Conference paper Open Access
The aviation industry needs to assure the reliable operation of aircraft. While this reliability has many aspects, this talk focused on the aspect of information technology for the electronic on- and off-board equipment. Modern architectures of avionics, the aircraft's electronic systems, are driven by denser integration into embedded platforms and the interconnection of these systems with each other. In addition, the aircraft's ecosystem demands new connectivity solutions for several stakeholders, e.g. passengers, airlines or air traffic management. This trend of transferring the previously closed, federated systems into interconnected Integrated Modular Avionics offering additional services introduces the potential risk of threats and increased attack surfaces, allowing intruders to harm the operation of the aircraft. Countering these threats is a challenge for the aviation industry that needs new system design approaches.
The concept of Multiple Independent Levels of Security (MILS) can provide such a system design for equipment operating in high-assurance environments. Due to its properties of separation and controlled information flow, MILS is a promising design approach for the secure integration of several systems into one hardware platform. While this idea has been part of research for the past decades, MILS can also be used as a software design concept for a single embedded system. This approach divides the system under development into several sub-functions that can be implemented and executed inside isolated runtime compartments. Information flows between these compartments are mediated by the MILS platform. This divide-and-conquer approach decouples critical code from less critical code, limits the perimeter of the internal software dependencies and allows a localized verification of sub-functions.
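To make the "controlled information flow" property concrete, here is an added toy model (not code from the paper or from any MILS platform) of a compartment-level flow policy: the platform admits only allow-listed flows, and a transitive-reachability check verifies that no compartment outside the aircraft-control domain can reach one inside it, even through relays. Compartment names, domains and rules are constructed for illustration.

```python
"""Added example, not from the paper: a toy model of a MILS information-flow
policy between isolated compartments. All names and rules are constructed."""
from collections import deque

# Constructed compartments, each assigned to an assumed security domain.
COMPARTMENTS = {
    "flight_ctrl": "aircraft_control",
    "maint_log": "aircraft_control",
    "airline_ops": "airline",
    "ife_server": "passenger",
}

# Explicit allow-list of (source, destination) flows; anything absent is denied.
# Constructed rules: data may leave the control domain, but never enter it.
POLICY = {
    ("flight_ctrl", "maint_log"),
    ("maint_log", "airline_ops"),
    ("ife_server", "airline_ops"),
}

def mediate(src, dst, policy=POLICY):
    """Platform-side check applied to every message: True only for listed flows."""
    if src not in COMPARTMENTS or dst not in COMPARTMENTS:
        raise KeyError(f"unknown compartment: {src} -> {dst}")
    return (src, dst) in policy

def reachable(src, policy=POLICY):
    """All compartments that can receive data from src, directly or via relays."""
    seen, queue = {src}, deque([src])
    while queue:
        cur = queue.popleft()
        for s, d in policy:
            if s == cur and d not in seen:
                seen.add(d)
                queue.append(d)
    seen.discard(src)
    return seen

def domain_violations(critical_domain="aircraft_control", policy=POLICY):
    """Localized verification of the policy: report every non-critical compartment
    that can reach a critical-domain compartment through any chain of flows."""
    violations = set()
    for src, dom in COMPARTMENTS.items():
        if dom == critical_domain:
            continue
        for dst in reachable(src, policy):
            if COMPARTMENTS[dst] == critical_domain:
                violations.add((src, dst))
    return violations
```

Adding a single rule such as `("airline_ops", "maint_log")` is enough for `domain_violations()` to flag both the direct flow and the indirect one from the passenger compartment, which is the kind of border check the paper's feasibility study targets.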
This paper presents the general security environment in which avionics are developed and operated, explains the introduced MILS software design approach in more detail, provides the identified advantages and disadvantages of using this concept, and discusses the results of a feasibility study using a common avionic high-assurance system to control the information exchange at security domain borders.