Dependability and its Threats: A Taxonomywebhost.laas.fr/TSF/IFIPWG/Top3/02-Laprie.pdf · Non...

Dependability and its Threats:A Taxonomy

Al Avizienis Jean-Claude Laprie Brian Randell

18th IFIP World Computer Congress

Dependability: ability to deliver service that can justifiably be trusted

Service delivered by a system: its behavior as it is perceived by itsuser(s)

User: another system that interacts with the former

Function of a system: what the system is intended to do

(Functional) Specification: description of the system function

Correct service: when the delivered service implements the systemfunction

Service failure: event that occurs when the delivered service deviatesfrom correct service, either because the system does not comply with

the specification, or because the specification did not adequatelydescribe its function

Failure modes: the ways in which a system can fail, ranked according tofailure severities

Part of system state that may cause a subsequent service failure: errorAdjudged or hypothesized cause of an error: fault

Dependability: ability to avoid service failures that are more frequent

or more severe than is acceptable

When service failures are more frequent or more severe thanacceptable: dependability failure

Absenceof catastrophic

consequences onthe user(s) and the environment

Continuityof service

Readinessfor usage

Absence of unauthorized

disclosure of information

Absenceof improper

systemalterations

Ability toundergo

repairs andevolutions

SafetyReliability ConfidentialityAvailability Integrity Maintainability

Dependability

Security

Authorized actions

Absence of unauthorized access to, or handling of, system state

Fault

Prevention

Fault

ToleranceFault

RemovalFault

Forecasting

SafetyReliability ConfidentialityAvailability Integrity Maintainability

Faults Errors FailuresActivation Propagation Causation

FaultsFailures …… Causation

Attributes

Availability

Reliability

Safety

Confidentiality

Integrity

Maintainability

Dependability Means

Fault Prevention

Fault Tolerance

Fault Removal

Fault Forecasting

Threats

Faults

Errors

Failures

Situation

Relationship between dependability and security

Alternate definition of dependability

Service failures distinguished from dependability failures

Expanded classification of faults, including criterion of capabilityin the classification of human-made non-malicious faults

competence

Dependability issues of the development process development failures

Dependability related to dependence and trust

Dependability compared with high confidence, survivability,trustworthiness

Faults Errors Failures

Phase of creationor occurrence

Development faults

Operational faults

System boundariesInternal faults

External faults

DimensionHardware faults

Software faults

Phenomenologicalcause

Natural faults

Human-made faults

PersistencePermanent faults

Transient faults

FaultsFailures ……

CapabilityAccidental faults

Incompetence faults

ObjectiveMalicious faults

Non-malicious faults

Service Threats

Faults

Phase of creation

or occurrence

System boundaries

Phenomenological

cause

Dimension

Objective

Intent

Capability

Persistence Per Per Per Per Per Per Per Per Per Per Per Per Tr Per Tr Tr Tr Tr Per Tr Per Tr PerTr PerTr Tr Tr Per Tr

Acc Inc Acc Inc Acc Inc Acc Inc Acc Acc Acc Acc Inc Acc Inc Acc Inc Acc Inc

NonDel

Del Del Del NonDel

Del NonDel

NonDel

NonDel

NonDel

Del Del Del DelNonDel

NonMalicious

NonMalicious

MalMal

Software Hardware

NonMal

NonMal

NonMal

NonMalicious

NonMalicious

Mal Mal

Hdw Hdw Hdw Hardware Software

Human-made Human-madeNat Nat Nat

Internal Internal External

Development Operational

Development Faults Physical Faults Interaction Faults

Per

Faults

Phase of creation

or occurrence

System boundaries

Phenomenological

cause

Dimension

Objective

Intent

Capability



NonDel

Del Del Del NonDel

Del NonDel

NonDel

NonDel

NonDel


NonMalicious

NonMalicious

MalMal

Software Hardware

NonMal

NonMal

NonMal

NonMalicious

NonMalicious

Mal Mal






Per

SoftwareFlaws

LogicBombs

Hardw Errata

Produc Defects

Faults

Phase of creation

or occurrence

System boundaries

Phenomenological

cause

Dimension

Objective

Intent

Capability



NonDel

Del Del Del NonDel

Del NonDel

NonDel

NonDel

NonDel


NonMalicious

NonMalicious

MalMal

Software Hardware

NonMal

NonMal

NonMal

NonMalicious

NonMalicious

Mal Mal






Per

LogicBombs

Hardw Errata

Produc Defects

PhysDeter

PhysicalInterference

IntrusionAttempts

Faults

Phase of creation

or occurrence

System boundaries

Phenomenological

cause

Dimension

Objective

Intent

Capability



NonDel

Del Del Del NonDel

Del NonDel

NonDel

NonDel

NonDel


NonMalicious

NonMalicious

MalMal

Software Hardware

NonMal

NonMal

NonMal

NonMalicious

NonMalicious

Mal Mal






Per

PhysicalInterference

IntrusionAttempts

VW

InputMistakes

Human-made Faults

Non-malicious MaliciousObjective

IntentNon-deliberate

(Mistake)Deliberate

(Bad decision)Deliberate

Accidental Incompetence Accidental IncompetenceCapability

Interaction(operators,

maintainers)&

Development(designers)

Malicious logicfaults:

logic bombs,Trojan horses,

trapdoors,viruses,

worms,zombies

Intrusionattempts

Individuals&

organizations

Decision by

independent

professional

judgement by

board of enquiry or

legal proceedings

in court of law

Faults Errors Failures

Signaled failures

Unsignaled failuresDetectability

FaultsFailures ……

ConsistencyConsistent failures

Inconsistent failures

Consequences

Minor failures

Catastrophic failures

Domain

Content failures

Early timing failures

Late timing failures

Halt failures

Erratic failures

Service Threats

Fault Error FailureFailure… …Fault

Error

altersserviceFacility for

stoppingrecursion

Context

dependent

PropagationActivation Causation

Interactionor

composition

Activationreproducibility

Solid

(hard)faults

Elusive

(soft)faults

Elusive permanent faultsand

Transient faults

Intermittent faults

Interaction

faults

Prior presence

of avulnerability:

Internal faultthat enables

an external

fault to harmthe system

Non-malicious faults

15-20%2~ 60%1Development

40-50%1~ 20%2Human-made interaction *

15-20%2~ 10%3Physical interaction

15-20%2~ 10%3Physical internal

ProportionRankProportionRankFaults

Larger, controlledsystems

(e.g., Commercialairplanes; telephone

network; webapplications)

Computer systems

(e.g., Transactions,

Electronic switching,Back-end servers)

Number of failures

[consequences and outage

durations highlyapplication-dependent]

* Root analysis evidences that they often can be traced to

development faults

NetCraft — Uptime statistics (Dec 1, 2003)

Top 50 most requested sites

12849

0

200

400

600

800

1000

1200

1400

1600

1800

4389

6298

2605

1895

1337

1312

1084

1027

936

809

744

695

611

avg

max

Avg 92

Avg 259

www.whitehouse.govwww.google.com

www.daiko-lab.co.jp

www.microsoft.com

Number of requests

Up

tim

e (

hours

)

Yearly survey on computer damages in France — CLUSIF (2000, 2001, 2002)

Occurrence impact

3 year trends stable increase decrease

Occurrences

Risk perception

0

5,0%

10,0%

15,0%

20,0%

25,0%

Internal failures Loss of

essential services

Naturalevents

Physical accidents

Utilization errors

Design errorsVirus

infection

Targetted logic

attacks

Disclosures and frauds

Image damage

Thefts

Physical sabotage

Non malicious causes71%

Malicious causes29%

Non malicious causes29%

Internal failures

Loss of essential services

Naturalevents

Physical accidents

Utilization errors

Design errorsVirus

infection

Targetted logic

attacks

Disclosures and frauds

Image damage

Thefts

Physical sabotage

Malicious causes71%

10,0%

20,0%

30,0%

Loss ess. serv.

Int. fail.

Nat events

Util. err.

Des. err.

Virus Infec.

Thefts

High

Average

Low

Non malicious causes Malicious Causes

0%

20%

40%

60%

80%

100%

Global Information Security Survey 2003 — Ernst & Young

0% 5% 10% 15% 20%

Hardware failures

Software failure

Third party failure

Infrastructure failure

DDOS attack

Natural disaster

Malicious technical acts

Business partner misconduct

Telecommunications failures

Viruses and worms

Operational errors

System capacity failure

Employee misconduct

Inadvertent act of bus. partner(s)

Former employee misconduct

Non malicious faults81%

Malicious faults19%

Development failures

Development process terminates before the system

is accepted for use and placed into service

Inadequate

design wrt

functionality

or

performance

Incomplete

or faulty

specifications

Excessive

number of

specification

changes

Too many

development

faults

Insufficient

predicted

dependability

Faulty

estimates of

development

costs

Partial development failures

Budget or schedule overruns

Downgrading to less functionality, performance, dependability

3881Estimated lost value for software projects in the USA, in G$

225250Total estimated budget for software projects in the USA, in G$

52%61%Left functions for challenged projects

82%89%Overruns for challenged projects

15%31%Canceled projects

51%53%Challenged projects (completed and operational but over-budget, over the time estimate, and offers fewer features andfunctions than originally specified)

34%16%Successful projects (completed on-time and on-budget, with allfeatures and functions as initially specified)

13,5228,380Number of surveyed projects

20021994

Standish Group (Chaos reports)

Dependability and its attributes

Definitions of dependability

Original definition: ability to deliver service that canjustifiably be trusted

Aimed at generalizing availability, reliability, safety,

confidentiality, integrity, maintainability, that arethen attributes of dependability

Alternate definition: ability to avoid service failures that

are more frequent or more severe than is acceptable

A system can, and usually does, fail. Is it however

still dependable ? When does it become

undependable ?

criterion for deciding whether or not, in spite of

service failures, a system is still to be regarded asdependable.

Dependability and security

Dependability SecurityAuthorized

actions

Availability

Reliability

Safety

Confidentiality

Integrity

Maintainability

Dependence and trust

Dependence of system A on system B is the extent

to which system A’s dependability is (or would be)affected by that of system B

Trust: accepted dependence

1) hostile attacks(from hackers orinsiders)

2) environmental

disruptions(accidental disruptions,either man-made ornatural)

3) human and

operator errors (e.g.,

software flaws,mistakes by humanoperators)

1) attacks (e.g.,

intrusions, probes,denials of service)

2) failures (internally

generated events dueto, e.g., softwaredesign errors,hardware degradation,human errors,corrupted data)

3) accidents(externally generatedevents such as naturaldisasters)

• internal and

external threats

• naturally

occurring hazards

and malicious

attacks from a

sophisticated and

well-funded

adversary

1) development

faults (e.g., software

flaws, hardware errata,malicious logic)

2) physical faults(e.g., productiondefects, physicaldeterioration)

3) interaction faults(e.g., physicalinterference, inputmistakes, attacks,including viruses,worms, intrusions)

Threats

present

assurance that a

system will perform

as expected

capability of a

system to fulfill its

mission in a timely

manner

consequences of

the system

behavior are well

understood and

predictable

1) ability to deliver

service that can

justifiably be

trusted

2) ability of a

system to avoid

service failures that

are more frequent

or more severe

than is acceptable

Goal

TrustworthinessSurvivabilityHigh ConfidenceDependabilityConcept

Conclusion

Further discussion

Confidentiality

Trust and risk management

Human-machine interactions

Unified measures of dependability wrt nonmalicious and malicious faults

+New technologies, such as emerging from bio-info-nano convergence

Dependability and its Threats: A Taxonomywebhost.laas.fr/TSF/IFIPWG/Top3/02-Laprie.pdf · Non...

Documents

Transcript of Dependability and its Threats: A Taxonomywebhost.laas.fr/TSF/IFIPWG/Top3/02-Laprie.pdf · Non...