Formal Framework for Safety, Security, and Availability of Aircraft Communication Networks
Abstract
As the costs of fuel and maintenance increase and regulations on weight and environmental impact tighten, there is an increasing push to transition onboard aircraft networks to wireless, reducing weight, fuel, maintenance time, and pollution. A candidate short-range wireless network for aircraft onboard communications is outlined using the common ZigBee protocol and privacy-preserving search implemented as a secure publish/subscribe system using specially coded metadata. Formally specifying safety and security properties and modeling the network in New e(X)tensible Model Verifier enable verification and fault analysis via model checking and lay the groundwork for future certification avenues. Experiments formally analyzing the candidate wireless network are reported, showing overhead and availability for encrypted and fault-tolerant communications. A formal model is proposed, which allows system designers to estimate communication failure rates and directly trade off fault tolerance for bandwidth, while preserving communication security.
References
[1] , “War on Wiring,” Aerospace America, 2017, pp. 24–27, https://aerospaceamerica.aiaa.org/features/war-on-wiring/.
[2] , “A Case Study in Safety, Security, and Availability of Wireless-Enabled Aircraft Communication Networks,” 17th AIAA Aviation Technology, Integration, and Operations Conference, AIAA Paper 2017-3112, June 2017. https://doi.org/10.2514/6.2017-3112
[3] , “Fault-Tolerance Mechanisms for ZigBee Wireless Sensor Networks,” Work-in-Progress (WiP) Session of the 19th Euromicro Conference on Real-Time Systems (ECRTS 2007), IEEE, New York, July 2007, pp. 37–40.
[4] , “A Novel Fault Detection and Recovery Mechanism for Zigbee Sensor Networks,” Second International Conference on Future Generation Communication and Networking (FGCN), Vol. 1, IEEE, New York, 2008, pp. 270–274. https://doi.org/10.1109/FGCN.2008.105
[5] , “Wireless Avionics and Human Interfaces for Inflatable Spacecraft,” Aerospace Conference, IEEE, New York, 2008, pp. 1–16. https://doi.org/10.1109/AERO.2008.4526527
[6] , “Fault Tolerance in ZigBee Wireless Sensor Networks,” Aerospace Conference, IEEE, New York, 2011, pp. 1–15. https://doi.org/10.1109/AERO.2011.5747474
[7] , “Practical Performability Assessment for ZigBee-Based Sensors in the IoT Era,” Performability in Internet of Things, EAI/Springer Innovations in Communication and Computing, Springer, Cham, Switzerland, 2019, pp. 21–31. https://doi.org/10.1007/978-3-319-93557-7_2
[8] , “Practical Techniques for Searches on Encrypted Data,” IEEE Symposium on Security and Privacy (S&P), IEEE Computer Soc., Washington, D.C., 2000, pp. 44–55. https://doi.org/10.1109/secpri.2000.848445
[9] , “Secure Indexes,” Report 2003/216, 2003, http://eprint.iacr.org/.
[10] , “Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions,” Journal of Computer Security, Vol. 19, No. 5, 2011, pp. 895–934. https://doi.org/10.3233/JCS-2011-0426
[11] , “Conjunctive, Subset, and Range Queries on Encrypted Data,” Theory of Cryptography, Springer, Berlin, 2007, pp. 535–554. https://doi.org/10.1007/978-3-540-70936-7_29
[12] , “Achieving Usable and Privacy-Assured Similarity Search over Outsourced Cloud Data,” Proceedings of the IEEE International Conference on Computer Communications (INFOCOM), IEEE, New York, March 2012, pp. 451–459. https://doi.org/10.1109/infcom.2012.6195784
[13] , “Towards Efficient Yet Privacy-Preserving Approximate Search in Cloud Computing,” Computer Journal, Vol. 57, No. 2, 2014, pp. 241–254. https://doi.org/10.1093/comjnl/bxt045
[14] , “Cryptographic Cloud Storage,” Financial Cryptography and Data Security, Springer, Berlin, 2010, pp. 136–149. https://doi.org/10.1007/978-3-642-14992-4_13
[15] , “Searchable Encryption with Decryption in the Standard Model,” IACR Cryptology ePrint Archive, Vol. 2008, 2008, p. 423, https://eprint.iacr.org/2008/423.
[16] , “Public Key Encryption with Keyword Search,” International Conference on the Theory and Applications of Cryptographic Techniques, Springer, Berlin, 2004, pp. 506–522. https://doi.org/10.1007/978-3-540-24676-3_30
[17] , “Formal Specification and Verification of a Coordination Protocol for an Automated Air Traffic Control System,” Proceedings of the 12th International Workshop on Automated Verification of Critical Systems (AVoCS 2012), Electronic Communications of the EASST, Vol. 53, European Assoc. of Software Science and Technology, Berlin, Germany, 2012.
[18] , “Formal Specification and Verification of a Coordination Protocol for an Automated Air Traffic Control System,” Science of Computer Programming, Vol. 96, No. 3, 2014, pp. 337–353. https://doi.org/10.1016/j.scico.2014.04.002
[19] , “Probabilistic Model Checking for Comparative Analysis of Automated Air Traffic Control Systems,” Proceedings of the 33rd IEEE/ACM International Conference on Computer-Aided Design (ICCAD 2014), IEEE/ACM, San Jose, CA, 2014, pp. 690–695. https://doi.org/10.1109/iccad.2014.7001427
[20] , “Comparing Different Functional Allocations in Automated Air Traffic Control Design,” Proceedings of Formal Methods in Computer-Aided Design (FMCAD 2015), IEEE/ACM, Austin, TX, 2015. https://doi.org/10.1109/fmcad.2015.7542260
[21] , “Model Checking at Scale: Automated Air Traffic Control Design Space Exploration,” Proceedings of the 28th International Conference on Computer Aided Verification (CAV 2016), LNCS, Vol. 9780, Springer, Toronto, 2016, pp. 3–22. https://doi.org/10.1007/978-3-319-41540-6_1
[22] , “Establishing Flight Software Reliability: Testing, Model Checking, Constraint-Solving, Monitoring and Learning,” Annals of Mathematics and Artificial Intelligence, Vol. 70, No. 4, 2014, pp. 315–349. https://doi.org/10.1007/s10472-014-9408-8
[23] , “Trust Your Model-Verifying Aerospace System Models with Java Pathfinder,” 2008 IEEE Aerospace Conference, IEEE, New York, 2008, pp. 1–11. https://doi.org/10.1109/aero.2008.4526573
[24] , “Eliminating Synchronization Faults in Air Traffic Control Software via Design for Verification with Concurrency Controllers,” Automated Software Engineering, Vol. 14, No. 2, 2007, pp. 129–178. https://doi.org/10.1007/s10515-007-0008-2
[25] , “Formal Analysis of the Operational Concept for the Small Aircraft Transportation System,” Rigorous Development of Complex Fault-Tolerant Systems, Springer, Berlin, 2006, pp. 306–325. https://doi.org/10.1007/11916246_16
[26] , “The COMPASS Approach: Correctness, Modelling and Performability of Aerospace Systems,” Computer Safety, Reliability, and Security, Springer, Berlin, 2009, pp. 173–186. https://doi.org/10.1007/978-3-642-04468-7_15
[27] , “Model Checking Large Software Specifications,” IEEE Transactions on Software Engineering, Vol. 24, No. 7, 1998, pp. 498–520. https://doi.org/10.1109/32.708566
[28] , “Feasibility of Model Checking Software Requirements: A Case Study,” Proceedings of the 11th Annual Conference on Computer Assurance (COMPASS), IEEE, New York, 1996, pp. 77–88. https://doi.org/10.1109/cmpass.1996.507877
[29] , “Analyzing the Next Generation Airborne Collision Avoidance System,” Tools and Algorithms for the Construction and Analysis of Systems, Springer, Berlin, 2014, pp. 620–635. https://doi.org/10.1007/978-3-642-54862-8_54
[30] , “COMPASS 3.0,” Tools and Algorithms for the Construction and Analysis of Systems (TACAS), edited by Vojnar T. and Zhang L., Springer, Cham, Switzerland, 2019, pp. 379–385. https://doi.org/10.1007/978-3-030-17462-0_25
[31] , “Formal Design and Safety Analysis of AIR6110 Wheel Brake System,” Proceedings of the 27th International Conference on Computer Aided Verification (CAV), Springer, Berlin, 2015, pp. 518–535. https://doi.org/10.1007/978-3-319-21690-4_36
[32] “DO-178B: Software Considerations in Airborne Systems and Equipment Certification,” Radio Technical Commission for Aeronautics, Dec. 1992, https://www.rtca.org/content/standards-guidance-materials [retrieved 20 May 2020].
[33] “DO-178C/ED-12C: Software Considerations in Airborne Systems and Equipment Certification,” Radio Technical Commission for Aeronautics, 2012, https://www.rtca.org/content/standards-guidance-materials [retrieved 20 May 2020].
[34] “DO-333: Formal Methods Supplement to DO-178C and DO-278A,” Radio Technical Commission for Aeronautics, 2011, https://www.rtca.org/content/standards-guidance-materials [retrieved 20 May 2020].
[35] “DO-254: Design Assurance Guidance for Airborne Electronic Hardware,” Radio Technical Commission for Aeronautics, April 2000, https://www.rtca.org/content/standards-guidance-materials [retrieved 20 May 2020].
[36] , “Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications,” ACM Transactions on Programming Languages and Systems, Vol. 8, No. 2, 1986, pp. 244–263. https://doi.org/10.1145/5397.5399
[37] , “Specification and Verification of Concurrent Systems in CESAR,” International Symposium on Programming, Vol. 137, Lecture Notes in Computer Science, Springer, Berlin, 1982, pp. 337–351. https://doi.org/10.1007/3-540-11494-7_22
[38] , “More Scalable LTL Model Checking via Discovering Design-Space Dependencies,” Tools and Algorithms for the Construction and Analysis of Systems (TACAS), edited by Beyer D. and Huisman M., Springer, Cham, Switzerland, 2018, pp. 309–327. https://doi.org/10.1007/978-3-319-89960-2_17
[39] , “The nuXmv Symbolic Model Checker,” International Conference on Computer Aided Verification, Springer, Berlin, 2014, pp. 334–342. https://doi.org/10.1007/978-3-319-08867-9_22
[40] , “NuSMV: A New Symbolic Model Checker,” International Journal on Software Tools for Technology Transfer, Vol. 2, No. 4, 2000, pp. 410–425. https://doi.org/10.1007/s100090050046
[41] , “NuSMV 2.4 User Manual,” CMU/ITC-irst, Tech. Rept., Trento, Italy, 2005.
[42] , “nuXmv 2.0 User Manual,” Fondazione Bruno Kessler, Tech. Rept., Trento, Italy, 2019.
[43] , “Towards Model Checking Interpreted Systems,” Proceedings of the Second International Joint Conference on Autonomous Agents and Multiagent Systems (AAMAS), ACM Press, New York, 2002, pp. 115–125. https://doi.org/10.1145/860575.860792
[44] , “Model-Checking Based on Fluid Petri Nets for the Temperature Control System of the ICARO Co-Generative Plant,” Computer Safety, Reliability and Security, edited by Anderson S., Felici M. and Bologna S., Springer, Berlin, 2002, pp. 273–283. https://doi.org/10.1007/3-540-45732-1_27
[45] , “Software Safety Analysis of a Flight Management System Vertical Navigation Function—A Status Report,” 22nd Digital Avionics Systems Conference Proceedings (DASC), IEEE, New York, 2003, pp. 1.B.1–1.1–9. https://doi.org/10.1109/dasc.2003.1245805
[46] , “Model Checking Software Requirement Specifications Using Domain Reduction Abstraction,” 18th IEEE International Conference on Automated Software Engineering, IEEE Computer Soc., Washington, D.C., 2003, pp. 314–317. https://doi.org/10.1109/ase.2003.1240328
[47] , “Proving the Shalls,” International Journal on Software Tools for Technology Transfer, Vol. 8, Nos. 4–5, 2006, pp. 303–319. https://doi.org/10.1007/s10009-004-0173-6
[48] , “Will This Be Formal?” Theorem Proving in Higher Order Logics, edited by Mohamed O. A., Muñoz C. and Tahar S., Springer, Berlin, 2008, pp. 6–11. https://doi.org/10.1007/978-3-540-71067-7_2
[49] , “Formal Modeling and Verification of Safety-Critical Software,” IEEE Software, Vol. 26, No. 3, 2009, pp. 42–49. https://doi.org/10.1109/MS.2009.67
[50] , “A Symbolic Model Checking Approach to Verifying Satellite Onboard Software,” Science of Computer Programming, Vol. 82, March 2014, pp. 44–55. https://doi.org/10.1016/j.scico.2013.03.005
[51] , “Model Checking of Safety-Critical Software in the Nuclear Engineering Domain,” Reliability Engineering & System Safety, Vol. 105, Sept. 2012, pp. 104–113. https://doi.org/10.1016/j.ress.2012.03.021
[52] , “FuseIC3: An Algorithm for Checking Large Design Spaces,” Formal Methods in Computer Aided Design (FMCAD), IEEE, New York, 2017, pp. 164–171. https://doi.org/10.23919/FMCAD.2017.8102255
[53] , “The SMV Language,” Cadence Berkeley Labs., Tech. Rept., Berkeley, CA, 1999.
[54] , “SAL 2,” Computer Aided Verification, edited by Alur R. and Peled D. A., Springer, Berlin, 2004, pp. 496–500. https://doi.org/10.1007/978-3-540-27813-9_45
[55] , “ABC: An Academic Industrial-Strength Verification Tool,” Computer Aided Verification, edited by Touili T., Cook B. and Jackson P., Springer, Berlin, 2010, pp. 24–40. https://doi.org/10.1007/978-3-642-14295-6_5
[56] , “SatCarrier CONOPS: A Concept of Operations for Satellite Carriers,” AIAA, Tech. Rept., Reston, VA, 2009.
[57] , “Algorithm and Operational Concept for Resolving Short-Range Conflicts,” Proceedings of the Institution of Mechanical Engineers, Part G: Journal of Aerospace Engineering, Vol. 224, No. 2, 2010, pp. 225–243. 10.1243/09544100 JAERO546
[58] , “Designing an Interactive Local and Global Decision Support System for Aircraft Carrier Deck Scheduling,” Infotech@Aerospace, AIAA Paper 2011-1516, June 2011.
[59] , “Exploration Medical Capability ConOps and Systems Engineering Technical Interchange Meeting Summary,” NASA Johnson Space Center, JSC-CN-39099, Houston, TX, 2017, https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20170002573.pdf [retrieved 20 May 2020].
[60] , Handbook of Model Checking, Springer International Publishing, 2018. https://doi.org/10.1007/978-3-319-10575-8
[61] , “Linear Temporal Logic Symbolic Model Checking,” Computer Science Review, Vol. 5, No. 2, 2011, pp. 163–203. https://doi.org/10.1016/j.cosrev.2010.06.002
[62] , “A Property-Based Proof System for Contract-Based Design,” 2012 38th Euromicro Conference on Software Engineering and Advanced Applications, IEEE, New York, 2012, pp. 21–28. https://doi.org/10.1109/seaa.2012.68
[63] , “OCRA: A Tool for Checking the Refinement of Temporal Contracts,” Automated Software Engineering (ASE), IEEE, New York, 2013, pp. 702–705. https://doi.org/10.1109/ase.2013.6693137
[64] , “Contracts-Refinement Proof System for Component-Based Embedded Systems,” Science of Computer Programming, Vol. 97, Jan. 2015, pp. 333–348. https://doi.org/10.1016/j.scico.2014.06.011
[65] , “Model-Based Verification of Safety Contracts,” International Conference on Software Engineering and Formal Methods, edited by Canal C. and Idani A., Springer, Cham, Switzerland, 2015, pp. 101–115. https://doi.org/10.1007/978-3-319-15201-1_7
[66] , “A Temporal Logics Approach to Contract-Based Design,” Architecture-Centric Virtual Integration (ACVI), IEEE, New York, 2016, pp. 1–3. https://doi.org/10.1109/acvi.2016.7
[67] , “Contract-Based Verification of Hierarchical Systems of Components,” Software Engineering and Formal Methods (SEFM), IEEE, New York, 2008, pp. 377–381. https://doi.org/10.1109/sefm.2008.28
[68] , “Contract-Based Reasoning for Component Systems with Rich Interactions,” Embedded Systems Development, Springer, New York, 2013, pp. 139–154. https://doi.org/10.1007/978-1-4614-3879-3_8
[69] , “A Platform-Based Design Methodology with Contracts and Related Tools for the Design of Cyber-Physical Systems,” Proceedings of the IEEE, Vol. 103, No. 11, 2015, pp. 2104–2132. https://doi.org/10.1109/JPROC.2015.2453253
[70] , “Formal Safety Assessment via Contract-Based Design,” Automated Technology for Verification and Analysis, Springer International Publishing, Cham, 2014, pp. 81–97. https://doi.org/10.1007/978-3-319-11936-6_7
[71] , “OCRA: Othello Contracts Refinement Analysis User Guide (Version 1.3),” 2015, https://es-static.fbk.eu/tools/ocra/download/OCRA_Language_User_Guide.pdf [retrieved 20 May 2020].
[72] , “The xSAP Safety Analysis Platform,” Tools and Algorithms for the Construction and Analysis of Systems (TACAS), Springer, Berlin, 2016, pp. 533–539. https://doi.org/10.1007/978-3-662-49674-9_31
[73] “xSAP: The eXtended Safety Assessment Platform User Guide (Version 1.2),” https://es.fbk.eu/tools/xsap/downloads/xsap-manual.pdf [retrieved 20 May 2020].
[74] , “Disk Failures in the Real World: What Does an MTTF of 1,000,000 Hours Mean to You?” Proceedings of the 5th USENIX Conference on File and Storage Technologies, USENIX Assoc., Berkeley, CA, 2007, p. 1–es. https://doi.org/10.5555/1267903.1267904
[75] , “Evaluating the Impact of Undetected Disk Errors in Raid Systems,” 2009 IEEE/IFIP International Conference on Dependable Systems & Networks, IEEE, New York, 2009, pp. 83–92. https://doi.org/10.1109/dsn.2009.5270353
[76] , “Undetected Disk Errors in RAID Arrays,” IBM Journal of Research and Development, Vol. 52, No. 4.5, 2008, pp. 413–425. https://doi.org/10.1147/rd.524.0413
[77] , “Characteristics of Backup Workloads in Production Systems,” Proceedings of the 10th USENIX Conference on File and Storage Technologies, USENIX, Assoc., Berkeley, CA, 2012, p. 4. https://doi.org/10.5555/2208461.2208465
[78] , “Extracting Flexible, Replayable Models from Large Block Traces,” Proceedings of the 10th USENIX Conference on File and Storage Technologies, USENIX Assoc., San Jose, CA, 2012, p. 22. https://doi.org/10.5555/2208461.2208483
[79] , “Capture, Conversion, and Analysis of an Intense NFS Workload,” Proceedings of the 7th Conference on File and Storage Technologies, USENIX Assoc., Berkeley, CA, 2009, pp. 139–152. https://doi.org/10.5555/1525908.1525919
[80] , “scc: Cluster Storage Provisioning Informed by Application Characteristics and SLAs,” Proceedings of the 10th USENIX Conference on File and Storage Technologies, USENIX Assoc., Berkeley, CA, 2012, p. 23. https://doi.org/10.5555/2208461.2208484
[81] , “Dynamic Resource Allocation for Database Servers Running on Virtual Storage,” Proceedings of the 7th Conference on File and Storage Technologies, USENIX Assoc., Berkeley, CA, 2009, pp. 71–84. https://doi.org/10.5555/1525908.1525914
[82] , “RAID: High-Performance, Reliable Secondary Storage,” ACM Computing Surveys, Vol. 26, No. 2, 1994, pp. 145–185. https://doi.org/10.1145/176979.176981
[83] , “The Mathematics of RAID-6,” 2007, http://alamos.math.arizona.edu/RTG16/ECC/raid6.pdf [retrieved 20 May 2020].
[84] , Lectures in Abstract Algebra: III. Theory of Fields and Galois Theory, Vol. 32, Springer International Publishing, 2012. https://doi.org/10.1007/978-1-4612-9872-4
[85] , “RESeED: Regular Expression Search over Encrypted Data in the Cloud,” IEEE 7th International Conference on Cloud Computing (CLOUD), IEEE, New York, 2014, pp. 673–680. https://doi.org/10.1109/cloud.2014.95
[86] , “RESeED: A Secure Regular-Expression Search Tool for Storage Clouds,” Software: Practice and Experience, Vol. 47, No. 9, 2017, pp. 1221–1241. https://doi.org/10.1002/spe.2473
[87] , “A One Round Protocol for Tripartite Diffie-Hellman,” Journal of Cryptology, Vol. 17, No. 4, 2004, pp. 263–276. https://doi.org/10.1007/s00145-004-0312-y
[88] , “Curve25519: New Diffie-Hellman Speed Records,” International Workshop on Public Key Cryptography, Springer, Berlin, 2006, pp. 207–228. https://doi.org/10.1007/11745853_14
[89] , “Onion Routing,” Communications of the ACM, Vol. 42, No. 2, 1999, pp. 39–41. https://doi.org/10.1145/293411.293443
[90] , “Location Privacy and Anonymity Preserving Routing for Wireless Sensor Networks,” Computer Networks, Vol. 52, No. 18, 2008, pp. 3433–3452. https://doi.org/10.1016/j.comnet.2008.09.005
[91] , “Black Routing and Node Obscuring in IoT,” IEEE 3rd World Forum on Internet of Things (WF-IoT), IEEE, New York, 2016, pp. 323–328. https://doi.org/10.1109/wf-iot.2016.7845477
[92] , “Modelling Failure Conditions in Zigbee Based Wireless Sensor Networks,” International Journal of Wireless and Microwave Technologies, Vol. 7, No. 2, 2017, pp. 25–34. https://doi.org/10.5815/ijwmt.2017.02.03
[93] , The Theory of Algorithms, Vol. 15, Springer, Netherlands, 1960.
[94] , Simulation Modeling and Analysis, 3rd ed., McGraw–Hill Higher Education, 1999. https://doi.org/10.5555/554952
[95] , “Handbook of Mathematical Functions,” Vol. 55, Applied Mathematics Series, Dover Publications, 1966, p. 39.