This guidebook discusses system assurance by specifically addressing the assurance of security properties throughout the system life cycle. These properties include confidentiality, integrity, availability, authentication, accountability (including non-repudiation), and auditability. It does not address assurance for quality, safety, or dependability, as there are existing documents that address those issues. However, an intelligent adversary may be able to subvert a system’s functionality, quality, safety, or dependability if there is inadequate assurance of security properties.
This guidebook focuses on assurance of the entire system, not merely of specific system elements. Systems are normally composed from many elements—some commercial and some custom—with many different levels of assurance. Some elements may be “high assurance,” meaning that compelling evidence is provided that the element delivers its services in a manner that satisfies certain critical properties (including compelling evidence that there are no software defects that would interfere with those properties). Developing software for high-assurance elements often relies on formal methods, which are rigorous, mathematically based techniques and tools for specifying, designing, and verifying hardware and software systems (Butler 2006), as well as extensive testing. Some elements may be “medium assurance,” meaning that the element has been designed to meet its critical properties, and that significant effort has been expended to detect and address potential failures to meet critical properties (but not to the level of a high-assurance element). The assurance of an entire system depends on some (or all) of the system elements, but assuring specific elements is insufficient—the system must be considered as a whole. System developers may leverage specific high-assurance elements (so others need less assurance), design the system (e.g., by limiting privileges) so that weaknesses in one element will not harm system assurance, or use compensating processes. A systems view is vital for achieving system assurance.
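The systems view described above can be made concrete with a small composition model. The following is an added example, not code from the guidebook: it models elements with an assurance level and a set of runtime privileges, maps each privilege to the critical properties it could undermine if misused, and shows that a property's assurance is bounded by the least-assured element able to affect it, so that limiting a medium-assurance element's privileges removes it from the path to a critical property. The element names, privileges, and privilege-to-property mapping are constructed for illustration.

```python
"""Added example (not from the guidebook): why assuring individual elements
is insufficient, and how limiting privileges contains a weaker element.
All element names, privileges and property mappings are constructed."""

from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Element:
    name: str
    assurance: Assurance
    privileges: frozenset  # privileges the element holds at runtime


# Constructed mapping: which critical property each privilege could violate
# if the element holding it fails or is subverted.
PRIVILEGE_THREATENS = {
    "write_audit_log": {"auditability", "accountability"},
    "read_customer_db": {"confidentiality"},
    "write_customer_db": {"integrity"},
    "bind_network": {"availability"},
    "parse_input": set(),
}


def properties_at_risk(element: Element) -> set:
    """Critical properties that a failure of this single element could violate."""
    risk = set()
    for priv in element.privileges:
        risk |= PRIVILEGE_THREATENS.get(priv, set())
    return risk


def system_exposure(elements, min_assurance=Assurance.HIGH) -> dict:
    """Map each critical property to the elements below `min_assurance`
    that could violate it. An empty set means the property rests only on
    elements at or above the required level."""
    all_props = set().union(*PRIVILEGE_THREATENS.values())
    exposure = {prop: set() for prop in all_props}
    for elem in elements:
        if elem.assurance < min_assurance:
            for prop in properties_at_risk(elem):
                exposure[prop].add(elem.name)
    return exposure


def weakest_link(elements, prop: str) -> Assurance:
    """A property's assurance is bounded by the least-assured element that
    can affect it; a property no element can affect keeps the top level."""
    levels = [e.assurance for e in elements if prop in properties_at_risk(e)]
    return min(levels) if levels else Assurance.HIGH


# Constructed system: a high-assurance reference monitor plus a
# medium-assurance commercial input parser, in two privilege configurations.
MONITOR = Element("reference_monitor", Assurance.HIGH,
                  frozenset({"write_audit_log", "read_customer_db",
                             "write_customer_db"}))
OVERPRIVILEGED_PARSER = Element("input_parser", Assurance.MEDIUM,
                                frozenset({"parse_input", "write_customer_db"}))
CONFINED_PARSER = Element("input_parser", Assurance.MEDIUM,
                          frozenset({"parse_input"}))


def compare_designs():
    """Exposure of each critical property before and after confining the parser."""
    before = system_exposure([MONITOR, OVERPRIVILEGED_PARSER])
    after = system_exposure([MONITOR, CONFINED_PARSER])
    return before, after


if __name__ == "__main__":
    before, after = compare_designs()
    print("overprivileged parser:", {k: sorted(v) for k, v in before.items() if v})
    print("confined parser:      ", {k: sorted(v) for k, v in after.items() if v})
    print("integrity bound before:",
          weakest_link([MONITOR, OVERPRIVILEGED_PARSER], "integrity").name)
    print("integrity bound after: ",
          weakest_link([MONITOR, CONFINED_PARSER], "integrity").name)
```

In the first configuration the parser holds `write_customer_db`, so the integrity property is only medium-assured even though the reference monitor is high-assurance; removing that privilege from the parser leaves integrity resting solely on the high-assurance element, which is the "limiting privileges" design choice the text describes.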