Deviational analyses for validating regulations on real systems


REMO2V'06 813
Regulations Modelling and their Validation and Verification

Fiona Polack, Thitima Srivatanakul, Tim Kelly, and John Clark
Department of Computer Science, University of York, YO10 5DD, UK
Department of Civil Aviation, Ministry of Transport, Bangkok 10120, Thailand

Abstract. Deviational analysis is a traditional way of exploring the safety of systems. The results of deviational analysis contribute to traditional safety cases and safety arguments. We extend deviational analysis to other aspects of dependability, notably security. We discuss how the evidence of deviational analysis can contribute to the validation of regulations, in the sense of how regulations are applied to real systems.

Keywords: deviational analysis, dependability, regulation validation

1 Background

Regulations are intended to control the way that choice operates in critical systems. Validation must include consideration of how well their intent is met by real systems operating within the regulations. We describe the systematic analysis of security, illustrating it with results from a case study of the security of baggage handling in an international airport [11]. The case study was carried out in situ, with the co-operation of the relevant airport staff.

International airline regulations [9] have a goal to prevent the introduction of explosives or other dangerous devices on to aircraft by way of checked baggage. This is elaborated [8] to:

1. all baggage is subject to security controls prior to boarding the aircraft;
2. all baggage is protected from interference or the introduction of unauthorised items after acceptance at the check-in counter;
3. baggage for passengers who are not on board the aircraft must not be transported on to the aircraft.

The first two aspects are addressed here. The case study reveals a range of situations where the regulations are in force but their intent was not met.

1.1 Deviational analysis and argumentation

The most mature area of dependability assurance is safety; national and international procedures require operators of aircraft, manufacturing plants and other critical systems to provide evidence of acceptably-safe operation.

In safety, traditional checklist approaches capture experience of development or operation. More powerful approaches use flaw hypothesis to explore the potential for accidents. For example, HAZOP [7] is a systematic, deviational approach applied to models, which encourages imaginative analysis of the potential for failure by applying guidewords to concepts and components.

Deviational techniques provide evidence for arguments made to demonstrate to external assessors that a system meets the necessary dependability targets. Again, argumentation is most advanced in safety work. In general, we can identify the required dependability attributes for particular types of system, and build policy and regulations based on argumentation of these attributes (see [2]). Safety cases are typically visualised using the Goal Structuring Notation (GSN). This expresses the structure of an argument in terms of goals, argument strategies (e.g. for decomposing goals), context, assumptions and solutions (where evidence establishes the validity of the stated goal) [5]. The GSN approach has been extended to dependability and policy derivation (see [4]).

1.2 Argumentation and regulations

Our work looks at how well a real system establishes the intention of the regulations under which it operates (we do not directly analyse the regulations). We apply two deviational approaches to models of the baggage handling system. The deviations aim to elicit ways in which baggage security could be compromised, despite the system's established conformance to international regulations. Our deviational approaches, developed to analyse models for potential security vulnerabilities, apply HAZOP to use cases [13, 14] and to security zones [12]. In [11], these approaches provide evidence to a GSN argument that the system is acceptably secure. The goal is to meet the security intent of the regulations. Here, we reflect on security analysis and argument as a means to explore how well the compliant baggage handling system establishes the intent of the regulations.

2 Abuse cases: HAZOP on use cases

Use cases are used to model high-level functional requirements. We propose [11, 13] abuse cases to systematically challenge the meaning of every model element: the use case, its actors and associations. HAZOP is applied to the use case's process steps and their pre- and post-conditions. For actors, HAZOP is applied to their intentions and capabilities, as derived from intended goals. The technique was devised for use in the early stages of development, to identify and incorporate security-related requirements and development constraints. It is similar to, but more systematic than, other abuse or misuse case techniques used to highlight system vulnerabilities [6, 10], and to work using HAZOP to extract non-functional requirements [1, 3].

In adapting HAZOP for model analysis, each HAZOP guideword must be assigned a clear interpretation for each type of model element. For example, Table 1 gives the HAZOP guideword interpretations for an actor.

Table 1. Generic HAZOP guidewords interpreted for use case actor [11]

Feature            Guideword          Meaning
Actor intent       NO                 The intent (action) does not take place
                   MORE               More than the intent is achieved, e.g. sequential or parallel repetition, or some scalar parameter is too large
                   LESS               Actions were incomplete or insufficient
                   AS WELL AS         Some supplementary or contradictory action occurred as well as that intended
                   OTHER THAN         The action achieves incorrect results, or the actor uses the action for purposes outside the intended
Actor capability   NO                 The actor does not have the ability to perform the action
                   MORE, AS WELL AS   More general capability, allowing more than the intended action to be performed
                   LESS, PART OF      Less capability, or only part of the required abilities, so less is achieved than intended

The baggage handling system has been in operation for many years, so its functional requirements are well understood. As expected, abuse cases reveal no new information about functional aspects. However, the analysis reveals various security threats and several implicit security requirements. It also highlights the importance of appropriate inputs and/or information within the system: many of the vulnerabilities relate to incorrect use of baggage tags, or to the possibility of baggage being swapped or tampered with during the check-in process.

The HAZOP analysis focuses on areas of vulnerability in the system that might compromise its ability to achieve the intention of the baggage regulations. In comparison to other security analysis techniques, abuse cases prompt a detailed discussion of how an attack might exploit a vulnerability, and the possible effects of exploitation are thoroughly investigated. Airport security managers found the technique beneficial in its ability to identify vulnerabilities in operational tasks and in features of the computer systems related to baggage handling. Importantly, these issues are newly identified, despite the long period of use under well-managed regulatory procedures.

3 Zonal analysis with HAZOP

Regulations typically assume zoning. For example, transport networks have zones where vehicles can legally travel (roads, rails, air corridors) and park (parts of airports, some road verges). Regulations intend to manage action in and between zones, whilst risk analysis also considers the interaction of networks: where roads cross railways, or road vehicles circulate in airports. The importance of zones in security is the ability to identify any means of illicitly crossing the boundary between zones. In [12], HAZOP challenges the potential channels, and the use of channels, between zones.

For the baggage handling system [11], there are three zones: the baggage sorting and make-up area (zone 1), the check-in desk (zone 2) and all adjacent areas (zone 3). Airport staff identified known channels in relation to these zones. Compliance with the baggage-security regulations implies that these channels are only used in intended ways by authorised agents.

Srivatanakul's systematic zonal HAZOP identified over 50 potential vulnerabilities, such as unintended channels to zones 1 and 2, and unintended consequences of intended channels. Thus, zones 1 and 2 were shown to be secure, but checked-in baggage might be compromised by illicit use of a legal entry point into zone 2. In most cases, the vulnerabilities are protected by existing controls. However, a few had the potential to cause serious breaches of regulation, prompting reconsideration of how the regulations are interpreted, or application of enhanced access control. Again, the airport security management found the technique an effective audit of security measures.

The HAZOP analyses contribute evidence to a GSN security argument. In [11], sample patterns of analysis are presented to assist the argument that the security intent of the regulations is met. For example, a security goal formulated as "Access to Zone 1 is restricted to authorised persons" might be decomposed under a strategy, "argument over authorised and unauthorised people". However, a HAZOP result is that authorised people can legally access a zone and cause harm. The primary goal must be re-written as "Access to Zone 1 is restricted to authorised persons for identified purposes". The analysis then proceeds to consider potential violations of security by authorised persons with unidentified purposes. At the lowest level, evidence that a security goal is met is provided by appeal to the fine-grained HAZOP analysis of the zones and channels.
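As an added illustration (not code from the paper, nor from [11] or [12]), the following Python sketch generates the zonal HAZOP deviation checklist described in Section 3 and shows why the Zone 1 access goal had to be rewritten. The zone numbering is the paper's; the channel names, roles, purposes and the channel guideword interpretations are constructed assumptions.

```python
"""Zonal HAZOP checklist and the Zone 1 access-goal refinement (illustrative;
channels, roles, purposes and guideword meanings are constructed, not the
paper's own data)."""
from dataclasses import dataclass
from itertools import product

# Guideword interpretations for a channel between zones, in the spirit of
# Table 1 (assumed here; the paper's channel interpretations are in [12]).
CHANNEL_GUIDEWORDS = {
    "NO": "the intended transfer through the channel does not occur",
    "MORE": "the channel is used more often, or carries more, than intended",
    "LESS": "the transfer through the channel is incomplete",
    "AS WELL AS": "an extra item, person or action crosses with the intended transfer",
    "OTHER THAN": "the channel is used by an unintended agent or for an unintended purpose",
    "REVERSE": "the channel is used in the opposite direction",
}

@dataclass(frozen=True)
class Channel:
    name: str
    src: int               # zone the channel leaves
    dst: int               # zone the channel enters
    roles: frozenset       # roles authorised to use the channel
    purposes: frozenset    # purposes for which its use is intended

# Constructed model: zone 1 = sorting/make-up, zone 2 = check-in desk, zone 3 = adjacent areas.
CHANNELS = (
    Channel("check-in belt", 2, 1, frozenset({"check-in agent"}), frozenset({"send accepted bag"})),
    Channel("sorting-area door", 3, 1, frozenset({"baggage handler", "supervisor"}),
            frozenset({"shift work", "maintenance"})),
    Channel("desk front", 3, 2, frozenset({"passenger", "check-in agent"}),
            frozenset({"present bag", "staff work"})),
)

def zonal_hazop(channels):
    """One row per (channel, guideword): the systematic deviation checklist that
    the analyst then completes with causes, consequences and existing controls."""
    return [
        {"channel": c.name, "crossing": f"zone {c.src} -> zone {c.dst}",
         "guideword": gw, "deviation": meaning}
        for c, (gw, meaning) in product(channels, CHANNEL_GUIDEWORDS.items())
    ]

def access_permitted_v1(channel, role):
    """Goal as first formulated: access is restricted to authorised persons."""
    return role in channel.roles

def access_permitted_v2(channel, role, purpose):
    """Refined goal: restricted to authorised persons for identified purposes."""
    return access_permitted_v1(channel, role) and purpose in channel.purposes

def screen_zone_uses(channels, zone, uses):
    """Evaluate constructed channel uses (role, purpose, channel name) entering
    `zone` under both goal formulations.  A use that passes v1 but fails v2 is
    the Section 3 finding: an authorised person using a legal entry point for
    an unidentified purpose, which the original goal cannot detect."""
    by_name = {c.name: c for c in channels if c.dst == zone}
    results = {}
    for role, purpose, name in uses:
        ch = by_name[name]
        results[(role, purpose, name)] = (
            access_permitted_v1(ch, role), access_permitted_v2(ch, role, purpose))
    return results

def undetected_by_v1(results):
    """Uses the original goal accepts but the refined goal rejects."""
    return sorted(k for k, (v1, v2) in results.items() if v1 and not v2)
```

The checklist rows are the starting point for the analyst's table of causes, consequences and controls; `undetected_by_v1` isolates exactly the class of deviation that forced the goal to be re-stated.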
4 Conclusions

In relation to the validation of regulations, [11] notes that the vulnerabilities found by the two techniques arise despite existing security controls and operational tasks that are compliant with the regulations in [8]. It is well known that security cannot only be considered in general; regulations must be (re)validated in the specific context and domain. Security vulnerabilities arise because it is too easy to comply with the regulations without achieving their intent. In terms of the validation of regulations, our HAZOP analyses do not look at the regulations themselves, but at the ability of a system to uphold the intent of the regulation.

HAZOP analysis is a widely-accepted systematic approach, applied to models of systems to detect and evaluate potential failures or vulnerabilities. Here, HAZOP generates significant insight into potential security threats that would cause the system to violate the security intentions of the international baggage regulations. Abuse cases identify vulnerabilities in the interactions of people and processes, whilst zonal HAZOP seeks side channels by which secure zones can be attacked. Both are used here to explore how the intent of the regulations is borne out in the actual system. Although the zonal HAZOP case study concentrates on physical zones, HAZOP can also be applied to logical zones [12]. An important sort of logical zone, in relation to regulation, is areas of responsibility; the analogue of illicitly crossing a boundary between zones is gaps or overlaps in the responsibilities of people or systems that contribute to compliance with the regulations.

The deviational analyses provide a valuable security audit of the existing system, and prompt consideration of the need for specific guidance on how to achieve the intent of the regulations in specific situations. If similar analyses were applied to systems for which new regulations were being prepared, possible omissions or errors could be detected and corrected in the draft regulations.

References

1. K. Allenby and T. P. Kelly. Deriving safety requirements using scenarios. In 5th IEEE International Symposium on Requirements Engineering (RE'01). IEEE Computer Society Press, 2001.
2. G. Despotou and T. Kelly. Extending the safety case concept to address dependability. In 22nd International System Safety Conference. System Safety Society, August 2004.
3. B. P. Douglass. Real-time UML (2nd ed.): Developing efficient objects for embedded systems. Addison-Wesley Longman Ltd., 2000.
4. M. Hall-May and T. Kelly. Planes, trains and automobiles: an investigation into safety policy for systems of systems. In 23rd International System Safety Conference. System Safety Society, August 2005.
5. T. P. Kelly. Arguing Safety: A Systematic Approach to Safety Case Management. PhD thesis, Department of Computer Science, University of York, 1999. http://www.cs.york.ac.uk/ftpdir/reports/ycst-99-05.pdf
6. J. McDermott. Abuse-case-based assurance arguments. In 17th Annual Computer Security Applications Conference, pages 366-376. IEEE Computer Society, 2001.
7. MoD. Defence Standard 00-58: HAZOP studies on systems containing programmable electronics. Technical report, UK Ministry of Defence, 1996.
8. International Civil Aviation Organisation. Annex 17: Safeguarding civil aviation against acts of unlawful interference. ICAO, 2002.
9. International Civil Aviation Organisation. Doc 8973: Security manual for safeguarding civil aviation against acts of unlawful interference. ICAO, 2002.
10. G. Sindre and A. L. Opdahl. Eliciting security requirements by misuse cases. In Proc. of TOOLS Pacific 2000, pages 120-131. IEEE Computer Society, 2000.
11. T. Srivatanakul. Security Analysis with Deviational Techniques. PhD thesis, Department of Computer Science, University of York, UK, 2005. http://www.cs.york.ac.uk/ftpdir/reports/ycst-2005-12.pdf
12. T. Srivatanakul, J. Clark, and F. Polack. Security zonal analysis. Technical Report YCS-2004-374, Department of Computer Science, University of York, UK, 2004. http://www.cs.york.ac.uk/ftpdir/reports/ycs-2004-374.pdf
13. T. Srivatanakul, J. A. Clark, and F. Polack. Effective security requirements analysis: HAZOP and use cases. In Information Security: 7th International Conference, volume 3225 of LNCS, pages 416-427. Springer, September 2004.
14. T. Srivatanakul, J. A. Clark, and F. Polack. Writing effective security abuse cases. Technical Report YCS-2004-375, Department of Computer Science, University of York, UK, 2004. http://www.cs.york.ac.uk/ftpdir/reports/ycs-2004-375.pdf