
Towards enhanced system dependability: Integrating safety-threat analysis with functional modeling

Posted on: 2012-11-13
Degree: Ph.D
Type: Dissertation
University: North Dakota State University
Candidate: El Ariss, Omar Aref
Full Text: PDF
GTID: 1458390008992727
Subject: Computer Science
Abstract/Summary:
Software engineers design software with functionality and cost in mind. They usually focus on the operational behavior, while safety and security concerns are neglected or only marginally considered. Safety and security specialists, on the other hand, use tree models such as fault trees and attack trees to perform safety-threat analysis on the system after it has been designed or implemented. These are high-level abstraction models that cannot represent safety and security concerns in a precise and concise way. They are also open to subjective interpretation and cannot represent complex hazards and attacks. As a result, software engineers build software while lacking knowledge of software safety, software security, and their effect on the system. Consequently, design errors, inconsistencies, incompleteness, and missing constraints in system specifications can cause safety hazards or can be exploited by security attacks.

This study introduces a methodology that improves the dependability of software by focusing on its safety and security properties. The proposed approach models the dynamic behavior of hazards and threats modularly, through components and reuse. This focus on the behavior of failure allows software engineers to clearly define and understand safety and security concerns as the application is being designed and developed. The methodology also builds a semantic link with the functional behavior to facilitate the verification and correction of errors and vulnerabilities.

The methodology is composed of two parts: a safety-driven and a threat-driven approach. The safety approach incorporates fault trees into the system specification. The resulting safety model shows how the system behaves when a failure condition occurs. It identifies the effect of one or more malfunctioning components on the system behavior, and it identifies the safety-critical components that are responsible for the failure.

Next, the threat approach integrates attack trees into the system statechart. The resulting threat model specifies which system functionalities were used normally during the attack and which were exploited. Hence, through the integration of both functional and failure behavior, software engineers can clearly define, understand, and correct dependability features as the software is designed.
Keywords/Search Tags: Functional, Software, Safety, System, Behavior, Dependability, Failure