SysML Model Transformation for Safety and Security Florian Lugou, - PowerPoint PPT Presentation

SysML Model Transformation for Safety and Security Florian Lugou, Rabéa Ameur-Boulifa, Ludovic APVRILLE ludovic.apvrille@telecom-paristech.fr ISSA’2018 - Barcelona

Context: Security for Embedded Systems SysML-Sec Case study Conclusion Outline Context: Security for Embedded Systems Embedded systems SysML-Sec Method SysML-Sec Case study Case Study Conclusion Conclusion, future work and references Sept. 2018 Institut Mines-Telecom SysML-Sec 2/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion Examples of Threats Transport systems ◮ Use of exploits in Flight Management System (FMS) to control ADS-B/ACARS [Teso 2013] ◮ Remote control of a car through Wifi (C) Wired - ABC News [Miller 2015] [Tecent 2017] Medical appliances ◮ Infusion pump vulnerability, April 2015. http://www.scip.ch/en/?vuldb.75158 (C) Hospira Sept. 2018 Institut Mines-Telecom SysML-Sec 3/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion How to Identify Vulnerabilities? Investigations ◮ Testing ports (JTAG interface, UART, . . . ) ◮ Firmware analysis ◮ Memory dump ◮ Side-channel analysis (e.g. power consumption, electromagnetic waves) ◮ Fault injection ◮ . . . Secure your systems! ◮ Develop your system with security in mind from the very beginning ◮ Our solution: SysML-Sec, supported by TTool Sept. 2018 Institut Mines-Telecom SysML-Sec 4/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion Firmware Dumping Sept. 2018 Institut Mines-Telecom SysML-Sec 5/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion Goal: Designing Safe and Secure Embedded Systems Safety Security Performance TTool HW/SW Partitioning Soft. Design System specification (includes Formal Verification software Simulation specification) Sept. 2018 Institut Mines-Telecom SysML-Sec 6/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion TTool: Key Features ◮ Model-Driven Engineering tool ◮ Free and Open-Source ◮ Plug-in can be used to insert private/commercial features ◮ Easy to use ◮ Focus on safety, security and performance ◮ Formal verification at the push of a button Sept. 2018 Institut Mines-Telecom SysML-Sec 7/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion SysML-Sec Common issues (addressed by SysML-Sec): ◮ Adverse effects of security over safety/real-time/performance properties ◮ Commonly: only the design of security mechanisms ◮ Hardware/Software partitioning ◮ Commonly: no support for this in tools/approaches in MDE and security approaches Sept. 2018 Institut Mines-Telecom SysML-Sec 8/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion Analysis SysML-Sec: Methodology Requirements Attack Trees Fault Trees Safety Functional Security HW/SW Partitioning Attacker Scenarios Application Architecture Safety Countermeasures Security Countermeasures Redundancy, ... Mapping Firewall, Data Security, ... Verification Performance Security Safety Security Countermeasures Software Design Safety Countermeasures Security Algorithms, ... Failsafe Mode, Plausibility Check, ... Legend Verification Modeling Security Safety Performance Verification Security Safety User-defined Code Automatic Generation Reconsideration Fully supported by TTool Sept. 2018 Institut Mines-Telecom SysML-Sec 9/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion Analysis Requirements Attack Trees Fault Trees Safety Functional Security Partitioning HW/SW Partitioning Attacker Application Architecture Scenarios Safety Countermeasures Security Countermeasures Redundancy, ... Mapping Firewall, Data Security, ... Verification Safety Performance Security Security Countermeasures Safety Countermeasures Software Design Security Algorithms, ... Failsafe Mode, Plausibility Check, ... Legend Verification Modeling Safety Performance Security Verification Security Safety Code User-defined Generation Automatic Reconsideration Before mapping Functional view Architectural view Functional view Architectural view Simulation ◮ Security mechanisms Formal analysis Mapping view Mapping view can be captured but not Simulation Formal analysis SW/HW Partitioning verified SW/HW Partitioning After mapping ◮ Verify security (confidentiality, authenticity) according to attacker capabilities ◮ Whether different HW elements are or not on the same die ◮ Where are stored the cryptographic materials (keys) ◮ Where are performed encrypt/decrypt operations ◮ Impact of security mechanisms on performance and safety ◮ e.g. increased latency when inserting security mechanisms Sept. 2018 Institut Mines-Telecom SysML-Sec 10/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion Partitioning Verification Modeling Automatic Verifjcation Security Safety Performance Sept. 2018 Institut Mines-Telecom SysML-Sec 11/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion Security Verification Sept. 2018 Institut Mines-Telecom SysML-Sec 12/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion Automated Proverif Specification Generation ◮ Main idea ◮ Decompose SysML-Sec behaviors into a set of basic blocks ◮ Generate Proverif code ◮ The semantic function for generating the code: ◮ Processes generation � . � p E : Basic _ block → Proverif _ process ◮ Main process generation � . � E : SysML _ components → Proverif Sept. 2018 Institut Mines-Telecom SysML-Sec 13/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion Safety and Security Mechanisms Data Encryption/ Authentication Safety ? Security Performance Sept. 2018 Institut Mines-Telecom SysML-Sec 14/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion Safety and Security Mechanisms (Cont.) Data Security with Hardware Security Module Safety ? Security Performance Sept. 2018 Institut Mines-Telecom SysML-Sec 15/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion Safety and Security Mechanisms (Cont.) Redundancy/Coherence Check Add security Add security Safety Security ? Performance ? Sept. 2018 Institut Mines-Telecom SysML-Sec 16/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion Safety and Security Mechanisms Failsafe mode Safety Security ? Performance ? Sept. 2018 Institut Mines-Telecom SysML-Sec 17/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion Safety/Security/Performance Requirements Security Safety Performance Automated generation System design Verification of design w.r.t. requirements Security Safety Performance Fails Succeeds :-) Fails Fails Reconsider safety req. Reconsider security req. Reconsider performance req. Add/modify safety mech. (e.g. safe modes) Reconsider algorithms Add/modify security mechanisms Modify architecture (e.g. redundancy) Modify architecture (Nb of cores, etc.) Modify architecture (private bus, etc.) Modify mapping Modify mapping Modify mapping Performance issue due to Succeeds :-) Succeeds :-) safety mechanisms Security leads to unsafe behaviour Safety leads to unsecure behaviour Performance issue due to Security leads to degraded perf. security mechanisms (e.g., increased mean latency) Safety leads to degraded performance Sept. 2018 Institut Mines-Telecom SysML-Sec 18/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion Analysis Requirements Attack Trees Fault Trees Safety Functional Security SysML-Sec: SW Design HW/SW Partitioning Attacker Application Architecture Scenarios Safety Countermeasures Security Countermeasures Redundancy, ... Mapping Firewall, Data Security, ... Verification Safety Performance Security Security Countermeasures Safety Countermeasures Software Design Security Algorithms, ... Failsafe Mode, Plausibility Check, ... Legend Verification Modeling Safety Performance Security Verification Security Safety Code User-defined Generation Automatic Reconsideration SW Analysis Use case view Scenario view SW Analysis Use case view Scenario view Simulation Structural view Behavioral view Structural view Behavioral view Formal analysis SW Design SW Design Deployment view Test Deployment view ◮ Precise model of security mechanisms (security protocols) ◮ Proof of security properties : confidentiality, authenticity ◮ Channels between software blocks can be defined as private or public ◮ This should be defined according to the hardware support defined during the partitioning phase Sept. 2018 Institut Mines-Telecom SysML-Sec 19/33

Context: Security for Embedded Systems SysML-Sec Case study Conclusion Case Studies Cyber security of connected vehicles ◮ Safety/Security/Performance ◮ EVITA FP7 Partners: Continental, BMW, Bosch, . . . ◮ VEDECOM H2020 AQUAS ◮ Automated train sub-systems (ClearSy): Safety/Security/Performance ◮ Industrial Drives (Siemens): Safety/Security/Performance Nokia ◮ Digital architectures for 5G networks (Safety/Performance) Sept. 2018 Institut Mines-Telecom SysML-Sec 20/33