Re: [SystemSafety] Analyses of root causes.

From: Martyn Thomas < >
Date: Sat, 27 Jun 2015 11:53:22 +0100


Thanks, Drew, but what I'd really like to find are papers that go into details at the level of "buffer overflow", "untrapped exception", "SQL injection" etc - where the failure to do acceptable software engineering is evident.

Martyn

On 27/06/2015 11:33, Drew Rae wrote:
> Martyn,
>
> Without trying to start an argument likely to go nowhere on this list,
> "most common" is only a question that can be answered with respect to
> attribution rather than cause.
>
> Here's a sample of papers that might fit your requirements.
>
> There's the Lutz 1993 paper "Analyzing software requirements errors in
> safety-critical, embedded systems" that tries to classify software
> errors.
>
> There's a paper by one of my MSc Students Barton & Rae 2012 "Unplugged
> perils, lost hazards and failed mitigations" that tries to classify
> problems in the safety lifecycle based on whether the physical hazard
> was unidentified, or whether it was identified but still led to an
> accident.
>
> There's a series of papers by Chris Johnson and Michael Holloway
> looking at Maritime and Aviation accident reports: e.g. "Distribution
> of Causes in Selected US Aviation Accident Reports between 1996 and 2003"
>
> Of these, the Lutz and Barton papers take a fairly positivist view
> that you can identify the "underlying errors" in hindsight. The Lutz
> paper is a product of its time, and doesn't distinguish between
> categorisation and causation. The Barton paper is a bit more cautious,
> since it focuses on whether things were known, rather than whether
> they should have been known.
>
> The Johnson and Holloway papers are more candid about the fact that
> they can't distinguish patterns in causation from patterns in attribution.
>
> Regards,
> Drew
>
>
>
>
> * This message is from my work email
> * I can also be contacted on andrew_at_xxxxxx
> * My mobile number is 0450 161 361
> * My desk phone is 07 37359764
> * My safety podcast is DisasterCast.co.uk <http://DisasterCast.co.uk>
>
>
>
>
>
> On 27/06/2015, at 8:03 PM, Martyn Thomas wrote:
>
>> Can anyone give me a link to any published analyses that identify the
>> most common underlying errors in software (or systems) engineering
>> that have led to exploitable security vulnerabilities or to
>> safety-related failures?
>>
>> Martyn
>>
>>
>>
>> _______________________________________________
>> The System Safety Mailing List
>> systemsafety_at_xxxxxx
>> <mailto:systemsafety_at_xxxxxx>



The System Safety Mailing List
systemsafety_at_xxxxxx

Received on Sat Jun 27 2015 - 12:53:30 CEST
