Integrity static analysis of COTS/SOUP

This paper describes the integrity static analysis approach developed to support the justification of commercial off-the-shelf software (COTS) used in a safety-related system. The static analysis was part of an overall software qualification programme, which also included the work reported in our paper presented at Safecomp 2002. Integrity static analysis focuses on unsafe language constructs and “covert” flows, where one thread can affect the data or control flow of another thread. The analysis addressed two main aspects: the internal integrity of the code (especially for the more critical functions), and the intra-component integrity, checking for covert channels. The analysis process was supported by an aggregation of tools, combined and engineered to support the checks done and to scale as necessary. Integrity static analysis is feasible for industrial scale software, did not require unreasonable resources and we provide data that illustrates its contribution to the software qualification programme

An audit model for safety-critical software

Atualmente o uso de software considerados complexos e críticos está crescendo em diversos setores da indústria como a aeronáutica com seus diversos sistemas embarcados em aeronaves e a médica com seus dispositivos médicos cada vez mais avançados. Devido a isso, a quantidade de standards dedicados a esse tipo de desenvolvimento está crescendo nos últimos anos e autoridades regulamentadoras estão reconhecendo a sua aplicabilidade e, em alguns casos, tornando como parte dos requisitos obrigatórios de certificação ou aprovação. O intuito de uma auditoria de software é verificar que o software desenvolvido está de acordo com a norma aplicável, no entanto os modelos existentes não permitem o auditor ter a flexibilidade de adequar o modelo de auditoria às suas necessidades. Como parte dessa pesquisa, diferentes modelos de desenvolvimento software foram considerados, bem como standards da área aeronáutica (RTCA DO-178C) e área médica (IEC 62304) foram estudados quanto as suas recomendações e requisitos para desenvolvimento de software safety-crítico. Como objetivo dessa dissertação, um modelo de auditoria de software foi proposto com as atividades que são necessárias para a condução de auditoria de software safety-crítico, permitindo ao auditor aplicar o modelo de acordo com as atividades que precisam ser auditadas, dando a flexibilidade necessária para o escopo da auditoria, bem como um conjunto de perguntas para a auditoria de software desenvolvido utilizando RTCA DO-178C e IEC 62304 foi sugerido e avaliado por especialistas de software para garantir a maturidade e eficiência das perguntas propostas. Além da avaliação das perguntas, também foi conduzido um estudo de caso, em uma empresa aeroespacial, com duas instanciações para avaliar a maturidade do modelo de auditoria de software proposto.Nowadays, the use of software considered complex and critical is growing in several industry sectors, such as aeronautics with its various systems embedded in aircraft and the medical one with its increasingly advanced medical devices. Because of this, the number of standards dedicated to this type of development is growing in recent years, and regulatory authorities are recognizing its applicability and, in some cases, making it part of the mandatory certification requirements or approval. The software audit intent is to verify that the software developed complies with the applicable standard. However, the existing audit models do not allow the auditor to tailor the audit model to its audit necessities. As part of this research, the various software development models were considered, and standards in the aeronautical (RTCA DO-178C) and medical (IEC/ISO 62304) areas were studied regarding their guidelines and requirements for safety-critical software development. This thesis aims to propose a software audit model with the activities necessary for conducting a safety-critical software audit, giving the auditor the necessary flexibility in the audit execution without the need to achieve specific predetermined milestones. Additionally, a set of questions for software auditing developed using RTCA DO-178C and IEC 62304 has been suggested and evaluated by software experts to ensure the maturity and efficiency of the proposed questions. In addition to evaluating the questions, a case study was also conducted in an aerospace company, with two instances to evaluate the proposed software audit model’s maturity.Não recebi financiament

Software Assurance Best Practices for Air Force Weapon and Information Technology Systems - Are We Bleeding?

In the corporate world, bits mean money, and as the Department of Defense (DoD) becomes more and more reliant on net-centric warfare, bits mean national security. Software security threats are very real, as demonstrated by the constant barrage of Internet viruses, worms, Trojans, and hackers seeking to exploit the latest vulnerability. Most organizations focus their resources on reactive defenses such as firewalls, antivirus software, and encryption, however as demonstrated by the numerous attacks that are successful, those post facto measures are not enough to stop the bleeding. The DoD defines software assurance (SwA) as the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software. SwA focuses on baking in security versus bolting it on afterwards. The Department of Homeland Security and DoD each have had SwA programs for a few years; however the Air Force (AF) just recently formed the Application Software Assurance Center of Excellence at Maxwell AFB-Gunter Annex, AL. This research seeks to identify common issues that present challenges to the development of secure software and best practices that the AF could adopt as it proactively begins to heal the SwA problem

A Harmonized Compositional Assurance Approach for Safety-Critical Systems

Safety-critical systems, those whose failure could end up in loss or injuries to people or the environment, are required to go through laborious and expensive certification processes. These systems have also increased their complexity and as it has already been done in other domains, they have applied component-based system developments to deal with complexity. However, components are difficult to assess as certification is done at system level and not at component level. Compositional certification approach proposes to get incremental credit by accepting that a specific component complies with specific standard’s requirements and it is correctly integrated. The objective is to support integration of new components while the previously integrated components do not need to work for re-acceptance. We propose (1) the use of assurance modelling techniques to provide us the mechanism to understand the common basis of standards shared by different domains such as the avionics, automotive and the medical devices design. We propose (2) an assurance decomposition methodology offering guidance and modelling mechanisms to decompose the responsibilities associated with the life-cycle of safety-critical components. This methodology ensures a hierarchy of assurance and certification projects where the responsibilities and project tasks can be specified and its accomplishment can be assessed to determine the compliance of functional safety standards. Assurance decomposition supports the reuse of components as it guides us not just for standards compliance but specifically on the understanding and tailoring of those standards for component assurance and support when those components are integrated into the final system. We propose (3) a contract-based approach to support the integration of reused components and at the same time, the proposal supports the identification of assumptions, a very laborious and time consuming task. Assurance Contracts are defined to ensure incremental compliance once the components are integrated. The objective of this assurance contracts is to ensure the overall compliance of the system with the selected standards and reference documents such as guidelines or advisory circulars. The defined approach to assurance contracts specification attempts to balance the need for unambiguity on the composition while maintaining the heterogeneity of the information managed. The claims classification offers an easy method to support the assessment of contract completeness and the structured expressions provide a semi-formal language to specify the assumptions and guarantees of a component. This work has been mainly framed in a European collaborative research projects such as OPENCOSS a Large-scale integrating project (IP) with 17 partners from 9 countries to develop a platform for safety assurance and certification of safety-critical systems (compliance with standards, robust argumentation, evidence management, process transparency), SAFEADAPT an FP7 project with 9 partners and RECOMP an ARTEMIS project.. The results of this work have been presented to the standardization group of the Object Management Group responsible for the SACM (Structured Assurance Case Metamodel) standard specification, which currently discusses its inclusion in future versions. The (4) tools presented and used in this work have been included in the results of an open tool platform developed within the OPENCOSS project that is being released in PolarSys. PolarSys is an Eclipse Industry Working Group created by large industry players and by tools providers to collaborate on the creation and support of Open Source tools for the development of embedded systems

Reducing the Software Risk in Ground Systems

Presentation to provide and overview of software's role in ground systems and how the security of the software is important and how it can be improved

Service-based Fault Tolerance for Cyber-Physical Systems: A Systems Engineering Approach

Cyber-physical systems (CPSs) comprise networked computing units that monitor and control physical processes in feedback loops. CPSs have potential to change the ways people and computers interact with the physical world by enabling new ways to control and optimize systems through improved connectivity and computing capabilities. Compared to classical control theory, these systems involve greater unpredictability which may affect the stability and dynamics of the physical subsystems. Further uncertainty is introduced by the dynamic and open computing environments with rapidly changing connections and system configurations. However, due to interactions with the physical world, the dependable operation and tolerance of failures in both cyber and physical components are essential requirements for these systems.The problem of achieving dependable operations for open and networked control systems is approached using a systems engineering process to gain an understanding of the problem domain, since fault tolerance cannot be solved only as a software problem due to the nature of CPSs, which includes close coordination among hardware, software and physical objects. The research methodology consists of developing a concept design, implementing prototypes, and empirically testing the prototypes. Even though modularity has been acknowledged as a key element of fault tolerance, the fault tolerance of highly modular service-oriented architectures (SOAs) has been sparsely researched, especially in distributed real-time systems. This thesis proposes and implements an approach based on using loosely coupled real-time SOA to implement fault tolerance for a teleoperation system.Based on empirical experiments, modularity on a service level can be used to support fault tolerance (i.e., the isolation and recovery of faults). Fault recovery can be achieved for certain categories of faults (i.e., non-deterministic and aging-related) based on loose coupling and diverse operation modes. The proposed architecture also supports the straightforward integration of fault tolerance patterns, such as FAIL-SAFE, HEARTBEAT, ESCALATION and SERVICE MANAGER, which are used in the prototype systems to support dependability requirements. For service failures, systems rely on fail-safe behaviours, diverse modes of operation and fault escalation to backup services. Instead of using time-bounded reconfiguration, services operate in best-effort capabilities, providing resilience for the system. This enables, for example, on-the-fly service changes, smooth recoveries from service failures and adaptations to new computing environments, which are essential requirements for CPSs.The results are combined into a systems engineering approach to dependability, which includes an analysis of the role of safety-critical requirements for control system software architecture design, architectural design, a dependability-case development approach for CPSs and domain-specific fault taxonomies, which support dependability case development and system reliability analyses. Other contributions of this work include three new patterns for fault tolerance in CPSs: DATA-CENTRIC ARCHITECTURE, LET IT CRASH and SERVICE MANAGER. These are presented together with a pattern language that shows how they relate to other patterns available for the domain

Data integrity: an often-ignored aspect of safety systems: executive summary

Data is all-pervasive and is found in all aspects of modern computer systems, and yet many engineers seem reluctant to recognise the importance of data integrity. The conventional view of data, as simply an aspect of software, underestimates the role played by data errors in the behaviour of the system and their potential effect on the integrity of the overall system. In many cases hazard analysis is not applied to data in the same way that it is applied to other system components. Without data integrity requirements, data development and data provision may not attract the degree of rigour that would be required of other system components of a similar integrity. This omission also has implications for safety assessment where the data is often ignored or neglected. This position becomes self reenforcing, as without integrity requirements the importance of data integrity remains hidden. This research provides a wide-ranging overview of the use (and abuse) of data within safety systems, and proposes a range of strategies and techniques to improve the safety of such systems. A literature review and a survey of industrial practice confirmed the conventional view of data, and showed that there is little consistency in the methods used for data development. To tackle these problems this work proposes a novel paradigm, in which data is considered as a separate and distinct system component. This approach not only ensures that data is given the importance that it deserves, but also simplifies the task of providing guidance that is specific to data. Having developed this conceptual framework for data, the work then goes on to develop lifecycle models to assist with data development, and to propose a range of techniques appropriate for the various lifecycle phases. An important aspect of the development of any safety-related system is the production of a safety argument, and this research looks in some detail at the treatment of data, and data development, within this justification. The industrial survey reveals that in data-intensive systems data is often developed quite separately from other elements of the system. It also reveals that data is often produced by an extended data supply chain that may involve a number of disparate organisations. These characteristics of data distinguish it from other system components and greatly complicate the achievement and demonstration of safety. This research proposes methods of modelling complex data supply chains and proposes techniques for tackling the difficult task of safety justification for such systems