Experimental Physics and
| |||||||||||||||||
|
> Is it your position that any software that has been demonstrated to be
“safe” for use in mitigating risks to personnel health and safety is
also safe from external vulnerabilities due to the development process? Yes, but you have to be careful to account for the scope of what was demonstrated. We verified that the input-output behavior of the EPICS database record types we used in our application conformed to their descriptions in the EPICS Record Reference Manual (RRM). Our verification would have detected discrepancies between EPICS behavior and the RRM arising from any cause. We were worried about undiscovered coding errors in EPICS (or writing errors in the RRM), but the verification would also have detected discrepancies caused by malicious tampering. > However
the verification process you are
referring to seems like it is highly dependent on the specific
application and specific integration of otherwise established code. Yes it was. The properties we verified were carefully chosen and limited to just those we needed to ensure the safety and correctness of our particular application. And, our application was carefully designed so that its safety and correctness depended on a limited number of properties that we expected would be feasible to verify. So we only used some (but not all) EPICS record types, we didn't use the EPICS state machine, we didn't use subroutine records or any custom coding in records, etc. I believe it is not meaningful to make statements like "EPICS is safe" or "EPICS is secure". EPICS is a large collection of components that can be used in many ways. You can only investigate whether a particular EPICS application -- a selected subset of EPICS components programmed to behave in a particular way, running in a particular environment, for a particular purpose -- is safe or secure. For example, on tech-talk Joshua Einstein-Curtis wrote, " formally verified code does not mean the communication network between meets the same level of safety." That is correct. We designed our system so the safety requirements were met by an EPICS program (database composed of the record types we verified) running on a single IOC, without depending on the EPICS Channel Access (CA) network protocol. This was a deliberate design decision made (in part) so we would not need to verify CA. -- Jon Jacky
| ||||||||||||||||
ANJ, 12 Jul 2023 |
·
Home
·
News
·
About
·
Base
·
Modules
·
Extensions
·
Distributions
·
Download
·
· Search · EPICS V4 · IRMIS · Talk · Bugs · Documents · Links · Licensing · |