Dagstuhl seminar "From Security to Dependability"
Dependability and Security: Positioning*
Jean-Claude Laprie

* Partially based on "Basic Concepts and Taxonomy of Dependable and Secure Computing", A. Avizienis, J.-C. Laprie, B. Randell, C. Landwehr, IEEE Transactions on Dependable and Secure Computing, Vol. 1, no. 1, pp. 11-33, January-March 2004
Basic definitions
• Dependability: ability to deliver service that can justifiably be trusted
• Service delivered by a system: its behavior as it is perceived by its user(s)
• User: another system that interacts with the former
• Function of a system: what the system is intended to do
• (Functional) Specification: description of the system function
• Correct service: when the delivered service implements the system function
• Service failure: event that occurs when the delivered service deviates from correct service, either because the system does not comply with the specification, or because the specification did not adequately describe its function
• (Service) Failure modes: the ways in which a system can fail, ranked according to failure severities
• Error: part of the system state that may cause a subsequent service failure
• Fault: adjudged or hypothesized cause of an error
• Dependability (alternate definition): ability to avoid service failures that are more frequent or more severe than is acceptable
• Dependability failure: when service failures are more frequent or more severe than acceptable
• Dependence of system A on system B: the extent to which system A's dependability is (or would be) affected by that of system B
• Trust: accepted dependence
Dependability attributes
• Availability: readiness for usage
• Reliability: continuity of service
• Safety: absence of catastrophic consequences on the user(s) and the environment
• Confidentiality: absence of unauthorized disclosure of information
• Integrity: absence of improper system alterations
• Maintainability: ability to undergo repairs and evolutions
[Figure: the dependability tree]
• Threats: faults, errors, failures. A fault is activated into an error, the error propagates into a failure, and the failure of one component is the cause (causation) of a fault in the next: … → fault → error → failure → fault → …
• Attributes: availability, reliability, safety, confidentiality, integrity, maintainability
• Means: fault prevention, fault tolerance, fault removal, fault forecasting
Dependability definitions
• Original definition: ability to deliver service that can justifiably be trusted
• This makes it possible to generalize availability, reliability, safety, confidentiality, integrity and maintainability, which are then attributes of dependability
• Alternate definition: ability to avoid service failures that are more frequent or more severe than is acceptable
• A system can, and usually does, fail. Is it however still dependable? When does it become undependable? This gives a criterion for deciding whether or not, in spite of service failures, a system is still to be regarded as dependable
Dependability attributes
• Primary attributes: Availability, Reliability, Safety, Confidentiality, Integrity, Maintainability
• Secondary attributes
  • Specialization
    • Robustness: dependability with respect to external faults
    • Survivability: dependability in the presence of active fault(s)
  • Distinguishing among various types of (meta-)information
    • Accountability: availability and integrity of the person who performed an operation
    • Authenticity: integrity of a message content and origin, and possibly some other information, such as the time of emission
    • Non-repudiability: availability and integrity of the identity of the sender of a message (non-repudiation of the origin), or of the receiver (non-repudiation of reception)
National Information Assurance Glossary, Committee on National Security Systems, May 2003, revised June 2006
• Information systems security (INFOSEC): Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.
  • Protection against unauthorized access to information: Confidentiality
  • Protection against unauthorized modification of information: Integrity
  • Protection against denial of service to authorized users: Availability
• Note: the 'classical' definition of security as it used to appear in the Common Criteria (composition of confidentiality, integrity, and availability) has disappeared in the current edition
• Information assurance: Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation.
  • Availability: Timely, reliable access to data and information services for authorized users.
  • Integrity: Quality of an IS reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data. Note that, in a formal security model, integrity is interpreted more narrowly to mean protection against unauthorized modification or destruction of information.
  • Authentication: Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.
  • Confidentiality: Assurance that information is not disclosed to unauthorized individuals, processes, or devices.
  • Nonrepudiation: Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data.
[Figure: dependability and security as overlapping sets of attributes]
• Dependability: availability, reliability, safety, confidentiality, integrity, maintainability
• Security: confidentiality, integrity, and availability (with respect to authorized actions)
Threats: elementary classes of faults and failures
Faults
• Phase of creation or occurrence: development faults, operational faults
• System boundaries: internal faults, external faults
• Phenomenological cause: natural faults, human-made faults
• Dimension: hardware faults, software faults
• Intent: malicious faults, non-malicious faults
• Capability: accidental faults, deliberate faults, incompetence faults
• Persistence: permanent faults, transient faults
Failures
• Domain: content failures, early timing failures, late timing failures, halt failures, erratic failures
• Detectability: signaled failures, unsignaled failures
• Consistency: consistent failures, inconsistent (Byzantine) failures
• Consequences: minor failures … catastrophic failures
[Figure: combined fault classes] Examples of combined fault classes, each positioned along the elementary classification (phase of creation or occurrence, system boundaries, dimension, phenomenological cause, intent, capability, persistence): software flaws, logic bombs, hardware errata, physical deterioration, physical interference, intrusion attempts, viruses and worms, input mistakes, production defects. They fall into three overlapping groups: development faults, physical faults, interaction faults.
Human-made faults
• Intent: non-malicious or malicious
• Capability: non-malicious faults are accidental (mistakes), deliberate (bad decisions) or due to incompetence; malicious faults are deliberate
• Occur in interaction (operators, maintainers) and in development (designers); by individuals and by organizations
• Malicious logic faults: logic bombs, Trojan horses, trapdoors, viruses, worms, zombies
• Intrusion attempts
• Decision by independent professional judgement, by a board of enquiry, or by legal proceedings in a court of law
Fault pathology
[Figure: fault → error → failure chain] A fault is activated into an error; the error propagates until it alters the service, which is a failure; the failure of one component is the cause (causation) of a fault in another: … → failure → fault → error → failure → fault → …
• Error alters service: failure
• Facility for stopping the recursion: interaction faults, i.e. interaction or composition between components
• Prior presence of a vulnerability: an internal fault that enables an external fault to harm the system
• Activation reproducibility: solid (hard) faults vs. elusive (soft) faults; elusive faults are context dependent
• Elusive permanent faults and transient faults: intermittent faults
[Figure: website uptime statistics (Netcraft), March 2006] Panels: uptime (hours) and average requests for the top 50 most requested sites; uptime (hours) for the top 50 longest running sites; evolution of uptime (hours) over time; availability for 100h MTBF.
[Figure: mean time to system crash, due to hardware failure, for high end IBM servers] MTTF (years, 0 to 30) against year (1985 to 2000); series labelled 308X/3090, 9020, ECL-TCM, CMOS G1-G5 and Tandem.
Failure causes
• Failure sources of Web sites (3 sites, 6 months, 500-5000 servers/site): operator errors 51%, software 34%, hardware 15% (from D. Patterson, Recovery-oriented computing)
• Windows 2000 platforms: system configuration 34%, drivers 27%, hardware 22%, core software 13%, anti-virus 4% (from B. Murphy, Fault Tolerance role in this high availability world)
[Figure: yearly survey on computer damages in France, CLUSIF (2000, 2001, 2002)] Panels: occurrences, risk perception, occurrence impact; 3-year trends (stable, increase, decrease).
Safety and security
• Malicious faults have become a concern for safety-critical systems
  • Opening up of SCADAs (Supervisory Control and Data Acquisition) and connection to the global information infrastructure
• Assessment: safety relies on product assessment (formal methods), security on process assessment (compliance)
  Assessment   Product          Process
  Safety       Formal methods
  Security                      Compliance
• Rapid trend change in attack style (bots)
• ?
• Change in the statistical distribution of failure causes (beyond large media coverage)
• Dependability does not equate accidental faults
• Terminology tolerance (!)
  • Conceptually, provided the underlying concepts are clearly and consistently expressed
  • Practically, e.g., via the ReSIST knowledge base, under construction