Compliance with safety-critical requirements for software has become the foundation upon which compliance with security requirements is based. Development and certification of software for airborne safety-critical applications is typically done following a guidance document called RTCA/DO-178B. Parallels exist between compliance with RTCA/DO-178B and information technology (IT) security requirements defined in ISO 14508.
More commonly known as the Common Criteria, ISO 14508 defines functional and assurance requirements for security in IT products. Compliance with RTCA/DO-178B provides a basis for meeting both medium and high assurance requirements of the Common Criteria. To fully understand the parallels between these two standards, it is useful to explore each standard independently.
The RTCA/DO-178B Guidance Document
RTCA/DO-178B, commonly known as DO-178B, is a process-oriented document used for the development of safety-critical software. It describes a planning process, a development process, a verification process, a configuration management process, a quality assurance process and a certification liaison process.
The objectives of DO-178B are mapped to these processes. The development process uses a set of objectives for requirements, design, and coding and integration. The verification process contains objectives to review requirements, design and code as well as to produce test cases and perform structural coverage analysis. These engineering-related processes are accompanied by specific objectives for configuration management and software quality assurance. The number of these objectives depends on the software’s role in system safety: the higher the level, the more objectives are required.
For example, software that controls an aircraft's autopilot during landing has a critical role in the safety of the aircraft, whereas software that controls a passenger entertainment unit has no impact on the aircraft's safety. Obviously, failure of the software controlling the entertainment system will have only a minor effect on aircraft operation, possibly altering crew workload slightly. In contrast, a software failure in the autopilot could have a catastrophic outcome, potentially leading to the loss of life.
For this reason, DO-178B prescribes five levels of software criticality. Each level relates to the failure condition that could result from a latent software defect. Typically, a system safety assessment is done to determine the required software level in a given application. Level A is defined as the most safety-critical software level and Level E is defined as the least safety-critical software level (Table 1).

Most of the DO-178B process objectives are similar to the objectives found in the Common Criteria.
The Common Criteria
The Common Criteria, ISO 14508, comprise an international standard that defines IT security requirements. This standard draws some of its heritage from the Trusted Computer System Evaluation Criteria, the so-called “Orange Book.” The Common Criteria define two classes of security requirements: functional and assurance. The objectives of these two classes vary depending upon the security classification level.
Security functional requirements include audit, communications, cryptography, data protection, authentication, security management, privacy, protection of TOEs (Targets of Evaluation), resource utilization, TOE access and trusted paths.
They focus on what the IT product is supposed to do in order to meet security objectives. This implementation-independent method of identifying security functionality provides a common basis for evaluating the security capabilities of software products, including operating systems. Other federal standards requiring compliance with certain classes of functional requirements, such as cryptography or communications, may come into play.
Security assurance requirements define the following classes of assurance processes for a software product: configuration management, maintenance of assurance, development, life cycle support, tests, delivery and operation, protection profile evaluation, guidance documents, security target evaluation and vulnerability assessment.
These classes of security assurance processes indicate the software development methodology and processes required to ensure an appropriate level of rigor for a product’s security level. It is these classes of processes that have commonality with DO-178B processes. Before examining this commonality, it is useful to discuss other Common Criteria terminology.
The definition of specific security functional and assurance requirements is done through the “Protection Profile” and “Security Target” documents. The Protection Profile is an implementation-independent definition of the security functionality and assurance requirements for a particular category of products. The Security Target is an implementation-specific document for a Target of Evaluation (TOE) that claims support for one or more Protection Profiles and forms the basis for evaluating the software described in that Security Target.