Reference: TRT-Fr/STI/LSEC/SPA,14/0048
ITEA2 project #11011
2012 – 2015
MERgE: Multi-Concerns Interactions
System Engineering
Stéphane Paul – Thales Research & Technology
SafeComp ISSE Workshop 2014, Florence
September 8th, 2014
Context and project rationale
Context
• IT systems grow larger and more complex, whilst their engineering suffers
from increased cost-reduction pressure, hence:
• Model Based Engineering (MBE)
• Separation of Concerns (i.e. Multi-Viewpoint Engineering)
• Safety-critical systems have a long engineering history, with well-established
standards, methods & tools, but:
• Extended connectivity → growing security concerns!
• How to manage the interactions between concerns?
Project Goal
• Build your own engineering workbench suited to your needs
(incl. trade-offs between user-defined concerns)
• Using a generic meta-tooling environment
• Specific guidance concerning safety and security co-engineering
Project Work Breakdown & Presentation Outline
The MERgE platform: core results
Polarsys Kitalpha (open-source software)
• Multi-viewpoint meta-workbench
https://www.polarsys.org/projects/polarsys.kitalpha
SIRIUS (open-source software)
• Enables the specification of a modelling workbench in terms of graphical
or table editors, with validation rules and actions, using declarative
descriptions
https://projects.eclipse.org/projects/modeling.sirius
The MERgE platform: core results [coming soon]
Design Patterns Technology
Integration of Kermeta CVL (open-source software)
• Variability modelling (Common Variability Language standard),
with customisation of the semantics of CVL variation points (Kermeta)
Architecture Multi-criteria Evaluation Framework
And more…
Test Cases – On-going Validation
Automotive Test Case – Melexis
• Design of the sensors (embedded software/firmware, hardware design)
• Safety verification and certification, reuse, integration, variability
Communications Test Case (Software-Defined Radio) – Thales
• (Re-)programmable software, secure communications, open system
architecture, architecture evaluation
Aerospace Test Case – SpaceApplications
• Dependable embedded and real-time on-board software development process
Industrial Control Test Case
• Focus on post-development assessment (i.e. assurance)
Advanced concepts in S&S co-engineering
Essentially state-of-the-art work
• Report on open issues in security and safety concern integration (D3.4.1), March 2014
• Recommendations for security and safety co-engineering (D3.4.2), 1st draft, June 2014
Some initial engineering trials
• J. Brunel, L. Rioux, S. Paul, A. Faucogney, F. Vallée, "Formal Safety and Security Assessment of an Avionic Architecture with Alloy", 3rd International Workshop on Engineering Safety and Security Systems (ESSS'14), EPTCS, 2014, pp. 8–19, Singapore, May 13, 2014. DOI: 10.4204/EPTCS.150.2
• P. Bieber, J. Brunel, "From Safety Models to Security Models: Preliminary Lessons Learnt", ISSE workshop (at 2 PM today)
• J. Brunel, D. Chemouil, L. Rioux, M. Bakkali, F. Vallée, "A Viewpoint-Based Approach for Formal Safety & Security Assessment of System Architectures", ModeVVA'14 workshop, MODELS conference, Valencia, Spain (to be published)
And to conclude…
Bringing grist for the (panel-discussion) mill!
3 assumptions
3 proposals
Assumptions
Assumption n°1: Industrial safety and security engineering
processes / methods are difficult, and at best very slow, to
change, because they are:
• Domain standard-related
• Customer RFT (Request For Tender)-related
• Legacy-related
• Proprietary-related
• Etc.
Grounds supporting that assumption
• Most (if not all) standards are specialty-specific (if not domain-specific)
• The state of the art shows that numerous co-engineering processes have
been proposed, but none has really emerged
Assumptions
Assumption n°2: Safety and security jargon is difficult, and
at best very slow, to change, because it is:
• Specialty community-related
• Process-related
• Domain standard-related
• Customer RFT-related
• Legacy-related
• Proprietary-related
• Etc.
Grounds supporting that assumption
• Communities of specialty experts are and remain apart
• There is no common glossary
Assumptions
Assumption n°3: Safety and security tools are diverse, but tend
towards a formalisation of their conceptual data model, in particular:
• To suppress ambiguities & ensure coverage
• To support analyses
• To support interchange between tools
Grounds supporting that assumption
• The DO-178C / ED-12C standards now acknowledge the use of formal
methods (through the DO-333 / ED-216 formal methods supplement)
• Fault trees, AltaRica, (attack trees)… support formal analyses
• OpenPSA initiative
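Assumption n°3 lists fault trees and attack trees among the formalisms that support analyses and interchange. The following is an added example, not code from the presentation or from the MERgE platform: both kinds of tree are AND/OR trees over basic events, so one formal data model and one minimal-cut-set analysis serve both specialties, and a security tree can reuse a leaf that the safety team already modelled. Every event name and tree below is constructed for illustration.

```python
"""Minimal cut sets over one AND/OR tree model shared by both specialties.

A fault tree (safety) and an attack tree (security) are both AND/OR trees
over basic events, so a single data model and a single analysis can serve
both. All events and trees below are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Basic event (leaf): a random failure or an attacker step."""
    name: str
    specialty: str  # "safety" or "security": the team that owns the leaf


@dataclass(frozen=True)
class Gate:
    """Intermediate event combining its children with AND or OR."""
    name: str
    kind: str        # "AND" or "OR"
    children: tuple  # of Event | Gate


def minimise(cut_sets):
    """Keep only minimal cut sets: drop any set that strictly contains another."""
    return frozenset(s for s in cut_sets if not any(o < s for o in cut_sets))


def minimal_cut_sets(node):
    """Return the minimal cut sets of `node` as a frozenset of frozensets of Events.

    OR: union of the children's cut sets. AND: every combination of one cut
    set per child, merged. Both are followed by subset minimisation, so the
    result lists only cut sets that are necessary and sufficient.
    """
    if isinstance(node, Event):
        return frozenset({frozenset({node})})
    child_sets = [minimal_cut_sets(child) for child in node.children]
    if node.kind == "OR":
        combined = frozenset().union(*child_sets)
    elif node.kind == "AND":
        combined = frozenset({frozenset()})
        for cuts in child_sets:
            combined = frozenset(a | b for a in combined for b in cuts)
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    return minimise(combined)


def single_points(node):
    """Order-1 cut sets: one failure or one attacker step is enough on its own."""
    return {next(iter(cs)) for cs in minimal_cut_sets(node) if len(cs) == 1}


def mixed_cut_sets(node):
    """Cut sets combining safety and security leaves: scenarios that neither
    specialty sees in its own tree, i.e. the co-engineering cases of interest."""
    return {cs for cs in minimal_cut_sets(node)
            if len({e.specialty for e in cs}) > 1}


# Constructed basic events for a navigation display (illustrative only).
GPS_FAULT = Event("GPS receiver hardware fault", "safety")
INS_DRIFT = Event("Inertial unit drifts beyond tolerance", "safety")
DISPLAY_FAULT = Event("Display driver corrupts the position", "safety")
GPS_SPOOF = Event("Spoofed GPS signal accepted", "security")
MAINT_PORT = Event("Maintenance port reachable in flight", "security")
FIRMWARE_SWAP = Event("Display firmware replaced", "security")

# Safety view: random failures only.
SAFETY_TREE = Gate("Wrong position (random failures)", "OR", (
    Gate("Both navigation sources lost", "AND", (GPS_FAULT, INS_DRIFT)),
    DISPLAY_FAULT,
))

# Security view: the GPS/INS cross-check defeats spoofing on its own, so the
# attacker also needs the INS to be wrong; that leaf is the safety team's
# work product, reused rather than re-modelled.
ATTACK_TREE = Gate("Wrong position (malicious)", "OR", (
    Gate("Cross-check defeated", "AND", (GPS_SPOOF, INS_DRIFT)),
    Gate("Tampered display firmware", "AND", (MAINT_PORT, FIRMWARE_SWAP)),
))

# Common top event over both views.
COMBINED = Gate("Wrong position displayed", "OR", (SAFETY_TREE, ATTACK_TREE))


if __name__ == "__main__":
    for cs in sorted(minimal_cut_sets(COMBINED), key=len):
        print(f"order {len(cs)}: " + " AND ".join(sorted(e.name for e in cs)))
    print("single points:", [e.name for e in single_points(COMBINED)])
    print("mixed safety/security cut sets:",
          [sorted(e.name for e in cs) for cs in mixed_cut_sets(COMBINED)])
```

The combined tree yields four minimal cut sets; the display fault is the only single point, and the spoofing-plus-drift set is the one that appears in neither specialty's own analysis, which is exactly what a shared formal model is meant to surface.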
Way Forward Proposals
Proposal n°1: Intermediate safety and security work
products can be shared, as long as the specialty-specific jargon
is maintained for each specialty
• Definition of a Safety and Security Common Model (cross-fertilisation?)
• Mapping between specialty concepts and the Common Model
• Specialties retain the concepts that cannot be shared
Question: is the mapping independent of the abstraction level?
[Figure: table with columns "Common Model", "Safety Model", "Security Model"; row pairing the safety "Hazard" with the security "Feared Event"; cell "Target level of safety"]
Looking into conceptual models (on-going work)
Analysed standards
• ISO/IEC 15408
• IEC 61508
• ISO 27k
• ED-109 / DO-178C
Way Forward Proposals
Proposal n°2: Work on common intermediate safety and
security work products should be transparent for each
specialty, except in case of conflict / inconsistency
• Cases of conflict / inconsistency should be analysed
• Which hypothesis drives the design: safety-first or security-first?
• Can conflicts / inconsistencies be detected, and how?
• Is there a need for automated support for their resolution?
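Proposals n°1 and n°2 can be sketched in a few lines. The following is an added example, not part of the presentation or of the MERgE platform: specialty concepts (Hazard, Feared Event) are mapped onto a common undesired event while keeping their private attributes (target level of safety, attacker profile), shared requirements traced to those events are checked for the cases where safety and security demand different values for the same design property, each specialty is shown only the conflicts it is party to, and a safety-first or security-first hypothesis is applied as a reviewable resolution rather than silently. Concept names, design elements and requirements are all constructed.

```python
"""Common safety/security model with per-specialty mappings, plus an
automated conflict check over shared intermediate work products.

All concept names, mapping rules and requirements below are constructed
for this example; they are not MERgE artefacts.
"""
from collections import defaultdict
from dataclasses import dataclass


# --- Specialty models: each keeps its own jargon and private attributes ---
@dataclass(frozen=True)
class Hazard:
    """Safety concept."""
    name: str
    severity: str                 # e.g. "catastrophic"
    target_level_of_safety: str   # retained by the safety specialty only


@dataclass(frozen=True)
class FearedEvent:
    """Security concept."""
    name: str
    asset: str
    attacker_profile: str         # retained by the security specialty only


# --- Common model: only what both specialties can meaningfully share ---
@dataclass(frozen=True)
class UndesiredEvent:
    name: str
    origin: str                   # "safety" or "security"


def to_common(concept):
    """Map a specialty concept onto the common model; attributes with no
    counterpart in the other specialty are deliberately not carried across."""
    if isinstance(concept, Hazard):
        return UndesiredEvent(concept.name, "safety")
    if isinstance(concept, FearedEvent):
        return UndesiredEvent(concept.name, "security")
    raise TypeError(f"no common-model mapping for {type(concept).__name__}")


@dataclass(frozen=True)
class Requirement:
    """Shared work product: a constraint one specialty puts on a design
    element, traced to the undesired event it mitigates."""
    element: str                  # design element, e.g. "equipment_bay_door"
    prop: str                     # constrained property
    value: str                    # demanded value
    specialty: str                # who wrote it
    mitigates: UndesiredEvent


def detect_conflicts(requirements):
    """Return {(element, prop): [requirements]} for every property on which
    two different specialties demand different values."""
    by_key = defaultdict(list)
    for req in requirements:
        by_key[(req.element, req.prop)].append(req)
    return {key: reqs for key, reqs in by_key.items()
            if len({r.value for r in reqs}) > 1
            and len({r.specialty for r in reqs}) > 1}


def review_queue(requirements, specialty):
    """Only the conflicts this specialty is party to; the rest of the shared
    work products stays transparent to it."""
    return {key: reqs for key, reqs in detect_conflicts(requirements).items()
            if any(r.specialty == specialty for r in reqs)}


def resolve(conflicts, precedence):
    """Apply a safety-first or security-first hypothesis: keep the precedence
    specialty's value and return the overridden requirements for review."""
    resolutions = {}
    for key, reqs in conflicts.items():
        kept = [r for r in reqs if r.specialty == precedence]
        overridden = [r for r in reqs if r.specialty != precedence]
        resolutions[key] = (kept[0].value if kept else None, overridden)
    return resolutions


# Constructed sample: one hazard, two feared events, requirements from both sides.
TRAPPED = to_common(Hazard("Crew trapped in equipment bay during fire",
                           "catastrophic", "1e-9 per hour"))
INTRUSION = to_common(FearedEvent("Unauthorised access to equipment bay",
                                  "equipment_bay", "insider"))
SUPPRESSED = to_common(FearedEvent("Fire alarm suppressed by an attacker",
                                   "fire_alarm_controller", "remote"))

REQUIREMENTS = [
    # Genuine conflict: evacuation wants the door open, access control wants it shut.
    Requirement("equipment_bay_door", "state_on_fire_alarm", "unlocked", "safety", TRAPPED),
    Requirement("equipment_bay_door", "state_on_fire_alarm", "locked", "security", INTRUSION),
    # Both specialties agree: nothing to review.
    Requirement("fire_alarm_controller", "remote_reconfiguration", "disabled", "safety", TRAPPED),
    Requirement("fire_alarm_controller", "remote_reconfiguration", "disabled", "security", SUPPRESSED),
    # Single-specialty constraint: never a conflict by itself.
    Requirement("equipment_bay_door", "access_logging", "on", "security", INTRUSION),
]


if __name__ == "__main__":
    conflicts = detect_conflicts(REQUIREMENTS)
    for key, reqs in conflicts.items():
        print("conflict on", key, {r.specialty: r.value for r in reqs})
    kept, overridden = resolve(conflicts, "safety")[("equipment_bay_door", "state_on_fire_alarm")]
    print("safety-first keeps", kept, "and overrides", [r.specialty for r in overridden])
```

Detection here is purely syntactic (same element and property, different demanded values); whether the precedence rule is the right one is a design decision, which is why `resolve` hands the overridden requirements back instead of discarding them.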
Way Forward Proposals
Proposal n°3: A new tooled-up process may be acceptable to
industry if it is solely an add-on to existing processes,
with added value coming from formal analyses
• The proposed technique must be proven in the other specialty
• Choice of the most relevant abstraction level(s)
• Definition of the process(es)
• Will new processes have synchronisation side-effects on existing processes?
• Definition of the supporting tools
Questions?
For more details
Project Coordinator: Charles Robinson
Web site: http://www.merge-project.eu/
Consortium