8/19/2019 Lec4-Security and Dependability
1/29
Software Engineering
Security and Dependability
Instructor
Dr. Mohamed Shams Eldeen
Third Year (Second Semester)
Topics covered
Dependability properties: the system attributes that lead to dependability.
Availability and reliability: systems should be available to deliver service and perform as expected.
Safety: systems should not behave in an unsafe way.
Security: systems should protect themselves and their data from external interference.
System dependability
The dependability of the system is considered the most important system property in most computer-based systems.
The dependability of a system reflects the user's degree of trust in that system. It reflects the extent of the user's confidence that it will operate as users expect and that it will not 'fail' in normal use. (Confidence)
Dependability covers the related system attributes of reliability, availability and security. These are all
Importance of dependability
System failures may have widespread effects with large numbers of people affected by the failure.
Systems that are not dependable and are unreliable, unsafe or insecure may be rejected by their users.
The costs of system failure may be very high if the failure leads to physical damage.
Undependable systems may cause information loss with a high consequent recovery cost.
Causes of failure
Hardware failure
Hardware fails because of design and manufacturing errors or because components have reached the end of their natural life.
Software failure
Software fails due to errors in its specification, design or implementation.
Operational failure
Human users (operators) may fail to use or operate the system correctly.
Principal dependability properties
Note that a system may be unreliable because its data has been corrupted by an external attack.
If a system is infected with a virus, you cannot be confident in its reliability or
safety.
Other dependability properties
Repairability
Reflects the extent to which the system can be repaired in the event of a failure. To diagnose the problem, you need to access the failed component(s) and make changes to fix the problems.
Maintainability
Reflects the extent to which the system can be adapted to new requirements.
Note that repairability is a short-term perspective to get the system back into service, while maintainability is a long-term perspective.
Other dependability properties
Survivability
Reflects the extent to which the system can deliver services whilst under hostile attack or when one of the system components has failed.
Error tolerance
It is part of a more general usability property and reflects the extent to which user errors are avoided, detected or tolerated.
Note that user errors should, as far as possible, be detected and corrected automatically and should not be passed on to the system and cause failures.
Dependability achievement
To achieve dependability, you should:
Avoid the introduction of accidental errors when developing the system.
Design V & V processes that are effective in discovering errors in the system.
Design protection mechanisms that guard against external attacks.
Configure the system correctly for its operating environment.
Include recovery mechanisms to help restore normal
Availability and reliability
System availability and reliability are closely related properties that can both be expressed as numerical probabilities.
Reliability
Is the probability that the system's services will be delivered as defined in the system specification.
Availability
Is the probability that the system will be up and running to deliver these services to users on request.
If, on average, 2 inputs in every 1,000 cause failures, then the reliability, expressed as a rate of occurrence of failure, is 0.002.
If the availability is 0.999, this means that, over some time period, the system is available for 99.9% of that time.
Errors, faults and failures
System fault
Is a characteristic of a software system that can lead to a system error. For example, adding 1 hour to the time of the last time transmission without a check if the time is greater than or equal to 23.00.
System failure
Is an event that occurs at some point in time when the system does not deliver a service as users expected.
System error
Is an error in the system state that can lead to unexpected system behavior.
Faults and failures
Note that system faults do not always result in system errors and system errors do not necessarily result in system failures.
The reasons for this are as follows:
1. Not all code in a program is executed. The code that includes a fault (e.g., the failure to initialize a variable) may never be executed because of the way that the software is used.
2. The system may include fault detection and protection mechanisms. These ensure that the error behavior is discovered and corrected before the system services are affected.
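The fault-error-failure chain of the previous two slides, as an added worked example that is not part of the lecture: the "add 1 hour without checking for 23.00" fault, the same step with the fault removed, and a guard that detects the bad state before it reaches the user (function names and the constructed input sequence are my own).

```python
# Added illustration of the slides' fault -> error -> failure chain (not lecture code).
# The fault: the time of the last transmission is advanced by one hour without
# checking whether the hour is already 23, so 23:00 + 1h becomes the invalid 24:00.

def next_transmission_faulty(hour: int) -> int:
    """Contains the fault: no wrap-around check at 23.00."""
    return hour + 1                      # fault: yields 24 when hour == 23

def next_transmission_fixed(hour: int) -> int:
    """Fault removed: wrap to 0 after 23.00."""
    return 0 if hour >= 23 else hour + 1

def valid_hour(hour: int) -> bool:
    return 0 <= hour <= 23

def schedule(hours, step):
    """Run step over a sequence of inputs and classify each result.
    The fault in step only becomes an error (invalid state) when an input
    reaches hour 23; with any other input the faulty code behaves correctly,
    which is reason 1 on the slide."""
    outcomes = []
    for h in hours:
        result = step(h)
        status = "ok" if valid_hour(result) else "failure"
        outcomes.append((status, h, result))
    return outcomes

def failures(hours, step):
    return [o for o in schedule(hours, step) if o[0] == "failure"]

def guarded_step(step):
    """Reason 2 on the slide: a detection and protection mechanism validates the
    new state and corrects it, so the error never becomes a failure."""
    def run(hour):
        result = step(hour)
        return result if valid_hour(result) else result % 24
    return run

if __name__ == "__main__":
    # Constructed inputs: the fault is present in every call, but only the
    # last input (23) turns it into an error and then a visible failure.
    print(failures([8, 9, 12, 23], next_transmission_faulty))                # [('failure', 23, 24)]
    print(failures([8, 9, 12, 23], next_transmission_fixed))                 # []
    print(failures([8, 9, 12, 23], guarded_step(next_transmission_faulty)))  # []
```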
Reliability in use
Reliability can only be defined formally with respect to a system specification, i.e. a failure is a deviation from a specification.
Removing X% of the faults in a system will not necessarily improve the reliability by X%. A study at IBM showed that removing
Reliability achievement
Fault avoidance
Development techniques are used that minimise the possibility of mistakes.
Fault detection and removal
Verification and validation techniques that increase the probability of detecting and correcting errors before the system goes into service are used.
Fault tolerance
Run-time techniques are used to ensure that system faults do not result in system errors and/or that system errors do not lead to system failures.
Safety
Goal is to identify protection requirements that ensure that system failures do not cause environmental damage.
Safety specification
Risk identification (hazard identification)
Risk analysis (hazard assessment)
Risk decomposition (hazard analysis)
Risk reduction (safety requirements specification)
Hazard identification
Identify the hazards that may threaten the system. Hazard identification may be based on different types of hazard:
Physical hazards (parts of machine break off in body).
Electrical hazards (power failure due to exhausted battery).
Biological hazards (infection caused by introduction of machine).
Service failure hazards (insulin underdose or
Risk analysis (hazard assessment)
The process of understanding the risks and consequent problems that arise if an accident occurs.
Risks may be categorized as:
Impossible. Must never arise or result in an accident.
As low as reasonably practical (ALARP). Must minimise the possibility of risk given cost and schedule constraints.
Acceptable. The consequences of the risk are acceptable and no extra costs should be incurred to reduce hazard probability.
Hazard analysis (risk decomposition)
Concerned with discovering the root causes of risks in a particular system.
Used techniques:
Inductive, bottom-up techniques. Start with a proposed system failure and assess the hazards that could arise from that failure.
Deductive, top-down techniques. Start with a hazard and deduce what the causes of this could be.
Fault-tree analysis
A deductive top-down technique.
Put the risk or hazard at the root of the tree and identify the system states that could lead to that hazard.
Where appropriate, link these with 'and' or 'or' conditions.
A goal should be to minimize the number of single causes of system failure.
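A small fault-tree evaluator, added here as an example that is not part of the lecture: the hazard sits at the root, gates combine their children with AND or OR, and the evaluator lists the basic events that on their own are enough to cause the hazard, which is what the slide's goal of minimizing single causes asks you to look for. The tree, its event names and the insulin-pump framing are constructed assumptions.

```python
# Added fault-tree example (not lecture code). Leaves are basic events (system
# states); gates combine child conditions with AND / OR as on the slide.
from dataclasses import dataclass, field
from typing import List, Union

@dataclass
class Event:
    name: str

@dataclass
class Gate:
    kind: str                                   # "AND" or "OR"
    name: str
    children: List[Union["Gate", Event]] = field(default_factory=list)

Node = Union[Gate, Event]

def occurs(node: Node, active: set) -> bool:
    """True if the node's condition holds, given the set of basic events that occurred."""
    if isinstance(node, Event):
        return node.name in active
    results = [occurs(c, active) for c in node.children]
    return all(results) if node.kind == "AND" else any(results)

def basic_events(node: Node) -> List[str]:
    if isinstance(node, Event):
        return [node.name]
    return [e for c in node.children for e in basic_events(c)]

def single_causes(root: Gate) -> List[str]:
    """Basic events that, occurring alone, are enough to cause the root hazard:
    the single points of failure the slide says should be minimized."""
    return [e for e in sorted(set(basic_events(root))) if occurs(root, {e})]

# Constructed tree (assumption, not from the slides): an incorrect insulin dose
# is delivered if the dose computation is wrong OR the delivery timer is wrong;
# the computation is wrong only if BOTH the sensor reading and its range check fail.
tree = Gate("OR", "incorrect insulin dose delivered", [
    Gate("AND", "incorrect dose computed", [
        Event("sensor reading wrong"),
        Event("range check missing"),
    ]),
    Event("delivery timer wrong"),
])

if __name__ == "__main__":
    print(occurs(tree, {"sensor reading wrong"}))   # False: the AND gate needs both events
    print(single_causes(tree))                       # ['delivery timer wrong']
```

Adding a second, independent check under the timer branch (turning that leaf into an AND gate) would make `single_causes` return an empty list, which is the design change the analysis points to.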
An example of a software fault tree (figure not reproduced in the extracted text)
Risk reduction (safety requirements specification)
The aim of this process is to identify dependability requirements that specify how the risks should be managed and ensure that accidents do not arise.
Risk reduction strategies
Risk avoidance (the system is designed so that some classes of hazard simply cannot arise).
Risk detection and removal (the system is designed to detect and remove hazards before they result in an accident).
Damage limitation (the system includes protection features that minimise the damage that may result from an accident).
Examples of safety requirements
SR1: The system shall not deliver a single dose of insulin that is greater than a specified maximum dose for a system user.
SR2: The system shall include a hardware diagnostic facility that shall be executed at least four times per hour.
SR3: The alarm shall be sounded when any hardware or software error is discovered and a diagnostic message shall be displayed.
SR4: In the event of an alarm, insulin delivery shall be suspended until the user has reset the system and cleared the alarm.
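The four requirements above, as an added example of how they translate into controller logic (this is my illustration, not the lecture's or any real pump's code): SR1 caps a single dose, SR3 raises the alarm when a diagnostic reports an error, and SR4 keeps delivery suspended until the user resets; the class name, the dose values and the diagnostic interface are assumptions.

```python
# Added example (not lecture code): a minimal pump controller state enforcing
# SR1, SR3 and SR4. SR2 (run the diagnostic at least four times per hour) is
# a scheduling requirement and is left to whoever calls diagnostic().
from dataclasses import dataclass, field

@dataclass
class PumpState:
    max_dose: float                      # per-user maximum from the specification (SR1)
    alarm: bool = False
    suspended: bool = False
    log: list = field(default_factory=list)   # stands in for SR3's diagnostic message display

    def diagnostic(self, hardware_ok: bool, software_ok: bool) -> bool:
        """SR3: any hardware or software error sounds the alarm and displays a
        message; SR4: delivery is suspended at the same time. Returns True if
        the diagnostic passed."""
        if hardware_ok and software_ok:
            return True
        self.alarm = True
        self.suspended = True
        self.log.append("alarm: hardware error" if not hardware_ok else "alarm: software error")
        return False

    def reset(self) -> None:
        """SR4: only the user's reset clears the alarm and resumes delivery."""
        self.alarm = False
        self.suspended = False
        self.log.append("alarm cleared by user reset")

    def deliver(self, requested: float) -> float:
        """Returns the dose actually delivered: 0 while suspended (SR4) and
        never more than max_dose (SR1)."""
        if self.suspended:
            self.log.append(f"refused {requested}: delivery suspended")
            return 0.0
        if requested > self.max_dose:
            self.log.append(f"capped {requested} to {self.max_dose}")
            return self.max_dose
        return requested

if __name__ == "__main__":
    pump = PumpState(max_dose=5.0)            # constructed maximum
    print(pump.deliver(7.0))                  # 5.0: SR1 caps the single dose
    pump.diagnostic(hardware_ok=False, software_ok=True)
    print(pump.deliver(2.0))                  # 0.0: SR4, suspended after the alarm
    pump.reset()
    print(pump.deliver(2.0))                  # 2.0: normal delivery resumes
```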
Safety criticality
Primary safety-critical systems
Embedded software systems whose failure can cause the associated hardware to fail and directly threaten people. An example is the insulin pump control system: system failure may lead to user injury.
Secondary safety-critical systems
Systems whose failure results in faults in other systems, which can then have safety consequences. For example, the MHC-PMS is safety-critical as failure may lead to inappropriate treatment being prescribed.
Safety and reliability
Safety and reliability are related but distinct. In general, reliability and availability are necessary but not sufficient conditions for system safety.
Reliability is concerned with conformance (compatibility) to a given specification and delivery of service.
Safety is ensuring that the system cannot cause damage irrespective of whether or not it conforms to its specification.
Security
It reflects the system's ability to protect itself from external attack.
Security is essential as most systems are networked so that external access to the system through the Internet is possible.
Security is an essential pre-requisite for availability, reliability and safety.
Note that if a system is a networked system and is insecure then statements about its reliability and its safety are unreliable.
Security terminology
Term: Definition
Asset: Something of value which has to be protected. The asset may be the software system itself or data used by that system. Such as the records of each patient that is receiving or has received treatment.
Exposure: Possible loss or harm to a computing system. This can be loss or damage to data, or can be a loss of time and effort if recovery is necessary after a security violation.
Vulnerability (sensitivity): A weakness in a computer-based system that may be exploited to cause loss or harm. Such as a weak password system which makes it easy for users to access the passwords.
Attack: An exploitation of a system's vulnerability. Generally, this is from outside the system and is a deliberate attempt to cause some damage. Such as an unauthorized user.
Control: A protective measure that reduces a system's vulnerability. Encryption is an example of a control that reduces a vulnerability of a weak access control system. Such as a password checking system that disallows user passwords that are proper names or words that are normally included in a dictionary.
Damage from insecurity
Denial of service
The system is forced into a state where normal services are unavailable or where service is significantly degraded.
Corruption of programs or data
The programs or data in the system may be modified in an unauthorised way.
Disclosure of confidential information
Information that is managed by the system may be exposed to people who are not authorised to
Security assurance
Vulnerability avoidance
The system is designed so that vulnerabilities do not occur.
Attack detection and elimination
The system is designed so that attacks on vulnerabilities are detected and cancelled before they result in an exposure. For example, virus checkers find and remove viruses before they infect a system.
Exposure limitation and recovery
The system is designed so that the adverse consequences of a successful attack are