A Methodology for the Analysis and Modeling of Security Threats and Attacks for Systems of Embedded Components

Andrey Chechulin, Igor Kotenko, Vasily Desnitsky
Laboratory of Computer Security Problems
St. Petersburg Institute for Informatics and Automation
Saint-Petersburg, Russia

Jose Fran. Ruiz, Rajesh Harjani, Antonio Maña
Department of Computer Science
University of Malaga
Malaga, Spain

PDP-2012, 15-17 February 2012
Saint-Petersburg, Russia
Table of content
- SecFutur project
- Introduction
- Security Engineering Process
- Intruder model
- Threat modeling
- Analysis and modeling of security threats for ED systems
- Use-Case
- Conclusions
SecFutur project (1/3): Common description
- EU FP7 SecFutur project: Design of Secure and energy-efficient embedded systems for Future Internet applications
- Engineering process for secure systems with embedded devices
Goals of the SecFutur project:
- Security-enabled engineering process taking security into account at every stage
- Process automation
- Achieving a trade-off between security of the system, resource consumption, functionality and cost
SecFutur project (2/3): Modeling in Engineering process
[Figure: the modeling chain of the engineering process, reconstructed from the slide's labels]
Requirements --(abstract modeling)--> Abstract system model --(configuring)--> Design system model --(implementing)--> ED simulator or implementation --(implementation to embedded device)--> embedded device
Testing at each stage: Static testing (abstract system model), Analytical modeling (design system model), Dynamic testing and Simulation testing (ED simulator or implementation).
SecFutur project (3/3): Why do we need to use a threat model?
Models of threats and attacks are applied for:
- Automated verification of the Abstract Model to reveal potential vulnerabilities
- Automated construction of test vectors to check the system at the physical layer
- Facilitating security-related decisions for Security Building Blocks selection
- Determination of the required protection level
They are created by expert engineers:
- This allows system engineers (who do not have this expertise) to use threat and attack expertise
- The models can be updated with new information and used in different system models
Introduction (1/3): What is an "Embedded Device"?
- Telecommunication: mobile phones, routers, IP telephony, PDAs ...
- Aviation: flight control systems, supervisory control ...
- Cars: engine control, automatic transmission, alarm ...
- Household appliances: televisions, refrigerators, alarms ...
- Commercial equipment: POS, inventory control system ...
- Peripherals: printers, input devices ...
Introduction (2/3): Why do we need a new security engineering process?
- The evolution of embedded systems towards devices connected via the Internet, wireless communication or other interfaces, as well as the trend towards always growing numbers of devices, requires a reconsideration of embedded systems engineering processes.
- It is no longer possible to achieve the required level of security by adding security measures late in the development process.
- Security engineering needs to be part of the development in all stages of the process.
Introduction (3/3): Security Engineering Process
- Suits the specific needs of systems with embedded components, taking into account their distributed nature
- Supports developers of systems with embedded components in making security design decisions
- Facilitates the evolution of secure systems based on the replacement of embedded components while ensuring their security
- Encourages separation of responsibilities between security experts and system engineers
- Integrates seamlessly with rigorous models of embedded components in the form of building blocks
Security Engineering Process (1/2): Architecture
[Figure: layered architecture, top to bottom]
- UML Metamodel
- Core Security Metamodel
- Domain-Specific Metamodel
- System model
Security Engineering Process (2/2): CSM architecture
[Figure: Threat Model Diagram]
Intruder model (1/5): Classification of attackers
Main types of attacker's access:
- no access (Type 0)
- no direct access (Type 1)
- remote access (Type 2)
- outward access (Type 3)
- full access (Type 4)
Levels of attacker's possibilities:
- has no or insufficient knowledge and can access only commonly available tools (Level 1)
- possesses own information on the ED and access to advanced attack tools (Level 2)
- represents an organization able to assemble teams of 2nd-level attackers (Level 3)
Intruder model (2/5): Type 1 attacker
- ED represents some host (IP address) in the network (Internet)
- Main threats: interception, analysis and forging of messages, carrying out Internet network attacks
Classification of attackers by levels:
- Level 1: use common software tools and well-known exploits
- Level 2: use all available information and produce exploits
- Level 3: fulfill distributed attacks and conduct cryptanalysis of protocols
Intruder model (3/5): Type 2 attacker
- ED represents a real object to which physical access is prohibited
- Main threats: interception, analysis and forging of messages in wireless channels, side-channel attacks, remote attacks on the device, etc.
Classification of attackers by levels:
- Level 1: use known vulnerabilities during legal connection
- Level 2: use their own wireless modules and software for providing attacks
- Level 3: extend level 2 attacks by including resource-intensive attacks, e.g. remote effect on the ED by high-frequency radiation
Intruder model (4/5): Type 3 attacker
- ED represents a "black box" with unlimited physical access to the external interfaces
- Main threats: direct attacks on the interfaces of the ED, major part of side-channel attacks, fully controlled environment, etc.
Classification of attackers by levels:
- Level 1: use known vulnerabilities during legal connection
- Level 2: use their equipment for providing attacks through direct connection to the ED ports
- Level 3: extend level 2 attacks by including resource-intensive attacks, e.g. putting the ED into a fully controlled environment
Intruder model (5/5): Type 4 attacker
- ED represents a set of particular microcircuits with unlimited access to the circuits
- Main threats: disassembling the device and applying hardware exploits for internal interfaces, hidden ports, inter-chip communication, etc.
Classification of attackers by levels:
- Level 1: attackers have no possible attack
- Level 2: perform only simple attacks, e.g. DoS attacks by hammer
- Level 3: realize any attacks, e.g. read and modify data directly in the microcircuits, replace ED blocks, analyze microcircuits by electron microscope, etc.
Threat modeling (1/2)
- The Threat Model specifies the threats, attacks and tests of the DSM. It contains the representation of threats and associated concepts.
- It is composed of two parts: a threat modeling part and a test modeling part.
- The relation between them is that the modeled attacks can be tested in the user model to check its behavior and functionality using this specification.
Application of approach to the ED systems (1/4)
- Our proposed methodology features a process for the creation of security properties that can be used in the modeling of systems of embedded components in the initial modeling phase.
- The methodology is composed of two different processes: (i) the Engineering Process for Security Aspects and (ii) the Intruder Model.
Application of approach to the ED systems (2/4)
[Figure only; no text survived extraction]
Application of approach to the ED systems (3/4)
- The Intruder Model describes possible types of intruders and attacks, covering from the intruder's capabilities and type of access to the device to the different attacks he/she can realize in a specific domain.

Input                          | Element | Result
Security Properties, Intruders | Threats | Attacks
Intruders, Security Properties | Tests   | Verification of the property
Application of approach to the ED systems (4/4)
- After we define the attacks for the different threats, the attackers that can perform these attacks and the tests defined in the Intruder Model, we transform this model into the Threat Model of the DSM.
- For each of the different elements of the IM we can find an equivalent attribute in the DSM.
- The equivalency between the IM and the DSM Threat Model is very intuitive.
- Using the threat information, the IM researches and describes the different attacks that implement each threat.
Use-Case (1/5): Common use-case description
- Embedded device: Secure Connection Gateway (SCG)
- Main function: to transfer data between a personal computer and a server, which is placed in the Internet
- Two types of connections: wired (SCG-user) and wireless (SCG-Internet-database)

Security Requirement                                                        | Security Property
Trusted authentication of the user                                          | Authentication
Integrity and confidentiality of data transmitted through and stored in SCG | Integrity, Confidentiality
Use-Case (2/5): Example of DSM
Analyzed security property: confidentiality of the data transmitted between user and SCG.
Confidentiality DSM example:

Attribute     | Value
Name          | Confidentiality
Domain        | Wired communication
Model Element | Data interchange operations
Attributes    | Time-out; Users with access to the data
Use-Case (3/5): Example of intruder model application
- Type 1 attackers: do not exist, because the connection between SCG and user is not included in the Internet
- Type 2 attackers: do not exist, because there is no wireless connection in that case
- Type 3 attacker: mounts side-channel attacks, direct attacks on ED interfaces and modification of ED preferences (routing directory violation that allows the intruder to intercept information flows)
- Type 4 attacker: reads data directly from the microcircuits (e.g. data on keys in use, etc.)
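The selection above (Type 1 and Type 2 excluded for the wired user-SCG link, Type 3 and Type 4 retained) is a mechanical consequence of the access each attacker type requires. The following Python is an added example, not code from the slides or from the SecFutur project: it encodes the intruder model's attacker types and their main threats as data and derives, for an analysis domain, which types exist and which threats therefore have to be modeled. The channel names (internet, wireless, external_interfaces, microcircuits), the AnalysisDomain class and the two SCG domain definitions are assumptions of the example. It goes beyond the slide by also evaluating the SCG's wireless SCG-Internet-database connection, for which all four attacker types apply.

```python
from dataclasses import dataclass
from enum import IntEnum


class AttackerType(IntEnum):
    """Main types of attacker's access from the intruder model."""
    NO_ACCESS = 0         # Type 0
    NO_DIRECT_ACCESS = 1  # Type 1: ED is a host (IP address) in the network
    REMOTE_ACCESS = 2     # Type 2: ED is a real object, physical access prohibited
    OUTWARD_ACCESS = 3    # Type 3: "black box", unlimited access to external interfaces
    FULL_ACCESS = 4       # Type 4: unlimited access to the microcircuits


# Exposure channel an analysis domain must have for each attacker type to exist.
# The channel names are an assumption of this example, not part of the slides.
REQUIRED_CHANNEL = {
    AttackerType.NO_DIRECT_ACCESS: "internet",
    AttackerType.REMOTE_ACCESS: "wireless",
    AttackerType.OUTWARD_ACCESS: "external_interfaces",
    AttackerType.FULL_ACCESS: "microcircuits",
}

# Main threats per attacker type, transcribed from the intruder model slides.
MAIN_THREATS = {
    AttackerType.NO_DIRECT_ACCESS: [
        "interception, analysis and forging of messages",
        "Internet network attacks",
    ],
    AttackerType.REMOTE_ACCESS: [
        "interception, analysis and forging of messages in wireless channels",
        "side-channel attacks",
        "remote attacks on the device",
    ],
    AttackerType.OUTWARD_ACCESS: [
        "direct attacks on the interfaces of the ED",
        "major part of side-channel attacks",
        "fully controlled environment",
    ],
    AttackerType.FULL_ACCESS: [
        "disassembling the device and applying hardware exploits for internal "
        "interfaces, hidden ports, inter-chip communication",
    ],
}


@dataclass(frozen=True)
class AnalysisDomain:
    """The part of the system a security property is analysed in
    (corresponds to the 'Domain' attribute of the DSM example)."""
    name: str
    channels: frozenset


def applicable_attacker_types(domain):
    """Attacker types that exist for the domain, i.e. whose required channel it exposes."""
    return [t for t, channel in REQUIRED_CHANNEL.items() if channel in domain.channels]


def excluded_attacker_types(domain):
    """Attacker types that do not exist for the domain, with the missing channel as reason."""
    return {t: f"no {channel} access in this domain"
            for t, channel in REQUIRED_CHANNEL.items() if channel not in domain.channels}


def threat_catalogue(domain):
    """Main threats to consider for the domain: one list per applicable attacker type."""
    return {t: MAIN_THREATS[t] for t in applicable_attacker_types(domain)}


# Constructed input: the Secure Connection Gateway of the use-case, analysed
# separately for its two connections (the channel sets are assumptions).
SCG_USER_LINK = AnalysisDomain(
    "Wired communication (SCG-user)",
    frozenset({"external_interfaces", "microcircuits"}),
)
SCG_INTERNET_LINK = AnalysisDomain(
    "Wireless communication (SCG-Internet-database)",
    frozenset({"internet", "wireless", "external_interfaces", "microcircuits"}),
)

if __name__ == "__main__":
    for domain in (SCG_USER_LINK, SCG_INTERNET_LINK):
        print(domain.name)
        for t, threats in threat_catalogue(domain).items():
            print(f"  Type {int(t)} ({t.name}): {'; '.join(threats)}")
        for t, reason in excluded_attacker_types(domain).items():
            print(f"  Type {int(t)} ({t.name}) not applicable: {reason}")
```

Keeping the applicability rule in one table means the decision that a type "does not exist" for a domain is recorded with its reason, so it can be re-checked when the device gains a new interface (for instance when a wireless module is added to a link that was wired only).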
Use-Case (4/5): Example of threat model
Threat {Name: confidentiality violation, Active: active, Threat_Environment: wired communication, Motivation: obtain privileged data, Impact: medium-high, Objective: confidential information theft}
Attack {Name: interception, Domain: wired communication, Type: active, coordinated, Description: Interception of messages from the system within TCP/IP traffic}
Attacker Type {Type: Type 3, Name: Wired Type 1, Domain: Wired, Capacity: overhear, intercept messages, Information: medium, Resources: medium (standard software tools such as Wireshark), Ability: medium}
Test {Analysis of device's protection against Side-Channel attacks, Check for the use of secure protocols for interaction with exterior devices, Use of crypto resistant ciphers}
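The four elements above (Threat, Attack, Attacker Type, Test) are the result of transforming the Intruder Model into the DSM Threat Model, as described on slide 4/4 of the application section. The following Python is an added example, not code from the slides or from the SecFutur project: it holds the four elements as data, renders them in the slide's brace notation, and runs the consistency checks a reviewer would want before the entry is accepted into the DSM (every threat has at least one implementing attack, attack domain matches the threat environment, attacker types are among the intruder model's Type 0 to Type 4, and at least one test verifies the property). The dataclass and field names and the checks themselves are assumptions of the example; the values are the slide's.

```python
from dataclasses import dataclass, field, fields
from typing import List


@dataclass
class Threat:
    name: str
    active: str
    threat_environment: str
    motivation: str
    impact: str
    objective: str


@dataclass
class Attack:
    name: str
    domain: str
    type: str
    description: str


@dataclass
class AttackerType:
    type: str  # "Type 0" .. "Type 4" from the intruder model
    name: str
    domain: str
    capacity: str
    information: str
    resources: str
    ability: str


@dataclass
class Test:
    checks: List[str]


@dataclass
class ThreatModelEntry:
    """One threat of the DSM Threat Model with the attacks that implement it,
    the attacker types able to perform them and the tests verifying the property."""
    threat: Threat
    attacks: List[Attack] = field(default_factory=list)
    attackers: List[AttackerType] = field(default_factory=list)
    tests: List[Test] = field(default_factory=list)


VALID_TYPES = {f"Type {n}" for n in range(5)}


def render_element(label, obj):
    """One element in the slide's 'Label {Key: value, ...}' notation."""
    body = ", ".join(
        f"{f.name.replace('_', ' ').title()}: {getattr(obj, f.name)}" for f in fields(obj)
    )
    return f"{label} {{{body}}}"


def render(entry):
    """Whole entry, one element per line, in the order used on the slide."""
    lines = [render_element("Threat", entry.threat)]
    lines += [render_element("Attack", a) for a in entry.attacks]
    lines += [render_element("Attacker Type", at) for at in entry.attackers]
    lines += ["Test {" + ", ".join(t.checks) + "}" for t in entry.tests]
    return "\n".join(lines)


def consistency_issues(entry):
    """Problems that would make the IM -> DSM transformation incomplete (assumed checks)."""
    issues = []
    env = entry.threat.threat_environment.lower()
    if not entry.attacks:
        issues.append("threat has no attack that implements it")
    for a in entry.attacks:
        if a.domain.lower() != env:
            issues.append(f"attack '{a.name}': domain '{a.domain}' does not match threat environment '{env}'")
    if not entry.attackers:
        issues.append("no attacker type is able to perform the attacks")
    for at in entry.attackers:
        if at.type not in VALID_TYPES:
            issues.append(f"attacker '{at.name}': unknown intruder model type '{at.type}'")
    if not entry.tests:
        issues.append("no test verifies the security property against this threat")
    return issues


def confidentiality_violation_entry():
    """The use-case example from the slide, as data."""
    return ThreatModelEntry(
        threat=Threat("confidentiality violation", "active", "wired communication",
                      "obtain privileged data", "medium-high", "confidential information theft"),
        attacks=[Attack("interception", "wired communication", "active, coordinated",
                        "Interception of messages from the system within TCP/IP traffic")],
        attackers=[AttackerType("Type 3", "Wired Type 1", "Wired", "overhear, intercept messages",
                                "medium", "medium (standard software tools such as Wireshark)", "medium")],
        tests=[Test(["Analysis of device's protection against Side-Channel attacks",
                     "Check for the use of secure protocols for interaction with exterior devices",
                     "Use of crypto resistant ciphers"])],
    )


if __name__ == "__main__":
    entry = confidentiality_violation_entry()
    print(render(entry))
    print("issues:", consistency_issues(entry) or "none")
```

The check that catches the most in practice is the last one: an attack that is modeled but never tested gives the system engineer no way to verify the property in the dynamic testing phase, so such an entry should be sent back to the security expert rather than accepted into the DSM.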
Use-Case (5/5): Example of dynamic testing
Finally, after the security-enhanced system model is transformed into a design model, the dynamic testing is performed.

Type   | Target                             | Example of static testing
Type 1 | SCG as the Internet host           | What is the minimum level of DDoS attack at which the ED cannot work properly?
Type 2 | Wireless connection and interfaces | What is the minimum noise level needed to break the link between server and SCG?
Type 3 | Wired connection and interfaces    | Can SCG detect a brute force attack on the authentication system?
Type 4 | SCG as physical object             | What is the minimum weight of the hammer which allows an attacker to carry out a DoS attack?
Conclusion (1/3)
- This paper presents the treatment of Security Threats in the framework of an integrated methodology for the modeling of security-enhanced systems of embedded components.
- Security is specified by means of security requirements based on security properties.
- We provide a modeling tool, namely the Domain Security Metamodel (DSM), that contains a detailed model of a series of security properties for a specific domain.
- The methodology presented here is composed of the Security Framework for Security Aspects (for systems development) and the Intruder Model (for DSM development).
Conclusion (2/3)
- Our approach describes a semi-automatic and efficient tool for the definition and use of security properties and their threats.
- This process allows non-expert users to define and test the resilience of their applications.
- Our process allows a very wide and open definition of attacks, attackers, etc.
Conclusion (3/3): Future research
Related to the intruder model:
- refinement of the proposed model by adding additional parameters and detailing the existing ones
- extending the detailed protection requirements and possible security building blocks against each of the possible attacks in the intruder model
- developing a methodology for experimental analysis of ED security
Related to the DSM model:
- updating and improving the DSM with references to actors, validation and verification elements, assurance, etc.
- creation of a UML plugin tool for MagicDraw that allows the creation of secure system models using the methodology shown here (work in progress)
Questions
Thank you for your attention. Questions?

Contact information:
Andrey Chechulin ([email protected])
Igor Kotenko ([email protected])
Vasily Desnitsky ([email protected])
Jose Fran. Ruiz ([email protected])
Rajesh Harjani ([email protected])
Antonio Maña ([email protected])

This research is being supported by grants of the Russian Foundation of Basic Research (projects 10-01-00826 and 11-07-00435), the Program of fundamental research of the Department for Nanotechnologies and Informational Technologies of the Russian Academy of Sciences, State contract #11.519.11.4008, and partly funded by the EU as part of the SecFutur and MASSIF projects.