-
Technical Report: Automating Vehicle SOA Threat Analysis using a Model-Based Methodology
Authors:
Yuri Gil Dantas,
Simon Barner,
Pei Ke,
Vivek Nigam,
Ulrich Schoepp
Abstract:
While the adoption of Service-Oriented Architectures (SOA) eases the implementation of features such as autonomous driving and over-the-air updates, it also increases the vehicle's exposure to attacks that may place road-users in harm. To address this problem, standards (ISO 21434/UNECE) expect manufacturers to produce security arguments and evidence by carrying out appropriate threat analysis. As…
▽ More
While the adoption of Service-Oriented Architectures (SOA) eases the implementation of features such as autonomous driving and over-the-air updates, it also increases the vehicle's exposure to attacks that may place road-users in harm. To address this problem, standards (ISO 21434/UNECE) expect manufacturers to produce security arguments and evidence by carrying out appropriate threat analysis. As key threat analysis steps, e.g., damage/threat scenario and attack path enumeration, are often carried out manually and not rigorously, security arguments lack precise guarantees, e.g., traceability w.r.t. safety goals, especially under system updates. This article proposes automated methods for threat analysis using a model-based engineering methodology that provides precise guarantees with respect to safety goals. This is accomplished by proposing an intruder model for automotive SOA which together with the system architecture and the loss scenarios identified by safety analysis are used as input for computing assets, impact rating, damage/threat scenarios, and attack paths. To validate the proposed methodology, we developed a faithful model of the autonomous driving functions of the Apollo framework, a widely used open-source autonomous driving stack. The proposed machinery automatically enumerates several attack paths on Apollo, including attack paths not reported in the literature.
△ Less
Submitted 23 December, 2022;
originally announced December 2022.
-
Automating Safety and Security Co-Design through Semantically-Rich Architecture Patterns
Authors:
Yuri Gil Dantas,
Vivek Nigam
Abstract:
During the design of safety-critical systems, safety and security engineers make use of architecture patterns, such as Watchdog and Firewall, to address identified failures and threats. Often, however, the deployment of safety patterns has consequences on security, e.g., the deployment of a safety pattern may lead to new threats. The other way around may also be possible, i.e., the deployment of a…
▽ More
During the design of safety-critical systems, safety and security engineers make use of architecture patterns, such as Watchdog and Firewall, to address identified failures and threats. Often, however, the deployment of safety patterns has consequences on security, e.g., the deployment of a safety pattern may lead to new threats. The other way around may also be possible, i.e., the deployment of a security pattern may lead to new failures. Safety and security co-design is, therefore, required to understand such consequences and trade-offs, in order to reach appropriate system designs. Currently, pattern descriptions, including their consequences, are described using natural language. Therefore, their deployment in system design is carried out manually, thus time-consuming and prone to human-error, especially given the high system complexity. We propose the use of semantically-rich architecture patterns to enable automated support for safety and security co-design by using Knowledge Representation and Reasoning (KRR) methods. Based on our domain-specific language, we specify reasoning principles as logic specifications written as answer-set programs. KRR engines enable the automation of safety and security co-engineering activities, including the automated recommendation of which architecture patterns can address failures or threats and consequences of deploying such patterns. We demonstrate our approach on an example taken from the ISO 21434 standard.
△ Less
Submitted 27 February, 2022; v1 submitted 25 January, 2022;
originally announced January 2022.
-
Security Engineering for ISO 21434
Authors:
Yuri Gil Dantas,
Vivek Nigam,
Harald Ruess
Abstract:
The ISO 21434 is a new standard that has been proposed to address the future challenges of automotive cybersecurity. This white paper takes a closer look at the ISO 21434 helping engineers to understand the ISO 21434 parts, the key activities to be carried out and the main artefacts that shall be produced. As any certification, obtaining the ISO 21434 certification can be daunting at first sight.…
▽ More
The ISO 21434 is a new standard that has been proposed to address the future challenges of automotive cybersecurity. This white paper takes a closer look at the ISO 21434 helping engineers to understand the ISO 21434 parts, the key activities to be carried out and the main artefacts that shall be produced. As any certification, obtaining the ISO 21434 certification can be daunting at first sight. Engineers have to deploy processes that include several security risk assessment methods to produce security arguments and evidence supporting item security claims. In this white paper, we propose a security engineering approach that can ease this process by relying on Rigorous Security Assessments and Incremental Assessment Maintenance methods supported by automation. We demonstrate by example that the proposed approach can greatly increase the quality of the produced artefacts, the efficiency to produce them, as well as enable continuous security assessment. Finally, we point out some key research directions that we are investigating to fully realize the proposed approach.
△ Less
Submitted 17 January, 2021; v1 submitted 30 December, 2020;
originally announced December 2020.
-
Less Manual Work for Safety Engineers: Towards an Automated Safety Reasoning with Safety Patterns
Authors:
Yuri Gil Dantas,
Antoaneta Kondeva,
Vivek Nigam
Abstract:
The development of safety-critical systems requires the control of hazards that can potentially cause harm. To this end, safety engineers rely during the development phase on architectural solutions, called safety patterns, such as safety monitors, voters, and watchdogs. The goal of these patterns is to control (identified) faults that can trigger hazards. Safety patterns can control such faults b…
▽ More
The development of safety-critical systems requires the control of hazards that can potentially cause harm. To this end, safety engineers rely during the development phase on architectural solutions, called safety patterns, such as safety monitors, voters, and watchdogs. The goal of these patterns is to control (identified) faults that can trigger hazards. Safety patterns can control such faults by e.g., increasing the redundancy of the system. Currently, the reasoning of which pattern to use at which part of the target system to control which hazard is documented mostly in textual form or by means of models, such as GSN-models, with limited support for automation. This paper proposes the use of logic programming engines for the automated reasoning about system safety. We propose a domain-specific language for embedded system safety and specify as disjunctive logic programs reasoning principles used by safety engineers to deploy safety patterns, e.g., when to use safety monitors, or watchdogs. Our machinery enables two types of automated safety reasoning: (1) identification of which hazards can be controlled and which ones cannot be controlled by the existing safety patterns; and (2) automated recommendation of which patterns could be used at which place of the system to control potential hazards. Finally, we apply our machinery to two examples taken from the automotive domain: an adaptive cruise control system and a battery management system.
△ Less
Submitted 21 September, 2020;
originally announced September 2020.
-
On the Accuracy of Formal Verification of Selective Defenses for TDoS Attacks
Authors:
Marcilio O. O. Lemos,
Yuri Gil Dantas,
Iguatemi E. Fonseca,
Vivek Nigam
Abstract:
Telephony Denial of Service (TDoS) attacks target telephony services, such as Voice over IP (VoIP), not allowing legitimate users to make calls. There are few defenses that attempt to mitigate TDoS attacks, most of them using IP filtering, with limited applicability. In our previous work, we proposed to use selective strategies for mitigating HTTP Application-Layer DDoS Attacks demonstrating their…
▽ More
Telephony Denial of Service (TDoS) attacks target telephony services, such as Voice over IP (VoIP), not allowing legitimate users to make calls. There are few defenses that attempt to mitigate TDoS attacks, most of them using IP filtering, with limited applicability. In our previous work, we proposed to use selective strategies for mitigating HTTP Application-Layer DDoS Attacks demonstrating their effectiveness in mitigating different types of attacks. Developing such types of defenses is challenging as there are many design options, eg, which dropping functions and selection algorithms to use. Our first contribution is to demonstrate both experimentally and by using formal verification that selective strategies are suitable for mitigating TDoS attacks. We used our formal model to help decide which selective strategies to use with much less effort than carrying out experiments. Our second contribution is a detailed comparison of the results obtained from our formal models and the results obtained by carrying out experiments. We demonstrate that formal methods is a powerful tool for specifying defenses for mitigating Distributed Denial of Service attacks allowing to increase our confidence on the proposed defense before actual implementation.
△ Less
Submitted 13 September, 2017;
originally announced September 2017.