CN113806773B - AADL-based embedded system integrity access control model design method - Google Patents


Info

Publication number: CN113806773B
Authority: CN (China)
Prior art keywords: component, integrity, model, components, aadl
Legal status: Active
Application number: CN202111059690.4A
Other languages: Chinese (zh)
Other versions: CN113806773A (en)
Inventors: 孙聪, 刘乔森, 李亚晖, 王中华, 马建峰, 郭鹏
Current assignee: Xidian University; Xian Aeronautics Computing Technique Research Institute of AVIC
Original assignee: Xidian University; Xian Aeronautics Computing Technique Research Institute of AVIC
Application filed by Xidian University and Xian Aeronautics Computing Technique Research Institute of AVIC; priority to CN202111059690.4A; published as CN113806773A; application granted and published as CN113806773B.

Classifications

G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING

    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F8/00 Arrangements for software engineering
    • G06F8/30 Creation or generation of source code
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The invention discloses an AADL-based embedded system integrity access control model design method comprising the following steps: 1, building a functional architecture model with the architecture analysis and design language AADL; 2, building a hardware architecture model with AADL; 3, mapping an integrity access control model into the architecture model; 4, verifying the integrity of the resulting embedded system architecture model; 5, modifying Integrity_Label attribute values according to the verification result; and 6, outputting the embedded system architecture model containing the integrity access control model. The method overcomes two defects of the prior art: having to mark the subject, the object and the access relation on each component, and having to convert the AADL model into another model for verification. The invention builds and verifies an access control model that conforms to integrity with high modeling efficiency.

Description

AADL-based embedded system integrity access control model design method
Technical Field
The invention belongs to the technical field of computers, and more specifically to an embedded system integrity access control model design method based on the Architecture Analysis & Design Language (AADL), in the field of embedded system security analysis. The invention can be used to establish an integrity system architecture model of an embedded control system and to verify the integrity of that model.
Background
Integrity means that data cannot be tampered with illegally while being transmitted, or that tampering is detected in time. From the point of view of access control, an integrity access control model meets the integrity requirement by assigning an integrity label to each subject and to each data object that is accessed, and comparing the two labels when access control is performed. Defects that violate integrity arise easily in the design stage of a complex embedded system; a control system realised from such a design allows its (high-integrity) control parameters to be tampered with by low-integrity environment input (such as sensor input) or by malicious data injected by an attacker, threatening the integrity of the control system. To reduce or avoid integrity-violating defects in the design and so optimise the system design, an AADL integrity modeling method for embedded control systems is provided, together with an integrity verification method for the model obtained by that modeling method.
Northwestern Polytechnical University, in its patent application "AADL-based system vulnerability model design method" (application number 202110076365.2, application publication number CN 112764722A, application date 2021.01.20), proposes a system security modeling method. The method defines an access control policy that prescribes the access subjects, access objects and access relations, models the policy with an annex extension, declares a vulnerability model annex clause in the component implementation of each access-object component, and identifies whether each interaction is allowed by the policy by setting an access mark on that interaction, obtaining an AADL-based system vulnerability model. The method has the following defects: every interaction must be marked with an access mark stating whether the policy allows it, so the security modeling cost is high when the system has many interactions, the resulting system architecture security model is complex, and the difficulty of verifying the security of the system model increases.
Beihang University (Beijing University of Aeronautics and Astronautics), in its patent application (application number 202010062226.X, application publication number CN 111274699A, application date 2020.01.19), proposes a security analysis method for AADL models based on SmartIflow. An AADL system architecture model and an error model are first established and converted into a SmartIflow model; safety properties are then formulated from the safety requirements, the SmartIflow model and the properties are input to the SmartIflow model verification platform, and the verification result is output. The method has the following defects: the AADL model must be converted into another verifiable model, so verification cannot be executed directly on the AADL model; the conversion adds cost, and the cost of system security verification grows when the system architecture model is complex.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing an embedded system integrity access control model design method based on the architecture analysis and design language AADL, which solves the problems of high security modeling cost, high complexity of the obtained system architecture security model, and high security verification cost of AADL models.
The specific idea for achieving this is as follows: an architecture model is constructed with AADL and the integrity access control model is mapped into it. The invention models the embedded system architecture with AADL to obtain an embedded system architecture model, then defines the mapping relation between the integrity access control model and the architecture model, establishes with an AADL extension attribute set an Integrity_Label attribute that represents the integrity label of a subject or object, and adds the Integrity_Label attribute to the architecture model according to the access rule, obtaining an embedded system architecture model whose integrity is to be verified. Because this model does not need the subject, the object and the access relation to be marked on each component, the problems of high security modeling cost and high complexity of the obtained system architecture security model are solved. The invention then verifies the integrity of the embedded system architecture model and modifies the Integrity_Label values that do not conform; the AADL model is verified directly, without conversion into another model, which solves the problem of high security verification cost of AADL models, and finally the embedded system architecture model conforming to the integrity access control model is output.
The method comprises the following specific steps:
step 1, constructing a functional architecture model with the architecture analysis and design language AADL;
step 2, constructing a hardware architecture model with AADL;
step 3, mapping the integrity access control model into the architecture model:
(3a) mapping the system, process, thread, processor, device and bus components of the embedded system architecture model to the subjects of the integrity access control model;
(3b) mapping all data ports, event ports and event data ports of the embedded system architecture model to the objects of the integrity access control model;
(3c) establishing, with an AADL extension attribute set (property set), an Integrity_Label attribute that represents the integrity label of a subject or object;
(3d) according to the integrity access control rule, adding the Integrity_Label attribute in turn to every system, process, thread, processor, bus and device component of the embedded system architecture model and to every data port, event port and event data port of the model;
(3e) outputting the embedded system architecture model whose integrity is to be verified;
step 4, verifying the integrity of the embedded system architecture model whose integrity is to be verified:
(4a) for each system, process, thread, processor and device component of the model, obtaining the data ports, event ports and event data ports in its features declaration and comparing the Integrity_Label value of the component with that of every such port; if the component's value is greater than or equal to every port's value, executing step (4b), otherwise executing step 5;
(4b) for each system, process, thread, processor, bus and device component of the model, obtaining the subcomponents in its subcomponents declaration and comparing the Integrity_Label value of the component with that of every subcomponent; if the component's value is less than or equal to every subcomponent's value, executing step (4c), otherwise executing step 5;
(4c) judging whether each system, process and thread component of the model declares the processor binding attribute; if so, obtaining the processor component named in that attribute and comparing the Integrity_Label values of the component and of the processor; if the component's value is greater than or equal to the processor's value, executing step (4d), otherwise executing step 5;
(4d) judging whether each system, process, thread, processor and device component of the model declares a flow path; if so, obtaining the source feature and the destination feature of every flow path and comparing their Integrity_Label values; if every source value is greater than or equal to its destination value, executing step (4e), otherwise executing step 5;
(4e) for each system, process, thread, processor and device component of the model, obtaining all of its connection instances and comparing the Integrity_Label values of the ports at the two ends of each connection; if the two values are equal for every connection, executing step 6, otherwise executing step 5;
step 5, modifying the Integrity_Label attribute values according to the verification result;
step 6, outputting the embedded system architecture model containing the integrity access control model.
Compared with the prior art, the invention has the following advantages:
First, because the invention maps the integrity access control model into the architecture model, the prior-art need to mark the subject, the object and the access relation on each component is removed, so the obtained model has low complexity and the embedded system architecture model conforming to the integrity access control model is built with high modeling efficiency.
Second, because the invention verifies the integrity of the embedded system architecture model whose integrity is to be verified directly, the prior-art need to convert the AADL model into another model during verification is removed, so verification is performed on the AADL model itself and the verification cost is saved.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a diagram of the core control subsystem of the unmanned aerial vehicle flight control system in an embodiment of the present invention;
FIG. 3 is a diagram of the hardware support subsystem of the unmanned aerial vehicle flight control system in an embodiment of the present invention;
FIG. 4 is a diagram of the unmanned aerial vehicle flight control system in an embodiment of the present invention.
Detailed Description
The invention is further described below by taking an unmanned aerial vehicle flight control system as an example with reference to the accompanying drawings.
The steps of designing the integrity access control model of the unmanned aerial vehicle flight control system of the present invention will be described in further detail with reference to fig. 1.
Step 1, modeling the core control subsystem UAVreference of the unmanned aerial vehicle flight control system with an AADL system component, and modeling the four core control components of that subsystem, namely the sensor function component, the position control component, the attitude control component and the engine control component, with AADL process and thread components. Specifically, an AADL process component models the sensor function sensor, and thread components model its speed sensor function Acc, image sensor function Image and gyroscope function Gyro; a process component models the position control function position, and a thread component models its position processing control function positionhandle; a process component models the attitude control function attitude, and a thread component models its attitude processing control function attitudehandle; a process component models the engine control function motors, and a thread component models its engine control processing function motorshandle.
Table 1, unmanned aerial vehicle flight control system core control subsystem architecture model component port table
Modeling the interactions among the core control component models with the data ports, event data ports, port connections and flows declared in the features sections of the AADL non-data components, to obtain the interaction model of each core control component; the ports of each control component of the unmanned aerial vehicle flight control system and of the control functions it models are listed in Table 1.
The connection of each port of the unmanned aerial vehicle flight control system and the data flow are shown in table 2.
Table 2, unmanned aerial vehicle flight control system core control subsystem architecture model interaction table
Connection name/flow path name Port interaction mode
c1 (Port connection) data_out—>position_in
c2 (Port connection) data_out—>attitude_in
c3 (Port connection) position_out—>motors_in1
c4 (Port connection) attitude_out—>motors_in2
pc1 (Port connection) position_in—>positionhandle_in
pc2 (Port connection) positionhandle_out—>position_out
ac1 (Port connection) attitude_in—>attitudehandle_in
ac2 (Port connection) attitudehandle_out—>attitude_out
mc1 (Port connection) motors_in1—>motorshandle_in1
mc2 (Port connection) motors_in2—>motorshandle_in2
pf (flow path) positionhandle_in—>positionhandle_out
af (flow path) attitudehandle_in—>attitudehandle_out
The functional architecture model of the unmanned aerial vehicle flight control system obtained by the modeling process described above and combining tables 1 and 2 is shown in fig. 2.
Step 2, modeling the hardware support subsystem UAVhardware of the flight control system with an AADL system component, and modeling the firmware of the hardware support subsystem with AADL process components; the firmware is the unmanned aerial vehicle processor firmware UAVfcProcessorFirmware.
Modeling the sensor of the hardware support subsystem of the unmanned aerial vehicle flight control system with an AADL device component; modeling the unmanned aerial vehicle processor UAVfcProcessor of the hardware support subsystem with an AADL processor component.
Modeling the unmanned aerial vehicle bus UAVbus, which provides the physical connection between the sensor and the processor of the hardware support subsystem, with an AADL bus component.
Modeling the firmware interactions of the hardware support subsystem with the data ports, event data ports, port connections and flows declared in the features sections of the AADL non-data components; the firmware comprises the unmanned aerial vehicle processor firmware UAVfcProcessorFirmware and the unmanned aerial vehicle communication firmware UAVCommunicationFirmware. The ports declared in the features section of each firmware model are shown in Table 3, and the port connections and flow paths between the firmware ports are shown in Table 4.
Table 3, unmanned aerial vehicle flight control system hardware support subsystem firmware port table
Table 4, unmanned aerial vehicle flight control system hardware support subsystem port interaction table
Modeling the interactions between the sensor and the processor of the hardware support subsystem with the bus accesses declared in the features sections of the AADL hardware components and with access connections. Specifically, a sensor bus access sensor_in is declared in the features section of the sensor (a device component), a processor bus access processor_in is declared in the features section of the unmanned aerial vehicle processor UAVfcProcessor (a processor component), and an access connection bus_access1 between the sensor model and the bus model and an access connection bus_access2 between the processor model and the bus model are declared in the hardware support subsystem UAVhardware.
Modeling the hosting relation between the firmware of the hardware support subsystem and the processor with the AADL processor binding property; the Actual_Processor_Binding property declared in the properties section of the hardware support subsystem UAVhardware binds the two firmware components, the unmanned aerial vehicle processor firmware UAVfcProcessorFirmware and the unmanned aerial vehicle communication firmware UAVCommunicationFirmware, to the unmanned aerial vehicle processor UAVfcProcessor model.
The hardware architecture model of the unmanned aerial vehicle flight control system obtained according to the modeling process is shown in fig. 3, the complete unmanned aerial vehicle flight control system model is shown in fig. 4, wherein fig. 4 (a) is a core control subsystem of the unmanned aerial vehicle flight control system, and fig. 4 (b) is a hardware support subsystem of the unmanned aerial vehicle flight control system.
Step 3, mapping the system, process, thread, processor, device and bus components of the unmanned aerial vehicle flight control system architecture model to the subjects of the integrity access control model; these components are the sensor function sensor (process), the speed sensor function Acc, the gyroscope function Gyro and the image sensor function Image (threads), the position control function position (process), the position processing control function positionhandle (thread), the attitude control function attitude (process), the attitude processing control function attitudehandle (thread), the engine control function motors (process), the engine control processing function motorshandle (thread), the unmanned aerial vehicle processor firmware UAVfcProcessorFirmware, the sensor device, the unmanned aerial vehicle processor UAVfcProcessor, the unmanned aerial vehicle communication firmware UAVCommunicationFirmware, and the unmanned aerial vehicle bus UAVbus.
Mapping all data ports, event ports and event data ports of the unmanned aerial vehicle flight control system architecture model to the objects of the integrity access control model; the ports are the data output data_out (output data port), speed sensor output acc_out (output data port), gyroscope output gyro_out (output data port), image output image_out (output data port), position input position_in (input data port), position output position_out (output event data port), position processing input positionhandle_in (input data port), position processing output positionhandle_out (output data port), attitude input attitude_in (input data port), attitude output attitude_out (output event data port), attitude processing input attitudehandle_in (input data port), attitude processing output attitudehandle_out (output data port), engine control inputs motors_in1 and motors_in2 (input event data ports), engine processing inputs motorshandle_in1 and motorshandle_in2 (input event ports), unmanned aerial vehicle processor output UAVfcProcessor_out (output data port), unmanned aerial vehicle processor input UAVfcProcessor_in (input event data port), and the unmanned aerial vehicle communication firmware ports UAVCommunicationFirmware_in1 (input data port), UAVCommunicationFirmware_in2 (input event port), UAVCommunicationFirmware_out1 (output event data port) and UAVCommunicationFirmware_out2 (output data port).
An AADL extension attribute set (property set) is used to establish an Integrity_Label attribute that represents the integrity label of a subject or object.
According to the integrity access control rule, the Integrity_Label attribute is added in turn to all system, process, thread, processor, bus and device components of the unmanned aerial vehicle flight control system architecture model and to all of its data ports, event ports and event data ports. The Integrity_Label values and the components and ports they are added to are as follows:
    • UAV (system): Unclassified
    • UAVreference (system): Unclassified
    • sensor function sensor (process): Unclassified
    • speed sensor function Acc (thread): Important
    • gyroscope function Gyro (thread): Important
    • image sensor function Image (thread): Important
    • position control function position (process): VeryImportant
    • the Interval_Label attribute value of the position control function is VeryLabel is Imortant
    • attitude control processing function attitudehandle (thread): Critical
    • engine control function motors (process): VeryImportant
    • engine control processing function motorshandle (thread): Critical
    • hardware support subsystem UAVhardware (system): Unclassified
    • sensor (device): VeryImportant
    • unmanned aerial vehicle processor UAVfcProcessor: VeryImportant
    • unmanned aerial vehicle processor firmware UAVfcProcessorFirmware: VeryImportant
    • the attribute value of the UAVreceiver communication firmware is Ubex_LabutusTimeyer, the output data of the Ubbelohdout of the UANGTab, the data of the UANGSTRUCTUREMIQ is UbbrAbutTab, the UbbrAbelTimeLaberDarty attribute value of the UbbrAbelss
    • speed sensor output acc_out (output data port): Unclassified
    • gyroscope output gyro_out (output data port): Unclassified
    • image output image_out (output data port): Unclassified
    • position input position_in (input data port): Important
    • position output position_out (output event data port): Important
    • position processing input positionhandle_in (input data port): Important
    • position processing output positionhandle_out (output data port): Important
    • attitude input attitude_in (input data port): Important
    • attitude processing input attitudehandle_in (input data port): Important
    • attitude processing output attitudehandle_out (output data port): Important
    • engine control inputs motors_in1 and motors_in2 (input event data ports): Important
    • engine processing inputs motorshandle_in1 and motorshandle_in2 (input event ports): Important
    • unmanned aerial vehicle processor output UAVfcProcessor_out (output data port): Important
    • unmanned aerial vehicle processor input UAVfcProcessor_in (input event data port): Important
    • unmanned aerial vehicle communication firmware input 1 UAVCommunicationFirmware_in1 (input data port): Important
    • unmanned aerial vehicle communication firmware output 2 UAVCommunicationFirmware_out2 (output data port): Important
    • unmanned aerial vehicle communication firmware output 1 UAVCommunicationFirmware_out1 (output event data port): Important
    • unmanned aerial vehicle communication firmware input 2 UAVCommunicationFirmware_in2 (input event port): Important
Outputting an unmanned aerial vehicle flight control system architecture model with integrity to be verified.
Step 4, executing step 4 with the model verification tool Resolute in the open source AADL tool environment OSATE (Open Source AADL Tool Environment), to verify the integrity of the embedded system architecture model whose integrity is to be verified.
Firstly, defining a Resolute function is_lower_or_same_integrity_level_property(lower, higher), whose lower parameter is the AADL model element that should theoretically carry the smaller Integrity_Label value and whose higher parameter is the element that should theoretically carry the larger value. The function compares this theoretical ordering with the actual ordering of the two elements' Integrity_Label values and returns true when the two agree; a return value of false indicates that they do not.
Secondly, for each system, process, thread, processor and device component of the unmanned aerial vehicle flight control system architecture model, obtaining the data ports, event ports and event data ports in its features declaration, comparing the Integrity_Label value of the component with that of each such port, and proceeding to the third step if the component's value is greater than or equal to every port's value. Concretely, a Resolute function rule_1 is defined that obtains the set of features of a component with the Resolute built-in function features(<component_name>), traverses that set, and calls is_lower_or_same_integrity_level_property(lower, higher) with each feature as lower and the component as higher; rule_1 is executed for every system, process, thread, processor and device component of the model, and every call must return true.
Thirdly, for each system, process, thread, processor, bus and device component of the model, obtaining the subcomponents in its subcomponents declaration, comparing the Integrity_Label value of the component with that of each subcomponent, and proceeding to the fourth step if the component's value is less than or equal to every subcomponent's value. Concretely, a Resolute function rule_2 is defined that obtains the set of subcomponents of a component with the Resolute built-in function subcomponents(<component_name>), traverses that set, and calls is_lower_or_same_integrity_level_property(lower, higher) with the component as lower and each subcomponent as higher; rule_2 is executed for every system, process, thread, processor, bus and device component of the model, and every call must return true.
Fourthly, judging whether each system, process and thread component of the model declares the processor binding attribute; if so, obtaining the processor component named in the binding, comparing the Integrity_Label values of the component and of the processor, and proceeding to the fifth step if the component's value is greater than or equal to the processor's value. Concretely, a Resolute function rule_3 is defined that calls is_lower_or_same_integrity_level_property(lower, higher) with the bound processor as lower and the component as higher; rule_3 is executed for every system, process and thread component of the model that declares the processor binding attribute, and every call must return true.
Fifthly, judging whether each component of the unmanned aerial vehicle flight control system architecture model, which is a system component, a process component, a thread component, a processor component and a device component, declares a flow path, if so, acquiring source characteristics and destination characteristics declared in all flow paths, comparing the source characteristics with the destination characteristics, and if the source characteristics are greater than or equal to the destination characteristics, executing the sixth step; defining a resolution function rule_4, wherein the function uses a resolution built-in function flow_specific functions (flow_path >) to acquire a set of flow paths defined in a component, and for each flow path in the set, executing a resolution custom function is_lower_or_same_integer_level_property (lower) by taking a source feature and a destination feature as parameters, and executing a rule_4 function for each component which is of a system component, a process component, a thread component, a processor component and a device component and has declared a flow path in an unmanned aerial vehicle flight control system architecture model, wherein the return value of all executed rule_4 functions is true.
Step six, for all components of the embedded system architecture model, which are of the system component, the process component, the thread component, the processor component and the equipment component, all connection examples of the components are obtained, the attribute values of the port(s) at the two ends of the connection examples are compared, and if the attribute values of the port(s) at the two ends of the connection examples are equal, the step 5 is executed; defining a resolution function rule_5, acquiring all connection examples by using resolution function connections (< native_element >), acquiring ports at two ends of each connection example, acquiring an integrity_Label attribute value of the ports by using resolution custom function get_integrity_ Label (element), comparing, and executing rule_5 for all connection examples of all types including a system component, a process component, a thread component, a processor component and an equipment component in an unmanned aerial vehicle flight control system architecture model, wherein return values of all executed rule_5 functions are true.
And 5, modifying the integrity_Label attribute value according to the verification result, wherein the verification result of the Integrity of the embedded system architecture model to be verified is correct, so that the integrity_Label attribute value is not required to be modified.
And 6, outputting an architecture model of the embedded system, wherein the architecture model comprises an integrity access control model.

Claims (4)

1. An AADL-based embedded system integrity access control model design method, characterized in that the integrity access control model is mapped into an architecture model and the integrity of the embedded system architecture model whose integrity is to be verified is then verified; the design method comprises the following steps:
step 1, constructing a functional architecture model by using architecture analysis and design language AADL;
step 2, constructing a hardware architecture model by utilizing AADL;
step 3, mapping the integrity access control model into an architecture model:
(3a) Mapping the system components, process components, thread components, processor components, device components and bus components of the embedded system architecture model to the subjects of the integrity access control model;
(3b) Mapping all data ports, event ports and event data ports of the embedded system architecture model to the objects of the integrity access control model;
(3c) Establishing, with an AADL extended attribute set, an Integrity_Label attribute that represents the integrity label of subjects and objects;
(3d) According to the integrity access control rules, adding the Integrity_Label attribute in turn to all system components, process components, thread components, processor components, bus components and device components of the embedded system architecture model and to all data ports, event ports and event data ports of the embedded system architecture model;
(3e) Outputting an embedded system architecture model with integrity to be verified;
step 4, verifying the integrity of the embedded system architecture model with integrity to be verified:
(4a) For each component of the embedded system architecture model that is a system component, process component, thread component, processor component or device component, acquiring the data ports, event ports and event data ports in its feature declaration, comparing the Integrity_Label attribute value of the component with the Integrity_Label attribute values of all those data ports, event ports and event data ports, and executing step (4b) if the Integrity_Label attribute value of the component is greater than or equal to the Integrity_Label attribute values of all the data ports, event ports and event data ports in its feature declaration, otherwise executing step 5;
(4b) For each component of the embedded system architecture model that is a system component, process component, thread component, processor component, bus component or device component, acquiring the subcomponents in its subcomponent declaration, comparing the Integrity_Label attribute value of the component with the Integrity_Label attribute values of all those subcomponents, and executing step (4c) if the Integrity_Label attribute value of the component is smaller than or equal to the Integrity_Label attribute values of all the subcomponents in its subcomponent declaration, otherwise executing step 5;
(4c) Judging, for each component of the embedded system architecture model that is a system component, process component or thread component, whether it declares the processor binding attribute; if so, acquiring the processor component declared in the processor binding attribute and comparing the Integrity_Label attribute value of the component with that of the processor component, and executing step (4d) if the Integrity_Label attribute value of the component is greater than or equal to the Integrity_Label attribute value of the processor component, otherwise executing step 5;
(4d) Judging, for each component of the embedded system architecture model that is a system component, process component, thread component, processor component or device component, whether it declares a flow path; if so, acquiring the source features and destination features declared in all its flow paths and comparing them, and executing step (4e) if the Integrity_Label attribute value of the source feature is greater than or equal to that of the destination feature, otherwise executing step 5;
(4e) For all components of the embedded system architecture model that are system components, process components, thread components, processor components or device components, acquiring all connection instances of the component, comparing the Integrity_Label attribute values of the ports at the two ends of each connection instance, and executing step 6 if the Integrity_Label attribute values of the ports at the two ends of each connection instance are equal, otherwise executing step 5;
step 5, modifying the Integrity_Label attribute values according to the verification result;
step 6, outputting an embedded system architecture model containing the integrity access control model.
2. The method for designing an AADL-based embedded system integrity access control model according to claim 1, wherein constructing a functional architecture model with the architecture analysis and design language AADL in step 1 comprises the following steps:
firstly, modeling the core control subsystem of the embedded system with an AADL system component, and modeling the core control components in the core control subsystem of the embedded system with AADL process components and thread components to obtain N core control component models, wherein the value of N is determined by the task for which the system is developed;
secondly, modeling the interactions among the core control component models with the data ports, event data ports, port connections and data flows in the feature sections of AADL data components and non-data components to obtain the interaction model of each core control component.
3. The method for designing an AADL-based embedded system integrity access control model according to claim 1, wherein constructing a hardware architecture model with AADL in step 2 comprises the following steps:
firstly, modeling the hardware support subsystem of the embedded system with an AADL system component, and modeling the firmware of the hardware support subsystem of the embedded system with AADL process components;
secondly, modeling the sensors and processors of the hardware support subsystem of the embedded system with AADL device components and processor components respectively to obtain K sensor models and M processor models, wherein the values of K and M are determined by the task for which the system is developed;
thirdly, modeling the physical connections between the sensors and the processors of the hardware support subsystem of the embedded system with bus components;
fourthly, modeling the firmware interactions of the hardware support subsystem of the embedded system with the data ports, event data ports, port connections and data flows in the feature sections of AADL data components and non-data components;
fifthly, modeling the interactions between the sensors and the processors of the hardware support subsystem of the embedded system with the bus access features of AADL hardware components and access connections;
sixthly, modeling the mounting relationship between the firmware of the hardware support subsystem of the embedded system and the processors with the AADL processor binding property.
4. The method for designing an AADL-based embedded system integrity access control model according to claim 1, wherein modifying the Integrity_Label attribute values according to the verification result in step 5 comprises the following steps:
firstly, modifying the Integrity_Label attribute values of all features in the feature declaration of a component whose Integrity_Label attribute value is larger than that of the component into attribute values smaller than or equal to the Integrity_Label attribute value of the component;
secondly, modifying the Integrity_Label attribute values of all subcomponents in the subcomponent declaration of a component whose Integrity_Label attribute value is larger than that of the component into attribute values smaller than or equal to the Integrity_Label attribute value of the component;
thirdly, modifying the Integrity_Label attribute values of all components that declare the processor binding attribute and whose Integrity_Label attribute value is smaller than that of the bound processor component into attribute values greater than or equal to the Integrity_Label attribute value of the processor component;
fourthly, modifying the Integrity_Label attribute values of all destination features in flow paths whose Integrity_Label attribute value is larger than that of the source feature into attribute values smaller than or equal to the Integrity_Label attribute value of the source feature;
fifthly, modifying the Integrity_Label attribute values of all interconnected ports whose Integrity_Label attribute values are unequal into equal attribute values.
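The verification rules of step 4 (rule_1 to rule_5, restated in claim 1 as steps (4a) to (4e)) and the relabeling of step 5 (claim 4) together form one verify-then-repair loop. The following is an added example, written for this page and not the patent's Resolute code: it models the same five checks and the relabeling in Python over a small constructed flight-control model so the loop can be run stand-alone. The component and port names, the numeric label values, the choice of kinds each rule applies to (taken from the text above), the decision to equalise connected ports to the lower of the two labels, and the iteration to a fixpoint are all assumptions of the example.

```python
"""Added example (not the patent's Resolute rules): a Python model of the five
integrity checks (rule_1 .. rule_5) from step 4 and the relabeling of step 5,
run over a constructed, deliberately inconsistent flight-control model."""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Element:
    """One AADL model element (component or port) with its Integrity_Label."""
    name: str
    kind: str                      # system|process|thread|processor|device|bus|port
    label: int                     # Integrity_Label value; larger = higher integrity
    features: List[str] = field(default_factory=list)        # ports in the features section
    subcomponents: List[str] = field(default_factory=list)
    processor: Optional[str] = None                             # processor binding target
    flows: List[Tuple[str, str]] = field(default_factory=list)  # flow paths (source, destination)
    connections: List[Tuple[str, str]] = field(default_factory=list)  # port connections (a, b)


Model = Dict[str, Element]


def is_lower_or_same_integrity_level_property(m: Model, lower: str, higher: str) -> bool:
    """True when the element expected to be lower really has a label <= the other's."""
    return m[lower].label <= m[higher].label


# rule_k(model, component) -> bool, mirroring the five Resolute rules of step 4
def rule_1(m, c):  # component label >= label of every port in its features
    return all(is_lower_or_same_integrity_level_property(m, f, c.name) for f in c.features)
def rule_2(m, c):  # component label <= label of every subcomponent
    return all(is_lower_or_same_integrity_level_property(m, c.name, s) for s in c.subcomponents)
def rule_3(m, c):  # bound processor label <= component label
    return c.processor is None or is_lower_or_same_integrity_level_property(m, c.processor, c.name)
def rule_4(m, c):  # flow path: destination label <= source label
    return all(is_lower_or_same_integrity_level_property(m, dst, src) for src, dst in c.flows)
def rule_5(m, c):  # connected ports carry equal labels
    return all(m[a].label == m[b].label for a, b in c.connections)


# component categories each rule is executed for (as listed in the text above)
CORE = {"system", "process", "thread", "processor", "device"}
RULES = [("rule_1", rule_1, CORE), ("rule_2", rule_2, CORE | {"bus"}),
         ("rule_3", rule_3, {"system", "process", "thread"}),
         ("rule_4", rule_4, CORE), ("rule_5", rule_5, CORE)]


def verify(m: Model) -> List[Tuple[str, str]]:
    """Step 4: return (rule, component) pairs whose rule evaluated to false."""
    return [(name, c.name) for c in m.values() if c.kind != "port"
            for name, rule, kinds in RULES if c.kind in kinds and not rule(m, c)]


def repair(m: Model) -> Model:
    """Step 5: move each offending label to the bound its rule requires.
    Assumptions: a subcomponent below its component is raised to the component's
    label (the direction rule_2 checks), and unequal connected ports are both
    set to the lower of the two labels. The input model is left untouched."""
    m = copy.deepcopy(m)
    for c in m.values():
        if c.kind == "port":
            continue
        for f in c.features:                              # port above its component
            m[f].label = min(m[f].label, c.label)
        for s in c.subcomponents:                         # subcomponent below its component
            m[s].label = max(m[s].label, c.label)
        if c.processor is not None:                       # component below its processor
            c.label = max(c.label, m[c.processor].label)
        for src, dst in c.flows:                          # destination above source
            m[dst].label = min(m[dst].label, m[src].label)
        for a, b in c.connections:                        # unequal connected ports
            m[a].label = m[b].label = min(m[a].label, m[b].label)
    return m


def design(m: Model, max_rounds: int = 10) -> Tuple[Model, int]:
    """Steps 4-6: verify, relabel, repeat until no rule fails; returns the model
    and the number of repair passes (one fix can expose another, so iterate)."""
    for passes in range(max_rounds):
        if not verify(m):
            return m, passes
        m = repair(m)
    raise RuntimeError("labels did not converge")


def build_sample_model() -> Model:
    """Constructed sample: a GPS device feeds a flight-control process whose control
    thread is bound to one processor. Two labels are deliberately wrong: the GPS
    output port is above its device, and the thread's input port is below the
    destination of its flow path."""
    elems = [
        Element("uav", "system", 1, subcomponents=["bus0", "cpu", "gps", "fc_proc"],
                connections=[("gps.pos_out", "fc_proc.pos_in")]),
        Element("bus0", "bus", 2), Element("cpu", "processor", 2),
        Element("gps", "device", 2, features=["gps.pos_out"]),
        Element("fc_proc", "process", 2, features=["fc_proc.pos_in", "fc_proc.cmd_out"],
                subcomponents=["ctrl_thr"], processor="cpu",
                flows=[("fc_proc.pos_in", "fc_proc.cmd_out")],
                connections=[("fc_proc.pos_in", "ctrl_thr.pos_in"),
                             ("ctrl_thr.cmd_out", "fc_proc.cmd_out")]),
        Element("ctrl_thr", "thread", 2, features=["ctrl_thr.pos_in", "ctrl_thr.cmd_out"],
                processor="cpu", flows=[("ctrl_thr.pos_in", "ctrl_thr.cmd_out")]),
        Element("gps.pos_out", "port", 3),        # wrong: above its device (rule_1)
        Element("fc_proc.pos_in", "port", 2), Element("fc_proc.cmd_out", "port", 2),
        Element("ctrl_thr.pos_in", "port", 1),    # wrong: below its flow destination (rule_4)
        Element("ctrl_thr.cmd_out", "port", 2),
    ]
    return {e.name: e for e in elems}


if __name__ == "__main__":
    model = build_sample_model()
    print("violations:", verify(model))
    fixed, passes = design(model)
    print(f"converged after {passes} repair pass(es); port labels now:",
          {n: e.label for n, e in fixed.items() if e.kind == "port"})
```

Running the sample reports four failed rule executions (rule_5 on uav, rule_1 on gps, rule_5 on fc_proc and rule_4 on ctrl_thr) and needs two repair passes: lowering the mismatched ports exposes a second flow-path and connection mismatch one level up, which is why the example iterates rather than relabeling once. The end state shows the Biba-style consequence of a single low-integrity input port: every port on the path from the sensor to the command output is pulled down to that port's label, which is the architectural fact a designer would want to see before accepting the labels.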
CN202111059690.4A 2021-09-10 2021-09-10 AADL-based embedded system integrity access control model design method Active CN113806773B (en)

Publications (2)

Publication Number Publication Date
CN113806773A CN113806773A (en) 2021-12-17
CN113806773B true CN113806773B (en) 2024-02-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant