SysML-Sec - A Model Driven Approach for Designing Safe and Secure Systems

Yves Roudier, Ludovic Apvrille

2015

Abstract

Security flaws are open doors to attack embedded systems and must be carefully assessed in order to determine threats to safety and security. Subsequently securing a system, that is, integrating security mechanisms into the system's architecture, can itself impact the system's safety: for instance, deadlines could be missed due to increased computation and communication latencies. SysML-Sec addresses these issues with a model-driven approach that promotes the collaboration between system designers and security experts at all design and development stages, e.g., requirements, attacks, partitioning, design, and validation. A central point of SysML-Sec is its partitioning stage, during which safety-related and security-related functions are explored jointly and iteratively with regard to requirements and attacks. Once partitioned, the system is designed in terms of the system's functions and security mechanisms, and formally verified from both the safety and the security perspectives. Our paper illustrates the whole methodology with the evaluation of a security mechanism added to an existing automotive system.

Paper Citation


in Harvard Style

Roudier Y. and Apvrille L. (2015). SysML-Sec - A Model Driven Approach for Designing Safe and Secure Systems. In Proceedings of the 3rd International Conference on Model-Driven Engineering and Software Development - Volume 1: SPIE, (MODELSWARD 2015), ISBN 978-989-758-083-3, pages 655-664. DOI: 10.5220/0005402006550664


in Bibtex Style

@conference{spie15,
author={Yves Roudier and Ludovic Apvrille},
title={SysML-Sec - A Model Driven Approach for Designing Safe and Secure Systems},
booktitle={Proceedings of the 3rd International Conference on Model-Driven Engineering and Software Development - Volume 1: SPIE, (MODELSWARD 2015)},
year={2015},
pages={655-664},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005402006550664},
isbn={978-989-758-083-3},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Model-Driven Engineering and Software Development - Volume 1: SPIE, (MODELSWARD 2015)
TI - SysML-Sec - A Model Driven Approach for Designing Safe and Secure Systems
SN - 978-989-758-083-3
AU - Roudier Y.
AU - Apvrille L.
PY - 2015
SP - 655
EP - 664
DO - 10.5220/0005402006550664