Method and system for reconciling safety-critical and high assurance security functional requirements between safety and security domains

US 8,977,848 B1
Filed: 11/15/2011
Issued: 03/10/2015
Est. Priority Date: 11/15/2011
Status: Active Grant

First Claim

Patent Images

1. A system for providing both safety and security functions, the system comprising:

a computing device providing at least a first partition and a second partition, the computing device implementing time and space partitioning to isolate resources available to the first partition and the second partition;

a safety module operating in the first partition, the safety module providing safety functions for the system;

a security module operating in the second partition, the security module providing security functions for the system; and

a predefined communication interface defining a set of communications allowable between the safety module and the security module, wherein information sharing between the safety module and the security module is restricted to only the set of communications allowable through the predefined communication interface,wherein the security functions provided by the security module include detecting a security violation, and wherein the set of communications allowable between the safety module and the security module includes a corrective action request from the security module to the safety module specifying a set of security-relevant partitions to be shutdown and restarted when the security violation is detected.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for providing safety and security functions are disclosed. The system includes a computing device that provides at least a first partition and a second partition. The computing device implements time and space partitioning to isolate resources available to the first partition and the second partition. The system also includes a safety module that operates in the first partition for providing safety functions for the system. The system further includes a security module that operates in the second partition for providing security functions for the system. A predefined communication interface is utilized to facilitate communications between the safety module and the security module. The communication interface defines a set of communications allowable between the safety module and the security module, wherein information sharing between the safety module and the security module is restricted to only the set of communications allowed through the communication interface.

29 Citations

View as Search Results

20 Claims

1. A system for providing both safety and security functions, the system comprising:
- a computing device providing at least a first partition and a second partition, the computing device implementing time and space partitioning to isolate resources available to the first partition and the second partition;
  
  a safety module operating in the first partition, the safety module providing safety functions for the system;
  
  a security module operating in the second partition, the security module providing security functions for the system; and
  
  a predefined communication interface defining a set of communications allowable between the safety module and the security module, wherein information sharing between the safety module and the security module is restricted to only the set of communications allowable through the predefined communication interface,wherein the security functions provided by the security module include detecting a security violation, and wherein the set of communications allowable between the safety module and the security module includes a corrective action request from the security module to the safety module specifying a set of security-relevant partitions to be shutdown and restarted when the security violation is detected.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein when the set of security-relevant partitions to be shutdown and restarted includes the second partition within which the security module operates, the second partition is the last partition the safety module shuts down and the first partition the safety module restarts.
  - 3. The system of claim 1, wherein for each particular partition of the set of security-relevant partitions specified in the corrective action request, the safety module determines whether the security module is authorized to request a shutdown and restart for that particular partition, and performs the shutdown and restart for that particular partition only when the security module is authorized.
  - 4. The system of claim 1, wherein the set of communications allowable between the safety module and the security module includes an event report from the safety module to the security module, wherein the event report notifies the security module of a security-related event.
  - 5. The system of claim 1, wherein the set of communications allowable between the safety module and the security module includes an audit report from the safety module to the security module, wherein the audit report is retrieved by the safety module from an operating system within which both the safety module and the security module operate.
  - 6. The system of claim 1, wherein the set of communications allowable between the safety module and the security module includes a Secure Initial State (SIS) notification from the safety module to the security module.
  - 7. The system of claim 1, wherein the computing device utilizes a Separation Kernel Operating System (SKOS) to implement time and space partitioning.

8. A method for reconciling safety and security functions in an integrated computing device, the method comprising:
- partitioning the computing device to provide at least a first partition and a second partition;
  
  isolating resources available to the first partition and the second partition utilizing time and space partitioning;
  
  providing a safety module in the first partition, the safety module configured for performing safety functions;
  
  providing a security module in the second partition, the security module configured for performing security functions, wherein the security functions include detecting a security violation; and
  
  providing a predefined communication interface between the safety module and the security module, the predefined communication interface defining a set of communications allowable between the safety module and the security module, wherein information sharing between the safety module and the security module is restricted to only the set of communications allowable through the predefined communication interface, and wherein the set of communications allowable between the safety module and the security module includes a corrective action request from the security module to the safety module specifying a set of security-relevant partitions to be shutdown and restarted when the security violation is detected.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein when the set of security-relevant partitions to be shutdown and restarted includes the second partition within which the security module operates, the second partition is the last partition the safety module shuts down and the first partition the safety module restarts.
  - 10. The method of claim 8, wherein for each particular partition of the set of security-relevant partitions specified in the corrective action request, the safety module determines whether the security module is authorized to request a shutdown and restart for that particular partition, and performs the shutdown and restart for that particular partition only when the security module is authorized.
  - 11. The method of claim 8, wherein the set of communications allowable between the safety module and the security module includes an event report from the safety module to the security module, wherein the event report notifies the security module of a security-related event.
  - 12. The method of claim 8, wherein the set of communications allowable between the safety module and the security module includes an audit report from the safety module to the security module, wherein the audit report is retrieved by the safety module from an operating system within which both the safety module and the security module operate.
  - 13. The method of claim 8, wherein the set of communications allowable between the safety module and the security module includes a Secure Initial State (SIS) notification from the safety module to the security module.
  - 14. The method of claim 8, wherein the computing device utilizes a Separation Kernel Operating System (SKOS) to implement time and space partitioning.

15. A system for providing both safety and security functions, the system comprising:
- a computing device providing at least a first partition and a second partition, the computing device implementing time and space partitioning to isolate resources available to the first partition and the second partition;
  
  a safety module operating in the first partition, the safety module providing safety functions for the system;
  
  a security module operating in the second partition, the security module providing security functions for the system; and
  
  a predefined communication interface defining a set of communications allowable between the safety module and the security module,wherein the security functions provided by the security module include detecting a security violation, wherein the set of communications allowable between the safety module and the security module includes a corrective action request from the security module to the safety module specifying a set of security-relevant partitions to be shutdown and restarted when the security violation is detected, andwherein the safety module and the security module operate independently within the computing device and information sharing between the safety module and the security module is restricted to only the set of communications allowable through the predefined communication interface, allowing the safety module and the security module to be independently certifiable.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the safety module and the security module are certifiable at different certification levels.
  - 17. The system of claim 15, wherein when the set of security-relevant partitions to be shutdown and restarted includes the second partition within which the security module operates, the second partition is the last partition the safety module shuts down and the first partition the safety module restarts.
  - 18. The system of claim 15, wherein the set of communications allowable between the safety module and the security module includes an event report from the safety module to the security module, wherein the event report notifies the security module of a security-related event.
  - 19. The system of claim 15, wherein the set of communications allowable between the safety module and the security module includes an audit report from the safety module to the security module, wherein the audit report is retrieved by the safety module from an operating system within which both the safety module and the security module operate.
  - 20. The system of claim 15, wherein the set of communications allowable between the safety module and the security module includes a Secure Initial State (SIS) notification from the safety module to the security module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rockwell Collins, Inc. (Raytheon Technologies Corporation d/b/a RTX)
Original Assignee
Rockwell Collins, Inc. (Raytheon Technologies Corporation d/b/a RTX)
Inventors
Frerking, Michael J., Shelton, Greg L., Tomlinson, Brandon L., Priest, Kevin R., Sletteland, Branden H., Killham, Cheryl L., Cain, Brian S., McNamara, Jeffrey B.
Primary Examiner(s)
Davis, Zachary A

Application Number

US13/296,845
Time in Patent Office

1,211 Days
Field of Search

713/166, 713/164, 718/107, 718/106, 718/104, 701/3, 701/14, 712/28, 712/29, 719/319
US Class Current

713/166
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/71   to assure secure computing ...

G06F 2221/2149   Restricted operating enviro...

G06F 9/5061   Partitioning or combining o...

Method and system for reconciling safety-critical and high assurance security functional requirements between safety and security domains

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

29 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for reconciling safety-critical and high assurance security functional requirements between safety and security domains

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links