The document is an eBook titled 'Model Driven Development for Embedded Software: Application to Communications for Drone Swarm', which discusses model-driven development methodologies applied to aeronautical systems, particularly focusing on unmanned aerial systems (UAS). It covers topics such as rapid prototyping, safety standards, and communication architectures within drone fleets. The publication is a collaboration between authors Jean-Aimé Maxa, Mohamed Slim Ben Mahmoud, and Nicolas Larrieu, and was first published in 2018.
Model-driven Development for Embedded Software
Application to Communications for Drone Swarm

Jean-Aimé Maxa
Mohamed Slim Ben Mahmoud
Nicolas Larrieu

First published 2018 in Great Britain and the United States by ISTE Press Ltd and Elsevier Ltd

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as
permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced,
stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers,
or in the case of reprographic reproduction in accordance with the terms and licenses issued by the
CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the
undermentioned address:

ISTE Press Ltd
27-37 St George's Road
London SW19 4EU
UK
www.iste.co.uk

Elsevier Ltd
The Boulevard, Langford Lane
Kidlington, Oxford, OX5 1GB
UK
www.elsevier.com

Notices
Knowledge and best practice in this field are constantly changing. As new research and experience
broaden our understanding, changes in research methods, professional practices, or medical treatment
may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and
using any information, methods, compounds, or experiments described herein. In using such information
or methods they should be mindful of their own safety and the safety of others, including parties for
whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any
liability for any injury and/or damage to persons or property as a matter of products liability, negligence
or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in
the material herein.
MATLAB® is a trademark of The MathWorks, Inc. and is used with permission. The MathWorks does not warrant the accuracy of the text or exercises in this book. This book's use or discussion of MATLAB® software or related products does not constitute endorsement or sponsorship by The MathWorks of a particular pedagogical approach or particular use of the MATLAB® software.

For information on all our publications visit our website at http://store.elsevier.com/

© ISTE Press Ltd 2018

The rights of Jean-Aimé Maxa, Mohamed Slim Ben Mahmoud and Nicolas Larrieu to be identified as the authors of this work have been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.

British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library

Library of Congress Cataloging in Publication Data
A catalog record for this book is available from the Library of Congress

ISBN 978-1-78548-263-2

Printed and bound in the UK and US


Contents

Preface . . . ix
Introduction and Approach . . . xi

Chapter 1. State of the Art of Model-driven Development (MDD) as Applied to Aeronautical Systems . . . 1
1.1. Principle of MDD . . . 1
1.2. Use in avionics . . . 2
1.2.1. System virtualization: Integrated Modular Avionics . . . 3
1.2.2. MILS: divide and conquer to ensure security . . . 3
1.2.3. Combined treatment of safety and security considerations . . . 6
1.2.4. Certification of an avionics system . . . 7
1.3. The case of drones (UAS - Unmanned Aerial Systems) . . . 9
1.3.1. The need for a new rapid prototyping methodology for UAS design . . . 9
1.3.2. Safety standards . . . 11
1.3.3. Software development lifecycle . . . 12

Chapter 2. Original Rapid Prototyping Method for Embedded Systems for UAVs . . . 15
2.1. Using models to auto-generate a system . . . 15
2.1.1. Presentation of different steps . . . 15
2.2. Formal verification of models . . . 18
2.2.1. Model analysis . . . 19
2.3. Advantages of MDD (Model-driven Development) methodologies . . . 21
2.4. MDD contributions to UAS certification . . . 22
2.5. Choice of tools for applying MDD methodology . . . 26
2.6. AVISPA: a formal verification tool for security protocols . . . 32
2.7. The need for verification . . . 33
2.7.1. Why use AVISPA? . . . 34
2.8. Additional tools: simulation and experimentation . . . 36
2.8.1. Testing and validation using emulation and network simulations . . . 36
2.8.2. Testing and validation using real experiments . . . 41

Chapter 3. Application to Communications in a Drone Fleet . . . 43
3.1. Introduction . . . 43
3.2. Cooperating unmanned aeronautical systems . . . 44
3.2.1. Unmanned Aircraft/Aerial Systems . . . 45
3.2.2. Payload . . . 46
3.2.3. Ground station . . . 46
3.2.4. Drone fleets . . . 46
3.3. Ad hoc communications architecture for a drone fleet . . . 47
3.3.1. Ad hoc drone network . . . 49
3.4. Routing protocols in an ad hoc drone network . . . 52
3.4.1. Hierarchical protocols . . . 54
3.4.2. Reactive protocols . . . 54
3.4.3. Proactive protocols . . . 55
3.4.4. Geographic protocols . . . 56
3.4.5. UAANET networks and routing protocols: discussion . . . 57
3.5. Security in an ad hoc drone network . . . 59
3.5.1. Weaknesses in UAANET networks . . . 60
3.5.2. Attacks on UAANET networks . . . 62
3.5.3. SAODV secure ad hoc routing protocols . . . 68
3.6. Designing a new secure routing protocol for UAANETs (SUAP: Secure UAANET Routing Protocol) . . . 74
3.6.1. Choosing an initial routing protocol . . . 75
3.6.2. The SUAP protocol . . . 76
3.6.3. The SAODV protocol . . . 79
3.6.4. Wormhole attacks . . . 84
3.6.5. Single attacker variant . . . 84
3.6.6. State of the art: solutions for defense against wormhole attacks . . . 86
3.6.7. A new method for detecting and defending against wormhole attacks . . . 91
3.6.8. Defense mechanism for single-attacker wormhole attacks . . . 97
3.6.9. Limitations of the SUAP protocol . . . 99
3.7. Using the AVISPA tool to verify the security properties of the SUAP protocol . . . 100
3.7.1. Application of the SUAP protocol . . . 101
3.7.2. Analysis of the specification of the SUAP protocol . . . 103
3.8. Implementation of the SUAP protocol . . . 104
3.8.1. Software architecture of the SUAP algorithm . . . 105
3.8.2. Modeling the SUAP protocol . . . 106
3.8.3. Use of the model-driven approach in developing the SUAP protocol . . . 114
3.8.4. Implementation of the SUAP protocol . . . 116
3.9. Validation of the SUAP protocol by performance evaluation . . . 118
3.9.1. Validation of the routing partition . . . 119
3.9.2. Validation of the security functions of the SUAP protocol . . . 131
3.9.3. Validation of the wormhole detection mechanism . . . 145
3.9.4. Validation by performance evaluation: discussion . . . 150

Conclusions and Perspectives . . . 153
Bibliography . . . 159
Index . . . 169
Preface

The aim of this book is to describe the principles of model-oriented design used in the field of aeronautics, specifically for unmanned aerial vehicles (UAVs) or drones.

In this book, we will focus on the design of an on-board system for UAV ad hoc communications. In this context, we present an original rapid prototyping methodology for complex embedded systems, showing how this approach creates considerable time savings in the verification and formal validation phases, contributing to UAS (Unmanned Aerial System) certification.

We will also discuss more traditional, but necessary, verification phases which must be carried out in order to verify system performance. This evaluation is conducted through network simulation and testbed experimentation.

The different tools required to implement this methodology will also be described in order to allow readers to reproduce all or part of the approach themselves.

Finally, in order to illustrate the benefits of our new approach, we provide an example of use through the development of an embedded system in the field of aeronautics, specifying the different phases of the methodology. The aim is to design, validate and test a new secure routing protocol for UAV ad hoc communications.

Jean-Aimé MAXA
Mohamed Slim BEN MAHMOUD
Nicolas LARRIEU
January 2018
Introduction and Approach

The drone industry is rapidly evolving. The type and the usage of industrial drones have changed considerably over the last five years. Drones are now able to carry increasingly complex payloads, with unprecedented levels of autonomy and automation during their assigned missions.

This increase in UAV complexity levels requires improvements in the processes and methods used for their design and evaluation and for the success of missions in which they are involved. The aim of this book is to present a new rapid prototyping method, intended for the design of complex embedded systems using simple and intuitive design tools. The work presented here is inspired by previous contributions to the aeronautical domain, where the complexity inherent in the development of embedded systems has received considerable attention over the past few decades.

The work presented in this book is innovative in terms of the relevance of the rapid prototyping method presented in Chapter 2, and also in terms of the application of this method. The communicating drone network project which will be presented later in this book is one of the very first experiments in which multiple UAVs, with shared mission objectives, have been able to exchange surveillance information (video) securely and in real time. Thus, in this implementation, security is dependent on the type of communication network (an ad hoc network in which each drone may act as an emitter, relayer or receiver of information), and also on the security mechanisms applied to information exchanges during the fleet mission. Note that all of the protocols presented later in this work were defined, designed and evaluated using the rapid prototyping method presented here. To the best of our knowledge, no other similar work in the field of embedded systems has involved the application of model-oriented methods to the specific context of communicating drone networks.

The rest of this work will be organized as follows. Chapter 2 is given over to a state of the art of model-driven development methods applied to aeronautical systems. Drones are usually considered as autonomous aircraft, as the software requirements are similar to those for conventional aircraft. It is thus interesting to compare existing approaches to MDD (Model-Driven Development) for traditional aircraft (e.g. an Airbus A380) with those used for UAS (Unmanned Aerial Systems).

In Chapter 2, we will present our prototyping method for embedded drone systems. This original method is built on MDD principles in order to design complex systems (e.g. a communicating drone network) with the assistance of top-level artifacts. These artifacts rely on the use of a model-driven formalism, allowing simple and rapid definition of the final system functions. These high-level models have a higher power of expression than classic software specifications, and thus simplify the validation of system functionalities. Moreover, the use of high-level models creates new possibilities in terms of formal verification methods, which will also be discussed in this chapter. The phase in which the functionalities of the final system are validated and verified is critical for aeronautical systems (including drones); the certification requirements for flight authorization are particularly stringent in this case. Formal verification methods, associated with the use of high-level models for system design, make it possible to reduce the engineering workload involved in the software validation phase which follows modeling. These different points will be discussed in detail in Chapter 2, along with a discussion of the advantages obtained by using formal methods in conjunction with high-level models. Note, however, that formal validation of high-level models is not sufficient to verify all functionalities of the final system. This first phase of formal verification must be followed by a more traditional verification phase (e.g. through unitary testing). Our discussion will therefore also cover more "standard" verification tools used to validate functionalities of the final system. We will pay particular attention to a hybrid simulation tool developed specifically for the purposes of validating network operations (at protocol level) for drone fleets. We will also focus on the physical components required to implement information exchange functions in the embedded system in question (i.e. the Delair-Tech DT 18 drone).

Finally, we will give a detailed account of the implementation which led us to define the rapid prototyping method presented in the previous chapter. This implementation exemplifies a very promising application of drone fleets, involving the simultaneous use of multiple UAVs to cover a far larger geographical area than would be possible with one drone. For drones to operate as a fleet, they need to be able to communicate in order to reduce the number of control and information exchange stations needed for the surveillance mission. This principle leads to the definition of an ad hoc drone network. In this context, new communication protocols were defined and implemented using our rapid prototyping method. The final chapter of this work notably includes the presentation of a new routing protocol, which takes account of the vulnerabilities inherent in ad hoc communication networks, and proposes new mechanisms for efficiently solving these issues. The improvements to the routing protocol are intended to increase the security of the ad hoc network, improving service for surveillance missions. The final chapter will describe the model-driven development process for the new routing protocol. This evaluation will focus on three aspects: the use of formal methods; the use of a hybrid simulation tool; and real experiments, in which multiple drones were involved in a geographically distributed surveillance mission.
1. State of the Art of Model-driven Development (MDD) as Applied to Aeronautical Systems

1.1. Principle of MDD

Faced with an exponential increase in program complexity, operators in the aeronautical sector have established software-based certification procedures based on the use of model-driven methods. These methods guarantee a certain level of operational security, and in some cases make the design process easier.

Generally speaking, software which is embedded in a critical system such as an airplane or other aircraft must be subject to certain certification constraints in order to be considered trustworthy. Certification implies a certain degree of confidence in the system. For software in particular, it is important to show that the design follows a development process in accordance with the state of the art in the aeronautical sector.

Most software design methods are based on UML (Unified Modeling Language) [RUM 04]. However, these methods need to be adapted to take account of the operating environment of the final system. Methods based on UML only allow high-level descriptions of a system, with no consideration for the constraints involved in its physical implementation and execution. Moreover, UML does not respond to design requirements in the aeronautical context, or in the case of drones. This is due to the fact that it does not possess the toolchains required to contribute to the validation of a critical system. In the context of designing an embedded software program for manned or unmanned aircraft, software certification must be taken into account during the design phase. This consideration implies the use of chains of design tools which contribute to the attainment of certification for the final system.

Model-driven approaches aim to generate some or all of a system through the use of high-level models. This paradigm increases productivity while also optimizing compatibility between different sub-systems, thanks to widespread reuse of normalized models. This also simplifies the software design process and facilitates model reuse due to the levels of abstraction encountered in the associated business logic.

Model-driven approaches use models to improve the forecasting, design, implementation and modification of systems. They offer a number of advantages. First, they encourage the efficient use of high-level models in the design process. They also offer the possibility of using better design practices in system creation. The main aims of the MDD approach include portability, interoperability and reusability, via the separation of platform-dependent aspects and more abstract aspects which are not dependent on a specific application. This type of approach was introduced and defined by the OMG (Object Management Group), which aimed to develop the object-oriented approach while increasing the level of abstraction to the point of using another representation of concepts and relationships drawn from an initial specification, i.e. the model. A model is an abstract representation of the knowledge and activities which govern a domain of application, making it easier to understand the final system. This development technique allows designers to focus on desired system behaviors rather than on implementation. The partial generation of code using model specifications leads, among other things, to savings in terms of development costs.

1.2. Use in avionics

Improvements in the performance of aeronautical systems mean that it is now possible to envisage the use of new technologies in the context of embedded aeronautical systems on aircraft, along with the opening up of avionic networks, previously closed for security reasons, to public networks such as the Internet. These new technologies require new solutions in order to maintain the high levels of security required.

1.2.1. System virtualization: Integrated Modular Avionics

The first generations of avionic software systems were based on direct relationships between systems: when a sensor transmitted an element of information to two on-board computers, the data was duplicated and sent over two independent communication channels, each serving a single receiver. The development of new technologies has resulted in the creation of new services for crews and in the introduction of new interactions.

A new concept, Integrated Modular Avionics (IMA), was introduced with the development of the A380. It allows several independent programs to be executed within a single hardware module. RTCA (Radio Technical Commission for Aeronautics) DO-297, the Integrated Modular Avionics Development Guidance and Certification Considerations standard of 8th November 2005, sets out a framework for the design and implementation of systems for integrated modular avionic architectures in civil aviation. Created by Special Committee 200 (SC-200), this standard defines IMA as "a shared set of flexible, reusable, and interoperable hardware and software resources that, when integrated, form a platform that provides services, designed and verified to a defined set of requirements, to host applications performing aircraft functions". This standard defines and delimits the roles of different IMA module suppliers: application suppliers, IMA platform suppliers, system integrators and certification agents.

1.2.2. MILS: divide and conquer to ensure security

The segregation of participants which occurs in virtualization solutions makes it useful for increasing the security of sensitive applications. This observation led to the gradual development of the concept of Multiple [and] Independent Levels of Security[/Safety] (MILS) architectures. Based on John Rushby's work on micro-kernel separation, MILS architectures guarantee a high level of security for the execution of multiple programs in a single infrastructure.

The division of a complex task into several simpler tasks is a fundamental principle of engineering. In computing, this equates to decomposing or dividing a program into modules. This simplifies security assessments, as the evaluator does not need to evaluate a whole, monolithic system, but rather a set of smaller, distinct modules and their pairings.

Virtualization solutions may be used as a support for a MILS architecture on the condition that they guarantee compliance with the four intrinsic properties of MILS:
– the solution must be impossible to circumvent, i.e. no entity may communicate with the system without passing the security checks imposed by the host system;
– it must be possible to evaluate the solution, with formal proof that the virtualization system (and thus the host) operates in a correct and valid fashion;
– the solution must always be active: all communications are monitored, not just the first messages exchanged;
– the solution must be resistant to alteration, preventing any modification without explicit authorization.

These properties are guaranteed via an evaluation of the security of the solution. Even for "small" systems, this evaluation is complex; it is only achievable for minimalist systems (microsystems) intended for system virtualization and separation, known as separation microkernels. Separation microkernels ensure the implementation of concepts of temporal and spatial separation between programs, while monitoring information flows. The kernel ensures that each program and its virtual machine (VM) are able to use hardware resources during their assigned times. A program cannot hinder the operation of another program by "stealing" its operating time; there is thus a temporal separation between the two VMs. The kernel also guarantees that a hardware resource will not be simultaneously assigned to two virtual machines. The addressing spaces in the memory and input/output channels are shared out during configuration of the separation kernel: this is known as partitioning the addressing space.

Each instance of execution at each access point is checked by the kernel to


ensure that the address accessed by the real machine is that which has been
assigned to it. The kernel will block any access attempts which do not fulfill
this condition, ensuring the spatial separation of VMs. Similarly, VMs may
make use of specific channels to communicate with each other, which are also
managed by the separation kernel (rather than operating directly through the
subjacent electronics). The kernel thus monitors the form of communications,
checking the maximum length of sent messages, authorizing access, stamping
State of the Art of Model-driven Development (MDD) as Applied to Aeronautical Systems 5

received messages, etc. In an MILS system, each virtual machine operates


independently of its counterparts. From the perspective of the host separation
kernel, each VM has its own dedicated addressing sub-space. The set of these
sub-spaces is a partition (in the mathematical sense of the term) of the host’s
full addressing space. Each VM has specific assigned time slots within a
cycle, and these slots make up a time partition. In the context of an MILS
architecture, the term “partition” therefore relates to the temporal and spatial
resources associated with a virtual machine. During system execution, the
separation kernel acts as a partition scheduler and as a compulsory point of
passage to access resources.

An MILS system needs to guarantee certain properties:


– in terms of inter-partition information flows, only authorized sources
should be able to generate information, and information should only be
delivered to specified, authorized recipients;
– data in a partition should only be accessible to programs associated with
the partition in question, and should be isolated from data from other partitions.
Private data remains private, with no possibility of infiltration (reading from
another partition) or exfiltration (writing data to another partition). This means
that each partition must have a dedicated addressing space, in which addresses
only have meaning for the partition which uses that space;
– the processor itself must not allow information to travel from one
partition to another, whether through material caches or even in measures of
processing time. For example, a form of attack exists which involves analyzing
processing cycle counters to extract information relating to cryptographic keys,
as discussed in (Kocher, 1996). MILS systems must be as resistant as possible
to attacks of this kind;
– operating errors in one partition should not have an impact on the other
partitions, and should be detected, contained and corrected.

MILS systems, used in military and civil information systems, have attracted
growing interest in the aeronautical sector. However, virtualization is already
used in this area, with a slightly different goal: that of enabling hardware
sharing while maintaining high levels of security (operational safety), as we
saw in the case of IMA. The current aim in aeronautics is to allow these two
aspects (security and safety) to be treated together, as we will see in the
following section.
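The channel mediation described above (flows allowed only between authorized source and recipient, a maximum message length, stamping of received messages, and private data that no other partition can read) can be sketched as a small executable model. The following C program is an added illustration written for this edition; it is not code from the book, from Delair-Tech or from any real separation kernel. The three partition names, the flow table, the queue depth and the sample position message are constructed assumptions. It models only the spatial side of partitioning: the time-slot schedule and the cache and timing isolation mentioned in the list above are not represented.

```c
/* Toy model of a MILS separation kernel mediating inter-partition channels.
   Added illustration only; not the book's or any real kernel's code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPART 3          /* constructed partitions: 0 = nav, 1 = comms, 2 = payload */
#define MAX_MSG 32       /* maximum payload the kernel lets through a channel */
#define QUEUE_DEPTH 4    /* per-partition inbox capacity (assumed) */

/* Static information-flow policy, fixed at configuration time: allow[src][dst].
   Everything not listed here is refused, so "default deny" is the rule. */
static const bool allow[NPART][NPART] = {
    /* to:       nav    comms  payload */
    /* nav     */ {false, true,  false},
    /* comms   */ {true,  false, true },
    /* payload */ {false, false, false},
};

typedef struct {
    uint8_t  src;            /* stamped by the kernel, never by the sender */
    uint8_t  len;
    uint32_t seq;            /* kernel-assigned sequence stamp */
    uint8_t  data[MAX_MSG];
} msg_t;

/* Each partition's private store and inbox; only kernel code touches inboxes. */
typedef struct {
    uint8_t  private_data[16];
    msg_t    inbox[QUEUE_DEPTH];
    unsigned head, count;
} partition_t;

static partition_t parts[NPART];
static uint32_t seq_counter;

enum { K_OK = 0, K_EPOLICY = -1, K_ESIZE = -2, K_EFULL = -3, K_EEMPTY = -4, K_EBADID = -5 };

/* Send through a kernel-managed channel: policy check, size check, copy, stamp. */
int k_send(uint8_t src, uint8_t dst, const uint8_t *buf, size_t len) {
    if (src >= NPART || dst >= NPART) return K_EBADID;
    if (!allow[src][dst]) return K_EPOLICY;        /* only authorized flows */
    if (len > MAX_MSG) return K_ESIZE;             /* maximum message length */
    partition_t *p = &parts[dst];
    if (p->count == QUEUE_DEPTH) return K_EFULL;   /* receiver's backlog stays its own */
    msg_t *m = &p->inbox[(p->head + p->count) % QUEUE_DEPTH];
    m->src = src;                                  /* origin stamp the receiver can trust */
    m->seq = ++seq_counter;
    m->len = (uint8_t)len;
    memcpy(m->data, buf, len);                     /* copied, never shared memory */
    p->count++;
    return K_OK;
}

/* Receive the oldest message from the caller's own inbox. */
int k_recv(uint8_t self, msg_t *out) {
    if (self >= NPART) return K_EBADID;
    partition_t *p = &parts[self];
    if (p->count == 0) return K_EEMPTY;
    *out = p->inbox[p->head];
    p->head = (p->head + 1) % QUEUE_DEPTH;
    p->count--;
    return K_OK;
}

/* A partition may read only its own private store (no infiltration).
   Returns bytes copied, or a K_* error. */
int k_read_private(uint8_t self, uint8_t owner, uint8_t *out, size_t len) {
    if (self >= NPART || owner >= NPART) return K_EBADID;
    if (self != owner) return K_EPOLICY;
    if (len > sizeof parts[owner].private_data) return K_ESIZE;
    memcpy(out, parts[owner].private_data, len);
    return (int)len;
}

/* Scenario: nav reports position to comms (allowed); payload tries to reach
   nav (refused); nav's own inbox stays empty. Returns 0 on success. */
int demo_flow(void) {
    const uint8_t pos[] = "LAT=43.56;LON=1.48";    /* constructed sample */
    if (k_send(0, 1, pos, sizeof pos) != K_OK) return -1;
    if (k_send(2, 0, pos, sizeof pos) != K_EPOLICY) return -2;
    msg_t m;
    if (k_recv(1, &m) != K_OK) return -3;
    if (m.src != 0 || m.len != sizeof pos) return -4;
    if (k_recv(0, &m) != K_EEMPTY) return -5;
    return 0;
}

/* Scenario: oversized message, cross-partition read, and a receiver that stops
   draining its inbox (the sender sees K_EFULL; nothing is overwritten). */
int demo_isolation(void) {
    uint8_t big[MAX_MSG + 1] = {0};
    uint8_t out[16];
    if (k_send(0, 1, big, sizeof big) != K_ESIZE) return -1;
    if (k_read_private(1, 0, out, sizeof out) != K_EPOLICY) return -2;
    if (k_read_private(0, 0, out, sizeof out) != (int)sizeof out) return -3;
    for (int i = 0; i < QUEUE_DEPTH; i++)
        if (k_send(0, 1, out, 1) != K_OK) return -4;
    if (k_send(0, 1, out, 1) != K_EFULL) return -5;
    msg_t m;
    while (k_recv(1, &m) == K_OK) { }              /* drain so the model is reusable */
    return 0;
}

int main(void) {
    printf("flow scenario: %d, isolation scenario: %d\n", demo_flow(), demo_isolation());
    return 0;
}
```

The point of the model is that every cross-partition action goes through `k_send`, `k_recv` or `k_read_private`, so the policy table is the single place where "who may talk to whom" is decided, and a sender cannot forge the `src` stamp because the kernel writes it.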

1.2.3. Combined treatment of safety and security considerations

The development of embedded systems in aircraft is subject to significant
constraints, both in terms of operational safety and security. In aeronautics,
the term “safety” is used to denote both the security and the operational safety
of systems, i.e. the intrinsic properties of systems which make them resistant
to operating errors. The term “security” relates to the ability of aeronautical
systems to resist deliberate attacks (pirating, etc.).

The safety constraints encountered in the domain of avionics have always
been particularly stringent. Any general operating fault in an aircraft may lead
to its partial or total destruction, endangering human lives. Different
aeronautics standards specify safety constraints which must be respected in
order for aircraft to be allowed to fly. Critical embedded avionic programs,
such as autopilots, are subject to standard RTCA DO-178B.

DO-178B defines five Design Assurance Levels (DAL) for the
development of avionic software. DAL-A is the highest and most restrictive
level and is used for critical applications where an operating fault could have
catastrophic consequences, while DAL-E is much less restrictive, and is
reserved for applications which do not affect the safety of the aircraft in any
way. The standard DO-178B and the different levels of DAL will be discussed
in greater detail in section 1.3.2. Programs must be evaluated on the basis of
safety criteria before being embedded and used in an aircraft. This
verification activity, known as certification, is carried out by independent
organizations at the national level. In France, for example, aeronautical
systems are certified by the DGAC (Direction Générale de l’Aviation Civile).

Originally, aerospace firms focused their in-depth work on safety
considerations, considering the complexity of embedded systems and the
closure of avionic networks to be sufficient to guarantee security. Since the
9/11 attacks, however, security has become a major consideration in system
design, which has led to the introduction of new constraints and new
practices. Sensitive products must be security checked via an evaluation
process. Security requirements may be grouped into “packets” of
requirements for the purposes of evaluating the final products. There are
seven of these packets for assurance requirements alone, known as the
Evaluation Assurance Levels (EAL), numbered from 1 to 7. EAL-2, for
example, encompasses all of the requirements of EAL-1 plus a number of
additional elements, and so on up to EAL-7, the highest level of security
assurance which may be assigned according to the CC ITSEC (Common
Criteria for Information Technology Security Evaluation) nomenclature. This
standard has been adopted by the ISO as ISO CEI 15408, and is often referred
to simply as the “Common Criteria” or the CC; it is used to evaluate whole
systems with regard to security requirements.

Despite the existence of these two standards (DAL and EAL), certification
(guaranteeing system safety) and evaluation (guaranteeing system security)
are currently treated independently and in parallel; certain very similar
verifications are thus carried out twice. Work on defining a new development
method covering both safety and security aspects, while avoiding redundancy
in the steps and processes involved, is currently underway. However, this lies
outside the scope of our work here, and will not be addressed further.

1.2.4. Certification of an avionics system

1.2.4.1. Qualification of tools for certification

The cost of certifying avionic software, in terms of time, man-hours and
money, increases as the required level of assurance increases. An airplane
autopilot requiring DAL-A certification can take hundreds of engineers
several years to define, at a cost reaching into the millions of dollars; DAL-A
certification involves 66 independent checks. The program controlling “No
Smoking” and “Fasten Seat Belt” light displays in aircraft, however, only
requires DAL-D certification, involving a mere 15 control tasks. The
development of this program is much less costly due to its low impact on
aircraft safety. During the design process, certification costs may be reduced
by automating certain control tasks via the use of specific tools which
guarantee certain safety properties. The use of a DAL-A qualified compiler
for conformity, for example, guarantees that the binary code conforms to the
source code, fulfilling the “verify the conformity of binary code with source
code” requirement for DAL-A certification. However, the tool (in this case,
the compiler) itself needs to be verified to ensure that it does not introduce
errors. The verification of software tools is known as qualification, and is
carried out in a similar way to aeronautical software certification.

1.2.4.2. Model-driven design approaches in aeronautics

MDD (Model-driven Development) approaches have long been used in
traditional software engineering. Unified Modeling Language (UML) is the
most widespread language used across all industries as a support for design
methods when defining and implementing classic software. However, this
toolkit cannot be used for certain specific developments, including embedded
software in the aeronautic and aerospace industries. The main issue with
UML-based design methods lies in the fact that the tools used to produce final
software systems are unable to take account of certification requirements.
This is not necessarily problematic for mass market applications (e.g. when
designing web services) which may make use of UML, or for industrial
applications with limited constraints. However, it must be taken into account
in the case of critical applications, such as aircraft or satellites. Certification
of the final product must be taken into account, and the toolchains used in the
appropriate standardization process for applications with high security and
safety requirements must be integrated.

Note that the certification process for embedded software designed for
specific uses in the aeronautical industry is highly and precisely codified.
There are several standards which must be taken into account. Here, we will
only consider those relating to software engineering for embedded systems:
DO-178C and DO-331.

1.2.4.3. DO-178C: Software Considerations in Airborne Systems and Equipment Certification

This document was issued by the RTCA in 2012 and constitutes the fourth
edition of a document that defines the applicable standards for certifying
embedded avionic software systems. This latest version takes account of the
latest developments in MDD for software engineering. Notably, it takes
account of the possibility of validating systems using formal verification
methods for the first time in an aeronautical context; this approach can reduce
the number of unitary tests required for validation of a final product. It
constitutes a significant advance in aeronautical engineering, with a profound
impact on the way in which aeronautical systems will be designed and
produced in future. The document highlights MDD approaches which are
able to automatically generate source code from high-level models, defining
the functionalities and behaviors of the final system.

1.2.4.4. DO-331: Model-Based Development and Verification

DO-331 is a supplement to the DO-178C standardization document which
suggests classes of tools and methods which may be used to automatically
generate source code and to validate the high-level models used in the
automatic code generation process. DO-331 recommends the use of
model-based verification methods. The RTCA notably recommends three
types of mechanisms to facilitate the verification process: model checking,
formal proofs and code assertions. These different verification techniques
have been used for several years in other areas of industry, and have now
reached a sufficient level of maturity for application in complex
environments, such as aeronautical validation and certification processes.

1.3. The case of drones (UAS - Unmanned Aerial Systems)

In the field of drones, the different perspectives for application offered by
UAS show promise in terms of the possibility of carrying out flexible and
evolutive missions. These missions are generally carried out over inhabited
areas within national airspace. It is therefore essential to ensure that missions
are carried out successfully, covering every eventuality for every system
module, in order to prevent operational failures with potentially catastrophic
consequences (e.g. loss of life). As yet, there is no operational safety standard
for unmanned aircraft. A document of this type would be helpful in defining
the lifecycle and security levels of the embedded systems making up the
UAS. We will focus on this type of problem here, considering the engineering
aspect of developing complex systems and proposing a rapid prototyping
methodology for the development of a secure routing protocol for a fleet of
drones.

1.3.1. The need for a new rapid prototyping methodology for UAS design

A drone system is generally made up of several software modules, each
responsible for a set of specific functions. These modules are involved in
dynamic exchanges of information relating to their environment, allowing
them to offer different types of services during a given mission. To take
account of this critical environment, operational safety assurances are needed
when developing software for use within the UAS, ensuring maximum
conformity between the specification and implementation of the source code.

Note that in critical embedded systems, operational safety refers to the
system responding correctly to its inputs; the term does not cover information
security aspects. It is used here in that sense because it is widely used in
existing literature on design studies for critical software.

Moreover, civil drones currently operate in specific airspaces, separate
from the space used by short-, medium- and long-haul aviation. However,
UAVs may need to share airspace with civil aircraft to fulfill certain
commercial applications. For this to be possible, operational validation of the
autopilot system will be required. This process consists of going through each
of the systems involved in the UAS, studying their execution in every possible
circumstance. Our contribution to the validation process is based on a solution
adopted in the aeronautical field, making use of a rapid prototyping
methodology in order to verify the operational safety of software during the
design process. This method is based on a model-driven architecture, using a
chain of formal verification and code generation tools. It ensures full
traceability of requirements from the specification to their implementation in
the source code. This method also offers portability and allows for the reuse
of source code via the separation of platform-specific aspects and abstract
aspects used to describe the system.

Our aim in this book is to illustrate the use of our model-driven rapid
prototyping method via the implementation of a secure communication
architecture in a drone fleet. This architecture is intended to supplement the
software architecture which is already used in the Delair-Tech UAS¹. While
the current architecture already allows single drones to be flown in French
civil airspace [MAN 15], the new system, involving a fleet of UAVs, needs to
pass a further validation test. The use of drones in fleets results in new
behaviors (particularly in cases where traffic command and control messages
are transmitted through the fleet) which are not present in current
sub-systems, meaning that a new global validation is required.

Our focus here is on contributing to validating our secure routing protocol
through the use of a model-driven methodology. To validate this protocol, the

¹ We worked in partnership with Delair-Tech on the implementation and real-world validation
activities described in this book.