software lopa
play

Software LOPA Approach to Performing a Layers of Protection Analysis - PowerPoint PPT Presentation

Nov 20, 2023 •166 likes •537 views

Software LOPA Approach to Performing a Layers of Protection Analysis for Complex Software OpenTech Andreas Platschek < andreas.platschek@opentech.at > May 23, 2017 Andreas Platschek (OpenTech) c May 23, 2017 1 / 31 Andreas

  1. Software LOPA Approach to Performing a Layers of Protection Analysis for Complex Software OpenTech Andreas Platschek < andreas.platschek@opentech.at > May 23, 2017 � Andreas Platschek (OpenTech) c May 23, 2017 1 / 31

  2. � Andreas Platschek (OpenTech) c May 23, 2017 2 / 31

  3. ”Yet further concerns relate to whether a consequence can be so severe that the frequency of the hazardous situation should not be taken into account, thus negating the concept fo ’risk’ in selecting the appropriate set of implementation techniques. In order to address this concern IEC 61511 formalised the concept of ’layers of protection’ requiring diversity between the different layers.” Audrey Canning , in: Functional Safety: Where have we come from? Where are we going? � Andreas Platschek (OpenTech) c May 23, 2017 3 / 31

  4. LOPA Principle IE1 Identi ed IE5 Hazard IE2 IE4 IE3 IE1-IE5 . . . I nitiating E vents IPL1-IPL4 . . . I ndependent L ayers of P rotection � Andreas Platschek (OpenTech) c May 23, 2017 4 / 31

  5. LOPA Principle IPL1 IPL2 IPL3 IE1 IPL4 Identi ed IE5 Hazard IE2 IE4 IE3 IE1-IE5 . . . I nitiating E vents IPL1-IPL4 . . . I ndependent L ayers of P rotection � Andreas Platschek (OpenTech) c May 23, 2017 5 / 31

  6. LOPA Principle IPL1 IPL2 IPL3 IE1 IPL4 Identi ed IE5 Hazard IE2 IE4 IE3 IE1-IE5 . . . I nitiating E vents IPL1-IPL4 . . . I ndependent L ayers of P rotection � Andreas Platschek (OpenTech) c May 23, 2017 6 / 31

  7. LOPA Basics Properties Independence Effectiveness Auditability � Andreas Platschek (OpenTech) c May 23, 2017 7 / 31

  8. Auditability Open-Source Rules! � Andreas Platschek (OpenTech) c May 23, 2017 8 / 31

  9. Auditability Open-Source Rules! If a Software LOPA is doable at all, then open-source software is definitely the prime suspect. � Andreas Platschek (OpenTech) c May 23, 2017 8 / 31

  10. Effectiveness Do the IPLs actually mitigate against the hazard? � Andreas Platschek (OpenTech) c May 23, 2017 9 / 31

  11. Independence Multiple layers only make sense if they fail independently! � Andreas Platschek (OpenTech) c May 23, 2017 10 / 31

  12. Independence Multiple layers only make sense if they fail independently! BUT “Independence is an important concept, although absolute independence is generally not achievable. ... However, IPLs should be sufficiently independent such that the degree of interdependence is not statistically significant.“ [1 , Section 3 . 2] � Andreas Platschek (OpenTech) c May 23, 2017 10 / 31

  13. Prospective SW IPLs (SIL2LinuxMP Context) seccomp cgroups CPU-shielding Namespaces PALLOC . . . Code Review (assure restricted use of syscalls) Static Code Analysis (coccinelle) Error Handling to detect faults � Andreas Platschek (OpenTech) c May 23, 2017 11 / 31

  14. Hardened NooM Container SIL2LinuxMP base system SIL 2 SIL 2 Safety app. Safety app. Monitoring 32bit FP 64bit INT SIL 0 busybox glibc 32bit glibc 64bit Debian Container seccomp seccomp glibc CPU 1 CPU 0 CPU 2 CPU 3 RAMbank n+1..m RAMbank m+1..i RAMbank i+1..j RAMbank 0..n At present this is the strongest multi-layer approach we are looking � Andreas Platschek (OpenTech) c May 23, 2017 12 / 31

  15. Independence of Layers How to perform LOPA and show INDEPENDECE of those different protection layers? � Andreas Platschek (OpenTech) c May 23, 2017 13 / 31

  16. Independence of Layers How to perform LOPA and show INDEPENDECE of those different protection layers? Static code analysis Development data � Andreas Platschek (OpenTech) c May 23, 2017 13 / 31

  17. Static Code Analysis Analyze functions called by subsystems (callgraphs) Find and analyze overlaps in callgraphs � Andreas Platschek (OpenTech) c May 23, 2017 14 / 31

  18. Intersection of Configurations Basecon ✁ g+Seccomp (SEC) Basecon ✁ g (BASE) � Andreas Platschek (OpenTech) c May 23, 2017 15 / 31

  19. Intersection outside of Baseconfig Basecon ✁ g+Seccomp (SEC) Basecon ✁ g (BASE) (SEC ✂ CGR) \ BASE = Ȃ Basecon ✁ g+CGROUPS (CGR) � Andreas Platschek (OpenTech) c May 23, 2017 16 / 31

  20. Intersection in Baseconfig Basecon ✁ g � Andreas Platschek (OpenTech) c May 23, 2017 17 / 31

  21. Analysis of Subsystems funcs_base_both RCU f3 new_funcs_base_both atomic � Andreas Platschek (OpenTech) c May 23, 2017 18 / 31

  22. Preliminary Results Set Nr. Functions baseconfig 20829 baseconfig+seccomp 21401 seccomp 572 baseconfig+cgroups 21120 cgoups 679 both not in baseconfig 0 funcs base 13792 funcs base seccomp 7131 funcs base cgroups 7391 funcs base both 6665 rcu funcs 6511 atomic funcs 294 new funcs base both 185 � Andreas Platschek (OpenTech) c May 23, 2017 19 / 31

  23. Developers Overlap seccomp cgroups Author cur hist cur hist Kees Cook 2740 26 4 2 Arnaldo Carvalho de Melo 50 2 18 6 Linus Torvalds 44 15 1 139 Daniel Borkmann 61 5 201 6 Paul Mundt 10 1 1 1 Al Viro X 1 X 10 Andrew Morton X 1 X 2 Fabian Frederick X 1 X 2 James Morris X 2 X 6 Stephen Rothwell X 2 X 2 David Howells X 3 X 5 cur . . . Number of lines in v4.9.18 . hist . . . Number of commits in all versions. � Andreas Platschek (OpenTech) c May 23, 2017 20 / 31

  24. Analysis of Effectiveness Similar to traditional LOPA . . . Identify all IEs (Hazard Analysis) Identify suitable IPLs for each identified IE Choose IPLs that are used � Andreas Platschek (OpenTech) c May 23, 2017 21 / 31

  25. Example Scenario: An application uses 2 devices, one is only written to, the second one is only read from. � Andreas Platschek (OpenTech) c May 23, 2017 22 / 31

  26. Example Scenario: An application uses 2 devices, one is only written to, the second one is only read from. IE: Writing to the read-only device leads to a hazardous situation. � Andreas Platschek (OpenTech) c May 23, 2017 22 / 31

  27. Example Scenario: An application uses 2 devices, one is only written to, the second one is only read from. IE: Writing to the read-only device leads to a hazardous situation. Error handling. Source-code review/audit. cgroups device controller rules prevent wrong access to devices. seccomp rules check if system calls to wrong usage are performed. � Andreas Platschek (OpenTech) c May 23, 2017 22 / 31

  28. Evidence Let’s check it out! � Andreas Platschek (OpenTech) c May 23, 2017 23 / 31

  29. Literature [0] IEC 61511: Functional safety – Safety instrumented systems for the process industry sector [1] Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis, Center for Chemical Process Safety [2] Safety Integrity Level Selection – Systematic Methods Including Layer of Protection Analysis, Ed Marszal and Eric Scharpf [3] Lines of Defence/Layers of Protection Analysis in the COMAH Context, Prepared by Amey VECTRA Limited for the Health and Safety Executive , http://www.hse.gov.uk/research/misc/vectra300-2017-r02.pdf [4] Functional Safety: Where have we come from? Where are we going? Audrey Canning � Andreas Platschek (OpenTech) c May 23, 2017 24 / 31

  30. Questions? Ask now, or e-mail me later! Andreas Platschek < andreas.platschek@opentech.at > � Andreas Platschek (OpenTech) c May 23, 2017 25 / 31

  31. Seccomp Developers Lines in current version linux-stable$ find . -name *seccomp*\.[ch] | \ xargs git log --no-merges --format="%an" | sort | \ uniq -c | sort -nr 27 Kees Cook 7 Will Drewry 7 Andy Lutomirski 7 Alexei Starovoitov 5 Daniel Borkmann 4 Micka¨ el Sala¨ un 4 Matt Redfearn 3 Ralf Baechle 3 David Howells 3 Andrea Arcangeli � Andreas Platschek (OpenTech) c May 23, 2017 26 / 31

  32. cgroup developers Lines in current version linux-stable$ find . -name *cgroup*\.[ch] | \ xargs git log --no-merges --format="%an" | sort | \ uniq -c | sort -nr 641 Tejun Heo 137 Li Zefan 42 Paul Menage 29 Vivek Goyal 22 Al Viro 18 Aristeu Rozanski 15 Ben Blum 13 Lai Jiangshan 12 Daniel Wagner 11 Johannes Weiner � Andreas Platschek (OpenTech) c May 23, 2017 27 / 31

  33. seccomp developers commits over all versions linux-stable$ for FILE in $(find . -name *seccomp*\.[ch]); do \ git blame --line-porcelain $FILE | egrep "^author "; done | \ cut -d " " -f 2- | sort | uniq -c | sort -nr 2740 Kees Cook 241 Will Drewry 100 Andy Lutomirski 89 Tycho Andersen 69 Matt Redfearn 61 Daniel Borkmann 55 AKASHI Takahiro 50 Arnaldo Carvalho de Melo 48 David Howells 44 Linus Torvalds � Andreas Platschek (OpenTech) c May 23, 2017 28 / 31

  34. cgroups developers commits over all versions linux-stable$ for FILE in $(find . -name *cgroup*\.[ch]); do \ git blame --line-porcelain $FILE | egrep "^author "; done | \ cut -d " " -f 2- | sort | uniq -c | sort -nr 8772 Tejun Heo 907 Paul Menage 492 Aristeu Rozanski 407 Aneesh Kumar K.V 366 Aleksa Sarai 318 Serge E. Hallyn 288 Li Zefan 211 Sargun Dhillon 204 Daniel Borkmann 192 Aditya Kali � Andreas Platschek (OpenTech) c May 23, 2017 29 / 31

  35. seccomp Default behavior – deny all system calls: ctx = seccomp init(SCMP ACT KILL); Add used, safe system calls explicitly: seccomp rule add exact(ctx, SCMP ACT ALLOW, SCMP SYS(read), 1, SCMP A0(SCMP CMP EQ, fd)); � Andreas Platschek (OpenTech) c May 23, 2017 30 / 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Basis of SIL Determination &amp; Introduction to Layers of Protection Analysis (LOPA) Fayyaz

Basis of SIL Determination &amp; Introduction to Layers of Protection Analysis (LOPA) Fayyaz

Basis of SIL Determination &amp; Introduction to Layers of Protection Analysis (LOPA) Fayyaz Moazzam, CFSE Principal Consultant PetroRisk Middle East, Abu Dhabi, United Arab Emirates Email: info@petrorisk.com What is LOPA? Evaluate

507 views • 38 slides
Preparing Preparing for a for a Succe Successful ssful HAZOP/LO HAZOP/LOPA PA (Making or

Preparing Preparing for a for a Succe Successful ssful HAZOP/LO HAZOP/LOPA PA (Making or

Preparing Preparing for a for a Succe Successful ssful HAZOP/LO HAZOP/LOPA PA (Making or Breaking Quality &amp; Efficiency) (GCPS-2018 Paper 513595) Steven T. Maher, PE CSP / Carine M. Black / John M. Johnson Risk Management

397 views • 29 slides
Basic Introduction to SIL Assessment using Layers of Protection Analysis (LOPA) Fayyaz Moazzam

Basic Introduction to SIL Assessment using Layers of Protection Analysis (LOPA) Fayyaz Moazzam

Basic Introduction to SIL Assessment using Layers of Protection Analysis (LOPA) Fayyaz Moazzam Principal Consultant PetroRisk Middle East, Abu Dhabi, United Arab Emirates T. + 97126778792 M. +971561273688 F. +97126778795

1.23k views • 64 slides
Using HAZOP/LOPA Early and Throughout the Design Cycle to Accomplish Multiple Design Objectives

Using HAZOP/LOPA Early and Throughout the Design Cycle to Accomplish Multiple Design Objectives

Using HAZOP/LOPA Early and Throughout the Design Cycle to Accomplish Multiple Design Objectives and Reduce Project Costs (GCPS-2019 Paper 548409) Steven T. Maher, PE CSP Risk Management Professionals www.RMPCorp.com

500 views • 12 slides
HAZOP/LOPA Sessions &amp; Documentation (GCPS-2019 Paper 548413) Steven T. Maher &amp; Morgan

HAZOP/LOPA Sessions &amp; Documentation (GCPS-2019 Paper 548413) Steven T. Maher &amp; Morgan

Avoiding Quality Pitfalls for HAZOP/LOPA Sessions &amp; Documentation (GCPS-2019 Paper 548413) Steven T. Maher &amp; Morgan T. McVey Risk Management Professionals www.RMPCorp.com Presentation/Handout

361 views • 20 slides
CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and

CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and

CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and Design 8 January 2019 OSU CSE 1 Restated Learning Outcomes Theme 1: software engineering concepts Be familiar with sound software engineering

535 views • 17 slides
Presentation Software Presentation Software Presentation Software Presentation Software An

Presentation Software Presentation Software Presentation Software Presentation Software An

Presentation Software Presentation Software Presentation Software Presentation Software An introduction to creating electronic presentations using Microsoft PowerPoint 2010 ABT COLLABORATIVE BCCAMPUS Except for third party materials and

1.7k views • 94 slides
ARM Software Suite Powered by GDM Why use ARM Software? ARM is the software solution to plan,

ARM Software Suite Powered by GDM Why use ARM Software? ARM is the software solution to plan,

ARM Software Suite Powered by GDM Why use ARM Software? ARM is the software solution to plan, create, manage, analyze and report agricultural experiments 2 ARM Software Overview Why use ARM Software? ARM provides: Resulting benefits

542 views • 9 slides
KAI Software YOUR IDEA.OUR SOFTWARE. Overview KAI SOFTWARE INC was founded in 1994 and today we

KAI Software YOUR IDEA.OUR SOFTWARE. Overview KAI SOFTWARE INC was founded in 1994 and today we

KAI Software YOUR IDEA.OUR SOFTWARE. Overview KAI SOFTWARE INC was founded in 1994 and today we create new software development solutions for projects with sizable data requirements. Having a background in mining industry, KAI Software have

267 views • 26 slides
CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and

CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and

CSE 2221 Software I: Software Components and CSE 2231 Software II: Software Development and Design 7 January 2020 OSU CSE 1 Welcome to CSE 2231! Class attendance is required . You will be allowed 4 lecture absences and 4 lab

863 views • 7 slides
Introducing Software Software Applications A.Y. 2020/2021 What is software? What is software?

Introducing Software Software Applications A.Y. 2020/2021 What is software? What is software?

Introducing Software Software Applications A.Y. 2020/2021 What is software? What is software? - Nave answer: anything that is not hardware - A collection of data or computer instructions that tell the computer how to work, in contrast to

1.72k views • 32 slides
B U Y I N G Q U A L .. I T Y SOFTWARE by HENRY OLDERS presented at SOFTWARE '77 -~ B U Y I

B U Y I N G Q U A L .. I T Y SOFTWARE by HENRY OLDERS presented at SOFTWARE '77 -~ B U Y I

B U Y I N G Q U A L .. I T Y SOFTWARE by HENRY OLDERS presented at SOFTWARE '77 -~ B U Y I N G QUALITY SOFTWARE The author describes his experiences in purchasing applications software for real time process control systems.

641 views • 4 slides
Software Engineering Topics Computer science v. software engineering Definition of

Software Engineering Topics Computer science v. software engineering Definition of

Software Engineering Topics Computer science v. software engineering Definition of software engineering Types of software The nature of software Software history and the software crisis Software quality Elements of

818 views • 67 slides
ClickPoint Software Lead Management Software ClickPoint Software Confidential ClickPoint

ClickPoint Software Lead Management Software ClickPoint Software Confidential ClickPoint

ClickPoint Software Lead Management Software ClickPoint Software Confidential ClickPoint Software was created because there was no software that was easy to implement for managing and distributing leads and phone calls. The process was

225 views • 11 slides
Software NFs The good: The fmexibility of software The software development cycle The bad: The

Software NFs The good: The fmexibility of software The software development cycle The bad: The

Automated Synthesis of Adversarial Workloads for Network Functions Luis Pedrosa, Rishabh Iyer, Arseniy Zaostrovnykh, Jonas Fietz, Katerina Argyraki N etwork A rchitecture L aboratory Software NFs The good: The fmexibility of software The

710 views • 54 slides
How Software Projects Fail Software Failures Software appears, by its nature, to be difficult to

How Software Projects Fail Software Failures Software appears, by its nature, to be difficult to

How Software Projects Fail Software Failures Software appears, by its nature, to be difficult to engineer on a large scale. Nevertheless, there is an insatiable demand for sizeable, well-engineered software. Dr. James A. Bednar We continue to

69 views • 6 slides
United States Government: How You Can Help Kirstie M. Pottmeyer April 28, 2015 The Issue: A

United States Government: How You Can Help Kirstie M. Pottmeyer April 28, 2015 The Issue: A

The Financial Report of the United States Government: How You Can Help Kirstie M. Pottmeyer April 28, 2015 The Issue: A Disclaimer of Opinion Since 1997, the Bureau of the Fiscal Service has compiled agency financial data to prepare the

284 views • 12 slides
CSSE 220 More interfaces More recursion More fun? Check out RecursiveHelperFunctions and

CSSE 220 More interfaces More recursion More fun? Check out RecursiveHelperFunctions and

CSSE 220 More interfaces More recursion More fun? Check out RecursiveHelperFunctions and BettingInterfaces from SVN Exercise time Solve the sumArray function recursively I ts in the RecursiveHelperFunctions project You can work

237 views • 9 slides
The potential in Drupal 8.x and how to realize it Angela Byron, Gbor Hojtsy 1. Drupal 8: The

The potential in Drupal 8.x and how to realize it Angela Byron, Gbor Hojtsy 1. Drupal 8: The

The potential in Drupal 8.x and how to realize it Angela Byron, Gbor Hojtsy 1. Drupal 8: The dawn of new possibilities Making big changes in 8.x: It's possible! Intro to semantic versioning We are here Incentive to contribute

525 views • 30 slides
Course Evaluations 1. More examples This was the top request 2. Visuals/diagrams 3. Extra

Course Evaluations 1. More examples This was the top request 2. Visuals/diagrams 3. Extra

Course Evaluations 1. More examples This was the top request 2. Visuals/diagrams 3. Extra resources Problem sets Content from the the web Course Evaluations 4. Too fast topics seem to get left behind pretty fast topics build

433 views • 21 slides
Real-time Operating Systems VO Embedded Systems Engineering Armin Wasicek 11.12.2012 Overview

Real-time Operating Systems VO Embedded Systems Engineering Armin Wasicek 11.12.2012 Overview

Real-time Operating Systems VO Embedded Systems Engineering Armin Wasicek 11.12.2012 Overview Introduction OS and RTOS RTOS taxonomy and architecture Application areas Mixed-criticality systems Examples: UAV, Synthetic

1.01k views • 52 slides
Making Model-Driven Verification Practical and Scalable: Experiences and Lessons Learned Lionel

Making Model-Driven Verification Practical and Scalable: Experiences and Lessons Learned Lionel

Making Model-Driven Verification Practical and Scalable: Experiences and Lessons Learned Lionel Briand IEEE Fellow, FNR PEARL Chair Interdisciplinary Centre for ICT Security, Reliability, and Trust (SnT) University of Luxembourg, Luxembourg

717 views • 59 slides
1. What are the two principal kinds of plants, the way of modelling them and of controlling them?

1. What are the two principal kinds of plants, the way of modelling them and of controlling them?

EPFL, LAMS Course Industrial Automation Dr. Yvonne-Anne Pignolet yvonneanne.pignolet@epfl.ch Dr. Jean-Charles Tournier jeancharles.tournier@epfl.ch Exam 2019 Conditions The exam comprises the course as it is downloadable as power point

198 views • 5 slides
Part 2: Audio-Visual HRI: Methodology and Applications in Assistive Robotics Petros Maragos and

Part 2: Audio-Visual HRI: Methodology and Applications in Assistive Robotics Petros Maragos and

Computer Vision, Speech Communication &amp; Signal Processing Group, Intelligent Robotics and Automation Laboratory National Technical University of Athens, Greece (NTUA) Robot Perception and Interaction Unit, Athena Research and Innovation

747 views • 59 slides

More recommend