On Hierarchical Design of Computer Systems for Critical Applications Peter Gabriel Neumann Presented by Bo Cui.


On Hierarchical Design of Computer Systems for Critical Applications Peter Gabriel Neumann Presented by Bo Cui

Critical environments and critical requirements
• Computers are increasingly being used in life-critical environments and other critical applications.
• Critical environments have critical requirements: any or all of a wide range of characteristics whose absence or diminished presence can result in serious consequences.

Critical computer system requirements
• Critical computer system requirements exist at different levels of abstraction.
• The critical requirements differ at each level of abstraction.
• Critical system requirements are closely interrelated.

Hypothesis
• Appropriate use of hierarchical abstraction and encapsulation can lead to systems that are intrinsically better at satisfying critical requirements than conventionally designed systems, while also helping to reduce undesired side effects and to isolate the propagation of failures.

Hierarchies
• The concept of "layer A uses layer B":
  – Layer A depends for its correctness on layer B, or layer A calls layer B, or a combination of both.
  – A requires the presence of a correct version of B. But with respect to what set of requirements is correctness to be defined?
  – A more mechanistic definition that avoids the notion of correctness: layer A uses layer B whenever it is syntactically possible that A depends upon B.
  – Depends upon: A is said to depend upon B whenever an action of B, a change to B, or the total unavailability of B can have an effect upon A.
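The "uses" and "depends upon" definitions above can be checked mechanically. The following is an added example, not code from the slides or from Neumann's paper: it takes a constructed "A uses B" relation between hypothetical layers, verifies that it really is a hierarchy (assigns each layer a level such that it uses only layers strictly below it, failing on any cycle), and computes the set of layers that a failure of a given layer can propagate to.

```python
from collections import defaultdict

# Constructed layer names and "A uses B" edges for illustration; these are
# not taken from the slides or from Neumann's paper.
USES = {
    "application": {"trusted_processes", "file_system"},
    "trusted_processes": {"security_kernel"},
    "file_system": {"security_kernel"},
    "security_kernel": {"hardware"},
    "hardware": set(),
}

def layer_levels(uses):
    """Assign each layer a level such that every layer only uses layers
    strictly below it. Returns the level map, or None if the "uses"
    relation contains a cycle and therefore is not a hierarchy."""
    levels = {}

    def level(layer, path):
        if layer in levels:
            return levels[layer]
        if layer in path:
            return None  # A uses ... uses A: no hierarchical ordering exists
        path.add(layer)
        below = [level(b, path) for b in uses.get(layer, ())]
        path.discard(layer)
        if any(l is None for l in below):
            return None
        levels[layer] = 1 + max(below, default=-1)  # bottom layer gets 0
        return levels[layer]

    for layer in uses:
        if level(layer, set()) is None:
            return None
    return levels

def affected_by(uses, failed):
    """Layers that transitively depend upon `failed`: every layer that an
    action of, a change to, or the unavailability of `failed` can have an
    effect upon. This is how far a failure of that layer can propagate."""
    users = defaultdict(set)  # reverse of "uses": B -> layers that use B
    for a, targets in uses.items():
        for b in targets:
            users[b].add(a)
    reached, stack = set(), [failed]
    while stack:
        for a in users[stack.pop()]:
            if a not in reached:
                reached.add(a)
                stack.append(a)
    return reached
```

A layer with a small affected_by set is one whose failures are well isolated; the security kernel, by contrast, is used by everything above it, which is why the slides insist it be implemented with the most care.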

Hierarchies … contd.
• The concept of a Generalized Trusted Computing Base (GTCB):
  – The GTCB enforces the most critical properties.
  – The properties that the GTCB enforces should not be compromisable from outside the GTCB; this relies on good design techniques such as fault tolerance, recovery strategies, careful implementation and verification.

Hierarchies … contd.
• Degrees of criticality
  – A degree of criticality is determined for each feature of the system, and the feature is assigned to the corresponding layer in the hierarchy.
• Multilevel security
  – All data and subjects are classified into security levels.
  – No-adverse-flow policy: information is not allowed to flow from a higher security level to a lower security level.

Hierarchies … contd.
• In multilevel security (MLS), the lower layers of the computer system typically provide a security kernel that enforces the no-adverse-flow policy.
• On top of the security kernel a set of trusted processes is implemented.
  – These processes can selectively violate the no-adverse-flow principle.
• The kernel and all trusted software together form the trusted computing base (TCB).

Hierarchies … contd.
• Multilevel integrity
  – Each program or piece of data is associated with a certain integrity level.
  – No-adverse-flow policy (for integrity: information must not flow from a lower integrity level to a higher one).
• Implementing integrity-level separation limits tampering with the system by less trustworthy individuals and, in combination with multilevel security, can ensure that no Trojan horses, viruses, etc. can violate the system properties.
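The three preceding slides describe two no-adverse-flow policies (security and integrity) enforced by a kernel, with trusted processes allowed to bypass them selectively. The following added example (not code from the slides or from Neumann's paper) implements that decision for a single read or write request; the level names, the Label type and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed level orderings, lowest first; these names are illustrative
# and not from the slides.
SECURITY = ["unclassified", "confidential", "secret", "top_secret"]
INTEGRITY = ["untrusted", "user", "system", "kernel"]

@dataclass(frozen=True)
class Label:
    security: str   # confidentiality level of a subject or object
    integrity: str  # integrity level of a subject or object

def allowed(subject, obj, op, trusted=False):
    """Decide whether `subject` may `op` ('read' or 'write') `obj` under both
    no-adverse-flow policies.
    Security: no flow from a higher security level to a lower one, so a
    subject reads only at or below its level and writes only at or above it.
    Integrity: no flow from a lower integrity level to a higher one, so a
    subject reads only at or above its integrity level and writes only at or
    below it. A trusted process (part of the TCB) may selectively bypass both."""
    if trusted:
        return True
    s_sec, o_sec = SECURITY.index(subject.security), SECURITY.index(obj.security)
    s_int, o_int = INTEGRITY.index(subject.integrity), INTEGRITY.index(obj.integrity)
    if op == "read":   # information flows object -> subject
        return o_sec <= s_sec and o_int >= s_int
    if op == "write":  # information flows subject -> object
        return o_sec >= s_sec and o_int <= s_int
    raise ValueError(f"unknown operation {op!r}")

def denied(requests):
    """Run a batch of (subject, obj, op, trusted) requests through the check
    and return those the kernel would refuse, in order, for audit logging."""
    return [r for r in requests if not allowed(*r)]

# Constructed sample: an analyst process at secret/user touching five objects.
ANALYST = Label("secret", "user")
SAMPLE = [
    (ANALYST, Label("confidential", "system"), "read", False),  # permitted
    (ANALYST, Label("unclassified", "user"), "write", False),   # leaks secret data downward
    (ANALYST, Label("secret", "untrusted"), "read", False),     # would ingest low-integrity input
    (ANALYST, Label("secret", "system"), "write", False),       # would tamper with system-integrity data
    (ANALYST, Label("unclassified", "user"), "write", True),    # trusted downgrader, exempt
]
```

The last two denials are the integrity half of the slide's argument: a less trustworthy subject can neither feed a program low-integrity input nor overwrite higher-integrity code or data, which is what blocks Trojan horses and viruses from propagating upward.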

Design principles
• Principle of least privilege
• Principle of information hiding
• Principle of preserving hierarchical orderings
• A design decomposition should be sought that requires only a small portion of the system to be trusted.
• All of the above principles contribute to the notion of defensive design for critical systems, which tries to make the results at each layer resilient to undetected or unanticipated failures of lower layers, and which tries to propagate its own errors upwards.

Conclusion
• No system is guaranteed to work properly all the time.
• Humans in the loop may add to the problem rather than improve it.
• In a complex system it is essentially impossible to predict all the sources of catastrophic failure.
• The notion that all critical concerns can be confined to a small portion of the system or distributed system is a fantasy.
• Hierarchical design and careful implementation of complex critical systems can help to confine the bad effects and to increase system reliability, security and other positive features.