CN113051581A - Highly-integrated complex software security analysis method - Google Patents


Info

Publication number: CN113051581A
Authority: CN (China)
Legal status: Pending
Application number: CN202110448125.0A
Other languages: Chinese (zh)
Inventors: 牟明, 刘灿, 陆敏敏, 于沛, 王闯, 杨爱民
Current assignee: Avic Airborne System General Technology Co Ltd
Original assignee: Avic Airborne System General Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/36 Preventing errors by testing or debugging software
    • G06F 11/3604 Software analysis for verifying properties of programs


Abstract

The invention discloses a highly integrated complex software security analysis method, which comprises the following steps: 1) the methods in the civil airworthiness standards ARP4754A and ARP4761 are adopted to carry out system security analysis and identify the security requirements of the system; 2) the system security requirements are distributed to the software, and the software security requirements are determined; 3) security analysis is performed on the internal elements of the software from the code level; 4) software integration and verification are performed using the methods in DO-178C. The invention belongs to the technical field of software security, and particularly provides a highly integrated complex software security analysis method which analyzes system security by adopting the civil aviation standards ARP4754A and ARP4761 to obtain the security requirements of the system; treats the software itself as a system when carrying out safety analysis of its internal elements; and guarantees the implementation of the software security requirements with a rigorous development process based on the DO-178C standard.

Description

Highly-integrated complex software security analysis method
Technical Field
The invention belongs to the technical field of software security, and particularly relates to a highly-integrated complex software security analysis method.
Background
Software is an important component of all kinds of equipment systems; combined with the system hardware it completes various calculation, processing and control tasks, so it plays a vital role in fully exploiting the performance of the hardware and in ensuring the function, safety and reliability of the equipment. With the rapid advance of the informatization and modernization of equipment, the application range, scale, degree of integration and safety requirements of the software in that equipment have changed greatly, and the software is gradually becoming highly integrated complex software. "Highly integrated" means that the software completes or provides multiple functions; "complex" means that the scale of the software exceeds a certain magnitude, so that its functions and security attributes cannot be proven by software testing alone.
Software security is the property a software product should have of not causing casualties, system damage or significant property loss, and of not endangering personnel health or the environment. As a component of an equipment system, software cannot by itself directly endanger life, property or the environment, but a software failure can cause mis-operation in the human-computer interaction that the software implements and thereby create a hazard, and in an embedded system without a human-computer interface, catastrophic consequences can follow when the software controls the system incorrectly.
At present, security analysis methods for highly integrated complex software fall mainly into two categories: methods based on the software itself and methods based on the system. The typical idea of analysis based on the software itself is that software engineering methods must be adopted to ensure the software is developed strictly according to those methods, and techniques such as software fault tolerance and fault tree analysis are usually applied to reduce the probability of software failure. However, the security problem cannot be completely solved by starting from the software alone: even if the software does not fail, it may damage the equipment by sending an improper instruction to the system. A software security problem, which involves complex factors such as the software, the system in which it resides, the users, the external environment and time, occurs because the software triggers a system vulnerability, i.e. a system requirement or design defect, that moves the system into an unsafe state. Software security therefore cannot be separated from the system and must be analyzed from the higher system level.
The system-based safety analysis method locates system vulnerabilities by technical means such as fault trees, functional hazard analysis and Markov analysis, so as to resolve the safety problems caused by single-point faults and predictable combinations of faults. However, the degree of integration of highly integrated complex software and the interactions between system components are too complex, so that system vulnerabilities are difficult to locate and predict completely. If the security analysis is performed only at the system level, repeated iteration of the system results and the development cost of both the software and the system rises greatly. At the same time, the independence of the software and the interactions between its internal elements are ignored, so the analysis is insufficient.
Disclosure of Invention
In order to solve the existing problems, the invention provides a highly integrated complex software security analysis method which adopts the civil aviation standards ARP4754A and ARP4761 to analyze system security and obtain the security requirements of the system; distributes the system security requirements to the software and designs a framework to analyze the software layer by layer down to the code level; treats the software itself as a system when carrying out safety analysis of its internal elements; and guarantees the implementation of the software security requirements with a rigorous development process based on the DO-178C standard.
The technical scheme adopted by the invention is as follows: a highly integrated complex software security analysis method comprises the following steps:
1) the method in civil airworthiness standards ARP4754A and ARP4761 is adopted to carry out system security analysis and identify the security requirement of the system;
2) distributing system security requirements to software, and determining software security requirements;
3) performing security analysis on internal elements of the software from a code level;
4) software integration and verification are performed by adopting a method in DO-178C: software integration and verification are carried out based on the DO-178C standard, the coordination among software codes and between the software codes and hardware is checked, whether the software is correct or not is verified, the safety design is realized, and the safety requirement of the software is met.
Further, the step 1) specifically comprises the following steps:
1.1) combining the system theory integrity principle, and from the system perspective, distributing the security function to each element through the overall analysis of the system security;
1.2) identifying system hazards: civil aircraft are typical highly integrated complex systems with extremely high safety requirements, so the system is examined by referring to the methods in the civil aircraft airworthiness standards ARP4754A and ARP4761 to identify the hazards existing in the system;
1.3) after the danger existing in the system is identified, further identifying system safety related requirements and system safety constraints of a system level for preventing the danger, wherein the system safety constraints are the same as general functional requirements and only require the system to carry out certain special control, so as to avoid entering a dangerous state;
1.4) after the system safety related requirements and system safety constraints are identified, designing a control structure that exercises preliminary control over the system according to them; the control structure design should meet the system safety requirements and is analyzed continuously as the design is refined so that the control structure is improved; when the control structure is defined, the safety control interface of the software must be defined separately, ensuring that a set of safety mechanisms exists in the software so that system safety cannot be affected when the software fails;
1.5) identifying potential abnormal control behaviors: a control actuator can generally exhibit four types of control anomaly, namely failure to provide an expected control behavior, incorrect or unsafe control behavior, control behavior that starts too late, and control behavior that ends too early; the corresponding abnormal control behaviors are identified for each control actuator, and the interface control of main concern between systems, and between systems and software, is identified from them;
1.6) finding the causes of the abnormal control behaviors from the control structure; the causes are divided into two types, control defects and inadequate control behavior: a control defect means that the abnormal control behavior is caused by an error in the control algorithm, an error in the control process or insufficient coordination among actuators, and is identified by examining the process control loop; inadequate control behavior means that the abnormal control behavior is caused by a defective or erroneous sensor, or by erroneous data of the actuator itself, while the process model is correct;
1.7) identifying the constraint conditions and design decisions that eliminate the abnormal control behaviors according to the analysis of step 1.5), further perfecting the safety requirements of the system, defining a new control structure and analyzing again.
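As an added worked example (not part of the patent), the following script applies the four abnormal control behavior types of step 1.5) and the two cause categories of step 1.6) to a constructed, hypothetical control loop: an actuator that must ENGAGE within an assumed latency budget whenever a hazardous state truly arises and hold for an assumed minimum time, driven by a sensor that may misreport the state. The timing limits, episode data and actuator name are all assumptions.

```python
"""Classify a control actuator's abnormal control behaviour into the four
types of step 1.5) and attribute each to the cause categories of step 1.6).

Constructed, hypothetical scenario: a controller must command the actuator
to ENGAGE within MAX_START_LATENCY_MS of a hazardous state truly arising and
must hold it for at least MIN_HOLD_MS. The controller's process model is fed
by a sensor that may misreport the state.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Anomaly(Enum):
    NOT_PROVIDED = "expected control behaviour not provided"
    UNSAFE = "incorrect or unsafe control behaviour provided"
    TOO_LATE = "control behaviour started too late"
    ENDED_TOO_EARLY = "control behaviour ended too early"


class Cause(Enum):
    # Step 1.6: the process model was fed correct data, so the control
    # algorithm / control process itself is at fault.
    CONTROL_DEFECT = "control defect"
    # Step 1.6: the process model was correct but fed wrong sensor/actuator data.
    INADEQUATE_CONTROL = "inadequate control behaviour"


@dataclass(frozen=True)
class Episode:
    """One observed episode of the control loop (constructed test data)."""
    name: str
    hazard_start_ms: Optional[int]   # when the hazardous state truly began (None: never)
    hazard_end_ms: Optional[int]     # when it truly cleared
    sensor_saw_hazard: bool          # what the controller's process model was told
    engage_ms: Optional[int]         # observed ENGAGE command (None: never issued)
    release_ms: Optional[int]        # observed RELEASE command (None: still engaged)


MAX_START_LATENCY_MS = 200   # assumed system safety constraint
MIN_HOLD_MS = 500            # assumed system safety constraint


def attribute_cause(ep: Episode) -> Cause:
    """If the sensor misreported the true state, the controller acted on bad
    data (inadequate control behaviour); otherwise the defect lies in the
    control algorithm or process."""
    hazard_present = ep.hazard_start_ms is not None
    if ep.sensor_saw_hazard != hazard_present:
        return Cause.INADEQUATE_CONTROL
    return Cause.CONTROL_DEFECT


def classify(ep: Episode) -> List[Tuple[Anomaly, Cause]]:
    """Return every abnormal control behaviour found in one episode."""
    found: List[Anomaly] = []
    hazard_present = ep.hazard_start_ms is not None

    if not hazard_present:
        # Engaging the actuator with no hazard present is an unsafe action.
        if ep.engage_ms is not None:
            found.append(Anomaly.UNSAFE)
    elif ep.engage_ms is None:
        found.append(Anomaly.NOT_PROVIDED)
    else:
        if ep.engage_ms - ep.hazard_start_ms > MAX_START_LATENCY_MS:
            found.append(Anomaly.TOO_LATE)
        if ep.release_ms is not None:
            held_ms = ep.release_ms - ep.engage_ms
            still_hazardous = ep.hazard_end_ms is None or ep.release_ms < ep.hazard_end_ms
            if held_ms < MIN_HOLD_MS and still_hazardous:
                found.append(Anomaly.ENDED_TOO_EARLY)

    cause = attribute_cause(ep)
    return [(a, cause) for a in found]


def analyze(episodes: List[Episode]) -> Dict[str, List[Tuple[str, str]]]:
    """Map episode name -> [(anomaly name, cause name), ...]; empty means nominal."""
    return {ep.name: [(a.name, c.name) for a, c in classify(ep)] for ep in episodes}


# Constructed episodes exercising the nominal case and all four anomaly types.
EPISODES = [
    Episode("nominal",           1000, 2000, True,  1100, 2000),
    Episode("sensor_stuck",      1000, 2000, False, None, None),   # hazard never seen
    Episode("slow_control_loop", 1000, 2000, True,  1400, 2100),   # 400 ms latency
    Episode("spurious_engage",   None, None, True,  500,  1200),   # sensor false alarm
    Episode("premature_release", 1000, 2000, True,  1050, 1300),   # held only 250 ms
]

if __name__ == "__main__":
    for name, findings in analyze(EPISODES).items():
        print(f"{name:18s} {findings or 'nominal'}")
```

Each finding pairs one of the four anomaly types with the cause category that step 1.7) would then turn into a constraint or design decision for the next control structure iteration.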
Further, the step 2) specifically comprises the following steps:
2.1) grading the software according to the influence degree of software failure on the system safety, and determining the target required to be met in the development process of the software with different levels based on the DO-178C standard;
2.2) decomposing the identified system safety requirement, searching a safety function related to the software as the input of the software life cycle process, and further distributing the system safety requirement to the software;
2.3) further refining the system safety requirements distributed to the software, analyzing the software failure mode possibly causing system risks, the reasons for failure and the influence caused by failure, and providing corresponding improvement measures to form the software safety layer requirements;
2.4) forming the software-level architecture according to the software safety high-level requirements, analyzing the causes of failure modes layer by layer according to the different types of software failure modes, and providing corresponding improvement measures down to the software code level.
Further, the step 3) specifically comprises the following steps:
3.1) proceeding from the hierarchy principle of systems theory, ensuring the independence of the software elements, regarding the software as a system in order to analyze the safety problems of the software itself, considering the abrupt changes (mutations) caused by the interactions between the internal elements of the software from the standpoint of the stability and mutation principles of systems theory, and further analyzing the safety of the internal elements of the software at the code level;
3.2) analyzing the running mode and the running state and condition, searching whether conditions and potential failure risks which can cause unsafe states exist in the whole software requirement, such as conditions of out-of-order, wrong events, improper magnitude, improper polarity, unintentional commands, errors caused by environmental interference, command failure modes and the like, coping with all the unsafe state conditions and potential failure risks, and making appropriate response requirements;
3.3) fault-tolerant and failure-tolerant analysis, wherein a fault-tolerant system is used for processing most possible faults and faults which have low probability of occurrence but are dangerous, a failure-tolerant system is used for processing higher-level errors which can cause system failure, the failure tolerance requirement of software is determined according to the safety level of the software, and a redundancy strategy, conversion logic, a fault detection mechanism, an isolation mechanism and a recovery mechanism are formulated;
3.4) dangerous command processing analysis: identifying the dangerous commands that can cause serious or catastrophic hazards or a reduction in control capability, and handling them, including the hardware or software functions that receive, transmit or initiate critical signals or dangerous commands;
3.5) interface analysis, analyzing the error mode and error probability of the interface, and determining a communication method, a data coding method, an error checking method, a synchronization method and a check and error correction code method based on the error mode and error probability of the interface, and ensuring the consistency and integrity of communication protocols of both communication parties when the communication interface data is defined;
3.6) data analysis, defining various data used by software, including defining logic structures of static data, dynamic input and output data and internal generation data, listing a data list and explaining the constraint on the data; specifying data acquisition requirements, specifying characteristics, requirements and ranges of the acquired data; establishing a data dictionary to explain the source, processing and destination of data;
3.7) timing, throughput and software scale analysis, considering system resources and time constraint conditions for safety key functions, analyzing software requirements related to execution time, I/O data rate and memory/storage allocation, such as critical time, automatic safety protection time, sampling rate, memory resources and the like, and designing corresponding margins;
3.8) analyzing and designing the software code levels layer by layer to form the low-level software safety requirements, then writing the code according to the low-level requirements, and feeding back insufficient or incorrect inputs found during coding to the relevant software process for clarification or correction.
Further, the key internal elements of the safety analysis in step 3.1) include operation mode and operation state and condition, fault tolerance and failure tolerance, dangerous command processing, interface, data, timing, throughput and software scale.
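As an added worked example (not part of the patent), the following receiver puts the interface analysis of step 3.5) and the data dictionary of step 3.6) into code and labels each rejected frame with one of the unsafe conditions listed in step 3.2) (out-of-order, wrong event, improper magnitude, improper polarity, unintentional command, interference-induced error). The frame format, command ids, operating modes and limits are constructed assumptions, not values from the patent.

```python
"""Interface receiver that enforces data-dictionary constraints and CRC
error checking on incoming command frames, reporting each rejection under
the unsafe-condition categories of step 3.2).

Constructed, hypothetical frame format (big-endian):
  msg_id (1 byte) | seq (1 byte) | value (int16) | CRC-32 over the first 4 bytes
"""
import struct
import zlib
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple

HEADER = ">BBh"                          # msg_id, seq, value
FRAME_LEN = struct.calcsize(HEADER) + 4  # header + CRC-32


class Reject(Enum):
    BIT_ERROR = "CRC mismatch (environmental interference / corruption)"
    UNKNOWN_COMMAND = "undefined command id (unintentional command)"
    OUT_OF_ORDER = "sequence gap or replay (out-of-order)"
    WRONG_EVENT = "command not permitted in current operating mode"
    BAD_POLARITY = "sign violates declared polarity"
    BAD_MAGNITUDE = "value outside declared range"


@dataclass(frozen=True)
class DataSpec:
    """One data-dictionary entry: constraints a command value must satisfy."""
    name: str
    min_value: int
    max_value: int
    allowed_modes: FrozenSet[str]
    non_negative: bool


# Constructed data dictionary (step 3.6); ids, modes and limits are hypothetical.
DATA_DICT = {
    0x10: DataSpec("throttle_cmd", 0, 1000, frozenset({"GROUND", "FLIGHT"}), True),
    0x11: DataSpec("pitch_trim", -300, 300, frozenset({"FLIGHT"}), False),
    0x20: DataSpec("gear_down", 0, 1, frozenset({"FLIGHT"}), True),
}


def build_frame(msg_id: int, seq: int, value: int) -> bytes:
    """Transmitter side: append a CRC-32 so bit errors on the link are detectable."""
    payload = struct.pack(HEADER, msg_id, seq, value)
    return payload + struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF)


class Receiver:
    def __init__(self, mode: str, initial_seq: int = 0):
        self.mode = mode          # current operating mode (step 3.2)
        self.last_seq = initial_seq

    def receive(self, frame: bytes) -> Tuple[Optional[Reject], Optional[int]]:
        """Validate one frame; return (None, value) if accepted, else (reason, None)."""
        if len(frame) != FRAME_LEN:
            return Reject.BIT_ERROR, None
        payload, (crc,) = frame[:-4], struct.unpack(">I", frame[-4:])
        if zlib.crc32(payload) & 0xFFFFFFFF != crc:
            return Reject.BIT_ERROR, None
        msg_id, seq, value = struct.unpack(HEADER, payload)

        spec = DATA_DICT.get(msg_id)
        if spec is None:
            return Reject.UNKNOWN_COMMAND, None
        if seq != (self.last_seq + 1) & 0xFF:
            # Report the gap but resync so one lost frame does not block recovery.
            self.last_seq = seq
            return Reject.OUT_OF_ORDER, None
        self.last_seq = seq   # frame is in order even if its content is rejected below

        if self.mode not in spec.allowed_modes:
            return Reject.WRONG_EVENT, None
        if spec.non_negative and value < 0:
            return Reject.BAD_POLARITY, None
        if not spec.min_value <= value <= spec.max_value:
            return Reject.BAD_MAGNITUDE, None
        return None, value


def corrupt(frame: bytes, byte_index: int) -> bytes:
    """Flip one bit to simulate interference on the link (test helper)."""
    buf = bytearray(frame)
    buf[byte_index] ^= 0x01
    return bytes(buf)


def run_demo() -> List[str]:
    """Feed constructed frames through a receiver; return 'OK' or the reject name per frame."""
    rx = Receiver(mode="FLIGHT")
    results: List[str] = []
    frames = [
        build_frame(0x10, 1, 500),              # valid throttle command
        corrupt(build_frame(0x10, 2, 600), 2),  # same command hit by a bit flip
        build_frame(0x10, 2, 600),              # retransmission, in order
        build_frame(0x10, 5, 700),              # seq 3 and 4 missing
        build_frame(0x11, 6, -350),             # trim below declared minimum
        build_frame(0x10, 7, -5),               # negative throttle (polarity)
    ]
    for f in frames:
        reason, _ = rx.receive(f)
        results.append("OK" if reason is None else reason.name)
    rx.mode = "GROUND"                           # mode change: gear command now invalid
    for f in (build_frame(0x20, 8, 1), build_frame(0x7F, 9, 0)):
        reason, _ = rx.receive(f)
        results.append("OK" if reason is None else reason.name)
    return results
```

The order of checks matters: integrity (CRC) and command identity are established before sequence, mode and value constraints, so a corrupted frame is never allowed to disturb the sequence state.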
By adopting this scheme, the invention has the following beneficial effects: on the one hand, with regard to the relevant principles of systems theory, the invention combines the software-itself-based and the system-based software security analysis methods, provides an all-round software security analysis flow from the system layer to the software code layer, and effectively improves the completeness of software security requirement capture; on the other hand, the requirement to ensure software safety is realized through strict process control, safety analysis and design ideas aimed at specific internal software elements are provided, the DO-178C standard is supplemented, and the implementation of the software design is ensured.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention.
FIG. 1 is a software system security analysis flowchart of a highly integrated complex software security analysis method according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, a method for analyzing security of highly integrated complex software includes the following steps:
1) the method in civil airworthiness standards ARP4754A and ARP4761 is adopted to carry out system security analysis and identify the security requirement of the system;
2) distributing system security requirements to software, and determining software security requirements;
3) performing security analysis on internal elements of the software from a code level;
4) software integration and verification are performed by adopting a method in DO-178C: software integration and verification are carried out based on the DO-178C standard, the coordination among software codes and between the software codes and hardware is checked, whether the software is correct or not is verified, the safety design is realized, and the safety requirement of the software is met.
Wherein, the step 1) comprises the following steps:
1.1) combining the system theory integrity principle, and from the system perspective, distributing the security function to each element through the overall analysis of the system security;
1.2) identifying system hazards: civil aircraft are typical highly integrated complex systems with extremely high safety requirements, so the system is examined by referring to the methods in the civil aircraft airworthiness standards ARP4754A and ARP4761 to identify the hazards existing in the system;
1.3) after the danger existing in the system is identified, further identifying system safety related requirements and system safety constraints of a system level for preventing the danger, wherein the system safety constraints are the same as general functional requirements and only require the system to carry out certain special control, so as to avoid entering a dangerous state;
1.4) after the system safety related requirements and system safety constraints are identified, designing a control structure that exercises preliminary control over the system according to them; the control structure design should meet the system safety requirements and is analyzed continuously as the design is refined so that the control structure is improved; when the control structure is defined, the safety control interface of the software must be defined separately, ensuring that a set of safety mechanisms exists in the software so that system safety cannot be affected when the software fails;
1.5) identifying potential abnormal control behaviors: a control actuator can generally exhibit four types of control anomaly, namely failure to provide an expected control behavior, incorrect or unsafe control behavior, control behavior that starts too late, and control behavior that ends too early; the corresponding abnormal control behaviors are identified for each control actuator, and the interface control of main concern between systems, and between systems and software, is identified from them;
1.6) finding the causes of the abnormal control behaviors from the control structure; the causes are divided into two types, control defects and inadequate control behavior: a control defect means that the abnormal control behavior is caused by an error in the control algorithm, an error in the control process or insufficient coordination among actuators, and is identified by examining the process control loop; inadequate control behavior means that the abnormal control behavior is caused by a defective or erroneous sensor, or by erroneous data of the actuator itself, while the process model is correct;
1.7) identifying the constraint conditions and design decisions that eliminate the abnormal control behaviors according to the analysis of step 1.5), further perfecting the safety requirements of the system, defining a new control structure and analyzing again.
The step 2) specifically comprises the following steps:
2.1) grading the software according to the influence degree of software failure on the system safety, and determining the target required to be met in the development process of the software with different levels based on the DO-178C standard;
2.2) decomposing the identified system safety requirement, searching a safety function related to the software as the input of the software life cycle process, and further distributing the system safety requirement to the software;
2.3) further refining the system safety requirements distributed to the software, analyzing the software failure mode possibly causing system risks, the reasons for failure and the influence caused by failure, and providing corresponding improvement measures to form the software safety layer requirements;
2.4) forming the software-level architecture according to the software safety high-level requirements, analyzing the causes of failure modes layer by layer according to the different types of software failure modes, and providing corresponding improvement measures down to the software code level.
The step 3) specifically comprises the following steps:
3.1) proceeding from the hierarchy principle of systems theory, guaranteeing the independence of the software elements, regarding the software as a system in order to analyze the safety problems of the software itself, considering the abrupt changes (mutations) caused by the interactions between the internal elements of the software from the standpoint of the stability and mutation principles of systems theory, and further performing safety analysis on the internal elements of the software at the code level, wherein the key internal elements of the safety analysis comprise operation mode, operation state and conditions, fault tolerance and failure tolerance, dangerous command processing, interfaces, data, timing, throughput and software scale;
3.2) analyzing the running mode and the running state and condition, searching whether conditions and potential failure risks which can cause unsafe states exist in the whole software requirement, such as conditions of out-of-order, wrong events, improper magnitude, improper polarity, unintentional commands, errors caused by environmental interference, command failure modes and the like, coping with all the unsafe state conditions and potential failure risks, and making appropriate response requirements;
3.3) fault-tolerant and failure-tolerant analysis, wherein a fault-tolerant system is used for processing most possible faults and faults which have low probability of occurrence but are dangerous, a failure-tolerant system is used for processing higher-level errors which can cause system failure, the failure tolerance requirement of software is determined according to the safety level of the software, and a redundancy strategy, conversion logic, a fault detection mechanism, an isolation mechanism and a recovery mechanism are formulated;
3.4) dangerous command processing analysis: identifying the dangerous commands that can cause serious or catastrophic hazards or a reduction in control capability, and handling them, including the hardware or software functions that receive, transmit or initiate critical signals or dangerous commands;
3.5) interface analysis, analyzing the error mode and error probability of the interface, and determining a communication method, a data coding method, an error checking method, a synchronization method and a check and error correction code method based on the error mode and error probability of the interface, and ensuring the consistency and integrity of communication protocols of both communication parties when the communication interface data is defined;
3.6) data analysis, defining various data used by software, including defining logic structures of static data, dynamic input and output data and internal generation data, listing a data list and explaining the constraint on the data; specifying data acquisition requirements, specifying characteristics, requirements and ranges of the acquired data; establishing a data dictionary to explain the source, processing and destination of data;
3.7) timing, throughput and software scale analysis, considering system resources and time constraint conditions for safety key functions, analyzing software requirements related to execution time, I/O data rate and memory/storage allocation, such as critical time, automatic safety protection time, sampling rate, memory resources and the like, and designing corresponding margins;
3.8) analyzing and designing the software code levels layer by layer to form the low-level software safety requirements, then writing the code according to the low-level requirements, and feeding back insufficient or incorrect inputs found during coding to the relevant software process for clarification or correction.
The above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by the present specification, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (5)

1. A highly integrated complex software security analysis method is characterized by comprising the following steps:
1) the method in civil airworthiness standards ARP4754A and ARP4761 is adopted to carry out system security analysis and identify the security requirement of the system;
2) distributing system security requirements to software, and determining software security requirements;
3) performing security analysis on internal elements of the software from a code level;
4) software integration and verification are performed by adopting a method in DO-178C: software integration and verification are carried out based on the DO-178C standard, the coordination among software codes and between the software codes and hardware is checked, whether the software is correct or not is verified, the safety design is realized, and the safety requirement of the software is met.
2. The highly integrated complex software security analysis method according to claim 1, wherein the step 1) specifically comprises the following steps:
1.1) combining the system theory integrity principle, and from the system perspective, distributing the security function to each element through the overall analysis of the system security;
1.2) identifying system danger, checking the system by referring to methods in civil aviation airworthiness standards ARP4754A and ARP4761, and identifying the danger existing in the system;
1.3) after the hazards present in the system have been identified, identifying the system-level safety-related requirements and system safety constraints that prevent those hazards; the system safety constraints take the same form as ordinary functional requirements and differ only in that they require the system to exercise particular controls so that it does not enter a hazardous state;
1.4) after the system safety-related requirements and system safety constraints have been identified, designing a control structure that provides preliminary control of the system in accordance with them; the control structure design shall satisfy the system safety requirements and is re-analysed as the design is refined, so that the control structure is progressively improved; when the control structure is defined, the safety control interfaces of the software shall be defined separately, so that the software is guaranteed to contain a set of safety mechanisms and a failure of the software cannot affect system safety;
1.5) identifying potential abnormal (unsafe) control actions: a controller can in general produce four kinds of control anomaly, namely the expected control action is not provided, the control action is provided but is wrong or unsafe, the control action is started too late, and the control action is stopped too early; the abnormal control actions are identified for each controller in turn, with attention focused on the interface controls between system and system, between system and software, and between software and software;
1.6) determining the causes of the abnormal control actions from the control structure; the causes fall into two classes, control flaws and inadequate execution of control actions: a control flaw means that the abnormal control action arises from an error in the control algorithm, an error in the control process (process model) or inadequate coordination among controllers, and is identified by examining the process control loop; inadequate execution means that, with the process model correct, the abnormal control action arises from a defect in the actuator itself or from a faulty sensor or faulty data;
1.7) identifying, from the analysis of step 1.5), the constraints and design decisions that eliminate the abnormal control actions, further refining the system safety requirements, defining a new control structure and repeating the analysis.
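The four categories of step 1.5) become useful in practice when a recorded control trace can be checked against a safety constraint and each violation named. The following C program is an added example, not part of the patent or of the applicant's method: it classifies a trace of controller outputs and process states into the four STPA/STAMP categories (not provided, provided when unsafe, provided too late, stopped too soon). The controller, the states NEED_ACTION/FORBID_ACTION, the 100 ms deadline and all traces are constructed for illustration.

```c
/* Added example (not part of the patent): classify abnormal control actions
 * into the four categories of step 1.5) by checking a recorded control trace
 * against a safety constraint. Controller, states, deadline and traces are
 * constructed for illustration. */
#include <stddef.h>
#include <stdio.h>

/* Process model states as seen by the hypothetical controller. */
enum proc_state { IDLE = 0, NEED_ACTION = 1, FORBID_ACTION = 2 };

/* The four abnormal control action types. */
enum uca_type {
    UCA_NONE = 0,
    UCA_NOT_PROVIDED,     /* required action never issued                   */
    UCA_UNSAFE_PROVIDED,  /* action issued in a state where it is hazardous */
    UCA_TOO_LATE,         /* action issued, but after the deadline          */
    UCA_STOPPED_TOO_SOON  /* action withdrawn while still required          */
};

struct sample { unsigned t_ms; enum proc_state state; int action_on; };

/* Constructed safety constraint: once NEED_ACTION begins, the action must be on
 * within DEADLINE_MS and stay on until NEED_ACTION ends; it must never be on
 * during FORBID_ACTION. */
#define DEADLINE_MS 100u
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static void mark(unsigned *when, unsigned t) { if (when) *when = t; }

/* Returns the first violation in the trace, or UCA_NONE. If `when` is non-NULL
 * it receives the timestamp of the violating sample (for UCA_NOT_PROVIDED, the
 * start of the episode in which the action was missing). */
enum uca_type classify_trace(const struct sample *tr, size_t n, unsigned *when)
{
    int in_episode = 0, provided = 0;
    unsigned episode_start = 0;

    for (size_t i = 0; i < n; i++) {
        const struct sample *s = &tr[i];

        if (s->state == FORBID_ACTION && s->action_on) {
            mark(when, s->t_ms);
            return UCA_UNSAFE_PROVIDED;
        }
        if (s->state == NEED_ACTION) {
            if (!in_episode) { in_episode = 1; provided = 0; episode_start = s->t_ms; }
            if (s->action_on && !provided) {
                provided = 1;
                if (s->t_ms - episode_start > DEADLINE_MS) {
                    mark(when, s->t_ms);
                    return UCA_TOO_LATE;
                }
            } else if (!s->action_on && provided) {
                mark(when, s->t_ms);
                return UCA_STOPPED_TOO_SOON;
            }
        } else if (in_episode) {
            in_episode = 0;
            if (!provided) { mark(when, episode_start); return UCA_NOT_PROVIDED; }
        }
    }
    /* Trace ends inside an episode with the action still missing past the deadline. */
    if (in_episode && !provided && n > 0 && tr[n - 1].t_ms - episode_start > DEADLINE_MS) {
        mark(when, episode_start);
        return UCA_NOT_PROVIDED;
    }
    mark(when, 0);
    return UCA_NONE;
}

/* Timestamp of the first violation (0 if none); convenience wrapper. */
unsigned violation_time(const struct sample *tr, size_t n)
{
    unsigned when;
    classify_trace(tr, n, &when);
    return when;
}

const char *uca_name(enum uca_type t)
{
    static const char *names[] = { "none", "not provided", "provided when unsafe",
                                   "provided too late", "stopped too soon" };
    return names[t];
}

/* Constructed traces, one per category: {t_ms, state, action_on}. */
const struct sample trace_ok[]      = { {0, IDLE, 0}, {50, NEED_ACTION, 0}, {100, NEED_ACTION, 1}, {150, NEED_ACTION, 1}, {200, IDLE, 0} };
const struct sample trace_missing[] = { {0, NEED_ACTION, 0}, {100, NEED_ACTION, 0}, {200, NEED_ACTION, 0}, {300, IDLE, 0} };
const struct sample trace_unsafe[]  = { {0, IDLE, 0}, {50, FORBID_ACTION, 1} };
const struct sample trace_late[]    = { {0, NEED_ACTION, 0}, {60, NEED_ACTION, 0}, {120, NEED_ACTION, 0}, {180, NEED_ACTION, 1}, {240, IDLE, 0} };
const struct sample trace_stopped[] = { {0, NEED_ACTION, 1}, {50, NEED_ACTION, 1}, {100, NEED_ACTION, 0} };

int main(void)
{
    unsigned when;
    enum uca_type r = classify_trace(trace_late, COUNT(trace_late), &when);
    printf("%s at t=%u ms\n", uca_name(r), when);   /* provided too late at t=180 ms */
    return 0;
}
```

The same classifier can serve as a test oracle in step 1.7): each system safety constraint derived from a control structure is encoded once, and every simulation or flight-test trace is checked against it, so a refined control structure is judged on recorded behaviour rather than on review alone.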
3. The highly integrated complex software safety analysis method according to claim 1, wherein step 2) specifically comprises the following steps:
2.1) assigning the software a level according to the severity of the effect that a software failure has on system safety, and determining, on the basis of the DO-178C standard, the objectives that software of each level must satisfy during development;
2.2) decomposing the identified system safety requirements, identifying the safety functions that involve the software as inputs to the software life-cycle processes, and thereby allocating the system safety requirements to the software;
2.3) further refining the system safety requirements allocated to the software, analysing the software failure modes that could give rise to system-level hazards, their causes and their effects, and proposing corresponding improvement measures so as to form the software high-level safety requirements;
and 2.4) forming the software architecture from the software high-level safety requirements, analysing the causes of each type of software failure mode layer by layer, and proposing corresponding improvement measures down to the software code level.
4. The highly integrated complex software safety analysis method according to claim 1, wherein step 3) specifically comprises the following steps:
3.1) from the hierarchy principle of systems theory, ensuring the independence of the software elements and treating the software itself as a system when analysing its intrinsic safety; from the stability and mutation (abrupt change) principles of systems theory, considering the abrupt changes that interactions among the software's internal elements can cause, and analysing the safety of those internal elements further down to the code level;
3.2) operating mode, operating state and condition analysis: searching the whole of the software requirements for conditions and latent failure hazards that can lead to an unsafe state, and specifying an appropriate response requirement for each such condition and latent failure hazard;
3.3) fault tolerance and failure tolerance analysis: determining the fault tolerance requirements of the software from its safety level, and specifying the redundancy strategy, the switch-over logic, and the fault detection, isolation and recovery mechanisms;
3.4) hazardous command processing analysis: identifying the hazardous commands whose mishandling can cause a serious or catastrophic hazard or a loss of control capability, including the hardware or software functions that receive, transmit or initiate critical signals or hazardous commands;
3.5) interface analysis: analysing the error modes and error probability of each interface and, on that basis, determining the communication method, data encoding method, error checking method, synchronisation method and check/error-correction code method, and ensuring that the communication protocols of the two communicating parties are consistent and complete when the communication interface data are defined;
3.6) data analysis: defining every kind of data the software uses, including the logical structure of static data, dynamic input and output data and internally generated data, listing the data items and stating the constraints on them; specifying data acquisition requirements, including the characteristics, requirements and ranges of the acquired data; and establishing a data dictionary that records the source, processing and destination of each data item;
3.7) timing, throughput and software size analysis: for safety-critical functions, taking system resources and time constraints into account, analysing the software requirements that relate to execution time, I/O data rates and memory/storage allocation, and designing corresponding margins;
and 3.8) analysing and designing layer by layer down to the software code level to form the software safety low-level requirements, then writing the code to those low-level requirements, and feeding insufficient or incorrect inputs found during coding back to the relevant software process for clarification or correction.
5. The highly integrated complex software safety analysis method according to claim 4, wherein the key internal elements of the safety analysis in step 3.1) comprise the operating mode, operating state and conditions, fault tolerance and failure tolerance, hazardous command processing, interfaces, data, and timing, throughput and software size.
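Steps 3.3) to 3.6) name the mechanisms a hazardous-command interface needs (error checking, synchronisation, range constraints on data, fault detection and isolation) without showing how they combine. The C program below is an added example, not code from the patent or the applicant: it implements a receiver for a hypothetical 7-byte command frame (sync byte, sequence number, command, 16-bit argument, CRC-16) in which the hazardous command DEPLOY is accepted only if the frame's CRC verifies, its sequence number is the expected one, an ARM command was the immediately preceding accepted frame, and the argument lies in the permitted range; three consecutive rejected frames isolate the channel until a reset. The frame layout, command codes, CRC-16/CCITT-FALSE choice, the 0..1000 range and the fault threshold are all assumptions made for the example.

```c
/* Added example (not from the patent): hazardous command receiver combining
 * CRC check, sequence synchronisation, two-step arm/deploy interlock, range
 * constraint and fault detection/isolation. Frame format, codes and limits are
 * constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SYNC_BYTE  0xA5
#define FRAME_LEN  7          /* sync, seq, cmd, arg_hi, arg_lo, crc_hi, crc_lo */
#define MAX_FAULTS 3          /* consecutive rejections before the channel is isolated */
#define DEPLOY_MIN 0
#define DEPLOY_MAX 1000

enum cmd { CMD_STATUS = 0x01, CMD_ARM = 0x10, CMD_DEPLOY = 0x11 };
enum rx_result { RX_OK = 0, RX_REJ_SYNC, RX_REJ_CRC, RX_REJ_SEQ, RX_REJ_RANGE,
                 RX_REJ_NOT_ARMED, RX_REJ_UNKNOWN, RX_ISOLATED };

struct rx_state {
    uint8_t expect_seq;  /* next sequence number the receiver will accept */
    int armed;           /* set only by an accepted ARM, valid for exactly one frame */
    int faults;          /* consecutive rejected frames */
    int isolated;        /* channel isolated after MAX_FAULTS; cleared by rx_reset */
    int deployed;        /* number of DEPLOY commands actually executed */
    int16_t last_arg;
};

/* CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no final XOR. */
uint16_t crc16_ccitt(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)((uint16_t)p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Sender side: serialise a frame with its CRC over the first five bytes. */
void build_frame(uint8_t out[FRAME_LEN], uint8_t seq, uint8_t cmd, int16_t arg)
{
    out[0] = SYNC_BYTE; out[1] = seq; out[2] = cmd;
    out[3] = (uint8_t)((uint16_t)arg >> 8); out[4] = (uint8_t)arg;
    uint16_t c = crc16_ccitt(out, 5);
    out[5] = (uint8_t)(c >> 8); out[6] = (uint8_t)c;
}

int rx_reset(struct rx_state *rx) { memset(rx, 0, sizeof *rx); return 0; }

/* Every rejection disarms (fail-safe) and counts towards isolation. */
static enum rx_result fault(struct rx_state *rx, enum rx_result why)
{
    rx->armed = 0;
    if (++rx->faults >= MAX_FAULTS) rx->isolated = 1;
    return why;
}

enum rx_result rx_process(struct rx_state *rx, const uint8_t f[FRAME_LEN])
{
    if (rx->isolated) return RX_ISOLATED;
    if (f[0] != SYNC_BYTE) return fault(rx, RX_REJ_SYNC);
    uint16_t got = (uint16_t)((f[5] << 8) | f[6]);
    if (got != crc16_ccitt(f, 5)) return fault(rx, RX_REJ_CRC);  /* seq/cmd untrusted */
    if (f[1] != rx->expect_seq) {                                  /* lost or replayed frame */
        rx->expect_seq = (uint8_t)(f[1] + 1);                      /* resynchronise, do not execute */
        return fault(rx, RX_REJ_SEQ);
    }
    rx->expect_seq = (uint8_t)(f[1] + 1);
    int16_t arg = (int16_t)(((uint16_t)f[3] << 8) | f[4]);
    switch (f[2]) {
    case CMD_STATUS: break;
    case CMD_ARM:    break;
    case CMD_DEPLOY:
        if (!rx->armed) return fault(rx, RX_REJ_NOT_ARMED);
        if (arg < DEPLOY_MIN || arg > DEPLOY_MAX) return fault(rx, RX_REJ_RANGE);
        rx->deployed++; rx->last_arg = arg;
        break;
    default: return fault(rx, RX_REJ_UNKNOWN);
    }
    rx->armed = (f[2] == CMD_ARM);   /* ARM must be followed directly by DEPLOY */
    rx->faults = 0;
    return RX_OK;
}

/* Build a frame, optionally flip one bit in byte `flip_byte` (-1: none), and process it. */
enum rx_result rx_send(struct rx_state *rx, uint8_t seq, uint8_t cmd, int16_t arg, int flip_byte)
{
    uint8_t f[FRAME_LEN];
    build_frame(f, seq, cmd, arg);
    if (flip_byte >= 0 && flip_byte < FRAME_LEN) f[flip_byte] ^= 0x01;
    return rx_process(rx, f);
}

struct rx_state g_rx;   /* single receiver instance driven by main() or a harness */

int main(void)
{
    rx_reset(&g_rx);
    rx_send(&g_rx, 0, CMD_ARM, 0, -1);
    printf("armed deploy: %d\n", rx_send(&g_rx, 1, CMD_DEPLOY, 750, -1));    /* RX_OK */
    rx_reset(&g_rx);
    printf("corrupted deploy: %d\n", rx_send(&g_rx, 0, CMD_DEPLOY, 750, 4)); /* RX_REJ_CRC */
    return 0;
}
```

Two design choices are worth noting against the claim's wording. Because the CRC is verified before the sequence number is read, a corrupted frame leaves the expected sequence unchanged, so the next good frame is rejected as out of sequence and the receiver resynchronises from it; a single corrupted frame therefore costs two rejections, and MAX_FAULTS must be chosen with that in mind. Arming here is valid for exactly one following frame; a real design would also bound it in time, which step 3.7) would cover.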
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110448125.0A CN113051581A (en) 2021-04-25 2021-04-25 Highly-integrated complex software security analysis method

Publications (1)

Publication Number Publication Date
CN113051581A true CN113051581A (en) 2021-06-29

Family

ID=76520367

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116107912A (en) * 2023-04-07 2023-05-12 Shijiazhuang University (石家庄学院) Security detection method and system based on application software

Citations (2)

Publication number Priority date Publication date Assignee Title
US20170214701A1 (en) * 2016-01-24 2017-07-27 Syed Kamran Hasan Computer security based on artificial intelligence
CN109992963A (en) * 2019-04-12 2019-07-09 Changsha University of Science and Technology (长沙理工大学) Information security protection method and system for a power terminal and its embedded system

Non-Patent Citations (5)

Title
Shi Tingwen (史亭文): "Research on software safety in aviation systems" (航空系统中的软件安全性研究), Computer Knowledge and Technology (电脑知识与技术), pp. 51-54 *
Zhou Xinlei (周新蕾): "Software safety analysis techniques and their application" (软件安全性分析技术及应用), Quality and Reliability (质量与可靠性), pp. 37-40 *
Zhao Qi et al. (赵琪 等): "STAMP-based safety analysis of an aircraft landing gear extension and retraction system" (基于STAMP的飞机起落架收放系统安全性分析), Internal Combustion Engine & Parts (内燃机与配件), pp. 31-33 *
Zou Shuliang (邹树梁): "STAMP-model-based safety analysis of a small-break accident at a floating nuclear power plant" (基于STAMP模型的浮动核电站小破口事故安全分析), Journal of University of South China (Science and Technology) (南华大学学报(自然科学版)), pp. 58-65 *
Kan Jin et al. (阚进 等): "Process assurance methods for improving airborne software safety" (提高机载软件安全性的过程保证方法), Avionics Technology (航空电子技术), pp. 28-33 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination