Combining MILS with Contract-Based Design for Safety and Security Requirements

  • Alessandro Cimatti
  • Rance DeLong
  • Davide Marcantonio
  • Stefano Tonetta
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9338)


The distributed MILS (D-MILS) approach to high-assurance systems is based on an architecture-driven end-to-end methodology that encompasses techniques and tools for modeling the system architecture, contract-based analysis of the architecture, automatic configuration of the platform, and assurance case generation from patterns. Following the MILS paradigm (“MILS” was originally an acronym for “Multiple Independent Levels of Security”; today we use “MILS” as a proper name for an architectural approach and an implementation framework, promulgated by a community of interested parties and elaborated by ongoing MILS research and development efforts), the architecture is pivotal both to define the security policy that is to be enforced by the platform and to design safety mechanisms such as redundancy or failure monitoring. In D-MILS we enriched these security guarantees with formal reasoning to show that the global system requirements are met provided the local policies are guaranteed by the application components. We consider both safety-related and security-related requirements, and we analyze the decomposition while also taking into account the possibility of component failures. In this paper, we give an overview of our approach and exemplify the architecture-driven paradigm for design and verification with an example of a fail-secure design pattern.


Keywords: MILS · Contract-based design · Safety and security · Formal verification



This work was performed on the D-MILS project (“Distributed MILS for Dependable Information and Communication Infrastructures”, European Commission FP7 ICT grant no. 318772), with our partners fortiss, Verimag, RWTH Aachen, U of York, Frequentis, Lynx, TTTech, and INRIA, funded partially under the EC’s Seventh Framework Programme.



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Alessandro Cimatti (FBK-irst, Trento, Italy)
  • Rance DeLong (The Open Group, Reading, UK)
  • Davide Marcantonio (FBK-irst, Trento, Italy)
  • Stefano Tonetta (FBK-irst, Trento, Italy)
