[SystemSafety] "Ripple20 vulnerabilities will haunt the IoT landscape for years to come"
Peter Bernard Ladkin
ladkin at causalis.com
Wed Jul 1 17:11:55 CEST 2020
To answer Martyn's question,
it depends upon what stage in development you are at.
If you are programming, it may be that you can avoid unit tests in favor of verification, if you are
using CbyC techniques. If you aren't, then you are in the Beizer/Caner/Tockey-quote situation.
If you have components A and B, developed by different teams, then performing integration tests on
A+B will show you they fit together. One successful test will show you that, but you'll need to
perform more than one to show it wasn't a fluke; that they actually work together more often than
not. This is important if the Spec for A was developed by one team, the Spec for B by another, and
the Spec for (A+B) was derived from a system spec produced by a third. For example, the units
problem on the Mars Climate Orbiter. Units are not something which is settled by any specification
language of which I am aware; there is no theorem prover which will tell you you have a unit issue.
You actually have to set up a suitable test harness, put the bits together and see how they work
together.
Wasn't done for Ariane Flight 501. Should have been. It is hard for me to see how an analysis of the
specification for the Ariane-4-reused component along with the spec for the Ariane 5 is at all
likely to have flagged such a discrepancy.
It is similar with some distributed systems. A major civil-airframe builder discovered it had a
problem with Byzantine failures generated on a critical bus (reported by Kevin D. et al in 1993
Safecomp). After the problem had arisen, it was replicated and analysed through tests, not through
logical analysis of specifications and re-verification that artifacts implemented the specs. Kevin &
colleagues mentioned "slightly out of specification" (SoS) failures. You can't catch those with
theorem-proving from specifications.
Almost all complex control systems have regions of instability. Theoretically, you can find those by
performing some appropriate math. But practically you can't. It is said to be the mark of a good
test pilot that they can find those regions when flying the airplane. Remember the Gripen lost in an
air display over the middle of Stockholm
(I think it was August 1993) - that instability wasn't found until then.
PBL
Prof. Peter Bernard Ladkin, Bielefeld, Germany
Styelfy Bleibgsnd
Tel+msg +49 (0)521 880 7319 www.rvs-bi.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.techfak.uni-bielefeld.de/pipermail/systemsafety/attachments/20200701/ab0f88e3/attachment-0001.sig>
More information about the systemsafety
mailing list