Critical system properties: survey and taxonomy

Abstract

Computer systems are increasingly employed in circumstances where their failure (or even their correct operation, if they are built to flawed requirements) can have serious consequences. There is a surprising diversity of opinion concerning the properties that such 'critical systems' should possess, and the best methods to develop them. The dependability approach grew out of the tradition of ultra-reliable and fault-tolerant systems, while the safety approach grew out of the tradition of hazard analysis and system safety engineering. Yet another tradition is found in the security community, and there are further specialized approaches in the tradition of real-time systems. This article examines the critical properties considered in each approach, and the techniques that have been developed to specify them and to ensure their satisfaction. Since systems are now being constructed that must satisfy several of these critical system properties simultaneously, there is particular interest in the extent to which techniques from one tradition support or conflict with those of another, and in whether certain critical system properties are fundamentally compatible or incompatible with each other. As a step toward improved understanding of these issues, a taxonomy is suggested, based on Perrow's analysis (Perrow, C. Normal Accidents: Living with High Risk Technologies. Basic Books, New York, 1984), that takes the complexity of component interactions and the tightness of coupling as its primary factors.
