9.3 Security and Safety Level Checking
9.3.1 Check Security Levels
This analysis checks that the security level of a component with an outgoing connection does not exceed the security level of the component this connection leads to. It can be performed on declarative AADL models and on AADL instance models. The analysis is invoked on a declarative model or on an instance model using "Analyses > Security > Check Security Levels" or the graphic button. When invoked on an AADL specification, all declarative model files in the workspace are analyzed. When invoked on a component implementation, all component declarations that are part of its system hierarchy are analyzed. When invoked on an instance model, only the instance model is checked. This analysis is more complete when analyzing system instances; when analyzing declarative models it does not understand modes.
The security level is specified on components, i.e., on component type, component implementation, or subcomponent declarations. The check can be invoked on an AADL XML file, or on any of the AADL model objects in the AADL Object Editor. The analysis plug-in performs this check for every connection where either or both ends have a value for this property. The analysis plug-in expects the property SEI::SecurityLevel, an aadlinteger-valued property, to be defined in the SEI property set, i.e.,
Property set SEI is
  SecurityLevel:
    aadlinteger applies to (system, process, thread group, thread);
End SEI;
For declarative AADL models this analysis performs two functions. First, it ensures that a component has a security level that is the maximum of the security levels of its subcomponents. Second, it checks all connections to determine whether the source component of a connection declaration has a security level that is the same as or lower than that of the destination component. If a component does not have a SecurityLevel property declared, its value is assumed to be zero, i.e., the lowest security level.
The first check is performed for every component implementation that is part of the system hierarchy of the root component implementation.  If the component implementation does not have this property, but at least one of its subcomponents does, then the property value will be set to the maximum value for the component implementation.  If the enclosing component implementation already has a SecurityLevel value and it is less than the maximum of the subcomponent security levels, its value will be updated to the maximum.
The analysis propagates the security level value up the system hierarchy in one of two ways. If the analysis is invoked on an AADL instance model (either the corresponding aaxl resource or any model object of the model instance), then the component hierarchy of the system instance is traversed in postfix order (bottom up) to evaluate each component implementation that is a classifier for the subcomponent represented by a component instance object in the instance model. If the analysis is invoked on an AadlSpec (either the corresponding aaxl resource or any model object of an AadlSpec), then the analysis works bottom up through the component classifier library. This means it starts with component implementations without subcomponents, and then recursively processes component implementations whose subcomponents have the already processed component implementations as classifiers.
The second check is performed after the security level values have been propagated up the system hierarchy. This check compares the security levels of the source and destination components in connection declarations.
For instance models the analysis examines each semantic connection for ports and compares the security level of the source and destination.
9.3.2 Check Safety Levels
This analysis checks whether the safety criticality level of a component with an outgoing connection is higher or equal to the safety criticality level of the component at the destination end of the connection. The idea is that a component with lower safety criticality should not drive the operation of a component with a higher safety criticality.
The analysis is invoked on a declarative model or on an instance model using "Analyses > Security > Check Safety Levels" or the graphic button. When invoked on an AADL specification, all declarative model files in the workspace are analyzed. When invoked on a component implementation, all component declarations that are part of its system hierarchy are analyzed. When invoked on an instance model, only the instance model is checked. This analysis is more complete when analyzing system instances; when analyzing declarative models it does not understand modes.
The safety criticality level is specified on components, i.e., on component type, component implementation, or subcomponent declarations, using the property SEI::SafetyCriticality, an aadlinteger-valued property defined in the SEI property set, i.e.,
Property set SEI is
  SafetyCriticality:
    aadlinteger applies to (system, process, thread group, thread);
End SEI;
For declarative AADL models this analysis checks all connections to determine whether the source component of a connection declaration has a safety criticality level that is the same as or higher than that of the destination component. If a component does not have a SafetyCriticality property declared, its value is assumed to be zero, i.e., the lowest safety level.
For instance models the analysis examines each semantic connection for ports and compares the safety criticality level of the source and destination.
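The following added example (not OSATE's own code) models both analyses of this section over a constructed component hierarchy: the bottom-up propagation of SEI::SecurityLevel described in 9.3.1 followed by the source-not-above-destination connection check, and the source-not-below-destination check on SEI::SafetyCriticality from 9.3.2. The component names and level values are made up for illustration; a missing property is treated as 0, the lowest level, as the text specifies.

```python
# Added example, not OSATE code: a simplified walk that mirrors the two
# SEI analyses of section 9.3 over a constructed component hierarchy.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Component:
    name: str
    security: Optional[int] = None            # SEI::SecurityLevel (None = undeclared)
    safety: Optional[int] = None              # SEI::SafetyCriticality (None = undeclared)
    subcomponents: List["Component"] = field(default_factory=list)


def propagate_security(c: Component) -> int:
    """Postfix (bottom-up) pass from 9.3.1: an undeclared or too-low
    SecurityLevel is raised to the maximum of the subcomponent levels."""
    sub_max = max((propagate_security(s) for s in c.subcomponents), default=0)
    own = c.security if c.security is not None else 0
    if c.subcomponents and sub_max > own:
        c.security = sub_max
    return c.security if c.security is not None else 0


Conn = Tuple[Component, Component]          # (source, destination) of a connection


def check_connections(conns: List[Conn], level: Callable[[Component], int],
                      ok: Callable[[int, int], bool]) -> List[str]:
    """Report every connection whose source/destination levels violate `ok`."""
    return [f"{s.name} -> {d.name}: {level(s)} vs {level(d)}"
            for s, d in conns if not ok(level(s), level(d))]


def security_violations(root: Component, conns: List[Conn]) -> List[str]:
    propagate_security(root)                # first function of the analysis
    # second function: source level must not exceed destination level
    return check_connections(conns, lambda c: c.security or 0, lambda s, d: s <= d)


def safety_violations(conns: List[Conn]) -> List[str]:
    # a less critical component must not drive a more critical one
    return check_connections(conns, lambda c: c.safety or 0, lambda s, d: s >= d)


# Constructed sample hierarchy: sys contains proc_a (threads t1, t2) and proc_b.
t1 = Component("t1", security=2, safety=1)
t2 = Component("t2", security=3, safety=3)
proc_a = Component("proc_a", security=1, safety=2, subcomponents=[t1, t2])  # raised to 3
proc_b = Component("proc_b", security=2, safety=2)
root = Component("sys", subcomponents=[proc_a, proc_b])                   # gets 3
CONNECTIONS: List[Conn] = [(t1, proc_b), (proc_a, proc_b), (proc_b, t2)]
```

Running `security_violations(root, CONNECTIONS)` flags only proc_a -> proc_b, because propagation lifts proc_a from 1 to 3 while proc_b stays at 2; `safety_violations(CONNECTIONS)` flags t1 -> proc_b and proc_b -> t2.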