Towards safe and secure computer based railway interlocking systems

• Published in: International journal of transport development and integration Vol. 4; no. 3; pp. 218 - 229
• Main Authors: Martinez, Sébastien, Dalay Israel De Almeida Pereira, Bon, Philippe, Simon Collart- Dutilleul, Perin, Matthieu
• Format: Journal Article
• Language: English
• Published: Southampton W I T Press 31.07.2020
• Subjects: Circuit diagrams; Circuits; Computer architecture; Context; Formal specifications; Locking; Mechanical systems; Production costs; Relay; Safety; Software; Trains
• ISSN: 2058-8305; 2058-8313
• DOI: 10.2495/TDI-V4-N3-218-229

Railway interlocking systems (RIS) are responsible for the control of trains’ movements by allowing or denying their routing according to safety rules. Originally built as mechanical systems then as electrical mechanical systems, they are modelled as relay-based electrical circuit diagrams and checked manually. Even recent computer based RIS are still modelled as relay diagrams. Manual checking of safety in such a critical context is an issue that needs to be addressed by the railway domain. In this context, one of the objectives of the LChIP project is the development of computer-based RIS based on the formal specification of the RIS behaviour, which allows the generation of formally checked computer binaries by refinement. however, the produced binaries may be accessed and tampered with by ill-intended persons as computer code is easier to analyse and understand than electrical mechanical systems. In the context of the LChIP project, binaries are run on a Microchip PIC32 MCU embedding two independent 32-bit MIPS processors. The choice of such generic architecture allows easier production and maintain- ability, lower production costs and easier replacement in case of hardware failure. It also makes it easier to reverse engineer compiled software as the MIPS architecture is well documented and has a small instruction set. This paper presents how binaries can be obtained using the B-method formal language and it discusses the usage of software obfuscation as a way to ensure security of these binaries. Obfuscation transforms a piece of software to make it impossible to understand for potential attackers, while keeping its observable behaviour: obfuscated software give the same outputs for the same inputs as their unobfuscated counterparts. As the obfuscation transformations do not alter the behaviour of formally checked generated binaries in a way that would void the safety checking, it is possible to secure computer based RIS and prevent ill-intended persons from tampering with them.