nmfta-repo / vcr-experiment Goto Github PK

part of #33

the strictdoc dev, Stanislav, infomed us that the heuristic for detecting multi-line fields is going to change: soon all fields above TITLE in the grammar will be single-line and all those below will be multi-line strictdoc-project/strictdoc#1210 (comment)

For our grammar that means moving the following up to above TITLE in

• TAGS
• CRITICALITY
• CATEGORY

Executing these changes will put diffs all over the files to re-order the fields. Because we still have #53 in-flight we will need to wait until that is merged before we can safely do this change. @jmaag15 that's a ++ to do a review there please 🙏

All of the requirements:

CGW-S-006 Won't Drop Frames
CGW-S-007 No Priority Inversion
CGW-S-008 Preserves Ordering
CGW-S-009 FIFO but Also Priority
CGW-S-010 Preserves Jitter

must be satisfied to in turn satisfy CGW-S-005 Preserves Atomic Multicast. Should these be composite requirements or children?

and include a download link from the docs

AGW-S-008 is a child of NGW-F-001 -- so is NGW-S-001 which makes sense. But where should the Abstract GW AGW-S-008 security assurance requirement be rooted? Perhaps AGW-S-005 Prevents Elevation ?

we agreed to use the TND and UND acronyms when referring to the trusted/untrusted / trustworthy/un and inside/outside domains. But we should probably define what is expected of those domains so that fleets and OEM can evaluate applicability of the requirements.

part of #33

related to #16: AGW-F-003 is a currently a composite requirement that needs to have all of it's component requirements satisfied. Whereas the other composite requirements need to have one of their component requirements satisfied.

The requirements here use the parent ref to indicate that the child requirement 'replaces' the parent requirement in a more specific context.

That should be captured in the intro to subsections for these more specific contexts e.g. Security Requirements for CAN Gateways

rewrite or masking can be used to prevent exfil in systems other than CAN. It is also one of the ways to prevent exfil alongside encryption which is what AGW-F-005 will be moved to (see issue #5 )

since there is no way to model composite requirements in ReqIF (nor in requirements management tools strictdoc-project/strictdoc#630 (reply in thread)) the use of them should be avoided here

Rate limiting is 'a means' of filtering but doesn't replace the filters requirement. This is probably better modeled as a composite requirement rather than parent-child.

AGW-F-005 Protect Confidentiality is the child of AGW-F-004. This is perhaps a security requirement in the functional requirements section. Should it move to security requirements and keep the same parent? OR is the protection of confidentiality of vehicle data (for the fleet) a functional requirement of the gateway and this is correctly rooted?

from @jmaag15 in #36

consider: can an intentional gateway move information from a TND to another TND (while not attached to an UND )? Have we covered that use case in these requirements?

To make it clearer what ISN'T PERMITTED of "Devices NOT Intended to be a Gateway" : take each of AGW-F- requirements and list them as composite members of NGW-F-011

The CGW-S-100 Impervious to Address Claim Attacks under AGW-S-002 Prevents DoS seems like the correct rooting of the requirement and prevention of that attack is desirable. I think the presence of this single attack in the set of requirements needs to be abstracted OR we need to complete the set of attacks under CAN.

part of #33

There's nothing about this requirement that is CAN specific. It should be an Abstract (Intended) Gateway (AGW-S-) security requirement

We're producing a set of security requirements so the functional requirements are out of place.

Articulating them helped us define what security assurances are required to prevent unwanted actions by unintended gateways.

It could also help by making the definition of a gateway clearer -- which will help in https://github.com/nmfta-repo/nmfta-vehicle_cybersecurity_requirements when fleets need to assign classes to devices.