Paul Parkinson

Avionics Europe 2013 conference

2013-03-01T01:02:39-08:00

Last week I attended the Avionics Europe 2013 conference, which was held in Munich for the last time perhaps (as it is moving to Abu Dhabi in 2014).

The theme of this year's conference was 'Tackling the Challenges in Avionics: Single Sky Many Platforms', which continued to focus on the growth in air traffic across Europe and challenges arising for air traffic management and navigation. However, rather than continuing to focus on the regulatory challenges as in 2012 (which I have discussed previously), there was a shift in emphasis towards the implementation of technologies such as SESAR.

One of the keynote speakers, Captain Sascha Unterbarnscheidt, A320 Captain and Director Operations Support, Lufthansa Germany made some very interesting observations in his address "Single European Sky - Delivery to Daily Operations". In particular, how the fragmented European air space (compared to the United States), led to ATM inefficiencies in 2011 resulting in 17.9m minutes of ATM delays, 8.1m tonnes of wasted CO2, and increased costs of around 5billion Euros (with the effect on passengers of delayed flights, longer flight times, wasted fuel and increased noise). He then went on to explain how the increased levels of automation and productivity through SESAR would result in increased capacity, reduced costs and lower accident rates.

The impact and benefits of SESAR were also discussed in a number of other presentations at the conference, but the one which really caught my attention was the one which proposed changing the ATM model from peer-to-peer communication over proprietary network infrastructure, to making all airborne and ground-based information available to all users on (publicly-accessible) IP-based networks. I was alarmed at the obvious security implications of this approach, but the potential cyber security threats and their mitigation weren't even mentioned during the presentation. When networking critical infrastructure systems together, security must be considered from the outset rather than as an afterthought!

I also presented a conference paper "Use of ARINC 653 and ARINC 661 in Developing a Touch Screen Avionics Display", which I had co-authored with David Randall of Presagis. This included a discussion on the requirements of the upgrade of a cockpit avionics display for a military rotary-wing platform, and the use of standards-based architectures including ARINC 653 and ARINC 661 with COTS hardware platforms. The paper also presented the experience gained by the use of these technologies on a European military helicopter programme, including the benefits in overcoming hardware obsolescence and the contributions towards reductions in operational and through-life costs.

If you weren't able to attend the conference, we will make the paper available on the Wind River website soon.

The Advent of Multicore MILS

2013-01-11T13:50:17-08:00

It's been a rather long time since my previous blog post. I intended to post a blog before Christmas about our partner Curtiss-Wright's news release about VxWorks MILS support on the VPX6-187, but I simply ran out of time! So here it is as my first blog post of 2013.

The Curtiss-Wright press release was actually quite a game changer. To the casual reader, it may just appear to be about the release of another board support package (BSP) on a leading-edge COTS processor card, but the fact that this BSP supports multicore for a MILS architecture is what separates this press release from other announcements.

When the MILS software architecture was proposed in 1984 by the computer scientist Dr. John Rushby, microprocessors at the time were inherently single-core, and computing performance advances were being driven by clock speed increases and die size, at a rate following Moore's Law.

Over the last decade, single-core processors with robust MMU partitioning have become sufficiently performant to enable viable MILS separation kernels (SK). In recent years Wind River has implemented VxWorks MILS on single-core processor architectures (PowerPC MPC8548), and on multi-core processors, but only running on a single core (dual-core PowerPC MPC8641D, quad-core Intel Core i7).

However, with the VxWorks MILS Platform, Multicore Edition, the VxWorks MILS separation kernel now runs on all eight cores of the Freescale QoriQ P4080 processor concurrently. Yes that's right, I am talking about (MILS && multicore) rather than (MILS XOR multicore). This enables the integration of many MILS solutions on a single processor, creating reduced size, weight and power (SWaP) benefits - even high assurance security-critical systems have tough performance requirements.

The advent of multi-core processor architectures over the last few years has had a dramatic and disruptive effect on the embedded market. This has provided significant benefits in terms of reducing size, weight and power (SWaP), but has also presented some interesting challenges for safe and secure application domains.

For example, the global aerospace market has very mature processes for DO-178B safety-certification on single core processors. Similarly, the security community is approaching maturity for Common Criteria security evaluation on single core processors. But both segments are challenged when driving multicore systems through their respective processes.

There has also been an emerging trend in recent years of individual systems needing to meet both safety-certification and security evaluation, and now with the emergence of multicore, this presents some new regulatory challenges, but the benefits will be worth the effort.

This convergence is discussed in more detail in the white paper 'Safety, Security and Multicore' which is available for download from the Wind River website.

Avionics 2012 report

2012-03-23T14:24:49-07:00

I've just got back from the Avionics Europe 2012 conference and exhibition which was held in Munich.

The theme of this year's conference was 'Common Sky: Operating in One Air Space' focussing on the growth in air traffic across Europe, the challenges arising for air traffic management and navigation, and the development of SESAR air traffic management technologies.

I was keen to hear to how changes to the high-level policies would drive regulatory changes and drive technology requirements.

I didn't have to wait very long, as in his keynote speech, Brigadier General Hans-Georg Schmidt (Vice Commander of 1st German Air Division, and Chairman of the Military Air Traffic Management Board of EUROCONTROL) discussed the implications of the integration of unmanned systems (UAVs, UCAVs) into non-segregated airspace. He discussed the need for unmanned systems to be "sufficiently safe as not to reduce the overal safety of airspace", and said that unmanned systems "must be proven to be safe before their introduction into this environment". (The keynote speech is discussed in more detail by John Keller, conference chairman, in this blog post).

This subject of UAV safety certification was covered in more technical detail by Richard Seitz of Cassidian in his presentation on 'UAV Computing'. He discussed the differences between flight software on piloted aircraft (which leaves the ultimate decision to the pilot) and flight software in unmanned systems which becomes safety-critical in the case of datalink loss, and the need for RTCA DO-178B / EUROCAE ED-12B safety certification of UAV flight software.

It was encouraging to see the subject of UAV safety and the need for software certification being acknowledged, as this was a topic which I had also raised in my conference paper in the context of combined safety and security requirements for unmanned systems (for details see my previous blog).

The other recurring theme at the conference which caught my attention both in the conference and in the exhibition, was the technology disruption of multicore processor architectures, which provides some exciting opportunities for reducing the size, weight and power (SWaP) of avionics systems, but also presents new challenges for hardware and software safety certification. However, there's now significant momentum in the research into these areas, and the experience gained should lead to regulatory guidance and adoption in the near future.

So overall it was an interesting and enjoyable conference, not least for the fine Bavarian hospitality!

Avionics 2012 conference

2012-03-12T11:42:05-07:00

It's been a long time since my previous blog, as unfortunately I've been engrossed in a number of projects!

However, I have just got time to mention that I'm really looking forward to the Avionics Europe conference in Munich on 21-22 March. The conference programme is pretty packed, covering cockpit avionics and technologies for civil and military aircraft; and aircraft, spacecraft and UAV sensor payloads, diagnostics and certification.

I will be presenting a paper on "A Secure Virtualisation Approach to Support Multi-Level Secure Systems, Software Reuse and Incremental Certification" in the Embedded Software session on Wednesday afternoon.

The paper addresses how secure virtualisation approaches can be used to implement a system architecture to securely partition applications and data of different security domains on the same system (such as national Secret and NATO Secret data), whilst enabling the reuse of previously developed software applications and existing intellectual property in an open standards-based communications environment. The paper also includes a discussion on the requirements for supporting incremental safety-certification under RTCA DO-178C / EUROCAE ED-12C and Common Criteria security evaluation at high evaluation assurance levels, and the implementation architecture to support a role-based development process.

Wind River will also be exhibiting at the conference, so why not drop by our stand for a chat and to see a cool avionics display demo?

DSEi 2011: submarine periscopes and invisible tanks

2011-09-19T02:51:04-07:00

Last week, I attended the DSEi defence & security exhibition in London. As usual, it was an enormous event with a huge number of exhibitors, and it seemed to be even better attended than the 2009 event.

I visited some of Wind River's customers and partners, and I was really pleased to see a demo of the VxWorks-powered Astute submarine optronic mast on Thales' stand, which showed the huge difference that the 3-axis image stabilisation makes when using the periscope in rough seas.

While I was at the event, I also took the opportunity to look around at some of the state-of-the-art technologies on display. There were lots of new systems which were focused on 'cyber security', and 'cyber defence', and the application of military-grade cyber security for protecting critical national infrastructure.

However, the system which seemed the most revolutionary to me, was BAE SYSTEMS' ADAPTIV camouflage. There is a long-established problem of military vehicles being vulnerable to detection, and whilst covering tanks with traditional camouflage material can help disguise them in the visible spectrum, this doesn't prevent their detection from infrared (IR) sensors.

BAE SYSTEMS has developed an innovative solution to this problem using state-of-the-art technologies, which is being reported in the media as an 'infrared invisibility cloak'. ADAPTIV provides the ability to hide, blend, disrupt, and disguise the appearance of military targets, and also provides Identification Friend-or-Foe (IFF) for coalition operations to prevent friendly fire.

Unfortunately, the CV90 tank on display at DSEi didn't perform a live demo of ADAPTIV, but the official video teaser on YouTube is so impressive, that I decided to embed it below:

Linux, Common Criteria, and OS Protection Profiles

2011-09-16T02:19:07-07:00

In 2011, computer and network security news stories, which were previously the preserve of specialist journals and blogs, have become commonplace in the mainstream media. There are now many different types of threat, which are sometimes categorised into hacktivist, e-crime and most recently,advanced persistent threats (APT). Whilst some of these attacks have exploited zero day vulnerabilities, many of these attacks have simply taken advantage of the fact that systems have not been configured securely for their deployment environment.

To use an easy–to-understand analogy, consider a wireless router. This device will generally be shipped from the factory in the most flexible, open communication configuration, which will have many or all of the security options disabled. This will be fine if the wireless router is intended to be used as a free public Wi-Fi access point (e.g., cyber cafe), but not for a private business or home office if you want to prevent drive-by wireless hacks). In these cases, wireless encryption such as WPA2 will need to be enabled for the router and clients, and access may even need to be restricted to specific clients via MAC addresses, etc.

For the developer wanting to create a secure product using embedded Linux, the wealth of configurable functionality and security packages can seem overwhelming. In the critical device space, the key question is, "How can one create a Linux configuration for their product which can be secure and meet the security requirements of the product's targeted international markets?" The answer is straightforward and well defined - use standards-based approaches to both configure and prove security robustness.

For IT security, there is one globally-recognised standard, Common Criteria, that a product can be evaluated against, and this evaluation ensures that connected IT products are performed to high and consistent standards. Because Common Criteria is now recognized by 26 countries, product security evaluation using this standard eliminates the burden of duplicating security evaluations in multiple countries by providing international mutual recognition of evaluated products.

To accelerate the Common Criteria evaluation, the product can be developed according to the approved Protection Profile (PP) to ensure that it meets the accepted security requirements for that class of product. A Protection Profile is a document that defines the combination of threats, security objectives, assumptions, security functional requirements (SFRs), security assurance requirements (SARs) and rationales for a specific security target (ST). The PP is used to substantiate vendors' claims of a given family of information system products. The PP for a particular device typically specifies the Evaluation Assurance Level (EAL), a number 1 through 7, indicating the depth and rigour of the security evaluation, usually in the form of supporting documentation and testing, that a product meets the security requirements specified in the PP. In the United Kingdom, CESG supports Common Criteria evaluation and the use of PPs; in the United States, the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) have agreed to cooperate on the development of validated US government PPs.

Common Criteria testing and evaluation can be quite expensive, and adds significant risk to any programme. To help eliminate much of this risk, Wind River has taken this approach for the development of Wind River Linux Secure, a commercial-off-the-shelf (COTS) product which has been certified by NIAP under the US Common Criteria Evaluation Scheme to Evaluation Assurance Level (EAL) 4+ (EAL4 being the highest level which is mutually recognised internationally under the Common Criteria Recognition Arrangement, and "+" referring to the evaluation being augmented with the Security Assurance Requirement ALC_FLR.3, the highest level of systematic flaw remediation).

Wind River Linux Secure was evaluated against the US Government Protection Profile for General Purpose Operating Systems in a Networked Environment (US GP-OSPP). This is a new protection profile which was published by the US National Security Agency's Information Assurance Directorate in August 2010, and supersedes the earlier Role-Based Access Control Protection Profile (RBAC) which was 'sunsetted' from 1st September 2011.

With this COTS GP-OSPP foundation, we expect that evaluating Linux products under similar PPs, like the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) General Purpose Operating System Protection Profile (BSI GP-OSPP) can also be undertaken. The BSI OSPP is also published on the Common Criteria portal, and defines the specific requirements for the German security market. Although there are two separate general-purpose operating system protection profiles, with some specific differences in Security Functional Requirements, there is a lot of commonality, and Wind River’s experience in evaluating a full-featured Linux distribution from kernel.org removes considerable risk from other programmes requiring Common Criteria certification using the US GP-OSPP, BSI GP-OSPP, or other evaluation scheme.

IDEF 2011

2011-05-20T14:37:06-07:00

Last week, I attended the IDEF 2011 defence trade show in Instanbul as part of the Wind River team exhibiting on the Tektronik (Turkish distributor) stand.

Our partner, Curtiss-Wright, who were also exhibiting at the event, had kindly lent me a VPX chassis and VPX6-185 board, which I used to demonstrate a Cross-Domain Solution (CDS) demo running on VxWorks MILS. The demo filters packets of data between black and red networks based on the security classification of the data, and uses multiple partitions to implement sender and receiver on different interfaces.

The demo currently uses a simple encryption algorithm for data passed over the black network (which wouldn't present much of a challenge to GCHQ/CESG or NSA), so I decided to replace it with a stronger encryption algorithm which is more appropriate for real world systems. I initially considered using an open source implementation of AES-256, but then I remembered the export controls on 256-bit AES, so I decided to use a public domain implementation of the Russian GOST 28147-89 (which also uses a 256-bit keys).

I managed to get the GOST encrypt and decrypt routines running fine natively under Windows, and also on the VxWorks Simulator running on the Windows host, but I could not get the GOST decrypt routine to work correctly on the PowerPC target board. It turns out that the GOST algorithm assumes that it's running on a little-endian processor! So, I had to stick with the simple encryption algorithm for the time being, and will have to wait until the Cross-Domain demo is running on VxWorks MILS on Intel architecture before I can use GOST.

Finally, some of my colleagues have been blogging about Wind River's 30th anniversary recently, and some of the things that they have got up to at Wind River. As I've spent my time at Wind working in the Aerospace & Defence sector, there are plenty of cool projects which I've worked on over the years which I can't discuss, but there a some highlights which can mention. For example, it's not every day you get the opportunity to sit in the cockpit of an F-16!

Fun with VxWorks MILS 2.1

2011-04-21T05:51:03-07:00

It’s been a while since my previous blog, as I have been rather preoccupied with responding to a number of RFPs. However, I’ve managed to find some time to work on some demos for VxWorks MILS 2.1, which has been fun.

VxWorks MILS 2.1 introduced support for Wind River Linux as a Guest OS (VxWorks Guest OS and High Assurance Environment (HAE) having been supported in the earlier VxWorks MILS 2.0 release). I wanted to get some more hands-on experience of using Wind River Linux as a Guest OS (GOS) running on the VxWorks MILS 2.1 Separation Kernel (SK). So, I started with a version of the Blaster Blastee demo which had been modified by one of my colleagues in Engineering to use a Linux GOS partition for the Blaster. (Blaster Blastee is a well-known Wind River demo which provides a nice flexible framework for blasting TCP or UDP packets between nodes, testing network connectivity and performance).

I thought it would be an interesting exercise to extend the demo to also use Linux in a second partition as the Blastee (receiver), to demonstrate the scalability and determinism of the MILS SK with multiple Linux virtual boards (VB).

This proved to be quite easy to configure, as I was able to use the same Linux kernel image as the Blaster virtual board, but with different boot parameters (as this virtual board was using a separate dedicated Gigabit Ethernet device on my target board, with its own IP address), and I just invoked the Blastee executable which had been built into the Linux GOS filesystem. Once I had added a timeslot allocation for the Blastee VB into the MILS system schedule, I was able to build and run the system and send packets between the two partitions via external Gigabit Ethernet interfaces.

(Side note: Alternatively, I could have sent packets directly between the two partitions either by using Secure IPC ports via the MILS SK according to pre-defined security policy, or even via an IP tunnel over SIPC, but I used the external Ethernet interfaces, as I wanted to extend the demo further).

The next step was to configure this Linux GOS-based system to send and receive packets via the two Ethernet ports to corresponding VxWorks GOS-based Blaster and Blastee virtual boards on a second board. This configuration can be used to simulate a Public Network and a Secure Network connection between two nodes (see diagram above). The original MILS Blaster Blastee demo also includes a trusted Security Audit partition, running in a High Assurance Environment, which monitors the audit log for each partition, and also a Rogue partition which attempts to illegally access the Secure Network interface to intercept traffic (which is of course prevented by the MILS SK). When this demo is running freely, the link lights on my Gigabit switch flicker away furiously, and the VxWorks MILS partitions report output via the multiplexed serial I/O output to a host console.

To really see inside the system, and to step through the interactions of the sender and receiver (Linux Blaster to VxWorks Blastee over the Secure Network, and VxWorks Blaster to Linux Blastee on the Public Network), I used Wind River Workbench to debug all four connections concurrently, using Linux user-mode agents in each of the Linux VBs, and On-Chip Debugging (OCD) via JTAG to debug the VxWorks Blaster and Blastee. In this way, I could step through the sending and receiving of packets in both directions over the two networks (rather than having to rely on printf(), which would have been difficult to correlate across multiple partitions). The screen shot shows the point at which I am stepping through send and receive (the size of the screen shot is constrained by my 19” monitor).

So, this demo shows how the High Assurance Environment, VxWorks GOS and Linux GOS can all run on top of the MILS Separation Kernel and still provide good network performance despite being in a time-partitioned environment.

Safety-Critical Systems Symposium 2011

2011-02-02T03:27:19-08:00

I'm looking forward to the 19th annual Safety-Critical Systems Symposium which is being held in held in the UK next week.

The conference programme covers a range of subjects including safety cases, testing of safety-critical systems, updates to safety standards, and technologies. On the Thursday afternoon, I will be presenting a paper 'Safety, Security and Multicore'.

Wind River will be participating in the exhibition which is being held on the Wednesday, and we will have a live demo of VxWorks MILS 2.0 running on the stand. So why not pop by to discuss your safety & security requirements?

Farewell to Del.icio.us

2010-12-17T04:40:18-08:00

I was disappointed to read in TechCrunch this morning that Yahoo has decided to shut down the Del.icio.us social bookmarking website (or should I say service?).

I started using Delicious a few years ago after I had become fed up trying to organise my website bookmarks. I often want to bookmark A&D news stories, blog articles, technical papers and standards, etc., so that I can easily find them again when I want to read through them at a more convenient time or when I need to do research for a Wind River article or presentation.

The problem with web browser-based bookmarks is that this approach doesn't scale well for a large number of bookmarks. Web browser bookmarks can be sorted into hierarchical folders, but this can be counter-intuitive if you have inter-related subjects (e.g. safety and security). Also, if you also use more than one web browser as I do, then keeping bookmarks up to date in mulitple places becomes tedious. (I alternate between Firefox and IE depending on which I think is the least insecure at any particular time, Firefox is my current choice due to the NoScript plugin).

Social bookmarking overcomes these issues by allowing you to associate multiple tags with individual bookmarks, e.g. cyber, infosec, safety-critical. This make it much easier to order subjects and inter-related subjects without having to store them hierarchically (e.g. cyber+security+UK). The cloud computing approach also means that instead of tying my bookmarks to one web browser on one computer, I can access them from any computer. (This short video clip from Common Craft explains it much better I than I can). I've found the Delicious bookmarks to be so useful that I even embed them on my personal website so that other people can access them easily.

Sadly, one job I'll need to do over Christmas is to migrate my Delicious bookmarks to another social bookmarking service.