partly resolve #32: add criticalities and grammar to support it
BenGardiner committed May 9, 2022
1 parent a7c6b2c commit c73e628
Showing 1 changed file with 65 additions and 0 deletions.
65 changes: 65 additions & 0 deletions 01_gateways.sdoc
@@ -1,6 +1,47 @@
[DOCUMENT]
TITLE: Vehicle Network Gateway Devices Security Requirements

[GRAMMAR]
ELEMENTS:
- TAG: REQUIREMENT
FIELDS:
- TITLE: UID
TYPE: String
REQUIRED: True
- TITLE: LEVEL
TYPE: String
REQUIRED: False
- TITLE: STATUS
TYPE: String
REQUIRED: False
- TITLE: TAGS
TYPE: String
REQUIRED: False
- TITLE: REFS
TYPE: String
REQUIRED: False
- TITLE: TITLE
TYPE: String
REQUIRED: False
- TITLE: STATEMENT
TYPE: String
REQUIRED: False
- TITLE: RATIONALE
TYPE: String
REQUIRED: False
- TITLE: COMMENT
TYPE: String
REQUIRED: False
- TITLE: PUB_REFS
TYPE: String
REQUIRED: False
- TITLE: VERIFICATION
TYPE: String
REQUIRED: False
- TITLE: CRITICALITY
TYPE: String
REQUIRED: False

[FREETEXT]
This document captures security requirements for vehicle network gateway devices: both devices intended to be gateways and those devices which *could be a gateway* (due to malicious code).

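Review bot: the new CRITICALITY field is declared as a free-form String with REQUIRED: False, yet every requirement touched by this commit uses only the values High and Medium; consider constraining the field to that value set (if the grammar supports an enumerated field type) or at least documenting the permitted levels and what each one means in the [FREETEXT] block that follows the grammar, since nothing on the page explains how High differs from Medium or what an absent CRITICALITY implies. Setting REQUIRED: True would also catch requirements added later without a rating.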
Expand Down Expand Up @@ -67,21 +108,25 @@ The following requirements must be satisfied by any device intended to be a gate
UID: AGW-S-000
TITLE: Gateway Configuration Protected
STATEMENT: The device SHALL accept and react only to configuration changes which are correctly authorized and authenticated, regardless of origin of network domain.
CRITICALITY: High

[REQUIREMENT]
UID: AGW-S-001
TITLE: Prevents OTA
STATEMENT: The device SHALL prevent Over The Air updates (OTA) (including parameter flash) from *UND* to *TND*, unless with explicitly authorized and authenticated configuration changes via the mode switch.
CRITICALITY: High

[REQUIREMENT]
UID: AGW-S-002
TITLE: Prevents DoS
STATEMENT: The device SHALL prevent generating Denial of Service (DoS) on *TND* from messages originating on *UND*.
CRITICALITY: High

[REQUIREMENT]
UID: AGW-S-003
TITLE: Prevents Spoofing
STATEMENT: The device SHALL prevent spoofing/masquerading/injection onto *TND*
CRITICALITY: High

[REQUIREMENT]
UID: AGW-S-004
Expand All @@ -94,26 +139,31 @@ The device SHALL prevent exfiltration of data from *TND* to *UND*, or vice-versa

<<<
TAGS: CONTAINS_OPTIONS
CRITICALITY: High

[REQUIREMENT]
UID: AGW-S-005
TITLE: Prevents Elevation
STATEMENT: The device SHALL prevent abuse of *TND* network domain functionality from *UND* to *TND*, unless with explicitly authorized and authenticated configuration changes via the mode switch.
CRITICALITY: High

[REQUIREMENT]
UID: AGW-S-006
TITLE: Prevents Data Loss
STATEMENT: The device SHALL prevent all data loss and/or corruption of information in the bidirectional *UND* ↔ *TND* operation, unless with explicit configuration for rate limiting (AGW-F-006) or translation (AGW-F-002).
CRITICALITY: High

[REQUIREMENT]
UID: AGW-S-007
TITLE: Preserves High Side Operation
STATEMENT: The device SHALL prevent degradation of any *TND* operation due to *UND* activity.
CRITICALITY: High

[REQUIREMENT]
UID: AGW-S-008
TITLE: Security Assurance
STATEMENT: These devices SHALL satisfy a comprehensive set of product security requirements to yield high assurance of correct operation in the face of adversarial inputs to the device.
CRITICALITY: High

[REQUIREMENT]
UID: AGW-S-009
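Review bot: AGW-S-004 carries TAGS: CONTAINS_OPTIONS and now a single CRITICALITY: High; it is not stated whether the rating applies to the requirement as a whole or to each of the options it contains, so a one-line COMMENT clarifying that would help anyone deriving verification priorities from the field.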
Expand All @@ -122,6 +172,7 @@ REFS:
VALUE: AGW-S-007
TITLE: Preserves Performance
STATEMENT: The device SHALL be scoped to sufficient detail to preserve network domain performance guarantees in *TND*.
CRITICALITY: Medium

[REQUIREMENT]
UID: AGW-S-010
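Review bot: AGW-S-009 is rated Medium while the requirement it references (REFS VALUE: AGW-S-007) is rated High in the hunk above; a derived requirement rated below its parent is not necessarily wrong, but a RATIONALE line stating why preserving *TND* performance guarantees is less critical than preventing degradation of *TND* operation would make the downgrade deliberate rather than accidental.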
Expand All @@ -141,11 +192,13 @@ The device SHALL have a means to temporarily disable the preventions listed prev

<<<
TAGS: CONTAINS_OPTIONS
CRITICALITY: High

[REQUIREMENT]
UID: AGW-S-011
TITLE: Mode Switch Indicated
STATEMENT: The device SHALL indicate to all domains that it is not performing normal operations.
CRITICALITY: Medium

[SECTION]
TITLE: Security Requirements for CAN Gateways
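Review bot: AGW-S-011 (Mode Switch Indicated) is rated Medium while AGW-S-010, the mode switch that temporarily disables the preventions, is rated High; since the indication is what lets the other domains know that the protections are off, consider rating it High as well, or record the reason for the difference in a RATIONALE field.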
Expand All @@ -161,6 +214,7 @@ REFS:
VALUE: AGW-S-009
TITLE: Performant
STATEMENT: The device SHALL process and move CAN frames quickly enough to preserve performance on all network domains.
CRITICALITY: Medium

[SECTION]
TITLE: Preserves Atomic Multicast: CGW-S-005* Series
Expand All @@ -176,6 +230,7 @@ REFS:
VALUE: AGW-S-007
TITLE: Won't Drop Frames
STATEMENT: The device SHALL NOT drop CAN frames in its bidirectional *UND* ↔ *TND* operation, unless with explicit configuration for rate limiting (AGW-F-006) or translation (AGW-F-002)
CRITICALITY: High

[REQUIREMENT]
UID: CGW-S-005b
Expand All @@ -184,6 +239,7 @@ REFS:
VALUE: AGW-S-007
TITLE: No Priority Inversion
STATEMENT: The device SHALL schedule egress frames according to the CAN arbitration ID priority in it bidirectional *UND* ↔ *TND* operation, to prevent priority inversion.
CRITICALITY: High

[REQUIREMENT]
UID: CGW-S-005c
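Review bot: style, while touching this requirement: the STATEMENT of CGW-S-005b reads "in it bidirectional *UND* ↔ *TND* operation"; "it" should be "its".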
Expand All @@ -192,6 +248,7 @@ REFS:
VALUE: AGW-S-007
TITLE: Preserves Ordering
STATEMENT: The device SHALL preserve ordering egress frames wrt their ingress order within an equivalence class of CAN arbitration ID priorities, to prevent out-of-order delivery.
CRITICALITY: High

[REQUIREMENT]
UID: CGW-S-005d
Expand All @@ -200,6 +257,7 @@ REFS:
VALUE: AGW-S-007
TITLE: FIFO but Also Priority
STATEMENT: The device SHALL schedule egress for in-order send but not across CAN arbitration ID priorities.
CRITICALITY: High

[REQUIREMENT]
UID: CGW-S-005e
Expand All @@ -208,6 +266,7 @@ REFS:
VALUE: AGW-S-007
TITLE: Preserves Jitter
STATEMENT: The device SHALL have ingress-to-egress latency variability (jitter) low enough to not affect the *TND* network domain performance requirements in the worst case.
CRITICALITY: Medium

[/SECTION]

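Review bot: CGW-S-005e (Preserves Jitter) is the only member of the CGW-S-005 series rated Medium, although all five reference AGW-S-007 (High) and its STATEMENT ties jitter to worst-case *TND* performance requirements; either the rating should match its siblings or a RATIONALE should explain why excess jitter is less critical than dropped frames, priority inversion or reordering.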
Expand All @@ -218,6 +277,7 @@ REFS:
VALUE: AGW-S-002
TITLE: Impervious to Address Claim Attacks
STATEMENT: The device SHALL not be susceptible to address claim attacks.
CRITICALITY: High

[/SECTION]

Expand All @@ -234,6 +294,7 @@ Security requirements that must be satisfied by any device which *could be* a ga
UID: NGW-S-001
TITLE: Security Assurance
STATEMENT: These devices SHALL satisfy a comprehensive set of product security requirements to yield high assurance of correct operation in the face of adversarial inputs to the device.
CRITICALITY: High

[SECTION]
TITLE: Prevents Gateway Functions
Expand All @@ -245,6 +306,7 @@ REFS:
VALUE: NGW-S-001
TITLE: Won't Transport
STATEMENT: These devices SHALL NOT transport/'move' information between two separate network 'domains,' in either bidirection.
CRITICALITY: High

[REQUIREMENT]
UID: NGW-S-003
Expand All @@ -253,6 +315,7 @@ REFS:
VALUE: NGW-S-001
TITLE: Won't Translate
STATEMENT: These devices SHALL NOT translate/transform the information between the separate network domains.
CRITICALITY: High

[REQUIREMENT]
UID: NGW-S-004
Expand All @@ -261,6 +324,7 @@ REFS:
VALUE: NGW-S-001
TITLE: Won't Filter, Drop or Rate Limit
STATEMENT: These devices SHALL NOT select which information is transported and/or translated between the network domains.
CRITICALITY: High

[REQUIREMENT]
UID: NGW-S-005
Expand All @@ -269,6 +333,7 @@ REFS:
VALUE: NGW-S-001
TITLE: Won't Encapsulate
STATEMENT: These devices SHALL NOT encapsulate information as it is transported and/or translated between the network domains.
CRITICALITY: High

[/SECTION]


0 comments on commit c73e628