
Real-Time Systems. Design Principles for Distributed Embedded Applications. Herman Kopetz. Second Edition (811374), page 44


Text from the file (page 44)

In such a system, an error can propagate outside the affected component solely by the transmission of an incorrect message. In order to avoid that a propagated error infects other – up to that time healthy – components and thus invalidates the component independence assumption, error propagation boundaries must be erected around each component. A message can be incorrect either in the value domain (the data field of the message contains a corrupted value) or in the time domain, i.e., the message is sent at an unintended instant or not at all (omission failure). Temporal message failures can be detected by the communication system, provided the communication system has a priori knowledge about the correct temporal behavior of a component. Since a communication system is agnostic about the contents of the value field of a message (see Sect. 4.6.2), it is the responsibility of the receiver of the message to detect corrupted values, i.e., errors, in the data field of a message.

In a cyclic system, the corruption of the g-state (see Sect. 4.2.3) is of particular concern, since the g-state contains the information of the current cycle that influences the behavior of the next cycle. Since a latent error in the g-state can become an incorrect input to a computation in the next cycle, a gradual increase in the number of errors in the g-state can occur (called state erosion). If the g-state is empty, then there is no possibility of error propagation of an error from the current cycle to the next cycle.
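The two propagation boundaries described above, worked through in code as an added example (this is not code from Kopetz's book): the communication system judges the time domain of each message from its a priori knowledge of the sender's schedule (untimely send, omission), the receiver judges the value domain with a CRC over the data field, and an independent diagnostic task re-verifies a checksum over the g-state between cycles so that a latent error cannot erode the state used by the next cycle. The schedule, the message layout, the choice of CRC-32 and every name are assumptions of this example.

```python
"""Error-propagation boundary for a cyclic component (added example, not from the book)."""
from __future__ import annotations
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender: str
    send_instant: float   # instant at which the message was actually sent
    payload: bytes        # data field
    crc: int              # CRC-32 of the data field, computed by the sender


def make_message(sender: str, send_instant: float, payload: bytes) -> Message:
    return Message(sender, send_instant, payload, zlib.crc32(payload))


# A priori knowledge of the communication system (constructed): each sender must
# transmit at period_start + phase, within +/- jitter.
SCHEDULE = {"sensor": {"phase": 2.0, "jitter": 0.5}}


def temporal_check(msg: Message, period_start: float) -> str:
    """Time-domain check, done by the communication system rather than the receiver."""
    slot = SCHEDULE[msg.sender]
    expected = period_start + slot["phase"]
    return "ok" if abs(msg.send_instant - expected) <= slot["jitter"] else "untimely"


def value_check(msg: Message) -> bool:
    """Value-domain check, done by the receiver: the data field must match its CRC."""
    return zlib.crc32(msg.payload) == msg.crc


def filter_incoming(messages: list[Message], period_start: float):
    """The propagation boundary: only messages correct in both domains get through."""
    accepted, errors = [], []
    for m in messages:
        verdict = temporal_check(m, period_start)
        if verdict != "ok":
            errors.append((m.sender, verdict))
            continue
        if not value_check(m):
            errors.append((m.sender, "corrupt_value"))
            continue
        accepted.append(m)
    # Omission failure: a scheduled sender that did not send at all in this period.
    for sender in SCHEDULE:
        if not any(m.sender == sender for m in messages):
            errors.append((sender, "omission"))
    return accepted, errors


class CyclicComponent:
    """Component whose g-state is carried from one cycle to the next under a checksum."""

    def __init__(self, initial_state: int = 0):
        self.g_state = initial_state
        self.g_state_crc = self._crc(initial_state)

    @staticmethod
    def _crc(state: int) -> int:
        return zlib.crc32(state.to_bytes(8, "big", signed=True))

    def cycle(self, inputs: list[int]) -> int:
        # The computation of this cycle reads the g-state left by the previous one.
        self.g_state = (self.g_state + sum(inputs)) % 1000
        self.g_state_crc = self._crc(self.g_state)
        return self.g_state


def diagnostic_task(comp: CyclicComponent) -> bool:
    """Independent diagnostic task: re-verify the g-state before the next cycle uses it."""
    return CyclicComponent._crc(comp.g_state) == comp.g_state_crc


def simulate() -> dict:
    """Four periods, one failure kind each, then a latent g-state fault (all constructed)."""
    comp, log = CyclicComponent(), {}

    def run(period_start: float, messages: list[Message]):
        accepted, errors = filter_incoming(messages, period_start)
        comp.cycle([int.from_bytes(m.payload, "big") for m in accepted])
        return comp.g_state, errors

    log["timely"] = run(0.0, [make_message("sensor", 2.1, (5).to_bytes(4, "big"))])
    log["untimely"] = run(10.0, [make_message("sensor", 17.0, (5).to_bytes(4, "big"))])
    good = make_message("sensor", 22.0, (7).to_bytes(4, "big"))
    corrupted = Message(good.sender, good.send_instant, b"\x00\x00\x00\x09", good.crc)
    log["corrupt_value"] = run(20.0, [corrupted])
    log["omission"] = run(30.0, [])
    comp.g_state ^= 0x10          # constructed latent fault: state changed, checksum not
    log["g_state_intact"] = diagnostic_task(comp)
    return log


if __name__ == "__main__":
    for name, result in simulate().items():
        print(name, result)
```

Note that the time-domain verdict is produced without looking at the payload, and the value-domain verdict without looking at the clock: the two checks sit at different places in the architecture, exactly as the text assigns them. A CRC detects corruption but not a deliberately forged message; the authenticity of messages is the subject of Sect. 6.2.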

In order to avoid error propagation from one cycle to the next cycle, the integrity of the g-state should be monitored by a special error detection task of an independent diagnostic component.

6.2 Information Security

Information security deals with the authenticity, integrity, confidentiality, privacy, and availability of information and services that are provided by a computer system. In the following section, we always mean information security when we use the term security. We call a deficiency in the design or operation of a computer system that can lead to a security incident a vulnerability and the successful exploitation of a vulnerability an intrusion.

The following reasons make clear why information security has become a prime concern in the design and operation of embedded systems [Car08]:

1. Controllers are computers. Over the past few years, hard-wired electronic controllers have been replaced by programmable computers with non-perfect operating systems, making it possible for an outsider to exploit the vulnerabilities of the software system.
2. Embedded systems are distributed. Most embedded systems are distributed, with wire-bound or wire-less channels connecting the nodes. An outside intruder can use these communication channels to gain access to the system.
3. Embedded systems are connected to the Internet. The connection of an embedded system to the Internet makes it possible for an intruder anywhere in the world to attack a remote system and to systematically exploit any detected vulnerability.

As of today, there is normally a human mediator between the cyberspace (e.g., the Internet) and actions in the physical world. Humans are supposed to have common sense and responsibility.

They are able to recognize an evidently wrong computer output and will not set any actions in the physical world based on such a wrong output. The situation is different in embedded systems connected directly to the Internet – the Internet-of-Things (IoT), where the smart object at the edge of the Internet (e.g., a robot) can immediately interact with the physical world. An adversary can compromise the integrity of the embedded system by breaching the security walls, thus becoming a safety hazard. Alternatively, an adversary can carry out a denial-of-service attack and thus bring down the availability of an important service. Security and safety are thus interrelated and of utmost concern in embedded systems that are connected to the Internet.

Example: Let us assume that an owner of a vacation home can set the temperature of the thermostat of his electric furnace in the vacation home remotely via the Internet. If an adversary gets control of the thermostat he can elevate the temperature to a high level and increase the energy consumption significantly. If the adversary executes this attack on all vacation homes in a neighborhood, then the total power consumption in the neighborhood might increase beyond the critical level that leads to a blackout (example taken from Koopman [Koo04]).

Standard security techniques are based on a sound security architecture that controls the information flow among subsystems of different criticality and confidentiality. The architectural decisions are implemented by the deployment of cryptographic methods, such as encryption, random number generation, and hashing. The execution of cryptographic methods requires extra energy and silicon real estate, which are not always available in small (portable) embedded systems.

6.2.1 Secure Information Flow

The main security concerns in embedded systems are the authenticity and integrity of the real-time data and of the system configuration, and, to a lesser extent, the control of access to data.

The security policy must specify which processes are authorized to modify data (data integrity) and which processes are allowed to see the data (confidentiality of data). A security policy for data integrity can be established on the basis of the Biba model, while a security policy for the confidentiality of data can be derived from the Bell-LaPadula model [Lan81]. Both models classify the processes and the data files according to an ordered sequence of levels, from highest to lowest. A process may read and modify data that is at the same level as the process. The respective security models govern the access and modification of data at a level that is different from the level of the reading or writing process.

The concern of the Biba model is the integrity of the data, a concern that is highly relevant in multi-criticality embedded systems. The classification of the data files and the processes is determined by the criticality from the point of view of the safety analysis (see Sect. 11.4.2). In order to ensure the integrity of a (high-criticality) process, the (high-criticality) process must not read data that is classified at a lower level than the classification of the (high-criticality) process. In order to ensure that a (low-criticality) process will not corrupt data of a higher criticality level, the Biba model states that no (low-criticality) process may modify data that is at a higher criticality level than that of the (low-criticality) process.

The concern of the Bell-LaPadula model is the confidentiality of the data. The classification of the data files and the processes is determined by the confidentiality of the data from top secret to unclassified. In order to ensure the confidentiality of top-secret data, it must be made certain that no (unclassified) process may read data that is classified at a higher level than the classification of the (unclassified) process. In order to ensure that a (top secret) process will not publish confidential data to a (unclassified) lower level, the Bell-LaPadula model states that no (top secret) process may write data to a data file that is at a lower confidentiality level than that of the (top secret) process.

The classification of processes and data from the point of view of integrity will normally be different from the classification according to the point of view of confidentiality. These differences can lead to a conflict of interest. In case of such a conflict, the integrity concern is the more important concern in embedded systems.

The selected security policy must be enforced by mechanisms that establish the authenticity of processes and the integrity of the data that is exchanged.
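The four rules stated above (Biba: no read down, no write up; Bell-LaPadula: no read up, no write down) as executable access decisions, added here as an example and not taken from the book. The level names, the Label type that carries one classification per model, and the way decide() resolves a disagreement between the two models (the Biba verdict prevails and the conflict is reported, this example's reading of the sentence that the integrity concern is the more important one) are assumptions of this example.

```python
"""Biba and Bell-LaPadula access decisions (added example, not from the book)."""
from dataclasses import dataclass
from enum import IntEnum


class Integrity(IntEnum):
    """Biba levels: criticality as assigned by the safety analysis, low to high."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


class Confidentiality(IntEnum):
    """Bell-LaPadula levels, from unclassified to top secret."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Biba: a process must not read data of lower integrity (it could be corrupted by
# it) and must not modify data of higher integrity (it could corrupt that data).
def biba_read(proc: Integrity, data: Integrity) -> bool:
    return data >= proc


def biba_write(proc: Integrity, data: Integrity) -> bool:
    return data <= proc


# Bell-LaPadula: a process must not read data above its clearance and must not
# write to a file below its clearance (that would publish confidential data).
def blp_read(proc: Confidentiality, data: Confidentiality) -> bool:
    return data <= proc


def blp_write(proc: Confidentiality, data: Confidentiality) -> bool:
    return data >= proc


@dataclass(frozen=True)
class Label:
    """A process or data file carries one label per model; the two are assigned independently."""
    integrity: Integrity
    confidentiality: Confidentiality


def decide(op: str, proc: Label, data: Label) -> tuple:
    """Combined verdict (allowed, reason).

    When the two models disagree, the integrity concern takes precedence, as the
    text states for embedded systems. Letting the Biba verdict decide while
    reporting the conflict for review is this example's choice, not the book's.
    """
    if op == "read":
        biba = biba_read(proc.integrity, data.integrity)
        blp = blp_read(proc.confidentiality, data.confidentiality)
    elif op == "write":
        biba = biba_write(proc.integrity, data.integrity)
        blp = blp_write(proc.confidentiality, data.confidentiality)
    else:
        raise ValueError(f"unknown operation: {op}")
    if biba == blp:
        return biba, "both models agree"
    return biba, f"conflict: Biba says {biba}, Bell-LaPadula says {blp}; integrity prevails"


def access_table(model_read, model_write, levels) -> dict:
    """Enumerate every (process level, data level) pair of one model as 'rw', 'r', 'w' or '-'."""
    table = {}
    for p in levels:
        for d in levels:
            r, w = model_read(p, d), model_write(p, d)
            table[(p.name, d.name)] = ("r" if r else "") + ("w" if w else "") or "-"
    return table


if __name__ == "__main__":
    for pair, rights in access_table(biba_read, biba_write, list(Integrity)).items():
        print("Biba", pair, rights)
    print(decide("read", Label(Integrity.HIGH, Confidentiality.UNCLASSIFIED),
                 Label(Integrity.HIGH, Confidentiality.SECRET)))
```

The two tables produced by access_table() are mirror images of each other: under Biba information may only flow upward in integrity is impossible, so a process can read above and write below its level, whereas under Bell-LaPadula it can read below and write above. The conflict case in decide() is precisely where the two flows point in opposite directions for the same process.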

These mechanisms make wide use of the well-understood cryptographic methods discussed in Sect. 6.2.3.

6.2.2 Security Threats

A systematic security analysis starts with the specification of an attack model. The attack model puts forward an attack hypothesis, i.e., it lists the threats and makes assumptions about the attack strategy of an adversary. It then outlines the conjectured steps taken by an adversary to break into a system. In the next phase a defense strategy is developed in order to counter the attack. There is always the possibility that the attack hypothesis is incomplete and a clever adversary finds a way to attack the system by a method that is not covered by the attack hypothesis.

The typical attacker proceeds according to the following three phases: access to the selected subsystem, search for and discovery of a vulnerability, and finally, intrusion and control of the selected subsystem. The control can be passive or active. In passive control, the attacker observes the system and collects confidential information. In active control, the attacker modifies the behavior of the system such that the system will contribute to the attacker's mean purpose. A security architecture must contain observation mechanisms, i.e., intrusion detection mechanisms, to detect malicious activities that relate to any of these three phases of an attack. It also must provide firewalls and procedures that mitigate the consequences of an attack such that the system can survive.

Access to the system must be prevented by requiring strict adherence to a mandatory access control procedure, where every person or process must authenticate itself and this authentication is verified by callback procedures. Security firewalls play an important role to limit the access to sensitive subsystems to authorized users.

The attacker's search for vulnerabilities can be detected by intrusion detection mechanisms, which can be part of an anomaly detection subsystem (see Sect.
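An added example of the observation mechanisms the text asks for, not code from the book: detection logic run over constructed gateway log lines that flags activity matching each of the three attack phases (a burst of failed mandatory authentications for the access phase, one source touching many different subsystems in a short window for the search phase, and an authenticated but unauthorized principal reaching a sensitive subsystem for the control phase, which the firewall rule also blocks). The log format, the thresholds, the table of sensitive subsystems and the sample log are all assumptions constructed for this example.

```python
"""Anomaly detection for the three attack phases (added example, not from the book)."""
import re
from collections import defaultdict, deque

# One access attempt per line, as the (constructed) gateway would record it.
LOG_RE = re.compile(
    r"t=(?P<t>\d+) src=(?P<src>\S+) principal=(?P<principal>\S+) "
    r"auth=(?P<auth>ok|fail) target=(?P<target>\S+)"
)

# Firewall rule: sensitive subsystems and the only principals allowed to reach them.
SENSITIVE = {"actuator_ctl": {"control_task"}, "config_store": {"maintenance"}}

WINDOW = 60        # seconds of history kept per source
FAIL_LIMIT = 3     # failed authentications within WINDOW -> access-phase alert
PROBE_LIMIT = 3    # distinct subsystems touched within WINDOW -> search-phase alert


def parse(line: str) -> dict:
    m = LOG_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"malformed log line: {line!r}")
    return {"t": int(m["t"]), "src": m["src"], "principal": m["principal"],
            "ok": m["auth"] == "ok", "target": m["target"]}


def detect(lines) -> list:
    """Return (t, alert, src) triples; each alert kind fires once per source."""
    alerts, fired = [], set()
    fails = defaultdict(deque)     # src -> instants of failed authentications
    touched = defaultdict(deque)   # src -> (instant, target) of authenticated accesses

    def raise_once(t, kind, src):
        if (kind, src) not in fired:
            fired.add((kind, src))
            alerts.append((t, kind, src))

    for ev in map(parse, lines):
        t, src = ev["t"], ev["src"]
        if not ev["ok"]:
            # Phase 1 (access): mandatory authentication failed; the request stops here.
            q = fails[src]
            q.append(t)
            while t - q[0] > WINDOW:
                q.popleft()
            if len(q) >= FAIL_LIMIT:
                raise_once(t, "AUTH_FAILURE_BURST", src)
            continue
        # Phase 3 (control): an authenticated but unauthorized principal reaching a
        # sensitive subsystem is stopped by the firewall rule and reported.
        allowed = SENSITIVE.get(ev["target"])
        if allowed is not None and ev["principal"] not in allowed:
            raise_once(t, "UNAUTHORIZED_SENSITIVE", src)
        # Phase 2 (search): one source touching many different subsystems within a
        # short window is the pattern of a search for a vulnerable entry point.
        q = touched[src]
        q.append((t, ev["target"]))
        while t - q[0][0] > WINDOW:
            q.popleft()
        if len({target for _, target in q}) >= PROBE_LIMIT:
            raise_once(t, "PROBE", src)
    return alerts


# Constructed sample log: a failed-login burst, an authenticated operator wandering
# across subsystems into the actuator controller, and one normal access.
SAMPLE_LOG = """\
t=100 src=10.0.0.7 principal=unknown auth=fail target=config_store
t=110 src=10.0.0.7 principal=unknown auth=fail target=config_store
t=115 src=10.0.0.7 principal=unknown auth=fail target=config_store
t=200 src=10.0.0.9 principal=operator auth=ok target=telemetry
t=205 src=10.0.0.9 principal=operator auth=ok target=logging
t=210 src=10.0.0.9 principal=operator auth=ok target=actuator_ctl
t=400 src=10.0.0.3 principal=control_task auth=ok target=actuator_ctl
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The sliding windows are kept per source so that a slow, patient probe spread over many minutes is deliberately not caught by these thresholds; that is the incomplete-attack-hypothesis caveat the text raises, and it is why such detectors are one layer of an anomaly detection subsystem rather than the whole of it.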
