Modern computing heavily relies on embedded systems built to solve very specific problems. At the same time, the advent of the Internet of Things means that these systems will be increasingly connected with each other, and the weakest link in terms of security can quickly take down whole networks and physical systems with it in case of hacking. The EURO-MILS project has developed a high-assurance security architecture to prevent such disasters from happening, which is currently being tested in automotive systems.

Digital Economy

EURO-MILS is riding the wave of ‘security by design’ – in a world where many computing systems are built with security as an after-thought rather than a core functionality. This means that instead of producing devices that constantly need to be patched to ensure security – which is inefficient, time-consuming and costly – the four-year project has come up with a small virtualisation platform that offers the secure decomposition of complex embedded systems into independent components. ‘Networked systems need to be aware of surrounding systems and correspondently receive, handle, verify, process and send information. With embedded systems this problem is brought to a whole new level: interconnections create extremely complex systems and it becomes very difficult to guarantee security in systems combining components from various vendors’, says Sergey Tverdyshev, coordinator of EURO-MILS and director R&T at SYSGO. ‘In this context, what we bring to the table is a methodology that enables the system developer to generate security assurance evidence coherently with design decisions. There is no gap between what the system shall do, does, and why it does it correctly.’ The MILS approach As its name suggests, EURO-MILS relies on the Multiple Independent Levels of Security (MILS) approach – a high-assurance security architecture based on the concepts of separation and controlled information flow. ‘The MILS approach provides a way to execute mixed-critical applications on one system and still to have that system certified to the highest security and safety assurance levels. This is extremely interesting for the likes of car infotainment systems: Android applications can run on the same platform as the AUTOSAR applications communicating with the engine,’ says Tverdyshev. Thanks to a separation kernel that has already undergone avionic certification and is deployed in commercial aircrafts, the MILS approach separates system parts into independent security domains that can only exchange data via explicitly defined channels. System resources such as CPUs, CPU time, memory, IO devices or files are assigned to compartments, and the communication channels between these compartments are defined with respect of the required security policies and API. A separation kernel brings separation by default, and any interaction has to be configured explicitly. This keeps the attack surface small and supports well secure development that emphasizes threat modelling at an early stage. A cross-domain approach Over the duration of the project, the team developed use cases for the automotive and avionics industries – respectively a mixed-critical system able to prevent issues such as the recent hack of Jeep’s electronic control unit and infotainment systems, and a gateway between two aircraft domains to control information flow exchanges according to pre-defined security policies and standards. Now, the partners are keeping busy by developing products for various other sectors. ‘For example we are deploying our system in the subway of a European capital,’ says Tverdyshev. ‘Exploiting this cross domain capability is of course very challenging, as we need to smoothly integrate and support existing practices and strong certification requirements for safety-critical systems in each of these sectors.’ This challenge is being tackled by the ‘MILS community’ established in 2014, which will take part in the biggest embedded systems trade-show ‘Embedded World’ in March 2017. ‘Many results have already been translated into commercial products despite the fact that EURO-MILS was a research project, Tverdyshev notes. ‘There are automotive systems that already use project results in on-road testing and pre mass-production stages, and a brand new innovation project will pick up where EURO-MILS left off to target systems deployed in railway control systems, subway communication systems and smart grid control systems.’

Keywords

EURO-MILS, cyber security, embedded systems, MILS, Android, infotainment, automotive, avionics