pSHIELD System Architecture Design PU
D2.3.2 Issue 5 Page 52 of 122

• Fault prevention, tolerance, diagnosis
• Error detection, correction
• Failure rate, failure mode

4.1.2.2 The attributes

Dependability is a concept composed of the following basic attributes:
• Availability
• Reliability
• Safety
• Confidentiality
• Integrity
• Maintainability

The description of the required goals of those attributes, in terms of frequency, severity and duration of failure modes for a specific set of failure modes in a specific environment, is the dependability requirement of the system.

Depending on the intended application of the system, those attributes contribute with different weights to the dependability requirement. Availability is always a prerequisite, but reliability, safety and confidentiality may be required only to a limited degree in certain applications.

Integrity is a prerequisite for availability, reliability and safety, but not always for confidentiality. For example, attacks via passive listening can lead to loss of confidentiality without threatening integrity.

Security, although not included as a single attribute of dependability, can be described as the combination of confidentiality, integrity and availability.

There are also some secondary attributes, especially relevant to security, which can be defined when we distinguish amongst various types of information:
• Accountability: availability and integrity of the identity of the person that performs an operation
• Authenticity: integrity of the source and content of a message and of other attributes of the message, such as time of emission
• Non-repudiation: availability and integrity of the identity of the sender and receiver of a message

The different weights that are put on those attributes directly affect the means that are to be used in order to make the resulting system dependable. Most of the time, those attributes also conflict with each other, and several design trade-offs are required.

4.1.2.3 The means

The four main techniques utilized for the development of a dependable computing system are the following:
• Fault prevention: attained by employing quality control during the design and implementation phases. For software, this includes structured programming and modularization; for hardware, rigorous design rules. Physical faults are prevented through shielding, radiation hardening etc. Interaction faults are prevented through training and rigorous procedures. Malicious faults are prevented through the use of firewalls, intrusion detection systems and similar defences.
• Fault tolerance: the notion of delivering the correct service even in the presence of active faults. This is achieved by error detection and system recovery in the forms of rollback, compensation or roll-forward. Fault tolerance is not restricted to accidental faults: malicious faults are also the target of the error detection mechanisms.
• Fault removal: performed during both the development and the operational phases. During the development life cycle, fault removal consists of three steps: verification, diagnosis and correction. During the normal operational phase, fault removal is performed via corrective and pre-emptive maintenance. Pre-emptive maintenance aims at removing faults before they cause errors during operation.
• Fault forecasting: the outcome of the evaluation of the system behaviour with respect to fault occurrence. The main metric used in this process is failure intensity. The alternation of correct and incorrect service delivery is quantified to define reliability, availability and maintainability as measures of dependability.

4.2 Embedded Systems

4.2.1 Introduction

In addition to the typical requirements for responsiveness, reliability, availability, robustness and extensibility, many conventional embedded systems and applications have significant security requirements. However, security is a resource-demanding function that needs special attention in embedded computing. Furthermore, the wide deployment of small devices used in critical applications has triggered the development of new, strong attacks that exploit systemic characteristics, in contrast to traditional attacks, which focused on algorithmic characteristics because attackers were unable to experiment with the physical devices used in secure applications. Thus, the design of secure embedded systems requires special attention.

4.2.2 Design of Secure Embedded Systems

Secure embedded systems must provide basic security properties, such as data integrity, as well as mechanisms and support for more complex security functions, such as authentication and confidentiality. Furthermore, they have to support the security requirements of applications, which are implemented, in turn, using the security mechanisms offered by the system.

4.2.2.1 System Design Issues

Design of secure embedded systems needs to address several issues and parameters, ranging from the employed hardware technology to software development methodologies. Although several techniques used in general-purpose systems can be effectively used in embedded system development as well, there are specific design issues that need to be addressed separately, because they are unique to, or weaker in, embedded systems, due to the high volume of available low-cost systems that malicious users can use to develop attacks. The major design issues are tamper-resistance properties, memory protection, Intellectual Property (IP) protection, management of processing power, communication security and embedded software design.

Modern secure embedded systems must be able to operate in various environmental conditions without loss of performance or deviation from their primary goals. In many cases they must survive various physical attacks and have tamper resistance mechanisms. Tamper resistance is the property that enables systems to prevent the distortion of their physical parts. In addition to tamper resistance mechanisms, there exist tamper evidence mechanisms, which allow users or technical staff to identify tampering attacks and take countermeasures.

IP protection of manufacturers is an important issue addressed in secure embedded systems. Complicated systems tend to be partitioned into smaller independent modules, leading to module reusability and cost reduction. These modules include IP of the manufacturers, which needs to be protected from