You are here: The Open Group > The Open Group Conference, Cannes 2012 > Proceedings

Real-Time & Embedded Systems Forum

Objective of Meeting

The first objective of Monday’s session was to provide an Overview of the RTES Forum and the many different areas that real-time and embedded systems affect and the very important role that standards, certification, and sufficient evidence have on assuring dependability in critical systems.

The second, and major, objective of the session was to provide an in-depth look at the Mils™ landscape, proposed standard, and the potential for a certification mechanism for high assurance Mils™ products.


1400-1430: The RTES Forum and Dependability through Assuredness™ (Joe Bergmann, Director, RTES Forum)

Joe Bergmann provided the Overview of the RTES Forum, highlighting the work they are doing on assuring dependability through each of the various projects the RTES Forum has in place. The presentation provides greater detail on the various groups in the RTES Forum and the work they have undertaken.

Joe's presentation is available here.

1430-1530: Mils™ Architecture (Rance DeLong, LynuxWorks)

Rance DeLong provided an overview of the Mils™ Architecture as a Basis for a Foundation of Dependability. His presentation covered the basics elements of architecture in a system and software engineering world such as components, interactions, patterns, and constraints, focusing on some of the basic attributes of an architecture style: a vocabulary of design elements, a set of configuration rules, and a semantic representation. He emphasized the criticality of enforcing the architecture through policy, giving examples of poorly enforced architecture, unintended interactions, and blurred separation, all of which were a prelude to the discussion of the dependability of a Mils™ Architecture. He introduced the Mils™ topic with the following clarifications:

  • "MILS" was originally an acronym for “Multiple Independent Levels of Security”. Its usage referred primarily to the concept of strong partitioning on a single platform, such as that provided by a separation kernel.
  • “MILS Initiative” is a community of vendors, system integrators, research sponsors, researchers, educators, and customers pursuing the “MILS idea” for the past decade. This initiative, fostered within The Open Group, has led to Mils™.
  • Mils™ is now used as a proper noun, rather than an acronym. “Mils” refers to the refined set of concept definitions, architecture, doctrine, standards, practices, and support for the development, evaluation, certification, and deployment of Mils components and systems intended to achieve the MILS goals. Mils™ is a trademark of The Open Group.

Rance DeLong’s presentation on the Mils™ Architecture can be found here.

1600-1630: A Recap of the Mils™ API Standards Work (Rance DeLong, Chair Mils™ API Work Group)

The objective of this wok is to provide a common API for the development of high-assurance Mils™ components for Mils™ platforms, including those provided by diverse separation kernel implementations.

The desirability of a standard API to catalyze a commercial marketplace of software products is well understood and a long established practice. What is different about the Mils™ API is that it is intended to serve as the basis for the development of high-assurance products. These products will be subject to assurance standards similar to those set forth in the Separation Kernel Protection Profile (SKPP) and those enumerated by the Common Criteria’s evaluation assurance levels EAL6 and EAL7. The requirements include rigorous demonstration (proof) that the implementation corresponds to the design, and that the design exhibits particular properties as expressed by a formal model.

The work on this standard is ongoing through the Mils™ API Working Group – and they expect to submit a version of the standard to The Open Group Review and Approval Process by the beginning of 2013.

Rance DeLong’s presentation on the Mils™ API Standards work can be found here.

1630-1730: Compositional Certification of High-Assurance COTS Components and Systems (Rance DeLong)

"Compositional certification seeks to achieve the needed assurance to certify a system without deep direct scrutiny of each subsystem or component, but rather, whenever possible, to depend only on the assurance resulting from prior scrutiny of the subsystem or component. The assurance needed for certification of the system must be capable of being produced by combining assurances. Thus, as certification is dependent on assurance, compositional certification is dependent on compositional assurance. This presentation explores the following topics: compositional assurance and its difficulties, formalizations of systems and of properties, compositional reasoning, security properties and hyper-properties, a MILS illustration of compositional assurance, and a summary."

[Quoted from the Compositional Certification Lecture Notes by Rance DeLong]

Rance DeLong’s presentation on Compositional Certification of High-Assurance COTS Components and Systems can be found here.

Additional reference material for this session can be found below:

1730-1800: Proposed Scheme for Independent Evaluation and Certification of High-Assurance COTS Components and Systems (Rance DeLong)

Rance DeLong provided a summary of the Commercial Evaluation and Certification work being explored by The Open Group in designing a commercial evaluation and certification program for high-assurance components and systems. It is expected to include assurance cases that make claims with arguments and evidence and will involve the explicit and pervasive use of formal methods to increase rigor. It is intended to be less onerous but more robust than existing programs, and could be utilized to fill some of the gaps arising out of the restructuring of current certification paradigms. A major objective will be for international recognition of high-assurance results.

Rance DeLong’s presentation on Independent Evaluation and Certification can be found here.

Additional reference material for this session can be found below:


The outputs are reflected in the Summary and Next Steps.

Next Steps

The next steps for the Independent Evaluation and Certification work are to continue to evolve the current paper/proposal, further vet the concept with government and industry, and to begin to build a strong set of supporters and a business case for assuring that others see the value and are willing to invest time resources or funding in the outcome.

The Mils™ API Working Group meets periodically throughout the year via teleconferences and web conferences.  Their main priority is to evolve the Mils™ API Specification through consensus within the Working Group – and to submit it to The Open Group Review and Approval Process.

To participate in mils-api-wg and help in the development of the standard, please contact Joe Bergmann at


See above.

   |   Legal Notices & Terms of Use   |   Privacy Statement   |   Top of Page   Return to Top of Page