Skip to content

Minutes 23 March 2023

Paul Albertella edited this page Mar 23, 2023 · 1 revision

Host: Paul Albertella Participants: Pete Brink, Daniel Krippner, Igor Stoppa, Raffaele Giannessi, Kate Stewart

Agenda: Continue discussing use of STPA

What features of the OS are we going to use and how are these relevant to safety?

Top down approach is important because it starts from where the actual safety concern exists and works down to the element that we are concerned with.

  • Daniel: Can we make Assumptions of Use at the level of a syscall?
  • Paul: Not at a generic level, but for a specific set of expectations, yes. Would need to state what is important to us with respect to that syscall, but on that basis we could define some AoUs
  • Pete: If we make a syscall, how do we know that it did what it was supposed to do? What if it tells you that it didn’t, but it actually didn’t?

Important to understand the context for the component you are analysing What is it responsible for in this context, and what do we assume or require other components to do?

Used diagram from stack memory study to illustrate this:

https://github.com/elisa-tech/wg-osep/blob/reiterative/stack-memory-stpa/stack-memory/control-structure.dot.png

Daniel: Does this imply that the output of this group is only a process recommendation, not concrete assurances about Linux?

  • Igor: Can at least identify what isn’t safe or reliable
  • Paul: Or identify small ‘points of coherence’ (things that need to be true for all or many contexts) that we can build upon
  • Kate: Agreed - we need to start somewhere!

Igor: Should we consider whether or not Linux is running in a hypervisor context?

  • i.e. Could we assume that we are relying on an external mechanism to provide a level of segregation between applications of different safety integrity levels?
  • Paul: We can consider this as a possible system architecture choice that may be appropriate for a given context and use case, but we shouldn’t always assume it
  • Igor: Hypervisor can simplify some aspects of the problem e.g. to isolate two Linux instances from each other
  • Paul: Motivations for using Linux may make using hypervisor undesirable e.g. Cost, Performance, Use of existing hardware integration and associated software libraries

Next steps:

  • Still need to pick an area / topic for analysis
  • Email the wider list to seek topic areas that people are interested in and/or prepared to contribute requirements / technical domain knowledge about
  • Kate can bring in Linux kernel expertise if required
Clone this wiki locally