Safety Engineering Overview
19 Questions
Questions and Answers

What is a system, in terms of security, that requires protection?

Asset

The security dimension of integrity refers to unauthorized access to information that is not supposed to be accessed.

False (B)

What is the most important system dependability attribute?

Security

What assessment is used to identify generic risks applicable to a system and to decide if an adequate level of security can be achieved at a reasonable cost?

Preliminary risk assessment

Which of the following is NOT a fundamental issue in designing a system architecture that maintains security?

Identification (B)

What is the process of evaluating security risks during system design?

Design risk assessment

Misuse cases are not directly associated with use cases.

False (B)

What are the three security dimensions?

Confidentiality, Integrity, and Availability

What does secure system design incorporate from the beginning to protect it from threats?

Security measures

Secure system programming means writing software without security in mind.

False (B)

Which of the following is NOT a type of security testing?

Functional testing (D)

Formal verification is essential for proving that a program conforms to its specification.

True (A)

What is the process of designing and implementing security into an application system?

Secure systems programming

What type of security testing involves drawing on experience from outside the development team to test an application system?

Penetration testing

Secure system design is not a primary factor when considering secure systems engineering.

False (B)

Which of these is NOT a measure that can be used to reduce a system's vulnerability?

Availability check (A)

What are scenarios that represent malicious interaction with a system, used to discuss and identify possible threats and attacks associated with the system's security?

Misuse cases

What is the process of incorporating security measures into a system to protect it from threats?

Secure system design

A security case demonstrates that a system is secure if it's adequately safe for a given application in a particular environment.

True (A)

Flashcards

Safety-Critical System

A system where safe operation is essential, preventing harm to people and environment.

Primary Safety-Critical Software

Software directly controlling hardware, malfunctions can lead to injury or damage.

Secondary Safety-Critical Software

Software that indirectly leads to hazards; design faults from software can cause harm.

Hazard

A system state that could lead to an accident.

Hazard Avoidance

Designing a system to prevent hazards from occurring.

Hazard Detection and Removal

Identifying and eliminating hazards before they cause accidents.

Damage Limitation

Strategies to minimize damage from accidents when they occur.

Safety Requirements

Functional requirements defining protective measures against failures and attacks.

Hazard Identification

The process of recognizing potential hazards within a system.

Risk Assessment Categories

Levels of acceptable risk: intolerable, ALARP, acceptable.

ALARP

As low as reasonably practicable; risk minimized relative to costs.

Formal Verification

Use of formal methods to mathematically ensure system specifications are met.

Model Checking

A technique for systematically checking models against specifications.

Static Program Analysis

Automated tools that examine code for errors without execution.

Safety Case

A structured argument supported by evidence demonstrating system safety.

Cybersecurity

Protection of systems against digital threats or attacks.

Confidentiality

Ensuring that information is only accessible to authorized parties.

Integrity

Guaranteeing that information is accurate and unaltered.

Availability

Ensuring that systems are accessible when needed.

Interception Threats

Potential attacks that access confidential information.

Modification Threats

Attacks that alter system data or functionality.

Penetration Testing

Testing a system's security by simulating attacks.

Misuse Cases

Scenarios depicting malicious interactions with a system.

Design Risk Assessment

Evaluating security risks during the design phase of a system.

Defense in Depth

Layered security approaches to protect assets.

Secure Programming

Writing code with built-in protections against vulnerabilities.

Security Testing

Evaluating a system's resilience against potential attacks.

Static Analysis Levels

Various levels of checks including characteristics and assertion error checking.

Study Notes

Safety Engineering

  • Safety in software systems is achieved by understanding the situations that lead to safety-related failures and engineering the software to prevent them. System reliability is necessary but not sufficient for safety.
  • Safety-critical systems must always operate safely, regardless of their specifications.
  • Safety-critical software is divided into two classes:
    • Primary: Embedded controller software that, if it malfunctions, can cause hardware failure and harm to people or the environment.
    • Secondary: Software that does not interact with hardware directly but can still cause harm (e.g., errors in design software that lead to faulty designs).

Safety-Critical System

  • A hazard is a system state capable of causing an accident.
  • Strategies for avoiding accidents include:
    • Hazard avoidance: Designing systems so that hazards cannot occur.
    • Hazard detection and removal: Designing systems to detect and remove hazards that threaten safety.
    • Damage limitation: Designing systems with protection features that minimize the damage from an accident.

Safety Terminology

  • Accident (or mishap): An unplanned event with human injury or damage to property/environment.
  • Damage: Loss resulting from a mishap, ranging from minor injury to widespread devastation.
  • Hazard: Conditions with potential for causing or contributing to an accident.
  • Hazard probability: Likelihood of a hazard occurring.
  • Hazard severity: Assessment of worst possible damages.
  • Risk: A measure of the probability that a system will cause an accident, derived from hazard probability, hazard severity and the probability that the hazard leads to an accident.

Safety Requirements

  • Safety requirements define the checking and recovery facilities in a system.
  • Activities in a hazard-driven safety specification process:
    • Hazard identification: Identifying the hazards that threaten the system.
    • Hazard assessment: Deciding which hazards are the most dangerous and the most likely.
    • Hazard analysis: Root-cause analysis of how hazards can occur.
    • Risk reduction: Defining safety requirements that minimize the chance of hazards resulting in accidents.

Hazard Assessment

  • Focuses on understanding factors causing hazards and their consequences.

Hazard Analysis

  • Process of discovering root causes of hazards in a safety-critical system.
  • Fault tree analysis is a common hazard analysis technique.

Risk Reduction

  • Identifying strategies for minimizing risks and ensuring that no accidents occur. Possible strategies are:
    • Hazard avoidance
    • Hazard detection and removal
    • Damage limitation

Risk Categories

  • Three risk categories are used in hazard assessment:
    • Intolerable: Risks that threaten human life; the system must be designed so that the threat cannot occur.
    • ALARP: Risks with less serious consequences or lower probability; these are reduced as far as is reasonably practicable.
    • Acceptable: Risks with minor consequences; every possible step is taken to reduce the chance of the risk occurring.

Safety Assurance Processes

  • Activities that ensure a system operates safely:
    • Hazard analysis and monitoring: Tracing hazards through system development and monitoring them.
    • Safety reviews: Regularly reviewing security throughout software development.
    • Safety certification: Certification of safety-critical components.

Formal Verification

  • Formal methods of software development using a mathematically sound model of a system.

Model Checking

  • Creating a formal state model of a system to check correctness.

Static Program Analysis

  • Automated tools scanning code to detect potential errors and anomalies.

Safety Cases

  • Documented evidence demonstrating a system's safety for a given application. Safety cases relate software failures to broader system failures and demonstrate either that failures will not occur or that they will not propagate into system failures.

Structured Arguments

  • Logical arguments used to decide whether a system is operationally safe. They take a claim-based approach, using evidence to support claims about security and dependability.

Software Safety Arguments

  • Demonstrates that a software program will operate as intended without causing unsafe states.

Security Engineering

  • Software systems are increasingly connected to the internet, exposing them to external attacks that developers must take into account.
  • System threats come from malicious actors with technical skills as well as from accidental mistakes made during development.
  • Three security dimensions:
    • Confidentiality: Protecting information from unauthorized access.
    • Integrity: Preventing unauthorized modification or corruption of data.
    • Availability: Ensuring that authorized users can access data and services when needed.
  • Security is organizational, with levels for infrastructure, applications, and operations.

Security Threats

  • Interception threats: Attackers gain access to protected assets.
  • Interruption threats: Attackers make part of a system unusable.
  • Modification threats: Attackers tamper with system assets.
  • Fabrication threats: Attackers insert false information into a system.
  • Controls are based on avoidance (stopping threats), detection (identifying attacks) and recovery (restoring the system after an attack).

System Design

  • Security is integrated into the system from the start.
  • Security decisions made during architectural design influence the system's overall protection.
  • Good design practice improves both reliability and security.

Secure Systems Programming

  • Secure system design and programming require consciously building security into every part of the application design.

Security Testing and Assurance

  • Assessing how well a system can withstand attacks and how many weaknesses it has.
  • Experience-based testing: Testing the system against known attack types.
  • Penetration testing: External testing that looks for vulnerabilities.
  • Tool-based analysis and formal verification: Checking the code against known weaknesses and proving that it conforms to its specification.

Design Guidelines

  • Guidelines for secure systems engineering, including defense in depth and balancing security against usability.

Architectural Design

  • Architectural design decisions have a large effect on a software system's emergent security properties. System architectures must consider protection and distribution techniques so that critical assets are protected and the consequences of attacks are minimized. Protection layers exist at the platform, application, and record levels.

Description

This quiz delves into the fundamentals of safety engineering, emphasizing the importance of preventing failures in safety-critical software systems. It covers various strategies for hazard avoidance and the classification of safety-critical software into primary and secondary categories. Test your understanding of these crucial concepts and their application in engineering safe software.