Claims, Arguments, Evidence - next generation and CAE Blocks plugin


CAE – Next generation and Building Blocks
Presented by: Dr Kate Netkachova
ASCE User Forum
03 June 2015
Exmouth House 3–11 Pine Street London EC1R 0JH
T +44 20 7832 5850 F +44 20 7832 5853 E [email protected] W www.adelard.com
Outline
• New trends and general concept
• CAE stack of resources
• Collection of basic blocks
• Composite blocks
• Templates, fragments
• Tool support
© ADELARD LLP
2
Claims, arguments, evidence (CAE)
• “a documented body of evidence that provides a convincing and valid argument that a system is adequately safe for a given application in a given environment”
Security-informed Safety Cases
Justification of safety which specifically takes into account the impact of security.
• Security consideration
• Impact on the Case Structure
• Some observations
[Diagram: a security-informed safety case tree. Claim nodes recovered from the figure: C1 "Delivers safe service"; C01 "Deployed device delivers service OK"; C02 "Deployed service does not facilitate attacks on itself or others"; C2 "Confidentiality is maintained"; C11 "OK initially"; C12 "OK future"; C21 "Configured device OK"; C22 "Training OK"; C23 "Benign events detected and responded to"; C23 "Malicious events detected and responded to"; C31 "Purchased device OK"; C41 "Evaluated device OK"; C42 "Supply chain delivers equivalent device"; C51 "Safety properties OK"; C52 "Vulnerabilities and hazards addressed"; C53 "Design minimises deployment risks"; C61 "Specified OK"; C62 "Implemented OK"; C63 "by product"; C64 "by lifecycle"; C65 "by organisation"; C66 "Address supply, configuration, user interaction, use, storage". Argument labels: attribute split; time split; argue over deployment; consider all (benign and malicious) events; supply chain; configuration; attribute expansion ("OK": good design, behaviour); additional design basis threats addressed; enumerate deployment hazards.]
Annotations on the figure:
• Supply chain integrity.
• Malicious events post deployment.
• Design changes to address user interactions, training, configuration, vulnerabilities. Additional functional requirements that implement security controls.
• Possible exploitation of the device/service to attack itself or others.
Levels of abstraction
• L0 Policy and requirements – the highest level of abstraction where the system represents its requirements, and defines safety and security policies and their interaction;
• L1 Architectural layer – the intermediate level where the abstract system components and architecture are analysed;
• L2 Implementation layer – the detailed level where the implementation of specific components and their integration within the specific system architecture are scrutinised.
Development of the Blocks approach
Schematic of the CAE stack
Instantiating an assurance case
5 Building Blocks
• Decomposition: partition some aspect of the claim
• Substitution: refine a claim about an object into a claim about an equivalent object
• Evidence incorporation: evidence supports the claim
• Concretion: some aspect of the claim is given a more precise definition
• Calculation or proof: some value of the claim can be computed or proved
General structure of the block
CAE blocks are a series of archetypal argument fragments. They are based on the CAE normal form with further simplification and enhancements.
[Diagram, general block structure: a Claim at the top, supported by an Argument that carries a Side warrant; the Argument is supported by Subclaim 1, Subclaim 2, ..., Subclaim n. The figure also shows System information and External backing nodes.]
Decomposition block
This block is used to claim that a conclusion about the whole object, process, property or function can be deduced from the claims or facts about constituent parts.
$P_1(X_1) \wedge P_2(X_2) \wedge \dots \wedge P_n(X_n) \Rightarrow P(X)$
[Diagram, example of a single object decomposition: top claim P(X); argument "Decomposition" with side warrant $(P(X_1) \wedge P(X_2) \wedge \dots \wedge P(X_n) \Rightarrow P(X_1 + X_2 + \dots + X_n)) \wedge (X = X_1 + X_2 + \dots + X_n)$; subclaims P(X1), P(X2), ..., P(Xn).]
Examples of single decomposition
[Diagram: top claim "System hazards are mitigated"; argument "Architectural decomposition" with side warrant "System is composed of Subsystem 1, Subsystem 2 and interaction"; subclaims "Subsystem 1 hazards are mitigated", "Subsystem 2 hazards are mitigated" and "Interaction hazards are mitigated".]
Substitution block
This block is used to claim that if a property holds for one object, then it holds for an equivalent object. The nature of this ‘equivalence’ will vary with the object and property and will need to be defined.
[Diagram, two forms of the block. Object substitution: top claim P(X); argument "Substitution" with side warrant "X is equivalent to Y"; subclaim P(Y). Property substitution: top claim P(X); argument "Substitution" with side warrant "P is equivalent to Q"; subclaim Q(X).]
Examples of substitution
[Diagram. Product substitution: top claim "Product X is reliable"; argument "Object substitution" with side warrant "Product X and product Y are equivalent"; subclaim "Product Y is reliable". Generalised, product type substitution: top claim "Devices of type X are safe"; argument "Object substitution" with side warrant "All devices of type X are equivalent"; subclaim "The device analysed, being of type X, was safe".]
Evidence incorporation
This block is used to incorporate evidence elements into the case. A typical application of this block is at the edge of a case tree where a claim is shown to be directly satisfied by its supporting evidence.
[Diagram: claim P(X); argument "evidence incorporation"; evidence "Results R".]
Example of evidence incorporation
[Diagram: claim "There are 25 successful tests"; argument "evidence incorporation" with side warrant "Test report directly shows that there are 25 successful tests"; evidence "Test report".]
Concretion
This block is used when a claim needs to be given a more precise definition or interpretation. The top claim P(X, Cn, En) can be replaced with a more precise or defined claim P1(X1, Cn, En).
[Diagram: top claim P(X); argument "Concretion" with side warrant P := P1, X := X1; subclaim P1(X1).]
Example of concretion
[Diagram. Property concretion: top claim "Risks due to CCF are tolerable in the deployed system"; argument "Property concretion" with side warrant "The risks due to CCF are considered tolerable iff they are < target"; subclaim "Pfd due to CCF < target". Environment concretion: top claim "The operational environment is safe"; argument "Environment concretion" with side warrant "A locked room is a safe operating environment"; subclaim "The operational environment is a locked room".]
Calculation
This block is used to claim that the value of a property of a system can be computed from the values of related properties of other objects. Show that the value b of property P(X, b, E, C) of system X in env E and conf C can be calculated from values Q1(X1, a1, E, C), Q2(X2, a2, E, C), ..., Qn(Xn, an, E, C).
[Diagram: top claim Q(X, b); argument "Calculation" with side warrant b = F(a1, a2, ..., an); subclaims Q1(X1, a1), Q2(X2, a2), ..., Qn(Xn, an).]
Example of calculation
[Diagram: top claim "Availability of the system is a"; argument "Calculation" with side warrant a = 1 - fr * rt / 2; subclaims "Failure rate of the system is fr" and "Recovery time of the system is rt".]
‘Helping hand’ - guidance on selecting Blocks
Composite blocks
• Substitution + Decomposition
• Concretion + Decomposition
• Any basic block + Evidence incorporation
Example of a composite block and its expansion to show the underlying basic blocks
[Diagram. Composite form: top claim "The equipment is safe in service"; argument "Substitution + decomposition" with side warrant "Proper change accommodation process and infrastructure imply safe in service"; subclaims "Changes are accommodated properly" and "Change accommodation infrastructure is trusted". Expanded form: top claim "The equipment is safe in service"; argument "Substitution" with side warrant "Safe after any changes implies safe in service"; subclaim "The equipment will continue to be safe after any changes"; argument "Decomposition" with side warrant "Safe after any changes is derived from proper change accommodation process and good accommodation infrastructure employed"; subclaims "Changes are accommodated properly" and "Change accommodation infrastructure is trusted".]
Fragments/Templates
[Diagram, a test-based fragment: labels X1, C, M(X1), M(C), Oracle, Test Cases, Test Harness, True/False branches and "Alternative resolution".]
CAE normal form
• Claim nodes may only be connected to argument nodes
• Argument nodes may only be connected to claim and evidence nodes
• Each argument node may only have one outbound link to a claim node
• Each claim is to be supported by only one argument
• Argument nodes must be supported by at least one subclaim or evidence node
• Evidence nodes represent the bottom of the safety argument and are not supported
• A claim, subclaim or evidence may support more than one argument
[Diagram: example of a claim structure before and after normal form, drawn with Claim, Arg and Evidence nodes.]
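To make the normal-form rules above checkable, here is an added example (not part of the slides or of Adelard's ASCE Blocks plugin): a small Python model of a case graph and a validator that reports which rule a structure breaks. It is run over the slides' architectural-decomposition example (with a constructed evidence leaf, "Subsystem 1 hazard log") and over a claim backed by two separate arguments, which the rules reject.

```python
from dataclasses import dataclass, field

CLAIM, ARG, EVIDENCE = "claim", "argument", "evidence"

@dataclass
class Node:
    name: str
    kind: str
    supports: list = field(default_factory=list)  # outbound links: the nodes this node supports

def check_normal_form(nodes):
    """Return the CAE normal-form rule violations of a case graph (empty list = in normal form)."""
    by_name = {n.name: n for n in nodes}
    inbound = {n.name: [] for n in nodes}  # supporters of each node
    errors = []
    for n in nodes:
        for t in (by_name[x] for x in n.supports):
            inbound[t.name].append(n)
            # R1/R2: claims link only to arguments; arguments only to claims; evidence only to arguments
            allowed = {CLAIM: (ARG,), ARG: (CLAIM,), EVIDENCE: (ARG,)}[n.kind]
            if t.kind not in allowed:
                errors.append(f"R1/R2: {n.kind} '{n.name}' linked to {t.kind} '{t.name}'")
        if n.kind == ARG and len(n.supports) > 1:  # R3: one outbound claim link per argument
            errors.append(f"R3: argument '{n.name}' supports {len(n.supports)} claims")
    for n in nodes:
        sup = inbound[n.name]
        if n.kind == CLAIM and len(sup) > 1:  # R4: one argument per claim
            errors.append(f"R4: claim '{n.name}' supported by {len(sup)} arguments")
        if n.kind == ARG and not sup:  # R5: an argument needs at least one subclaim or evidence
            errors.append(f"R5: argument '{n.name}' has no support")
        if n.kind == EVIDENCE and sup:  # R6: evidence is the bottom of the tree
            errors.append(f"R6: evidence '{n.name}' must not be supported")
    return errors  # R7 (a node may support several arguments) is permissive and needs no check

def decomposition_case():
    """The slides' architectural-decomposition example, with a constructed evidence leaf."""
    top, arg = "System hazards are mitigated", "Architectural decomposition"
    return [Node(top, CLAIM), Node(arg, ARG, [top]),
            Node("Subsystem 1 hazards are mitigated", CLAIM, [arg]),
            Node("Subsystem 2 hazards are mitigated", CLAIM, [arg]),
            Node("Interaction hazards are mitigated", CLAIM, [arg]),
            Node("Evidence incorporation", ARG, ["Subsystem 1 hazards are mitigated"]),
            Node("Subsystem 1 hazard log", EVIDENCE, ["Evidence incorporation"])]

def before_normal_form():
    """Constructed case: Claim C backed by two separate arguments, which rule R4 rejects."""
    return [Node("Claim C", CLAIM), Node("Arg 1", ARG, ["Claim C"]), Node("Arg 2", ARG, ["Claim C"]),
            Node("Evidence 1", EVIDENCE, ["Arg 1"]), Node("Evidence 2", EVIDENCE, ["Arg 2"])]
```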
Positive outcome
1. Standardised way of creating cases
2. Simple patterns, easy to use
3. Structured vs narrative argument
4. Explicit backing for the argument/side-warrant
5. Explicit links to system models, etc.
6. Prototype tool support
Tool Support – Enable the Blocks plugin
Tool Support – Use the Blocks schema
Tool support – Add/Edit Block
Tool support – use the plugin