Dependability and Security Working Group
DAME Dependability and Security
Study
Presenters: Howard Chivers / Martyn Fletcher
University of York
Contents
• Introduction
• Analysis Approach: Dependability and Security
– Security
– Dependability
– Joint working
• Experience
– System Context
– Asset Analysis
• What Next: Deployment Clustering
• Summary
Distributed Aircraft Maintenance Environment - DAME
Introduction
DAME Project Aims
• Develop a Grid-enabled diagnostic system
• Demonstrate this on the Rolls-Royce AeroEngine
diagnostics problem
– A Diagnostic Grid
– Grid management tools for unstructured data
– A practical application demonstrator
• Develop the understanding and Business Case
needed for industrial deployment:
– Grid middleware and application/services layer integration
– Scalability and Deployment options
– Security and Dependability issues
Purpose of the Study
• Provide analysis to enable ultimate deployment of
DAME in engine domain.
• Provide analysis as basis for deployment in other
domains.
• Contribute to Grid community research in
dependability and security.
Why do stakeholders care?
• The DAME workflow automates a collaboration
between multiple stakeholders, each of which has its own
business perspective and interests.
• The Data is high volume – to be cost effective it must
be possible to physically distribute the data and its
processing.
Dependability Goals
Key goals include:
• Confidentiality of key industrial properties.
– The most critical items are algorithms
• Restricting access to stakeholders’ operational performance
data.
• The Integrity of data used to make diagnostic decisions.
• Provenance of diagnostic decisions made using the system.
The system is advisory, so safety is not a major goal. Reliability
and Availability are concerns, but have lower significance.
Analysis Approach:
Dependability & Security
Dependability and Security
• Attributes:
– Reliability
– Safety
– Maintainability
– Security (Confidentiality, Integrity, Availability)
• Attributes have varying significance in different
systems.
Security (Risk) Analysis
• Focus on risk to the overall business process
• Process
– Define system context:
• Boundary / actors / assets / external assumptions.
– Analyse assets:
• Identify impact / threat for each.
– Attackers perspective.
– Vulnerabilities.
• Identify likelihood.
• From matrix, identify unacceptable deployment risks,
example:
– High impact and high likelihood need to be reduced.
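The matrix step of the process above, worked through in code. This is an added example and not part of the DAME study: the asset names, threats and ratings are constructed for illustration, and the acceptance policy (only the high-impact, high-likelihood cell is "unacceptable", the rest graded by the sum of the two levels) is an assumption, since the slides only state that high/high must be reduced. The impact scale is the 0/L/M/H business-terms scale the deck uses in its asset analysis process.

```python
"""Risk-matrix step of a security risk analysis: impact x likelihood per asset.

Added example, not part of the DAME study. Asset names and ratings below are
constructed. Impact: 0 = not rated, L = significant cost, M = impact on the
company bottom line, H = long-term impact on the bottom line. Likelihood: L/M/H.
"""
from dataclasses import dataclass

LEVELS = {"0": 0, "L": 1, "M": 2, "H": 3}


@dataclass(frozen=True)
class AssetRisk:
    asset: str          # service or data asset from the system context
    concern: str        # keyword that prompted the concern, e.g. confidentiality
    threat: str         # attacker's perspective: what could go wrong
    impact: str         # 0/L/M/H in business terms
    likelihood: str     # L/M/H, judged from the vulnerabilities found


def risk_class(impact: str, likelihood: str) -> str:
    """Map one matrix cell to an acceptance class (constructed policy)."""
    i, l = LEVELS[impact], LEVELS[likelihood]
    if i == 3 and l == 3:
        return "unacceptable"      # the cell the deck says must be reduced
    if i == 0:
        return "not rated"         # impact too low to be significant
    if i + l >= 4:
        return "review"            # e.g. H/L, M/M, M/H: decide case by case
    return "acceptable"


def unacceptable_risks(risks):
    """The deployment risks that must be reduced before deployment."""
    return [r for r in risks if risk_class(r.impact, r.likelihood) == "unacceptable"]


def risk_matrix(risks):
    """Assets per (impact, likelihood) cell; unrated assets are left out."""
    grid = {(i, l): [] for i in "LMH" for l in "LMH"}
    for r in risks:
        if r.impact != "0":
            grid[(r.impact, r.likelihood)].append(r.asset)
    return grid


def render_matrix(risks) -> str:
    """Text rendering: rows = likelihood H..L, columns = impact L..H."""
    grid = risk_matrix(risks)
    lines = ["likelihood \\ impact   L   M   H"]
    for l in "HML":
        cells = "   ".join(str(len(grid[(i, l)])) for i in "LMH")
        lines.append(f"{l:<20}  {cells}")
    return "\n".join(lines)


# Constructed sample assessment (not from the study).
SAMPLE = [
    AssetRisk("DiagnosticAlgorithm", "confidentiality", "algorithm copied by another node operator", "H", "H"),
    AssetRisk("EngineDataRecord", "integrity", "record altered before diagnosis", "H", "L"),
    AssetRisk("OperationalPerformanceData", "confidentiality", "disclosed to a competing operator", "M", "M"),
    AssetRisk("WorkflowRecord", "provenance", "cannot show which version produced advice", "M", "L"),
    AssetRisk("PortalSession", "availability", "portal unreachable for an afternoon", "L", "M"),
    AssetRisk("Annotations", "availability", "loss of a free-text note", "0", "M"),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE))
    for r in unacceptable_risks(SAMPLE):
        print(f"reduce: {r.asset} ({r.concern}: {r.threat})")
```

Tying the impact scale to business criteria, as the deck recommends, is what makes the ratings comparable across assets; the matrix itself only becomes useful once the policy for each cell is written down, which is why the acceptance rule is a named function rather than a judgement made per asset.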
Security (Risk) Analysis
[Diagram: the risk analysis flow. System Context (System Boundary, Actors, Assets, External Assumptions) feeds Asset Analysis (threats, attackers' perspective, vulnerabilities), which is summarised in an Impact (L/M/H) by Likelihood (L/M/H) matrix; the high-impact / high-likelihood cell is marked x, the low-impact / low-likelihood cell o.]
Dependability Analysis
• High level analysis for complex systems developed at
York is rooted in the need for safety cases of layered
systems.
[Diagram: layered view. Distributed services (Service 0 ... Service N) sit on the Distributed Middleware Infrastructure, which sits on the Distributed Hardware Infrastructure. The analysis interface lies between the services and the middleware; the middleware infrastructure is the component under analysis.]
High level Analysis of a
Complex System
• Focuses on infrastructure.
• Approach at York (based on FMEA – Failure Modes
and Effects Analysis + SHARD – Software Hazard
Analysis and Resolution in Design):
– Define high level functions at specified interface.
– Apply guidewords (omission, commission etc.) – undesirable
situations.
– Cause.
– Effect.
– Derived requirements - to prevent / mitigate.
• Satisfy derived requirements to provide
dependability.
High level Analysis of a
Complex System
Grid Service High Level Functions and example failures:
1. Provision of secure and timely data flow. Example failure: network saturated/blocked.
2. Controlled access to grid processing (factory services). Example failure: one node of the grid doesn’t work.
3. Provision of secure algorithm and data storage and memory management. Example failure: whilst data is stored or manipulated it gets corrupted, e.g. by another grid application.
4. Provision of consistent execution state and information on that state (provenance). Example failure: different versions of the same algorithm running on nodes.
5. Provision of HM and failure management. Example failure: does not inform that the estimated time won’t be reached.
6. Secure and timely access to accurate registry data. Example failure: false information held in registry.
High level Analysis of a
Complex System
• Analysis process:
– SHARD like analysis of component – in this case grid
middleware + infrastructure
• Uses guidewords, for example:
– Omission.
– Commission.
– Early.
– Late.
– Value (detectable/undetectable).
High level Analysis of a
Complex System
1. Provision of secure and timely data flow.
Guideword: Omission – Data not sent from application to application/copy on another node.
Causes:
– Network saturated/blocked (Denial of Service?).
– Registry has no information on receiver.
– Registry has incorrect information on receiver (or has been tampered with).
– Receiver is no longer running.
Effect:
– No data arrives at far end; receiver may be blocked from continuing execution.
Derived Requirements:
– Replicate network path.
– Receiver may use date stamp on data.
– Registry returns error when there is no receiver.
– Registry is protected from third party alteration.
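The guideword analysis above, encoded as data so that its completeness can be checked. This is an added example and not part of the DAME study: the Omission row is the deck's own worked row for function 1; the Late and Early entries and the guideword list used for the coverage check are constructed for illustration. Two checks a reviewer of such a table wants are shown: which function/guideword pairs nobody has yet analysed or explicitly ruled out, and which analysed deviations still lack a derived requirement.

```python
"""SHARD-style guideword analysis of a high-level grid function, with checks.

Added example, not part of the DAME study. The Omission entry reproduces the
deck's worked row for function 1; the remaining entries are constructed.
"""
from dataclasses import dataclass, field

# Guidewords from the deck; "value" covers detectable/undetectable value errors.
GUIDEWORDS = ("omission", "commission", "early", "late", "value")


@dataclass
class Deviation:
    function: str
    guideword: str
    deviation: str                         # the undesirable situation
    causes: list = field(default_factory=list)
    effects: list = field(default_factory=list)
    derived_requirements: list = field(default_factory=list)
    not_applicable: bool = False           # explicit decision: guideword does not apply


FUNCTION_1 = "Provision of secure and timely data flow"

ANALYSIS = [
    Deviation(
        FUNCTION_1, "omission",
        "Data not sent from application to application/copy on another node",
        causes=["Network saturated/blocked (denial of service?)",
                "Registry has no information on receiver",
                "Registry has incorrect information on receiver (or has been tampered with)",
                "Receiver is no longer running"],
        effects=["No data arrives at far end",
                 "Receiver may be blocked from continuing execution"],
        derived_requirements=["Replicate network path",
                              "Receiver may use date stamp on data",
                              "Registry returns error when there is no receiver",
                              "Registry is protected from third party alteration"],
    ),
    # Constructed entries, for illustration only.
    Deviation(FUNCTION_1, "late", "Data arrives after the consumer's deadline",
              causes=["Congested path"], effects=["Stale input to diagnosis"],
              derived_requirements=["Receiver checks date stamp against deadline"]),
    Deviation(FUNCTION_1, "early", "", not_applicable=True),
]


def coverage_gaps(analysis, functions, guidewords=GUIDEWORDS):
    """(function, guideword) pairs with neither an analysed deviation nor an
    explicit not-applicable decision: the rows still to be worked."""
    covered = {(d.function, d.guideword) for d in analysis}
    return [(f, g) for f in functions for g in guidewords if (f, g) not in covered]


def unmitigated(analysis):
    """Analysed deviations with causes or effects but no derived requirement."""
    return [d for d in analysis
            if not d.not_applicable and (d.causes or d.effects) and not d.derived_requirements]


def requirements_by_function(analysis):
    """Derived requirements per function, de-duplicated, order preserved."""
    out = {}
    for d in analysis:
        bucket = out.setdefault(d.function, [])
        for req in d.derived_requirements:
            if req not in bucket:
                bucket.append(req)
    return out


if __name__ == "__main__":
    for f, g in coverage_gaps(ANALYSIS, [FUNCTION_1]):
        print(f"not yet analysed: {f} / {g}")
    for req in requirements_by_function(ANALYSIS)[FUNCTION_1]:
        print("derived requirement:", req)
```

Recording a guideword as explicitly not applicable, rather than leaving the row blank, is what lets the coverage check distinguish a considered decision from an omission in the analysis itself.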
Choice of method
• Approaches have complementary strengths
• In combination:
– Use security risk analysis to establish whole-system issues
– Use ‘high level analysis’ to identify infrastructure
vulnerabilities in the context of the main risk analysis
– Combined study minimises project cost and demands on
customer time
• Take advantage of other sources of vulnerability
information – particularly for security
Observations
• The security system risk analysis method provides a
useful overall framework
• … but it must include the wider set of dependability
attributes.
• Using both forms of analysis explicitly deals with the
flexible deployment of applications envisaged in the
grid.
• ... but it remains to be seen if the interface requirements
between Grid applications and infrastructure are mature
enough to allow dependability analysis.
Experience: System Context
Context
[Diagram: the security risk analysis flow again: System Context (System Boundary, Actors, Assets, External Assumptions), Asset Analysis (threats, attackers' perspective, vulnerabilities) and the Impact (L/M/H) by Likelihood (L/M/H) matrix.]
Needs to be extended to accommodate arbitrary deployment.
Initial System View
System Context
• System Context document (DAME/York/TR/03.007)
– Business process.
– System boundary.
– Actors (primary and supporting).
– Assets (service and data).
– Service interactions.
– External assumptions.
• Purpose:
– Provides a concise reference – allows stakeholders to agree
on a description of the system.
– Identifies Assets: Services and Data
• ... but not hardware?
Actors & System Context
[Diagram: actors and their interactions with the Distributed Aircraft Maintenance Environment (DAME) System.]
Actors:
– Engine Manufacturer (RR)
– Airline / Maintenance Contractor (at Airport)
– Domain Expert (DE) – engine expert
– Maintenance Engineer (ME)
– Maintenance Analyst (MA) – maintenance expert
– Engine Data Center (EDC) – DS&S
– Data Center (DS&S)
– Engine Maintenance Repair and Overhaul (MRO) Facility (RR / Contractor)
– Miscellaneous Providers
DAME System elements: DAME Diagnosis Service, Service Data Manager (SDM), Workscope Generator (RR), Remote / Distributed Tools and Services.
Interactions: Download Engine Data; Upload Engine Ground Data; Update Engine Records; Information / request for advice; Investigate using tools; Provide Diagnosis / Prognosis / Advice; Request advice from MA; Request advice from DE; Perform Minor Repair; Perform Inspections; Local Support Diagnosis; Remove engine and dispatch for major overhaul; Return overhauled engine to service.
Service Assets
[Diagram: class diagram of the service assets and their dependencies, with multiplicities.]
Services shown: EngineDataCenter, EngineDataStore-G, ArrivalNotification, Encoder-G, ZModViewer-G, SDM-G, Portal-CollaborationEnvironment, WorkflowManager, AURA-G, XTO-G, RoleDatabase, Chart-G, MyProxy, EngineModel-G, CBRAnalysis-G, DataBaseMiner-G, CBRWorkflowAdvisor-G.
Relationships shown: stores Engine Data Record in QUOTE / GSS; stores / retrieves DAME results, annotations, etc.; gets EDR from; searches for patterns using (EncodedZmodDataFeature); extracts orders using; gets extracted orders; visualises engine data using; models engine using; diagnoses fault using; searches for clusters using (ClusterData); gets SDM Record(s) from; getsWorkflowAdvice.
Note: the EDC contains various independent tools and facilities – only the EngineDataStore is shown here.
Data Assets
[Diagram: class diagram of the data assets with multiplicities.]
Data types shown: EncodedData, AURAEncodedData, CBRRuleSet, WorkFlowRuleSet, SuggestedWorkflow, TrackedOrder, XTOFeatureResult, AURAResult, CBRResult, ChartResult, WorkflowRecord, ZmodViewerResult, WorkflowRule, Case, EngineModelResult, QUOTEFeatureResult, EngineDataRecord, UserView, User, Role, Annotations, UserRole, Airframe, Flight, FlightEvent, Engine, SDMRecord.
Attributes shown: processPerfomance, inputParamSet, deadline, status, userStatus[3], distinguishedName.
Context: Method
• Business Use-Cases & initial Service diagram
derived from design documents
• Aim for a Deployment-neutral description
• Checks:
– Build & check data and service models from the interactions
specified in the use-cases.
– Is the data required by each service consistent with the data
model?
– Do members of the project, and its customers, think this
represents their system?
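The first two checks listed above (build the service and data models implied by the use-case interactions, then compare them with the models the project documents) as an added example, not part of the DAME study. The interactions and the two model sets are constructed for illustration, reusing a few names from the deck's asset diagrams; the deliberately unmodelled "AnnotationService" and "Annotation" stand in for the kind of gap the slide says such a check surfaces.

```python
"""Consistency checks between use-case interactions and the service/data models.

Added example, not part of the DAME study. Interactions and models below are
constructed; a few names are borrowed from the deck's asset diagrams.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Interaction:
    use_case: str
    actor: str
    service: str
    data_in: tuple = ()     # data the service consumes in this step
    data_out: tuple = ()    # data the service produces in this step


# The models as documented by the project (constructed).
SERVICE_MODEL = {"EngineDataStore-G", "XTO-G", "CBRAnalysis-G", "Portal-CollaborationEnvironment"}
DATA_MODEL = {"EngineDataRecord", "XTOFeatureResult", "Case", "CBRResult"}

# Interactions specified in the business use-cases (constructed).
INTERACTIONS = [
    Interaction("Upload engine data", "Maintenance Engineer", "EngineDataStore-G",
                data_in=("EngineDataRecord",)),
    Interaction("Extract features", "Maintenance Analyst", "XTO-G",
                ("EngineDataRecord",), ("XTOFeatureResult",)),
    Interaction("Diagnose fault", "Domain Expert", "CBRAnalysis-G",
                ("Case", "XTOFeatureResult"), ("CBRResult",)),
    # Constructed inconsistency: a use case refers to a service and a data type nobody modelled.
    Interaction("Annotate result", "Domain Expert", "AnnotationService",
                ("CBRResult",), ("Annotation",)),
]


def derive_models(interactions):
    """Service and data sets implied by the use cases."""
    services = {i.service for i in interactions}
    data = {d for i in interactions for d in i.data_in + i.data_out}
    return services, data


def check_models(interactions, service_model, data_model):
    """What the use cases reference but the models omit, and what the models
    contain that no use case exercises."""
    used_services, used_data = derive_models(interactions)
    return {
        "services_missing_from_model": sorted(used_services - service_model),
        "data_missing_from_model": sorted(used_data - data_model),
        "services_never_used": sorted(service_model - used_services),
        "data_never_used": sorted(data_model - used_data),
    }


def data_per_service(interactions):
    """Data each service touches, for checking each service's needs against the data model."""
    out = {}
    for i in interactions:
        out.setdefault(i.service, set()).update(i.data_in + i.data_out)
    return {s: sorted(d) for s, d in out.items()}


if __name__ == "__main__":
    for key, names in check_models(INTERACTIONS, SERVICE_MODEL, DATA_MODEL).items():
        print(f"{key}: {names}")
```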
Context: Method (2)
• Control granularity:
– Services at deployment granularity.
– Data, sufficient to distinguish between different use or
origin.
– Assets must be meaningful to customers to allow a
discussion of threat & impact.
• Result:
– 24 Data Types and 14 Services.
– Contrast with
• ‘Initial brainstorm’ meeting: 4 data types & 4 services
• Initial system view (slide 21): 3 data types &
13 services (2 different!)
Observations
• Methodological analysis is necessary.
– Existing system documentation is strong on services but weak on
data
• Need to be flexible about representations & models to align with
project methods.
• Control:
– Granularity
– Avoid mechanisms, keep to requirements
• The ‘grid’ nature may make it difficult to establish hardware
assets - may be a problem or blessing, but needs to be
recognised.
• The system is ‘virtual’ – need to be explicit about the
management needed.
Experience: Asset Analysis
Asset Analysis
• Generated pro-forma of assets and generic concerns.
• Reviewed with Industrial / Academic Partners:
– Reviewed system context document.
– Preliminary assets analysis - assigned concerns and impacts to:
• Data assets
• Service asset
• Stakeholder concerns also used to elicit system security goals.
– Allows the separation of goal concerns and ‘derived’ requirements.
• Review of Asset Threat model and Security Goals now
complete.
Process
• Keyword list to prompt discussion on each asset:
– execution, confidentiality, integrity, availability, privacy,
completeness, provenance, non-repudiation…
• Only about half these categories used, and not all for
every asset.
• Impact rating: L/M/H in business terms:
– 0: not rated – too low to be significant
– L: significant cost
– M: impact on company bottom line
– H: long term impact on company bottom line
Typical Requirements
Key goals include:
• Confidentiality of key industrial properties.
– The most critical items are algorithms
• Restricting access to stakeholders’ operational performance
data.
• The Integrity of data used to make diagnostic decisions.
• Provenance of diagnostic decisions made using the system.
The system is advisory, so safety is not a major goal. Reliability
and Availability are concerns, but have lower significance.
Observations
• New system requirements will probably emerge from
this study:
– Finer grain control of users within roles
– The need for provenance for data items as well as
workflows
– The possible separation of different types of raw data to
facilitate grid processing
– The need to audit services in the (virtual) system
• Need to be careful about responsibilities when data
or services are shared with other systems – e.g. long
term data integrity for some data items is important,
but outside DAME.
Observations
• The customers have real security concerns – this is
not a system where all parts will be allowed to ‘run
anywhere’.
– security analysis informs deployment options
• Keywords (e.g. ‘integrity’) are very broad – need to
record the actual concern in each case.
• Linking impact (L/M/H) to business criteria helps
prevent ‘drift’ of assessments.
What Next:
Deployment Contracts
System Data flow between services (Fragment)
[Diagram: services Engine_Data_Store, Extractor_G, XTO_G, AURA_G (Train), XTO_Assessor, Z_Mod_Viewer, Pattern_Matcher and AURA_Search, with the data flowing between them: Engine_Data_Record (Z_Mod, Performance Data), Time_Series_Data, Time_Series_Fragment, Feature_Result, Z_Mod_Result and AURA_Encoded_data.]
Deployment groups services and related data
[Diagram: the same data-flow fragment, with each service and the data it handles drawn as a deployment group.]
Deployment container contracts
[Diagram: the same fragment with a contract attached to each deployment container, e.g.:]
– Engine data: confidentiality
– Service integrity (management access…)
– Authentication: users of feature results
Deployment Conclusions
• Provides the link between the high level system
design, users security goals, and actual deployed
software.
• Will specify requirements on ‘locations’
– Test deployment architecture for feasibility
– Decomposes the distributed system for subsequent
vulnerability analysis
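The clustering and contract idea from the last three slides, worked through in code as an added example that is not part of the DAME study. Service and data names are taken from the deployment fragment on the slides; the concern assigned to each asset, the two-container deployment and the contract rules (a container's contract is the union of its members' concerns, plus an authentication obligation for every service that receives data from another container) are assumptions made for illustration. The crossing-flow check is the decomposition step the conclusions describe: confidential data that leaves its container is what the subsequent vulnerability analysis has to look at.

```python
"""Deployment clustering: group services with related data, derive container
contracts, and find confidential data flows that cross container boundaries.

Added example, not part of the DAME study. Names come from the deck's
deployment fragment; concerns, clustering and contract rules are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                                # "service" or "data"
    concerns: frozenset = frozenset()        # e.g. {"confidentiality"}, {"integrity"}


@dataclass(frozen=True)
class Flow:
    producer: str       # service that sends the data
    data: str
    consumer: str       # service that receives it


@dataclass
class Container:
    name: str
    members: set = field(default_factory=set)


ASSETS = {a.name: a for a in [
    Asset("Engine_Data_Store", "service", frozenset({"integrity"})),
    Asset("Extractor_G", "service"),
    Asset("XTO_G", "service", frozenset({"integrity"})),
    Asset("AURA_G", "service"),
    Asset("Pattern_Matcher", "service"),
    Asset("Engine_Data_Record", "data", frozenset({"confidentiality"})),
    Asset("Time_Series_Data", "data", frozenset({"confidentiality"})),
    Asset("Feature_Result", "data", frozenset({"confidentiality"})),
    Asset("AURA_Encoded_data", "data"),
]}

FLOWS = [
    Flow("Engine_Data_Store", "Engine_Data_Record", "Extractor_G"),
    Flow("Extractor_G", "Time_Series_Data", "XTO_G"),
    Flow("XTO_G", "Feature_Result", "Pattern_Matcher"),
    Flow("Extractor_G", "Time_Series_Data", "AURA_G"),
    Flow("AURA_G", "AURA_Encoded_data", "Pattern_Matcher"),
]

# Constructed clustering: raw engine data stays with the store and the extractor.
DEPLOYMENT = [
    Container("data_centre", {"Engine_Data_Store", "Extractor_G",
                              "Engine_Data_Record", "Time_Series_Data"}),
    Container("analysis_node", {"XTO_G", "AURA_G", "Pattern_Matcher",
                                "Feature_Result", "AURA_Encoded_data"}),
]


def container_of(containers, asset):
    for c in containers:
        if asset in c.members:
            return c.name
    return None


def contract(containers, name):
    """Obligations on one container: the union of its members' concerns, plus
    authentication of every service that receives data across the boundary."""
    c = next(c for c in containers if c.name == name)
    obligations = {}
    for m in c.members:
        for concern in ASSETS[m].concerns:
            obligations.setdefault(concern, set()).add(m)
    for f in FLOWS:
        if (container_of(containers, f.consumer) == name
                and container_of(containers, f.producer) != name):
            obligations.setdefault("authentication", set()).add(f"{f.consumer} users of {f.data}")
    return {k: sorted(v) for k, v in obligations.items()}


def unplaced(containers):
    """Assets the deployment forgot to place anywhere."""
    placed = set().union(*(c.members for c in containers))
    return sorted(set(ASSETS) - placed)


def crossing_flows(containers):
    """Flows of confidential data that leave the producer's container."""
    return [f for f in FLOWS
            if "confidentiality" in ASSETS[f.data].concerns
            and container_of(containers, f.producer) != container_of(containers, f.consumer)]


if __name__ == "__main__":
    for c in DEPLOYMENT:
        print(c.name, contract(DEPLOYMENT, c.name))
    for f in crossing_flows(DEPLOYMENT):
        print(f"confidential {f.data} crosses {f.producer} -> {f.consumer}")
```

Because the contract is derived from the assets rather than written per container, moving a service between containers recomputes the obligations on both, which is the feasibility test on a candidate deployment architecture that the conclusions mention.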
Summary
Documents Produced
• Discussion / working documents:
– DAME Initial Dependability Assessment -
AME/York/TR/03.001. From meeting with industrial
partners on 17th March 2003.
– Analysis of the Grid – Phillipa Conmy
– Security Risk Brief – Howard Chivers
– Options for Merging Dependability and Security Analysis -
Howard Chivers. This includes a neutral terminology.
– DAME Dependability and Security: Asset Analysis pro-forma.
• DAME Dependability and Security: System Context
Document - DAME/York/TR/03.007.
• DAME Dependability and Security: Asset Analysis
Document - DAME/York/TR/04.001.
Future Work
• Sign off System Context, Asset Analysis and attacker profiles.
• Identify deployment constraints & requirements
• Identify & document security trade-offs at the system design
and deployment level.
• Document lessons learned – where the existing design needs
to be revisited from the security perspective.
• Vulnerability analysis etc. (risk matrix, mitigation)
– As far as can be applied in a generic way – the target of
deployment is not the present system.
Final Observations
• Security risk analysis is best carried out as an
integrated part of the system design:
– The context can be part of the standard system
documentation
– Deployment and other design tradeoffs can be made early
– The security analysis will highlight requirements that might
otherwise be missed.
Final Observations (2)
• The grid nature of the problem introduces new
challenges: DAME is a ‘virtual system’
– Mapping to hardware is deferred
– Requirements for administration of the ‘virtual’ system, as
well as individual resources
• Appropriate security is essential before systems of
this sort can be exploited commercially.