R&D Projects

SeSaM Project

The SeSaM Project

SeSaM is a joint research project of DFKI GmbH, Airbus, Fraunhofer IESE, and SYSGO AG,
funded by the IT security program of the German Ministry of Education and Research (BMBF).

The aim of the project is to create a foundation for the development and certification of high-assurance operating system components. In particular, the project is about virtualization for centralized platforms that run applications of different criticality. A focus is set on the early development phase, that is, on the definition of security requirements that result in the formulation of a corresponding security policy. Initially this should be done in a generic way using existing approaches and then be instantiated for a concrete system.

The development of high-assurance operating systems must consider a certification according to high (and highest) assurance levels of the Common Criteria for IT Security Evaluation (CC). Therefore, work will be focused on the creation of a protection profile (PP) for the generic part and a security target (ST) for the instantiation. To support a maximal reification and to ensure further development capability up to EAL 6/7, formal methods shall be provided fitting the requirements and policies that have been identified. A further innovative (research) aspect is vertical modularity: this means that when considering the security architecture of a composed product, security properties of the components are separately evaluated, and then the security properties of the evaluated components are reused for the certification of the composed product.

Today, virtualization technologies are being used in safety- and security-critical application domains to consolidate heterogeneous legacy infrastructure grown over decades, a good example being aerospace. Another application domain is the growing networking of terminal devices that poses new requirements for the data security of embedded systems. Thus, virtualization will very likely be the basis for the entire domain of embedded systems, as well as a key technology for IT systems in general. As an ideal foundation for such virtualization solutions, so-called microkernels have to meet both security and safety requirements. The SeSaM project shall strengthen competency in the field of high-assurance microkernels, develop assurance techniques for applied security assurance, and support future product developments.


Essential parts of microkernel technologies have been developed in Germany, such as the L4 microkernel family. The PikeOS microkernel has proved DO-178B certifiable

Non-technical Aspects

One specific issue to address when certifying components at the highest levels of security is to comply with respective domestic rules. Given that high-assurance is a matter of trust, the international, mutual recognition of Common Criteria certificates is restricted to assurance levels up to EAL4

More Details

In detail, the project has the following objectives:

  • Security requirements for virtualization solutions: Considering the current state of the art, requirements and policies for virtualization solutions shall be analyzed as generically as possible. This produces a conceptual framework that supports developments in the field by establishing definitions and requirements, thus enhancing comparability. In addition to the more general competency obtained in this important segment, a Protection Profile formulated on this basis will considerably ease further certification efforts.
  • Security Target for a microkernel "Made in Germany": A security target for PikeOS will be prepared as a prototypical instantiation of the protection profile. In addition to validating the generic concepts worked out, this shall generate a sustainable basis for a certification of security-critical operating systems in Europe for EAL5
  • Formal Methods: Formal modelling has been shown to be extremely useful, especially for requirements analysis. Description methods targeting the identified notions in virtualization solutions allow a further development to EAL6/7 and strengthen security competency, which will play a decisive role in the future.
  • Modular development and certification: Modular development and certification are indispensable

Presentations & Publications

Feb 20, 2013, 11:15-11:50, Avionics Europe, Munich - Germany
"MILS-related information flow control in the avionic domain: software architectures and verification".

Oct 17, 2012, Digital Avionics Systems Conference (DASC), Williamsburg - Virginia
"MILS-Based Information Flow Control in the Avionic Domain: A Case Study on Compositional Architecture and

Sep 18, 2012, International Common Criteria Conference (ICCC), Paris - France
"CC compositional certification for MILS virtualization platforms"

June 25, 2012, WORCS (Workshop on Open Resilient human-aware Cyber-physical Systems), Boston
"MILS-related information flow control in the avionic domain: A view on security-enhancing software architectures"

March 22, 2012, Avionics Europe, Munich - Germany
"Safe and Secure Virtualization: From a DO-178B Certified Separation Kernel to Common Criteria Security Certification"

Oct 18, 2011, SAE 2011 AeroTech Congress & Exhibition, Toulouse - France
"From a DO-178B Certified Separation Kernel to Common Criteria Security Certification", session “Avionics Safety & Integrity”


In the press

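Spiegel Online: "Deutschland will wichtige Systeme abkapseln" (Germany wants to seal off important systems)
Wirtschaftswoche: "Bundesregierung plant Windows-Schutzhülle gegen Hacker" (Federal government plans a protective shell for Windows against hackers)
Computerwoche: "SeSaM und SaSER - kritische IT-Infrastruktur soll sicherer werden" (SeSaM and SaSER - critical IT infrastructure to become more secure)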