RTSecureCorba-1Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Secure, Real-Time CORBARequirements for Military Avionics

Presented to OMG/NSA WorkshopApril 1997

Roberta Gotfried

(310) 334-7655

rgotfried@msmail4.hac.com

Dennis Finn

(310) 334-1043

dfinn@msmail4.hac.com

RTSecureCorba-2Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Outline

• Characteristics of Military Avionics Processing Environments

• Software Architecture Issues in Military Avionics Systems

• Real-Time Requirements– RT CORBA Functional Requirements

– Real-Time Features of Avionics Operating Systems, POSIX and Ada95

– Which Real-Time Requirements Implemented in the Application, OMG’s OMA, OS, Hardware?

• Evolution of Avionics Processing Architectures

• Security Requirements– Information Security is a Recognized Requirement in Airborne Systems

– Security Features of F-22 & Future Military Avionics Systems

– Which Security Requirements Implemented in the Application, OMG’s OMA, OS, Hardware?

• Technical Risk Reduction Plan for CORBA in Military Avionics

RTSecureCorba-3Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Characteristics ofMilitary Avionics Processing Environments

• Real-Time: Periodic & Aperiodic Events; Hard Real-Time; Resource Management - QoS

• Processing: Serial & Parallel; Signal & Data

• Parallel Processing: Cache Coherent Shared Mem versus Message Passing Distributed Mem (e.g., Mercury)

• I/O: Multiple Buses; Not Typically TCP/IP; Streaming Data

• Adaptive Behavior: Increase or Decrease Processing Load in Response to Dynamic Environment (e.g., sensor resolution, EW, Fire Control, Radar Modes, ...)

• Security: Military & Intelligence Threats; Multi-Level; International

• Mission Critical: Lives Depend on Correct Operation (BIT, Fault Management, System Integrity)

• Embedded: Remote Operations; Field Replaceable Modules; Size, Weight and Power: 2X Increase => 10X $ Increase

RTSecureCorba-4Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Example Avionics Processing Architecture

DIGITAL/ANALOG MODULES DIGITAL ANALOG

SIGNALPROCESSORS

DATAPROCESSORS

INTEGRATED BACKPLANES

APERTURESSENSOR

FRONT ENDSF.O.

NETWORK DISPLAYSAIRCRAFTSYSTEMS

EOFLIR/IRST

MISSILEWARNING

RADAR

EW/ESM

CNI

CONTROLS

MASSMEMORY

COCKPITINDICATORS

ELEC POWERSYS

FLIGHT CONTROLSYSTEM

INERTIALSENSORS

AIR DATASYSTEM

RF

ARRAYS

ACOUSTICS

DISPLAY

DISPLAY

DISPLAY

DISPLAY

•••

F.O.NETWORK

RECORDERS

SENSOR

NETWORK

VIDEO

NETWORK

SWITCHED NETWORKS

PAR. & SERIAL BUSES

SWITCHED NETWORKS

PAR. & SERIAL BUSES

ANALOG DIGITAL

FO

AVIONICS

BUS

This architecture is taken from the Joint Advanced Strike Technology Program Avionics Architecture Definition, Version 1.0 dated 9 August 1994

•••

RTSecureCorba-5Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Software Architecture:Issues in Military Avionics Systems

• Evolution (Evolvability)

• Increased Situational Awareness– Increased Survivability and Lethality

• Aircraft LifeCycle Cost– Development

– Maintenance

– Upgrades (technology, function, cost reduction)

• Scalability at Runtime

CORBA represents part of a solution to address many of these challenges.

RTSecureCorba-6Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

System Evolvability20 - 30 Year LifeCycle

• Why Upgrade: Parts Obsolescence; Changes in Functionality & Performance• Cost-Effective Upgrades

– Reengineer Legacy S/W, OO, Reuse, COTS

– Revalidation strategies for cost, reliability, correctness (flight test)

RTSecureCorba-7Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Increased Situational Awareness(Survivability & Lethality)

INTEL

GBSCommon

MGS

CommonMGS

JTIDSNet

JSF

JSTARS

Rivet Joint EP--3E AWACSE-2C

U-2RTIERsEtc.

AOCCVBG

MAGTF

RTSecureCorba-8Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Decreasing Aircraft Life Cycle Costs

• API Standards Increase Portability

• OO Software Architectures Increase System Modularity

• CORBA Increases Portability of Objects & Interoperability Between Objects

• Increased Potential for Reuse and for Use of COTS Components Lowers Development and Incremental Upgrade Costs

• Software: Jovial, Ada83, other --> Jovial, Ada95, COTS, Legacy Reuse, other

• Increased Use of COTS Standards: Portability, Interoperability, Scalability

• Increased Use of COTS Hardware & Software Components

• Fewer Hardware Module Types

RTSecureCorba-9Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Run-Time ScalabilityPROSE

RADAR: S/T

IMAGERYPROCSG

E/O IMAGER

SENSOR- FUSION

I/O

I/O

I/O

I/O

ATR

SMA

MISS PLNG

SECUR COMM

OPENCOMM

I/O

E/W

I/O WAN

I/O RAID

Sys MgrConsole,Maint. Access

Hard Store,Sys Reload

SPARE

SPARE

SPARE

SPARE

SPARE

RADAR: SAR

SPARE

RTSecureCorba-10Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Real-Time CORBARequired In Military Avionics

• All Real-Time SIG (ORBOS) Activities Necessary in Military Avionics– Fault Tolerance WG

– Flexible Bindings WG

– Embedded ORB WG

– Multiple Protocols WG (low latency transport, RT IOP, UDP GIOP, ...)

– Time Services WG

– End-to-end Timelinenss Predictability WG

– Scheduling WG

– Run Time Performance Metrics WG (Metrics SIG - initial RFI real-time market)

• Real-Time Parallel Processing for CORBA Needed in Military Avionics– Parallel ORB Supporting SPMD Applications on MIMD Parallel Processor

– No OMG SIG/WG on Parallel Processing Platform

– Tandem Has Parallel ORB for Fault Tolerance on Proprietary Non-Stop Processor

– MPI DeFacto Standard in HPCC Community - RT MPI as RT SIG RFI Response

– DARPA HPC++

RTSecureCorba-11Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Real-Time OS + CORBA + Securityin Military Avionics

• JSF, DISA (AJPO), and USAF Wright Lab funded Hughes to evaluate and determine the suitability of the POSIX and AOS APIs, and Ada 95 features for real-time embedded software

– Areas of Interest: availability, performance, security, and supportability tradeoffs

– Delta Document Comparing RT POSIX (IEEE 1003.5b/D5), AOS, Ada 95• 165 page Delta Doc on OMG Server: orbos/97-03-02, orbos/97-03-03

• Examining CORBA + Security Implications for AOS/POSIX/Ada95 in Military Avionics

RTSecureCorba-12Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

SAE Requirements

Communication

Data Security

Task Control Instrumentation

Timer Services

File Management

Input / Output

Synchronization

Data Conversion Built-In TestBootup/Initialization/

ShutdownMemory Management

Configuration

Program Support

Non-Operational Support

Reinitialization

Special Devices

RTSecureCorba-13Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Real-Time POSIX Should Address

RequirementsRequirements:

•Program Support•Data Security•Memory Management•Input Output•Data Conversion•Fault Management•Non-Operational Support

Number of RequirementsNumber of Requirements:•108 Total Requirements

FindingsFindings:

•Significant POSIX Deficiencies were Found in:•Program Support•Data Security•Memory Management•Input Output•Data Conversion•Fault Management•Non-Operational Support

RecommendationRecommendation:

•Present The Missing Requirements to The Real-Time Working Group.

•Get a Consensus on The Needed Requirements.

•Implement The Agreed-on Requirements.

•Migrate Any Requirements That have not Been Agreed-on to Category 4.

•Recommend The Implementation of Ada Bindings of Any Relevant Requirements.

POSIX AOS Ada-950%

20%

40%

60%

80%

100%

POSIX AOS Ada-95

POSIX Should Address

RTSecureCorba-14Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

The Trend in APIs

Ada + POSIXAda + POSIX•Real-Time Functionality Lacking in OS, POSIX, and Ada•Considerable Overlap in OS, POSIX, and Ada

POSIX RTOS HOL0%

20%

40%

60%

80%

100%

POSIX RTOS HOL

Past

POSIX AOS Ada-950%

20%

40%

60%

80%

100%

POSIX AOS Ada-95

Present

POSIX AOS Ada-950%

20%

40%

60%

80%

100%

POSIX AOS Ada-95

Future

Ada + POSIXAda + POSIX•High Order Functionality in Ada•General OS Functionality in POSIX•Hardware Specific Functionality in RTOS

RTSecureCorba-15Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Evolution of Avionics Processing Architectures

Secure Secure ProcessorProcessorArchitectures Architectures EnableEnable

Data Security Importance:• Protect Classified Information From Leaking

Data Security Approach:1. Each Unit At Application High2. "Natural" Red/Black Separations

• Single Application Within Each Physical Boundary• Single Applications Developer Per Unit• Debugging Scope Is Limited to Application

Federated System Properties: Integrated Avionics Properties:

Data Security Importance:• Protect Classified Information• Prevent Illicit Interactions Between ApplicationsData Security Approach:1. "Built-in" Robust Hardware and Software

Separation Mechanisms: Trusted Computing Base (TCB)

2. Assurance Through Trust Engineering Discipline

• Multiple Applications Sharing Many Common Resources

• Multiple Applications Developers• Multiple Applications Debugging

Displays

Mass Store

Radar

Communication/Nav

IRST

Electronic Combat

Integrated Signal and Data

Processing

Software for:• Radar• IRST• EC

Share Common Computing Resources

• Comm/Nav• Mission Mgmt• Pilot Interface

Displays

RadarCommunication

IRSTElectronic Combat

Nav

Mission

Data Processor

Signal Processor

Data Processor

Signal Processor

Data Processor

Signal Processor

Data Processor

Signal Processor

Data Processor

Data Processor

RTSecureCorba-16Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Air Vehicle Interfaces Extend Beyond the Operational Environment

Gateway

Manage Test and Evaluate Operate and Support

Design Manufacture Develop Logistics Analyze Problems

Network

Diagnostics

MissionSupport

Instrumentation

DataProcessing

MissionSupport

Integrity Monitoring Flight & Environ. Data BIT, IOBD Results

Product DefinitionEng. Drawings,Parts, Materials

SoftwareDevelopment

CostAccounting

ConfigurationManagement

CDRLTracking

Schedule andPerformanceMonitoring

ResourcePlanning

and Control

NC Equip.Fabrication

ManufacturingPlanning

TOAuthoring

Provisioning Integrity and R&M Analysis

ManufacturingAnalysis

Design Analysis

LogisticsAnalysis

Maintenance Maintenance

RequirementsDefinition

Design Modelingand Analysis

ExistingSystems

Training

LSA TrainingDevelopment

The IWSDB Data Dictionary logically integrates Data Repositories which may be physically located anywhere on the network.

Diag.

Data Repositories

IWSDBData Dictionary

& Directory

RTSecureCorba-17Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Information Security is a Recognized Requirement in Airborne Systems

• Click to add text• National Assets– COMINT– ELINT– IMINT

• Threat Assets– HUMINT– Surveillance

Information

Off-Board Information

• Mission Plan• Threat/Target Information• Aircraft Capabilities and Technology• Databases• Electronic Keys

On-Board Information

Multi Level Security

SAP/SAR

SCI

Codeword

NOFORN

NATO

ConfidentialConfidentialSecretSecret

Top SecretTop Secret

Example Security Threats in Airborne Systems

• Insider Threat (developers, maintainers)• Disclosure• Eavesdropping• Penetration• Traffic Analysis• Masquerading (Spoofing,Malicious Logic)• Emissions Attack• Reverse Engineering (Tech/Alg)• Penetration (Maintenance)• Falsification• Obstruction (Overload)

Applications• F-22• Joint Strike Fighter• Upgrades to Existing

– RECCE– JSTARS– E2C– F15– Comanche

• Data Fusion• Sensor Fusion• Situation Awareness• RealTime Intell• Integrated Avionics• Off-Board Sensors• SATCOM

RTSecureCorba-18Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

JSF Secure Avionics Architecture Concept

VehicleManagement

Pilot Vehicle Interfacing

Stores Management

Integrated RF SensingSharedApertures

Integrated EO Sensing

Integrated CoreProcessing

--- --- ---

--- --- ---

Audio Control Panel

Data Transfer Equipment/Mass Memory

Portable Maintenance Aid

Security Perimeter Airborne VideoTape Recorder

InstrumentationTape Recorder

Crypto Key Fill

RTSecureCorba-19Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Air Vehicle Interfaces with Security Characteristics

Air

Vehicle

Flight Data - Confidential

MPS

Other JSFA/C

RemoteStations

Mission Data(Unencrypted)

DisplaysVideo Tape

SystemBuildvia JIMS

ExternalEnvironment

TCTSGround Station

Nav Station

(Unencrypted)

(Encrypt Key 1)

(Encrypt Key 2)

Unclassified

EW Input

(Unclassified)EO Input

(Unencrypted)Radar Pulses - Secret

(Unencrypted)

IFF Pulses [TRANSEC]

(Unclassified IFF Key)

Expendables/Decoys (Secret)(Unencrypted)

TCTS Data -System High

(Encrypted with TCTS key)

Nav Data

(Uncl & Encryp. Secret GPS)

Display Data - System High

Multilevel (encrypted with key 1 or key 2 depending on max level of data)

IFDL Data - System High

MIDS Data - Secret

(MIDS Traffic Key)

(U/VHF Traffic Key One Level per Transmission)

Comm. - Clear Voice

(Unencrypted)

Instrumentation Data - System High

(Unencrypted)

FlightData Tape

ECM

Security Audit Data/Other(Encrypted with Key 1 or Key 2 Depending on A/C Level)

FW Inputs (UDF/Countermeasures/Libraries)

Multilevel (Encrypted with Key 1 or Key2)

SATCOM Data - Multilevel(Encrypted)

Fault Codes/SW Load/Vehicle Status/Test Commands

(Unclassified - Except for UnencryptedConfidential FW Load)

TS/ All SARs

(Encrypted with TS/SAR IFDL Traffic Key)

Comm. - Voice High

Conf. & Sec

OtherPlatforms

On-Board Tape

(Unclassified)

JIMS(Avionics)

RTSecureCorba-20Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Technical Risk Reduction Planfor CORBA in Military Avionics

• Real-Time, Secure CORBA– Performance Assessment of COTS ORBs (execution time & memory usage)

– Real-Time, Trusted ORB Supporting MLS Using Standard RTOS API (e.g., AOS)

• Increased Experience Using CORBA With Ada95 on Real-Time, Embedded COTS Processor (e.g., OIS/Iona Orbix/Ada on PPC)

• Profiles of COTS ORBs - Use Only The Necessary Fuctionality

• Extensible ORBs (e.g., I/O)

• Parallel, Real-Time, Secure CORBA Applications– DeFacto Parallel Processing API Standards (i.e., MPI, Embedded MPI, Real-Time

MPI) for Scalability

– Real-Time, Secure OS Experience in COTS Parallel Processors (e.g., DARPA PROSE for Intel TeraFlops)

– Secure, RT CORBA for SPMD Applications on COTS Embedded Parallel Processors (e.g., Mercury, CSPI, Sky)

• Demonstrate Scalable, Real-Time, Secure Military Application Software Using CORBA on Embedded Processors

RTSecureCorba-21Copyright © 1997 by Hughes Aircraft Co. Permission to make digital or hard copies of part or all of this work is granted without fee provided the copies are not made or distributed forprofit or commercial advantage and that the copies bear this notice. Hughes Aircraft Co. makes no warranty of any kind with regard to this material and shall not be liable for errors contained herein.

Summary

• CORBA Provides Same Benefits to Commercial and Military Systems– Standard APIs Increase Application Portability

– Heterogeneous Languages, COTS Components, Reuse

– Interoperability Between Distributed Objects

• Military Avionics Systems Require Solutions That Address Combinations of– Security + Real-Time + Embedded + Fault Tolerance + Scalability

• CORBA Needs to Provide– Flexibility in Security Policy and Models

– Well-Defined and Acceptable Levels of Assurance in ORBs

– Security Architecture That Clearly Defines OS/ORB Roles