Software LOPA: Approach to Performing a Layers of Protection Analysis for Complex Software



SLIDE 1

Software LOPA

Approach to Performing a Layers of Protection Analysis for Complex Software

OpenTech
Andreas Platschek <andreas.platschek@opentech.at>
May 23, 2017

© Andreas Platschek (OpenTech), May 23, 2017, 1 / 31


SLIDE 3

"Yet further concerns relate to whether a consequence can be so severe that the frequency of the hazardous situation should not be taken into account, thus negating the concept of 'risk' in selecting the appropriate set of implementation techniques. In order to address this concern IEC 61511 formalised the concept of 'layers of protection' requiring diversity between the different layers."

Audrey Canning, in: Functional Safety: Where have we come from? Where are we going?

SLIDE 4

LOPA Principle

[Figure: an identified hazard with the initiating events IE1 to IE5 leading towards it, before any protection layers are added]

IE1-IE5 . . . Initiating Events
IPL1-IPL4 . . . Independent Layers of Protection

SLIDE 5

LOPA Principle

[Figure: the same identified hazard, now with the independent protection layers IPL1 to IPL4 placed between the initiating events IE1 to IE5 and the hazard]

IE1-IE5 . . . Initiating Events
IPL1-IPL4 . . . Independent Layers of Protection


SLIDE 7

LOPA Basics: Properties

Independence
Effectiveness
Auditability


SLIDE 9

Auditability

Open-Source Rules!

If a Software LOPA is doable at all, then open-source software is definitely the prime suspect.

SLIDE 10

Effectiveness

Do the IPLs actually mitigate the hazard?


SLIDE 12

Independence

Multiple layers only make sense if they fail independently!

BUT

"Independence is an important concept, although absolute independence is generally not achievable. ... However, IPLs should be sufficiently independent such that the degree of interdependence is not statistically significant." [1, Section 3.2]

SLIDE 13

Prospective SW IPLs (SIL2LinuxMP Context)

seccomp
cgroups
CPU-shielding
Namespaces
PALLOC
. . .
Code Review (assure restricted use of syscalls)
Static Code Analysis (coccinelle)
Error Handling to detect faults

SLIDE 14

Hardened NooM Container

[Figure: block diagram of the container layout]
  Hardware: CPU 0 with RAM bank 0..n, CPU 1 with RAM bank n+1..m, CPU 2 with RAM bank m+1..i, CPU 3 with RAM bank i+1..j
  SIL 0 Debian Container: glibc, busybox, Monitoring
  SIL 2: Safety app. 32bit FP, with glibc 32bit and seccomp
  SIL 2: Safety app. 64bit INT, with glibc 64bit and seccomp
  All running on the SIL2LinuxMP base system

At present this is the strongest multi-layer approach we are looking


SLIDE 16

Independence of Layers

How to perform LOPA and show INDEPENDENCE of those different protection layers?

Static code analysis
Development data

SLIDE 17

Static Code Analysis

Analyze functions called by subsystems (callgraphs)
Find and analyze overlaps in callgraphs

SLIDE 18

Intersection of Configurations

[Figure: Venn diagram of two function sets, Baseconfig (BASE) and Baseconfig+Seccomp (SEC)]

SLIDE 19

Intersection outside of Baseconfig

[Figure: Venn diagram of three function sets, Baseconfig (BASE), Baseconfig+Seccomp (SEC) and Baseconfig+CGROUPS (CGR)]

(SEC ∩ CGR) \ BASE = ∅

SLIDE 20

Intersection in Baseconfig

[Figure: Venn diagram of the same function sets, highlighting the overlap of SEC and CGR that lies inside Baseconfig]

SLIDE 21

Analysis of Subsystems

[Figure: Venn diagram of funcs_base_both (the Baseconfig functions used by both seccomp and cgroups) with its subsets RCU, atomic and new_funcs_base_both]

SLIDE 22

Preliminary Results

Set                        Nr. Functions
baseconfig                         20829
baseconfig+seccomp                 21401
seccomp                              572
baseconfig+cgroups                 21120
cgroups                              679
both not in baseconfig
funcs_base                         13792
funcs_base_seccomp                  7131
funcs_base_cgroups                  7391
funcs_base_both                     6665
rcu_funcs                           6511
atomic_funcs                         294
new_funcs_base_both                  185
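The set construction behind slides 17 to 22, as an added example that is not part of the original deck or of the SIL2LinuxMP tooling. The callgraph is a small constructed stand-in for what a static analyser emits for a kernel build, and every function name in it is an illustrative placeholder rather than a real kernel symbol. BASE, SEC and CGR follow the slides: the functions reachable from the base configuration, from base+seccomp and from base+cgroups. The sample is deliberately built so that the slide-19 condition fails, which is the case a reviewer needs the tooling to surface.

```python
"""Callgraph set analysis for candidate software IPLs (added example).

BASE = functions reachable from the base configuration
SEC  = functions reachable from base + seccomp
CGR  = functions reachable from base + cgroups
The independence condition of slide 19 is (SEC ∩ CGR) \\ BASE = ∅.
"""
from collections import deque

# Constructed callgraph, caller -> callees. Placeholder names, not real
# kernel symbols. Each "configuration" is modelled by its entry points.
CALLGRAPH = {
    "base_main":     ["sched_tick", "mem_alloc", "lock_acquire"],
    "sched_tick":    ["lock_acquire"],
    "mem_alloc":     ["lock_acquire", "atomic_inc"],
    "lock_acquire":  ["atomic_inc"],
    "atomic_inc":    [],
    "seccomp_entry": ["bpf_run", "filter_check", "lock_acquire"],
    "bpf_run":       ["atomic_inc"],
    "filter_check":  ["shared_helper"],
    "cgroup_entry":  ["dev_check", "css_lookup", "lock_acquire"],
    "dev_check":     ["shared_helper", "rcu_read"],
    "css_lookup":    ["rcu_read"],
    "rcu_read":      [],
    "shared_helper": ["atomic_inc"],   # used by both layers, not by base
}


def reachable(graph, roots):
    """All functions transitively called from roots (roots included)."""
    seen, queue = set(), deque(roots)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        queue.extend(graph.get(fn, []))
    return seen


def overlap_report(graph, base_roots, sec_roots, cgr_roots):
    """Reproduce the rows of the slide-22 table for the given callgraph."""
    base = reachable(graph, base_roots)
    sec_cfg = reachable(graph, list(base_roots) + list(sec_roots))
    cgr_cfg = reachable(graph, list(base_roots) + list(cgr_roots))
    sec_only = sec_cfg - base          # pulled in only by seccomp
    cgr_only = cgr_cfg - base          # pulled in only by cgroups
    sec_uses = reachable(graph, sec_roots)   # everything seccomp itself calls
    cgr_uses = reachable(graph, cgr_roots)   # everything cgroups itself calls
    return {
        "baseconfig": len(base),
        "baseconfig+seccomp": len(sec_cfg),
        "seccomp": len(sec_only),
        "baseconfig+cgroups": len(cgr_cfg),
        "cgroups": len(cgr_only),
        # slide 19: (SEC ∩ CGR) \ BASE, code both layers need that the
        # base configuration never touches
        "both_not_in_baseconfig": sorted(sec_only & cgr_only),
        # slides 20/21: base-configuration functions both layers depend on
        "funcs_base_both": sorted(base & sec_uses & cgr_uses),
    }


def classify_shared(funcs, families=("rcu_", "atomic_")):
    """Bucket shared base functions by prefix, as slide 21 splits them
    into RCU, atomic and the remaining new_funcs_base_both."""
    buckets = {fam: [] for fam in families}
    buckets["new_funcs_base_both"] = []
    for fn in funcs:
        for fam in families:
            if fn.startswith(fam):
                buckets[fam].append(fn)
                break
        else:
            buckets["new_funcs_base_both"].append(fn)
    return buckets


def independence_claim_holds(report):
    """Slide-19 condition: no code shared by both layers outside BASE."""
    return not report["both_not_in_baseconfig"]


if __name__ == "__main__":
    rep = overlap_report(CALLGRAPH, ["base_main"], ["seccomp_entry"], ["cgroup_entry"])
    for key, val in rep.items():
        print(f"{key:24} {val}")
    print("shared base functions by family:", classify_shared(rep["funcs_base_both"]))
    print("independence condition holds:", independence_claim_holds(rep))
```

On this sample the seccomp-only and cgroups-only sets share `shared_helper`, so the slide-19 condition is violated and the report names the offending function; the shared base functions split into one atomic primitive and one locking helper that falls into the new_funcs_base_both bucket, which is the list that needs manual review.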

SLIDE 23

Developers Overlap

                              seccomp        cgroups
Author                        cur    hist    cur    hist
Kees Cook                     2740   26      4      2
Arnaldo Carvalho de Melo      50     2       18     6
Linus Torvalds                44     15      1      139
Daniel Borkmann               61     5       201    6
Paul Mundt                    10     1       1      1
Al Viro                       X      1       X      10
Andrew Morton                 X      1       X      2
Fabian Frederick              X      1       X      2
James Morris                  X      2       X      6
Stephen Rothwell              X      2       X      2
David Howells                 X      3       X      5

cur . . . Number of lines in v4.9.18.
hist . . . Number of commits in all versions.
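How the overlap table above can be produced from the author listings on slides 31 to 34, as an added example that is not part of the deck. The four input strings imitate `sort | uniq -c | sort -nr` output; they are constructed from a handful of the figures shown on those slides, not complete listings. The share function is an addition beyond the slide: it expresses how much of each subsystem's current code was written by the overlapping authors, which is the quantity one would compare against the "not statistically significant" wording quoted on slide 12.

```python
"""Developer-overlap table from git author counts (added example).

`git blame` author lines give lines in the current version ("cur"),
`git log` author lines give commits over all versions ("hist").
"""
import re

COUNT_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

# Constructed sample listings in `uniq -c` format (count, author).
SECCOMP_LINES = """
   2740 Kees Cook
    241 Will Drewry
     50 Arnaldo Carvalho de Melo
     44 Linus Torvalds
"""
SECCOMP_COMMITS = """
     27 Kees Cook
      7 Will Drewry
      2 Arnaldo Carvalho de Melo
     15 Linus Torvalds
      1 Al Viro
"""
CGROUP_LINES = """
   8772 Tejun Heo
     18 Arnaldo Carvalho de Melo
      4 Kees Cook
      1 Linus Torvalds
"""
CGROUP_COMMITS = """
    641 Tejun Heo
    139 Linus Torvalds
     10 Al Viro
      6 Arnaldo Carvalho de Melo
      2 Kees Cook
"""


def parse_uniq_c(text):
    """Parse `uniq -c` output into {author: count}; blank lines are skipped."""
    counts = {}
    for line in text.splitlines():
        m = COUNT_LINE.match(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
    return counts


def developer_overlap(sec_lines, sec_commits, cgr_lines, cgr_commits):
    """Rows (author, sec cur, sec hist, cgr cur, cgr hist) for every author
    with commits in both subsystems. 'X' marks an author whose commits left
    no surviving lines in the current version, as on the slide."""
    common = sorted(set(sec_commits) & set(cgr_commits))
    return [
        (a, sec_lines.get(a, "X"), sec_commits[a], cgr_lines.get(a, "X"), cgr_commits[a])
        for a in common
    ]


def shared_line_share(sec_lines, cgr_lines, overlap_rows):
    """(lines by overlapping authors, total lines) per subsystem."""
    authors = {row[0] for row in overlap_rows}
    sec = (sum(n for a, n in sec_lines.items() if a in authors), sum(sec_lines.values()))
    cgr = (sum(n for a, n in cgr_lines.items() if a in authors), sum(cgr_lines.values()))
    return {"seccomp": sec, "cgroups": cgr}


def build_report():
    sl, sc = parse_uniq_c(SECCOMP_LINES), parse_uniq_c(SECCOMP_COMMITS)
    cl, cc = parse_uniq_c(CGROUP_LINES), parse_uniq_c(CGROUP_COMMITS)
    rows = developer_overlap(sl, sc, cl, cc)
    return rows, shared_line_share(sl, cl, rows)


if __name__ == "__main__":
    rows, share = build_report()
    print(f"{'Author':28}{'sec cur':>9}{'sec hist':>10}{'cgr cur':>9}{'cgr hist':>10}")
    for a, sc_cur, sc_hist, cg_cur, cg_hist in rows:
        print(f"{a:28}{str(sc_cur):>9}{sc_hist:>10}{str(cg_cur):>9}{cg_hist:>10}")
    for name, (shared, total) in share.items():
        print(f"{name}: {shared}/{total} current lines written by overlapping authors")
```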

SLIDE 24

Analysis of Effectiveness

Similar to traditional LOPA . . .
Identify all IEs (Hazard Analysis)
Identify suitable IPLs for each identified IE
Choose IPLs that are used


SLIDE 27

Example

Scenario: An application uses 2 devices, one is only written to, the second one is only read from.

IE: Writing to the read-only device leads to a hazardous situation.

Candidate IPLs:
Error handling.
Source-code review/audit.
cgroups device controller rules prevent wrong access to devices.
seccomp rules check whether system calls for the wrong usage are performed.
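The three steps of slide 24 applied to the scenario above, as an added example that is not part of the deck. It uses the conventional LOPA arithmetic, mitigated frequency = IE frequency times the product of the PFDs of the credited IPLs; the IE frequency and the probability-of-failure-on-demand values are constructed placeholders, since the slides give no numbers. The dependent-pair rule is the tie-in to the independence analysis: where two layers were found to share code, only the stronger of the two is credited.

```python
"""LOPA effectiveness walk-through for the device-access scenario
(added example; frequencies and PFDs are constructed placeholders)."""
from dataclasses import dataclass, field
from functools import reduce


@dataclass(frozen=True)
class IPL:
    name: str
    pfd: float           # probability of failure on demand (constructed)
    mitigates: frozenset  # names of the IEs this layer is effective against


@dataclass
class Scenario:
    ie: str
    frequency: float     # initiating-event frequency per year (constructed)
    ipls: list
    in_use: set          # IPL names actually deployed (slide 24, step 3)
    # pairs judged not sufficiently independent, e.g. because the callgraph
    # analysis found shared code; only the stronger member is credited
    dependent_pairs: set = field(default_factory=set)


def select_ipls(sc):
    """Steps 2 and 3 of slide 24: suitable for this IE, in use, independent."""
    chosen = [l for l in sc.ipls if sc.ie in l.mitigates and l.name in sc.in_use]
    dropped = set()
    for a, b in sc.dependent_pairs:
        la = next((l for l in chosen if l.name == a), None)
        lb = next((l for l in chosen if l.name == b), None)
        if la and lb:
            # the weaker layer is the one with the higher PFD
            dropped.add(max(la, lb, key=lambda l: l.pfd).name)
    return [l for l in chosen if l.name not in dropped]


def credited_names(sc):
    return [l.name for l in select_ipls(sc)]


def mitigated_frequency(sc):
    """IE frequency reduced by every credited IPL."""
    return sc.frequency * reduce(lambda p, l: p * l.pfd, select_ipls(sc), 1.0)


# Slide 27: writing to the read-only device is the initiating event.
WRITE_RO = "write to read-only device"

# Candidate IPLs from slide 27 with constructed PFD values.
IPLS = [
    IPL("error handling", 0.1, frozenset({WRITE_RO})),
    IPL("source-code review", 0.1, frozenset({WRITE_RO})),
    IPL("cgroups device controller", 0.01, frozenset({WRITE_RO})),
    IPL("seccomp", 0.02, frozenset({WRITE_RO})),
]


def make_scenario(in_use, dependent_pairs=()):
    return Scenario(ie=WRITE_RO, frequency=1.0, ipls=IPLS,
                    in_use=set(in_use), dependent_pairs=set(dependent_pairs))


if __name__ == "__main__":
    everything = [l.name for l in IPLS]
    full = make_scenario(everything)
    print("all four credited:", credited_names(full), mitigated_frequency(full))
    shared = make_scenario(everything, [("seccomp", "cgroups device controller")])
    print("seccomp/cgroups dependent:", credited_names(shared), mitigated_frequency(shared))
    no_review = make_scenario(n for n in everything if n != "source-code review")
    print("review not performed:", credited_names(no_review), mitigated_frequency(no_review))
```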

SLIDE 28

Evidence

Let's check it out!

SLIDE 29

Literature

[0] IEC 61511: Functional safety – Safety instrumented systems for the process industry sector.
[1] Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis. Center for Chemical Process Safety.
[2] Ed Marszal and Eric Scharpf: Safety Integrity Level Selection – Systematic Methods Including Layer of Protection Analysis.
[3] Lines of Defence/Layers of Protection Analysis in the COMAH Context. Prepared by Amey VECTRA Limited for the Health and Safety Executive, http://www.hse.gov.uk/research/misc/vectra300-2017-r02.pdf
[4] Audrey Canning: Functional Safety: Where have we come from? Where are we going?

SLIDE 30

Questions?

Ask now, or e-mail me later!
Andreas Platschek <andreas.platschek@opentech.at>

SLIDE 31

Seccomp Developers

Commits over all versions (git log prints one author line per commit that touched the matched files; the pattern is quoted so the shell does not expand it):

    linux-stable$ find . -name '*seccomp*.[ch]' | \
        xargs git log --no-merges --format="%an" | sort | \
        uniq -c | sort -nr
         27 Kees Cook
          7 Will Drewry
          7 Andy Lutomirski
          7 Alexei Starovoitov
          5 Daniel Borkmann
          4 Mickaël Salaün
          4 Matt Redfearn
          3 Ralf Baechle
          3 David Howells
          3 Andrea Arcangeli

SLIDE 32

cgroup developers

Commits over all versions (git log prints one author line per commit that touched the matched files):

    linux-stable$ find . -name '*cgroup*.[ch]' | \
        xargs git log --no-merges --format="%an" | sort | \
        uniq -c | sort -nr
        641 Tejun Heo
        137 Li Zefan
         42 Paul Menage
         29 Vivek Goyal
         22 Al Viro
         18 Aristeu Rozanski
         15 Ben Blum
         13 Lai Jiangshan
         12 Daniel Wagner
         11 Johannes Weiner

SLIDE 33

seccomp developers

Lines in current version (git blame --line-porcelain prints one author line per source line of the checked-out files):

    linux-stable$ for FILE in $(find . -name '*seccomp*.[ch]'); do \
        git blame --line-porcelain "$FILE" | grep -E "^author "; done | \
        cut -d " " -f 2- | sort | uniq -c | sort -nr
       2740 Kees Cook
        241 Will Drewry
        100 Andy Lutomirski
         89 Tycho Andersen
         69 Matt Redfearn
         61 Daniel Borkmann
         55 AKASHI Takahiro
         50 Arnaldo Carvalho de Melo
         48 David Howells
         44 Linus Torvalds

SLIDE 34

cgroups developers

Lines in current version (git blame --line-porcelain prints one author line per source line of the checked-out files):

    linux-stable$ for FILE in $(find . -name '*cgroup*.[ch]'); do \
        git blame --line-porcelain "$FILE" | grep -E "^author "; done | \
        cut -d " " -f 2- | sort | uniq -c | sort -nr
       8772 Tejun Heo
        907 Paul Menage
        492 Aristeu Rozanski
        407 Aneesh Kumar K.V
        366 Aleksa Sarai
        318 Serge E. Hallyn
        288 Li Zefan
        211 Sargun Dhillon
        204 Daniel Borkmann
        192 Aditya Kali

SLIDE 35

seccomp

Default behavior – deny all system calls (libseccomp):

    ctx = seccomp_init(SCMP_ACT_KILL);

Add used, safe system calls explicitly, here read() restricted to one file descriptor:

    seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
                           SCMP_A0(SCMP_CMP_EQ, fd));

The filter only takes effect once it is loaded into the kernel with seccomp_load(ctx).

SLIDE 36

cgroups

Add a new cgroup (device controller):

    # cd /sys/fs/cgroup/devices/
    # mkdir newgroup
    # cd newgroup

Access permissions per cgroup (read/write/mknod) are defined per device. The first line denies everything, the second allows write access to the character device 1:3 (/dev/null):

    # echo a > devices.deny
    # echo 'c 1:3 w' > devices.allow

Add application to cgroup:

    # echo $$ > tasks

EPERM is returned by system calls that violate the cgroups device controller rules, as seen in strace output:

    open("/dev/urandom", O_RDWR) = -1 EPERM (Operation not permitted)