
Systems architecture with the functional safety/security emphasis

Systems Architecture with the Functional Safety-Security emphasis
I was asked to give a talk on the unification of Functional Safety (FuSa) and Security, to which I replied that the two disciplines cannot be viewed separately from Systems Engineering. Instead of talking about safety/security interop, I explained how to build complex systems and how these systems fail. Only when you understand that we do not know how to build absolutely reliable systems and that eventually anything you create fails can you understand how to add reliability and security mechanisms to your solutions. The summary of the presentation is:
  • Envision how your solution will be operated
  • Design for maintainability
  • Add safety concept
  • Add security mechanisms
  • Build for failure


Systems architecture with the functional safety/security emphasis

  1. HSPE Tech Exchange, 8/26/2020. Systems Architecture with the emphasis on Functional Safety and Security Interoperability (title slide)
  2. Agenda
     • Systems Architecture
     • How Systems Fail
     • Functional Safety & Security Interoperability
     • Systems Security
     • Automotive Cluster Example
     • Summary
  3. Systems Engineering. CDIO: Conceive, Design, Implement, and Operate. Diagram labels: Development Phasing, Lifecycle Planning, Lifecycle Integration, Baselines, Engineering Process, Cross-Team Collaboration, Management.
  4. Scope Triangle (Schedule, Cost, Features). Avoid over-engineering! Schedule and Cost are constant!!! Features are the variable: variable functionality creates risks for Schedule and Cost!!!
  5. Functional Requirements
     • Define the problem (what do you want your system to do?)
     • Identify the major use cases (80/20 rule: 20% of your solution satisfies 80% of the requirements)
     • Identify the baselines (standards, existing technologies, etc.)
     • Visualize how your system will be operated
     "If I had an hour to solve a problem and my life depended on the solution, I would spend the first 55 minutes determining the proper question to ask, for once I know the proper question, I could solve the problem in less than five minutes." – Albert Einstein
  6. Non-Functional Requirements: Performance, Accessibility, Security, Scalability, Maintainability, Availability, Deployability, Extensibility.
  7. Architecture Concepts
     1. The most obvious approach might be to imagine the future you want and build it. Unfortunately, that doesn't work that well because technology co-evolves with people. It's a two step—technology pushes people to move forward and then people move past technology and it has to catch up. The way we see the future is constantly evolving and the path you take to get there matters. In technical terms we can call this 'continuous improvement.'
     2. Establish a modular and composable design, making it possible to (1) use your system in different (standardized) configurations and applications and (2) evolve it as the requirements and technologies change.
     3. Control (or manage) and reduce complexity!
     "Civilization advances by extending the number of important operations we can perform without thinking about them." – Alfred North Whitehead
  8. Safety Concepts
     • Safe Life: each element is strong enough to stay intact for the entire life cycle.
     • Fail Safe: one element may fail; the other elements are strong enough to stay intact for a limited time; inspection required!!
  9. Security Concepts: three possible approaches to security
     1. Find all flaws and fix them; test your system to death!
     2. Demonstrate directly that a system is secure using formal methods. This moves or reduces the problem to another one: you must have a secure model!
     3. Accept that the world is not perfect and that absolute security is not achievable:
        − Insecurity exists,
        − Insecurity cannot be destroyed,
        − Insecurity can be moved around,
        − As the number of bugs (defects) in your system goes to zero, the number of vulnerabilities goes to infinity!
  10. Agenda (section divider; next section: How Systems Fail)
  11. Resilience
     − All system components eventually fail.
     − Excessive complexity decreases resilience.
     − Resilience engineering must balance the number and types of resilience techniques against the complexity.
     We do not know how to build 100% reliable systems; we only know how to manage risk!
  12. Wings fall off of massive airplane (photo). Source: Fox News
  13. Toyota Unintended Acceleration
     • Toyota Lexus ES 350 sedan reached 100 mph+
     • 911 emergency phone call from a passenger during the event.
     • All 4 occupants killed in the crash.
     • Toyota data on infotainment software shows an expected one "major bug" for every 30 coding rule violations. [Kawana 2004]
     Source: The New York Times
  14. Fault Propagation in Systems (diagram). An Internal Dormant Fault in a component of System 1 (Component A, Component B) becomes an Error and then a Failure; in the Environment a Failure becomes a Hazard and then an Accident. The diagram contrasts a Not-Safe System (Failure → Hazard → Accident) with a Fail-Safe System (Failure Detection/Reaction), a Fault-Tolerant System (Failure Detection/Compensation) and a Fail-Operational System (System 2, System 3: voting or fail-over to a redundant system).
  15. 7 Classes of Hardware Vulnerabilities: 1. permissions and privileges, 2. buffer errors, 3. resource management (shared resources), 4. information leakage, 5. numeric errors, 6. crypto errors, and 7. code injection. Probability of software failure equals 1.
  16. Agenda (section divider; next section: Functional Safety & Security Interoperability)
  17. Safety / Security
     "In many languages, there is only one word for safety and security. In German, for example, the word is 'Sicherheit,' in Spanish it is 'seguridad', in French it is 'sécurité' and in Italian it is 'sicurezza.' According to Merriam-Webster, the primary definition of safety is 'the condition of being free from harm or risk,' which is essentially the same as the primary definition of security, which is 'the quality or state of being free from danger.' Safety and security are clearly interlinked; there is no safety without security and vice-versa." – José Manuel Durão Barroso, President of the European Commission, "EU Action on Nuclear Safety"
     Security is the condition of the system being protected from unintended or unauthorized access, change or destruction. Safety is the condition of being protected from or unlikely to cause danger, risk, or injury. Both Safety and Security ask the same question: how is your system going to fail?!
  18. Three Sides of Functional Safety & Security Engineering: (1) Product, (2) Process, (3) Platform. Diagram labels: Heterogeneous Architecture; Safety Island; Security Island (PKCS 11, FIPS 140-2 L2/3); FuSa (ISO 26262); SDL (SAE/ISO 21434); ASIL; Security Process; Safety/Security Architecture; Device Reliability & Trustworthiness; Platform Hardening for Safety and Security; Safety & Security Architecture; Functional Safety: Self-Test and Recovery (STAR), Safety Island; Security: SDL (ISO 21434), the principle of least privilege (POLP), Security Island.
  19. The V (safe and secure platform development; the arrow means that activities happen in parallel)
     Phases: Requirements Analysis (Requirements and Ideation, the C in CDIO!) → System Architecture → HW/SW Design → HW/SW Implementation (Code and HW Implementation Reviews) → HW/SW Test → System Integration → System Test → Maintenance and Upgrades (Operation, the O in CDIO!)
     Security Activities: Threat Analysis and Risk Assessment; Security Goals; Security Architecture; Attack Tree Analysis (ATA); Functional and Penetration Tests; Integration and Penetration Tests; Validate Security Assumptions; Incident Response Plan
     Safety Activities: Hazard Analysis and Risk Assessment; Safety Goals; System Safety Concept; FMEA, FTA, FMEDA; Guidelines, Reviews, Analyses; Test Safety Mechanisms; Test Safety Mechanisms; Validate Safety Assumptions
     Acronyms: Failure Mode and Effects Analysis (FMEA), Fault Tree Analysis (FTA), Failure Modes, Effects, and Diagnostic Analysis (FMEDA)
  20. Safety/Security Requirements Flow
     Functional Safety Flow: 1. Definition of concept → 2. Safety scope and definition → 3. Hazard Analysis and Risk Assessment (HARA) → 4. Safety requirements
     Security Flow: 5. Definition of security environment → 6. Threat Analysis and Risk Assessment (TARA) → 7. Security objectives → 8. Security requirements
     Unified (System Architecture) Flow: 9. Overall Hazard and Risk Analysis → 10. Safety/Security requirements → 11. Safety/Security requirements allocation
  21. TARA (concept diagram). Nodes: Owner, Asset, Threat, Attacker, Attack Potential, Malicious Action, Point of Attack, Security Goals. Relations on the edges: "has a value for", "with regard to", "with risk of", "has", "for execution of", "performed at", "reduced by".
  22. HARA (FuSa) and TARA Done Together. TARA: the concept diagram of slide 21. HARA: Define the safety item → Determine features to realize the safety item → Determine malfunctions of functions → Determine operational scenarios → Identify possible hazards (effects) → Safety Goals.
  23. Incoming Message (the checks a received message passes before an application consumes it)
     Message Received → Integrity Check → Sender Authentication → Authorization → Message Consumed by an App
     Safety mechanism: CRC (integrity check). Security mechanisms: MAC/Signature (integrity check), Source Address Plausibility Checks (sender authentication), Source Access ACL (authorization).
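The receive-side pipeline of slide 23 as an added illustration (not code from the talk): a CRC for the safety integrity check, then an HMAC, a source plausibility check and an ACL for the security checks, in that order. The frame layout, the shared key, the source addresses and the ACL are all constructed for the example; a real ECU would hold the key in an HSM or on the security island.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed shared key; a real ECU would keep it in an HSM / security island.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Constructed access-control list: which source address may emit which message type.
ACL = {
    0x10: {"speed", "rpm"},       # powertrain ECU
    0x20: {"warning_lamp"},       # body controller
}
MAC_LEN = 32  # HMAC-SHA256 tag

# Constructed frame layout: source(1) | type_len(1) | type | payload | crc32(4) | mac(32)
def build_frame(source: int, msg_type: str, payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: append the CRC (safety) and then the MAC over body+CRC (security)."""
    t = msg_type.encode()
    body = struct.pack("BB", source, len(t)) + t + payload
    body_crc = body + struct.pack(">I", zlib.crc32(body))
    return body_crc + hmac.new(key, body_crc, hashlib.sha256).digest()

def check_incoming(frame: bytes, key: bytes = SHARED_KEY):
    """Receive side; returns (accepted, stage) where stage names the first failed check."""
    if len(frame) < 2 + 4 + MAC_LEN:
        return False, "integrity"
    body_crc, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
    body, crc = body_crc[:-4], struct.unpack(">I", body_crc[-4:])[0]
    # 1. Integrity check (safety): catches random corruption on the bus, not a deliberate change
    if zlib.crc32(body) != crc:
        return False, "integrity"
    # 2. MAC / signature (security): catches deliberate modification and forged frames
    expected = hmac.new(key, body_crc, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "mac"
    source, tlen = struct.unpack("BB", body[:2])
    msg_type = body[2:2 + tlen].decode(errors="replace")
    # 3. Sender authentication: source address plausibility (is this a known sender at all?)
    if source not in ACL:
        return False, "sender"
    # 4. Authorization: source access ACL (may this sender emit this message type?)
    if msg_type not in ACL[source]:
        return False, "authorization"
    return True, "accepted"
```

The CRC alone would accept a frame whose payload and CRC were both rewritten; the MAC is what makes that a rejected frame, which is why the slide lists both under integrity.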
  24. Agenda (section divider; next section: Systems Security)
  25. Information Security Goals
     1. Secure boot
     2. Secure auditing and logging
     3. Authentication and authorization
     4. Session management
     5. Input validation and output encoding
     6. Exception management
     7. Key management, cryptography
     8. Security of data at rest
     9. Security of data in motion
     10. Configuration management
     11. Incident response and patching
     Together, these formulate the end-to-end security architecture for the product and thus should be considered alongside one another, not in isolation. Also, each of the categories has many sub-topics within it. For example, under authentication and authorization there are aspects of discretionary access controls and mandatory access controls to consider. Security policies for the product are an outcome of the implementation decisions made during development across these categories. We already know that a "control" strategy fails worse than a "resilience" strategy.
  26. Cyberattacks to CPS Control Layers (table: control layer vs attack class). Control layers: Regulatory Control, Supervisory Control. Deception attacks: spoofing, replay, set-point change, measurement substitution, controller substitution. DoS attacks: physical jamming, network flooding, increase in latency, operational disruption.
     Estimation of CPS risks by naively aggregating risks due to reliability and security failures leads to grossly suboptimal responses to CPS risks. To thwart the outcomes that follow sentient opponent actions, diversity of mechanism is required.
  27. The Honeymoon Effect
     Design specifications miss important security details that appear only in code. For most programmers it's hard enough to get the code into a state where the compiler reads it and correctly interprets it; worrying about making human-readable code is a luxury. The software industry needs to change its outlook from trying to achieve code perfection to recognizing that code will always have security bugs.
     [Plot: Vulnerabilities per Month (failure rate, 0 to 0.09) against Months since Release (1 to 11).] Current Software Engineering literature supports the Brooks life-cycle model; image taken from "Post-release reliability growth in software products", ACM Trans. Softw. Eng. Methodol. 2008.
  28. Cryptography ≠ Security / Cryptographic Agility
     "Whoever thinks his problem can be solved using cryptography, doesn't understand his problem and doesn't understand cryptography." – attributed by Roger Needham and Butler Lampson to each other
     Cryptography rots, just like food. Every key and every algorithm has a shelf life; some have a very short one.
     • How long do you need your cryptographic keys or algorithms to be secure? This is the cryptography shelf life (x years).
     • How long will it take to extract secrets out of your system? This is the end of the honeymoon (z years).
     • What are your parameters to reduce the attack surface and to update keys or algorithms? ξ (pronounced Xi)
     If z < x + ξ, improve your architecture and infrastructure!
  29. Agenda (section divider; next section: Automotive Cluster Example)
  30. Mixed-Criticality Cluster (diagram)
  31. Graphics Fail-Safe Step By Step
     1. Monitor parses the configuration file for checking criteria
     2. Cluster app requests Screen to display a symbol
     3. Cluster app requests Monitor to check the rendered symbol
     4. Monitor retrieves the framebuffer from Screen
     5. Monitor performs the check according to the criteria from (1)
     6. Monitor notifies the cluster app of the checking results
     7. Cluster app decides the course of action
     Safety Architecture! Increases complexity and attack surface!!!
  32. Add Security Mechanisms
     1. Monitor parses the configuration file for checking criteria (Was the file tampered with? Is the monitor trusted?)
     2. Cluster app requests Screen to display a symbol (Does the application run in a trusted sandbox? Is the application trusted?)
     3. Cluster app requests Monitor to check the rendered symbol
     4. Monitor retrieves the framebuffer from Screen
     5. Monitor performs the check according to the criteria from (1)
     6. Monitor notifies the cluster app of the checking results
     7. Cluster app decides the course of action
     Diagram annotations: Does the application trust the message? Was the configuration file tampered with? Is the application trusted? Is the monitor trusted?
     Security Architecture! It is done after the Safety Mechanism has been added!
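The seven-step fail-safe monitor of slides 31 and 32 in one runnable sketch, added here and not part of the talk: the safety mechanism (an independent monitor reads the framebuffer back and compares it with criteria from a configuration file) with two of slide 32's security mechanisms layered on top (the configuration file is authenticated before it is parsed; only a trusted application may request a check). The 8x8 framebuffer, the symbol table, the HMAC-tagged JSON configuration format, the key and the trusted-app allowlist are constructed for the example.

```python
import hashlib
import hmac
import json

CONFIG_KEY = b"constructed-config-key"   # constructed; in practice it would come from the security island
TRUSTED_APPS = {"cluster-app"}           # constructed allowlist of requesters the monitor trusts
W, H = 8, 8                              # constructed framebuffer: 8x8 pixels, one byte per pixel
SYMBOLS = {"low_oil": (1, 1, 3, 2, 0xC8)}  # constructed symbol table: x, y, w, h, colour

class Screen:
    def __init__(self):
        self.fb = bytearray(W * H)
    def display(self, symbol: str) -> None:
        """Step 2: constructed renderer, draws the symbol as a filled rectangle."""
        x, y, w, h, colour = SYMBOLS[symbol]
        for yy in range(y, y + h):
            for xx in range(x, x + w):
                self.fb[yy * W + xx] = colour

def region_digest(fb, x, y, w, h) -> str:
    rows = b"".join(bytes(fb[yy * W + x:yy * W + x + w]) for yy in range(y, y + h))
    return hashlib.sha256(rows).hexdigest()

def sign_config(criteria: dict, key: bytes = CONFIG_KEY) -> bytes:
    """Build the configuration file: JSON criteria plus an HMAC tag on the last line."""
    body = json.dumps(criteria, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

class Monitor:
    def __init__(self, config_file: bytes, key: bytes = CONFIG_KEY):
        # Step 1 with security: authenticate the file before parsing it (was it tampered with?)
        body, _, tag = config_file.rpartition(b"\n")
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("configuration file failed authentication")
        self.criteria = json.loads(body)
    def check(self, requester: str, symbol: str, screen: Screen) -> str:
        # Step 3 with security: only a trusted application may request a check
        if requester not in TRUSTED_APPS:
            return "untrusted-requester"
        c = self.criteria.get(symbol)
        if c is None:
            return "no-criteria"
        # Steps 4-5: read the framebuffer back and compare the region with the criteria
        actual = region_digest(screen.fb, c["x"], c["y"], c["w"], c["h"])
        return "ok" if actual == c["digest"] else "mismatch"

def cluster_app(monitor: Monitor, screen: Screen, symbol: str) -> str:
    screen.display(symbol)                                  # step 2
    result = monitor.check("cluster-app", symbol, screen)   # steps 3-6
    # Step 7: the app decides; anything but "ok" drives the fail-safe reaction
    return "displayed" if result == "ok" else "fail-safe:" + result

def golden_criteria() -> dict:
    """Constructed golden reference: digest of a correctly rendered low_oil symbol."""
    s = Screen()
    s.display("low_oil")
    x, y, w, h, _ = SYMBOLS["low_oil"]
    return {"low_oil": {"x": x, "y": y, "w": w, "h": h, "digest": region_digest(s.fb, x, y, w, h)}}
```

Note what the added checks do not answer: whether the monitor itself is trusted has to come from the platform (secure boot, the safety island), not from the monitor's own code, which is the point of slide 32's "Is the monitor trusted?".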
  33. Summary
     • Envision how your solution will be operated
     • Design for maintainability
     • Add safety concept
     • Add security mechanisms
     • Build for failure
  34. Legal Disclaimer. The information in this presentation is provided for information only and is not to be relied upon for any other purpose than educational. The views expressed in this presentation are the views of the presenter and not Intel Corporation ("Intel"). The presenter and Intel make no representations or warranties regarding the accuracy or completeness of the information in this presentation. Neither Intel nor the presenter accept any duty to update this presentation based on more current information. Neither Intel nor the presenter are liable for any damages, direct or indirect, consequential or otherwise, that may arise, directly or indirectly, from the use or misuse of the information in this presentation. © 2020 Intel Corporation.