Ekaterina Rudina


Ekaterina Rudina, Senior System Analyst at Kaspersky Lab.
Analyst in the Critical Infrastructure Protection department of Kaspersky Lab and Kaspersky Lab ICS CERT, working on threat research and risk assessment for computer and network security, and on implementing systemic approaches to securing information and cyber-physical systems. Co-author of security recommendations from IEEE, ITU, the Industrial Internet Consortium and a number of national standards.

The State Monitoring Engine for the Adaptive MILS Platform

The MILS architecture makes it possible to implement operating systems that take into account requirements for their functional safety and information security, which is especially important for establishing trust in cyber-physical systems that are part of critical information infrastructure. At the same time, practical application scenarios require a variety of security policies and the ability to respond promptly to the influence of the surrounding information and physical environment without losing guarantees regarding all aspects of the safety and security of these systems. Sometimes such a response involves reconfiguring the system to ensure its resilience to external factors. Dynamic MILS is conceived as a foundation for implementing multi-component systems that can provide prompt reconfiguration of the set of components and of the policies governing their interaction (including security policies) without losing the guarantees provided at the system security verification stage. The adaptive MILS platform uses dynamic MILS to ensure the resilience of systems through prompt reaction to events in the external environment. The monitoring system of the adaptive MILS platform provides a mechanism for processing external environment events that is able to track the enforcement of specified policies in a distributed heterogeneous environment and to provide proper feedback to the platform's adaptation and reconfiguration mechanism. The state monitoring mechanism within the adaptive MILS platform is built on the Kaspersky Security System. Research and prototyping of the adaptive MILS platform is carried out within the CITADEL project, partly funded by the European Union's Horizon 2020 programme, grant 700665.


Nowadays, trust in a system is not limited to the security of that system. To be trustworthy, a system must demonstrate reliability, safety, security and resilience to attacks. The priorities of these aspects differ for every given system. Moreover, these properties sometimes constrain each other, posing the problem of reprioritizing them in critical situations. For these reasons, a trustworthy system should also be adaptable to changing circumstances.

The Multiple Independent Levels of Security and Safety (MILS) architectural approach has emerged as a new strategy for the cost-effective construction of systems requiring dependability with high assurance. MILS is popularly characterized as the use of a separation kernel to run applications belonging to diverse security domains (or safety criticalities) on the same processor.

MILS is a component-based approach to developing and certifying critical systems. Current MILS implementations provide only for fixed runtime architectures, as they are based on statically configured MILS platforms. The MILS Platform is a standardized, component-based high-assurance platform providing predictable behavior, security, safety and performance. Its inherent properties are improved dependability and maintainable assurance. A Distributed MILS Platform (such as D-MILS) supports distributed systems environments and provides the appropriate tools for the design, analysis, verification, compositional implementation and certification of scalable architectures.

The limitations of classic MILS, such as supporting only static, thoroughly scrutinized configurations, led to the development of dynamic MILS. The concept of dynamic MILS includes reconfiguration mechanisms and a reconfiguration policy. The idea of the adaptive MILS platform is the dynamic reconfiguration of a system at runtime without compromising its robustness and integrity. The adaptive MILS platform employs the concept of dynamic MILS to facilitate the resilience of the system built on this platform. The CITADEL project builds on the MILS technology accomplishments of D-MILS and Euro-MILS and performs the research and development necessary to create adaptive MILS systems. It is proposed to use adaptive MILS in new and evolving adaptive systems contexts having strategic focus within the EU, such as Critical Infrastructures and the Internet of Things, where adaptability is a crucial ingredient for the safety and security of future systems, and where the rigorous construction and verification made possible by MILS holds particular promise.

The project brings together 14 participants from around Europe (The Open Group from the UK, SYSGO AG from Germany, TTTech from Austria, UniControls from the Czech Republic, several academic institutes from the Netherlands, Germany, France, and others). Different participants act as Critical Infrastructure (CI) Technology Researchers, Industrial CI Technology Providers, CI Technology Integrators and Innovators, Industrial CI Solution Providers, Standards Bodies and Protection Authorities. In its final phase, the project expects to demonstrate the capabilities of the adaptive MILS technology in several industrial contexts and application scenarios and to lay the technical foundations for a certification framework for the use of adaptive MILS components and systems in critical infrastructure applications.

The key elements of the distributed adaptive MILS platform are the mechanisms for adaptive (re)configuration and runtime monitoring.

The configuration means include both offline configuration tools, to develop and check the initial configuration, and online configuration mechanisms, to carry out reconfiguration to a new target configuration. Among the capabilities required by adaptive MILS, the following are key:

  • configuration change agent to invoke the primitives for configuration changes;
  • reconfiguration reference monitor to decide permissible configuration changes according to a configuration change policy;
  • runtime adaptation framework to provide a plug-in architecture for a hierarchy of adaptation strategies;
  • configuration synthesis module to synthesize configuration transition sequences taking the system from one valid configuration to another according to the configuration change policy.

Monitoring serves many purposes within a platform. In CITADEL’s adaptive MILS system, in addition to the use of the monitoring capabilities within the design of an application, and monitoring for intrusions and other anomalies, there are a few specific critical functions served by monitoring within the MILS adaptation architecture:

  • perform runtime observation to assure that properties previously proven in the current assurance case continue to hold;
  • detect conditions that cause the current configuration to no longer satisfy the current conformance property;
  • detect violation of assumptions in the current assurance case or other conditions that should trigger adaptation;
  • build context awareness.

The state monitoring engine, a part of the monitoring framework, is planned to be based on Kaspersky Security System (a part of the KasperskyOS operating system), with monitoring policies implemented specifically for the use cases intended to demonstrate the capabilities of the Adaptive MILS platform. Among other deliverables, we will also provide the framework for the development of bespoke monitoring applications.

As the party responsible for the development of this state monitoring engine, in our talk we will consider the goals, architecture, and implementation of this engine and the monitoring framework as a whole. We will also briefly touch upon some of the current accomplishments and the accompanying challenges for this project.

CITADEL is an Innovation Action partly funded by the Horizon 2020 Programme of the European Union under grant agreement no. 700665.

