SlideShare a Scribd company logo

CS 5032 L6 reliability and security specification 2013

Download as PPTX, PDF
Ian Sommerville
Ian Sommerville
Technology
1 of 32
Dependability and Security Specification Lecture 2 Reliability and security specification, 2013 Slide 1
Reliability specification • Reliability can be measured so non-functional reliability requirements may be specified quantitatively. • Non-functional reliability requirements define the number of failures that are acceptable during normal use of the system or the time in which the system must be available. • Functional reliability requirements define system and software functions that avoid, detect or tolerate faults in the software and so ensure that these faults do not lead to system failure. • Software reliability requirements may also be included to cope with hardware failure or operator error. Reliability and security specification, 2013 Slide 2
The reliability specification process Identify the types of system failure that may lead to economic losses. Risk identification Estimate the costs and consequences of Risk analysis the different types of software failure Identify the root causes Risk of system failure decomposition Generate reliability specifications, including quantitative requirements Risk reduction defining the acceptable levels of failure Reliability and security specification, 2013 Slide 3
Types of system failure Failure type Description Loss of service The system is unavailable and cannot deliver its services to users. You may separate this into loss of critical services and loss of non-critical services, where the consequences of a failure in non-critical services are less than the consequences of critical service failure. Incorrect service delivery The system does not deliver a service correctly to users. Again, this may be specified in terms of minor and major errors or errors in the delivery of critical and non-critical services. System/data corruption The failure of the system causes damage to the system itself or its data. This will usually but not necessarily be in conjunction with other types of failures. Reliability and security specification, 2013 Slide 4
Reliability metrics • Reliability metrics are units of measurement of system reliability. • System reliability is measured by counting the number of operational failures and, where appropriate, relating these to the demands made on the system and the time that the system has been Metrics operational. * Probability of failure on demand • * Rate of occurrence of failures/Mean time to failure A long-term * Availability measurement programme is required to assess Reliability and security specification, 2013 the reliability of Slide 5 critical systems.
Probability of failure on demand (POFOD) • The probability that the system will fail when a request for service is made. • Used when demands for service are intermittent and relatively infrequent. • Appropriate for protection Protection system at Sizewell B power station systems where services are demanded Shuts down reactor if problems detected occasionally and where there are serious Reliability and security specification, 2013 consequence if the Slide 6
Rate of fault occurrence (ROCOF) • Reflects the rate of occurrence of failure in the system. – ROCOF of 0.002 means 2 failures are likely in each 1000 operational time units e.g. 2 failures per 1000 hours of operation • Relevant for systems where the system has to process a large number of similar requests in a defined time period – Credit card processing system, supermarket checkout system. Reliability and security specification, 2013 Slide 7
Mean time to failure • Reciprocal of ROCOF is Mean time to Failure (MTTF) – Relevant for systems with long transactions i.e. where system processing takes a long time (e.g. CAD systems). • MTTF should be longer than expected transaction length so that the system does not normally fail during a session or transaction Reliability and security specification, 2013 Slide 8
Availability • Measure of the fraction of the time that the system is available for use. • Takes repair and restart time into account • Availability of 0.998 means software is available for 998 out of 1000 time units. • Relevant for non-stop, continuously running systems – telephone switching systems, railway signalling systems, e- commerce systems, etc. Reliability and security specification, 2013 Slide 9
Availability specification Availability Explanation 0.9 The system is available for 90% of the time. This means that, in a 24-hour period (1,440 minutes), the system will be unavailable for 144 minutes. 0.99 In a 24-hour period, the system is unavailable for 14.4 minutes. 0.999 The system is unavailable for 84 seconds in a 24-hour period. 0.9999 The system is unavailable for 8.4 seconds in a 24-hour period. Roughly, one minute per week. Reliability and security specification, 2013 Slide 10
Failure consequences • When specifying reliability, it is not just the number of system failures that matter but the consequences of these failures. • Failures that have serious consequences are clearly more damaging than those where repair and recovery is straightforward. • In some cases, therefore, different reliability specifications for different types of failure may be defined. Reliability and security specification, 2013 Slide 11
Over-specification of reliability • Over-specification of reliability means that a high- level of reliability is specified but it is not cost- effective to achieve this. • In many cases, it is cheaper to accept and deal with failures rather than avoid them occurring. • To avoid over-specification – Specify reliability requirements for different types of failure. Minor failures may be acceptable. – Specify requirements for different services separately. Critical services should have the highest reliability requirements. – Decide whether or not high reliability is really required or if dependability goals can be achieved in some other way. Reliability and security specification, 2013 Slide 12
Steps to a reliability specification For each sub-system, analyse the consequences of possible system failures. From the system failure Different metrics may be analysis, partition used for different reliability failures into appropriate requirements classes For each failure class identified, set out the reliability using an appropriate metric Identify functional reliability requirements to reduce the chances of critical failures Reliability and security specification, 2013 Slide 13
Insulin pump specification • Probability of failure (POFOD) is the most appropriate metric. – Relatively infrequent demands (10s per day). • Transient failures that can be repaired by user actions such as recalibration of the machine. A relatively low value of POFOD is acceptable (say 0.002) – one failure may occur in every 500 demands. • Permanent failures require the software to be re-installed by the manufacturer. This should occur no more than once per year. POFOD for Reliability and security specification, 2013 this situation should be less than Slide 14 0.00002.
Functional reliability requirements • Checking requirements that identify checks to ensure that incorrect data is detected before it leads to a failure. • Recovery requirements that are geared to help the system recover after a failure has occurred. • Redundancy requirements that specify redundant features of the system to be included. • Process requirements for reliability which specify the development process to be used may also be included. Reliability and security specification, 2013 Slide 15
Examples of functional reliability requirements for MHC-PMS RR1: A pre-defined range for all operator inputs shall be defined and the system shall check that all operator inputs fall within this pre-defined range. (Checking) RR2: Copies of the patient database shall be maintained on two separate servers that are not housed in the same building. (Recovery, redundancy) RR3: N-version programming shall be used to implement the braking control system. (Redundancy) RR4: The system must be implemented in a safe subset of Ada and checked using static analysis. (Process) Reliability and security specification, 2013 Slide 16
Security specification • Security specification has something in common with safety requirements specification – in both cases, your concern is to avoid something bad happening. • Four major differences – Safety problems are accidental – the software is not operating in a hostile environment. In security, you must assume that attackers have knowledge of system weaknesses – When safety failures occur, you can look for the root cause or weakness that led to the failure. When failure results from a deliberate attack, the attacker may conceal the cause of the failure. – Shutting down a system can avoid a safety-related failure. Causing a shut down may be the aim of an attack. – Safety-related events are not generated from an intelligent adversary. An attacker can probe defenses over time to discover weaknesses. Reliability and security specification, 2013 Slide 17
Security policy • An organizational security policy applies to all systems and sets out what should and should not be allowed. • For example, a military policy might be: – Readers may only examine documents whose classification is the same as or below the readers vetting level. • A security policy sets out the conditions that must be maintained by a security system and so helps identify system security requirements. Reliability and security specification, 2013 Slide 18
The preliminary risk assessment process for security requirements Reliability and security specification, 2013 Slide 19
Security risk assessment Identify the key system assets (or services) that have to be protected. Asset identification Estimate the value of the identified assets Asset value assessment Assess the potential losses associated with each asset Exposure assessment Threat identification Identify the most probable threats to Reliability and security specification, 2013 the system assets Slide 20
Security risk assessment Decompose threats into possible attacks on the system and the ways that these may occur Attack assessment Propose the controls that may be put in place to protect an asset Control Assess the technical identification feasibility and cost of the controls Feasibility assessment Security requirements definition Security requirements can be infrastructure or application Reliability and security specification, 2013 system requirements Slide 21
Asset analysis in a preliminary risk assessment report for the MHC-PMS Asset Value Exposure The information system High. Required to support all High. Financial loss as clinical consultations. clinics may have to be Potentially safety-critical. canceled. Costs of restoring system. Possible patient harm if treatment cannot be prescribed. The patient database High. Required to support all High. Financial loss as clinical consultations. clinics may have to be Potentially safety-critical. canceled. Costs of restoring system. Possible patient harm if treatment cannot be prescribed. An individual patient record Normally low although may Low direct losses but be high for specific high- possible loss of reputation. profile patients. Reliability and security specification, 2013 Slide 22
Threat and control analysis in a preliminary risk assessment report Threat Probability Control Feasibility Unauthorized user Low Only allow system Low cost of implementation gains access as management from but care must be taken with system manager specific locations key distribution and to and makes system that are physically ensure that keys are unavailable secure. available in the event of an emergency. Unauthorized user High Require all users to Technically feasible but gains access as authenticate high-cost solution. Possible system user and themselves using a user resistance. accesses biometric confidential mechanism. Simple and transparent to information implement and also Log all changes to supports recovery. patient information to track system usage. Reliability and security specification, 2013 Slide 23
Security requirements for the MHC-PMS • Patient information shall be downloaded at the start of a clinic session to a secure area on the system client that is used by clinical staff. • All patient information on the system client shall be encrypted. • Patient information shall be uploaded to the database after a clinic session has finished and deleted from the client computer. • A log on a separate computer from the database server must be maintained of all changes made to the system database. Reliability and security specification, 2013 Slide 24
Formal methods and specification Reliability and security specification, 2013 Slide 25
Formal methods and critical systems • Formal specification is part of a more general collection of techniques that are known as ‘formal methods’. • These are all based on mathematical representation and analysis of software. • Formal methods include – Formal specification; – Specification analysis and proof; – Transformational development; – Program verification. Reliability and security specification, 2013 Slide 26
Use of formal methods • The principal benefits of formal methods are in reducing the number of faults in systems. • Consequently, their main area of applicability is in critical systems engineering. There have been several successful projects where formal methods have been used in this area. • In this area, the use of formal methods is most likely to be cost- effective because high system failure costs must be avoided. Reliability and security specification, 2013 Slide 27
Specification in the software process • Specification and design are inextricably intermingled. • Architectural design is essential to structure a specification and the specification process. • Formal specifications are expressed in a mathematical notation with precisely defined vocabulary, syntax and semantics. Reliability and security specification, 2013 Slide 28
Formal specification in a plan-based software process Reliability and security specification, 2013 Slide 29
Benefits of formal specification • Developing a formal specification requires the system requirements to be analyzed in detail. This helps to detect problems, inconsistencies and incompleteness in the requirements. • As the specification is expressed in a formal language, it can be automatically analyzed to discover inconsistencies and incompleteness. • If you use a formal method such as the B method, you can transform the formal specification into a ‘correct’ program. • Program testing costs may be reduced if the program is formally verified against its specification. Reliability and security specification, 2013 Slide 30
Acceptance of formal methods • Formal methods have had limited impact on practical software development: – Problem owners cannot understand a formal specification and so cannot assess if it is an accurate representation of their requirements. – It is easy to assess the costs of developing a formal specification but harder to assess the benefits. Managers may therefore be unwilling to invest in formal methods. – Software engineers are unfamiliar with this approach and are therefore reluctant to propose the use of FM. – Formal methods are still hard to scale up to large systems. – Formal specification is not really compatible with agile development methods. Reliability and security specification, 2013 Slide 31
Key points • Reliability requirements can be defined quantitatively. They include probability of failure on demand (POFOD), rate of occurrence of failure (ROCOF) and availability (AVAIL). • Security requirements are more difficult to identify than safety requirements because a system attacker can use knowledge of system vulnerabilities to plan a system attack, and can learn about vulnerabilities from unsuccessful attacks. • To specify security requirements, you should identify the assets that are to be protected and define how security techniques and technology should be used to protect these assets. • Formal methods of software development rely on a system specification that is expressed as a mathematical model. The use of formal methods avoids ambiguity in a critical systems specification. Reliability and security specification, 2013 Slide 32

Recommended

CS 5032 L5 safety specification 2013
CS 5032 L5 safety specification 2013CS 5032 L5 safety specification 2013
CS 5032 L5 safety specification 2013Ian Sommerville
 
CS 5032 L8 dependability engineering 2 2013
CS 5032 L8 dependability engineering 2 2013CS 5032 L8 dependability engineering 2 2013
CS 5032 L8 dependability engineering 2 2013Ian Sommerville
 
CS 5032 L2 dependability and security 2013
CS 5032 L2 dependability and security 2013CS 5032 L2 dependability and security 2013
CS 5032 L2 dependability and security 2013Ian Sommerville
 
CS 5032 L7 dependability engineering 2013
CS 5032 L7 dependability engineering 2013CS 5032 L7 dependability engineering 2013
CS 5032 L7 dependability engineering 2013Ian Sommerville
 
CS 5032 L4 requirements engineering 2013
CS 5032 L4 requirements engineering 2013CS 5032 L4 requirements engineering 2013
CS 5032 L4 requirements engineering 2013Ian Sommerville
 
CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013Ian Sommerville
 
CS 5032 L1 critical socio-technical systems 2013
CS 5032 L1 critical socio-technical systems 2013CS 5032 L1 critical socio-technical systems 2013
CS 5032 L1 critical socio-technical systems 2013Ian Sommerville
 
CS5032 L10 security engineering 2 2013
CS5032 L10 security engineering 2 2013CS5032 L10 security engineering 2 2013
CS5032 L10 security engineering 2 2013Ian Sommerville
 

Recommended

CS 5032 L5 safety specification 2013
CS 5032 L5 safety specification 2013CS 5032 L5 safety specification 2013
CS 5032 L5 safety specification 2013Ian Sommerville
 
CS 5032 L8 dependability engineering 2 2013
CS 5032 L8 dependability engineering 2 2013CS 5032 L8 dependability engineering 2 2013
CS 5032 L8 dependability engineering 2 2013Ian Sommerville
 
CS 5032 L2 dependability and security 2013
CS 5032 L2 dependability and security 2013CS 5032 L2 dependability and security 2013
CS 5032 L2 dependability and security 2013Ian Sommerville
 
CS 5032 L7 dependability engineering 2013
CS 5032 L7 dependability engineering 2013CS 5032 L7 dependability engineering 2013
CS 5032 L7 dependability engineering 2013Ian Sommerville
 
CS 5032 L4 requirements engineering 2013
CS 5032 L4 requirements engineering 2013CS 5032 L4 requirements engineering 2013
CS 5032 L4 requirements engineering 2013Ian Sommerville
 
CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013Ian Sommerville
 
CS 5032 L1 critical socio-technical systems 2013
CS 5032 L1 critical socio-technical systems 2013CS 5032 L1 critical socio-technical systems 2013
CS 5032 L1 critical socio-technical systems 2013Ian Sommerville
 
CS5032 L10 security engineering 2 2013
CS5032 L10 security engineering 2 2013CS5032 L10 security engineering 2 2013
CS5032 L10 security engineering 2 2013Ian Sommerville
 
CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013Ian Sommerville
 
CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013Ian Sommerville
 
Security Engineering 2 (CS 5032 2012)
Security Engineering 2 (CS 5032 2012)Security Engineering 2 (CS 5032 2012)
Security Engineering 2 (CS 5032 2012)Ian Sommerville
 
Reliability and security specification (CS 5032 2012)
Reliability and security specification (CS 5032 2012)Reliability and security specification (CS 5032 2012)
Reliability and security specification (CS 5032 2012)Ian Sommerville
 
Safety specification (CS 5032 2012)
Safety specification (CS 5032 2012)Safety specification (CS 5032 2012)
Safety specification (CS 5032 2012)Ian Sommerville
 
Ch11-Software Engineering 9
Ch11-Software Engineering 9Ch11-Software Engineering 9
Ch11-Software Engineering 9Ian Sommerville
 
Security Engineering 1 (CS 5032 2012)
Security Engineering 1 (CS 5032 2012)Security Engineering 1 (CS 5032 2012)
Security Engineering 1 (CS 5032 2012)Ian Sommerville
 
Ch13 security engineering
Ch13 security engineeringCh13 security engineering
Ch13 security engineeringsoftware-engineering-book
 
Norman Patch and Remediation
Norman Patch and RemediationNorman Patch and Remediation
Norman Patch and RemediationKavlieBorge
 
Ch3
Ch3Ch3
Ch3Tashaf Mukhtar
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineeringaizazhussain234
 
Ch12 safety engineering
Ch12 safety engineeringCh12 safety engineering
Ch12 safety engineeringsoftware-engineering-book
 
Ch12-Software Engineering 9
Ch12-Software Engineering 9Ch12-Software Engineering 9
Ch12-Software Engineering 9Ian Sommerville
 
Ch14 resilience engineering
Ch14 resilience engineeringCh14 resilience engineering
Ch14 resilience engineeringsoftware-engineering-book
 
C90 Security Service
C90 Security ServiceC90 Security Service
C90 Security Servicechristoboshoff
 
Critical systems specification
Critical systems specificationCritical systems specification
Critical systems specificationAryan Ajmer
 
Ispe Article
Ispe ArticleIspe Article
Ispe ArticleDavid Stephenson
 
DSDConference07
DSDConference07DSDConference07
DSDConference07Adam Taylor CEng FIET
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMuhammad Asim
 
Ch13-Software Engineering 9
Ch13-Software Engineering 9Ch13-Software Engineering 9
Ch13-Software Engineering 9Ian Sommerville
 
CS5032 Case study Kegworth air disaster
CS5032 Case study Kegworth air disasterCS5032 Case study Kegworth air disaster
CS5032 Case study Kegworth air disasterIan Sommerville
 
CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2Ian Sommerville
 

More Related Content

What's hot

CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013Ian Sommerville
 
CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013Ian Sommerville
 
Security Engineering 2 (CS 5032 2012)
Security Engineering 2 (CS 5032 2012)Security Engineering 2 (CS 5032 2012)
Security Engineering 2 (CS 5032 2012)Ian Sommerville
 
Reliability and security specification (CS 5032 2012)
Reliability and security specification (CS 5032 2012)Reliability and security specification (CS 5032 2012)
Reliability and security specification (CS 5032 2012)Ian Sommerville
 
Safety specification (CS 5032 2012)
Safety specification (CS 5032 2012)Safety specification (CS 5032 2012)
Safety specification (CS 5032 2012)Ian Sommerville
 
Ch11-Software Engineering 9
Ch11-Software Engineering 9Ch11-Software Engineering 9
Ch11-Software Engineering 9Ian Sommerville
 
Security Engineering 1 (CS 5032 2012)
Security Engineering 1 (CS 5032 2012)Security Engineering 1 (CS 5032 2012)
Security Engineering 1 (CS 5032 2012)Ian Sommerville
 
Norman Patch and Remediation
Norman Patch and RemediationNorman Patch and Remediation
Norman Patch and RemediationKavlieBorge
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineeringaizazhussain234
 
Ch12-Software Engineering 9
Ch12-Software Engineering 9Ch12-Software Engineering 9
Ch12-Software Engineering 9Ian Sommerville
 
Critical systems specification
Critical systems specificationCritical systems specification
Critical systems specificationAryan Ajmer
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMuhammad Asim
 
Ch13-Software Engineering 9
Ch13-Software Engineering 9Ch13-Software Engineering 9
Ch13-Software Engineering 9Ian Sommerville
 

What's hot (20)

CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013
 
CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013
 
Security Engineering 2 (CS 5032 2012)
Security Engineering 2 (CS 5032 2012)Security Engineering 2 (CS 5032 2012)
Security Engineering 2 (CS 5032 2012)
 
Reliability and security specification (CS 5032 2012)
Reliability and security specification (CS 5032 2012)Reliability and security specification (CS 5032 2012)
Reliability and security specification (CS 5032 2012)
 
Safety specification (CS 5032 2012)
Safety specification (CS 5032 2012)Safety specification (CS 5032 2012)
Safety specification (CS 5032 2012)
 
Ch11-Software Engineering 9
Ch11-Software Engineering 9Ch11-Software Engineering 9
Ch11-Software Engineering 9
 
Security Engineering 1 (CS 5032 2012)
Security Engineering 1 (CS 5032 2012)Security Engineering 1 (CS 5032 2012)
Security Engineering 1 (CS 5032 2012)
 
Ch13 security engineering
Ch13 security engineeringCh13 security engineering
Ch13 security engineering
 
Norman Patch and Remediation
Norman Patch and RemediationNorman Patch and Remediation
Norman Patch and Remediation
 
Ch3
Ch3Ch3
Ch3
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
 
Ch12 safety engineering
Ch12 safety engineeringCh12 safety engineering
Ch12 safety engineering
 
Ch12-Software Engineering 9
Ch12-Software Engineering 9Ch12-Software Engineering 9
Ch12-Software Engineering 9
 
Ch14 resilience engineering
Ch14 resilience engineeringCh14 resilience engineering
Ch14 resilience engineering
 
C90 Security Service
C90 Security ServiceC90 Security Service
C90 Security Service
 
Critical systems specification
Critical systems specificationCritical systems specification
Critical systems specification
 
Ispe Article
Ispe ArticleIspe Article
Ispe Article
 
DSDConference07
DSDConference07DSDConference07
DSDConference07
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
 
Ch13-Software Engineering 9
Ch13-Software Engineering 9Ch13-Software Engineering 9
Ch13-Software Engineering 9
 

Viewers also liked

CS5032 Case study Kegworth air disaster
CS5032 Case study Kegworth air disasterCS5032 Case study Kegworth air disaster
CS5032 Case study Kegworth air disasterIan Sommerville
 
CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2Ian Sommerville
 
CS 5032 L18 Critical infrastructure 2: SCADA systems
CS 5032 L18 Critical infrastructure 2: SCADA systemsCS 5032 L18 Critical infrastructure 2: SCADA systems
CS 5032 L18 Critical infrastructure 2: SCADA systemsIan Sommerville
 
CS5032 Case study Maroochy water breach
CS5032 Case study Maroochy water breachCS5032 Case study Maroochy water breach
CS5032 Case study Maroochy water breachIan Sommerville
 
Security case buffer overflow
Security case buffer overflowSecurity case buffer overflow
Security case buffer overflowIan Sommerville
 
CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1Ian Sommerville
 
CS 5032 L3 socio-technical systems 2013
CS 5032 L3 socio-technical systems 2013CS 5032 L3 socio-technical systems 2013
CS 5032 L3 socio-technical systems 2013Ian Sommerville
 
Introducing sociotechnical systems
Introducing sociotechnical systemsIntroducing sociotechnical systems
Introducing sociotechnical systemssommerville-videos
 

Viewers also liked (15)

CS5032 Case study Kegworth air disaster
CS5032 Case study Kegworth air disasterCS5032 Case study Kegworth air disaster
CS5032 Case study Kegworth air disaster
 
CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2
 
CS 5032 L18 Critical infrastructure 2: SCADA systems
CS 5032 L18 Critical infrastructure 2: SCADA systemsCS 5032 L18 Critical infrastructure 2: SCADA systems
CS 5032 L18 Critical infrastructure 2: SCADA systems
 
CS5032 Case study Maroochy water breach
CS5032 Case study Maroochy water breachCS5032 Case study Maroochy water breach
CS5032 Case study Maroochy water breach
 
Security case buffer overflow
Security case buffer overflowSecurity case buffer overflow
Security case buffer overflow
 
CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1
 
System success and failure
System success and failureSystem success and failure
System success and failure
 
Critical systems intro
Critical systems introCritical systems intro
Critical systems intro
 
System dependability
System dependabilitySystem dependability
System dependability
 
Critical systems engineering
Critical systems engineeringCritical systems engineering
Critical systems engineering
 
Emergent properties
Emergent propertiesEmergent properties
Emergent properties
 
CS 5032 L3 socio-technical systems 2013
CS 5032 L3 socio-technical systems 2013CS 5032 L3 socio-technical systems 2013
CS 5032 L3 socio-technical systems 2013
 
Availability and reliability
Availability and reliabilityAvailability and reliability
Availability and reliability
 
Introducing sociotechnical systems
Introducing sociotechnical systemsIntroducing sociotechnical systems
Introducing sociotechnical systems
 
System security
System securitySystem security
System security
 

Similar to CS 5032 L6 reliability and security specification 2013

Dependability and security (CS 5032 2012)
Dependability and security (CS 5032 2012)Dependability and security (CS 5032 2012)
Dependability and security (CS 5032 2012)Ian Sommerville
 
5 - Safety - Critical Systems.pdf
5 - Safety - Critical Systems.pdf5 - Safety - Critical Systems.pdf
5 - Safety - Critical Systems.pdfFelixKipyego1
 
Dependablity Engineering 1 (CS 5032 2012)
Dependablity Engineering 1 (CS 5032 2012)Dependablity Engineering 1 (CS 5032 2012)
Dependablity Engineering 1 (CS 5032 2012)Ian Sommerville
 
Ch11 - Reliability Engineering
Ch11 - Reliability EngineeringCh11 - Reliability Engineering
Ch11 - Reliability EngineeringHarsh Verdhan Raj
 
Software Reliability_CS-3059_VISHAL_PADME.pptx
Software Reliability_CS-3059_VISHAL_PADME.pptxSoftware Reliability_CS-3059_VISHAL_PADME.pptx
Software Reliability_CS-3059_VISHAL_PADME.pptxVishalPadme2
 
Unit 2-software development process notes
Unit 2-software development process notes Unit 2-software development process notes
Unit 2-software development process notes arvind pandey
 
Static analysis and reliability testing (CS 5032 2012)
Static analysis and reliability testing (CS 5032 2012)Static analysis and reliability testing (CS 5032 2012)
Static analysis and reliability testing (CS 5032 2012)Ian Sommerville
 
An Introduction to Designing Reliable Cloud Services January 2014
An Introduction to Designing Reliable Cloud Services January 2014An Introduction to Designing Reliable Cloud Services January 2014
An Introduction to Designing Reliable Cloud Services January 2014David J Rosenthal
 
Software Reliability Engineering
Software Reliability EngineeringSoftware Reliability Engineering
Software Reliability Engineeringguest90cec6
 
Critical System Specification in Software Engineering SE17
Critical System Specification in Software Engineering SE17Critical System Specification in Software Engineering SE17
Critical System Specification in Software Engineering SE17koolkampus
 
Dependability Engineering 2 (CS 5032 2012)
Dependability Engineering 2 (CS 5032 2012)Dependability Engineering 2 (CS 5032 2012)
Dependability Engineering 2 (CS 5032 2012)Ian Sommerville
 
module 5 ppt ddb.pptx
module 5 ppt ddb.pptxmodule 5 ppt ddb.pptx
module 5 ppt ddb.pptxSushantRaj25
 

Similar to CS 5032 L6 reliability and security specification 2013 (20)

Dependability and security (CS 5032 2012)
Dependability and security (CS 5032 2012)Dependability and security (CS 5032 2012)
Dependability and security (CS 5032 2012)
 
5 - Safety - Critical Systems.pdf
5 - Safety - Critical Systems.pdf5 - Safety - Critical Systems.pdf
5 - Safety - Critical Systems.pdf
 
Dependablity Engineering 1 (CS 5032 2012)
Dependablity Engineering 1 (CS 5032 2012)Dependablity Engineering 1 (CS 5032 2012)
Dependablity Engineering 1 (CS 5032 2012)
 
Critical Systems
Critical SystemsCritical Systems
Critical Systems
 
Sqa material
Sqa materialSqa material
Sqa material
 
Ch11 - Reliability Engineering
Ch11 - Reliability EngineeringCh11 - Reliability Engineering
Ch11 - Reliability Engineering
 
Ch11
Ch11Ch11
Ch11
 
Reliability Engineering
Reliability EngineeringReliability Engineering
Reliability Engineering
 
Ch11 reliability engineering
Ch11 reliability engineeringCh11 reliability engineering
Ch11 reliability engineering
 
Software Reliability_CS-3059_VISHAL_PADME.pptx
Software Reliability_CS-3059_VISHAL_PADME.pptxSoftware Reliability_CS-3059_VISHAL_PADME.pptx
Software Reliability_CS-3059_VISHAL_PADME.pptx
 
Unit 2-software development process notes
Unit 2-software development process notes Unit 2-software development process notes
Unit 2-software development process notes
 
Static analysis and reliability testing (CS 5032 2012)
Static analysis and reliability testing (CS 5032 2012)Static analysis and reliability testing (CS 5032 2012)
Static analysis and reliability testing (CS 5032 2012)
 
An Introduction to Designing Reliable Cloud Services January 2014
An Introduction to Designing Reliable Cloud Services January 2014An Introduction to Designing Reliable Cloud Services January 2014
An Introduction to Designing Reliable Cloud Services January 2014
 
Software Reliability Engineering
Software Reliability EngineeringSoftware Reliability Engineering
Software Reliability Engineering
 
State model based
State model basedState model based
State model based
 
Ch3
Ch3Ch3
Ch3
 
Ch3
Ch3Ch3
Ch3
 
Critical System Specification in Software Engineering SE17
Critical System Specification in Software Engineering SE17Critical System Specification in Software Engineering SE17
Critical System Specification in Software Engineering SE17
 
Dependability Engineering 2 (CS 5032 2012)
Dependability Engineering 2 (CS 5032 2012)Dependability Engineering 2 (CS 5032 2012)
Dependability Engineering 2 (CS 5032 2012)
 
module 5 ppt ddb.pptx
module 5 ppt ddb.pptxmodule 5 ppt ddb.pptx
module 5 ppt ddb.pptx
 

More from Ian Sommerville

Ultra Large Scale Systems
Ultra Large Scale SystemsUltra Large Scale Systems
Ultra Large Scale SystemsIan Sommerville
 
Dependability requirements for LSCITS
Dependability requirements for LSCITSDependability requirements for LSCITS
Dependability requirements for LSCITSIan Sommerville
 
Conceptual systems design
Conceptual systems designConceptual systems design
Conceptual systems designIan Sommerville
 
Requirements Engineering for LSCITS
Requirements Engineering for LSCITSRequirements Engineering for LSCITS
Requirements Engineering for LSCITSIan Sommerville
 
An introduction to LSCITS
An introduction to LSCITSAn introduction to LSCITS
An introduction to LSCITSIan Sommerville
 
Internet worm-case-study
Internet worm-case-studyInternet worm-case-study
Internet worm-case-studyIan Sommerville
 
Designing software for a million users
Designing software for a million usersDesigning software for a million users
Designing software for a million usersIan Sommerville
 
CS5032 Case study Ariane 5 launcher failure
CS5032 Case study Ariane 5 launcher failureCS5032 Case study Ariane 5 launcher failure
CS5032 Case study Ariane 5 launcher failureIan Sommerville
 
L17 CS5032 critical infrastructure
L17 CS5032 critical infrastructureL17 CS5032 critical infrastructure
L17 CS5032 critical infrastructureIan Sommerville
 

More from Ian Sommerville (13)

Ultra Large Scale Systems
Ultra Large Scale SystemsUltra Large Scale Systems
Ultra Large Scale Systems
 
Resp modellingintro
Resp modellingintroResp modellingintro
Resp modellingintro
 
Resilience and recovery
Resilience and recoveryResilience and recovery
Resilience and recovery
 
LSCITS-engineering
LSCITS-engineeringLSCITS-engineering
LSCITS-engineering
 
Requirements reality
Requirements realityRequirements reality
Requirements reality
 
Dependability requirements for LSCITS
Dependability requirements for LSCITSDependability requirements for LSCITS
Dependability requirements for LSCITS
 
Conceptual systems design
Conceptual systems designConceptual systems design
Conceptual systems design
 
Requirements Engineering for LSCITS
Requirements Engineering for LSCITSRequirements Engineering for LSCITS
Requirements Engineering for LSCITS
 
An introduction to LSCITS
An introduction to LSCITSAn introduction to LSCITS
An introduction to LSCITS
 
Internet worm-case-study
Internet worm-case-studyInternet worm-case-study
Internet worm-case-study
 
Designing software for a million users
Designing software for a million usersDesigning software for a million users
Designing software for a million users
 
CS5032 Case study Ariane 5 launcher failure
CS5032 Case study Ariane 5 launcher failureCS5032 Case study Ariane 5 launcher failure
CS5032 Case study Ariane 5 launcher failure
 
L17 CS5032 critical infrastructure
L17 CS5032 critical infrastructureL17 CS5032 critical infrastructure
L17 CS5032 critical infrastructure
 

Recently uploaded

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

CS 5032 L6 reliability and security specification 2013

  • 1. Dependability and Security Specification Lecture 2 Reliability and security specification, 2013 Slide 1
  • 2. Reliability specification • Reliability can be measured so non-functional reliability requirements may be specified quantitatively. • Non-functional reliability requirements define the number of failures that are acceptable during normal use of the system or the time in which the system must be available. • Functional reliability requirements define system and software functions that avoid, detect or tolerate faults in the software and so ensure that these faults do not lead to system failure. • Software reliability requirements may also be included to cope with hardware failure or operator error. Reliability and security specification, 2013 Slide 2
  • 3. The reliability specification process Identify the types of system failure that may lead to economic losses. Risk identification Estimate the costs and consequences of Risk analysis the different types of software failure Identify the root causes Risk of system failure decomposition Generate reliability specifications, including quantitative requirements Risk reduction defining the acceptable levels of failure Reliability and security specification, 2013 Slide 3
  • 4. Types of system failure Failure type Description Loss of service The system is unavailable and cannot deliver its services to users. You may separate this into loss of critical services and loss of non-critical services, where the consequences of a failure in non-critical services are less than the consequences of critical service failure. Incorrect service delivery The system does not deliver a service correctly to users. Again, this may be specified in terms of minor and major errors or errors in the delivery of critical and non-critical services. System/data corruption The failure of the system causes damage to the system itself or its data. This will usually but not necessarily be in conjunction with other types of failures. Reliability and security specification, 2013 Slide 4
  • 5. Reliability metrics • Reliability metrics are units of measurement of system reliability. • System reliability is measured by counting the number of operational failures and, where appropriate, relating these to the demands made on the system and the time that the system has been Metrics operational. * Probability of failure on demand • * Rate of occurrence of failures/Mean time to failure A long-term * Availability measurement programme is required to assess Reliability and security specification, 2013 the reliability of Slide 5 critical systems.
  • 6. Probability of failure on demand (POFOD) • The probability that the system will fail when a request for service is made. • Used when demands for service are intermittent and relatively infrequent. • Appropriate for protection Protection system at Sizewell B power station systems where services are demanded Shuts down reactor if problems detected occasionally and where there are serious Reliability and security specification, 2013 consequence if the Slide 6
  • 7. Rate of fault occurrence (ROCOF) • Reflects the rate of occurrence of failure in the system. – ROCOF of 0.002 means 2 failures are likely in each 1000 operational time units e.g. 2 failures per 1000 hours of operation • Relevant for systems where the system has to process a large number of similar requests in a defined time period – Credit card processing system, supermarket checkout system. Reliability and security specification, 2013 Slide 7
  • 8. Mean time to failure • Reciprocal of ROCOF is Mean time to Failure (MTTF) – Relevant for systems with long transactions i.e. where system processing takes a long time (e.g. CAD systems). • MTTF should be longer than expected transaction length so that the system does not normally fail during a session or transaction Reliability and security specification, 2013 Slide 8
  • 9. Availability • Measure of the fraction of the time that the system is available for use. • Takes repair and restart time into account • Availability of 0.998 means software is available for 998 out of 1000 time units. • Relevant for non-stop, continuously running systems – telephone switching systems, railway signalling systems, e- commerce systems, etc. Reliability and security specification, 2013 Slide 9
  • 10. Availability specification Availability Explanation 0.9 The system is available for 90% of the time. This means that, in a 24-hour period (1,440 minutes), the system will be unavailable for 144 minutes. 0.99 In a 24-hour period, the system is unavailable for 14.4 minutes. 0.999 The system is unavailable for 84 seconds in a 24-hour period. 0.9999 The system is unavailable for 8.4 seconds in a 24-hour period. Roughly, one minute per week. Reliability and security specification, 2013 Slide 10
  • 11. Failure consequences • When specifying reliability, it is not just the number of system failures that matter but the consequences of these failures. • Failures that have serious consequences are clearly more damaging than those where repair and recovery is straightforward. • In some cases, therefore, different reliability specifications for different types of failure may be defined. Reliability and security specification, 2013 Slide 11
  • 12. Over-specification of reliability • Over-specification of reliability means that a high- level of reliability is specified but it is not cost- effective to achieve this. • In many cases, it is cheaper to accept and deal with failures rather than avoid them occurring. • To avoid over-specification – Specify reliability requirements for different types of failure. Minor failures may be acceptable. – Specify requirements for different services separately. Critical services should have the highest reliability requirements. – Decide whether or not high reliability is really required or if dependability goals can be achieved in some other way. Reliability and security specification, 2013 Slide 12
  • 13. Steps to a reliability specification For each sub-system, analyse the consequences of possible system failures. From the system failure Different metrics may be analysis, partition used for different reliability failures into appropriate requirements classes For each failure class identified, set out the reliability using an appropriate metric Identify functional reliability requirements to reduce the chances of critical failures Reliability and security specification, 2013 Slide 13
  • 14. Insulin pump specification • Probability of failure (POFOD) is the most appropriate metric. – Relatively infrequent demands (10s per day). • Transient failures that can be repaired by user actions such as recalibration of the machine. A relatively low value of POFOD is acceptable (say 0.002) – one failure may occur in every 500 demands. • Permanent failures require the software to be re-installed by the manufacturer. This should occur no more than once per year. POFOD for Reliability and security specification, 2013 this situation should be less than Slide 14 0.00002.
  • 15. Functional reliability requirements • Checking requirements that identify checks to ensure that incorrect data is detected before it leads to a failure. • Recovery requirements that are geared to help the system recover after a failure has occurred. • Redundancy requirements that specify redundant features of the system to be included. • Process requirements for reliability which specify the development process to be used may also be included. Reliability and security specification, 2013 Slide 15
  • 16. Examples of functional reliability requirements for MHC-PMS RR1: A pre-defined range for all operator inputs shall be defined and the system shall check that all operator inputs fall within this pre-defined range. (Checking) RR2: Copies of the patient database shall be maintained on two separate servers that are not housed in the same building. (Recovery, redundancy) RR3: N-version programming shall be used to implement the braking control system. (Redundancy) RR4: The system must be implemented in a safe subset of Ada and checked using static analysis. (Process) Reliability and security specification, 2013 Slide 16
  • 17. Security specification • Security specification has something in common with safety requirements specification – in both cases, your concern is to avoid something bad happening. • Four major differences – Safety problems are accidental – the software is not operating in a hostile environment. In security, you must assume that attackers have knowledge of system weaknesses – When safety failures occur, you can look for the root cause or weakness that led to the failure. When failure results from a deliberate attack, the attacker may conceal the cause of the failure. – Shutting down a system can avoid a safety-related failure. Causing a shut down may be the aim of an attack. – Safety-related events are not generated from an intelligent adversary. An attacker can probe defenses over time to discover weaknesses. Reliability and security specification, 2013 Slide 17
  • 18. Security policy • An organizational security policy applies to all systems and sets out what should and should not be allowed. • For example, a military policy might be: – Readers may only examine documents whose classification is the same as or below the readers vetting level. • A security policy sets out the conditions that must be maintained by a security system and so helps identify system security requirements. Reliability and security specification, 2013 Slide 18
  • 19. The preliminary risk assessment process for security requirements Reliability and security specification, 2013 Slide 19
  • 20. Security risk assessment Identify the key system assets (or services) that have to be protected. Asset identification Estimate the value of the identified assets Asset value assessment Assess the potential losses associated with each asset Exposure assessment Threat identification Identify the most probable threats to Reliability and security specification, 2013 the system assets Slide 20
  • 21. Security risk assessment Decompose threats into possible attacks on the system and the ways that these may occur Attack assessment Propose the controls that may be put in place to protect an asset Control Assess the technical identification feasibility and cost of the controls Feasibility assessment Security requirements definition Security requirements can be infrastructure or application Reliability and security specification, 2013 system requirements Slide 21
  • 22. Asset analysis in a preliminary risk assessment report for the MHC-PMS Asset Value Exposure The information system High. Required to support all High. Financial loss as clinical consultations. clinics may have to be Potentially safety-critical. canceled. Costs of restoring system. Possible patient harm if treatment cannot be prescribed. The patient database High. Required to support all High. Financial loss as clinical consultations. clinics may have to be Potentially safety-critical. canceled. Costs of restoring system. Possible patient harm if treatment cannot be prescribed. An individual patient record Normally low although may Low direct losses but be high for specific high- possible loss of reputation. profile patients. Reliability and security specification, 2013 Slide 22
  • 23. Threat and control analysis in a preliminary risk assessment report Threat Probability Control Feasibility Unauthorized user Low Only allow system Low cost of implementation gains access as management from but care must be taken with system manager specific locations key distribution and to and makes system that are physically ensure that keys are unavailable secure. available in the event of an emergency. Unauthorized user High Require all users to Technically feasible but gains access as authenticate high-cost solution. Possible system user and themselves using a user resistance. accesses biometric confidential mechanism. Simple and transparent to information implement and also Log all changes to supports recovery. patient information to track system usage. Reliability and security specification, 2013 Slide 23
  • 24. Security requirements for the MHC-PMS • Patient information shall be downloaded at the start of a clinic session to a secure area on the system client that is used by clinical staff. • All patient information on the system client shall be encrypted. • Patient information shall be uploaded to the database after a clinic session has finished and deleted from the client computer. • A log on a separate computer from the database server must be maintained of all changes made to the system database. Reliability and security specification, 2013 Slide 24
  • 25. Formal methods and specification Reliability and security specification, 2013 Slide 25
  • 26. Formal methods and critical systems • Formal specification is part of a more general collection of techniques that are known as ‘formal methods’. • These are all based on mathematical representation and analysis of software. • Formal methods include – Formal specification; – Specification analysis and proof; – Transformational development; – Program verification. Reliability and security specification, 2013 Slide 26
  • 27. Use of formal methods • The principal benefits of formal methods are in reducing the number of faults in systems. • Consequently, their main area of applicability is in critical systems engineering. There have been several successful projects where formal methods have been used in this area. • In this area, the use of formal methods is most likely to be cost- effective because high system failure costs must be avoided. Reliability and security specification, 2013 Slide 27
  • 28. Specification in the software process • Specification and design are inextricably intermingled. • Architectural design is essential to structure a specification and the specification process. • Formal specifications are expressed in a mathematical notation with precisely defined vocabulary, syntax and semantics. Reliability and security specification, 2013 Slide 28
  • 29. Formal specification in a plan-based software process Reliability and security specification, 2013 Slide 29
  • 30. Benefits of formal specification • Developing a formal specification requires the system requirements to be analyzed in detail. This helps to detect problems, inconsistencies and incompleteness in the requirements. • As the specification is expressed in a formal language, it can be automatically analyzed to discover inconsistencies and incompleteness. • If you use a formal method such as the B method, you can transform the formal specification into a ‘correct’ program. • Program testing costs may be reduced if the program is formally verified against its specification. Reliability and security specification, 2013 Slide 30
  • 31. Acceptance of formal methods • Formal methods have had limited impact on practical software development: – Problem owners cannot understand a formal specification and so cannot assess if it is an accurate representation of their requirements. – It is easy to assess the costs of developing a formal specification but harder to assess the benefits. Managers may therefore be unwilling to invest in formal methods. – Software engineers are unfamiliar with this approach and are therefore reluctant to propose the use of FM. – Formal methods are still hard to scale up to large systems. – Formal specification is not really compatible with agile development methods. Reliability and security specification, 2013 Slide 31
  • 32. Key points • Reliability requirements can be defined quantitatively. They include probability of failure on demand (POFOD), rate of occurrence of failure (ROCOF) and availability (AVAIL). • Security requirements are more difficult to identify than safety requirements because a system attacker can use knowledge of system vulnerabilities to plan a system attack, and can learn about vulnerabilities from unsuccessful attacks. • To specify security requirements, you should identify the assets that are to be protected and define how security techniques and technology should be used to protect these assets. • Formal methods of software development rely on a system specification that is expressed as a mathematical model. The use of formal methods avoids ambiguity in a critical systems specification. Reliability and security specification, 2013 Slide 32