Interplay of Misuse Case and Fault Tree Analysis for Security and Safety Analysis

Ohutus ja turvalisus infosüsteemides muutuvad aasta-aastalt üha olulisemaks. Seda seetõttu, et kaasaegsed infosüsteemid on üha enam levinud veebiteenustes, -võrgustikes ja –pilvedes. Ohutuse seisukohalt olulisi süsteeme, mida ei ole varem Internetis kasutatud, tehakse ümber, et muuta neid kasuatatvaks Internetis. Selle tulemusena on tekkinud vajadus leida uusi meetodeid, mis kindlustaks nii ohutuse kui turvalisuse tarkvarasüsteemides. Kui ohutust ja turvalisust ei käsitleta koos, võivad nad riske suurendada – olukorra ohutuks muutmine võib tekitada riski turvalisuses ning sellest tekib probleem. Näiteks lukustatud uksed ühiselamutes turvalisuse huvides, kaitsmaks sealseid elanikke röövide ning muude võimalike kuritegude eest. Uste avamiseks kasutavad ühiselamu elanikud kaarte, mis uksed avavad. Tulekahju korral aga avanevad uksed ohutuse eesmärgil automaatselt ning kurjategijad, lülitades sisse tuletõrjealarmi, pääsevad ühiselamu elanike vara juurde.Antud uurimistöös antakse ülevaade ohutusest ja turvalisusest kui ühtsest süsteemist, määratledes ohutuse ja turvalisuse mõisted ning otsides võimalikke viise nende integreerimiseks, arendades koosmõju ohutuse ja turvalisuse vahel kasutades misuse case´i ja fault tree analysis´i. Töös selgitatakse fault tree analysis´i sobivust ohutuse domeeni mudelisse ja püütakse leida koosmõju fault tree analysis´i ja misuse case´i tehnikate vahel. Kasutades nii ohutuse kui turvalisuse domeenimudeleid ning tekitades koosmõju tehnikate vahel, on oodatud tulemuseks ohutuse ja turvalisuse probleemi lahendamine tarkvarasüsteemides. Usutavasti aitab antud uurimistöö kaasa ohutuse ja turvalisuse integreerimisvõimaluste leidmisele selgitades fault tree analysis sobivust ohutuse domeenimudelisse, kasutades misuse case´i ja information security risk management´i seost ja kooskõlastades seda misuse case´i tehnikaga Samuti selgitatakse töös uut metoodikat, kuidas kasutada fault tree analysis-d ja misuse case´i selleks, et saavutada nii ohutus kui turvalisus kaasaegsetes infosüsteemides. Lisaks sellele testiti töös selgitatud sobivust usaldusväärse stsenaariumi korral, mis kinnitab sobivuse paikapidavust.Nowadays safety and security are becoming more and more important because of the fact that modern information systems are increasingly distributed over web-services, grids and clouds. Safety critical systems that were not utilizing usage over Internet are being re-engineered in order to be use over Internet. As a consequence of this situation there is need of new methods that cover both security and safety aspects of software systems, since these systems are used in transportation, health and process control systems that arises risk of physical injury or environmental damage. Additionally when safety and security aspects are not considered together they may violate each other while one situation is making a case safe it may violate security and this is a problem. Such as in the sample of lock doors at dormitories for security purpose to protect inhabitants against robbery and some other possible crimes, those inhabitants of dormitories use distance keys to unlock them but in case of a fire situation in the building for safety purposes these lock doors are unlocking themselves and by activating fire alarms attackers can get access to inhabitants properties. In current thesis we introduce integrated domain models of security and safety, extracting definitions from safety and security domains and finding possible pairs to integrate. Developing interplays between security and safety technique that is misuse cases and fault tree analysis. We demonstrate alignment of fault tree analysis to safety domain model and making interplay between techniques from fault tree analysis to misuse cases. By using the domain models of both security and safety and making interplay between techniques we proposed an integrated technique we expect to solve the problem to cover both safety aspects of software system benefiting from complementary strengths of security domain model and techniques. We believe that our study is contributing to the integration attempts of security and safety techniques by illustrating alignment of fault tree analysis with safety domain model benefitting from misuse cases and information security risk management relationship and making interplay with misuse case technique. And also we illustrate a new methodology on how to use fault tree analysis and misuse cases in order to elicit safety concerns in a new information system by having interplay with misuse case. Moreover, we test correctness of our methodology by making results comparison of a safety risk analyze done

A methodology for the generation of efficient error detection mechanisms

A dependable software system must contain error detection mechanisms and error recovery mechanisms. Software components for the detection of errors are typically designed based on a system specification or the experience of software engineers, with their efficiency typically being measured using fault injection and metrics such as coverage and latency. In this paper, we introduce a methodology for the design of highly efficient error detection mechanisms. The proposed methodology combines fault injection analysis and data mining techniques in order to generate predicates for efficient error detection mechanisms. The results presented demonstrate the viability of the methodology as an approach for the development of efficient error detection mechanisms, as the predicates generated yield a true positive rate of almost 100% and a false positive rate very close to 0% for the detection of failure-inducing states. The main advantage of the proposed methodology over current state-of-the-art approaches is that efficient detectors are obtained by design, rather than by using specification-based detector design or the experience of software engineers

Building safe software

Murphy is a set of techniques and tools under investigation for their potential in enhancing the safety of software. This paper describes some of the work which has been done and some which is planned

A controlled experiment for the empirical evaluation of safety analysis techniques for safety-critical software

Context: Today's safety critical systems are increasingly reliant on software. Software becomes responsible for most of the critical functions of systems. Many different safety analysis techniques have been developed to identify hazards of systems. FTA and FMEA are most commonly used by safety analysts. Recently, STPA has been proposed with the goal to better cope with complex systems including software. Objective: This research aimed at comparing quantitatively these three safety analysis techniques with regard to their effectiveness, applicability, understandability, ease of use and efficiency in identifying software safety requirements at the system level. Method: We conducted a controlled experiment with 21 master and bachelor students applying these three techniques to three safety-critical systems: train door control, anti-lock braking and traffic collision and avoidance. Results: The results showed that there is no statistically significant difference between these techniques in terms of applicability, understandability and ease of use, but a significant difference in terms of effectiveness and efficiency is obtained. Conclusion: We conclude that STPA seems to be an effective method to identify software safety requirements at the system level. In particular, STPA addresses more different software safety requirements than the traditional techniques FTA and FMEA, but STPA needs more time to carry out by safety analysts with little or no prior experience.Comment: 10 pages, 1 figure in Proceedings of the 19th International Conference on Evaluation and Assessment in Software Engineering (EASE '15). ACM, 201

Use of COTS functional analysis software as an IVHM design tool for detection and isolation of UAV fuel system faults

This paper presents a new approach to the development of health management solutions which can be applied to both new and legacy platforms during the conceptual design phase. The approach involves the qualitative functional modelling of a system in order to perform an Integrated Vehicle Health Management (IVHM) design – the placement of sensors and the diagnostic rules to be used in interrogating their output. The qualitative functional analysis was chosen as a route for early assessment of failures in complex systems. Functional models of system components are required for capturing the available system knowledge used during various stages of system and IVHM design. MADe™ (Maintenance Aware Design environment), a COTS software tool developed by PHM Technology, was used for the health management design. A model has been built incorporating the failure diagrams of five failure modes for five different components of a UAV fuel system. Thus an inherent health management solution for the system and the optimised sensor set solution have been defined. The automatically generated sensor set solution also contains a diagnostic rule set, which was validated on the fuel rig for different operation modes taking into account the predicted fault detection/isolation and ambiguity group coefficients. It was concluded that when using functional modelling, the IVHM design and the actual system design cannot be done in isolation. The functional approach requires permanent input from the system designer and reliability engineers in order to construct a functional model that will qualitatively represent the real system. In other words, the physical insight should not be isolated from the failure phenomena and the diagnostic analysis tools should be able to adequately capture the experience bases. This approach has been verified on a laboratory bench top test rig which can simulate a range of possible fuel system faults. The rig is fully instrumented in order to allow benchmarking of various sensing solution for fault detection/isolation that were identified using functional analysis

Learning Tractable Probabilistic Models for Fault Localization

In recent years, several probabilistic techniques have been applied to various debugging problems. However, most existing probabilistic debugging systems use relatively simple statistical models, and fail to generalize across multiple programs. In this work, we propose Tractable Fault Localization Models (TFLMs) that can be learned from data, and probabilistically infer the location of the bug. While most previous statistical debugging methods generalize over many executions of a single program, TFLMs are trained on a corpus of previously seen buggy programs, and learn to identify recurring patterns of bugs. Widely-used fault localization techniques such as TARANTULA evaluate the suspiciousness of each line in isolation; in contrast, a TFLM defines a joint probability distribution over buggy indicator variables for each line. Joint distributions with rich dependency structure are often computationally intractable; TFLMs avoid this by exploiting recent developments in tractable probabilistic models (specifically, Relational SPNs). Further, TFLMs can incorporate additional sources of information, including coverage-based features such as TARANTULA. We evaluate the fault localization performance of TFLMs that include TARANTULA scores as features in the probabilistic model. Our study shows that the learned TFLMs isolate bugs more effectively than previous statistical methods or using TARANTULA directly.Comment: Fifth International Workshop on Statistical Relational AI (StaR-AI 2015

Model-Based Security Testing

Security testing aims at validating software system requirements related to security properties like confidentiality, integrity, authentication, authorization, availability, and non-repudiation. Although security testing techniques are available for many years, there has been little approaches that allow for specification of test cases at a higher level of abstraction, for enabling guidance on test identification and specification as well as for automated test generation. Model-based security testing (MBST) is a relatively new field and especially dedicated to the systematic and efficient specification and documentation of security test objectives, security test cases and test suites, as well as to their automated or semi-automated generation. In particular, the combination of security modelling and test generation approaches is still a challenge in research and of high interest for industrial applications. MBST includes e.g. security functional testing, model-based fuzzing, risk- and threat-oriented testing, and the usage of security test patterns. This paper provides a survey on MBST techniques and the related models as well as samples of new methods and tools that are under development in the European ITEA2-project DIAMONDS.Comment: In Proceedings MBT 2012, arXiv:1202.582

Time-Space Efficient Regression Testing for Configurable Systems

Configurable systems are those that can be adapted from a set of options. They are prevalent and testing them is important and challenging. Existing approaches for testing configurable systems are either unsound (i.e., they can miss fault-revealing configurations) or do not scale. This paper proposes EvoSPLat, a regression testing technique for configurable systems. EvoSPLat builds on our previously-developed technique, SPLat, which explores all dynamically reachable configurations from a test. EvoSPLat is tuned for two scenarios of use in regression testing: Regression Configuration Selection (RCS) and Regression Test Selection (RTS). EvoSPLat for RCS prunes configurations (not tests) that are not impacted by changes whereas EvoSPLat for RTS prunes tests (not configurations) which are not impacted by changes. Handling both scenarios in the context of evolution is important. Experimental results show that EvoSPLat is promising. We observed a substantial reduction in time (22%) and in the number of configurations (45%) for configurable Java programs. In a case study on a large real-world configurable system (GCC), EvoSPLat reduced 35% of the running time. Comparing EvoSPLat with sampling techniques, 2-wise was the most efficient technique, but it missed two bugs whereas EvoSPLat detected all bugs four times faster than 6-wise, on average.Comment: 14 page