
Software LOPA Approach to Performing a Layers of Protection Analysis - PowerPoint PPT Presentation



  1. Software LOPA: Approach to Performing a Layers of Protection Analysis for Complex Software
     OpenTech, Andreas Platschek <andreas.platschek@opentech.at>, May 23, 2017
     © Andreas Platschek (OpenTech), May 23, 2017, 1 / 31


  3. "Yet further concerns relate to whether a consequence can be so severe that the frequency of the hazardous situation should not be taken into account, thus negating the concept of 'risk' in selecting the appropriate set of implementation techniques. In order to address this concern IEC 61511 formalised the concept of 'layers of protection' requiring diversity between the different layers."
     Audrey Canning, in: Functional Safety: Where have we come from? Where are we going?

  4. LOPA Principle
     (figure: initiating events IE1-IE5 leading to the identified hazard)
     IE1-IE5 ... Initiating Events
     IPL1-IPL4 ... Independent Layers of Protection

  5. LOPA Principle
     (figure: initiating events IE1-IE5 pass through the protection layers IPL1-IPL4 before they can reach the identified hazard)
     IE1-IE5 ... Initiating Events
     IPL1-IPL4 ... Independent Layers of Protection


  7. LOPA Basics
     Properties: Independence, Effectiveness, Auditability

  8. Auditability
     Open-Source Rules!
     If a Software LOPA is doable at all, then open-source software is definitely the prime suspect.

  10. Effectiveness
      Do the IPLs actually mitigate the hazard?

  11. Independence
      Multiple layers only make sense if they fail independently!
      BUT: "Independence is an important concept, although absolute independence is generally not achievable. ... However, IPLs should be sufficiently independent such that the degree of interdependence is not statistically significant." [1, Section 3.2]

  13. Prospective SW IPLs (SIL2LinuxMP Context)
      - seccomp
      - cgroups
      - CPU-shielding
      - Namespaces
      - PALLOC
      - ...
      - Code Review (assure restricted use of syscalls)
      - Static Code Analysis (coccinelle)
      - Error Handling to detect faults

  14. Hardened NooM Container
      (figure: SIL2LinuxMP base system running two SIL 2 safety applications, one 32bit FP and one 64bit INT, each with its own glibc and its own seccomp profile, plus monitoring; beside them a SIL 0 Debian container with busybox and glibc; CPU 0-3 and the RAM banks 0..n, n+1..m, m+1..i and i+1..j are partitioned between the components)
      At present this is the strongest multi-layer approach we are looking

  15. Independence of Layers
      How to perform LOPA and show INDEPENDENCE of those different protection layers?
      - Static code analysis
      - Development data

  17. Static Code Analysis
      - Analyze functions called by subsystems (callgraphs)
      - Find and analyze overlaps in callgraphs

  18. Intersection of Configurations
      (figure: Venn diagram of the function sets Baseconfig (BASE) and Baseconfig+Seccomp (SEC))

  19. Intersection outside of Baseconfig
      (figure: Venn diagram of Baseconfig (BASE), Baseconfig+Seccomp (SEC) and Baseconfig+CGROUPS (CGR))
      (SEC ∩ CGR) \ BASE = ∅

  20. Intersection in Baseconfig
      (figure: the part of the SEC/CGR overlap that lies inside Baseconfig)

  21. Analysis of Subsystems
      (figure: funcs_base_both split into RCU, atomic, f3 and the remainder new_funcs_base_both)

  22. Preliminary Results
      Set                        Nr. Functions
      baseconfig                         20829
      baseconfig+seccomp                 21401
      seccomp                              572
      baseconfig+cgroups                 21120
      cgroups                              679
      both not in baseconfig                 0
      funcs_base                         13792
      funcs_base_seccomp                  7131
      funcs_base_cgroups                  7391
      funcs_base_both                     6665
      rcu_funcs                           6511
      atomic_funcs                         294
      new_funcs_base_both                  185
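The set arithmetic of slides 18-22 as a runnable sketch. This is an added example, not the SIL2LinuxMP project's tooling: three constructed toy callgraphs stand in for the function sets of the base config and of the seccomp and cgroups configs, and the reachability walk plus the split against the already audited RCU/atomic functions is an assumed reading of how the derived rows of the table are obtained.

```python
from collections import deque

# Constructed toy callgraphs (not kernel data): function -> set of callees.
# BASE is the base config; SEC and CGR are BASE with seccomp / cgroups enabled.
BASE = {
    "do_syscall": {"vfs_read", "vfs_write"},
    "vfs_read": {"rcu_read_lock", "atomic_inc"},
    "vfs_write": {"rcu_read_lock", "kmalloc"},
    "kmalloc": {"atomic_inc"},
}
SEC = {**BASE, "seccomp_filter": {"rcu_read_lock", "kmalloc", "bpf_run"},
       "bpf_run": {"atomic_inc"}}
CGR = {**BASE, "cgroup_attach": {"rcu_read_lock", "kmalloc", "css_get"},
       "css_get": {"atomic_inc"}}
# Subsystems assumed to be audited separately (slide 21 splits these off).
RCU_FUNCS = {"rcu_read_lock"}
ATOMIC_FUNCS = {"atomic_inc"}


def funcs(cg):
    """Every function present in a configuration (callers and callees)."""
    return set(cg) | set().union(*cg.values())


def reachable(cg, roots):
    """Functions transitively called from roots (the roots themselves excluded)."""
    seen, todo = set(), deque(roots)
    while todo:
        for callee in cg.get(todo.popleft(), ()):
            if callee not in seen:
                seen.add(callee)
                todo.append(callee)
    return seen - set(roots)


def overlap_report():
    base, sec, cgr = funcs(BASE), funcs(SEC), funcs(CGR)
    sec_only, cgr_only = sec - base, cgr - base      # seccomp / cgroups rows
    both_not_in_base = sec_only & cgr_only           # (SEC ∩ CGR) \ BASE
    fb_sec = reachable(SEC, sec_only) & base         # funcs_base_seccomp
    fb_cgr = reachable(CGR, cgr_only) & base         # funcs_base_cgroups
    fb_both = fb_sec & fb_cgr                        # funcs_base_both
    new_both = fb_both - RCU_FUNCS - ATOMIC_FUNCS    # new_funcs_base_both
    return {"baseconfig": len(base), "seccomp": len(sec_only),
            "cgroups": len(cgr_only), "both_not_in_baseconfig": both_not_in_base,
            "funcs_base_both": fb_both, "new_funcs_base_both": new_both}


if __name__ == "__main__":
    for key, value in overlap_report().items():
        print(f"{key:24} {value}")
```

On the toy data the two layers add no shared code outside the base config, but both reach kmalloc, which is exactly the kind of shared dependency new_funcs_base_both flags for review.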

  23. Developers Overlap
      Author                      seccomp cur   seccomp hist   cgroups cur   cgroups hist
      Kees Cook                          2740             26             4              2
      Arnaldo Carvalho de Melo             50              2            18              6
      Linus Torvalds                       44             15             1            139
      Daniel Borkmann                      61              5           201              6
      Paul Mundt                           10              1             1              1
      Al Viro                               X              1             X             10
      Andrew Morton                         X              1             X              2
      Fabian Frederick                      X              1             X              2
      James Morris                          X              2             X              6
      Stephen Rothwell                      X              2             X              2
      David Howells                         X              3             X              5
      cur ... number of lines in v4.9.18; hist ... number of commits in all versions.

  24. Analysis of Effectiveness
      Similar to traditional LOPA ...
      - Identify all IEs (Hazard Analysis)
      - Identify suitable IPLs for each identified IE
      - Choose IPLs that are used

  25. Example
      Scenario: An application uses 2 devices, one is only written to, the second one is only read from.
      IE: Writing to the read-only device leads to a hazardous situation.
      IPLs:
      - Error handling.
      - Source-code review/audit.
      - cgroups device controller rules prevent wrong access to devices.
      - seccomp rules catch system calls that use a device the wrong way.

  28. Evidence
      Let's check it out!

  29. Literature
      [0] IEC 61511: Functional safety – Safety instrumented systems for the process industry sector
      [1] Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis, Center for Chemical Process Safety
      [2] Safety Integrity Level Selection – Systematic Methods Including Layer of Protection Analysis, Ed Marszal and Eric Scharpf
      [3] Lines of Defence/Layers of Protection Analysis in the COMAH Context, prepared by Amey VECTRA Limited for the Health and Safety Executive, http://www.hse.gov.uk/research/misc/vectra300-2017-r02.pdf
      [4] Functional Safety: Where have we come from? Where are we going? Audrey Canning

  30. Questions? Ask now, or e-mail me later!
      Andreas Platschek <andreas.platschek@opentech.at>

  31. Seccomp Developers: Lines in current version
      # git log prints one "%an" line per commit, so this counts commits per author
      linux-stable$ find . -name '*seccomp*.[ch]' | \
          xargs git log --no-merges --format="%an" | sort | \
          uniq -c | sort -nr
           27 Kees Cook
            7 Will Drewry
            7 Andy Lutomirski
            7 Alexei Starovoitov
            5 Daniel Borkmann
            4 Mickaël Salaün
            4 Matt Redfearn
            3 Ralf Baechle
            3 David Howells
            3 Andrea Arcangeli

  32. cgroup developers: Lines in current version
      # git log prints one "%an" line per commit, so this counts commits per author
      linux-stable$ find . -name '*cgroup*.[ch]' | \
          xargs git log --no-merges --format="%an" | sort | \
          uniq -c | sort -nr
          641 Tejun Heo
          137 Li Zefan
           42 Paul Menage
           29 Vivek Goyal
           22 Al Viro
           18 Aristeu Rozanski
           15 Ben Blum
           13 Lai Jiangshan
           12 Daniel Wagner
           11 Johannes Weiner

  33. seccomp developers: commits over all versions
      # git blame emits one "author" line per source line, so this counts lines per author
      linux-stable$ for FILE in $(find . -name '*seccomp*.[ch]'); do \
          git blame --line-porcelain "$FILE" | egrep "^author "; done | \
          cut -d " " -f 2- | sort | uniq -c | sort -nr
         2740 Kees Cook
          241 Will Drewry
          100 Andy Lutomirski
           89 Tycho Andersen
           69 Matt Redfearn
           61 Daniel Borkmann
           55 AKASHI Takahiro
           50 Arnaldo Carvalho de Melo
           48 David Howells
           44 Linus Torvalds

  34. cgroups developers: commits over all versions
      # git blame emits one "author" line per source line, so this counts lines per author
      linux-stable$ for FILE in $(find . -name '*cgroup*.[ch]'); do \
          git blame --line-porcelain "$FILE" | egrep "^author "; done | \
          cut -d " " -f 2- | sort | uniq -c | sort -nr
         8772 Tejun Heo
          907 Paul Menage
          492 Aristeu Rozanski
          407 Aneesh Kumar K.V
          366 Aleksa Sarai
          318 Serge E. Hallyn
          288 Li Zefan
          211 Sargun Dhillon
          204 Daniel Borkmann
          192 Aditya Kali
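The join that turns the four `uniq -c` listings of slides 31-34 into the per-author overlap table of slide 23, as an added example (not the author's script): the sample inputs are a few rows copied from those slides, not a fresh run against linux-stable, and the "X" marker for an author absent from a column follows the slide's convention.

```python
import re

# Constructed sample outputs of the `... | sort | uniq -c | sort -nr` pipelines
# (a handful of rows taken from the deck, not a run against linux-stable).
SECCOMP_CUR = "  2740 Kees Cook\n    50 Arnaldo Carvalho de Melo\n    44 Linus Torvalds\n"
SECCOMP_HIST = "    27 Kees Cook\n    15 Linus Torvalds\n     3 David Howells\n"
CGROUPS_CUR = "   641 Tejun Heo\n     1 Linus Torvalds\n"
CGROUPS_HIST = "  8772 Tejun Heo\n   139 Linus Torvalds\n     5 David Howells\n"

# `uniq -c` prints a right-aligned count, whitespace, then the author name.
UNIQ_C = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_uniq_c(text):
    """Turn `uniq -c` output into {author: count}."""
    counts = {}
    for line in text.splitlines():
        m = UNIQ_C.match(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
    return counts


def developer_overlap(sec_cur, sec_hist, cgr_cur, cgr_hist):
    """Join the four per-author tables into the slide-23 layout.

    Returns {author: (seccomp cur, seccomp hist, cgroups cur, cgroups hist)}
    for every author who touched both subsystems; "X" marks absence from a
    column. Only these authors matter for the independence question, since
    they are the shared development history between the two layers."""
    tables = [parse_uniq_c(t) for t in (sec_cur, sec_hist, cgr_cur, cgr_hist)]
    in_sec = set(tables[0]) | set(tables[1])
    in_cgr = set(tables[2]) | set(tables[3])
    return {author: tuple(t.get(author, "X") for t in tables)
            for author in sorted(in_sec & in_cgr)}


if __name__ == "__main__":
    rows = developer_overlap(SECCOMP_CUR, SECCOMP_HIST, CGROUPS_CUR, CGROUPS_HIST)
    for author, cells in rows.items():
        print(f"{author:28}", *cells)
```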

  35. seccomp
      Default behavior – deny all system calls:
          ctx = seccomp_init(SCMP_ACT_KILL);
      Add used, safe system calls explicitly:
          seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
                                 SCMP_A0(SCMP_CMP_EQ, fd));
