Author: Zhensheng Guo; Zeckzer, D.; Liggesmeyer, P.; Mäckel, O.; AG Software Eng.: Dependability, Univ. of Kaiserslautern, Kaiserslautern, Germany Source:

1 Identification of Security-Safety Requirements for the outdoor robot RAVON using Safety Analysis Techniques. Authors: Zhensheng Guo; Zeckzer, D.; Liggesmeyer, P.; Mäckel, O.; AG Software Eng.: Dependability, Univ. of Kaiserslautern, Kaiserslautern, Germany. Source: Software Engineering Advances (ICSEA), 2010 Fifth International Conference. Presented by Jui-Lung Yao, Master Student of CSIE, CCU.

2 Outline: Introduction; Identify the requirement; Safety analysis techniques; Security analysis techniques; Safety and Security analysis techniques; Case study; Conclusion & Future work

4 Introduction: In order to identify such security-safety requirements, e.g., security attacks that have safety consequences, it is important to find effective techniques for concurrently identifying possible safety failures, their probabilities and countermeasures, and security attacks, vulnerabilities, likelihoods and protection measures.

6 Identify the requirement: In order to identify the requirements, it is essential to elicit the possible requirements from the different stakeholders. During requirements elicitation, the developers try to talk to possible stakeholders with the aim of identifying a complete set of requirements. Scenario-based techniques are widely used both in theory and in industry.

7 Scenario-based techniques: Scenario descriptions based on domain-related terms are often expressed using natural language. Scenarios may be represented in a variety of media: natural language text, graphics, images, videos or designed prototypes. Furthermore, a modeling language providing semi-formal or formal notations may exist.

8 Scenario-based techniques: [figure: a general narrative scenario example]

9 Goal Structuring Notation (GSN): The Goal Structuring Notation (GSN) explicitly represents the individual elements of any safety argument (requirements, claims, evidence and context) and, perhaps more significantly, the relationships that exist between these elements (i.e. how individual requirements are supported by specific claims, how claims are supported by evidence, and the assumed context that is defined for the argument).

10 Goal Structuring Notation (GSN): A graphical argumentation notation.

11 Goal-Directed Requirements Acquisition (KAOS): A conceptual model for acquiring and structuring requirements models, with an associated acquisition language; a set of strategies for elaborating requirements models in the KAOS framework; and an automated assistant that provides guidance in the acquisition process according to such strategies.

12 Goal-Directed Requirements Acquisition (KAOS): (Organizational) goals lead to requirements. Goals justify and explain requirements which are not necessarily comprehensible by stakeholders. Goals can be used to assign responsibilities to agents so that prescribed constraints can be met. Goals provide basic information for detecting and resolving conflicts that arise from multiple viewpoints.

14 Failure modes and effects analysis: FMEA was developed as a formal methodology in the 1960s in response to the special safety needs of the aircraft industry. An FMEA is a procedure in product development and operations management for the analysis of potential failure modes within a system, classifying them by the severity and likelihood of the failures.

15 Fault tree analysis: Fault tree analysis (FTA) is a top-down, deductive failure analysis in which an undesired state of a system is analyzed using Boolean logic to combine a series of lower-level events.

17 Security analysis techniques: Fault tree analysis for security (sometimes referred to as threat tree or attack tree analysis) is a top-down approach to identifying vulnerabilities. In a fault tree, the attacker's goal is placed at the top of the tree. Then, the analyst documents possible alternatives for achieving that attacker goal.

18 Security analysis techniques (cont'd): For each alternative, the analyst may recursively add precursor alternatives for achieving the subgoals that compose the main attacker goal. This process is repeated for each attacker goal. By examining the lowest-level nodes of the resulting attack tree, the analyst can then identify all possible techniques for violating the system's security; preventions for these techniques could then be specified as security requirements for the system.

19 Security analysis techniques (cont'd): Failure Modes and Effects Analysis (FMEA) is a bottom-up approach for analyzing possible security failures. The consequences of a simultaneous failure of all existing or planned security protection mechanisms are documented, and the impact of each failure on the system's mission and stakeholders is traced.

21 Safety and Security analysis techniques:
1. Identification of analysis objects.
2. Qualitative and quantitative analysis.
3. For the safety domain, failure causes, modes, effects, hazards, probability and cost of the risk exposure are used.
4. In contrast, for the security domain, attacks, vulnerability, likelihood, financial losses, protective measures, etc. are utilized.
5. Prioritization of the functions.

23 Case study: This case study was performed on the Robust Autonomous Vehicle for Off-road Navigation (RAVON). RAVON is an automatic outdoor robot which is designed to support human beings in dangerous areas or dangerous activities such as fire extinguishing, handling of toxic materials, etc.

24 Case study: The robot weighs around 750 kg and can navigate in the field using sensors like 2-D scanners, 3-D scanners and GPS receivers, controllers such as industrial PCs, as well as software controllers, actuators, and motors. It can move with a maximum speed of 3 meters per second.

25 Case study: First of all, a bottom-up safety analysis such as FME(C)A is performed to identify possible failure reasons, failure modes, and failure effects or hazards that are associated with the identified functions. Afterwards, a fault tree analysis can be conducted based on a selected failure behavior and its possible causes.

26 Case study: Safety fault tree. The figure shows the possible causes of the malfunction of the bumper.

27 Case study: Security attack tree. In this figure, the top event "RAVON fails" occurs if one of the following attacks is successful: "physical attack" or "attack via software".

28 Case study: Security-safety fault tree. In the figure, the bumper-related security tree branch "safety control deactivated" is added to the safety fault tree as an intermediate event under the intermediate event "bumper contact bar fails".
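As an added illustration of slides 15, 17/18 and 26 to 28 (this is example code written for this transcript, not the paper's or the RAVON project's own tooling): a small fault-tree evaluator that models the bumper tree, grafts the security branch "safety control deactivated" under "bumper contact bar fails", lists the minimal cut sets that exist only because of that branch (each one is a candidate security-safety requirement), and computes the top-event probability for the quantitative step. All event names, tree structure and probabilities are constructed assumptions that follow the slides' description only loosely.

```python
from itertools import product
from math import prod
# Gates are ("OR", ...)/("AND", ...); leaves are basic-event names. All names and
# probabilities are constructed for illustration, not taken from the paper's tree.
SECURITY_BRANCH = ("OR",  # "safety control deactivated"
    ("AND", "remote access unauthenticated", "safety control service reachable"),
    "malware on control PC")

def build_tree(include_security):
    """Safety fault tree for 'bumper malfunction'; optionally graft the security
    branch under the intermediate event 'bumper contact bar fails'."""
    contact_bar_causes = [("AND", "contact bar mechanically jammed", "wear inspection skipped")]
    if include_security:
        contact_bar_causes.append(SECURITY_BRANCH)
    return ("OR", ("OR", *contact_bar_causes), "bumper signal wire broken")

def minimise(sets):
    """Keep only minimal cut sets (drop any set that contains another one)."""
    uniq = set(sets)
    return sorted((s for s in uniq if not any(o < s for o in uniq)),
                  key=lambda s: (len(s), sorted(s)))

def cut_sets(node):
    """Minimal cut sets: smallest sets of basic events that trigger the top event."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, *children = node
    groups = [cut_sets(c) for c in children]
    if gate == "OR":   # any one child's cut set is enough
        return minimise(cs for g in groups for cs in g)
    if gate == "AND":  # one cut set from every child must hold together
        return minimise(frozenset().union(*combo) for combo in product(*groups))
    raise ValueError(f"unknown gate {gate!r}")

def top_event_probability(node, probs):
    """Exact for independent basic events that each appear once in the tree."""
    if isinstance(node, str):
        return probs[node]
    gate, *children = node
    ps = [top_event_probability(c, probs) for c in children]
    return prod(ps) if gate == "AND" else 1 - prod(1 - p for p in ps)

PROBS = {  # constructed per-mission probabilities of the basic events
    "contact bar mechanically jammed": 0.01, "wear inspection skipped": 0.2,
    "bumper signal wire broken": 0.005, "remote access unauthenticated": 0.05,
    "safety control service reachable": 0.1, "malware on control PC": 0.003}

def security_induced_cut_sets():
    """Cut sets present only with the security branch: each is a security-safety requirement candidate."""
    return [cs for cs in cut_sets(build_tree(True)) if cs not in cut_sets(build_tree(False))]
```

With the constructed numbers the two security-induced cut sets raise the bumper-malfunction probability from about 0.0070 to about 0.0149, which is the kind of quantitative comparison slide 21 asks for.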

29 Case study: The original requirement on the safety control software, as mentioned in the fault tree analysis, reads: "The safety bumper should ensure the functionality of the safety chain". According to the performed security-safety analysis, they could derive the following security-safety requirements:

30 Case study: "The safety bumper should ensure the functionality of the safety chain. A monitoring mechanism should check the current status of the bumper continuously. If a defect of the bumper is detected, the RAVON braking system will be activated and the wheels will be stopped immediately. In addition, a firewall and an up-to-date antivirus application should be installed in RAVON, in order to protect RAVON from unauthorized and unauthenticated remote access."
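To show what the monitoring part of this derived requirement means in code, here is an added example (not from the paper or the RAVON project) of a fail-safe bumper monitor: it commands braking when the bumper reports a defect, when its status is stale or absent, and when the safety control reports itself deactivated, so the security-induced cause from the tree is handled like any other fault. The message fields, the staleness threshold and the status stream are constructed assumptions.

```python
from dataclasses import dataclass

STALE_AFTER_MS = 200  # constructed: no fresh bumper status within this window counts as a defect

@dataclass
class BumperStatus:
    t_ms: int                    # timestamp of the status message (constructed field)
    contact_bar_ok: bool         # self-test result of the contact bar (constructed field)
    safety_control_active: bool  # safety control software reports itself enabled (constructed field)

def evaluate(statuses, now_ms):
    """Return (brake, reason) for the newest status. Fail-safe: silence, staleness,
    a deactivated safety control and a bar defect all command braking."""
    if not statuses:
        return True, "no bumper status received"
    latest = max(statuses, key=lambda s: s.t_ms)
    age = now_ms - latest.t_ms
    if age > STALE_AFTER_MS:
        return True, f"bumper status stale ({age} ms)"
    if not latest.safety_control_active:
        return True, "safety control deactivated"
    if not latest.contact_bar_ok:
        return True, "contact bar defect"
    return False, "bumper healthy"

def run_monitor(messages, tick_ms, end_ms):
    """Run the monitor at a fixed tick over a status stream; return every
    (time, reason) at which braking was commanded."""
    brakes = []
    for now in range(0, end_ms + 1, tick_ms):
        seen = [m for m in messages if m.t_ms <= now]  # only messages already received
        brake, reason = evaluate(seen, now)
        if brake:
            brakes.append((now, reason))
    return brakes

# Constructed status stream: healthy, then safety control reported disabled, then a bar defect.
SAMPLE = [BumperStatus(0, True, True), BumperStatus(100, True, True),
          BumperStatus(200, True, False), BumperStatus(300, False, True)]

if __name__ == "__main__":
    for t, why in run_monitor(SAMPLE, 100, 500):
        print(f"t={t} ms: brake ({why})")
```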

32 Conclusion: In this paper, they have described how safety analysis techniques can help to facilitate the identification of security-safety requirements. A mapping and comparison of the two models after separate security and safety analyses is unavoidable when harmonizing the security and safety requirements.

33 Conclusion: The case study shows that this drawback can be resolved better, more cost-efficiently, and more effectively by using one identical model that is constructed by safety analysis techniques.

34 Future work: The conflict between these two types of requirements was not addressed. Investigation is aimed at adapting other safety analysis techniques to security analysis. The derivation of the security-safety requirements is currently performed manually, based on the functional requirements and safety analysis results (e.g., failure modes and countermeasures).

35 Thanks for listening.
