compositional certification
play

Compositional Certification John Rushby Computer Science Laboratory - PowerPoint PPT Presentation

Mar 10, 2024 •344 likes •522 views

Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Compositional Certification: 1 Systems, Components, and Properties Security, for example, is a system property

  1. Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Compositional Certification: 1

  2. Systems, Components, and Properties • Security, for example, is a system property • But there is a compelling case to establish a marketplace for security-relevant components (cf. MILS) ◦ Secure file systems, communications subsystems, operating system kernels ◦ Filters, downgraders, authentication services • Want the security of these components to be evaluated • In such a way that security evaluation for a system built on these is largely based on prior evaluations of the components • This is an example of compositional assurance • Wanted for safety and other critical system properties as well as security John Rushby, SR I Compositional Certification: 2

  3. Component-Based Design and Compositional Assurance • Component-based design ◦ Take some off the shelf components ◦ Build some bespoke components ◦ Connect them all together with glue (components) To achieve the required functionality ◦ We understand the functionality of the system by understanding the functions of its components • Compositional assurance ◦ This is the idea that we can provide assurance for properties of a component-based system based on preconstructed assurance for properties of its components John Rushby, SR I Compositional Certification: 3

  4. Why Is Compositional Assurance Hard? • Assurance considers properties, not just function ◦ Properties depend on component interactions as much as on individual component behavior ◦ And must consider what must not happen • Assurance must consider faults and malice ◦ Including those that subvert the design ◦ In particular, those that vitiate the separation into components and bypass the interfaces between them ◦ i.e., those that create unintended interactions • So assurance for components must anticipate this and provide very strong guarantees, and must consider interactions as well as local behavior John Rushby, SR I Compositional Certification: 4

  5. Frameworks for Compositional Assurance • Assurance is about properties delivered at interfaces • So, for compositional assurance, we need: ◦ Precise properties ⋆ Must be meaningful at interfaces ⋄ So they can be evaluated locally ⋆ Must be meaningful in combination ⋄ So they compose to yield evaluable system properties ◦ Precise interfaces (the paths for component interaction) ⋆ There must be no paths for component interaction outside the known interfaces, even in the presence of faults, or of malice in untrusted components • Feasibility of compositional assurance depends on architectural frameworks that guarantee interfaces ◦ E.g., TTA (safety), MILS (security) John Rushby, SR I Compositional Certification: 5

  6. Compositional Analysis • Computer scientists have ways to do compositional verification of programs—e.g., prove ◦ Program A guarantees P if environment ensures Q ◦ Program B guarantees Q if environment ensures P Conclude that A || B guarantees P and Q • Assumes programs interact only through explicit computational mechanisms (e.g., shared variables) • Software and systems can interact through other mechanisms ◦ Computational context: shared resources ◦ Noncomputational mechanisms: the controlled plant • Need eliminate, control, and understand these paths for interaction ◦ Requirement is no unintended interactions John Rushby, SR I Compositional Certification: 6

  7. Unintended Interaction Through Shared Resources • This must not happen • Need an integration framework (i.e., an architecture) that guarantees composability Composability: properties of a component are preserved when it is used within a larger system • This is what partitioning is about in avionics • Or separation in a MILS security context John Rushby, SR I Compositional Certification: 7

  8. Composability Partitioning ensures composability of components • Properties of a collection of interacting components are preserved when they are placed (suitably) in the environment provided by a collection of partitioning mechanisms • Hence partitioning does not get in the way • And the combination is itself composable • Hence components cannot interfere with each other nor with the partitioning mechanisms John Rushby, SR I Compositional Certification: 8

  9. Additivity Partitioning mechanisms compose with each other additively • e.g., partitioning(kernel) + partitioning(network) provides partitioning(kernel + network) Partitioning (composability and additivity) make the world safe for compositional reasoning John Rushby, SR I Compositional Certification: 9

  10. Illustration: MILS Security policy is enforced by trusted subjects (colored circles) interacting over known channels (arrows); prefer many small, simple trusted subjects to few complex ones; can afford this because we can efficiently and securely share physical resources among separate logical circles and arrows Separation Kernel Secure sharing is ensured by foundational components, which enforce partitioning/separation Partitioning TSE File System John Rushby, SR I Compositional Certification: 10

  11. Unintended Interaction Through The Plant • The notion of interface must be expanded to include assumptions about the noncomputational environment (i.e., the plant) ◦ Cf. Ariane V failure (due to differences from Ariane IV) • Compositional reasoning must extend to take the plant into account (i.e., composition of hybrid systems) • Control engineers do this, computer scientists are less familiar with it • Must consider response to failures ◦ Avoid domino effect ◦ Control number of cases (otherwise exponential) • And dynamic system compositions ◦ Medical devices are a good case study John Rushby, SR I Compositional Certification: 11

  12. State of Practice in Compositional Assurance • Not endorsed by any stringent certification regime I am familiar with ◦ Because of the interaction issue: the current way to deal with this is to look at the whole system and inside every component • E.g., the FAA certifies only airplanes, engines, propellers ◦ Some weak mechanisms for components ⋆ Reusable Software Components (AC 20-148) ◦ And for incremental construction of certification ⋆ Integrated Modular Avionics (DO-297/ED-124) ◦ But the initial certification is always whole system, not compositional, and they reserve the right to look inside components • Perhaps we need to rethink the basis for certification John Rushby, SR I Compositional Certification: 12

  13. Approaches to Certification • All assurance is based on arguments that purport to justify certain claims , based on documented evidence • There are two approaches to assurance: standards-based, and goal-based • They differ in how explicit is the claims, evidence, argument structure John Rushby, SR I Compositional Certification: 13

  14. The Standards-Based Approach to Software Certification • E.g., airborne s/w (DO-178B), security (Common Criteria) • Applicant follows a prescribed method (or processes) ◦ Delivers prescribed outputs ⋆ e.g., documented requirements, designs, analyses, tests and outcomes, traceability among these • Standard usually defines only the evidence to be produced • The claims and arguments are implicit • Hence, hard to tell whether given evidence meets the intent • Works well in fields that are stable or change slowly ◦ Can institutionalize lessons learned, best practice ⋆ e.g., evolution of DO-178 from A to B to C • But less suitable with novel problems, solutions, methods John Rushby, SR I Compositional Certification: 14

  15. The Goal-Based Approach to Software Certification • E.g., air traffic management (CAP670 SW01), UK aircraft • Applicant develops an assurance case ◦ Whose outline form may be specified by standards or regulation (e.g., MOD DefStan 00-56) ◦ Makes an explicit set of goals or claims ◦ Provides supporting evidence for the claims ◦ And arguments that link the evidence to the claims ⋆ Make clear the underlying assumptions and judgments ⋆ Should allow different viewpoints and levels of detail • The case is evaluated by independent assessors ◦ Explicit claims, evidence, argument John Rushby, SR I Compositional Certification: 15

  16. A Science of Certification • Certification is ultimately a judgment • But the judgment should be based on rational argument supported by adequate explicit and credible evidence • A Science of Certification would be about ways to develop that argument and evidence • Favor goal-based over standards-based approaches ◦ At the very least, expose and examine the claims, arguments and assumptions implicit in standards • Be wary of demands for more and more evidence, with implicit appeal to diversity and independence ◦ Instead favor explicit multi-legged cases • Use formal (“machinable”) design descriptions ◦ Can then use automated analysis methods John Rushby, SR I Compositional Certification: 16

  17. Summary • We already do component-based design • We urgently need methods for component-based certification ◦ Compositional certification • Crucially dependent on architectural frameworks that eliminate unintended component interactions through shared resources ◦ Partitioning in avionics, separation in MILS security • Need a scientific basis for certification that deals comprehensively with these issues • Goal-based certification provides the best foundation for this • A community effort is needed to move this forward John Rushby, SR I Compositional Certification: 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International

Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International

Compositional Certification for MILS John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Compositional Cert for MILS: 1 Intuitive Security Architecture Almost all system designs are portrayed in

548 views • 28 slides
Beyond Integration: The Challenge of Compositional Assurance John Rushby Computer Science

Beyond Integration: The Challenge of Compositional Assurance John Rushby Computer Science

Beyond Integration: The Challenge of Compositional Assurance John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Compositional Assurance: 1 Assurance and Certification: The Traditional

551 views • 29 slides
1 2 3 KASS Certification Procedure Operation System Certification Certification Training

1 2 3 KASS Certification Procedure Operation System Certification Certification Training

1 2 3 KASS Certification Procedure Operation System Certification Certification Training Inspection/Audit Establish MoC Status of Operator/ Maintainer Manual, Function Identify CRB Record and Interfaces Result of Form Ground/

618 views • 24 slides
CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO

CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO

CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO APPLY TO WRITE Once you have logged into the Then under Certification The Certification committee Application Forms may be CAPLA website using

687 views • 37 slides
A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston College g , g Andrew W. Appel, Princeton University Jan 8 2006 Jan 8, 2006 1 Mobile Code Security Protect trusted system against

561 views • 26 slides
1 CERTIFICATION Coming to you soon! 2 What is OPTA VIA Certification? OPTA VIA

1 CERTIFICATION Coming to you soon! 2 What is OPTA VIA Certification? OPTA VIA

1 CERTIFICATION Coming to you soon! 2 What is OPTA VIA Certification? OPTA VIA Certification is based on Dr. As Habits of Health Transformational System and is available to all Coaches who want to apply and reinforce their knowledge of

613 views • 19 slides
Certification Pathway to CCC-A Todd R. Philbrick, CAE Director, Certification Ex Officio to the

Certification Pathway to CCC-A Todd R. Philbrick, CAE Director, Certification Ex Officio to the

ASHA Certification Pathway to CCC-A Todd R. Philbrick, CAE Director, Certification Ex Officio to the CFCC Presentation Overview What is Certification? CCC-A Certification Standards CCC-A Application Process FAQs Keep your

209 views • 19 slides
Bruno Gavranovi c SYCO2 Compositional Deep Learning December 18, 2018 1 / 36 Compositional

Bruno Gavranovi c SYCO2 Compositional Deep Learning December 18, 2018 1 / 36 Compositional

Bruno Gavranovi c SYCO2 Compositional Deep Learning December 18, 2018 1 / 36 Compositional Deep Learning Bruno Gavranovi c Faculty of Electrical Engineering and Computing (FER) University of Zagreb, Croatia bruno.gavranovic@fer.hr

1.22k views • 102 slides
Timer Certification Clinic Timer Certification A prerequisite for training and certification in

Timer Certification Clinic Timer Certification A prerequisite for training and certification in

Timer Certification Clinic Timer Certification A prerequisite for training and certification in all other positions (Descriptions in some of the following slides are as indicated in the rules, although it is not unusual for the referee to

378 views • 10 slides
Wastewater Laboratory Certification Overview 1 What is laboratory certification? Laboratory

Wastewater Laboratory Certification Overview 1 What is laboratory certification? Laboratory

Wastewater Laboratory Certification Overview 1 What is laboratory certification? Laboratory certification is a process that provides formal recognition to the managerial and technical competence of a laboratory performing specific analyses

853 views • 50 slides
AEROREADY CERTIFICATION Components to AEROready TM Certification In order to award an AEROready TM

AEROREADY CERTIFICATION Components to AEROready TM Certification In order to award an AEROready TM

AEROREADY CERTIFICATION Components to AEROready TM Certification In order to award an AEROready TM certification, our consulting team analyses hundreds of site selection criteria with emphasis on the following 10 items Assessment of airport

1.08k views • 75 slides
IIBA Certification Overview 1 Topics A. Benefits of Attaining an IIBA Certification B. IIBA

IIBA Certification Overview 1 Topics A. Benefits of Attaining an IIBA Certification B. IIBA

IIBA Certification Overview 1 Topics A. Benefits of Attaining an IIBA Certification B. IIBA Certification Options C. Applying for Certification D. Exam Activities Register and Prepare E. Benefits of BABOK studying 2/13/2018, p. 1

127 views • 10 slides
SOUTH DAKOTA DEPARTMENT OF EDUCATION OFFICE OF EDUCATOR CERTIFICATION Certification@state.sd.us

SOUTH DAKOTA DEPARTMENT OF EDUCATION OFFICE OF EDUCATOR CERTIFICATION Certification@state.sd.us

SOUTH DAKOTA DEPARTMENT OF EDUCATION OFFICE OF EDUCATOR CERTIFICATION Certification@state.sd.us OUTCOME OF PRESENTATION Understand the importance of educator certification Ability to create a user id and apply for certification

698 views • 53 slides
Compositional Real-Time Scheduling Framework Insik Shin 1 , Insup Lee 1 1 University of

Compositional Real-Time Scheduling Framework Insik Shin 1 , Insup Lee 1 1 University of

Compositional Framework Bounded Delay Resource Model Schedulability Analysis Utilization Bounds Component Abstraction Conclusion Compositional Real-Time Scheduling Framework Insik Shin 1 , Insup Lee 1 1 University of Pennsylvania 15 November

362 views • 33 slides
Voluntary EU certification for Voluntary EU certification for non-residential buildings

Voluntary EU certification for Voluntary EU certification for non-residential buildings

Voluntary EU certification for Voluntary EU certification for non-residential buildings Definition of an Energy Performance Scale Jana Bendalov BUILDING TESTING AND RESEARCH INSTITUTE / Slovakia 09 January 2012 1 Context

609 views • 19 slides
ABIM Certification and Maintenance of Certification You You ACC ABIM ACC ABIM Your

ABIM Certification and Maintenance of Certification You You ACC ABIM ACC ABIM Your

ABIM Certification and Maintenance of Certification You You ACC ABIM ACC ABIM Your professional The Certifying Body society (also ABP, AOA) Help you as a Accountable to the member public Outline 1. Background & Environmental

1.38k views • 29 slides
Semantics CMSC 723 / LING 723 / INST 725 M ARINE C ARPUAT marine@cs.umd.edu Last week Intro to

Semantics CMSC 723 / LING 723 / INST 725 M ARINE C ARPUAT marine@cs.umd.edu Last week Intro to

Compositional Semantics CMSC 723 / LING 723 / INST 725 M ARINE C ARPUAT marine@cs.umd.edu Last week Intro to Semantics Meaning representations motivated by semantic processing for specific applications 2 approaches to semantic

426 views • 40 slides
Compositional Software Model Checking Dan R. Ghica Oxford University Computing Laboratory

Compositional Software Model Checking Dan R. Ghica Oxford University Computing Laboratory

Compositional Software Model Checking Dan R. Ghica Oxford University Computing Laboratory October 18, 2002 Outline of talk program verification issues the semantic challenge programming languages the logical challenge

854 views • 38 slides
A compositional approach to statistical computing, machine learning, and probabilistic

A compositional approach to statistical computing, machine learning, and probabilistic

A compositional approach to statistical computing, machine learning, and probabilistic programming Darren Wilkinson @darrenjw darrenjw.github.io Newcastle University, UK / The Alan Turing Institute Bristol Data Science Seminar Bristol

687 views • 45 slides
Dirichlet Regression in R the DirichletReg package Marco Maier WU Vienna . Februar

Dirichlet Regression in R the DirichletReg package Marco Maier WU Vienna . Februar

Dirichlet Regression in R the DirichletReg package Marco Maier WU Vienna . Februar COMPOSITIONAL DATA . . . 1 Compositional Data . . . are composed of a set of variables whose contents are in a certain interval and sum

569 views • 17 slides
Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben

Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben

Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben Moos 1 , Amir Moradi 1 , Tobias Schneider 2 and Franois-Xavier Standaert 2 Horst Grtz Institute for IT Security, Ruhr-Universitt Bochum,

694 views • 46 slides
Certifying Compositional Model Checking Algorithms in ACL2 Sandip Ray John Matthews Mark Tuttle

Certifying Compositional Model Checking Algorithms in ACL2 Sandip Ray John Matthews Mark Tuttle

Certifying Compositional Model Checking Algorithms in ACL2 Sandip Ray John Matthews Mark Tuttle ACL2 Workshop Presentation July 14, 2003 Outline Motivation and Goals Technical Background Comments on Our Work Issues and

609 views • 31 slides
Numerical Solution of Compositional Two-Phase Flow in Porous Media P. Bastian Collaborators: M.

Numerical Solution of Compositional Two-Phase Flow in Porous Media P. Bastian Collaborators: M.

Numerical Solution of Compositional Two-Phase Flow in Porous Media P. Bastian Collaborators: M. Blatt, O. Ippisch, R. Neumann Universit at Heidelberg Interdisziplin ares Zentrum f ur Wissenschaftliches Rechnen Im Neuenheimer Feld 368,

567 views • 34 slides
Per-Thread Compositional Compilation for Confidentiality-Preserving Concurrent Programs Robert

Per-Thread Compositional Compilation for Confidentiality-Preserving Concurrent Programs Robert

Per-Thread Compositional Compilation for Confidentiality-Preserving Concurrent Programs Robert Sison 13 Jan 2018 THE UNIVERSITY OF NEW SOUTH WALES www.data61.csiro.au A confidentiality-preserving program Cross Domain Desktop Compositor

1.49k views • 118 slides

More recommend