Project deliverable Open Access

Trustworthy MILS: CC Composite Evaluation Approach

Schwarz, Reinhard; Müller, Kevin; Blomberg, Alex Söding-Freiherr; Leconte, Bertrand; Gobbo, Gilles; Paulitsch, Michael; Tillequin, Axel

Leconte, Bertrand; Gilles, Gobbo; Schwarz, Reinhard; Müller, Kevin; Paulitsch, Michael; Blomberg, Axel Söding-Freiherr; Tillequin, Axel

As high assurance software systems are becoming more complex and sophisticated, assuring their security and safety is increasingly difficult and costly. Mono-lithic evaluation approaches do not scale well because evaluation effort grows exponentially with the complexity of the evaluation target. To keep pace with growing assurance demands, a compositional evaluation approach is a promising strategy.

In a compositional evaluation, the individual components of a system are evaluated independently, and these partial evaluation results are composed to derive the overall evaluation verdict with minimum additional effort. The Common Criteria for IT Security Evaluation (ISO/IEC 15408) and the sup-porting documentation offer two different compositional evaluation schemes: the “Composite Product Evaluation for Smart Cards and Similar Devices” (CPE) and the “Composed Assurance Package” (CAP).

In this report, we assess the suitability of CPE in the avionics domain, and we compare this evaluation scheme with its CAP alternative. We use the problem of evaluating an avionic security gateway as a case study to illustrate the implications, advantages, and drawbacks of the CPE approach.

Files (554.1 kB)
Name Size
554.1 kB Download
  • Airlines Electronic Engineering Committee (2005): Commercial Aircraft Information Security Concepts of Operation and Process Framework. ARINC Report 811

  • Christopher Preschern (2012): Catalog of Security Tactics linked to Common Criteria Requirements. In: Proc. 19th Conference on Pattern Languages of Programs (PLoP'12), October 19–21, Tucson, Arizona

  • Common Criteria Development Board (2012): Composite Product Evaluation for Smart Cards and Similar Devices. Common Criteria Supporting Document — Mandatory Technical Document, Version 1.2 (CCDB-2012-04-001)

  • Common Criteria Development Board (2012): Security Architecture Requirements (ADV_ARC) for Smart Cards and Similar Devices — Appendix 1.Supporting Document — Guidance, Version 2.0 (CCMB-2012-04-04)

  • Common Criteria Development Board (2012): Security Architecture Requirements (ADV_ARC) for Smart Cards and Similar Devices. Supporting Document — Guidance, Version 2.0 (CCMB-2012-04-03)

  • Common Criteria Maintenance Board (2012): Common Criteria for Information Technology Security Evaluation, CCv3.1 Revision 4 (CCMB-2012-09-001, -002, -003)

  • Common Criteria Maintenance Board (2012): Common Methodology for Information Technology Security Evaluation, CEMv3.1 Revision 4 (CCMB-2012-09-004)

  • Defence R&D Canada (2004): Review of the Composability Problem for System Evaluation. DRDC Ottawa CR 2004-19

  • EURO-MILS consortium: Deliverable D11.1: Project Requirements: Classification, Cross-domain analysis and High-Level Architecture

  • EURO-MILS consortium: Deliverable D12.3: Multiple Independent Levels of Security: Operating System (MILS PP: Operating System)

  • EURO-MILS consortium: Deliverable D21.1: MILS Architecture

  • Information Assurance Directorate (2007): U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, Version 1.03

  • ISO/IEC 15408:2009: Information technology — Security techniques — Evaluation criteria for IT security (= CCv3.1)

  • ISO/IEC 18045:2008: Information technology — Security techniques — Methodology for IT security evaluation (= CEMv3.1)

  • Jim Alves-Foss, W. Scott Harrison, Paul Oman, and Carol Taylor (2006): The MILS Architecture for High-Assurance Embedded Systems. International Journal of Embedded Systems, Vol. 2, No. 3/4, pp. 239–247

  • RTCA/EUROCAE (2000): Design Assurance Guidance for Airborne Electronic Hardware. DO-254 / ED-80

  • RTCA/EUROCAE (2012): Software Considerations in Airborne Systems and Equipment Certification. DO-178C / ED-12C

  • RTCA/EUROCAE(2011): Airworthiness security methods and considerations. DO-YY3/ED-203, Working Draft

  • W. Vanfleet, R. Beckwith, B. Calloni, J. Luke, C. Taylor, and G. Uchenick (2005): MILS: Architecture for High-Assurance Embedded Computing. CrossTalk: Journal of Defence Software Engineering, Vol. 18, No. 8, pp. 12–16

All versions This version
Views 4343
Downloads 3636
Data volume 19.9 MB19.9 MB
Unique views 4343
Unique downloads 3434


Cite as