Page 1
RTSecureCorba-1
Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed for profit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.
Secure, Real-Time CORBA: Requirements for Military Avionics
Presented to OMG/NSA Workshop, April 1997
Roberta Gotfried
(310) 334-7655
[email protected]
Dennis Finn
(310) 334-1043
[email protected]
Page 2
Outline
• Characteristics of Military Avionics Processing Environments
• Software Architecture Issues in Military Avionics Systems
• Real-Time Requirements
– RT CORBA Functional Requirements
– Real-Time Features of Avionics Operating Systems, POSIX and Ada95
– Which Real-Time Requirements Are Implemented in the Application, OMG’s OMA, OS, Hardware?
• Evolution of Avionics Processing Architectures
• Security Requirements
– Information Security is a Recognized Requirement in Airborne Systems
– Security Features of F-22 & Future Military Avionics Systems
– Which Security Requirements Are Implemented in the Application, OMG’s OMA, OS, Hardware?
• Technical Risk Reduction Plan for CORBA in Military Avionics
Page 3
Characteristics of Military Avionics Processing Environments
• Real-Time: Periodic & Aperiodic Events; Hard Real-Time; Resource Management - QoS
• Processing: Serial & Parallel; Signal & Data
• Parallel Processing: Cache Coherent Shared Mem versus Message Passing Distributed Mem (e.g., Mercury)
• I/O: Multiple Buses; Not Typically TCP/IP; Streaming Data
• Adaptive Behavior: Increase or Decrease Processing Load in Response to Dynamic Environment (e.g., sensor resolution, EW, Fire Control, Radar Modes, ...)
• Security: Military & Intelligence Threats; Multi-Level; International
• Mission Critical: Lives Depend on Correct Operation (BIT, Fault Management, System Integrity)
• Embedded: Remote Operations; Field Replaceable Modules; Size, Weight and Power: 2X Increase => 10X $ Increase
Page 4
Example Avionics Processing Architecture
[Figure: example avionics processing architecture. Apertures and sensor front ends (RF arrays, EO/FLIR/IRST, missile warning, radar, EW/ESM, CNI, acoustics, inertial sensors, air data system) connect through digital/analog modules to signal processors and data processors over integrated backplanes (switched networks, parallel and serial buses). A fiber-optic avionics bus plus sensor and video networks link displays, controls, cockpit indicators, mass memory, recorders, the electrical power system, the flight control system and other aircraft systems.]
This architecture is taken from the Joint Advanced Strike Technology Program Avionics Architecture Definition, Version 1.0, dated 9 August 1994.
Page 5
Software Architecture: Issues in Military Avionics Systems
• Evolution (Evolvability)
• Increased Situational Awareness
– Increased Survivability and Lethality
• Aircraft Life Cycle Cost
– Development
– Maintenance
– Upgrades (technology, function, cost reduction)
• Scalability at Runtime
CORBA represents part of a solution to address many of these challenges.
Page 6
System Evolvability: 20 - 30 Year Life Cycle
• Why Upgrade: Parts Obsolescence; Changes in Functionality & Performance
• Cost-Effective Upgrades
– Reengineer Legacy S/W, OO, Reuse, COTS
– Revalidation strategies for cost, reliability, correctness (flight test)
Page 7
Increased Situational Awareness (Survivability & Lethality)
[Figure: network of platforms and nodes sharing situational-awareness information: INTEL, GBS, Common MGS, JTIDS Net, JSF, JSTARS, Rivet Joint, EP-3E, AWACS, E-2C, U-2R, TIERs, etc., AOC, CVBG, MAGTF.]
Page 8
Decreasing Aircraft Life Cycle Costs
• API Standards Increase Portability
• OO Software Architectures Increase System Modularity
• CORBA Increases Portability of Objects & Interoperability Between Objects
• Increased Potential for Reuse and for Use of COTS Components Lowers Development and Incremental Upgrade Costs
• Software: Jovial, Ada83, other --> Jovial, Ada95, COTS, Legacy Reuse, other
• Increased Use of COTS Standards: Portability, Interoperability, Scalability
• Increased Use of COTS Hardware & Software Components
• Fewer Hardware Module Types
Page 9
Run-Time Scalability (PROSE)
[Figure: processor-node map of a scalable parallel system. Application nodes: RADAR: S/T, RADAR: SAR, IMAGERY PROCSG, E/O IMAGER, SENSOR FUSION, ATR, SMA, MISS PLNG, SECUR COMM, OPEN COMM, E/W; several I/O nodes (including I/O WAN and I/O RAID); Sys Mgr Console / Maint. Access; Hard Store / Sys Reload; and a pool of SPARE nodes.]
Page 10
Real-Time CORBA Required in Military Avionics
• All Real-Time SIG (ORBOS) Activities Necessary in Military Avionics
– Fault Tolerance WG
– Flexible Bindings WG
– Embedded ORB WG
– Multiple Protocols WG (low latency transport, RT IOP, UDP GIOP, ...)
– Time Services WG
– End-to-end Timeliness Predictability WG
– Scheduling WG
– Run Time Performance Metrics WG (Metrics SIG - initial RFI real-time market)
• Real-Time Parallel Processing for CORBA Needed in Military Avionics
– Parallel ORB Supporting SPMD Applications on MIMD Parallel Processor
– No OMG SIG/WG on Parallel Processing Platform
– Tandem Has Parallel ORB for Fault Tolerance on Proprietary Non-Stop Processor
– MPI De Facto Standard in HPCC Community - RT MPI as RT SIG RFI Response
– DARPA HPC++
Page 11
Real-Time OS + CORBA + Security in Military Avionics
• JSF, DISA (AJPO), and USAF Wright Lab funded Hughes to evaluate and determine the suitability of the POSIX and AOS APIs, and Ada 95 features for real-time embedded software
– Areas of Interest: availability, performance, security, and supportability tradeoffs
– Delta Document Comparing RT POSIX (IEEE 1003.5b/D5), AOS, Ada 95
• 165 page Delta Doc on OMG Server: orbos/97-03-02, orbos/97-03-03
• Examining CORBA + Security Implications for AOS/POSIX/Ada95 in Military Avionics
Page 12
SAE Requirements
• Communication
• Data Security
• Task Control
• Instrumentation
• Timer Services
• File Management
• Input / Output
• Synchronization
• Data Conversion
• Built-In Test
• Bootup/Initialization/Shutdown
• Memory Management
• Configuration
• Program Support
• Non-Operational Support
• Reinitialization
• Special Devices
Page 13
Real-Time POSIX Should Address
Requirements:
• Program Support
• Data Security
• Memory Management
• Input Output
• Data Conversion
• Fault Management
• Non-Operational Support
Number of Requirements:
• 108 Total Requirements
Findings:
• Significant POSIX Deficiencies were Found in:
– Program Support
– Data Security
– Memory Management
– Input Output
– Data Conversion
– Fault Management
– Non-Operational Support
Recommendation:
• Present The Missing Requirements to The Real-Time Working Group.
• Get a Consensus on The Needed Requirements.
• Implement The Agreed-on Requirements.
• Migrate Any Requirements That have not Been Agreed-on to Category 4.
• Recommend The Implementation of Ada Bindings of Any Relevant Requirements.
[Chart: bar chart (0% to 100%) of requirements coverage for POSIX, AOS and Ada-95, with a second series labelled "POSIX Should Address".]
Page 14
The Trend in APIs
Ada + POSIX
• Real-Time Functionality Lacking in OS, POSIX, and Ada
• Considerable Overlap in OS, POSIX, and Ada
[Charts: three bar charts (0% to 100%) of the share of functionality provided by each API layer: Past (POSIX, RTOS, HOL), Present (POSIX, AOS, Ada-95) and Future (POSIX, AOS, Ada-95).]
Ada + POSIX
• High Order Functionality in Ada
• General OS Functionality in POSIX
• Hardware Specific Functionality in RTOS
Page 15
Evolution of Avionics Processing Architectures
Secure Processor Architectures Enable: Federated System Properties → Integrated Avionics Properties
Federated System Properties:
• Data Security Importance: Protect Classified Information From Leaking
• Data Security Approach:
1. Each Unit At Application High
2. "Natural" Red/Black Separations
• Single Application Within Each Physical Boundary
• Single Applications Developer Per Unit
• Debugging Scope Is Limited to Application
[Figure: federated configuration with separate units for Displays, Mass Store, Radar, Communication/Nav, IRST and Electronic Combat, each with its own Data Processor and/or Signal Processor.]
Integrated Avionics Properties:
• Data Security Importance: Protect Classified Information; Prevent Illicit Interactions Between Applications
• Data Security Approach:
1. "Built-in" Robust Hardware and Software Separation Mechanisms: Trusted Computing Base (TCB)
2. Assurance Through Trust Engineering Discipline
• Multiple Applications Sharing Many Common Resources
• Multiple Applications Developers
• Multiple Applications Debugging
[Figure: Integrated Signal and Data Processing; software for Radar, IRST, EC, Comm/Nav, Mission Mgmt and Pilot Interface share common computing resources, connected to Displays.]
Page 16
Air Vehicle Interfaces Extend Beyond the Operational Environment
[Figure: a Gateway and Network connect the air vehicle (Diagnostics, Mission Support, Instrumentation, Data Processing, Integrity Monitoring: Flight & Environ. Data, BIT, IOBD Results) to the life-cycle phases Design, Manufacture, Develop, Logistics, Analyze Problems, Manage, Test and Evaluate, and Operate and Support, and to functions including Requirements Definition, Design Modeling and Analysis, Design Analysis, Existing Systems, Product Definition (Eng. Drawings, Parts, Materials), NC Equip. Fabrication, Manufacturing Planning, Manufacturing Analysis, Software Development, Configuration Management, CDRL Tracking, Cost Accounting, Schedule and Performance Monitoring, Resource Planning and Control, TO Authoring, Provisioning, Integrity and R&M Analysis, Logistics Analysis, LSA, Training, Training Development, Maintenance, Diag. and Mission Support. All are backed by Data Repositories and the IWSDB Data Dictionary & Directory.]
The IWSDB Data Dictionary logically integrates Data Repositories which may be physically located anywhere on the network.
Page 17
Information Security is a Recognized Requirement in Airborne Systems
Information
• Off-Board Information
– National Assets: COMINT, ELINT, IMINT
– Threat Assets: HUMINT, Surveillance
• On-Board Information
– Mission Plan
– Threat/Target Information
– Aircraft Capabilities and Technology
– Databases
– Electronic Keys
Multi Level Security
• SAP/SAR
• SCI
• Codeword
• NOFORN
• NATO
• Confidential
• Secret
• Top Secret
Example Security Threats in Airborne Systems
• Insider Threat (developers, maintainers)
• Disclosure
• Eavesdropping
• Penetration
• Traffic Analysis
• Masquerading (Spoofing, Malicious Logic)
• Emissions Attack
• Reverse Engineering (Tech/Alg)
• Penetration (Maintenance)
• Falsification
• Obstruction (Overload)
Applications
• F-22
• Joint Strike Fighter
• Upgrades to Existing
– RECCE
– JSTARS
– E2C
– F15
– Comanche
• Data Fusion
• Sensor Fusion
• Situation Awareness
• RealTime Intell
• Integrated Avionics
• Off-Board Sensors
• SATCOM
Page 18
JSF Secure Avionics Architecture Concept
[Figure: Integrated Core Processing connected to Vehicle Management, Pilot Vehicle Interfacing, Stores Management, Integrated RF Sensing (Shared Apertures) and Integrated EO Sensing, with a Security Perimeter boundary drawn on the diagram and the following external equipment: Audio Control Panel, Data Transfer Equipment/Mass Memory, Portable Maintenance Aid, Airborne Video Tape Recorder, Instrumentation Tape Recorder, Crypto Key Fill.]
Page 19
Air Vehicle Interfaces with Security Characteristics
[Figure: the Air Vehicle at the centre, with links to MPS, Other JSF A/C, Remote Stations, Displays/Video Tape, System Build via JIMS, External Environment, TCTS Ground Station, Nav Station, Flight Data Tape, On-Board Tape, Other Platforms and JIMS (Avionics). Link annotations used in the figure: (Unencrypted), (Encrypt Key 1), (Encrypt Key 2).]
Data flows and their security characteristics as labelled in the figure:
• Flight Data - Confidential
• Mission Data (Unencrypted)
• EW Input (Unclassified)
• EO Input (Unencrypted)
• Radar Pulses - Secret (Unencrypted)
• IFF Pulses [TRANSEC] (Unclassified IFF Key)
• Expendables/Decoys (Secret) (Unencrypted)
• ECM
• TCTS Data - System High (Encrypted with TCTS key)
• Nav Data (Uncl & Encryp. Secret GPS)
• Display Data - System High, Multilevel (encrypted with key 1 or key 2 depending on max level of data)
• IFDL Data - System High; TS/All SARs (Encrypted with TS/SAR IFDL Traffic Key)
• MIDS Data - Secret (MIDS Traffic Key)
• Comm. - Voice High, Conf. & Sec (U/VHF Traffic Key, One Level per Transmission)
• Comm. - Clear Voice (Unencrypted)
• SATCOM Data - Multilevel (Encrypted)
• Instrumentation Data - System High (Unencrypted)
• Security Audit Data/Other (Encrypted with Key 1 or Key 2 Depending on A/C Level)
• FW Inputs (UDF/Countermeasures/Libraries), Multilevel (Encrypted with Key 1 or Key 2)
• Fault Codes/SW Load/Vehicle Status/Test Commands (Unclassified - Except for Unencrypted Confidential FW Load)
• On-Board Tape (Unclassified)
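The multilevel-security rules stated across the "Information Security", "Evolution of Avionics Processing Architectures" and interface slides (levels Confidential/Secret/Top Secret, compartments such as SAP/SAR, SCI, NOFORN and NATO, a TCB that prevents illicit interactions between applications, and a shared channel "encrypted with key 1 or key 2 depending on max level of data") can be expressed as a small label lattice with a dominance check. The Python below is an added illustration, not Hughes, JSF or OMG code; the key names KEY_1/KEY_2, the rule that key 1 covers data up to Confidential, and the sample flows are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Hierarchical levels. The deck lists Confidential, Secret and Top Secret;
# Unclassified appears on the interface diagram.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Non-hierarchical compartments and caveats named on the MLS slide.
COMPARTMENTS = frozenset({"SAP/SAR", "SCI", "CODEWORD", "NOFORN", "NATO"})


@dataclass(frozen=True)
class Label:
    """A sensitivity label: one hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")
        unknown = self.compartments - COMPARTMENTS
        if unknown:
            raise ValueError(f"unknown compartments {sorted(unknown)}")

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND compartments a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

    def __str__(self) -> str:
        comps = "/" + ",".join(sorted(self.compartments)) if self.compartments else ""
        return self.level + comps


def least_upper_bound(labels: Iterable[Label]) -> Label:
    """The 'max level of data' on a shared channel: highest level, union of compartments."""
    labels = list(labels)
    if not labels:
        return Label("UNCLASSIFIED")
    top = max(labels, key=lambda lab: LEVELS[lab.level]).level
    comps = frozenset().union(*(lab.compartments for lab in labels))
    return Label(top, comps)


def may_flow(data: Label, destination_clearance: Label) -> bool:
    """No-write-down check a TCB applies before letting data cross from one
    application or partition to another, or out to an external interface."""
    return destination_clearance.dominates(data)


def select_channel_key(labels: Iterable[Label]) -> str:
    """Choose the channel key from the max level of the data carried on it.
    ASSUMPTION (not stated in the deck): key 1 covers data up to Confidential,
    key 2 covers Secret and above."""
    bound = least_upper_bound(labels)
    return "KEY_1" if LEVELS[bound.level] <= LEVELS["CONFIDENTIAL"] else "KEY_2"


Flow = Tuple[str, Label, str, Label]  # (source, data label, destination, destination clearance)


def mediate(flows: Iterable[Flow]) -> List[str]:
    """Apply may_flow to each requested flow and return one audit line per decision;
    the DENY lines are what the security audit channel should carry."""
    audit = []
    for src, data, dst, clearance in flows:
        verdict = "ALLOW" if may_flow(data, clearance) else "DENY"
        audit.append(f"{verdict} {src} -> {dst} [{data}] (dst cleared {clearance})")
    return audit


# Constructed sample flows, loosely modelled on the interface diagram above.
SAMPLE_FLOWS: List[Flow] = [
    ("radar", Label("SECRET"), "display", Label("TOP SECRET", frozenset({"SAP/SAR"}))),
    ("ifdl", Label("TOP SECRET", frozenset({"SAP/SAR"})), "on_board_tape", Label("UNCLASSIFIED")),
    ("nav", Label("UNCLASSIFIED"), "maintenance_aid", Label("UNCLASSIFIED")),
    ("mids", Label("SECRET", frozenset({"NOFORN"})), "nato_link", Label("SECRET", frozenset({"NATO"}))),
]

if __name__ == "__main__":
    for line in mediate(SAMPLE_FLOWS):
        print(line)
    # The display channel carries everything the sample sources produce, so key 2 is selected.
    print("display channel key:", select_channel_key(flow[1] for flow in SAMPLE_FLOWS))
```

The NOFORN-to-NATO case shows why compartments matter independently of level: both labels are Secret, but neither dominates the other, so the mediator denies the flow and the denial lands in the audit record rather than silently on the link.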
Page 20
Technical Risk Reduction Plan for CORBA in Military Avionics
• Real-Time, Secure CORBA
– Performance Assessment of COTS ORBs (execution time & memory usage)
– Real-Time, Trusted ORB Supporting MLS Using Standard RTOS API (e.g., AOS)
• Increased Experience Using CORBA With Ada95 on Real-Time, Embedded COTS Processor (e.g., OIS/Iona Orbix/Ada on PPC)
• Profiles of COTS ORBs - Use Only The Necessary Functionality
• Extensible ORBs (e.g., I/O)
• Parallel, Real-Time, Secure CORBA Applications
– De Facto Parallel Processing API Standards (i.e., MPI, Embedded MPI, Real-Time MPI) for Scalability
– Real-Time, Secure OS Experience in COTS Parallel Processors (e.g., DARPA PROSE for Intel TeraFlops)
– Secure, RT CORBA for SPMD Applications on COTS Embedded Parallel Processors (e.g., Mercury, CSPI, Sky)
• Demonstrate Scalable, Real-Time, Secure Military Application Software Using CORBA on Embedded Processors
Page 21
Summary
• CORBA Provides Same Benefits to Commercial and Military Systems
– Standard APIs Increase Application Portability
– Heterogeneous Languages, COTS Components, Reuse
– Interoperability Between Distributed Objects
• Military Avionics Systems Require Solutions That Address Combinations of
– Security + Real-Time + Embedded + Fault Tolerance + Scalability
• CORBA Needs to Provide
– Flexibility in Security Policy and Models
– Well-Defined and Acceptable Levels of Assurance in ORBs
– Security Architecture That Clearly Defines OS/ORB Roles