MILS workshop 2019



Location: Congress Center Sindelfingen, Stuttgart

Workshop: 6th December 2019

Co-located with ESE Kongress, 02nd-06th December 2019

Conference website:


Time | Name, Company | Title
09:00 - 09:45 | Sergey Tverdyshev, SYSGO | MILS Introduction
09:45 - 10:30 | Paul Lukowicz, DFKI | ML in Embedded Applications: Challenges and Chances
10:30 - 11:00 | Break
11:00 - 11:45 | Daniel Schreckling, BMW | Towards Automated Integration of Security Monitors in E/E Architectures
11:45 - 12:30 | Juan Sanchez Jesus, DEKRA | Cyber-security for the Automotive
12:30 - 13:30 | Lunch
13:30 - 14:45 | Pierre Girard, GEMALTO | Hardening your embedded system with Secure Elements
14:45 - 15:30 | Lacamera Daniele, WolfSSL | Fundamentals of Security in Safety Critical Systems
15:30 | END

Workshop objectives

The complexity, mission-criticality, and connectivity of modern systems bring system trustworthiness to the forefront. The required trustworthiness shall provide sufficient assurance for the safety and security of the deployed systems. Examples of systems benefiting from it, emerging, or badly needing it are aircraft, cars and autonomous vehicles, C2X/C2C, trains, subways, industrial IoT, traffic management systems, ships, satellites, medical devices, and handheld devices.

The "MILS Workshop" focuses on bringing industry and research stakeholders together to advance methods, tools, approaches, and use cases for creating compositional assurance and trustworthiness for safety, security, and mixed-critical connected systems.

Assurance can be provided, for example, by architectural approaches, design properties, technologies, results of analysis, testing, formal verification, artifacts from model-based engineering, standard-based certification approaches, as well as assurance maintenance during the system lifetime.



For systems that offer rich functionality, safety and security shall be supported by a software architecture that clearly splits functionality into subsystems with clearly defined criticalities. MILS (Multiple Independent Levels of Safety/Security) is an architectural approach based on a minimal and verifiable separation mechanism and controlled information flow. In embedded systems, the separation mechanism is typically implemented as a minimal operating system called a separation kernel or hypervisor. MILS is all about the composability of components and assurance for components and integrated systems (up to the level of secure distributed systems) with respect to the required security policies and safety requirements. Workshop topics are MILS components and eco-systems, MLS systems and their relation to MILS systems, real-time separation kernels, MILS evaluation and compositional certification, MILS testing, vulnerability analysis of MILS systems, application of novel and existing information flow models/policies, cross-European/worldwide high-assurance security, and methods and applications (e.g. formal methods) for MILS systems as a basis for high assurance.


More about MILS

MILS* is a high-assurance security architecture concept based on the principles of separation and controlled information flow. The MILS approach is all about decomposing a system design into well-understood components and their interactions, with the goal of achieving a composable architecture and composable assurance. The composability of architecture and assurance, as well as assurance maintenance for safe and secure systems, is a grand challenge. The MILS workshop targets exactly this challenge. MILS defines a secure system from trustworthy components and system architecture. The MILS framework for composable architecture is based on a separation kernel (it can have overlapping functionality with a hypervisor or a distributed hypervisor) that creates partitions to separate different security domains. Such a separation kernel often needs to support real-time operation because many of its use cases are in embedded systems. Assurance composition targets creating an assurance argument for the overall system from the arguments of its components and the system's security architecture.


* Historically, MILS stands for "Multiple Independent Levels of Security"; today it is considered a proper noun.


List of topics

The workshop explicitly welcomes contributions on the industrial application of compositional assurance, assurance and certification frameworks, attack methods, and templates for MILS systems. Workshop topics include, but are not limited to:

  • Compositional approaches for safety and security architectures
  • Compositional approaches for safety and security assurance and certification
  • Designing and modelling of assurance cases
  • Application of novel and existing information flow models/policies
  • Methods and tools for assurance generation, model-based approaches
  • Formal methods as a basis for high assurance
  • Gap-less path from implementation to assurance
  • Maintenance of compositional assurance
  • MILS components and eco-system
  • MLS systems and their relation to MILS systems
  • Use-cases for compositional design/assurance, e.g. from avionics, IMA, automotive, Adaptive Autosar, communications, industrial automation, Industry 4.0, medical, railway, consumer and similar domains
  • Real-time separation kernels
  • MILS evaluation and certification
  • MILS testing and vulnerability analysis of MILS systems
  • Cross-European/world-wide high-assurance security
  • Comparison of MILS approach to other software engineering approaches and concepts



Organizing Committee

  • Sergey Tverdyshev, SYSGO AG, Germany


MILS-19 proceedings will be published as online workshop proceedings at the Zenodo repository (DOI) and


The workshop will be held in Sindelfingen, near Stuttgart, Germany. The workshop is co-located with the ESE Kongress, 02-06 December 2019.


  • Sergey Tverdyshev, sergey.tverdyshev AT

