软件安全关键环节.ppt

软件安全需求 软件安全需求的类型 功能需求 如果safe ? correct behaviour那么功能需求也是安全需求 e.g. ATP曲线计算功能 包括条件约束, e.g. ATO 曲线必须在ATP曲线之下 事件响应需求 例如，用于诊断和消除硬件失效的功能 开发和确认程序需求 例如，Safety Integrity / Development Assurance Levels (SILs, DALs…) 危险失效模式的可接受出现概率 例如，omission of command to set signal to red NB: Must be used with extreme care 软件安全需求的易犯错误 假设 往往会缺少假设条件的检查或者遗漏假设条件 Control performance specified by point values Statement “it is obvious that” the behaviour is linear in between Apart from the mode change …! 模糊或不完整描述 Set “alarm when the average level X for more than four seconds” average = mean, mode, …? four seconds continuously, over a minute, …? 过多细节 算法，例如控制方式，但是对于输入，目的没有描述… 软件安全需求 辨识出软件安全需求后应做如下检查： 系统层需求是否分析了所有隐患（hazards）? Each functional requirement subjected to FFA or similar 是否分析了所有软件层需求？ Using HAZOP or similar 是否包括所有(new) DSRs? 对既有需求的改进As modifications to existing requirements 增加既有需求By additions to existing requirements 与相关隐患分析对应Traced back to the relevant hazard analysis Subjected to hazard analysis where they introduce new functions If not – further work is needed 软件安全关键环节 Software Hazard Analysis Software Requirements Software Verification Evidence Causal Analysis Causal Analysis 原因分析 安全分析必须包括软件 在需求分解和系统确认阶段 对于复杂软件，应该考虑每一个软件组件 可以使用传统安全分析方法： FTA more credible, but consider common causes, etc. 基于模型的安全分析技术 e.g. AltaRica developed specifically for this role 在工程实践中，通常使用软件测试和分析 Malfunction of a Complex Software Component – will require further development (e.g. to reflect tripple modular redundancy architecture) “Normal controls from VOBC command movement into unsafe portion of the line” “Internal malfunction of ATO leading to …” Covers: Random failure ofhardware platform Error in ATO software(systematic failure) Potential for common causes (e.g. with ATP malfunctions) due to the reuse of code, specification errors, etc. Potential for common causes due to the shared hardware resources (CPU, RAM, etc) 软件安全关键环节 Software Hazard Analysis Software Requirements Software Verification Evidence