This document discusses security and safety requirements for Intel systems. It describes performing threat analysis and risk assessment (TARA) along with hazard analysis and risk assessment (HARA) to define security and safety goals. Additionally, it proposes adding security mechanisms such as checking for file tampering and application trust when monitoring graphics systems to protect against threats.
Functional Safety and Security process alignment
1. Intel Confidential 1
Safety/Security Requirements Flow

Functional Safety Flow:
1. Definition of concept
2. Safety scope and definition
3. Hazard Analysis and Risk Assessment (HARA)
4. Safety requirements

Security Flow:
5. Definition of security environment
6. Threat Analysis and Risk Assessment (TARA)
7. Security objectives
8. Security requirements

Unified Flow:
9. Overall Hazard and Risk Analysis
10. Safety/Security requirements
11. Safety/Security requirements allocation
HARA and TARA Done Together

[TARA diagram: the entities Threat, Security Goal, Asset, Owner, Attacker, Malicious Action, Attack Potential and Point of Attack, linked by the relations "with regard to", "with risk of", "has a value for", "has", "for execution of", "reduced by" and "performed at".]

HARA steps:
1. Define the safety item
2. Determine features to realize the safety item
3. Determine malfunctions of functions
4. Determine operational scenarios
5. Identify possible hazards (effects)
6. Evaluate the ASIL and determine the safety goals
Graphics Fail-Safe Step By Step
1. Monitor parses configuration file for checking criteria
2. Cluster app requests Screen to display a symbol
3. Cluster app requests Monitor to check the rendered symbol
4. Monitor retrieves the framebuffer from Screen
5. Monitor performs checking according to criteria from (1)
6. Monitor notifies the cluster app of the checking results
7. Cluster app decides the course of action
Security Mechanism to Protect Graphics
1. Monitor parses configuration file for checking criteria (Was the file tampered with? Is the monitor trusted?)
2. Cluster app requests Screen to display a symbol (Does the application run in a trusted sandbox? Is the application trusted?)
3. Cluster app requests Monitor to check the rendered symbol
4. Monitor retrieves the framebuffer from Screen
5. Monitor performs checking according to criteria from (1)
6. Monitor notifies the cluster app of the checking results
7. Cluster app decides the course of action

Security questions raised by the flow:
- Does the application trust the message?
- Was the configuration file tampered with?
- Is the application trusted?
- Is the monitor trusted?
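The two step-by-step flows above (fail-safe checking and the security mechanism layered on it) can be modelled end to end. The following is an added example written for this page, not Intel's code: the configuration file and the Monitor's result message each carry an HMAC so that a tampered file is rejected before it is parsed and the cluster app can decide whether to trust the message; a per-request nonce rejects replayed results. The key names, the JSON message layout, the toy framebuffer and the 3x3 "warning" bitmap are all constructed assumptions; a real design would hold the keys in a TEE or secure element and check the application's sandbox separately.

```python
# Added example (not Intel's code): a toy model of the graphics fail-safe flow
# with the security checks from the slide. Key names, the message format and
# the bitmap "symbol" are assumptions made for illustration.
import hashlib
import hmac
import json

# Constructed keys. A production design would keep these in a TEE or secure
# element so that "Is the monitor trusted?" reduces to "who holds the key?".
CONFIG_KEY = b"constructed-config-signing-key"
MESSAGE_KEY = b"constructed-monitor-message-key"

def _mac(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal(obj, key):
    """Attach a MAC to a JSON-serialisable object (used for config and messages)."""
    body = json.dumps(obj, sort_keys=True)
    return {"body": body, "mac": _mac(key, body.encode())}

def open_sealed(sealed, key):
    """Verify the MAC before parsing; a tampered body never reaches json.loads."""
    if not hmac.compare_digest(_mac(key, sealed["body"].encode()), sealed["mac"]):
        raise ValueError("integrity check failed")
    return json.loads(sealed["body"])

def region_digest(fb, x, y, w, h):
    """Hash the pixels of one framebuffer region (grayscale ints 0..255)."""
    data = bytes(fb[y + j][x + i] for j in range(h) for i in range(w))
    return hashlib.sha256(data).hexdigest()

class Screen:
    """Toy framebuffer: 8 rows x 16 columns of grayscale values."""
    def __init__(self):
        self.fb = [[0] * 16 for _ in range(8)]
    def display(self, x, y, bitmap):
        for j, row in enumerate(bitmap):
            self.fb[y + j][x:x + len(row)] = row
    def framebuffer(self):
        return [row[:] for row in self.fb]

class Monitor:
    def __init__(self, signed_config):
        # Step 1: parse criteria, rejecting a tampered configuration file.
        self.criteria = open_sealed(signed_config, CONFIG_KEY)["symbols"]
    def check(self, screen, name, nonce):
        # Steps 4-6: read the framebuffer, compare the region digest, sign the result.
        x, y, w, h = self.criteria[name]["region"]
        ok = region_digest(screen.framebuffer(), x, y, w, h) == self.criteria[name]["digest"]
        return seal({"symbol": name, "nonce": nonce, "ok": ok}, MESSAGE_KEY)

class ClusterApp:
    def __init__(self, screen, monitor):
        self.screen, self.monitor, self.nonce = screen, monitor, 0
    def show(self, name, x, y, bitmap, corrupt=False):
        self.screen.display(x, y, bitmap)                 # step 2
        if corrupt:                                       # simulate a rendering fault
            self.screen.fb[y][x] ^= 0xFF
        self.nonce += 1
        msg = self.monitor.check(self.screen, name, self.nonce)   # step 3
        return self.decide(msg)
    def decide(self, msg):
        # Step 7: trust the message only if the MAC verifies and it answers our request.
        result = open_sealed(msg, MESSAGE_KEY)
        if result["nonce"] != self.nonce:
            raise ValueError("stale or replayed check result")
        return "keep" if result["ok"] else "fallback"

# Constructed 3x3 tell-tale symbol and a configuration carrying its reference digest.
WARNING = [[255, 255, 255], [255, 0, 255], [255, 255, 255]]
REFERENCE = Screen()
REFERENCE.display(2, 1, WARNING)
CONFIG = seal({"symbols": {"warning": {
    "region": [2, 1, 3, 3],
    "digest": region_digest(REFERENCE.framebuffer(), 2, 1, 3, 3)}}}, CONFIG_KEY)

def run_scenarios():
    """Exercise the flow once per failure mode; returns the outcome of each."""
    out = {}
    app = ClusterApp(Screen(), Monitor(CONFIG))
    out["intact"] = app.show("warning", 2, 1, WARNING)
    out["corrupted"] = app.show("warning", 2, 1, WARNING, corrupt=True)
    # Attacker edits the checking region in the config without the signing key.
    tampered = {"body": CONFIG["body"].replace("[2, 1, 3, 3]", "[0, 0, 1, 1]"), "mac": CONFIG["mac"]}
    try:
        Monitor(tampered)
        out["tampered_config"] = "accepted"
    except ValueError:
        out["tampered_config"] = "rejected"
    # Attacker forges an "ok" result under a key the cluster app does not share.
    forged = seal({"symbol": "warning", "nonce": app.nonce, "ok": True}, b"attacker-key")
    try:
        app.decide(forged)
        out["forged_message"] = "accepted"
    except ValueError:
        out["forged_message"] = "rejected"
    # A genuine but stale result, answering an earlier request, is replayed.
    stale = app.monitor.check(app.screen, "warning", app.nonce - 1)
    try:
        app.decide(stale)
        out["replayed"] = "accepted"
    except ValueError:
        out["replayed"] = "rejected"
    return out

if __name__ == "__main__":
    print(run_scenarios())
```

The digest comparison is the fail-safe check itself; the MACs and the nonce are the security mechanism that lets each side answer "is the file / the monitor / the message trusted?" without trusting the other component's process boundary.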