2.xii - dependability and security

Question 1

term proposed by Laprie (1995) to cover the related systems attributes of availability, reliability, safety, and security

Answer 1

dependability

Question 2

enumeration

4 reasons dependability of systems is now MORE important than their detailed functionality

Answer 2

1. system failures affect a large number of people
2. users often reject systems that are unreliable, unsafe, or insecure
3. system failure costs may be enormous
4. undependable systems may cause information loss

Question 3

If this functionality were left out of the system, only a small number of users would be affected. System failures, which affect the availability of a system, potentially affect all users of the system. Failure may mean that normal business is impossible.

Answer 3

system failures affect a large number of people

Question 4

If users find that a system is unreliable or insecure, they will refuse to use it. Furthermore, they may also refuse to buy or use other products from the same company that produced the unreliable system, because they believe that these products are also likely to be unreliable or insecure.

Answer 4

users often reject systems that are unreliable, unsafe, or insecure

Question 5

For some applications, such as a reactor control system or an aircraft navigation system, the cost of system failure is orders of magnitude greater than the cost of the control system.

Answer 5

system failure costs may be enormous

Question 6

Data is very expensive to collect and maintain; it is usually worth much more than the computer system on which it is processed. The cost of recovering lost or corrupt data is usually very high.

Answer 6

undependable systems may cause information loss

Question 7

is always a part of a broader system

Answer 7

software

Question 8

enumeration

3 considerations when designing a dependable system

Answer 8

1. hardware failure
2. software failure
3. operational failure

Question 9

system hardware may fail because of mistakes in its design, because components fail as a result of manufacturing errors, or because the components have reached the end of their natural life.

Answer 9

hardware failure

Question 10

System software may fail because of mistakes in its specification, design, or implementation.

Answer 10

software failure

Question 11

human users may fail to use or operate the system correctly. As hardware and software have become more reliable, failures in operation are now, perhaps, the largest single cause of system failures.

Answer 11

operational failure

Question 12

Some classes of system are (1) where system failure may result in injury to people, damage to the environment, or extensive economic losses

Answer 12

critical systems

Question 13

a property of the system that reflects its trustworthiness

Answer 13

dependability of a computer system

Question 14

degree of confidence a user has that the system will operate as they expect

Answer 14

trustworthiness

Question 15

[true or false]

it is meaningful to express dependability numerically

Answer 15

false; we use relative terms such as ‘not dependable,’ ‘very dependable,’ and ‘ultra-dependable’ to reflect the degrees of trust that we might have in a system

Question 16

enumeration

4 principal dimensions to dependability

Answer 16

1. availability
2. reliability
3. safety
4. security

Question 17

probability that it will be up and running and able to deliver useful services to users at any given time.

Answer 17

availability

Question 18

probability, over a given period of time, that the system will correctly deliver services as expected by the user.

Answer 18

reliability

Question 19

a judgment of how likely it is that the system will cause damage to people or its environment.

Answer 19

safety

Question 20

judgment of how likely it is that the system can resist accidental or deliberate intrusions.

Answer 20

security

Question 21

[true or false]

these 4 principal dependability properties are not all applicable to all systems

Answer 21

true

Question 22

enumeration

4 other system properties as dependability properties

Answer 22

1. repairability
2. maintainability
3. survivability
4. error tolerance

Question 23

(1) in software is enhanced when the organization using the system has access to the source code and has the skills to make changes to it. Open source software makes this easier but the reuse of components can make it more difficult.

Answer 23

repairability

Question 24

the software can be adapted economically to cope with new requirements, and where there is a low probability that making changes will introduce new errors into the system.

Answer 24

maintainability

Question 25

is the ability of a system to continue to deliver service whilst under attack and, potentially, whilst part of the system is disabled.

Answer 25

survivability

Question 26

enumeration

3 strategies used to enhance survivability

Answer 26

1. resistance to attack
2. attack recognition
3. recovery from the damage cause by an attack

Question 27

This property can be considered as part of usability and reflects the extent to which the system has been designed so that user input errors are avoided and tolerated. When user errors occur, the system should, as far as possible, detect these errors and either fix them automatically or request the user to reinput their data.

Answer 27

error tolerance

Question 28

enumeration

ensure these 4 to develop a DEPENDABLE software

Answer 28

1. avoid the introduction of accidental errors into the system during software specification and development.
2. design verification and validation processes that are effective in discovering residual errors that affect the dependability of the system.
3. design protection mechanisms that guard against external attacks that can compromise the availability or security of the system.
4. configure the deployed system and its supporting software correctly for its operating environment.

Question 29

[true or false]

assume that your software is not perfect and no software failures may occur

Answer 29

false; assume that your software is not perfect and THAT software failures may occur

Question 30

dependable systems have to include redundant code to help them monitor themselves, detect erroneous states, and recover from faults before failures occur.

Answer 30

need for fault tolerance

Question 31

are high for systems that must be ultra-dependable such as safetycritical control systems.

Answer 31

validation costs

Question 32

[true or false]

As testing is very expensive, this dramatically decreases the cost of high-dependability systems.

Answer 32

false; As testing is very expensive, this dramatically INCREASES the cost of high-dependability systems.

Question 33

probability of failure-free operation over a specified time, in a given environment, for a specific purpose.

Answer 33

reliability

Question 34

probability that a system, at a point in time, will be operational and able to deliver the requested services.

Answer 34

availability

Question 35

One of the practical problems in developing reliable systems

Answer 35

our intuitive notions of reliability and availability are sometimes broader than these limited definitions

Question 36

[true or false]

The standard definitions of availability and reliability do not take into account
the severity of failure or the consequences of unavailability

Answer 36

true; people often accept minor system failures but are very concerned about serious failures that have high consequential costs

Question 37

Human behavior that results in the introduction of faults into a system. For example, in the wilderness weather system, a programmer might decide that the way to compute the time for the next transmission is to add 1 hour to the current time. This works except when the transmission time is between 23.00 and midnight (midnight is 00.00 in the 24-hour clock).

Answer 37

human error or mistake

Question 38

A characteristic of a software system that can lead to a system error. The fault is the inclusion of the code to add 1 hour to the time of the last transmission, without a check if the time is greater than or equal to 23.00.

Answer 38

system fault

Question 39

An erroneous system state that can lead to system behavior that is unexpected by system users. The value of transmission time is set incorrectly (to 24.XX rather than 00.XX) when the faulty code is executed.

Answer 39

system error

Question 40

An event that occurs at some point in time when the system does not deliver a service as expected by its users. No weather data is transmitted because the time is invalid.

Answer 40

system failure

Question 41

[true or false]

System faults do always result in system errors and system errors do not necessarily result in system failures

Answer 41

System faults DO NOT always result in system errors and system errors do not necessarily result in system failures

Question 42

enumeration

3 reasons why system faults =/= system errors and system errors =/= system failures

Answer 42

1. not all code in a program is executed
2. errors are transient
3. system may include fault detection and protetion mechanisms

Question 43

The code that includes a fault (e.g., the failure to initialize a variable) may never be executed because of the way that the software is used.

Answer 43

not all code in a program is executed

Question 44

A state variable may have an incorrect value caused by the execution of faulty code. However, before this is accessed and causes a system failure, some other system input may be processed that resets the state to a valid value.

Answer 44

errors are transient

Question 45

ensure that the erroneous behavior is discovered and corrected before the system services are affected

Answer 45

system may include fault detection and protetion mechanisms

Question 46

enumeration

3 complementary approaches to improve reliability of a system

Answer 46

1. fault avoidance
2. fault detection and removal
3. fault tolerance

Question 47

Development techniques are used that either minimize the possibility of human errors and/or that trap mistakes before they result in the introduction of system faults. Examples of such techniques include avoiding error-prone programming language constructs such as pointers and the use of static analysis to detect program anomalies.

Answer 47

fault avoidance

Question 48

The use of verification and validation techniques that increase the chances that faults will be detected and removed before the system is used. Systematic testing and debugging is an example of a faultdetection technique.

Answer 48

fault detection and removal

Question 49

These are techniques that ensure that faults in a system do not result in system errors or that system errors do not result in system failures. The incorporation of self-checking facilities in a system and the use of redundant system modules are examples of fault tolerance techniques.

Answer 49

fault tolerance

Question 50

are systems where it is essential that system operation is always safe

Answer 50

safety-critical systems

Question 51

simpler to implement and analyze
than software control

Answer 51

hardware control of safety-critical systems

Question 52

enumeration

2 classes of safety-critical software

Answer 52

1. primary safety-critical software
2. secondary safety-critical software

Question 53

This is software that is embedded as a controller in a system. Malfunctioning of such software can cause a hardware malfunction, which results in human injury or environmental damage. The insulin pump software, introduced in Chapter 1, is an example of a primary safety-critical system. System failure may lead to user injury.

Answer 53

primary safety-critical software

Question 54

This is software that can indirectly result in an injury. An example of such software is a computer-aided engineering design system whose malfunctioning might result in a design fault in the object being designed. This fault may cause injury to people if the designed system malfunctions. Another example of a secondary safety-critical system is the mental health care management system, MHC-PMS. Failure of this system, whereby an unstable patient may not be treated properly, could lead to that patient injuring themselves or others.

Answer 54

secondary safety-critical software

Question 55

enumeration

4 reasons software systems that are reliablie =/= safe

Answer 55

1. never 100% sure that a system is fault-free and fault-tolerant
2. specification may be incomplete and not describe required behavior of the system
3. hardware malfunctions may cause system to behave in unpredictable way
4. system operators may generate inputs that are not individually incorrect but can lead to a system malfunction

Question 56

An unplanned event or sequence of events which results in human death or injury, damage to property, or to the environment. An overdose of insulin is an example of an accident.

Answer 56

accident (or mishap)

Question 57

A condition with the potential for causing or contributing to an accident. A failure of the sensor that measures blood glucose is an example of a hazard.

Answer 57

hazard

Question 58

A measure of the loss resulting from a mishap. Damage can range from many people being killed as a result of an accident to minor injury or property damage. Damage resulting from an overdose of insulin could be serious injury or the death of the user of the insulin pump.

Answer 58

damage

Question 59

An assessment of the worst possible damage that could result from a particular hazard. Hazard severity can range from catastrophic, where many people are killed, to minor, where only minor damage results. When an individual death is a possibility, a reasonable assessment of hazard severity is ‘very high.’

Answer 59

hazard severity

Question 60

The probability of the events occurring which create a hazard. Probability values tend to be arbitrary but range from ‘probable’ (say 1/100 chance of a hazard occurring) to ‘implausible’ (no conceivable situations are likely in which the hazard could occur). The probability of a sensor failure in the insulin pump that results in an overdose is probably low.

Answer 60

hazard probability

Question 61

This is a measure of the probability that the system will cause an accident. The risk is assessed by considering the hazard probability, the hazard severity, and the probability that the hazard will lead to an accident. The risk of an insulin overdose is probably medium to low.

Answer 61

risk

Question 62

enumeration

3 ways to assure safety through minimal to zero accident consequences

Answer 62

1. hazard avoidance
2. hazard detection and removal
3. damage limitation

Question 63

The system is designed so that hazards are avoided. For example, a cutting system that requires an operator to use two hands to press separate buttons simultaneously avoids the hazard of the operator’s hands being in the blade pathway.

Answer 63

hazard avoidance

Question 64

The system is designed so that hazards are detected and removed before they result in an accident. For example, a chemical plant system may detect excessive pressure and open a relief valve to reduce these pressures before an explosion occurs.

Answer 64

hazard detection and removal

Question 65

The system may include protection features that minimize the damage that may result from an accident. For example, an aircraft engine normally includes automatic fire extinguishers. If a fire occurs, it can often be controlled before it poses a threat to the aircraft.

Answer 65

damage limitation

Question 66

An analysis of serious accidents by (1) suggests that they were almost all due to a combination of failures in different parts of a system

Answer 66

(Perrow, 1984)

Question 67

a system attribute that reflects the ability of the system to protect itself from external attacks, which may be accidental or deliberate

Answer 67

security

Question 68

Something of value which has to be protected. The asset may be the software system itself or data used by that system.

Answer 68

asset

Question 69

Possible loss or harm to a computing system. This can be loss or damage to data, or can be a loss of time and effort if recovery is necessary after a security breach.

Answer 69

exposure

Question 70

A weakness in a computer-based system that may be exploited to cause loss or harm.

Answer 70

vulnerability

Question 71

An exploitation of a system’s vulnerability. Generally, this is from outside the system and is a deliberate attempt to cause some damage.

Answer 71

attack

Question 72

Circumstances that have potential to cause loss or harm. You can think of these as a system vulnerability that is subjected to an attack.

Answer 72

threats

Question 73

A protective measure that reduces a system’s vulnerability. Encryption is an example of a control that reduces a vulnerability of a weak access control system.

Answer 73

control

Question 74

example give the term

The records of each patient that is receiving or has received treatment.

Answer 74

asset

Question 75

example give the term

Potential financial loss from future patients who do not seek treatment because they do not trust the clinic to maintain their data. Financial loss from legal action by the sports star. Loss of reputation.

Answer 75

exposure

Question 76

example give the term

A weak password system which makes it easy for users to set guessable passwords. User ids that are the same as names.

Answer 76

vulnerability

Question 77

example give the term

An impersonation of an authorized user.

Answer 77

attack

Question 78

example give the term

An unauthorized user will gain access to the system by guessing the credentials (login name and password) of an authorized user.

Answer 78

threat

Question 79

example give the term

A password checking system that disallows user passwords that are proper names or words that are normally included in a dictionary.

Answer 79

control

Question 80

enumeration

3 types of security threats

Answer 80

1. Threats to the confidentiality of the system and its data
2. Threats to the integrity of the system and its data
3. Threats to the availability of the system and its data

Question 81

These can disclose information to people or programs that are not authorized to have access to that information.

Answer 81

Threats to the confidentiality of the system and its data

Question 82

These threats can damage or corrupt the software or its data.

Answer 82

Threats to the integrity of the system and its data

Question 83

These threats can restrict access to the software or its data for authorized users.

Answer 83

Threats to the availability of the system and its data

Question 84

enumeration

3 controls to put in place to enhance system security

Answer 84

1. Vulnerability avoidance
2. Attack detection and neutralization
3. Exposure limitation and recovery

Question 85

Controls that are intended to ensure that attacks are unsuccessful. The strategy here is to design the system so that security problems are avoided. For example, sensitive military systems are not connected to public networks so that external access is impossible. You should also think of encryption as a control based on avoidance. Any unauthorized access to encrypted data means that it cannot be read by the attacker. In practice, it is very expensive and time consuming to crack strong encryption.

Answer 85

Vulnerability avoidance

Question 86

Controls that are intended to detect and repel attacks. These controls involve including functionality in a system that monitors its operation and checks for unusual patterns of activity. If these are detected, then action may be taken, such as shutting down parts of the system, restricting access to certain users, etc.

Answer 86

Attack detection and neutralization

Question 87

Controls that support recovery from problems. These can range from automated backup strategies and information ‘mirroring’ to insurance policies that cover the costs associated with a successful attack on the system.

Answer 87

Exposure limitation and recovery

Question 88

can lead to large economic losses, serious information loss, physical damage, or threats to human life.

Answer 88

Failure of critical computer systems

Question 89

a system property that reflects the user’s degree of trust in the system. The most important dimensions of dependability are availability, reliability, safety, and security.

Answer 89

dependability of a computer system

Question 90

related to the probability of an error occurring in operational use. A program may contain known faults but may still be experienced as reliable by its users. They may never use features of the system that are affected by the faults.

Answer 90

perceived reliability

Question 91

system attribute that reflects the system’s ability to operate, normally or abnormally, without injury to people or damage to the environment.

Answer 91

safety of a system

Question 92

[true or false]

If a system is unreliable, it is easier to ensure system safety or security, as they may be compromised by system failures.

Answer 92

false; If a system is unreliable, it is DIFFICULT to ensure system safety or security, as they may be compromised by system failures.