![Page 1: Dependability modeling and analysis with the MARTE-DAM profile · 2010. 9. 29. · Dependability Profile within MARTE. Submitted to SOSYM journal, 2009. S.Bernardi, J. Merseguer,](https://reader035.vdocument.in/reader035/viewer/2022062610/611198639474f71cdf0daceb/html5/thumbnails/1.jpg)
Dependability modeling and analysis with the MARTE-DAM profile
PaCo Meeting, 25-26/06/09
UNITO Task: Development of a UML profile for dependability analysis
Simona Bernardi, UNITO

Recently completed works
S.Bernardi, J. Merseguer, D.C. Petriu, A Dependability Profile within MARTE. Submitted to SOSYM journal, 2009.
S.Bernardi, J. Merseguer, D.C. Petriu, Adding Dependability Analysis capabilities to the MARTE profile. MODELS08, October 2008.
S. Bernardi, J. Merseguer, D.C. Petriu, An UML profile for dependability analysis and modeling of software systems, Tech.Rep. no. RR-08-05, DIIS, Universidad de Zaragoza, Spain, May, 2008.

Motivation and objectives
• The current standard UML profiles do not provide concrete capabilities for dependability analysis in a light-weight fashion
• Several proposals exist on deriving dependability models from UML-based models
• Objective: propose a UML profile for quantitative dependability analysis of sw systems modeled with UML
• Focus on availability, reliability, maintainability and safety properties

Methodological approach overview (flowchart)
Literature review: UML profiles, dependability literature, survey on UML dependability analysis
→ Definition of the DAM domain model
→ Completeness assessment of the DAM model against the requirements checklist (Complete? loop until yes)
→ Design of the DAM profile: definition of DAM stereotypes, definition of the DAM library using MARTE
→ DAM profile assessment (All reqs satisfied? loop until yes)

Information requirement checklist
R1. Identification of the DAM context: reliability, availability, maintainability, safety
R2. Specification of dependability reqs in terms of upper/lower bounds
R3. Specification of dependability metrics to be estimated and properties to be verified (to assess R2)
R4. Threats characterization (faults, errors, failures, hazards, accidents) that may affect both hw/sw resources and their relationships (FEF chain, H-A, error propagation)
R5. (For repairable systems) Characterization of repair/recovery processes that remove basic/derived threats from the system
R6. Specification of incorrect behavior of the system affected by threats as well as the recovery actions that restore the system state
R7. (For fault tolerant systems) Specification of hw/sw redundant structures

DAM domain model overview (package diagram)
Top-level package: DAMdomainModel, containing the System package
System package: Core, Threats, Maintenance and Redundancy sub-packages

DAM domain model: Core & Threats (the same package diagram; the Core and Threats packages are detailed on the next two slides)

DAM Core model (class diagram; a leading "/" marks a derived attribute)
Classes and attributes:
– Service: execProb, /ssAvail, instAvail, unreliability, /reliability, missionTime, availLevel, reliabLevel, safetyLevel, complexity
– Component: stateful, origin, isActive, failureCoverage, /percPermFault, /ssAvail, unreliability, /reliability, missionTime, availLevel, reliabLevel, safetyLevel, complexity
– Connector: coupling
– ServiceRequest <<user>>: accessProb, serviceProb[1..*]{ordered}
– Step, DependabilityAnalysisContext
Associations (multiplicities 1..*, *, 2, 0..1 in the diagram): requests, provides, interacts-via, requests{ordered}, basicServices, sub
OCL constraint: {Component.provides->lowerBound()+Component.requests->lowerBound()>=1}
MARTE base classes: MARTE::GRM::ResourceCore::Resource, MARTE::GQAM::AnalysisContext, MARTE::GQAM::GQAM_Workload::BehaviorScenario, MARTE::GQAM::GQAM_Workload::Step

DAM Threats model (class diagram)
– Impairment (domain, MTTF, …) generalizes Fault, Error, Failure and Hazard (severity, risk, …); they are linked by cause/effect associations (fault-error-failure chain and hazard relations)
– ErrorStep, FailureStep, HazardStep specialize System::Core::Step
– FaultGenerator; ErrorPropagation with ErrorPropagationRelation (from/to, cause/effect)
– Referenced classes: System::Core::Component, System::Core::Connector, System::Core::Service, System::Redundancy::RedundantStructure

DAM profile definition
• The mapping process from the domain model elements to the DAM profile has been an iterative one
• We applied several guidelines (Selic) and patterns (Lagarde et al.) to design a technically correct and consistent profile
• We used MARTE best practice to trace the mapping
• We specialized MARTE to reuse already defined concepts

DAM profile overview (package diagram)
– <<profile>> DAM contains DAM_UML_Extensions and the <<modelLibrary>> DAM_Library (Basic_DA_Types, Complex_DA_Types)
– <<import>> dependencies: DAM imports <<profile>> MARTE::GQAM; DAM::DAM_Library imports <<modelLibrary>> MARTE::MARTE_Library::BasicNFP_Types
– <<apply>> dependencies: <<profile>> MARTE::NFPs and <<profile>> MARTE::VSL::DataType are applied to the DAM library

Mapping of domain classes
• Domain classes are good candidates to become stereotypes, but eventually only a subset of them has been mapped to a stereotype
• Objective: provide a “small” set of stereotypes
– Abstract classes not considered
– Threat/Maintenance concepts are complex dependability types of the DAM library
– “Subsuming taxonomic concept pattern”: E/F/H steps classes become enumeration type values

Stereotype definition (diagram)
– DAM domain model classes Service, Component and Connector map to the DAM profile stereotypes <<stereotype>> DaService, DaComponent and DaConnector
– DaService specializes <<stereotype>> MARTE::GQAM::GaScenario; DaComponent specializes <<stereotype>> MARTE::GRM::Resource
– DaConnector <<extend>>s UML2 base metaclasses (<<metaclass>> Connector, <<metaclass>> Message, …)

Mapping of domain attributes/associations
• Attributes have been mapped to either tags of stereotypes or to attributes of complex dependability types
– For each attribute a basic dependability type is associated/defined and a multiplicity is defined
• For associations, the “reference association pattern” is applied

Tag/attribute definition (I)
DAM conceptual model → DAM profile:
– Component.ssAvail → <<stereotype>> DaComponent, tag ssAvail: NFP_Percentage[*]
– Hazard (severity, risk) → <<tupleType>> DaHazard with severity: DaCriticalityLevel[*], risk: NFP_Real[*]
– <<dataType,nfpType>> DaCriticalityLevel {valueAttr=value}, value: CriticalityLevel, specializing <<dataType,nfpType>> MARTE::MARTE_Library::Basic_NFPTypes::NFP_CommonType (expr: VSL_Expression, source: Source, statQ: StatisticalQualifier, dir: DirectionKind)
– <<enumeration>> CriticalityLevel: Minor, Marginal, Major, Catastrophic

Tag/attribute definition (II)
DAM conceptual model → DAM profile:
– Component has impairment (multiplicity *) Impairment (domain, MTTF, …), specialized by Failure and Hazard (severity, risk, …)
– <<stereotype>> DaComponent tags: failure: DaFailure[*], hazard: DaHazard[*]
– <<tupleType>> DaFailure: domain: Domain[0..1], MTTF: NFP_Duration[*]
– <<tupleType>> DaHazard: severity: DaCriticalityLevel[*], risk: NFP_Real[*]

Usage of the DAM profile
• Normal way of usage
– At model spec level, the analyst may apply a DAM stereotype provided that the target model element belongs to a meta-class extended by that stereotype (e.g., DaService on a use case)
• Non-trivial threat assumption specification
– State-based failure conditions
– Common-mode failures/hazards
– Error propagation

Normal way of DAM usage
• Pacemaker example
– From Goseva et al., “Architectural-Level Risk Analysis Using UML”, TSE 29(10), 2003
– Where a methodology for safety risk assessment of UML-based system models is presented
• No UML extensions were used by Goseva et al.; NFP parameters were introduced in tabular form
• We use DAM to annotate the UML model with NFPs

Use Case Diagram (in Goseva et al. each UC is represented by a (set of) UML SD(s))
Actors: Patient, Heart. Use cases: AAI, VVI, AAT, AVI, VVT.
DAM annotation on a use case (AVI, from the parameter name): <<DaService>> {execProb=(value=0.29,source=assm), hazard=(risk=(value=$R_AVI, source=pred))}
DAM extensions:
– <<stereotype>> DaService: execProb: NFP_Real[*], hazard: DaHazard[*], ...
– <<tupleType>> DaHazard: severity: DaCriticalityLevel[*], risk: NFP_Real[*], ...

Pacemaker architecture
Components: VENTRICULAR, ATRIAL, REED_SWITCH, COMM_GNOME, COIL_DRIVER
DAM annotations:
– <<DaComponent>> COMM_GNOME {complexity=(value=0.3,source=assm), origin=sw, hazard=(severity=(value=marginal,source=assm), ... risk=(value=$R_CG, source=pred))}
– <<DaConnector>> (COMM_GNOME to VENTRICULAR) {coupling=(value=0.00039,source=assm); errorProp=(from=COMM_GNOME,to=VENTRICULAR); hazard=(severity=(value=marginal,source=assm), … risk=(value=$R_CG-VT,source=pred))}
DAM extensions:
– <<stereotype>> DaComponent: complexity: NFP_Real[*], origin, hazard: DaHazard[*], ...
– <<stereotype>> DaConnector: coupling: NFP_Real[*], errorProp: DaErrorProp[*], hazard: DaHazard[*], ...
– <<tupleType>> DaHazard: severity: DaCriticalityLevel[*], risk: NFP_Real[*], ...

State-based failure conditions
Components <<DaComponent>> A and <<DaComponent>> B; DAM annotation on A (A fails depending on the state of B):
{origin=sw; failure=(condition=(component=B, state=degraded) OR (component=B, state=failed));}
DAM extension: <<tupleType>> DaFailure: domain: Domain[0..1], MTTF: NFP_Duration[*], …, condition: FailureExpression[0..1]

Common-mode failure/hazard
<<DaRedundantStructure>> Package1 containing <<DaController>> B and <<DaVariant>> A; DAM annotation on the package:
{commonModeFailure=(occurrenceProb=0.0001);}
DAM extension: <<stereotype>> DaRedundantStructure: commonModeFailure: DaFailure[*], ...
OCL constraints:
1) self.ownedElements.size()>=2
2) self.ownedElements→forall(e | e.oclIsKindOf(DaController or DaVariant or DaAdjudicator or DaSpare))
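The two OCL constraints above, as an added executable check in Python; this is not part of the DAM profile or of any tooling from the deck. The in-memory model representation (Package and Element dataclasses holding the names of the applied stereotypes) is an assumption made for this example; the check returns the list of violated constraints, so a redundant structure with a single element, or with an element that plays none of the four redundancy roles, is reported instead of silently accepted.

```python
"""Executable form of the two OCL constraints attached to <<DaRedundantStructure>>.
Added example, not part of the DAM profile or its tooling; the dataclass model
representation is an assumption made for this example."""
from dataclasses import dataclass, field

# The four redundancy roles named in constraint 2 of the slide.
REDUNDANCY_ROLES = frozenset({"DaController", "DaVariant", "DaAdjudicator", "DaSpare"})


@dataclass
class Element:
    """A model element (e.g. a component) with its applied stereotypes."""
    name: str
    stereotypes: frozenset = frozenset()


@dataclass
class Package:
    """A UML package; owned_elements corresponds to OCL self.ownedElements."""
    name: str
    stereotypes: frozenset = frozenset()
    owned_elements: list = field(default_factory=list)


def check_redundant_structure(pkg: Package) -> list:
    """Return the constraint violations for a <<DaRedundantStructure>> package.

    An empty list means both OCL constraints hold:
      1) self.ownedElements->size() >= 2
      2) self.ownedElements->forAll(e | e plays one of the redundancy roles)
    """
    if "DaRedundantStructure" not in pkg.stereotypes:
        return [f"{pkg.name}: <<DaRedundantStructure>> is not applied"]
    violations = []
    # Constraint 1: a redundant structure needs at least two elements.
    if len(pkg.owned_elements) < 2:
        violations.append(f"{pkg.name}: constraint 1 violated, "
                          f"ownedElements->size() = {len(pkg.owned_elements)} < 2")
    # Constraint 2: every owned element must play a redundancy role.
    for e in pkg.owned_elements:
        if not (REDUNDANCY_ROLES & e.stereotypes):
            violations.append(f"{pkg.name}: constraint 2 violated, {e.name} has none of "
                              f"DaController/DaVariant/DaAdjudicator/DaSpare "
                              f"(found {sorted(e.stereotypes) or 'none'})")
    return violations


def slide_example() -> Package:
    """Package1 from the slide: B is the <<DaController>>, A a <<DaVariant>>."""
    return Package("Package1", frozenset({"DaRedundantStructure"}), [
        Element("B", frozenset({"DaController"})),
        Element("A", frozenset({"DaVariant"})),
    ])


if __name__ == "__main__":
    print(check_redundant_structure(slide_example()))  # [] : both constraints hold
    # Constructed counter-example: one element, and it is only a plain DaComponent.
    broken = Package("Package2", frozenset({"DaRedundantStructure"}),
                     [Element("C", frozenset({"DaComponent"}))])
    for violation in check_redundant_structure(broken):
        print(violation)
```

Run stand-alone it prints an empty list for Package1 and two violation lines for the constructed Package2; in a modelling tool the same check would run as a model validation rule before the annotated package is handed to the dependability analysis.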

DAM profile assessment
• Verification of the extensions w.r.t. the information requirement checklist (manual)
• Application of DAM to the examples in the literature and case studies:
– Production cell [Bondavalli et al. (1999)]
– Mail system [D'Ambrogio et al. (2002)]
– Pacemaker [Goseva et al. (2003)]
– Elevator control system [Cortellessa et al. (2004)]
– Message redundancy service [Bernardi et al. (2009)]
– Intrusion tolerant firewall [Bernardi et al. (2009)]

On-going/future work
• Still assessing for completeness and consistency....
• Performability issues
• DAM within UP

Dependability requirement gathering in UP with the MARTE-DAM profile
PaCo Meeting, 25-26/06/09
UNITO Task: Development of a UML profile for dependability analysis
Simona Bernardi, UNITO

Recently completed works
S.Bernardi, J. Merseguer, R.R.Lutz, Reliability and availability requirement engineering with UP and DAM profile. Submitted to ISSRE, 2009.

Outline
• Toward the definition of a methodology for the synergetic use of dependability techniques within the sw development process
• Why the Unified Process (UP)?
– Incremental & iterative: manages risks and handles changes in sw projects better than waterfall models
– Uses UML as its specification language
– Can be customized for different kinds of sw systems/application domains
• UP pays little attention to non-functional reqs
• Several UML profiles exist that help to gather NFPs
– DAM profile for dependability NFPs

Unified Process & requirement workflow (figure)
Phases: Inception, Elaboration, Construction, Transition, spanning iterations It.#1, It.#2, …, It.#i, It.#i+1, …, It.#n, It.#n+1, It.#n+2, …, It.#m, It.#m+1 (the first ones are preliminary iterations)
Workflows: Requirements, Analysis, Design, Implementation, Test
Requirements workflow activities and workers: Find actors & UCs and Structure UC model (System Analyst), Prioritize UCs (Architect), Detail UCs (UC Specifier), Prototype UI (UI Designer)

A running example from the CRUTIAL project (deployment sketch and domain model)
Deployment sketch: WAN and LAN connected through replicated CIS nodes (CIS, CIS, CIS) via hubs
Domain model classes: Message, Host, LAN, WAN, LAN Traffic Replicator, WAN Traffic Replicator, CIS Firewall
Association roles: send/receive (Host, Message), join (2..* CIS Firewall), trusted/untrusted, incoming/outgoing; multiplicities 1..*, 2..*, *

The set of dependability reqs specification techniques
• (Mis)Use cases
• IEEE Std. 830-1998
– IEEE Recommended practice for sw requirements specification
• DAM profile
• Fault Trees

(Mis)Use Cases (diagram)
Actors: Sender, Destination, Attacker (Outside Threat, Inside Threat); system boundary: SCADA
Use cases: CIS PS, PRRW Service; misuse cases: Generation of illegal traffic, Payload corruption
Relationships shown: <<include>> (CIS PS includes PRRW Service), <<threatens>> (Payload corruption threatens CIS PS), and two <<mitigates>> relationships (among them CIS PS mitigates Generation of illegal traffic)
• Use Cases are textual specifications
• Use of templates, like Cockburn's

IEEE 830-1998
• Recommends approaches for sw req specification and describes contents and qualities of a good SRS
• UP Supplementary Spec document inspired by IEEE 830-1998
Example entry: 3.6 Other requirements: (Fault Tolerance) There shall be at least 2f+1 CIS Firewalls to tolerate f concurrent faults

DAM profile
• The DAM profile has been devised to annotate the design; in this work we use it to specify dependability reqs.
• MARTE NFP types make it possible to describe the relevant dependability aspects using properties:
– Value: value/parameter name
– Expr: VSL expression
– Source: origin of the NFP (req, est, msr, assm)
– StatQ: statistical qualifier (mean, min, max, ..)

Fault Trees
● FTs are used to:
– Gather information about the potential contributing causes to threats
– Trace the combination of faults/failures to use and misuse cases
– Explore mitigating strategies for removing identified threats to dependability

Step-by-step process: i-th iteration in the requirement workflow
Input: DM(i-1), UCD(i-1), SS(i-1). Output: DMi, UCDi, SSi
1 Discover new UCs, MUCs and actors: UCDi ← UCD(i-1) ∪ UCnew ∪ MUCnew ∪ ACnew
2 Select UCs to be specified: selUCi ⊆ UCDi
3 Forall uc ∈ selUCi do
  3.1 Specify(uc)
4 Select MUCs related to selUCi: selMUCi ⊆ UCDi
5 Forall muc ∈ selMUCi do
  5.1 Specify(muc)
6 Discover new NFRs: SSi ← SS(i-1) ∪ NFRnew
7 Select a subset of requirements: selNFRi ⊆ SSi
8 Forall nfr ∈ selNFRi do
  8.1 Elaborate(nfr)
9 Restructure UCDi and DMi if necessary

UC specify activity
• Textual description of the UC using Cockburn template
• Dependability reqs from the Special Requirement section
– Application of DAM profile for rewriting them in a standard and disciplined form

CIS PS use case description
UC Name: CIS Protection Service
Scope: SCADA
Main Actors: Sender (computer from the WAN), Receiver (computer of the protected LAN)
Success guarantee: The correct message is eventually delivered; the illegal message is not delivered
Main scenario: A message is sent by Sender to Receiver
1 It arrives at the CIS Firewall
2 Each CIS Firewall checks if it satisfies the security policy and votes
3 The CIS firewalls agree upon a final judgement (majority voting)
4 The message is correct and the CIS Firewall leader forwards it to the Receiver
Alternate scenarios: 4.a The message is illegal, then it is not delivered
Special Reqs: A1. The CIS PS should be available 99.99% of the time; R1. The MTBF shall be at least 6 months
Relationships: CIS PS includes PRRW Service, Payload Corruption threatens CIS PS, CIS PS mitigates Generation of illegal traffic

DAM annotation to CIS PS use case
Actors Sender and Destination; use case <<DaService>> CIS PS with the DAM annotation:
{ssAvail=(value=99.99%,statQ=min,source=req); failure=(MTBF=(value=(6,month),statQ=min,source=req))}
DAM extensions:
– <<stereotype>> DaService: ssAvail: NFP_Percentage[*], failure: DaFailure[*], ...
– <<tupleType>> DaFailure: MTBF: NFP_Duration[*], ...
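A parser for the tuple-style annotations used throughout the deck (the NFP properties value, expr, source and statQ listed on the DAM profile slide, wrapped in nested tuples), as an added Python example; it is not the profile's own tooling, and the grammar is inferred from the annotations on these slides: nested (key=value, …) tuples separated by ';' or ',', $name parameters, bare values such as (6,month), and VSL expressions such as ($n>=2*$f+1). It also rejects an annotation whose parentheses do not balance, the kind of slip that is easy to make when the annotation is typed by hand.

```python
"""Parser for the tuple-style DAM/MARTE annotations used on the slides, e.g.
  ssAvail=(value=99.99%,statQ=min,source=req); failure=(MTBF=(value=(6,month),statQ=min,source=req))
Added example, not the profile's own tooling; the grammar is inferred from the deck."""
import re

_NUMBER = re.compile(r"^-?\d+(\.\d+)?$")


def check_balanced(text: str) -> None:
    """Raise ValueError on unbalanced parentheses (e.g. a tuple left open)."""
    depth = 0
    for i, ch in enumerate(text):
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError(f"unexpected ')' at offset {i}")
    if depth:
        raise ValueError(f"{depth} unclosed '('")


def _split_top_level(text: str) -> list:
    """Split on ',' or ';' that are not inside parentheses."""
    parts, cur, depth = [], [], 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch in ",;" and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def _assign_pos(item: str) -> int:
    """Offset of a top-level assignment '=', ignoring ==, >=, <=, != (as in expr=($n>=2*$f+1))."""
    depth = 0
    for i, ch in enumerate(item):
        depth += (ch == "(") - (ch == ")")
        if ch == "=" and depth == 0:
            prev = item[i - 1] if i > 0 else " "
            nxt = item[i + 1] if i + 1 < len(item) else " "
            if prev not in "<>!=" and nxt != "=":
                return i
    return -1


def _is_wrapped(text: str) -> bool:
    """True when the whole text is one parenthesised group '(' ... matching ')'."""
    if not (text.startswith("(") and text.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(text):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and i < len(text) - 1:
            return False
    return True


def _scalar(text: str):
    """Numbers become int/float; everything else (assm, $R_AVI, 99.99%, month) stays a string."""
    if _NUMBER.match(text):
        return float(text) if "." in text else int(text)
    return text


def _parse_value(text: str):
    text = text.strip()
    return _parse_tuple(text[1:-1]) if _is_wrapped(text) else _scalar(text)


def _parse_tuple(inner: str):
    items = _split_top_level(inner)
    if not any(_assign_pos(it) >= 0 for it in items):
        values = [_parse_value(it) for it in items]      # e.g. (6,month) -> [6, 'month']
        return values[0] if len(values) == 1 else values
    result, last = {}, None
    for it in items:
        pos = _assign_pos(it)
        if pos >= 0:
            last = it[:pos].strip()
            result[last] = _parse_value(it[pos + 1:])
        elif last is not None:
            # bare value after an assignment, as in (value=invalid,omission): extend that key
            prev = result[last]
            result[last] = (prev if isinstance(prev, list) else [prev]) + [_parse_value(it)]
        else:
            raise ValueError(f"positional value {it!r} before any key")
    return result


def parse_annotation(text: str) -> dict:
    """Parse a stereotype annotation, with or without the surrounding {braces}."""
    text = text.strip()
    if text.startswith("{") and text.endswith("}"):
        text = text[1:-1]
    check_balanced(text)
    return _parse_tuple(text.strip().rstrip(";"))


def is_well_formed(text: str) -> bool:
    """True when the annotation parses; False for unbalanced or malformed input."""
    try:
        parse_annotation(text)
        return True
    except ValueError:
        return False
```

Applied to the CIS PS annotation above, ssAvail comes back as the dict {value: '99.99%', statQ: 'min', source: 'req'} and failure.MTBF.value as the list [6, 'month']; the same function handles the pacemaker and fault-generator annotations from the other slides, so the NFP fields (source, statQ) can be checked programmatically, for instance to confirm that every requirement-level annotation carries source=req.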

MUC specify activity
• Textual description of the MUC using Cockburn template
• Threats information from Success guarantee, Main/Alternate scenario and Other Reqs sections
– Application of the DAM profile to characterize faults/failures from both qualitative and quantitative viewpoints
• Fault Trees are used to formally specify UCD relationships
– Among Negative Actor actions and Misuse Case success
– Among Misuse Cases and related Use Case

Payload Corruption MUC description
MUC Name: Payload Corruption
Scope: CIS PS
Main Actors: Attacker: Outside and Inside Threats
Success guarantee: The Payload evaluates as “correct” an illegal message or it evaluates as “illegal” a correct message (FM1), or it is subject to a temporary omission (FM2)
Main Scenario (Outside Threat): The Attacker identifies the WAN traffic replicator as potential target
1 The Attacker sniffs the network traffic
2 The Attacker gets unauthorized access to a host in the LAN
3 The Attacker installs malicious logic in the accessed host
4 The hosted Payload behaves in an unpredicted manner.
Special Reqs: F1. At most f Payloads can be concurrently corrupted; F2. f should be set according to the expected rate of fault occurrence
Relationships: Payload Corruption threatens CIS PS

DAM annotation to Payload Corruption MUC
Actor Attacker; <<DaFaultGenerator>> Payload corruption <<threatens>> <<DaService>> CIS PS
DAM annotation on the misuse case:
{numberOfFaults=(value=$f,statQ=max,source=est/msr); fault=(type=(value=malicious-logic); occurrenceRate=(value=$fr1,statQ=mean,source=est/msr); effect=(domain=(value=invalid,omission)));}
DAM extensions:
– <<stereotype>> DaFaultGenerator: numberOfFaults: NFP_Integer[*], fault: DaFault
– <<tupleType>> DaFault: type: FaultType[*], occurrenceRate: NFP_Frequency[*], effect: DaFailure[*]
– <<tupleType>> DaFailure: domain: Domain[*], ...

Use of FT to formalize MUC-UC relationships (fault tree)
Top event: CIS PS failure, OR of:
– Quorum not reached or wrong judgement: [n/2]+1:n voting gate over the events P1 corrupted, …, Pn corrupted, where each Pi corrupted is the OR of Pi omission (FM2) and Pi invalid (FM1)
– The leader is corrupted (fails to fwd the approved message to Destination): AND of P omission (FM2) and P is the leader
NFR elaboration activity
• Rewriting of further NFR from the SS, related to dependability/fault-tolerance with the DAM profile
– Annotation in the Domain Model/Use Case Diagrams

DAM annotation to the CIS Firewall Domain Model
Same domain model as in the CRUTIAL running example (Message, Host, LAN, WAN, LAN Traffic Replicator, WAN Traffic Replicator, CIS Firewall; roles send/receive, join, trusted/untrusted, incoming/outgoing), with CIS Firewall stereotyped <<DaVariant>> and annotated:
multiplicity=(value=$n,expr=($n>=2*$f+1),source=req);
Source requirement (Supplementary Spec): 3.6 Other requirements: (Fault Tolerance) There shall be at least 2f+1 CIS Firewalls to tolerate f concurrent faults

Conclusions
● The DAM annotated UML artifacts (UCD, DM) provide input for the other UP workflows (design, test, ..) as well as for V&V activities
● Next steps:
– Study of the DAM applicability in the other UP workflows
– V&V activities driven by DAM annotated M(UC)s