Re: [SystemSafety] Autonomous Vehicles and "Hacking" Threats

From: Peter Bernard Ladkin < >
Date: Sun, 23 Nov 2014 11:01:02 +0100

On 2014-11-21 17:38 , Stefan Winter wrote:
> ......
> I had hoped for some better estimate of defect densities ...... The best approximation I
> had come up with so far is the product of "lines of code in a modern car" (100 million for a premium
> car in 2009) and "defect count per line of code in really critical software" (10^-4).....
> If anyone has a better idea or wants to share more accurate numbers, please let me know.

Is your interest strictly automotive, or in gathering information from various sectors? Assuming it's the latter, here is some more info.

The main problem in gathering good statistics, in any sector, is that it mostly has to be hearsay. Companies are loathe to suggest or admit, or even in some cases contemplate, that their critical SW is anything but perfect. For reasons of liability and consumer trust. (I expect the first slide in a business talk about developing client trust to say just one thing: "Earn it!". I am mostly disappointed.)

Banks, for example, are not going to let you know how anything about how buggy or vulnerable their ATM code may be or may have been (see Ross Anderson's writing on the John Munden case in the Risks Form and on his WWW site). I have not yet indulged in on-line banking with my local bank because continuing requests for information about how secure their systems are has been met with promises to have someone contact me, and then silence, for a decade. Even though they had a glitch a few years ago about suspending access because of a code breach that made it onto the front page of the local newspaper, they are unwilling to share information: "Oh, that! That was precaution - none of our customers lost any money." They used to send out by post pseudo-one-time-pads, called TANs. After the "glitch" they abandoned that system. So, I said, that surely shows us there was a structural vulnerability that they couldn't fix, and it's that kind of stuff that concerns me. "Oh, no, we were testing our new system and just thought it was a good time to transition." The new system being one that sends your next pseudo-one-time access code to your mobile phone.

My thoughts on that are as follows. Whatever "glitch" it was, it was not somebody at the post office steaming open envelopes containing the next batch of your numbers. Because they couldn't use them unless they know what your account details are, and what your primary access information is, namely your logon password (they know who you are, of course, from the name and address). So it's something with someone who knows all that information, but who is just lacking the pseudo-one-time-access code. If you can figure out how those are generated, and it's not that random, then you can execute playback attacks quite easily. Ross Anderson and co (again) have a paper on how secure many of the ATM systems with pseudo-one-time-pads around Cambridge actually are (answer: not by any means as much as you might like).

Pre-Internet, someone in an authoritative position to know told me in the mid-1990's that the cost of fraudulent activity in interbank electronic transfer systems was, as he said, higher than my worst guess, whatever that guess might be.

John McDermid and Tim Kelly have a paper from 2006, Software in Safety Critical Systems: Achievement and Prediction (Nuclear Safety 02(03), 2006), available from York's WWW site, in which they have a section Industry Data with subsections Fault Density and Failure Rates, which discuss just that. Here's a version; I don't know if it is identical with the published one wait a mo, here is the published version from John's page:

PBL Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany Tel+msg +49 (0)521 880 7319

The System Safety Mailing List
systemsafety_at_xxxxxx Received on Sun Nov 23 2014 - 11:01:15 CET

This archive was generated by hypermail 2.3.0 : Sat Feb 16 2019 - 08:17:06 CET