Basic Concepts and Taxonomy of Dependable and Secure Computing
Presented by H. Momeni
Instructor: Dr. Abdollahi Azgomi
Reliable Software Design Course
Iran University of Science and Technology
Spring 2007

The Basic Concepts
• System Function, Behavior, Structure, and Service
• The Threats to Dependability and Security
• Dependability, Security, and Their Attributes
• The Means to Attain Dependability and Security
Reliable Software Design Course, Spring 2007 - IUST
System Function
• A system is an entity that interacts with its environment (other systems, hardware, software, humans)
• Systems are characterized by fundamental properties: functionality, performance, dependability and security, and cost
• The function of a system is what the system is intended to do and is described by the functional specification

Behavior
• The behavior of a system is what the system does to implement its function and is described by a sequence of states.
• The total state of a given system is the set of the following states: computation, communication, stored information, interconnection, and physical condition.
Structure
• The structure of a system is what enables it to generate the behavior
• A system is composed of a set of components bound together in order to interact

Service
• The service delivered by a system is its behavior as it is perceived by its users
• A user is another system that receives service from the provider
• The part of the provider's total state that is perceivable at the service interface is its external state.
The Threats to Dependability and Security

Concepts
• Correct service is delivered when the service implements the system function.
• A service failure is an event that occurs when the delivered service deviates from correct service
• A service failure is a transition from correct service to incorrect service, i.e., to not implementing the system function
• Service outage: the period of delivery of incorrect service
• Service restoration: the transition from incorrect service to correct service

Threats
• A service failure means that at least one or more external states of the system deviate from the correct service state.
• The deviation is called an error
• An error is the part of the total state of the system that may lead to service failure
• The cause of an error is called a fault
• A fault is active when it causes an error; otherwise it is dormant
Dependability and Security Attributes
• The original definition of dependability is the ability to deliver service that can justifiably be trusted.
• Dependability attributes:
  – availability: readiness for correct service.
  – reliability: continuity of correct service.
  – safety: absence of catastrophic consequences on the users and the environment.
  – integrity: absence of improper system alterations.
  – maintainability: ability to undergo modifications and repairs.

Dependability and Security Attributes (cont'd)
• Security attributes:
  – availability: for authorized action
  – confidentiality: absence of unauthorized disclosure of information
  – integrity: absence of unauthorized system alterations.
The Means to Attain Dependability and Security
• Fault prevention
  – prevent the occurrence or introduction of faults.
• Fault tolerance
  – avoid service failures in the presence of faults.
• Fault removal
  – reduce the number and severity of faults.
• Fault forecasting
  – estimate the present number, the future incidence and the likely consequences of faults.

System Lifecycle
1. Development phase
  – The system interacts with its development environment, and the related faults are development faults
  – Development environment:
    · Physical world
    · Human developers
    · Development tools
    · Production and test facilities
System Lifecycle (cont'd)
2. Use phase
• Begins when the system is accepted for use and starts the service delivery
• Three periods:
  – Service delivery
  – Service outage: service failure
  – Service shutdown: intentional halt of service by an authorized entity
• The system interacts with its use environment:
  – Physical world, administrators, users, providers, infrastructure, intruders
• Maintenance may take place during all three periods of the use phase

Maintenance
Maintenance vs. fault tolerance
• Distinction between fault tolerance and maintenance: maintenance involves the participation of an external agent, e.g., a repairman, test equipment, remote reloading of software
• Repair is part of fault removal (during the use phase)

Taxonomy of Faults
• All faults that may affect a system during its life are classified according to eight basic viewpoints
• If all combinations of the eight elementary fault classes were possible, there would be 256 different combined fault classes
• 31 combined fault classes have been identified
Taxonomy of Faults (cont'd)
• All 31 combined faults are categorized into three major overlapping groups:
  – Development faults: occurring during development
  – Physical faults: affect hardware
  – Interaction faults: external faults
Human made faults
• Two basic classes
1. Nonmalicious faults: introduced without malicious objectives
  • nondeliberate faults that are due to mistakes
  • deliberate faults that are due to bad decisions
  – It is usually considered that both mistakes and bad decisions are accidental.
  – Some very harmful mistakes and very bad decisions are made by persons who lack the professional competence to do the job (incompetence)

Human made faults (cont'd)
2. Malicious faults: introduced during either system development with the objective of causing harm to the system during its use
• Goals:
  – To disrupt or halt service (DoS)
  – Access confidential information
  – Improperly modify the system
• Classes:
  – Malicious logic faults: Trojan horses, logic or timing bombs, viruses, worms, …
  – Intrusion attempts: power fluctuation, radiation, …
Malicious logic faults

Interaction faults
• Occur during the use phase
  – Operational faults
  – External faults
  – Human made faults
• A broad class of human-made operational faults is configuration faults, i.e., wrong settings of parameters that can affect security, networking, storage, middleware
• Reconfiguration faults: occur during configuration changes made concurrently with system operation
Failures
1. Service failure
  • An event that occurs when the delivered service deviates from correct service.
2. Development failure
  • Introduced into the system being developed by its environment, especially by human developers, development tools and production facilities.
3. Dependability and security failures
  • Occur when the given system suffers service failures more frequently or more severely than acceptable

Service Failures
• Service failure modes are characterized according to four viewpoints:
1. Failure domain
2. Detectability of failures
3. Consistency of failures
4. Consequence of failures on the environment
Failure domain viewpoint failure modes
• content failures: the service content deviates from implementing the system function
• timing failures: the timing of service delivery deviates from implementing the system function
• halt failures: the service is halted (silent failure)
• erratic failures: a service is delivered but is erratic

Detectability viewpoint failure modes
• The detectability viewpoint addresses the signaling of service failures to the users
• Signaling at the service interface originates from detecting mechanisms in the system that check the correctness of the delivered service.
  – signaled failures: when the losses are detected and signaled by a warning signal
  – unsignaled failures: otherwise
• The detecting mechanisms themselves have two failure modes:
  – signaled failures: signaling a loss of function when no failure has actually occurred (false alarm)
  – unsignaled failures: not signaling a function loss
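The fault/error/failure chain from the Threats slides and the detectability failure modes above, worked through on a toy service. This is an added example, not code from the slides or from the cited paper: the service (`spec`, `compute`, `deliver`), its single development fault, and the `detector` with its own faults are hypothetical constructions chosen so that each case of the taxonomy (dormant fault, masked error, signaled failure, unsignaled failure, false alarm) is observable on one input.

```python
"""Toy model of fault -> error -> failure and of the detectability viewpoint.
Added example; every function here is a constructed, hypothetical service."""

def spec(x: int) -> int:
    """Functional specification: the service must deliver x*x in tens."""
    return (x * x) // 10

def compute(x: int) -> int:
    """Internal computation with one development fault: it adds 1 whenever x
    is a multiple of 3. The fault is dormant until such an input arrives."""
    return x * x + (1 if x % 3 == 0 else 0)

def deliver(x: int) -> int:
    """Service interface: only the tens bucket of the internal state is
    perceivable by the user (external state), so an error in the internal
    state becomes a failure only when it crosses a bucket boundary."""
    return compute(x) // 10

def detector(x: int, external: int) -> bool:
    """Detecting mechanism that signals a suspected failure. It does not know
    the specification; it recomputes an independent reference and has its own
    (constructed) faults: it skips small inputs and mis-references x == 10."""
    if x < 5:                       # detector fault: an unchecked region
        return False
    reference = (x * x) // 10
    if x == 10:                     # detector fault: wrong reference value
        reference = 9
    return external != reference

def classify(x: int) -> str:
    """Run one service delivery and name what happened in the terms of the
    taxonomy: fault activation, error, service failure, signaling."""
    internal, external = compute(x), deliver(x)
    error = internal != x * x                 # deviation in the total state
    failure = external != spec(x)             # deviation at the service interface
    signaled = detector(x, external)
    if failure and signaled:
        return "signaled failure"
    if failure:
        return "unsignaled failure"
    if signaled:
        return "false alarm"
    if error:
        return "error masked, correct service"
    return "correct service, fault dormant"

if __name__ == "__main__":
    for x in (2, 3, 6, 10, 27):
        print(x, classify(x))
```

Inputs 3 and 27 both activate the same fault; only on 27 does the detector see it, which is the distinction between a fault being active and a failure being signaled.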