dependability and its threats: a taxonomy
Post on 15-Oct-2021
3 Views
Preview:
TRANSCRIPT
Dependability and its Threats:A Taxonomy
Al Avizienis Jean-Claude Laprie Brian Randell
18th IFIP World Computer Congress
Dependability: ability to deliver service that can justifiably be trusted
Service delivered by a system: its behavior as it is perceived by itsuser(s)
User: another system that interacts with the former
Function of a system: what the system is intended to do
(Functional) Specification: description of the system function
Correct service: when the delivered service implements the systemfunction
Service failure: event that occurs when the delivered service deviatesfrom correct service, either because the system does not comply with
the specification, or because the specification did not adequatelydescribe its function
Failure modes: the ways in which a system can fail, ranked according tofailure severities
Part of system state that may cause a subsequent service failure: errorAdjudged or hypothesized cause of an error: fault
Dependability: ability to avoid service failures that are more frequent
or more severe than is acceptable
When service failures are more frequent or more severe thanacceptable: dependability failure
Absenceof catastrophic
consequences onthe user(s) and the environment
Continuityof service
Readinessfor usage
Absence of unauthorized
disclosure of information
Absenceof improper
systemalterations
Ability toundergo
repairs andevolutions
SafetyReliability ConfidentialityAvailability Integrity Maintainability
Dependability
Security
Authorized actions
Absence of unauthorized access to, or handling of, system state
Fault
Prevention
Fault
ToleranceFault
RemovalFault
Forecasting
SafetyReliability ConfidentialityAvailability Integrity Maintainability
Faults Errors FailuresActivation Propagation Causation
FaultsFailures …… Causation
Attributes
Availability
Reliability
Safety
Confidentiality
Integrity
Maintainability
Dependability Means
Fault Prevention
Fault Tolerance
Fault Removal
Fault Forecasting
Threats
Faults
Errors
Failures
Situation
Relationship between dependability and security
Alternate definition of dependability
Service failures distinguished from dependability failures
Expanded classification of faults, including criterion of capabilityin the classification of human-made non-malicious faults
competence
Dependability issues of the development process development failures
Dependability related to dependence and trust
Dependability compared with high confidence, survivability,trustworthiness
Faults Errors Failures
Phase of creationor occurrence
Development faults
Operational faults
System boundariesInternal faults
External faults
DimensionHardware faults
Software faults
Phenomenologicalcause
Natural faults
Human-made faults
PersistencePermanent faults
Transient faults
FaultsFailures ……
CapabilityAccidental faults
Incompetence faults
ObjectiveMalicious faults
Non-malicious faults
Service Threats
Faults
Phase of creation
or occurrence
System boundaries
Phenomenological
cause
Dimension
Objective
Intent
Capability
Persistence Per Per Per Per Per Per Per Per Per Per Per Per Tr Per Tr Tr Tr Tr Per Tr Per Tr PerTr PerTr Tr Tr Per Tr
Acc Inc Acc Inc Acc Inc Acc Inc Acc Acc Acc Acc Inc Acc Inc Acc Inc Acc Inc
NonDel
Del Del Del NonDel
Del NonDel
NonDel
NonDel
NonDel
Del Del Del DelNonDel
NonMalicious
NonMalicious
MalMal
Software Hardware
NonMal
NonMal
NonMal
NonMalicious
NonMalicious
Mal Mal
Hdw Hdw Hdw Hardware Software
Human-made Human-madeNat Nat Nat
Internal Internal External
Development Operational
Development Faults Physical Faults Interaction Faults
Per
Faults
Phase of creation
or occurrence
System boundaries
Phenomenological
cause
Dimension
Objective
Intent
Capability
Persistence Per Per Per Per Per Per Per Per Per Per Per Per Tr Per Tr Tr Tr Tr Per Tr Per Tr PerTr PerTr Tr Tr Per Tr
Acc Inc Acc Inc Acc Inc Acc Inc Acc Acc Acc Acc Inc Acc Inc Acc Inc Acc Inc
NonDel
Del Del Del NonDel
Del NonDel
NonDel
NonDel
NonDel
Del Del Del DelNonDel
NonMalicious
NonMalicious
MalMal
Software Hardware
NonMal
NonMal
NonMal
NonMalicious
NonMalicious
Mal Mal
Hdw Hdw Hdw Hardware Software
Human-made Human-madeNat Nat Nat
Internal Internal External
Development Operational
Development Faults Physical Faults Interaction Faults
Per
SoftwareFlaws
LogicBombs
Hardw Errata
Produc Defects
Faults
Phase of creation
or occurrence
System boundaries
Phenomenological
cause
Dimension
Objective
Intent
Capability
Persistence Per Per Per Per Per Per Per Per Per Per Per Per Tr Per Tr Tr Tr Tr Per Tr Per Tr PerTr PerTr Tr Tr Per Tr
Acc Inc Acc Inc Acc Inc Acc Inc Acc Acc Acc Acc Inc Acc Inc Acc Inc Acc Inc
NonDel
Del Del Del NonDel
Del NonDel
NonDel
NonDel
NonDel
Del Del Del DelNonDel
NonMalicious
NonMalicious
MalMal
Software Hardware
NonMal
NonMal
NonMal
NonMalicious
NonMalicious
Mal Mal
Hdw Hdw Hdw Hardware Software
Human-made Human-madeNat Nat Nat
Internal Internal External
Development Operational
Development Faults Physical Faults Interaction Faults
Per
LogicBombs
Hardw Errata
Produc Defects
PhysDeter
PhysicalInterference
IntrusionAttempts
Faults
Phase of creation
or occurrence
System boundaries
Phenomenological
cause
Dimension
Objective
Intent
Capability
Persistence Per Per Per Per Per Per Per Per Per Per Per Per Tr Per Tr Tr Tr Tr Per Tr Per Tr PerTr PerTr Tr Tr Per Tr
Acc Inc Acc Inc Acc Inc Acc Inc Acc Acc Acc Acc Inc Acc Inc Acc Inc Acc Inc
NonDel
Del Del Del NonDel
Del NonDel
NonDel
NonDel
NonDel
Del Del Del DelNonDel
NonMalicious
NonMalicious
MalMal
Software Hardware
NonMal
NonMal
NonMal
NonMalicious
NonMalicious
Mal Mal
Hdw Hdw Hdw Hardware Software
Human-made Human-madeNat Nat Nat
Internal Internal External
Development Operational
Development Faults Physical Faults Interaction Faults
Per
PhysicalInterference
IntrusionAttempts
VW
InputMistakes
Human-made Faults
Non-malicious MaliciousObjective
IntentNon-deliberate
(Mistake)Deliberate
(Bad decision)Deliberate
Accidental Incompetence Accidental IncompetenceCapability
Interaction(operators,
maintainers)&
Development(designers)
Malicious logicfaults:
logic bombs,Trojan horses,
trapdoors,viruses,
worms,zombies
Intrusionattempts
Individuals&
organizations
Decision by
independent
professional
judgement by
board of enquiry or
legal proceedings
in court of law
Faults Errors Failures
Signaled failures
Unsignaled failuresDetectability
FaultsFailures ……
ConsistencyConsistent failures
Inconsistent failures
Consequences
Minor failures
Catastrophic failures
Domain
Content failures
Early timing failures
Late timing failures
Halt failures
Erratic failures
Service Threats
Fault Error FailureFailure… …Fault
Error
altersserviceFacility for
stoppingrecursion
Context
dependent
PropagationActivation Causation
Interactionor
composition
Activationreproducibility
Solid
(hard)faults
Elusive
(soft)faults
Elusive permanent faultsand
Transient faults
Intermittent faults
Interaction
faults
Prior presence
of avulnerability:
Internal faultthat enables
an external
fault to harmthe system
Non-malicious faults
15-20%2~ 60%1Development
40-50%1~ 20%2Human-made interaction *
15-20%2~ 10%3Physical interaction
15-20%2~ 10%3Physical internal
ProportionRankProportionRankFaults
Larger, controlledsystems
(e.g., Commercialairplanes; telephone
network; webapplications)
Computer systems
(e.g., Transactions,
Electronic switching,Back-end servers)
Number of failures
[consequences and outage
durations highlyapplication-dependent]
* Root analysis evidences that they often can be traced to
development faults
NetCraft — Uptime statistics (Dec 1, 2003)
Top 50 most requested sites
12849
0
200
400
600
800
1000
1200
1400
1600
1800
4389
6298
2605
1895
1337
1312
1084
1027
936
809
744
695
611
avg
max
Avg 92
Avg 259
www.whitehouse.govwww.google.com
www.daiko-lab.co.jp
www.microsoft.com
Number of requests
Up
tim
e (
hours
)
Yearly survey on computer damages in France — CLUSIF (2000, 2001, 2002)
Occurrence impact
3 year trends stable increase decrease
Occurrences
Risk perception
0
5,0%
10,0%
15,0%
20,0%
25,0%
Internal failures Loss of
essential services
Naturalevents
Physical accidents
Utilization errors
Design errorsVirus
infection
Targetted logic
attacks
Disclosures and frauds
Image damage
Thefts
Physical sabotage
Non malicious causes71%
Malicious causes29%
Non malicious causes29%
Internal failures
Loss of essential services
Naturalevents
Physical accidents
Utilization errors
Design errorsVirus
infection
Targetted logic
attacks
Disclosures and frauds
Image damage
Thefts
Physical sabotage
Malicious causes71%
10,0%
20,0%
30,0%
Loss ess. serv.
Int. fail.
Nat events
Util. err.
Des. err.
Virus Infec.
Thefts
High
Average
Low
Non malicious causes Malicious Causes
0%
20%
40%
60%
80%
100%
Global Information Security Survey 2003 — Ernst & Young
0% 5% 10% 15% 20%
Hardware failures
Software failure
Third party failure
Infrastructure failure
DDOS attack
Natural disaster
Malicious technical acts
Business partner misconduct
Telecommunications failures
Viruses and worms
Operational errors
System capacity failure
Employee misconduct
Inadvertent act of bus. partner(s)
Former employee misconduct
Non malicious faults81%
Malicious faults19%
Development failures
Development process terminates before the system
is accepted for use and placed into service
Inadequate
design wrt
functionality
or
performance
Incomplete
or faulty
specifications
Excessive
number of
specification
changes
Too many
development
faults
Insufficient
predicted
dependability
Faulty
estimates of
development
costs
Partial development failures
Budget or schedule overruns
Downgrading to less functionality, performance, dependability
3881Estimated lost value for software projects in the USA, in G$
225250Total estimated budget for software projects in the USA, in G$
52%61%Left functions for challenged projects
82%89%Overruns for challenged projects
15%31%Canceled projects
51%53%Challenged projects (completed and operational but over-budget, over the time estimate, and offers fewer features andfunctions than originally specified)
34%16%Successful projects (completed on-time and on-budget, with allfeatures and functions as initially specified)
13,5228,380Number of surveyed projects
20021994
Standish Group (Chaos reports)
Dependability and its attributes
Definitions of dependability
Original definition: ability to deliver service that canjustifiably be trusted
Aimed at generalizing availability, reliability, safety,
confidentiality, integrity, maintainability, that arethen attributes of dependability
Alternate definition: ability to avoid service failures that
are more frequent or more severe than is acceptable
A system can, and usually does, fail. Is it however
still dependable ? When does it become
undependable ?
criterion for deciding whether or not, in spite of
service failures, a system is still to be regarded asdependable.
Dependability and security
Dependability SecurityAuthorized
actions
Availability
Reliability
Safety
Confidentiality
Integrity
Maintainability
Dependence and trust
Dependence of system A on system B is the extent
to which system A’s dependability is (or would be)affected by that of system B
Trust: accepted dependence
1) hostile attacks(from hackers orinsiders)
2) environmental
disruptions(accidental disruptions,either man-made ornatural)
3) human and
operator errors (e.g.,
software flaws,mistakes by humanoperators)
1) attacks (e.g.,
intrusions, probes,denials of service)
2) failures (internally
generated events dueto, e.g., softwaredesign errors,hardware degradation,human errors,corrupted data)
3) accidents(externally generatedevents such as naturaldisasters)
• internal and
external threats
• naturally
occurring hazards
and malicious
attacks from a
sophisticated and
well-funded
adversary
1) development
faults (e.g., software
flaws, hardware errata,malicious logic)
2) physical faults(e.g., productiondefects, physicaldeterioration)
3) interaction faults(e.g., physicalinterference, inputmistakes, attacks,including viruses,worms, intrusions)
Threats
present
assurance that a
system will perform
as expected
capability of a
system to fulfill its
mission in a timely
manner
consequences of
the system
behavior are well
understood and
predictable
1) ability to deliver
service that can
justifiably be
trusted
2) ability of a
system to avoid
service failures that
are more frequent
or more severe
than is acceptable
Goal
TrustworthinessSurvivabilityHigh ConfidenceDependabilityConcept
top related