Certification Mac Mollison. Who mandates certification? l FAA (Federal Aviation Administration)...


Certification

Mac Mollison


Who mandates certification?

FAA (Federal Aviation Administration)
» Standards DO178B, DO297

DoD (Department of Defense)
» Mandates a security validation program incorporating many standards

NSA (National Security Agency)
» Certifies crypto software and devices


DO 178-B

Sets lots of “software engineering” rules
» E.g., documenting the design/development process
» We won’t discuss this further here

Gives criticality levels for software
» The only part that has interesting implications for us, to my knowledge
» See next slide


DO 178-B Criticality Levels

A: Catastrophic
B: Hazardous
C: Major
D: Minor
E: No Effect


Implications of DO 178-B

1. Increasing WCET (worst-case execution time) pessimism with increasing criticality level

» Our group has written papers on how to deal with this “intelligently”

2. Need to use Level-A RTOS that forces independence between software of different levels

» Defined by ARINC 653 API standard


ARINC 653

Defines API for time-space partitioning
» See next slide

Multiple RTOSs are ARINC 653 compliant
» Wind River VxWorks 653
» Etc.


Time-Space Partitioning

Partitions are basically “containers” that are statically scheduled.


DO 297

Standard for integrated modular avionics (IMA)

Satisfied by using an ARINC 653 OS

Isn’t talked about much and we won’t discuss it further now


Security

Must use “secure” RTOS, hardware, etc. when working with classified information
» Classified = confidential, secret, top secret/SAR

Typically, when multiple security levels co-exist in one system, time-space partitioning is used
» E.g. VxWorks MILS: Like VxWorks 653, but fewer LOC

More details in security segment of course
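The “statically scheduled containers” of the Time-Space Partitioning slide and the MILS point above rest on the same mechanism: a fixed table, decided at integration time, that says which partition owns the CPU in each window of the major frame and which memory region each partition may touch. The toy model below is an added example written for these notes; it is not code from the slides, from ARINC 653, or from any VxWorks product, and the partition names, criticality labels, window lengths and memory ranges are all constructed. It shows why a misbehaving low-criticality partition cannot steal time from a Level A partition, why an overlapping schedule table must be rejected before the system ever runs, and how the “space” half of the partitioning keeps one partition out of another’s memory. A real separation kernel enforces the same rules with a hardware timer and the MMU rather than with a loop.

```c
/* Toy model of ARINC 653-style time-space partitioning (added example).
 * Everything in the table below is constructed for illustration; a real
 * kernel enforces these rules in hardware (timer interrupt + MMU). */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define MAJOR_FRAME_MS 100
#define NUM_PARTITIONS 3

typedef struct {
    const char *name;    /* constructed label */
    uint32_t start_ms;   /* window start, offset within the major frame */
    uint32_t len_ms;     /* window length = CPU budget per frame */
    uint32_t mem_base;   /* start of the partition's private memory region */
    uint32_t mem_size;   /* size of that region */
} partition_t;

/* Static configuration: fixed at integration time, never changed at run time. */
static const partition_t table[NUM_PARTITIONS] = {
    { "flight_control (Level A)",  0, 40, 0x10000000, 0x00100000 },
    { "display (Level C)",        40, 30, 0x20000000, 0x00400000 },
    { "maintenance (Level E)",    70, 30, 0x30000000, 0x00100000 },
};

/* Windows must tile the major frame with no gaps and no overlaps.
 * Returns 0 if the table is valid, -1 otherwise. */
int validate_schedule(const partition_t *tbl, size_t n, uint32_t frame_ms)
{
    uint32_t cursor = 0;
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].start_ms != cursor) return -1;
        cursor += tbl[i].len_ms;
    }
    return cursor == frame_ms ? 0 : -1;
}

/* Time partitioning: which partition owns the CPU at absolute time t_ms? */
int active_partition(uint32_t t_ms)
{
    uint32_t off = t_ms % MAJOR_FRAME_MS;
    for (int i = 0; i < NUM_PARTITIONS; i++)
        if (off >= table[i].start_ms && off < table[i].start_ms + table[i].len_ms)
            return i;
    return -1; /* unreachable for a validated table */
}

/* Space partitioning: partition p may touch addr only inside its own region. */
int space_access_allowed(int p, uint32_t addr)
{
    if (p < 0 || p >= NUM_PARTITIONS) return 0;
    return addr >= table[p].mem_base && addr - table[p].mem_base < table[p].mem_size;
}

/* Simulate one major frame in 1 ms ticks. demand[i] is the CPU time partition i
 * wants; got[i] receives what it was actually given. A partition wanting more
 * than its window is cut off at the boundary, so it cannot delay the others. */
void run_major_frame(const uint32_t demand[NUM_PARTITIONS], uint32_t got[NUM_PARTITIONS])
{
    for (int i = 0; i < NUM_PARTITIONS; i++) got[i] = 0;
    for (uint32_t t = 0; t < MAJOR_FRAME_MS; t++) {
        int p = active_partition(t);
        if (p >= 0 && got[p] < demand[p]) got[p]++;  /* otherwise the slot idles */
    }
}

/* Constructed scenario: the Level E partition wants the whole frame.
 * Returns 1 if every partition still received exactly its budget. */
int overrun_is_contained(void)
{
    uint32_t demand[NUM_PARTITIONS] = { 40, 30, 100 };
    uint32_t got[NUM_PARTITIONS];
    run_major_frame(demand, got);
    return got[0] == 40 && got[1] == 30 && got[2] == 30;
}

/* Constructed bad table: the second window overlaps the first. Must be rejected. */
int rejects_overlapping_table(void)
{
    const partition_t bad[2] = { { "p0", 0, 60, 0, 0 }, { "p1", 40, 60, 0, 0 } };
    return validate_schedule(bad, 2, MAJOR_FRAME_MS) == -1;
}

int main(void)
{
    if (validate_schedule(table, NUM_PARTITIONS, MAJOR_FRAME_MS) != 0) {
        puts("bad schedule table");
        return 1;
    }
    uint32_t demand[NUM_PARTITIONS] = { 40, 30, 100 };
    uint32_t got[NUM_PARTITIONS];
    run_major_frame(demand, got);
    for (int i = 0; i < NUM_PARTITIONS; i++)
        printf("%-26s wanted %3u ms, got %3u ms\n", table[i].name, demand[i], got[i]);
    printf("maintenance -> flight_control memory: %s\n",
           space_access_allowed(2, 0x10000010) ? "ALLOWED" : "denied");
    return 0;
}
```

The point of the two validation helpers is that both properties are checkable offline: the schedule table can be verified once, before certification evidence is assembled, and the per-partition memory bounds are data, not code paths, which is what keeps the trusted kernel small enough to be argued about at Level A or in a MILS evaluation.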