



# ESA CYBERSECURITY BY DESIGN FOR MIXED CRITICALITY EMBEDDED SYSTEMS



## **AGENDA**





Project Overview Security in Space, Study Overview, NG-ULTRA [1, 2, 3]



**Project Synthesis** 



Next / Closing



# ESA STUDY CYBERSECURITY BY DESIGN FOR MIXED CRITICALITY EMBEDDED SYSTEMS



• In a joint cooperation with ESA, Airbus, TAS and SYSGO the result of this study was the proof that the RTOS PikeOS for MPU offers properties and features that allow implementing secure applications with different security sensitivity for the R52 CPU Architecture (see next slide), which is running on the NG-ULTRA.



## **NG-ULTRA & PIKEOS FOR MPU**





**NOTE**: For the study, the NG-Ultra HW was replaced by a simulation environment based on FVP (HW was not available at ESA)

- [1] https://dahlia-h2020.eu/ (Deep sub-micron microprocessor for spAce rad-Hard appLlcation Asic)
- [2] https://eurospace.org/dasia-conference-aspx/ Programme : NG-Ultra: a system-on-chip suiting the upcoming space missions (TAS, May 17th 2022)
- [3] https://www.sysgo.com/pikeos-for-mpu

## **USAGE SCENARIOS & USE CASES**



In cooperation with **ADS** and **TAS** the typical satellite mission usage scenarios e.g.:

- Earth Observation
- Satellite Navigation
- Satellite Telecommunications
- Deep Space

and use cases deemed relevant for security were analyzed and mapped e.g.:

- Protection of the OS layer from applications, and applications from other applications.
- Protection of the communication to and from external systems.
- Access Control

## **PROJECT SYNTHESIS**



- We initiated the Common Criteria (ISO/IEC 15408) like analysis for PikeOS for MPU
- We ported the PikeOS (MMU) security target (ST) test suite to MPU and to the new architecture for ARM Cortex R52.
  - The test suite was successfully executed and delivered with 100% Coverage.
- We mapped the PikeOS for MPU security properties to the System as a whole, validated on several use cases.
  - All the testing performed in this project are security related, and only security related,
    as it was the focus
  - Correspond to about 10% of the existing PikeOS requirements

## **CERTIFICATION SUPPORT PACKAGE**



The package shows which documents and artifacts must be produced, and what evidence must be collected along the lifecycle of the project based on proven standards [ECSS], [ED-203A], [DO-356A] and especially for cyber-security [CC].

## We recommend following:

- Common Criteria, as used in this study, or a similar approach can be the security standard.
- Certifying the RTOS and SBRTOS (System Based on the RTOS) would preferably be done separately.
- Lower-level separation security objectives should be provided and validated by the RTOS.
- SBRTOS certification shall specify, high-level system security objectives including analysis of security risks and security risk treatments.

## DOCKER IMAGE TO RE-EXECUTE VALIDATION



- A full-functional test-environment was provided including the
  - SYSGO Test Framework (TFW)
  - The target as ARM FVP R52 (Simulation)
  - PikeOS for MPU
- Single tests or the complete test run can be reproduced
- An introduction with a live demo to use it was conducted.





## VALIDATION AND VERIFICATION INFRASTRUCTURE



## **SYSGO Test Framework (TFW)**

- XML based test description for analysis, inspection, normal and robustness test cases
- Generation of Camera-ready verification artifacts (PDF)
- Automated test compilation, execution and result analysis (allows nightly runs)
- QA support by means of review sheet preparation and review status maintenance
- Synopsis test case generator
- Allows fine control on the granularity of the tests executed (full, partial, individual tests)
- Supports single-core or multicore configurations
  - SMP for PikeOS
  - AMP for PikeOS for MPU)



## VALIDATION AND VERIFICATION INFRASTRUCTURE



## **SYSGO Test Framework (TFW)**

- Extensible and adaptable interface for project specific setups (e.g. interface to target controller equipment for real HW)
- **Bi-directional interface** to the requirement management tool DOORS to exchange data between test suites and DOORS requirement documents
- Interface to the config management tool GIT to perform automated inspection of files
- Generic interface to structural code coverage tools, implementations for CodeTEST and Rapita Verification Suite (RVS) are available

## **SECURITY VALIDATION AND VERIFICATION RESULTS**



- In order to test and validate the security requirements (00106-8000-ST) a mapping to the existing requirements of the RTOS components has been established in a traceability matrix (TRACE).
- This TRACE document has been combined with the test results (TR) to summarize in one single document the security tracing and achievement during testing.

|                              |          | Valid Test-Result |       |         |
|------------------------------|----------|-------------------|-------|---------|
| <br>Module                   | Baseline | #REQ              | #PASS | %PASS   |
| 00106-8000-ST                | 42.2     | 114               | 114   | 100,00% |
| <br>00106-8022-TRACE         | 42.1     | 501               | 501   | 100,00% |
| 00106-2000-KERN-IF           | 42.4     | 160               | 160   | 100,00% |
| 00106-2060-KDEV-IF           | 42.2     | 66                | 66    | 100,00% |
| 00106-3000-P\$\$W-IF         | 42.3     | 150               | 150   | 100,00% |
| 00106-2500-PGEN-IF           | 42.3     | 20                | 20    | 100,00% |
| 00106-5000-CONF-IF           | 42.2     | 23                | 23    | 100,00% |
| 00106-0236-CCONV-TAR         | 40.12    | 131               | 131   | 100,00% |
| 00106-0237-CCONV-TAR-VMIT    | 42.1     | 121               | 121   | 100,00% |
| <br>00106-0238-CCONV-TAR-ROM | 42.1     | 68                | 68    | 100,00% |
|                              |          |                   |       |         |
| Summary                      |          | 1354              | 1354  | 100,00% |

## **SAMPLES**



#### Requirements Document: 00106-3000-PSSW-IF.pdf



#### Test Case from 00106-3003-PSSW-TC.pdf

3.33.2 tc\_03 Normal operation test of vm\_qport\_control().

#### GP OK: method: TEST

Check that vm\_qport\_control() returns P4\_E\_OK when called with valid port descriptor and when the invoked kdev Gate Provider's control entry point returns P4\_E\_OK.

#### GP CTRL: method: TEST

Check that vm\_qport\_control() has been entered by a test specific ioctl command. Test if the ioctl command's data is filled by the provider with an identifier.

#### Test LOG

1 run target 2 ##START## 3 date | 107.02.2023 10:49:15 UTC 4 identify | test set name: 5 identify | tp.CommunicationPorts.portControl 6 identify | test cases: 7 identify | TC 'tc 03' num subtc=1 manual=0 8 identify | TC 'tc\_04' num\_subtc=1 manual=0 9 identify | build by: 10 identify | pikeos@vvbuild7 11 identify | build id: 12 identify | 413e3296-36c6-3800-94c4-c212843647ff 13 identify | target controller host name: 14 identify | vvbuild7 15 identify | target controller machine id: 16 identify | c114657f-9632-8fe1-54c5-201ecde26ab6 17 identify | target inventory number: 18 identify | none 19 identify | Ichannels: 20 identify | protocol tcp link to 127.0.0.1:5000 21 tc.start | tp.CommunicationPorts.portControl-tc 03 22 equ.start |tp.CommunicationPorts.portControl-tc\_03|1 23 obj.subres|tp.CommunicationPorts.portControl-tc\_03|1|GP\_OK|S\_PASS 24 obj.subres|tp.CommunicationPorts.portControl-tc\_03|1|GP\_CTRL|S\_PASS 25 equ.end |tp.CommunicationPorts.portControl-tc 03|1 26 obj.result|tp.CommunicationPorts.portControl-tc\_03|GP\_CTRL|O\_PASS 27 obj.result|tp.CommunicationPorts.portControl-tc\_03|GP\_OK|O\_PASS 28 tc.end |tp.CommunicationPorts.portControl-tc\_03 29 tc.start |tp.CommunicationPorts.portControl-tc\_04 30 equ.start | tp.CommunicationPorts.portControl-tc 04 | 1 31 obj.subres tp.CommunicationPorts.portControl-tc\_04 1 GP\_OK S\_PASS 32 obj.subres | tp.CommunicationPorts.portControl-tc 04 | 1 | GP CTRL | S PASS 33 equ.end | tp.CommunicationPorts.portControl-tc 04|1 34 obj.result|tp.CommunicationPorts.portControl-tc\_04|GP\_CTRL|O\_PASS 35 obj.result|tp.CommunicationPorts.portControl-tc\_04|GP\_OK|O\_PASS 36 tc.end |tp.CommunicationPorts.portControl-tc\_04 37 summary | 4 O\_PASS, 0 O\_UNSUPPORTED, 0 O\_UNTESTED 38 summary | 0 O\_FAIL, 0 O\_ERROR, 0 without result 39 date | 07.02.2023 10:49:16 UTC 40 ##END## 41 TEST RUN RETURN VALUE: 0

[00106/ts\_pssw\_mpu] / wbuild\_results / tp.CommunicationPorts.portControl.res

## **CERTIFICATION WITH TFW**



- Automatic Traceability (Requirements, Implementation, Test)
  - Complete Automation (DOORS, GIT, VVBUILD, TFW)
  - Easy check of compliance and completeness
  - Early cross-checking and error correction
- Cross-Standards Certification Model
  - for
    - DO-178 (Avionic),
    - ECSS 40/80 (Space)
    - EN50128, EN50657 (Railway),
    - IEC61508 (Automation),
    - ISO26262 (Automotive)
  - Generic "Tailoring" Concept used, only one set of "corporate" plans and standards
  - All development life cycle documents are the same for every standard
  - Only plans and certification artefacts (e.g. Safety Case v. SW Accomplishment Summary) are generated according to the need of the specific industry.
- "Proven-in-use" handling of Certification-Readiness
  - For lower and highest safety levels (up to DO-178C DAL-A, ECSS Category A)
  - "Security certification" is handled with the same process model now extended with the dimension "Security".
  - Well-known "notified bodies" for product and project certifications
  - Well-known "authorities" and expertise to handle "certifications"



## **CERTIFICATION STATISTICS (PIKEOS RTOS)**



## Detailed Specification of Functionality, Architecture and Design

- # of High Level Requirements: 1122
- # of Low Level Requirements: 9225
- Ø 2.4 Source Code Lines (only cert parts) / Requirement
- # of document, source code and test case reviews executed: 728

### Detailed Tests to cover Functionality and Structural coverage

- All tests are executed on all reference hardware (e.g. different architectures like ARM8, PPC, X86)
- Approach to test on specific customer hardware (PikeOS PSP Validation)
- # of test procedures: 2689
- # test objectives: 18413
- # of Test Source Code Lines: 1.6 M
- # of decision point to be covered by testing: 4350
- # of MCDC points to be covered by testing: 4313
- Ø 154 Test Source Lines / Requirement

### High Automation during Testing

- Usage of SYSGO test framework to
  - highly automate tests (100%) with nightly test runs and automatic target control
- handling of target HW testing
- Module, Inspection and Functional testing fully automated
- All documents (test cases, test reports, structural coverage) will be generated as PDFs (Camera-ready verification artifacts)
- All test tools are qualified up to the highest safety and security levels

## CONCLUSION



- Security for space has become important in most recent times
- A RTOS with a prequalified set of documentation for security is the basis to provide all security "features" to be used for security for the SBRTOS.
- Security certification on system level need further investigation depending on the requirements for the SBRTOS.
- This V&V approach and packaging allows for the full V&V testing to be done on site on actual deployed HW, or early in the development process in a simulated environment before the HW is available









# THANK YOU FOR YOUR ATTENTION

## **SYSGO GmbH**

Am Pfaffenstein 8 55270 Klein-Winternheim Germany

Phone: +49 6136 99480 E-Mail: info@sysgo.com

Sales Contact sales@sysgo.com

#### Subscribe, Like and Follow:

www.sysgo.com/newsletter

www.sysgo.com/twitter

www.sysgo.com/linkedin

www.sysgo.com/youtube

www.sysgo.com

## PERFORMANCE EVALUATION

 vvbuild generates performance indicators based on tested requirement, result and review status

 OPR classification to analyze the impact of safety and security-relevant deviations

• KPI: Evaluation of Progress, Efficiency & Velocity

