[SystemSafety] Analyses of root causes.

Martyn Thomas martyn at thomas-associates.co.uk
Sat Jun 27 12:53:22 CEST 2015


Thanks, Drew, but what I'd really like to find are papers that go into
details at the level of "buffer overflow", "untrapped exception", "SQL
injection", etc. - where the failure to do acceptable software engineering
is evident.

Martyn

On 27/06/2015 11:33, Drew Rae wrote:
> Martyn,
>
> Without trying to start an argument likely to go nowhere on this list,
> "most common" is only a question that can be answered with respect to
> attribution rather than cause.
>
> Here's a sample of papers that might fit your requirements.
>
> There's the Lutz 1993 paper "Analyzing software requirements errors in
> safety-critical, embedded systems" that tries to classify software
> errors.
>
> There's a paper by one of my MSc students, Barton & Rae 2012 "Unplugged
> perils, lost hazards and failed mitigations", that tries to classify
> problems in the safety lifecycle based on whether the physical hazard
> was unidentified, or whether it was identified but still led to an
> accident.
>
> There's a series of papers by Chris Johnson and Michael Holloway
> looking at Maritime and Aviation accident reports: e.g. "Distribution
> of Causes in Selected US Aviation Accident Reports between 1996 and 2003"
>
> Of these, the Lutz and Barton papers take a fairly positivist view
> that you can identify the "underlying errors" in hindsight. The Lutz
> paper is a product of its time, and doesn't distinguish between
> categorisation and causation. The Barton paper is a bit more cautious,
> since it focuses on whether things were known, rather than whether
> they should have been known.
>
> The Johnson and Holloway papers are more candid about the fact that
> they can't distinguish patterns in causation from patterns in attribution.
>
> Regards,
> Drew
>
> * This message is from my work email
> * I can also be contacted on andrew at ajrae.com <mailto:andrew at ajrae.com>
> * My mobile number is 0450 161 361
> * My desk phone is 07 37359764
> * My safety podcast is DisasterCast.co.uk <http://DisasterCast.co.uk>
>
> On 27/06/2015, at 8:03 PM, Martyn Thomas wrote:
>
>> Can anyone give me a link to any published analyses that identify the
>> most common underlying errors in software (or systems) engineering
>> that have led to exploitable security vulnerabilities or to
>> safety-related failures?
>>
>> Martyn
>>
>> _______________________________________________
>> The System Safety Mailing List
>> systemsafety at TechFak.Uni-Bielefeld.DE
>> <mailto:systemsafety at TechFak.Uni-Bielefeld.DE>
>
