SysML-Sec Attack Graphs: Compact Representations for Complex Attacks



SLIDE 1

SysML-Sec Attack Graphs: Compact Representations for Complex Attacks

Ludovic Apvrille, ludovic.apvrille@telecom-paristech.fr
Yves Roudier, yves.roudier@eurecom.fr

Institut Mines-Telecom, GraMSec'2015

SLIDE 2

Context: Security for Embedded Systems Attack trees Contribution Conclusion

Outline

◮ Context: Security for Embedded Systems
  ◮ Embedded systems
  ◮ SysML-Sec
◮ Attack trees
◮ Contribution
◮ Conclusion

2/23 July, 2015 Institut Mines-Telecom

SLIDE 3

Examples of Threats

Transport systems

Use of exploits in Flight Management System (FMS) to control ADS-B/ACARS [Teso 2013]

Internet of Things

Proof of concept of attack on IZON camera [Stanislav 2013]

Medical appliances

Infusion pump vulnerability, April 2015. http://www.scip.ch/en/?vuldb.75158

(Images: (C) aviationweek.com, (C) Hospira)

SLIDE 4

Designing Safe and Secure Embedded Systems: SysML-Sec

Main idea

◮ Holistic approach: bring together experts in embedded systems: system architects, system designers and security experts

Common issues (addressed by SysML-Sec):

◮ Adverse effects of security over safety/real-time/performance properties
  ◮ Commonly: only the design of the security mechanisms is addressed
◮ Hardware/Software partitioning
  ◮ Commonly: no support for this in MDE tools/approaches and in security approaches

SLIDE 5

SysML-Sec: Methodology

[Methodology diagram, two stages with feedback at each step:
◮ SW/HW Partitioning: Requirements, Attacks, Functional view, Architectural view, Mapping view; each checked by simulation and formal analysis
◮ System Design: Structural view, Behavioral view, Deployment view; checked by simulation, formal analysis and test]

Fully supported by TTool

SLIDE 6

Outline

◮ Context: Security for Embedded Systems
◮ Attack trees (this section)
◮ Contribution
◮ Conclusion

SLIDE 7

Google-izing Attack Trees

SLIDE 8

Attack Trees

Definition and purpose

◮ Originate from fault trees; introduced by Bruce Schneier (1999)
◮ Depict how a system element can be attacked
◮ Help to find attack countermeasures
◮ Root attack, children, leaves
◮ OR and AND relations between children

SLIDE 9

Attack Trees: Related Work

◮ Generation of ATs from other formalisms [Vigo 2014]
◮ Semantics extensions
  ◮ [Khand 2009]: PAND, k-out-of-n, CSUB, SEQ, ...
  ◮ [Zhao 2014]: permissions and capabilities on nodes; applied to malware analysis
◮ Security assessment
  ◮ Privilege graphs [Dacier 1996]
  ◮ Petri nets [Dalton 2006] [Pudar 2009]
  ◮ Markov processes [Piètre-Cambacédès 2010]

SLIDE 10

Attack Trees: A Few Issues

Semantics

◮ The semantics of AND and OR is too limited to express complex attack scenarios
◮ No ordering between attacks
◮ No temporal operators

Relation with other development stages

◮ No relation with (security) requirements
◮ More generally, not integrated into methodologies
◮ No relation between attacks and the HW/SW components of the system
◮ Difficult to figure out where countermeasures are needed and which ones

SLIDE 11

Outline

◮ Context: Security for Embedded Systems
◮ Attack trees
◮ Contribution (this section)
  ◮ New operators
◮ Conclusion

SLIDE 12

Overview (with an Example)

◮ SysML Parametric diagram
  ◮ Asset = Block
  ◮ Attacks = Attributes of blocks
  ◮ Relation between attacks = Constraints
◮ Formal semantics
  ◮ Timed automata

[Attack graph diagram of the running example (SysML parametric diagram). Root attack: IllegalBankAccountTransactionBasedOnToken. Blocks (assets): AttackerSystem, AttackedSystem, AttackerPC, AttackerWebServer, UserPC, Windows_Win32, UserMobilePhone_Android, Browser, OtherSoftwareApplications. Attacks: RetrieveUserLoginAndPassword, SendTANToServer, PerformTokenBasedAuthentication, LogOnBankAccount, InstallKeyLogger, InstallTrojan, ExploitVulnerability, UserInstallsFakeBankApplication, RetrieveTransactionTAN, SilentlyInterceptSMS, RedirectHTTPRequestFromBankToFakeBank, InstallMaliciousPlugin, RequestUserToInstallMobileFakeBankApplication, ControlFakeHTTPBankURL, GenerateFakeBankWebsite. Constraints used: SEQUENCE, BEFORE (120), XOR, AND; the numbers 1, 2 on the links give the operand order.]

SLIDE 13

Semantics

◮ Attacks
  ◮ Intermediate attacks
  ◮ Root attack
◮ Constraints
  ◮ AND, OR, XOR, SEQUENCE, BEFORE, AFTER

SLIDE 14

Semantics of Attacks

[Timed-automaton figures: Attack; Intermediate Attack]

SLIDE 15

Semantics of Constraints

[Timed-automaton figures for the AND and SEQUENCE constraints]

SLIDE 16

Semantics of Constraints (Cont.)

[Timed-automaton figures for the OR and XOR constraints]

SLIDE 17

Semantics of Constraints (Cont.)

[Timed-automaton figures for the BEFORE and AFTER constraints]

SLIDE 18

Formal Verification

◮ Reachability of an attack a
◮ Liveness of an attack a
◮ a1 leads to a2 (a1 a2)

SLIDE 19

Disabling Attacks

◮ Right click to disable/enable an attack

[Diagram: block UserMobilePhone_Android with a SEQUENCE over the attacks UserInstallsFakeBankApplication, RetrieveTransactionTAN and SilentlyInterceptSMS; the label "disabled" appears next to SilentlyInterceptSMS, and the numbers 1, 2 on the links give the operand order]

SLIDE 20

Temporal Compatibility

◮ Temporal constraints may affect the reachability/liveness of attacks

[Diagram: attacks attack01, attack02, attack03 and final, linked by an AFTER constraint with bound 15 and a BEFORE constraint with bound 10; the numbers 1, 2 on the links give the operand order]

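As an added illustration (not code from the slides or from TTool), a small Python evaluator for the constraint operators listed on slide 13, run over a scenario of attack timestamps: it shows how a disabled attack (slide 19) or an unsatisfiable BEFORE/AFTER bound (slide 20) makes the root unreachable. The meaning given to BEFORE/AFTER (a2 at most / at least t time units after a1), the wiring of the slide 20 graph and the mobile-phone sequence are assumptions, not taken from the deck.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Attack:
    # Leaf attack: `time` is when it is performed in a scenario (None if not);
    # a disabled attack (slide 19) never occurs.
    name: str
    time: Optional[float] = None
    disabled: bool = False
    def when(self) -> Optional[float]:
        return None if self.disabled else self.time

@dataclass
class Constraint:
    # Constraint node yielding an intermediate attack; children are ordered as
    # the numbered links on the diagrams, `bound` is the BEFORE/AFTER time bound.
    op: str
    children: list
    bound: float = 0.0
    def when(self) -> Optional[float]:
        ts = [c.when() for c in self.children]
        done = [t for t in ts if t is not None]
        if self.op == "AND":       # all children performed; ends with the last
            return max(done) if len(done) == len(ts) else None
        if self.op == "OR":        # any child suffices; ends with the first
            return min(done) if done else None
        if self.op == "XOR":       # exactly one child performed
            return done[0] if len(done) == 1 else None
        if self.op == "SEQUENCE":  # all performed, strictly in the given order
            ok = len(done) == len(ts) and all(a < b for a, b in zip(ts, ts[1:]))
            return ts[-1] if ok else None
        t1, t2 = ts                # BEFORE / AFTER are binary: a1, then a2
        if None in ts or t1 > t2:
            return None
        if self.op == "BEFORE":    # assumed: a2 at most `bound` after a1
            return t2 if t2 - t1 <= self.bound else None
        if self.op == "AFTER":     # assumed: a2 at least `bound` after a1
            return t2 if t2 - t1 >= self.bound else None
        raise ValueError(f"unknown operator {self.op}")

def reachable(root) -> bool:       # slide 18: is the root attack performed?
    return root.when() is not None

def slide20_graph(t01, t02, t03):  # constructed wiring, not shown in the deck:
    a1, a2, a3 = Attack("attack01", t01), Attack("attack02", t02), Attack("attack03", t03)
    return Constraint("BEFORE", [Constraint("AFTER", [a1, a2], 15), a3], 10)

def mobile_graph(disable_sms: bool):  # constructed: install app, then intercept SMS
    install = Attack("UserInstallsFakeBankApplication", 0)
    sms = Attack("SilentlyInterceptSMS", 5, disabled=disable_sms)
    return Constraint("SEQUENCE", [install, sms])
```

With timestamps 0, 20, 25 the slide 20 graph is reachable; moving attack02 to 10 violates AFTER 15 and moving attack03 to 40 violates BEFORE 10, so the root becomes unreachable, as does the mobile sequence once SilentlyInterceptSMS is disabled.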
SLIDE 21

Outline

◮ Context: Security for Embedded Systems
◮ Attack trees
◮ Contribution
◮ Conclusion (this section)
  ◮ Conclusion, future work and references

SLIDE 22

Conclusion and Future Work

Achievements

◮ Extended and formally defined attack trees
◮ Integrated into SysML-Sec
◮ Fully supported by TTool
◮ Applied to different domains, e.g., malware, automotive systems

Future work

◮ Handling new situations: cycles, number of iterations, priorities
◮ Quantitative assessments of threats

SLIDE 23

To Go Further ...

Web sites

◮ https://sysml-sec.telecom-paristech.fr
◮ https://ttool.telecom-paristech.fr

References (SysML-Sec)

◮ Ludovic Apvrille, Yves Roudier, "SysML-Sec: A SysML Environment for the Design and Development of Secure Embedded Systems", Proceedings of the INCOSE/APCOSEC 2013 Conference on System Engineering, Yokohama, Japan, September 8-11, 2013.
