ware accelerators (HSM, Hardware Security Module), the ECU asking for a session key (ECU1), the Key Master (KM), and the ECUs that will participate in the session and thus need the session key. The simulation shows a much higher load on the main CAN bus during a key distribution, and a much higher latency was observed for all classes of traffic not related to the key distribution (Schweppe et al., 2011): this security mechanism does impact the safety of the system. To solve that issue, one solution we experimented with was to split the authentication information across several successive messages.
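The trade-off described above (key-distribution traffic raising the CAN bus load and the latency of unrelated frames, mitigated by splitting the authentication information across several successive messages) can be made concrete with a small timing model. The following block is an added example, not code from the paper or from TTool: the frame overhead (no bit stuffing), the 500 kbit/s bit rate, the 16-byte key plus 16-byte MAC payload and the 500 µs deadline of the competing safety frame are all assumptions chosen to make the effect visible.

```python
"""Added example: CAN bus cost of a session-key distribution, sent as one burst
versus paced over successive frames.

Not code from the SysML-Sec paper or from TTool. Frame overhead, bit rate,
payload sizes and deadline below are assumptions.
"""
from dataclasses import dataclass

# Classical CAN (2.0A): a data frame carries at most 8 payload bytes.
CAN_MAX_DATA = 8
# Fixed bits of a standard-identifier data frame (SOF, arbitration, control,
# CRC, ACK, EOF, interframe space). Bit stuffing is ignored (assumption).
CAN_OVERHEAD_BITS = 47


def frame_bits(data_len: int) -> int:
    """Bits on the wire for one data frame carrying data_len payload bytes."""
    if not 0 <= data_len <= CAN_MAX_DATA:
        raise ValueError(f"CAN frame carries 0..{CAN_MAX_DATA} bytes, got {data_len}")
    return CAN_OVERHEAD_BITS + 8 * data_len


def fragment(payload: bytes) -> list[bytes]:
    """Split a key-distribution payload into CAN-sized fragments (last may be short)."""
    if not payload:
        raise ValueError("empty payload")
    return [payload[i:i + CAN_MAX_DATA] for i in range(0, len(payload), CAN_MAX_DATA)]


def burst_blocking_bits(payload: bytes) -> int:
    """Worst-case bits a lower-priority frame waits when all fragments are queued
    at once: each fragment wins arbitration in turn before the victim can send."""
    return sum(frame_bits(len(f)) for f in fragment(payload))


def paced_blocking_bits(payload: bytes) -> int:
    """Worst-case bits a lower-priority frame waits when fragments are sent one per
    period, so at most one fragment is ahead of it at any time."""
    return max(frame_bits(len(f)) for f in fragment(payload))


@dataclass(frozen=True)
class LatencyReport:
    frames: int
    burst_delay_s: float
    paced_delay_s: float
    safety_deadline_s: float

    @property
    def burst_meets_deadline(self) -> bool:
        return self.burst_delay_s <= self.safety_deadline_s

    @property
    def paced_meets_deadline(self) -> bool:
        return self.paced_delay_s <= self.safety_deadline_s


def assess(payload: bytes, bitrate_bps: int, victim_data_len: int,
           deadline_s: float) -> LatencyReport:
    """Worst-case latency of a safety-related frame (victim_data_len bytes) that
    becomes ready exactly when the key distribution starts, in both sending modes.
    Latency = blocking by key-distribution frames + the victim's own frame time."""
    own = frame_bits(victim_data_len) / bitrate_bps
    return LatencyReport(
        frames=len(fragment(payload)),
        burst_delay_s=burst_blocking_bits(payload) / bitrate_bps + own,
        paced_delay_s=paced_blocking_bits(payload) / bitrate_bps + own,
        safety_deadline_s=deadline_s,
    )


if __name__ == "__main__":
    # Constructed sample: 16-byte session key plus 16-byte MAC on a 500 kbit/s bus,
    # competing with an 8-byte safety frame that must leave within 500 us (assumptions).
    payload = bytes(range(16)) + bytes(16)
    r = assess(payload, 500_000, 8, 500e-6)
    print(f"{r.frames} fragments; burst {r.burst_delay_s * 1e6:.0f} us "
          f"({'ok' if r.burst_meets_deadline else 'MISSED'}), "
          f"paced {r.paced_delay_s * 1e6:.0f} us "
          f"({'ok' if r.paced_meets_deadline else 'MISSED'})")
```

With the sample values the four back-to-back fragments delay the safety frame by more than a millisecond and miss its deadline, while pacing the same fragments keeps the worst-case delay to two frame times. The price of pacing is that the key distribution itself takes longer to complete, which is the kind of safety-versus-security trade-off the simulation in the paper is meant to expose.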
7 CONCLUSION AND FUTURE WORK
Many attacks are now conducted on embedded systems and cyber-physical systems. A short time-to-market combined with strong safety and security requirements encourages the introduction of new development methodologies for those systems.

SysML-Sec integrates, in the same development cycle, semi-formal specifications of both safety and security features and properties. Simulations and formal proofs on models can easily be conducted with TTool, so as to assess architectural and design choices in terms of performance, safety properties, and security properties. Moreover, SysML is based on a well-known and recognized language for system engineering, and is fully supported by TTool.

SysML-Sec has been defined and used in the scope of the EVITA project, that is, to secure an automotive embedded system. The case study presented in this paper is extracted from this project, and demonstrates the interest of SysML-Sec and the choices made in its design.

One important objective of our work is now to add reasoning capabilities to SysML-Sec. More precisely, our goal is to verify that critical functionalities are not inhibited by the introduction of security mechanisms, e.g. message ciphering or network filtering. This could be done with logic inference rules.
REFERENCES
Apvrille, A. and Strazzere, T. (2012). Reducing the window of opportunity for Android malware. Gotta catch 'em all. Journal in Computer Virology, 8(1-2):61–71.
Apvrille, L. and Becoulet, A. (2012). Prototyping an Embedded Automotive System from its UML/SysML Models. In ERTSS'2012, Toulouse, France.
Apvrille, L. and De Saqui-Sannes, P. (2011). AVATAR/TTool : un environnement en mode libre pour SysML temps réel. Génie Logiciel, (98):22–26.
Apvrille, L. and De Saqui-Sannes, P. (2013). Requirements analysis. Embedded Systems: Analysis and Modeling with SysML, UML and AADL.
Apvrille, L., Mifdaoui, A., and De Saqui-Sannes, P. (2010). Real-time distributed systems dimensioning and validation: The TURTLE method. Studia Informatica Universalis, 8(3):47–69.
Apvrille, L., Muhammad, W., Ameur-Boulifa, R., Coudert, S., and Pacalet, R. (2006). A UML-Based Environment for System Design Space Exploration. In Electronics, Circuits and Systems, 2006. ICECS '06. 13th IEEE International Conference on, pages 1272–1275.
Apvrille, L. and Roudier, Y. (2013). SysML-Sec: A SysML environment for the design and development of secure embedded systems. In APCOSEC 2013, Yokohama, Japan.
Armando, A., Basin, D., Boichut, Y., Chevalier, Y., Compagna, L., Cuellar, J., Drielsma, P., Héam, P., Kouchnarenko, O., Mantovani, J., Mödersheim, S., Oheimb, D., Rusinowitch, M., Santiago, J., Turuani, M., Viganò, L., and Vigneron, L. (2005). The AVISPA tool for the automated validation of internet security protocols and applications. In Etessami, K. and Rajamani, S., editors, Computer Aided Verification, volume 3576 of Lecture Notes in Computer Science, pages 281–285. Springer Berlin Heidelberg.
Assolini, F. (2012). The Tale of One Thousand and One DSL Modems. Kaspersky Lab.
Balarin, F., Watanabe, Y., Hsieh, H., Lavagno, L., Passerone, C., and Sangiovanni-Vincentelli, A. (2003). Metropolis: An Integrated Electronic System Design Environment. Computer, 36(4):45–52.
Beck, K. and Andres, C. (2004). Extreme Programming Explained: Embrace Change (2nd Edition). Addison-Wesley Professional.
Bengtsson, J. and Yi, W. (2004). Timed automata: Semantics, algorithms and tools. In Lecture Notes on Concurrency and Petri Nets, pages 87–124. W. Reisig and G. Rozenberg (eds.), LNCS 3098, Springer-Verlag.
Blanchet, B. (2009). Automatic Verification of Correspondences for Security Protocols. Journal of Computer Security, 17(4):363–434.
Eames, D. P. and Moffett, J. (1999). The integration of safety and security requirements. In SAFECOMP, pages 468–480.
Esser, S. (2011). Exploiting the iOS Kernel. In BlackHat 2011.
Garavel, H., Lang, F., Mateescu, R., and Serwe, W. (2007). CADP 2006: A Toolbox for the Construction and Analysis of Distributed Processes. In Proceedings of the 19th International Conference on Computer Aided Verification CAV 2007.
Huang, A. (2002). Keeping Secrets in Hardware: the Microsoft XBox Case Study. AI Memo 2002-008, Massachusetts Institute of Technology, Artificial Intelligence Laboratory. Technical report.
Jaber, C. (2011). High-Level SoC Modeling and Performance Estimation Applied to a Multi-
SysML-Sec - A Model-Driven Approach for Designing Safe and Secure Systems    663