SysML Model Transformation for Safety and Security (Florian Lugou et al.), PowerPoint PPT Presentation



SLIDE 1

SysML Model Transformation for Safety and Security Florian Lugou, Rabéa Ameur-Boulifa, Ludovic APVRILLE ludovic.apvrille@telecom-paristech.fr ISSA’2018 - Barcelona

SLIDE 2

Outline

◮ Context: Security for Embedded Systems (embedded systems)
◮ SysML-Sec (method)
◮ Case study
◮ Conclusion (conclusion, future work and references)

2/33

  • Sept. 2018

Institut Mines-Telecom SysML-Sec

SLIDE 3

Examples of Threats

Transport systems

◮ Use of exploits in the Flight Management System (FMS) to control ADS-B/ACARS [Teso 2013]
◮ Remote control of a car through Wifi [Miller 2015] [Tencent 2017]

Medical appliances

◮ Infusion pump vulnerability, April 2015. http://www.scip.ch/en/?vuldb.75158

SLIDE 4

How to Identify Vulnerabilities?

Investigations

◮ Testing ports (JTAG interface, UART, ...)
◮ Firmware analysis
◮ Memory dump
◮ Side-channel analysis (e.g. power consumption, electromagnetic waves)
◮ Fault injection
◮ ...

Secure your systems!

◮ Develop your system with security in mind from the very beginning
◮ Our solution: SysML-Sec, supported by TTool

SLIDE 5

Firmware Dumping

SLIDE 6

Goal: Designing Safe and Secure Embedded Systems

Figure: a system specification (which includes the software specification) is handled in TTool through HW/SW Partitioning and Soft. Design; Safety, Security and Performance are checked by Formal Verification and Simulation.

SLIDE 7

TTool: Key Features

◮ Model-Driven Engineering tool
◮ Free and Open-Source
  ◮ Plug-ins can be used to insert private/commercial features
◮ Easy to use
◮ Focus on safety, security and performance
◮ Formal verification at the push of a button

SLIDE 8

SysML-Sec

Common issues (addressed by SysML-Sec):

◮ Adverse effects of security over safety/real-time/performance properties
  ◮ Commonly: only the design of security mechanisms is considered
◮ Hardware/Software partitioning
  ◮ Commonly: no support for this in MDE tools/approaches and security approaches

SLIDE 9

SysML-Sec: Methodology

Figure (methodology flow): Analysis (Requirements: Security, Safety, Functional; Attack Trees; Fault Trees; Attacker Scenarios) → HW/SW Partitioning (Application, Architecture, Mapping) → Software Design → Verification (Safety, Security, Performance) → Code Generation. Verification results feed back as Reconsideration into Safety Countermeasures (Redundancy, Failsafe Mode, Plausibility Check, ...) and Security Countermeasures (Firewall, Data Security, Security Algorithms, ...).

Legend: Modeling; Verification; User-defined; Automatic; Reconsideration.

Fully supported by TTool

SLIDE 10

Partitioning

Figure: SW/HW Partitioning with a Functional view, an Architectural view and a Mapping view, each checked by Simulation and Formal analysis.

Before mapping

◮ Security mechanisms can be captured but not verified

After mapping

◮ Verify security (confidentiality, authenticity) according to attacker capabilities
  ◮ Whether different HW elements are on the same die or not
  ◮ Where the cryptographic material (keys) is stored
  ◮ Where encrypt/decrypt operations are performed
◮ Impact of security mechanisms on performance and safety
  ◮ e.g. increased latency when inserting security mechanisms
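The after-mapping checks listed above, as an added example that is not TTool's own verification engine: a small Python model of an architecture, a task-to-CPU mapping and an attacker who can probe any off-die bus. It classifies each functional channel as private or public and reports where confidentiality or authenticity cannot be guaranteed, including the case where a channel is encrypted but its key sits in a memory reached over a probe-able bus. Node names are borrowed from the VEDECOM slides; the topology, die boundaries, key placement, the attacker model and the class and function names (Bus, Memory, Channel, Mapping, classify, verify) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Bus:
    name: str
    same_die: bool  # True: the bus never leaves the die and cannot be probed

@dataclass(frozen=True)
class Memory:
    name: str
    bus: str  # bus through which the memory is reached

@dataclass(frozen=True)
class Channel:
    name: str
    src: str  # sending task
    dst: str  # receiving task
    confidential: bool  # requirement: payload must stay confidential
    authentic: bool  # requirement: receiver must authenticate the origin
    encrypted: bool = False  # security mechanism captured in the model
    macd: bool = False  # message authentication applied
    key_memory: Optional[str] = None  # where the key material is stored

@dataclass
class Mapping:
    task_cpu: Dict[str, str]  # functional task -> CPU it is mapped onto
    cpu_buses: Dict[str, Set[str]]  # CPU -> buses it is attached to
    buses: Dict[str, Bus]
    memories: Dict[str, Memory]

def attacker_reachable(bus: Bus) -> bool:
    """Attacker capability (assumption): physical access to every off-die bus."""
    return not bus.same_die

def route(m: Mapping, ch: Channel) -> Optional[Bus]:
    """Bus carrying ch; None when both tasks run on the same CPU."""
    s, d = m.task_cpu[ch.src], m.task_cpu[ch.dst]
    if s == d:
        return None
    common = m.cpu_buses[s] & m.cpu_buses[d]
    if not common:
        raise ValueError(f"{ch.name}: no bus connects {s} and {d}")
    return m.buses[sorted(common)[0]]

def classify(m: Mapping, ch: Channel) -> str:
    """'private' if the channel never crosses an attacker-reachable bus."""
    bus = route(m, ch)
    return "private" if bus is None or not attacker_reachable(bus) else "public"

def keys_exposed(m: Mapping, ch: Channel) -> bool:
    """Keys stored behind an attacker-reachable bus are considered compromised."""
    if ch.key_memory is None:
        return False
    return attacker_reachable(m.buses[m.memories[ch.key_memory].bus])

def verify(m: Mapping, channels: List[Channel]) -> Dict[str, List[str]]:
    """Map each channel to its findings; an empty list means the requirements hold."""
    report = {}
    for ch in channels:
        findings = []
        public = classify(m, ch) == "public"
        exposed = keys_exposed(m, ch)
        if exposed:
            findings.append("keys stored in attacker-reachable memory")
        if ch.confidential and public and (not ch.encrypted or exposed):
            findings.append("confidentiality not guaranteed")
        if ch.authentic and public and (not ch.macd or exposed):
            findings.append("authenticity not guaranteed")
        report[ch.name] = findings
    return report

# Constructed sample using node names from the VEDECOM slides; the topology,
# die boundaries and which memory holds which key are assumptions.
ARCH = Mapping(
    task_cpu={"Camera": "CameraCPU", "Perception": "PerceptionCPU",
              "Supervisor": "SupervisorCPU", "IMU": "IMU_CPU"},
    cpu_buses={"CameraCPU": {"EthernetCamera"},
               "PerceptionCPU": {"EthernetCamera", "CANVedecom", "MemoryBus"},
               "SupervisorCPU": {"CANVedecom", "BusIMU", "MemoryBus2"},
               "IMU_CPU": {"BusIMU"}},
    buses={"EthernetCamera": Bus("EthernetCamera", same_die=False),
           "CANVedecom": Bus("CANVedecom", same_die=False),
           "BusIMU": Bus("BusIMU", same_die=True),
           "MemoryBus": Bus("MemoryBus", same_die=True),
           "MemoryBus2": Bus("MemoryBus2", same_die=False)},
    memories={"MemorySystem": Memory("MemorySystem", "MemoryBus"),
              "MemorySystem2": Memory("MemorySystem2", "MemoryBus2")},
)

CHANNELS = [
    Channel("CamData", "Camera", "Perception", confidential=False, authentic=True),
    Channel("percStatus", "Perception", "Supervisor", confidential=True, authentic=True,
            encrypted=True, macd=True, key_memory="MemorySystem"),
    Channel("IMUdata", "IMU", "Supervisor", confidential=True, authentic=True),
    Channel("vehStatus", "Supervisor", "Perception", confidential=True, authentic=False,
            encrypted=True, key_memory="MemorySystem2"),
]

if __name__ == "__main__":
    for name, findings in verify(ARCH, CHANNELS).items():
        print(f"{name:12s} {findings or 'OK'}")
```

In this constructed mapping IMUdata stays private because BusIMU is on-die, percStatus is fine because it is encrypted and authenticated with a key held behind the on-die MemoryBus, CamData lacks authentication on the probe-able Ethernet link, and vehStatus fails despite encryption because its key lives in MemorySystem2 behind an off-die bus: exactly the "where are the keys stored" question the slide raises.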

SLIDE 11

Partitioning Verification

Figure: Modeling → Automatic Verification of Security, Safety and Performance.

SLIDE 12

Security Verification

SLIDE 13

Automated ProVerif Specification Generation

◮ Main idea
  ◮ Decompose SysML-Sec behaviors into a set of basic blocks
  ◮ Generate ProVerif code
◮ The semantic functions for generating the code:
  ◮ Process generation: E_p : Basic_block → Proverif_process
  ◮ Main process generation: E : SysML_components → Proverif

SLIDE 14

Safety and Security Mechanisms

Figure: Data Encryption/Authentication, with its effect on Safety, Security and Performance left as an open question ("?").

SLIDE 15

Safety and Security Mechanisms (Cont.)

Figure: Data Security with a Hardware Security Module, with its effect on Safety, Security and Performance left as an open question ("?").

SLIDE 16

Safety and Security Mechanisms (Cont.)

Figure: Redundancy/Coherence Check ("Add security" on each redundant path), with its effect on Safety, Security and Performance left as an open question ("? ?").

SLIDE 17

Safety and Security Mechanisms

Figure: Failsafe mode, with its effect on Safety, Security and Performance left as an open question ("? ?").

SLIDE 18

Safety/Security/Performance

Flowchart (reconstructed from the slide): Requirements (Security, Safety, Performance) → Automated generation → System design → Verification of design w.r.t. requirements.

◮ Security verification fails → Add/modify security mechanisms; Modify architecture (private bus, etc.); Modify mapping
◮ Safety verification fails → Add/modify safety mech. (e.g. safe modes); Modify architecture (e.g. redundancy); Modify mapping
◮ Performance verification fails → Reconsider algorithms; Modify architecture (Nb of cores, etc.); Modify mapping
◮ Succeeds :-)

Conflicts between properties:

◮ Security leads to unsafe behaviour, or safety leads to unsecure behaviour → Reconsider security req. / Reconsider safety req.
◮ Security leads to degraded perf. (e.g., increased mean latency): performance issue due to security mechanisms → Reconsider performance req.
◮ Safety leads to degraded performance: performance issue due to safety mechanisms → Reconsider performance req.

SLIDE 19

SysML-Sec: SW Design

Figure: SW Analysis (Use case view, Scenario view) → SW Design (Structural view, Behavioral view, Deployment view), checked by Simulation, Formal analysis and Test.

◮ Precise model of security mechanisms (security protocols)
◮ Proof of security properties: confidentiality, authenticity
◮ Channels between software blocks can be defined as private or public
  ◮ This should be defined according to the hardware support defined during the partitioning phase
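The two semantic functions from the ProVerif-generation slide (E_p over basic blocks, E over components) together with the private/public channel distinction on this slide, as an added example that is not TTool's generator: a toy Python translator whose block kinds (send, recv, encrypt, decrypt, new), component behaviours and emitted ProVerif text are assumptions of this example. Channels classified as private during partitioning are declared `[private]`, which keeps the ProVerif attacker off them; public ones stay attacker-accessible, so data on them survives only if encrypted.

```python
from dataclasses import dataclass
from typing import List, Tuple

Block = Tuple[str, tuple]  # (kind, arguments); the supported kinds are an assumption

@dataclass
class Component:
    name: str
    keys: List[str]  # key parameters the process receives
    blocks: List[Block]

@dataclass
class Model:
    channels: dict  # channel name -> "public" | "private" (decided at partitioning)
    secrets: List[str]  # private names whose confidentiality is queried
    components: List[Component]

def E_p(block: Block) -> str:
    """Process generation: one basic block -> one ProVerif process fragment.
    Each fragment carries its own trailing separator so fragments chain."""
    kind, args = block
    if kind == "send":
        chan, term = args
        return f"out({chan}, {term});"
    if kind == "recv":
        chan, var = args
        return f"in({chan}, {var}: bitstring);"
    if kind == "encrypt":
        var, plain, key = args
        return f"let {var} = senc({plain}, {key}) in"
    if kind == "decrypt":
        var, cipher, key = args
        return f"let {var} = sdec({cipher}, {key}) in"
    if kind == "new":
        (var,) = args
        return f"new {var}: bitstring;"
    raise ValueError(f"unsupported basic block: {kind}")

def E_process(comp: Component) -> str:
    """A component's behaviour: its basic blocks chained and terminated by 0."""
    params = f"({', '.join(k + ': key' for k in comp.keys)})" if comp.keys else ""
    body = "\n    ".join([E_p(b) for b in comp.blocks] + ["0"])
    return f"let {comp.name}{params} =\n    {body}."

def E(model: Model) -> str:
    """Main process generation: declarations, queries, one process per component
    and their parallel composition under freshly generated shared keys."""
    lines = ["type key.",
             "fun senc(bitstring, key): bitstring.",
             "reduc forall m: bitstring, k: key; sdec(senc(m, k), k) = m."]
    for chan, vis in model.channels.items():
        lines.append(f"free {chan}: channel{' [private]' if vis == 'private' else ''}.")
    for s in model.secrets:
        lines.append(f"free {s}: bitstring [private].")
        lines.append(f"query attacker({s}).")
    lines.extend(E_process(c) for c in model.components)
    keys = sorted({k for c in model.components for k in c.keys})
    news = "".join(f"new {k}: key; " for k in keys)
    calls = " | ".join(c.name + (f"({', '.join(c.keys)})" if c.keys else "")
                       for c in model.components)
    lines.append(f"process {news}({calls})")
    return "\n".join(lines)

# Constructed model: Camera -> Perception over the public Ethernet link, IMU -> Supervisor
# over a bus classified as private during partitioning. Names follow the slides; the
# behaviours are assumptions.
MODEL = Model(
    channels={"EthernetCamera": "public", "BusIMU": "private"},
    secrets=["camData", "imuData"],
    components=[
        Component("Camera", ["kcam"], [("encrypt", ("enc", "camData", "kcam")),
                                       ("send", ("EthernetCamera", "enc"))]),
        Component("Perception", ["kcam"], [("recv", ("EthernetCamera", "x")),
                                           ("decrypt", ("m", "x", "kcam"))]),
        Component("IMU", [], [("send", ("BusIMU", "imuData"))]),
    ],
)

if __name__ == "__main__":
    print(E(MODEL))
```

Feeding the printed text to ProVerif asks, for each secret, whether the attacker can learn it: camData is protected by senc under the key shared in the main process, and imuData is protected only by the `[private]` declaration of BusIMU, so flipping that channel to "public" in the model is enough to make the second query fail, which mirrors the slide's point that channel visibility must follow the hardware chosen at partitioning.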

SLIDE 20

Case Studies

Cyber security of connected vehicles

◮ Safety/Security/Performance
◮ EVITA FP7 Partners: Continental, BMW, Bosch, ...
◮ VEDECOM

H2020 AQUAS

◮ Automated train sub-systems (ClearSy): Safety/Security/Performance
◮ Industrial Drives (Siemens): Safety/Security/Performance

Nokia

◮ Digital architectures for 5G networks (Safety/Performance)

SLIDE 21

Case Study: VEDECOM Autonomous Vehicle

Figure panels: Model; Verification; Tests.

Mapping model shown: <<CPURR>> CameraCPU (Design::Camera), PerceptionCPU (Design::Perception), SupervisorCPU (Design::Supervisor), IMU_CPU (Design::IMU); <<BUS-RR>> EthernetCamera, CANVedecom, BusIMU, MemoryBus, MemoryBus2; <<MEMORY>> MemorySystem, MemorySystem2.

SLIDE 22

Constraints

◮ Standard: ISO26262

◮ SOTIF: Safety Of The Intended Function

◮ Security: impact of potential attacks on safety

SLIDE 23

Requirements

Requirement diagram (nodes are linked by <<deriveReqt>> and <<refine>> relationships, which are not recoverable from the extraction). Each <<Requirement>> node carries Risk="Low" and an empty "Reference elements" field; the remaining fields are:

◮ SecurityMain (ID=0, Kind="Functional"): "The autonomous system will be secure"
◮ ConfidentialGPS (ID=8, Kind="Privacy"): "The system will not broadcast previous GPS locations"
◮ ConfidentialKeys (ID=7, Kind="Confidentiality"): "The system will ensure Confidentiality of Keys"
◮ SensorTampering (ID=11, Kind="Integrity"): "The system will verify sensor data"
◮ (unnamed) (ID=10, Kind="Freshness"): "The system will protect against replay attacks."
◮ VerifySensor (ID=14, Kind="Data origin authenticity"): "The system will verify laser/radar/camera data received is from the installed sensor."
◮ SecureFirmware (ID=1, Kind="Integrity"): "The system will not allow modification of control/perception firmware."
◮ notAllSensors (ID=0, Kind="Integrity"): "The attacker must not be able to compromise all sensors"
◮ externalMsg (ID=0, Kind="Confidentiality"): "The system will not send data to external components(V2I, camera...)"
◮ ConfidentialityReq (ID=0, Kind="Confidentiality"): "The system will ensure Confidentiality"
◮ AuthenticityFirmware (ID=0, Kind="Integrity"): "The system will ensure authenticity of firmware"
◮ AuthenticityReq (ID=0, Kind="Integrity"): "The system will ensure Authenticity"
◮ ConfidentialitydataFlow (ID=0, Kind="Controlled access (authorization)"): "The system will allow data to be sent only in certain directions"
◮ AuthenticitySensor (ID=0, Kind="Integrity"): "The system will ensure Authenticity of sensor data"
◮ ConfidentialityFirmware (ID=0, Kind="Confidentiality"): "The system will ensure Confidentiality of firmware"
◮ V2XConfidentiality (ID=2, Kind="Confidentiality"): "The system will ensure Confidentiality in the V2X system"
◮ EthernetConfidentiality (ID=3, Kind="Confidentiality"): "The system will ensure Confidentiality in the Ethernet network"
◮ networkFirmware (ID=5, Kind="Confidentiality"): "The system will not send firmware on the network"
◮ FirmwareProtect (ID=17, Kind="Confidentiality"): "Firmware will be encrypted"
◮ LANConfidentiality (ID=18, Kind="Controlled access (authorization)"): "The system will not allow external connections to the LAN"
◮ checkSumFirmware (ID=19, Kind="Integrity"): "The system will use a checksum or something to ensure integrity of firmware"
◮ V2XConfidentialitydata (ID=21, Kind="Confidentiality"): "The system will only send traffic data over V2X"

SLIDE 24

Attacks

Attack tree diagram for the <<block>> Vehicle (the tree layout is not recoverable from the extraction; nodes are listed as they appear):

◮ <<root attack>> attackBraking
◮ <<attack>> preventObstacleDetection, preventBrakingFunction, preventBrakingCommandIssue, manipulateCamera, manipulateLIDAR, preventDataComputation, disableSensors, corruptControllerCode, jamPerceptionCommunications, forgeECUCommands, jamECUCommunications, forgePerceptionData
◮ Operators: five <<OR>> nodes and one <<AND>> node
◮ <<countermeasure>> authenticateECUCommands, authenticatePerceptionData, filterCommunications, checkComponentStatus
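The attack tree above, as an added example that is not TTool's attack-tree engine: a Python evaluator that computes the minimal cut sets (the smallest sets of leaf attacks that realise a node) and checks whether the root attack remains feasible once countermeasures are deployed. Node and countermeasure names come from the slide; the parent/child structure, the placement of the OR/AND operators, which countermeasure blocks which attack, and the extra hypothetical countermeasure `verifyFirmwareIntegrity` are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

@dataclass
class Attack:
    name: str
    op: Optional[str] = None  # "OR" / "AND" for composite attacks, None for a leaf
    children: List[str] = field(default_factory=list)
    countermeasures: List[str] = field(default_factory=list)  # any one of these blocks it

def build_tree(nodes: List[Attack]) -> Dict[str, Attack]:
    """Index the nodes by name and reject dangling child references."""
    tree = {n.name: n for n in nodes}
    for n in nodes:
        for c in n.children:
            if c not in tree:
                raise ValueError(f"{n.name}: unknown child {c}")
    return tree

def minimize(sets: Set[FrozenSet[str]]) -> Set[FrozenSet[str]]:
    """Keep only cut sets that do not strictly contain another cut set."""
    return {s for s in sets if not any(o < s for o in sets)}

def cut_sets(tree: Dict[str, Attack], node: str, deployed: Set[str]) -> Set[FrozenSet[str]]:
    """Minimal sets of leaf attacks realising `node` with `deployed` countermeasures
    in place; an empty result means the attack is blocked."""
    a = tree[node]
    if any(cm in deployed for cm in a.countermeasures):
        return set()
    if a.op is None:
        return {frozenset([node])}  # unmitigated leaf: assumed feasible
    child_sets = [cut_sets(tree, c, deployed) for c in a.children]
    if a.op == "OR":
        result = set().union(*child_sets)  # any child suffices
    elif a.op == "AND":
        result = {frozenset()}  # every child needed: combine one set from each
        for cs in child_sets:
            result = {r | c for r in result for c in cs}
    else:
        raise ValueError(f"{node}: unknown operator {a.op}")
    return minimize(result)

def feasible(tree: Dict[str, Attack], node: str, deployed: Set[str]) -> bool:
    return bool(cut_sets(tree, node, deployed))

# Assumed structure for the slide's nodes (a leaf shared by two parents is allowed).
TREE = build_tree([
    Attack("attackBraking", "OR", ["preventObstacleDetection", "preventBrakingFunction"]),
    Attack("preventObstacleDetection", "OR", ["disableSensors", "preventDataComputation"]),
    Attack("disableSensors", "AND", ["manipulateCamera", "manipulateLIDAR"],
           countermeasures=["checkComponentStatus"]),
    Attack("manipulateCamera"),
    Attack("manipulateLIDAR"),
    Attack("preventDataComputation", "OR",
           ["corruptControllerCode", "jamPerceptionCommunications", "forgePerceptionData"]),
    # verifyFirmwareIntegrity is hypothetical: the slide lists no countermeasure here
    Attack("corruptControllerCode", countermeasures=["verifyFirmwareIntegrity"]),
    Attack("jamPerceptionCommunications", countermeasures=["filterCommunications"]),
    Attack("forgePerceptionData", countermeasures=["authenticatePerceptionData"]),
    Attack("preventBrakingFunction", "OR", ["preventBrakingCommandIssue", "jamECUCommunications"]),
    Attack("preventBrakingCommandIssue", "OR", ["forgeECUCommands", "corruptControllerCode"]),
    Attack("forgeECUCommands", countermeasures=["authenticateECUCommands"]),
    Attack("jamECUCommunications", countermeasures=["filterCommunications"]),
])

SLIDE_COUNTERMEASURES = {"authenticateECUCommands", "authenticatePerceptionData",
                         "filterCommunications", "checkComponentStatus"}

if __name__ == "__main__":
    for label, cms in [("none", set()), ("slide", SLIDE_COUNTERMEASURES),
                       ("slide + hypothetical", SLIDE_COUNTERMEASURES | {"verifyFirmwareIntegrity"})]:
        sets = cut_sets(TREE, "attackBraking", cms)
        print(f"{label}: feasible={bool(sets)} cut sets={[sorted(s) for s in sets]}")
```

With the four countermeasures from the slide deployed, the assumed tree still leaves corruptControllerCode as a single-leaf cut set for attackBraking; only the hypothetical firmware-integrity countermeasure closes it. Surfacing such a residual path, and tracing it back to a requirement such as SecureFirmware or checkSumFirmware on the requirements slide, is what the methodology's requirement/countermeasure loop is meant to do.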

SLIDE 25

Functional View

Functional blocks and their attributes (extracted from the diagram):

◮ Radar: signal : Natural; radarInterval : Natural
◮ Camera: signal : Natural; cameraInterval : Natural
◮ FusionLidar: signal : Natural; fusionInterval : Natural
◮ AutonomousSystem, containing:
  ◮ ExteriorInterface
  ◮ Perception: perceptData, plan, calcMark, calcObstacle, calcVehStat, calcInfrastruct1, calcInfrastruct2, calcTraj, calcRegulation, calculateConfidenceLevel (all Natural)
  ◮ Supervisor: error : Boolean; calcTraj : Natural; calcRegulation : Natural
◮ MABX: command : Natural
◮ UI: dest : Natural
◮ ECU: command : Natural
◮ V2X: traffic : Natural
◮ GPS: GPSinterval : Natural
◮ IMU

Channels: ECUcommand, UIdata, V2Xdata, MABXcommand, destData, V2Idata, percStatus, LidarData, RadarData, CamData, vehStatus, GPSRTK, IMUdata, V2Vdata, ECUdata

SLIDE 26

Safety Verification (Before Mapping)

Reachability/Liveness Queries

SLIDE 27

Architecture and Mapping Views

Execution nodes and the design tasks mapped onto them (extracted from the diagram):

◮ <<CPURR>> Camera: Design::Camera
◮ <<CPURR>> Radar: Design::Radar
◮ <<CPURR>> FusionCPU: Design::FusionLidar
◮ <<CPURR>> System: Design::Supervisor, Design::Perception
◮ <<CPURR>> MABX: Design::MABX
◮ <<CPURR>> UI: Design::UI
◮ <<CPURR>> InterfaceCPU: Design::ExteriorInterface
◮ <<CPURR>> V2X: Design::V2X
◮ <<CPURR>> vehicle: Design::ECU
◮ <<CPU>> CPU0: Design::GPS
◮ <<CPURR>> IMU: Design::IMU
◮ <<MEMORY>> MemorySystem

Communication nodes (<<BUS-CAN>>): EthernetCamera, CANRadar, CANVedecom, EthernetLaser, WiFI, internalBus, CANV, EthernetIHM, CANIntersystem, EthernetV2IGPS, Bus0, CANdiagnostics

SLIDE 28

Safety Verification (After Mapping)

Figures: Reachability Graph; Minimized RG

SLIDE 29

Security Verification

Figures: Dialog window; Backtracing

SLIDE 30

Performance Verification

Figures: Latency; Bus/CPU Load

SLIDE 31

SW Design, Code Generation, Test

◮ First SW model derived from the mapping models
◮ SW model refinement
◮ SW model verification (safety, security)
◮ Code generation
◮ (Virtual) prototyping, test

SLIDE 32

Conclusion and Future Work

Achievements: SysML-Sec

◮ Methodology for designing safe and secure embedded systems
◮ Fully supported by TTool
◮ Applied to different domains, e.g., automotive systems, IoT, malware

Future work

◮ Security risk assistance and backtracing
◮ Assistance to handle conflicts between security/safety/performance
◮ Design space exploration

SLIDE 33

To Go Further ...

Web sites

◮ https://sysml-sec.telecom-paristech.fr
◮ https://ttool.telecom-paristech.fr

References

◮ Ludovic Apvrille, Yves Roudier, "SysML-Sec: A SysML Environment for the Design and Development of Secure Embedded Systems", Proceedings of the INCOSE/APCOSEC 2013 Conference on System Engineering, Yokohama, Japan, September 8-11, 2013.
◮ Ludovic Apvrille, Yves Roudier, "Designing Safe and Secure Embedded and Cyber-Physical Systems with SysML-Sec", chapter in Model-Driven Engineering and Software Development, pp. 293-308, Springer International Publishing, 2015.
