Threat analysis for hardware and software products using HazOP

CIS'09 Proceedings of the international conference on Computational and information science 2009(2009)

Cited by 25 | Views 5
Abstract
These days, hardware and software products must be designed with security in mind, and threat modeling is a fundamental step towards properly securing sensitive areas of a system. Identifying all relevant threats, however, is not an easy task. Even though use cases may be properly documented and routinely used during the development cycle to elicit functional requirements, non-functional requirements such as security are often neglected, both because new functionality takes priority over other aspects of the product and because analyzing and planning for the unexpected is complex. Better methods are necessary to protect computing technologies whose complexity and attack surface keep expanding with every added feature. In the field of process safety, a variety of techniques have emerged to assess and mitigate risk. Since the domains of safety and security share many similarities, various authors have suggested that safety techniques might find application in computer security; the actual applicability of these techniques to existing technologies, however, had yet to be demonstrated. This paper takes one such technique, HazOp, and applies it to Intel hardware and software, shedding light on the mechanization of use-case-based threat analysis. It shows how HazOp can be employed on a diverse range of technologies to correctly identify deviations from use cases that may represent a violation of the product's security objectives. We document the advantages of this method over more traditional ones with regard to efficiency, extensibility and efficacy. The reader will also learn how to apply and, potentially, adapt HazOp to accelerate the discovery of system threats as well as the derivation of test scenarios for security evaluation.
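The abstract describes HazOp as a way to mechanically derive deviations from documented use-case steps and turn them into security test scenarios. The following added example (written for this page, not code from the paper or from Intel) shows the core of that mechanization: each use-case step is modelled as an actor, an action and an object with a few attributes, and the standard HazOp guide words (NO, MORE, LESS, AS WELL AS, PART OF, REVERSE, OTHER THAN, EARLY, LATE) are applied to every attribute they can sensibly qualify. The mapping of guide words to attribute kinds and the sample firmware-update use case are this example's own assumptions; the output is a list of candidate deviations that a reviewer then judges against the product's security objectives.

```python
"""HazOp-style deviation enumeration over use-case steps (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Standard HazOp guide words, each paired with the attribute kinds it can
# sensibly qualify. The pairing is this example's own choice, not the paper's.
GUIDE_WORDS: Dict[str, List[str]] = {
    "NO":         ["action", "quantity", "source", "destination"],
    "MORE":       ["quantity", "timing"],
    "LESS":       ["quantity", "timing"],
    "AS WELL AS": ["action", "destination"],
    "PART OF":    ["action", "quantity"],
    "REVERSE":    ["order", "direction"],
    "OTHER THAN": ["action", "source", "destination"],
    "EARLY":      ["timing"],
    "LATE":       ["timing"],
}


@dataclass
class UseCaseStep:
    step_id: str
    actor: str
    action: str
    obj: str
    # Further attribute kinds (source, destination, quantity, order, timing, ...)
    attributes: Dict[str, str] = field(default_factory=dict)

    def all_attributes(self) -> Dict[str, str]:
        """The action itself is an attribute that guide words can qualify."""
        return {"action": self.action, **self.attributes}


@dataclass
class Deviation:
    step_id: str
    guide_word: str
    attribute: str
    expected: str
    description: str

    def test_scenario(self) -> str:
        """Turn the deviation into a one-line security test scenario."""
        return (f"[{self.step_id}] Exercise '{self.guide_word} {self.attribute}': "
                f"drive the step with {self.attribute} other than '{self.expected}' "
                f"and confirm the security objective still holds.")


def deviations_for(step: UseCaseStep) -> List[Deviation]:
    """Apply every applicable guide word to every attribute of one step."""
    attrs = step.all_attributes()
    found: List[Deviation] = []
    for guide_word, kinds in GUIDE_WORDS.items():
        for kind in kinds:
            if kind not in attrs:
                continue  # guide word does not apply to this step
            found.append(Deviation(
                step_id=step.step_id,
                guide_word=guide_word,
                attribute=kind,
                expected=attrs[kind],
                description=(f"{guide_word} {kind}: {step.actor} {step.action} "
                             f"{step.obj}, but {kind} deviates from '{attrs[kind]}'"),
            ))
    return found


def analyze(steps: List[UseCaseStep]) -> List[Deviation]:
    """Run the guide-word pass over a whole use case."""
    return [d for step in steps for d in deviations_for(step)]


def count_by_guide_word(devs: List[Deviation]) -> Dict[str, int]:
    """Summary useful for judging coverage of the analysis."""
    counts: Dict[str, int] = {}
    for d in devs:
        counts[d.guide_word] = counts.get(d.guide_word, 0) + 1
    return counts


# Constructed sample use case (not from the paper): a signed firmware update.
FIRMWARE_UPDATE = [
    UseCaseStep("UC1-1", "update agent", "sends", "firmware image",
                {"source": "vendor update server", "destination": "platform",
                 "quantity": "one image"}),
    UseCaseStep("UC1-2", "platform", "verifies", "image signature",
                {"order": "before applying the image", "timing": "at next boot"}),
]

if __name__ == "__main__":
    for dev in analyze(FIRMWARE_UPDATE):
        print(dev.description)
        print("   ", dev.test_scenario())
```

Each deviation is a prompt for the reviewer, not a confirmed threat: "REVERSE order" on step UC1-2, for instance, asks whether the image could be applied before its signature is verified, and the generated test scenario is what an evaluator would then try to exercise. Restricting each guide word to the attribute kinds it can qualify keeps the list short enough to review, which is the efficiency gain the abstract claims over unstructured brainstorming.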
Keywords
security share multiple similarity, software product, intel hardware, safety technique, security objective, computer security, security evaluation, system threat, threat analysis, relevant threat, process safety, software security, hazop, hardware security, threat modeling