics Europe, Munich - Germany
"MILS-related information flow control in the avionic domain: software architectures and verification".
Oct 17, 2012, Digital Avionics Systems Conference (DASC), Williamsburg - Virginia
"MILS-Based Information Flow Control in the Avionic Domain: A Case Study on Compositional Architecture and Verification", http://www.dasconline.org/
Sep 18, 2012, International Common Criteria Conference (ICCC), Paris - France
"CC compositional certification for MILS virtualization platforms"
http://www.iccc2012paris.com/en/program/agenda/
June 25, 2012, WORCS (Workshop on Open Resilient human-aware Cyber-physical Systems), Boston
"MILS-related information flow control in the avionic domain: A view on security-enhancing software architectures", http://dx.doi.org/10.1109/DSNW.2012.6264665
March 22, 2012, Avionics Europe, Munich - Germany
"Safe and Secure Virtualization: From a DO-178B Certified Separation Kernel to Common Criteria Security Certification"
Oct 18, 2011, SAE 2011 AeroTech Congress & Exhibition, Toulouse - France
"From a DO-178B Certified Separation Kernel to Common Criteria Security Certification", session "Avionics Safety & Integrity", http://papers.sae.org/2011-01-2777
In the press
Spiegel Online: "Deutschland will wichtige Systeme abkapseln" (Germany wants to seal off important systems)
Wirtschaftswoche: "Bundesregierung plant Windows-Schutzhülle gegen Hacker" (Federal government plans a protective shell for Windows against hackers)
Computerwoche: "SeSaM und SaSER - kritische IT-Infrastruktur soll sicherer werden" (SeSaM and SaSER: critical IT infrastructure is to become more secure)