Lec4-Security and Dependability


8/19/2019 Lec4-Security and Dependability

Software Engineering
Security and Dependability

Instructor: Dr. Mohamed Shams Eldeen
Third Year (Second Semester)

Topics covered

Dependability properties: the system attributes that lead to dependability.

Availability and reliability: systems should be available to deliver service and perform as expected.

Safety: systems should not behave in an unsafe way.

Security: systems should protect themselves and their data from external interference.

System dependability

The dependability of the system is considered the most important system property in most computer-based systems.

The dependability of a system reflects the user's degree of trust (confidence) in that system. It reflects the extent of the user's confidence that it will operate as users expect and that it will not 'fail' in normal use.

Dependability covers the related system attributes of reliability, availability and security. These are all

Importance of dependability

System failures may have widespread effects, with large numbers of people affected by the failure.

Systems that are not dependable and are unreliable, unsafe or insecure may be rejected by their users.

The costs of system failure may be very high if the failure leads to physical damage.

Undependable systems may cause information loss with a high consequent recovery cost.

Causes of failure

Hardware failure: hardware fails because of design and manufacturing errors or because components have reached the end of their natural life.

Software failure: software fails due to errors in its specification, design or implementation.

Operational failure: human users (operators) may fail to use or operate the system correctly.

Principal dependability properties

Note that a system may be unreliable because its data has been corrupted by an external attack.

If a system is infected with a virus, you cannot be confident in its reliability or safety.

Other dependability properties

Repairability: reflects the extent to which the system can be repaired in the event of a failure. To diagnose the problem, you need to access the failed component(s) and make changes to fix the problems.

Maintainability: reflects the extent to which the system can be adapted to new requirements.

Note that repairability is a short-term perspective, getting the system back into service, while maintainability is a long-term perspective.

Other dependability properties

Survivability: reflects the extent to which the system can deliver services whilst under hostile attack or after one of the system components has failed.

Error tolerance: it is part of a more general usability property and reflects the extent to which user errors are avoided, detected or tolerated. Note that user errors should, as far as possible, be detected and corrected automatically and should not be passed on to the system and cause failures.

Dependability achievement

To achieve dependability, you should:

Avoid the introduction of accidental errors when developing the system.

Design V & V (verification and validation) processes that are effective in discovering errors in the system.

Design protection mechanisms that guard against external attacks.

Configure the system correctly for its operating environment.

Include recovery mechanisms to help restore normal


Availability and reliability

System availability and reliability are closely related properties that can both be expressed as numerical probabilities.

Reliability is the probability that the system's services will be delivered as defined in the system specification.

Availability is the probability that the system will be up and running to deliver these services to users on request.

If, on average, 2 inputs in every 1,000 cause failures, then the reliability, expressed as a rate of occurrence of failure, is 0.002.

If the availability is 0.999, this means that, over some time period, the system is available for 99.9% of that time.

Errors, faults and failures

System fault: a characteristic of a software system that can lead to a system error. For example, adding 1 hour to the time of the last transmission without checking whether the time is greater than or equal to 23.00.

System failure: an event that occurs at some point in time when the system does not deliver a service as the user expected.

System error: an error in the system state that can lead to unexpected system behavior.

Faults and failures

Note that system faults do not always result in system errors, and system errors do not necessarily result in system failures. The reasons for this are as follows:

1. Not all code in a program is executed. The code that includes a fault (e.g., the failure to initialize a variable) may never be executed because of the way that the software is used.

2. The system may include fault detection and protection mechanisms. These ensure that the error behavior is discovered and corrected before the system services are affected.
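The clock fault from the previous slide, traced through the fault, error and failure chain and then measured as a rate of occurrence of failure as on the availability slide. This is an added example, not code from the lecture; the function names, the guard and the constructed 24-transmission day are assumptions, only the "add 1 hour without a 23.00 check" fault comes from the slides.

```python
# Added example (not from the lecture): the lecture's clock fault, run through
# the fault -> error -> failure chain. Function names and the 24-hour run are
# constructed; only the "add 1 hour without a 23.00 check" fault is the slide's.

def next_transmission_hour_faulty(last_hour: int) -> int:
    """Fault: adds 1 hour with no check that the result stays below 24."""
    return last_hour + 1


def next_transmission_hour_fixed(last_hour: int) -> int:
    """Fixed version: wrap past 23.00 so the state is always a valid hour."""
    return (last_hour + 1) % 24


def is_valid_hour(hour: int) -> bool:
    """Fault-detection check (protection mechanism): a valid clock state is 0..23."""
    return 0 <= hour <= 23


def schedule_transmission(last_hour: int, guarded: bool) -> str:
    """One scheduling step; returns 'ok', 'error-corrected' or 'failure'.

    The faulty code is always executed, but only the input 23 turns the
    fault into an erroneous state; a guard can stop that error becoming a
    failure visible to the user.
    """
    planned = next_transmission_hour_faulty(last_hour)
    if is_valid_hour(planned):
        return "ok"                       # fault present, no error produced
    if guarded:
        corrected = next_transmission_hour_fixed(last_hour)
        assert is_valid_hour(corrected)   # error detected and corrected
        return "error-corrected"
    return "failure"                      # invalid state reaches the user


def run_day(guarded: bool) -> dict:
    """Outcome counts over a constructed day of 24 transmissions (hours 0..23)."""
    counts = {"ok": 0, "error-corrected": 0, "failure": 0}
    for hour in range(24):
        counts[schedule_transmission(hour, guarded)] += 1
    return counts


def rate_of_occurrence_of_failure(counts: dict) -> float:
    """ROCOF as on the availability slide: failures divided by inputs processed."""
    return counts["failure"] / sum(counts.values())
```

Without the guard the fault produces one failure in 24 inputs (ROCOF 1/24); with the guard the same fault still executes but never becomes a failure.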

Reliability in use

Reliability can only be defined formally with respect to a system specification, i.e. a failure is a deviation from a specification.

Removing X% of the faults in a system will not necessarily improve the reliability by X%. A study at IBM showed that removing 6

Reliability achievement

Fault avoidance: development techniques are used that minimise the possibility of mistakes.

Fault detection and removal: verification and validation techniques that increase the probability of detecting and correcting errors before the system goes into service are used.

Fault tolerance: run-time techniques are used to ensure that system faults do not result in system errors and/or that system errors do not lead to system failures.

Safety

The goal is to identify protection requirements that ensure that system failures do not cause environmental damage.

Safety specification:
Risk identification = Hazard identification
Risk analysis = Hazard assessment
Risk decomposition = Hazard analysis
Risk reduction = Safety requirements specification

Hazard identification

Identify the hazards that may threaten the system. Hazard identification may be based on different types of hazard:

Physical hazards (parts of the machine break off in the body).

Electrical hazards (power failure due to an exhausted battery).

Biological hazards (infection caused by introduction of the machine).

Service failure hazards (insulin underdose or

Risk analysis = Hazard assessment

The process of understanding the risks and the consequent problems that arise if an accident occurs.

Risks may be categorised as:

Impossible. Must never arise or result in an accident.

As low as reasonably practical (ALARP). Must minimise the possibility of risk given cost and schedule constraints.

Acceptable. The consequences of the risk are acceptable and no extra costs should be incurred to reduce hazard probability.

Hazard analysis = Risk decomposition

Concerned with discovering the root causes of risks in a particular system. Techniques used:

Inductive, bottom-up techniques. Start with a proposed system failure and assess the hazards that could arise from that failure.

Deductive, top-down techniques. Start with a hazard and deduce what the causes of this could be.

Fault-tree analysis

A deductive top-down technique.

Put the risk or hazard at the root of the tree and identify the system states that could lead to that hazard.

Where appropriate, link these with 'and' or 'or' conditions.

A goal should be to minimise the number of single causes of system failure.

An example of a software fault tree
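A small fault tree for the lecture's insulin pump, evaluated top-down with 'and'/'or' gates and reduced to its minimal cut sets so that the single causes of the root hazard can be listed. This is an added example, not the lecture's own figure; the tree shape and the basic-event names are constructed for illustration, and the dose-limit check modelled as an 'and' gate is an assumption about how SR1 changes the tree.

```python
# Added example (not from the lecture): a constructed fault tree for the
# insulin pump, evaluated with 'and'/'or' gates. Event names are assumptions.
from itertools import product


def gate(kind, *children):
    """A gate node: ("and" | "or", [child nodes]); a basic event is a plain string."""
    return (kind, list(children))


# Root hazard: incorrect insulin dose administered. The dose-limit check (SR1)
# is modelled as an 'and' gate: a computation error only reaches the patient
# if the independent limit check also fails, so it is no longer a single cause.
INSULIN_TREE = gate(
    "or",
    gate("or", "sensor_failure", "sugar_computation_error"),     # wrong sugar level
    gate("or", "timer_failure", "pump_signals_incorrect"),        # wrong time/delivery
    gate("and", "dose_computation_error", "dose_limit_check_fails"),
)


def occurs(node, failed: set) -> bool:
    """Does the root event occur, given the set of basic events that have failed?"""
    if isinstance(node, str):
        return node in failed
    kind, children = node
    results = [occurs(child, failed) for child in children]
    return all(results) if kind == "and" else any(results)


def cut_sets(node):
    """All cut sets (sets of basic events that cause the node), not yet minimal."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, children = node
    child_sets = [cut_sets(child) for child in children]
    if kind == "or":
        return [s for sets in child_sets for s in sets]
    # 'and': one cut set from every child must hold together, so union them
    return [frozenset().union(*combo) for combo in product(*child_sets)]


def minimal_cut_sets(node):
    """Drop any cut set that contains a smaller cut set."""
    sets = set(cut_sets(node))
    return sorted((s for s in sets if not any(o < s for o in sets)), key=sorted)


def single_causes(node):
    """The analysis goal from the slide: basic events that alone cause the hazard."""
    return sorted(e for s in minimal_cut_sets(node) if len(s) == 1 for e in s)
```

Running single_causes on the tree shows which basic events still need a protection mechanism, while the dose computation error, guarded by the limit check, appears only in a two-event cut set.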

Risk reduction = Safety requirements specification

The aim of this process is to identify dependability requirements that specify how the risks should be managed and ensure that accidents do not arise.

Risk reduction strategies:

Risk avoidance (the system is designed so that some classes of hazard simply cannot arise).

Risk detection and removal (the system is designed to detect and remove hazards before they result in an accident).

Damage limitation (the system includes protection features that minimise the damage that may result from an accident).

Examples of safety requirements

SR1: The system shall not deliver a single dose of insulin that is greater than a specified maximum dose for a system user.

SR2: The system shall include a hardware diagnostic facility that shall be executed at least four times per hour.

SR3: The alarm shall be sounded when any hardware or software error is discovered and a diagnostic message shall be displayed.

SR4: In the event of an alarm, insulin delivery shall be suspended until the user has reset the system and cleared the alarm.
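A minimal controller that enforces SR1 to SR4 together, so the interaction between them (a failed diagnostic raising the alarm, the alarm suspending delivery until a user reset) can be exercised. This is an added example, not the lecture's or any real pump's code; the class, the method names, the dose values and the one-hour simulation are constructed here.

```python
# Added example (not from the lecture): a controller enforcing the lecture's
# SR1-SR4. Class, method names, dose values and the schedule are constructed.
from dataclasses import dataclass, field


@dataclass
class PumpController:
    max_single_dose: float              # SR1: per-user maximum single dose
    alarm_active: bool = False          # SR3/SR4 alarm state
    diagnostics_run: int = 0            # SR2: hardware self-tests executed
    log: list = field(default_factory=list)

    def run_hardware_diagnostic(self, hardware_ok: bool) -> None:
        """SR2: the caller's scheduler invokes this at least four times per hour."""
        self.diagnostics_run += 1
        if not hardware_ok:
            self.raise_alarm("hardware diagnostic failed")

    def raise_alarm(self, message: str) -> None:
        """SR3: sound the alarm and display a diagnostic message."""
        self.alarm_active = True
        self.log.append(f"ALARM: {message}")

    def deliver_dose(self, requested: float) -> float:
        """Return the dose actually delivered (0.0 while delivery is suspended)."""
        if self.alarm_active:
            self.log.append("delivery suspended")          # SR4
            return 0.0
        delivered = min(requested, self.max_single_dose)   # SR1: never exceed max
        if delivered < requested:
            self.log.append(f"dose capped from {requested} to {delivered}")
        return delivered

    def user_reset(self) -> None:
        """SR4: only an explicit user reset clears the alarm and resumes delivery."""
        self.alarm_active = False
        self.log.append("alarm cleared by user")


def simulate(hardware_results, doses, max_dose=5.0):
    """One constructed hour: a diagnostic before each dose request (four of each)."""
    pump = PumpController(max_single_dose=max_dose)
    delivered = []
    for hardware_ok, dose in zip(hardware_results, doses):
        pump.run_hardware_diagnostic(hardware_ok)
        delivered.append(pump.deliver_dose(dose))
    return pump, delivered
```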

Safety criticality

Primary safety-critical systems: embedded software systems whose failure can cause the associated hardware to fail and directly threaten people. An example is the insulin pump control system; system failure may lead to user injury.

Secondary safety-critical systems: systems whose failure results in faults in other systems, which can then have safety consequences. For example, the MHC-PMS is safety-critical as failure may lead to inappropriate treatment being prescribed.

Safety and reliability

Safety and reliability are related but distinct. In general, reliability and availability are necessary but not sufficient conditions for system safety.

Reliability is concerned with conformance (compatibility) to a given specification and delivery of service.

Safety is ensuring that the system cannot cause damage, irrespective of whether or not it conforms to its specification.

Security

Security reflects the system's ability to protect itself from external attack.

Security is essential as most systems are networked, so that external access to the system through the Internet is possible.

Security is an essential pre-requisite for availability, reliability and safety.

Note that if a system is a networked system and is insecure, then statements about its reliability and its safety are unreliable.

Security terminology

Term: Definition

Asset: Something of value which has to be protected. The asset may be the software system itself or data used by that system. For example, the records of each patient that is receiving or has received treatment.

Exposure: Possible loss or harm to a computing system. This can be loss or damage to data, or can be a loss of time and effort if recovery is necessary after a security violation.

Vulnerability (sensitivity): A weakness in a computer-based system that may be exploited to cause loss or harm. For example, a weak password system which makes it easy for users to access the passwords.

Attack: An exploitation of a system's vulnerability. Generally, this is from outside the system and is a deliberate attempt to cause some damage. For example, an unauthorized user.

Control: A protective measure that reduces a system's vulnerability. Encryption is an example of a control that reduces a vulnerability of a weak access control system. Another example is a password checking system that disallows user passwords that are proper names or words that are normally included in a dictionary.
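The control named in the table, a password check that disallows proper names and dictionary words, written out so that disguised variants of those words (capitalisation, appended digits, letter-for-symbol substitutions) are caught as well. This is an added example, not the lecture's code; the word lists and the substitution table are constructed and far smaller than a deployed control would use.

```python
# Added example (not from the lecture): the password-checking control from the
# terminology table. Word lists and the substitution table are constructed.
import re

DICTIONARY_WORDS = {"password", "welcome", "dragon", "letmein", "monkey", "summer"}
PROPER_NAMES = {"mohamed", "alice", "bob", "london", "cairo"}

# Fold common letter-for-symbol substitutions back to letters so that a
# disguised dictionary word is still recognised as one.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password: str) -> str:
    """Lower-case, drop leading/trailing digits, then undo substitutions."""
    stripped = re.sub(r"^\d+|\d+$", "", password.lower())
    return stripped.translate(SUBSTITUTIONS)


def check_password(password: str) -> tuple:
    """Return (accepted, reason): the control's decision for one candidate."""
    word = normalise(password)
    if word in DICTIONARY_WORDS:
        return (False, "dictionary word")
    if word in PROPER_NAMES:
        return (False, "proper name")
    return (True, "ok")
```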

Damage from insecurity

Denial of service: the system is forced into a state where normal services are unavailable or where service is significantly degraded.

Corruption of programs or data: the programs or data in the system may be modified in an unauthorised way.

Disclosure of confidential information: information that is managed by the system may be exposed to people who are not authorised to

Security assurance

Vulnerability avoidance: the system is designed so that vulnerabilities do not occur.

Attack detection and elimination: the system is designed so that attacks on vulnerabilities are detected and cancelled before they result in an exposure. For example, virus checkers find and remove viruses before they infect a system.

Exposure limitation and recovery: the system is designed so that the adverse consequences of a successful attack are