HIGH ASSURANCE: PROVABLY SECURE SYSTEMS AND ARCHITECTURES

RANCE J. DELONG

Santa Clara University, Santa Clara, California and LynuxWorks, San Jose, California

1 INTRODUCTION

The need for high assurance provably secure systems and architectures is ever increasing due to the severity of the consequences of failure in critical cyber-physical systems and to the motivation of our adversaries to exploit those systems.

2 SCIENTIFIC OVERVIEW

2.1 Concepts of High Assurance Secure Systems

A system is an assembly of hardware and software that exhibits specific functional and nonfunctional properties. A secure system is one that, in addition to fulfilling its primary functional purpose, behaves in accordance with a security policy. The primary function delimits useful behaviors that give the system its reason for existence. Secure behaviors may be achieved by mechanisms that implement security functionality, such as authentication and access control, or by architectural structures that, without adding functionality, constrain the behaviors of a system to those that satisfy the desired security policy. To be considered secure, a system must be robust enough to resist attempts to violate the policy. Robustness may be achieved by requiring specific attributes of the design, implementation, or configuration, in concert with functionality that governs the behavior of the system at runtime to avoid actions that violate the security policy.

Unlike functionality, which often may be added or removed ...
