Research and development of CITADEL project technologies was completed in October 2019. Many deliverables are confidential due to the sensitivities related to protecting Europe's Critical Infrastructures, however the following public results developed in the project are available for download:
D3.1 CITADEL Modeling and Specification Languages
This report proposes a new modeling language suitable to describe a dynamic system architecture. The language has a formal semantics to enable verification with formal methods. It supports the design of the communication among components and the monitoring of failures. Finally, it comes with a property specification language to formalize the system properties that must be ensured by the system architecture and protected from component failures such as malfunctioning or disruption of the communication network.
D3.2 CITADEL Verification Techniques and Tools
This deliverable presents the extensions developed for verification techniques and tools in order to cope with dynamic reconfigurable systems. In general, the complexity of system models is significantly increased when dynamic reconfiguration is considered. Research work in CITADEL has lead to the development of expressive modeling formalisms and original verification methods, capable of dealing with specific classes of infinite state systems and safety and security properties.
D3.3 CITADEL Design Techniques to Specify, Verify, and Synthesize Policies for Run-Time Monitors
This deliverable describes design techniques used to specify, verify, and synthesize policies for runtime monitors. In particular, it describes techniques to specify and synthesize monitors, how these are integrated with the language used to specify CITADEL adaptive systems, how they can be integrated with background knowledge and resets. Finally, it describes how the specification-based monitors can be complemented and integrated with learning techniques.
D3.4 CITADEL Configuration and Reconfiguration Synthesis
This deliverable reports on the design and implementation of adaptive MILS reconfiguration capabilities and describes its interfaces for integration within the CITADEL proposed workflow. The primary objective of the reconfiguration capability is to bring the Adaptive MILS system into a new consistent configuration upon occurrence of an undesirable event. Within the CITADEL framework, the adaptation, configuration and monitoring planes are the main responsible to implement this vision. The configuration plane coordinates the reconfiguration process by: (1) getting a target configuration from the adaptation plane, (2) synthesizing a sequence of reconfiguration steps reaching the target configuration and satisfying specified requirements and reconfiguration patterns, (3) implementing and controlling the reconfiguration procedure by triggering the adequate low-level components at the level of the foundational and monitoring planes.
D4.3 MILS Adaptation System
This deliverable describes the interfaces and architecture of the Adaptation Plane, a subsystem of the CITADEL Framework which refines the general concept of the MILS Adaptation System. The Adaptation Plane is decomposed into four subcomponents with clearly defined functions and interfaces. Two subcomponents essential for the function of the Adaptation Plane are Adaptation Engine which, based on a table of adaptation rules, triggers the adaptation following a manual operator command or an incoming alarm which signifies departure from the nominal system behavior, and Evaluator Module which is a computational engine that synthesizes the next architectural configuration of the system. The other subcomponents are Context Awareness which identifies the current context under which the CITADEL Framework and the application are used/operated, and State Estimator which estimates internal states of the application components.
D4.4 MILS Monitoring System
This deliverable describes a monitoring system composed of a communications monitoring component and a state monitoring component that work together to detect faults and attacks on MILS platforms. Both forms of monitoring are important to detect different kinds of problems: the communications monitor analyzes network-related events, whereas the state monitor analyzes events internal to the monitored system. The use of both monitoring approaches allows a more complete view of events that affect the monitored system.
D5.1 Interfaces and workflow definition for Adaptive-MILS Evidential Tool Bus
This report proposes a preliminary design of the Adaptive-MILS Evidential Tool Bus (AM-ETB) and interfaces for integration within the CITADEL proposed workflow. The primary objective of AM- ETB is to enable the timely re-construction of assurance cases for Adaptive-MILS systems along their evolution, and therefore to support a dynamic re-evaluation and/or re-certification process. In the proposed design, AM-ETB coordinates the construction of an assurance case by using (1) assurance case patterns, that is, generic arguments and reasoning schemes for Adaptive-MILS, (2) up-to-date system models and properties, that is, faithful abstractions of the system configuration and functionality and (3) machineable evidence, that is, automatically checkable analysis and validation results obtained using dedicated tools on system models.
D5.2 Adaptive-MILS Evidential Tool Bus for tool integration and assurance
This report describes the implementation of the Adaptive-MILS Evidential Tool Bus (AM-ETB) and interfaces for integration within the CITADEL proposed workflow. The primary objective of AM-ETB is to enable the timely re-construction of assurance cases for Adaptive-MILS systems along their evolution, and therefore to support a dynamic re-evaluation and/or re-certification process.
D5.5 Methodology for Industrial Evaluation and Readiness Assessment
This report presents the methodology to monitor and evaluate the achievement of the CITADEL project objectives, by means of the three industrial demonstrators planned to be implemented in the project. In addition, it defines the means to verify that the CITADEL solutions implemented in each demonstrator meets preestablished operational objectives and levels of technological maturity.
Training materials on CITADEL project technologies are also available under the Training tab above.