A few weeks have passed since the ESE Congress in Sindelfingen took place, so it is time for a retrospective on an interesting part of the congress: the 2019 workshop on Multiple Independent Levels of Security (MILS). Security experts from different companies gave interesting lectures on their perspectives on MILS. Lively and deep discussions of the different design and verification approaches, including their relation to MILS, gave the participants new views.

The community was very engaged, and discussions continued well after the official end of the workshop. Let me say this in advance: we are already looking forward to the next workshop! So, while you are waiting for next year with us, here is a brief summary of the presented topics:

Sergey Tverdyshev (SYSGO) gave an introduction to MILS and its architectural approach, whose stable concepts have prevailed and remained relevant for over 40 years. His presentation included news since the 2018 MILS workshop, e.g. two separation kernels have obtained Common Criteria for Information Technology Security certifications. There is also ongoing work at the Common Criteria Users’ Forum, e.g. a survey on separation kernels and their security requirements. Moreover, in the certMILS research project on the compositional certification of MILS systems, a MILS design has received one of the first IECEE IEC 62443-4-1 industrial communication network security standard certifications ever. In the CITADEL research project on critical infrastructure protection using adaptive MILS systems, new work has been done, including demonstrations in voice processing and subway environments. Thus, we see a rising curve of adoption of the MILS concepts and results.

Pierre Girard (Gemalto) used the challenge of securing cars as a motivational example, taken from his work. Pierre then gave an overview of different options for creating assurance when deploying security functionality, such as cryptographic keys, in a distributed system. The options range from process isolation through dedicated coprocessors and dedicated cores to dedicated chips. He gave an example where the PikeOS MILS separation kernel used keys stored in a dedicated secure environment.

Daniel Schreckling (BMW) presented a future-oriented architecture for integrating security monitors into an E/E architecture. In a typical safety-critical system there is not necessarily a central entity, and he suggested that individual components themselves provide security policies in a decentralized way. The information flows and security policies implied by the local reference monitors can be checked via offline static model checking and/or online dynamic model checking. The kind of information flow monitoring and/or control needed could be provided by dedicated hardware and/or MILS systems.

Juan Sanchez (DEKRA) works in security testing. He reported on his experiences with IEC 62443 and Common Criteria penetration testing. Based on examples, he described typical vulnerabilities that he was able to exploit in systems in general. For instance, in black-box testing of a communication dongle he was able to extract data such as vehicle identification numbers from unencrypted Bluetooth, access lighting control via OBD-II, and upload malicious files to the customer servers. We discussed the type of devices Juan typically gets on the table today and the vulnerabilities discovered. We also discussed how the security level of these devices could be increased by using the MILS concept.

Daniele Lacamera (wolfSSL) showed small-footprint implementations of cryptographic algorithms, which are widely used, e.g. in automotive embedded systems. Certification activity includes FIPS. MILS separation kernels are often used to protect the cryptographic keys and operations of these cryptographic algorithms, e.g. in mixed-criticality systems.

At the component level, we discussed the use of the hardware/software boundary for separation. At the system level, we discussed the distribution of monitors/reference managers and how to strike a balance between flexibility and centralization, e.g. the extent to which a system shall be observed by static/dynamic analysis. Discussions also touched on broader topics, even including the applicability of quantum cryptography. In summary, this seems to reflect that MILS as a whole can be viewed as a design concept, in scope perhaps similar to the design concept of an operating system, and therefore familiarity with this pattern has many viewpoints (from the component level, from the system level, from a verification level, from a certification level).