Creating an Assurance Model for Secure Embedded Systems

In 2019, Galois and its spinout Tangram Flex were awarded a $5 million contract for the DARPA I2O Cyber Assured Systems Engineering (CASE) program. This post presents an update on the project's progress.

Introducing Cyber-Assured Plugins to embedded computer systems

“The problem is not in our stars … but in ourselves” is a paraphrase of a famous line from Shakespeare’s Julius Caesar, and it applies just as well to making modern computer systems cyber-resilient.

DARPA created the Cyber Assured Systems Engineering (CASE) program to “develop the necessary design, analysis, and verification tools to allow system engineers to design-in cyber resiliency … when designing embedded computing systems.” Put simply: how do DoD systems engineers build systems with cybersecurity “baked in” to the requirements, the models, and the code? CASE is meant to make that possible. However, there is a large gap between the way current systems engineers think about models and what is needed to effectively infuse cybersecurity into these systems.

Galois and Tangram Flex have been working to bridge this gap with Cyber-Assured Plugins (CAP), an “additive only” approach so TA6 partner engineers can use their own systems, while incorporating CASE tools for system analysis, assurance, and mitigation. 

Galois and Tangram Flex are well suited to this project because both companies have a track record of understanding the applications of TA performers, translating the underlying concepts into workflows that match those applications, and supporting integration of the resulting tools into the performers' existing workflows.

“The CAP program is aligned to Tangram Flex’s purpose,” says Matt Farrell, operations lead with Tangram Flex. “This project helps us know the market need, the tooling and design of an embedded system, and any issues with adoption.” 

“Bad software leaks bad characteristic behaviors”

Embedded computer systems were once less vulnerable to cyber-attacks because they were not connected to networks. Today's network connectivity all but ensures that embedded systems can and will be exposed to cyber-attacks.

“Bad software leaks bad behavior characteristics,” says Matthew Clark, Principal Scientist at Galois and Tangram Flex. This means a vulnerability can be exploited by attackers without the need to actually target the embedded system. So a major challenge in making embedded systems cyber-resilient is hardening them against behavior attacks. 

Systems are often designed without assurance built-in, but then have a set of “assurance checklists bolted on at the end,” says Don Barrett, a lead systems engineer with Tangram Flex. 

This method has not proven effective, and it increases industry cyber mitigation costs. Galois and Tangram Flex believe that companies must design systems with analysis and mitigation functions built in from their inception. 

However, this is easier said than done. “The degree of assurance Galois and Tangram Flex can offer its TA6 partner’s system is highly dependent on the degree a system is open and in some cases modular,” Mr. Clark says. “Often we are faced with the legacy software issue, where the first step in cyber design is reverse engineering and effective modeling.”

Reverse engineering legacy software for cyber-hardening

During the project’s first phase, Galois and Tangram Flex noted that the tool suite used by the TA6 partner had an elegant user interface (UI/UX), but it was not compatible with CASE tools, which use AADL (Architecture Analysis and Design Language).

Many systems engineers have not worked with AADL-based tools, and their own commercial tools do not produce models suitable for automated analysis. This made it harder to transition CAP to them.

During the second phase, Galois and Tangram Flex used a tool from DARPA CODE to extract models from a commercial SysML tool, hoping to use automation to bridge the modeling gap. “The team found that commercial tool changes from version x to x.1 broke our CAP plugins and any ability for analysis along with it … [so] we found that a level of manual reverse engineering existing software is crucial to cyber hardening that software. There is no free lunch,” Mr. Clark says. 

Mr. Clark and his colleagues recommend that the first step in assuring a TA performer’s system be to understand how its individual components exchange information. Once that is understood, automated tools can re-write the code that exchanges that information in a more effective, cyber-assured way. He says, “The auto generation of a custom message passing system and highly reliable transforms between dissimilar message interfaces is a means to an end for assurance.”
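As an added example (not code from Galois, Tangram Flex or the CAP project), the following Python sketches what a “highly reliable transform between dissimilar message interfaces” can look like once the information exchanged between two components is understood: a legacy binary frame (interface A) is converted to a typed SI-unit record (interface B) and back, with every frame validated for length and for semantic range before it is forwarded, and anything that fails validation dropped and logged rather than passed on. Both interfaces, their field names and all range limits are assumptions constructed for illustration.

```python
"""Added example, not code from Galois, Tangram Flex or the CAP/CASE
project: a strictly validated transform between two dissimilar message
interfaces. Both interfaces, their field names and all range limits are
constructed for illustration."""
from dataclasses import dataclass
import struct

# Hypothetical legacy interface A: a fixed-size big-endian binary frame
#   uint16 sensor_id | int32 altitude_ft | uint16 airspeed_kt | uint8 status
A_FORMAT = ">HiHB"
A_SIZE = struct.calcsize(A_FORMAT)  # 9 bytes


# Hypothetical modern interface B: a typed record in SI units
@dataclass(frozen=True)
class TelemetryB:
    sensor_id: int
    altitude_m: float
    airspeed_mps: float
    healthy: bool


FT_TO_M = 0.3048
KT_TO_MPS = 0.514444

# Illustrative validity envelope, enforced in both directions of the transform
SENSOR_ID_RANGE = (1, 255)
ALTITUDE_FT_RANGE = (-2000, 60000)
AIRSPEED_KT_MAX = 700


class TransformError(ValueError):
    """A message failed validation; the relay drops it instead of forwarding it."""


def _check(cond: bool, why: str) -> None:
    if not cond:
        raise TransformError(why)


def a_to_b(frame: bytes) -> TelemetryB:
    """Decode an interface-A frame into an interface-B record, or raise TransformError."""
    # Length is checked first so struct.unpack never sees a short or padded frame
    _check(len(frame) == A_SIZE, f"expected {A_SIZE} bytes, got {len(frame)}")
    sensor_id, altitude_ft, airspeed_kt, status = struct.unpack(A_FORMAT, frame)
    # Semantic checks: a well-formed frame can still carry impossible values
    _check(SENSOR_ID_RANGE[0] <= sensor_id <= SENSOR_ID_RANGE[1], f"sensor_id {sensor_id}")
    _check(ALTITUDE_FT_RANGE[0] <= altitude_ft <= ALTITUDE_FT_RANGE[1], f"altitude {altitude_ft} ft")
    _check(airspeed_kt <= AIRSPEED_KT_MAX, f"airspeed {airspeed_kt} kt")
    _check(status in (0, 1), f"status {status}")
    return TelemetryB(
        sensor_id=sensor_id,
        altitude_m=round(altitude_ft * FT_TO_M, 3),
        airspeed_mps=round(airspeed_kt * KT_TO_MPS, 3),
        healthy=(status == 1),
    )


def b_to_a(msg: TelemetryB) -> bytes:
    """Inverse transform: encode an interface-B record as an interface-A frame, or raise."""
    altitude_ft = round(msg.altitude_m / FT_TO_M)
    airspeed_kt = round(msg.airspeed_mps / KT_TO_MPS)
    # Re-validate after unit conversion so B-side inputs cannot carry out-of-envelope values
    _check(SENSOR_ID_RANGE[0] <= msg.sensor_id <= SENSOR_ID_RANGE[1], f"sensor_id {msg.sensor_id}")
    _check(ALTITUDE_FT_RANGE[0] <= altitude_ft <= ALTITUDE_FT_RANGE[1], f"altitude {altitude_ft} ft")
    _check(0 <= airspeed_kt <= AIRSPEED_KT_MAX, f"airspeed {airspeed_kt} kt")
    return struct.pack(A_FORMAT, msg.sensor_id, altitude_ft, airspeed_kt, 1 if msg.healthy else 0)


def relay(frames):
    """Transform a stream of A frames: forward valid records, collect reasons for rejects."""
    forwarded, rejected = [], []
    for frame in frames:
        try:
            forwarded.append(a_to_b(frame))
        except TransformError as err:
            rejected.append(str(err))
    return forwarded, rejected


if __name__ == "__main__":
    # Constructed sample stream: one good frame, one truncated frame, one impossible status byte
    good = struct.pack(A_FORMAT, 7, 12500, 250, 1)
    ok, dropped = relay([good, good[:-1], struct.pack(A_FORMAT, 7, 12500, 250, 9)])
    print(ok)       # one TelemetryB record for sensor 7 at 3810.0 m, 128.611 m/s
    print(dropped)  # ['expected 9 bytes, got 8', 'status 9']
    assert b_to_a(ok[0]) == good  # the transform round-trips the valid frame exactly
```

The design point is that the transform is the trust boundary between the two components: the envelope is checked on every frame in both directions, the round trip is exact for valid data, and a reject is an observable event (the reason string) that can feed the forensic record rather than a silent drop.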

Demonstrating modeling functionality 

Galois and Tangram Flex are currently planning CAP’s third phase, which will focus on tools, training, and educational materials. The plan calls for showing how CAP (using AADL architectural modeling) can analyze, find, and then mitigate threats by:

  • Developing a series of models demonstrating how CAP can work with TA6 partner legacy software
  • Describing best practices for developing AADL models suited to automated analysis
  • Using AADL to iteratively document forensic evidence 
  • Analyzing the AADL model to recommend cyber-mitigations

One of the goals for this phase will be to show the TA6 partner how an assurance tool can be built into their embedded system architecture from the beginning of its development.

“The major effort [for this intended phase of CAP] will be to generate small examples of modeling functionality and tool use that can be applied to our TA6 partner models by their employees, without Galois or Tangram needing to be involved,” says Mr. Clark. 

A hopeful paradigm shift for the future

The planned end result of CAP’s third phase will be a collection of example models, but the larger goal is to promote a broader knowledge base for effective cyber modeling and analysis, even for legacy systems.

Engineers like the UI/UX of their legacy software because it is simple to use and makes their workflow efficient. Don Barrett says, “designers can create the best tool imaginable, but if average engineers can’t decipher its functionality, then they won’t use it. So designing software for the experienced engineer scientist doing the work is crucial. Tangram Flex takes this mission to heart and wants to develop a tool that engineers and developers can use without it being disruptive to their workflow.”

The goal is for CAP to be a model for working CASE tools that can be used to design a stable and secure system from the ground up. This would be a massive “paradigm shift,” says Mr. Barrett.

Matt Clark also believes the work being done with CAP has the potential to help transform component-based development and analysis. “Enabling a way to forensically [model and mitigate] threats from legacy software would be great,” he says. “There is still a ton of room to define what it means to do component based development and analysis.”

This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA). The views, opinions and/or findings expressed are those of the author and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.

DISTRIBUTION STATEMENT A. Approved for public release: distribution unlimited.