Checklist for Iso Compliance in Insurance - PowerPoint by gps13265

Difficulties in Providing Certification and Assurance for Software Defined Radios


         John Giacomoni
 University of Colorado at Boulder
            11/10/2005
Certification & Assurance
   Establish a level of assurance that a
    product conforms to its specifications
       Solve trust problems where information
        asymmetries exist
   Product & process certification
Systems Problem
   Historical context of trusted computing
   More than components or spectrum
       SDR device and aggregates (network)
       Cross layer/module interactions
           Spectrum/SDR Network/OS/Applications
       Composition problems
           Emergent behavior
Product Certification
   Underwriters Laboratories - 1901
       Demonstrates correlation between product
        certification and risk
   CableLabs 1988
       Solve interoperability problems
   FCC testing
       Adoption of external standards
Problems with Product Testing
   The more attributes exist, the more
    difficult it becomes to achieve
    acceptable assurance
       Boundary value testing
       Modular design can help in some situations
            Restrictive software interfaces
            Restrictive physical limitations
   Future products
Process Certification
   A group’s maturity or discipline is linked to
    their ability to repeat past successes
       Intuitive for manufacturing
       Difficult when domain changes
            Information products are in constant evolution
       Institutional knowledge
       Costly for small companies
       Certifications sometimes viewed as a checklist
        item
   Ex: ISO 9000, CMMI
Security Certification
   Malicious users
   Difficult to correctly describe a system
       Need all parties involved
   Difficult to correctly evaluate a system
       How do we know when to stop?
            Appropriate level of assurance?

   Documented model ?= implemented model
   Ex-post factors:
       Removal from market
       Assurance by insurance
   Lag time to market
International Security Certification
   Who authors the protection profiles?
   Who certifies the evaluators?
   Who pays for certification?
       Avoid forum shopping
WiFi
   WiFi and Part 15
       Functionally correct
       Security-wise, a weak standard
            WEP RC4 problem was well understood
            Eventually chose to accept security flaws
   Possibly a simpler problem than SDR
       Predetermined operating conditions
            Band/Power/Mask
FCC Orders
   Orders
       Flexibility to vendors to properly implement
        security
       Failure results in removal of products from
        market and liability consequences
       No TCBs
       Shift from source code evaluation to “high
        level operational description[s] or flow
        diagram[s]”
Findings
   Complexity makes assurance difficult
       Complexity increases with degrees of
        freedom
   Process models may limit innovation
    due to overhead costs
   High levels of assurance expensive
       Limits small companies' ability to innovate
   New methods for evaluation
Findings Cont.
   Continued vigilance in protecting
    existing spectrum users
       Particularly for public safety & aeronautical
   Increasing self determinacy within a
    license
       Assign risk to appropriate parties
   International cooperation on certification
    for compliance
Future Work
   Explore how certification requirements may
    differ between licensing models
   Modeling the impact of a misbehaving device
   Evaluate likelihood of malicious users
       Is spectrum access attractive?
            Self regulating ham radio community
   Effectiveness of ex-ante & ex-post
    protections/regulations at each layer
   John Giacomoni
       john.giacomoni@colorado.edu
       Department of Computer Science
       University of Colorado at Boulder
       Boulder, CO 80309-0430

								