9:00 – 9:45: Certification and Mutual Recognition above EAL4 in Europe
(Olaf Tetteo, Manager System Evaluations, Brightsight)
Olaf Tetteo gave a presentation on certification at EAL4 and below. He emphasized that the process is all about recognition and involves three elements: a simple recognition statement, the foundations of recognition, and a formal recognition statement. He made the important distinction that EAL4 is recognized worldwide, whereas EAL5-7 is recognized throughout most of Europe (see slide 14 of the Brightsight presentation).
He summarized the focus of the Common Criteria (CC) as being about the properties of the product and how the product is tested, and noted that the security requirements are based on a specific security threat, so that the product is tested both for correct security functionality and for potential vulnerabilities with respect to that threat.
He provided an overview illustrating the focus of the CC process, which is based on specific areas: the development and delivery processes, secure design and implementation, and manuals documenting secure usage.
The Brightsight presentation contained excellent charts illustrating which worldwide Common Criteria Recognition Agreements (CCRA) and which Senior Officer Group Recognition Agreements (SOG-IS) are honored by which countries throughout Europe.
In his presentation Olaf provided a solid picture of the certification paradigm used throughout Europe via the Common Criteria, focusing on what organizations can choose to recognize (or not) and the standards to which the various test labs and certification bodies must adhere.
The presentation for this session can be found here.
9:45 – 10:30: Overview of a High-Assurance Architecture incorporating a Separation Kernel from a European Perspective
(Jose Almeida, SYSGO AG)
Jose Almeida, who manages SYSGO engineering in the South of Europe, gave an informative and candid presentation on EAL7 recognition between some countries in Europe, acknowledging that high assurance is a sensitive area and that each country accepts and provides different levels of quality and assurance.
During his presentation he noted that each country has its own certification authorities and that the evaluation methodology may differ from country to country. This reinforced the message we are hearing time and time again: Common Criteria is complex and difficult, and needs to be simplified.
He noted that the SKPP is not yet fully "accepted" in some countries, partly because there is not enough information on how to use it, what is included, what isn't, and how to implement the SKPP effectively, given that much of the richness is expected to be implemented outside of the separation kernel.
Jose said that this is a great opportunity for standardization and that he is interested to see how the MILS API work can help clarify and pull together the MILS separation kernel.
In the presentation Jose indicated that NATO is pushing EU countries to adopt MILS/SKPP.
Jose also covered two current SYSGO projects that deal with separation kernels. The first is the VerisoftXT project; the second, Securely Partitioning Spacecraft Computing Resources, is a project with EADS Astrium Toulouse and the University of York, funded by ESA for 2008 – 2010. This project focuses on satellite security during all phases (construction, pre-launch, launch, pre-orbit, orbit, and post-orbit) and involves spatial and temporal partitioning, so the team is looking at MILS and a Real-time Operating System (RTOS) for it.
The presentation for this session can be found here.
10:45 – 11:30: Standardization Basis for a High-Assurance Minimum Application Runtime
(Rance DeLong, LynuxWorks)
Rance DeLong provided an overview of the work The Open Group MILS API Working Group is doing to establish a standard MILS API. Some of the major MILS vendors, such as WindRiver, Green Hills, SYSGO, and LynuxWorks, have come together to work on a standard for the MILS separation kernel APIs.
Rance provided some of the background and rationale behind this effort. He also highlighted some of the scope and approach decisions the working group must make, and emphasized the value propositions behind this cooperative effort.
The presentation for this session can be found here.
11:30 – 12:30: Proposed POSIX Elements for Inclusion in a High-Assurance Application Runtime: An interactive discussion on rationale and prioritization of proposed POSIX elements
(Facilitated by Rance DeLong, LynuxWorks)
Rance DeLong facilitated an interactive session on the work The Open Group MILS API Working Group is doing to establish a standard MILS API. Some of the major MILS vendors, such as WindRiver, Green Hills, SYSGO, and LynuxWorks, have come together to work on a standard for the MILS separation kernel APIs. This group, along with many other middleware companies and integrators, is meeting regularly to drive the effort forward.
The working group has published a draft set of Frequently Asked Questions (FAQ), which was distributed to the participants for review and feedback at the meeting. The FAQ will help define the scope and the optimal footprint and functionality to be included in the final set of MILS APIs.
The draft FAQ can be found here.
14:00 – 15:00: Challenges of Multicore – Potential Impact on Safety-Critical and High-Assurance Security Environments
(Alex Wilson, Wind River)
Alex Wilson provided an interesting presentation on the challenges, advantages, and trade-offs between single-core and multi-core high-assurance systems in the field of avionics. He described a wide range of compelling features that multi-core technology offers system designers, highlighting the capability for consolidation of hardware resources, reduced heat loading, and reduced swap investment.
He also discussed the impact that multi-core implementations would have on certification authorities, from both a hardware and a software perspective.
During the interactive part of the presentation the group expressed the need to get the hardware and chip vendors involved, so that we can gain more insight into the interfaces of shared resources.
The presentation for this session can be found here.
15:30 – 16:00: Update on Common Criteria and NIAP, and discussion on a commercial approach to evaluation, certification, and accreditation of High Robustness Commercial Security Products for e.g., SCADA, SMA, Medical Devices, Critical Infrastructure, ITS, etc.
(Rance DeLong/Joe Bergmann)
This session was primarily an update from Joe on the people he has contacted in the DoD, NIST, NSC, EC, DFA, and NATO to gain support for the idea of a commercial approach to evaluation and certification of high-assurance security products.
Separation Kernel from a European Perspective: Next steps in this area are to continue to work with SYSGO through The Open Group MILS API Working Group, and to define a market adoption and implementation prospectus that would clarify what is necessary to implement, and to create the middleware APIs needed to make the technology easy to integrate and use effectively. As part of the market adoption work, NATO support for the SKPP is imperative, and the RT&ES Forum will work to interface with NATO to gain that support.
MILS Minimal Runtime: The MILS API Working Group will establish a periodic (every two weeks) conference call to progress the APIs for a MILS Minimal Runtime architecture. The Working Group is to review and provide feedback on the FAQ, which will be discussed during a Webex scheduled for May 13 at 11:00 Eastern. If you are interested in joining the MILS API Working Group, please contact Sally Long at s.long@opengroup.org.
Commercial Approach to Certification, Validation, and Accreditation: As this concept solidifies, the RT&ES Forum will begin work on defining the value proposition, business objectives, feasibility, and resource and financial requirements for working with industry to undertake such an initiative.