MILS workshop 2018



Location: Parc Alvisse Hotel / Luxembourg

Workshop: 25th June 2018

Co-located with DSN2018, 25th-28th June 2018

Conference website:

Submission link:

Workshop objectives

The complexity, mission-criticality, and connectivity of modern systems bring system trustworthiness to the forefront. The required trustworthiness shall provide sufficient assurance for the safety and security of the deployed systems. Examples of systems that benefit from it, are emerging, or badly need it include aircraft, cars and autonomous vehicles, C2X/C2C, trains, subways, industrial IoT, traffic management systems, ships, satellites, medical devices, and handheld devices.

The "MILS Workshop" focuses on bringing industry and research stakeholders together to advance methods, tools, approaches, and use-cases for creating compositional assurance and trustworthiness for safety, security, and mixed-critical connected systems.

The assurance can be provided for example by architectural approaches, design properties, technologies, results of analysis, testing, formal verification, artifacts from model-based engineering, standard-based certification approaches, as well as assurance maintenance during the system life-time.


More about MILS

MILS* is a high-assurance security architecture concept based on the principles of separation and controlled information flow. The MILS approach is all about decomposition of a system design into well-understood components and their interactions with the goal to achieve composable architecture and composable assurance. The composability of architecture and assurance as well as assurance maintenance for safe and secure systems is a grand challenge. The MILS workshop targets exactly this challenge. MILS defines a secure system from trustworthy components and system architecture. The MILS framework for composable architecture is based on a separation kernel (it can have overlapping functionality with a hypervisor or a distributed hypervisor) that creates partitions to separate different security domains. Such a separation kernel often needs to support real-time because there are many use-cases in embedded systems. Assurance composition targets creating an assurance argument for the overall system from arguments of its components and the system's security architecture.

Accepted contributions will be assigned a DOI and will be published via the open access repository.


* Historically, MILS stands for "Multiple Independent Levels of Security"; today it is considered a proper noun.


List of topics

The workshop explicitly welcomes contributions on the industrial application of compositional assurance, assurance and certification frameworks, attack methods, and templates for MILS systems. The workshop topics include, but are not limited to:

  • Compositional approaches for safety and security architectures
  • Compositional approaches for safety and security assurance and certification
  • Designing and modelling of assurance cases
  • Application of novel and existing information flow models/policies
  • Methods and tools for assurance generation, model-based approaches
  • Formal methods as a basis for high assurance
  • Gap-less path from implementation to assurance
  • Maintenance of compositional assurance
  • MILS components and eco-system
  • MLS systems and their relation to MILS systems
  • Use-cases for compositional design/assurance, e.g. from avionics, IMA, automotive, Adaptive AUTOSAR, communications, industrial automation, Industry 4.0, medical, railway, consumer and similar domains
  • Real-time separation kernels
  • MILS evaluation and certification
  • MILS testing and vulnerability analysis of MILS systems
  • Cross-European/world-wide high-assurance security
  • Comparison of MILS approach to other software engineering approaches and concepts


Workshop Programme

09:00 - 10:00 Invited Talk: Christian Schlehuber, DB Netze
Security in Railway
10:00 - 10:30 Reinhard Hametner and Stefan Resch.
A Platform Approach for Fusing Safety and Security on a Solid Foundation
10:30 - 11:00 Break
11:00 - 11:30 Holger Blasum and Sergey Tverdyshev.
Classic and Adaptive AUTOSAR in MILS terms
11:30 - 12:00 Chera Bekker, Maurits de Graaf, Gerard Hoekstra and Thomas Quillinan.
Enabling Civil/Military Cooperation in Crisis Management
12:00 - 12:30 Henk Birkholz, Christoph Krauß, Maria Zhdanova, Don Kuzhiyelil, Tolga Arul, Markus Heinrich, Stefan Katzenbeisser, Neeraj Suri, Tsvetoslava Vateva-Gurova and Christian Schlehuber.
A Reference Architecture for Integrating Safety and Security Applications on Railway Command and Control Systems
12:30 - 14:00 Lunch
14:00 - 14:30 Invited Talk: Sergey Tverdyshev
MILS Activities and Updates
14:30 - 15:00 Thorsten Schulz, Frank Golatowski and Dirk Timmermann.
In Search for a Simple Secure Protocol for Safety-Critical High-Assurance Applications
15:00 - 15:30 Markus Engqvist and Staffan Persson.
CYRail - A use-case for applying MILS through network separation in critical infrastructure
15:30 - 16:00 Break
16:00 - 16:30 Dorien Koelemeijer, Rasma Araby, Ayoub Nouri, Marius Bozga and Rance Delong.
A Model-based Approach to Certification of Adaptive MILS
16:30 - 17:00 Alessandro Cimatti, Rance Delong, Ivan Stojic and Stefano Tonetta.
Towards Adaptive MILS Systems: Model-Based Design, Verification and Run-Time Adaptation
17:30 - 18:00 Adjourn

Important dates

Submission deadline: April 26, 2018

Notification of acceptance: May 20, 2018

Final Paper: June 20, 2018

Workshop: 25th June 2018

Submission Guidelines

This is a workshop and we are looking for interesting experience, work, and ideas (possibly preliminary and exploratory) that will stimulate discussion and thought around MILS concepts and challenges. Submissions should clearly show industrial relevance. Submissions should be in PDF format and can be an extended abstract or a full paper. We recommend the guidelines for ACM SIG Proceedings. When the submission is accepted, you will have an opportunity to submit an updated version, which can range, depending on your choice, from 1 to (max) 12 pages.

Submissions via easychair:


Program Committee

  • Cristina Simache, Altran Sud Ouest
  • Christoph Krauß, Fraunhofer SIT
  • Rance DeLong, The Open Group
  • Burkhart Wolff, Univ Paris-Sud
  • Gonzalez David, IKERLAN
  • Dominique Bolignano, Prove&Run
  • Paul Pop, Technical University of Denmark
  • Kevin Mueller, Airbus
  • Stefano Tonetta, FBK
  • Julien Schmaltz, Precuneus Solutions
  • Harald Rueß, Fortiss
  • Miguel Bañón, Epoche and Espri
  • Michael Paulitsch, Thales
  • Holger Blasum, SYSGO
  • Sergey Tverdyshev, SYSGO

Organizing Committee

  • Sergey Tverdyshev, SYSGO AG, Germany


MILS-18 proceedings will be published as online workshop proceedings at the Zenodo repository (DOI) and


The workshop will be held in Luxembourg City, Luxembourg. The workshop is co-located with the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 25 - 28 June 2018.


  • Sergey Tverdyshev, firstname.lastname AT

