A Methodology for the Analysis and Modeling of Security Threats and Attacks for Systems of Embedded Components

Andrey Chechulin, Igor Kotenko, Vasily Desnitsky
Laboratory of Computer Security Problems
St. Petersburg Institute for Informatics and Automation, Saint-Petersburg, Russia

Jose Fran. Ruiz, Rajesh Harjani, Antonio Maña
Department of Computer Science
University of Malaga, Malaga, Spain

PDP-2012, 15-17 February 2012, Saint-Petersburg, Russia

Table of contents

- SecFutur project
- Introduction
- Security Engineering Process
- Intruder model
- Threat modeling
- Analysis and modeling of security threats for ED systems
- Use-Case
- Conclusions

SecFutur project (1/3): Common description

EU FP7 SecFutur project: Design of Secure and energy-efficient embedded systems for Future Internet applications
Engineering process for secure systems with embedded devices

Goals of the SecFutur project:
- Security-enabled engineering process that takes security into account at every stage
- Process automation
- Achieving a trade-off between security of the system, resource consumption, functionality and cost

SecFutur project (2/3): Modeling in Engineering process

(Diagram of the modeling flow; recoverable labels:) Requirements -> abstract modeling -> Abstract system model (static testing) -> configuring -> Design system model (analytical modeling) -> implementing -> ED simulator or implementation (dynamic testing, simulation testing) -> implementation to embedded device

SecFutur project (3/3): Why do we need to use a threat model?

Models of threats and attacks are applied for:
- Automated verification of the Abstract Model to reveal potential vulnerabilities
- Automated construction of test vectors to check the system at the physical layer
- Facilitating security-related decisions for Security Building Blocks selection
- Determination of the required protection level

They are created by expert engineers:
- This allows system engineers (who do not have this expertise) to use threats and attacks expertise
- The models can be updated with new information and used in different system models

Introduction (1/3): What is an "Embedded Device"?

- Telecommunication: mobile phones, routers, IP telephony, PDAs ...
- Aviation: flight control systems, supervisory control ...
- Cars: engine control, automatic transmission, alarm ...
- Household appliances: televisions, refrigerators, alarms ...
- Commercial equipment: POS, inventory control systems ...
- Peripherals: printers, input devices ...

Introduction (2/3): Why do we need a new security engineering process?

The evolution of embedded systems towards devices connected via the Internet, wireless communication or other interfaces, as well as the trend towards always growing numbers of devices, requires a reconsideration of embedded systems engineering processes.
It is no longer possible to achieve the required level of security by adding security measures late in the development process.
Security engineering needs to be part of the development in all stages of the process.

Introduction (3/3): Security Engineering Process

- Suits the specific needs of systems with embedded components, taking into account their distributed nature
- Supports developers of systems with embedded components in making security design decisions
- Facilitates the evolution of secure systems based on the replacement of the embedded components while ensuring their security
- Encourages separation of responsibilities between security experts and system engineers
- Integrates seamlessly with rigorous models of embedded components in the form of building blocks

Security Engineering Process (1/2): Architecture

(Layered architecture diagram; recoverable labels:) UML Metamodel -> Core Security Metamodel -> Domain-Specific Metamodel -> System model

Security Engineering Process (2/2): CSM architecture

(Diagram; recoverable label:) Threat Model Diagram

Intruder model (1/5): Classification of attackers

Main types of attacker's access:
- no access (Type 0)
- no direct access (Type 1)
- remote access (Type 2)
- outward access (Type 3)
- full access (Type 4)

Levels of attacker's possibilities:
- has no or insufficient knowledge and can access only commonly available tools (Level 1)
- possesses own information on the ED and access to advanced attack tools (Level 2)
- represents an organization able to assemble teams of 2nd-level attackers (Level 3)

Intruder model (2/5): Type 1 attacker

ED represents some host (IP address) in the network.
Main threats: interception, analysis and forging of messages, carrying out Internet network attacks.
Classification of attackers by levels:
- Level 1: use common software tools and well-known exploits
- Level 2: use all available information and produce exploits
- Level 3: carry out distributed attacks and conduct cryptanalysis of protocols

Intruder model (3/5): Type 2 attacker

ED represents a real object to which physical access is prohibited.
Main threats: interception, analysis and forging of messages in wireless channels, side-channel attacks, remote attacks on the device, etc.
Classification of attackers by levels:
- Level 1: use known vulnerabilities during a legal connection
- Level 2: use their own wireless modules and software for carrying out attacks
- Level 3: extend level 2 attacks by including resource-intensive attacks, e.g. remote effect on the ED by high-frequency radiation

Intruder model (4/5): Type 3 attacker

ED represents a "black box" with unlimited physical access to the external interfaces.
Main threats: direct attacks on the interfaces of the ED, the major part of side-channel attacks, fully controlled environment, etc.
Classification of attackers by levels:
- Level 1: use known vulnerabilities during a legal connection
- Level 2: use their own equipment for carrying out attacks through direct connection to the ED ports
- Level 3: extend level 2 attacks by including resource-intensive attacks, e.g. putting the ED into a fully controlled environment

Intruder model (5/5): Type 4 attacker

ED represents a set of particular microcircuits with unlimited access to the circuits.
Main threats: disassembling the device and applying hardware exploits for internal interfaces, hidden ports, inter-chip communication, etc.
Classification of attackers by levels:
- Level 1: attackers have no possible attack
- Level 2: perform only simple attacks, e.g. DoS attacks by hammer
- Level 3: realize any attacks, e.g. read and modify data directly in the microcircuits, replace the ED's blocks, analyze microcircuits by electron microscope, etc.

Threat modeling (1/2)

The Threat Model specifies the threats, attacks and tests of the DSM. It contains the representation of threats and associated concepts.
It is composed of two parts: a threat modeling part and a test modeling part.
The relation between them is that the modeled attacks can be tested in the user model to check its behavior and functionality using this specification.

Threat modeling (2/2)

(Diagram of the threat model; no text recoverable from the transcript)

Application of approach to the ED systems (1/4)

Our proposed methodology features a process for the creation of security properties that can be used in the modeling of systems of embedded components in the initial modeling phase.
The methodology is composed of two different processes: (i) the Engineering Process for Security Aspects and (ii) the Intruder Model.

Application of approach to the ED systems (2/4)

(Diagram; no text recoverable from the transcript)

Application of approach to the ED systems (3/4)

The Intruder Model describes possible types of intruders and attacks, covering from the intruder's capabilities and type of access to the device to the different attacks he/she can realize in a specific domain.

Input                          | Element | Results
Security Properties            | Threats |
Intruders                      | Attacks |
Intruders, Security Properties | Tests   | Verification of the property

Application of approach to the ED systems (4/4)

After we define the attacks for the different threats, the attackers that can perform these attacks and the tests defined in the Intruder Model, we transform this model into the Threat Model of the DSM.
For each of the different elements of the IM we can find an equivalent attribute in the DSM.
The equivalency between the IM and the DSM Threat Model is very intuitive.
Using the threats information, the IM researches and describes the different attacks that implement each threat.

Use-Case (1/5): Common use-case description

Embedded device: Secure Connection Gateway (SCG)
Main function: to transfer data between a personal computer and a server placed in the Internet
Two types of connections: wired (SCG-user) and wireless (SCG-Internet-database)

Security Requirement                                                        | Security Property
Trusted authentication of the user                                          | Authentication
Integrity and confidentiality of data transmitted through and stored in SCG | Integrity, Confidentiality

Use-Case (2/5): Example of DSM

Analyzed security property: confidentiality of the user-SCG transmitted data
Confidentiality DSM example:

Attribute     | Value
Name          | Confidentiality
Domain        | Wired communication
Model Element | Data interchange operations
Attributes    | Time-out; Users with access to the data

Use-Case (3/5): Example of intruder model application

- Type 1 attackers: do not exist, because the connection between SCG and user is not included in the Internet
- Type 2 attackers: do not exist, because there is no wireless connection in that case
- Type 3 attacker: mounts side-channel attacks, direct attacks on ED interfaces and modification of ED preferences (routing directory violation that allows the intruder to intercept information flows)
- Type 4 attacker: reads data directly from the microcircuits (e.g. data on keys in use, etc.)

Use-Case (4/5): Example of threat model

Threat {Name: confidentiality violation, Active: active, Threat_Environment: wired communication, Motivation: obtain privileged data, Impact: medium-high, Objective: confidential information theft}
Attack {Name: interception, Domain: wired communication, Type: active, coordinated, Description: Interception of messages from the system within TCP/IP traffic}
Attacker Type {Type: Type 3, Name: Wired Type 1, Domain: Wired, Capacity: overhear, intercept messages, Information: medium, Resources: medium (standard software tools such as Wireshark), Ability: medium}
Test {Analysis of device's protection against Side-Channel attacks, Check for the use of secure protocols for interaction with exterior devices, Use of crypto-resistant ciphers}
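The IM-to-DSM transformation described in "Application of approach (4/4)" and the threat-model records of this use case can be encoded in a few lines. The following is an added example, not the paper's tool; the rule tying attacker types to connection kinds (Type 1 needs an Internet link, Type 2 a wireless one, Types 3 and 4 only physical reach) and the sample attacks are assumptions drawn from the use-case slides.

```python
from dataclasses import dataclass

# Attacker types by kind of access to the embedded device (ED), as in the slides.
ACCESS_TYPES = {1: "no direct access", 2: "remote access", 3: "outward access", 4: "full access"}

# Assumed rule drawn from the use-case slide: Type 1 needs the analysed channel
# to reach the Internet, Type 2 needs a wireless link, Types 3 and 4 act on the
# physical device and need no particular link.
TYPE_REQUIRES = {1: {"internet"}, 2: {"wireless"}, 3: set(), 4: set()}

@dataclass
class Attack:
    name: str
    domain: str
    attacker_type: int   # attacker type from the Intruder Model
    resources: str
    description: str

@dataclass
class Threat:
    name: str
    environment: str     # Threat_Environment in the DSM record
    impact: str
    objective: str

def applicable_attacker_types(connections):
    """Attacker types whose required kind of link exists in the analysed scope."""
    present = set(connections)
    return [t for t, needs in TYPE_REQUIRES.items() if needs <= present]

def to_dsm_threat_model(threat, attacks, connections):
    """Map Intruder Model elements to DSM Threat Model records (Threat, Attack,
    Attacker Type), keeping only attacks an applicable type can perform."""
    types = applicable_attacker_types(connections)
    model = {"Threat": {"Name": threat.name, "Active": "active",
                        "Threat_Environment": threat.environment,
                        "Impact": threat.impact, "Objective": threat.objective},
             "Attacks": [], "AttackerTypes": []}
    for a in attacks:
        if a.attacker_type not in types or a.domain != threat.environment:
            continue   # outside the analysed scope: not carried into the DSM
        model["Attacks"].append({"Name": a.name, "Domain": a.domain,
                                 "Description": a.description})
        model["AttackerTypes"].append({"Type": f"Type {a.attacker_type}",
                                       "Access": ACCESS_TYPES[a.attacker_type],
                                       "Resources": a.resources})
    return model

# Constructed sample: the SCG confidentiality property over the wired user link.
CONFIDENTIALITY = Threat("confidentiality violation", "wired communication",
                         "medium-high", "confidential information theft")
SCG_ATTACKS = [
    Attack("interception", "wired communication", 3, "medium",
           "Interception of messages from the system within TCP/IP traffic"),
    Attack("key readout", "wired communication", 4, "high",
           "Read key data directly from the microcircuits"),
    Attack("wireless interception", "wireless communication", 2, "medium",
           "Interception of messages in the wireless channel"),
]
```

Calling `to_dsm_threat_model(CONFIDENTIALITY, SCG_ATTACKS, {"wired"})` keeps only the Type 3 and Type 4 attacks, matching the intruder model application on the previous slide.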

Use-Case (5/5): Example of dynamic testing

Finally, after the security-enhanced system model is transformed into a design model, the dynamic testing is performed.

Type   | Target                             | Example of static testing
Type 1 | SCG as the Internet host           | What is the minimum level of DDoS attack at which the ED cannot work properly?
Type 2 | Wireless connection and interfaces | What is the minimum noise level needed to break the link between server and SCG?
Type 3 | Wired connection and interfaces    | Can SCG detect a brute force attack on the authentication system?
Type 4 | SCG as physical object             | What is the minimum weight of the hammer which allows an attacker to carry out a DoS attack?

Conclusion (1/3)

This paper presents the treatment of Security Threats in the framework of an integrated methodology for the modeling of security-enhanced systems of embedded components.
The security is specified by means of security requirements based on security properties.
We provide a modeling tool, namely the Domain Security Metamodel (DSM), that contains a detailed model of a series of security properties for a specific domain.
The methodology presented here is composed of the Security Framework for Security Aspects (for systems development) and the Intruder Model (for DSM development).

Conclusion (2/3)

Our approach describes a semi-automatic and efficient tool for the definition and use of security properties and their threats.
This process allows non-expert users to define and test the resilience of their applications.
Our process allows a very wide and open definition of attacks, attackers, etc.

Conclusion (3/3): Future research

Related to the intruder model:
- refinement of the proposed model by adding additional parameters and detailing the existing ones
- extending detailed protection requirements and possible security building blocks against each of the possible attacks in the intruder model
- developing a methodology for experimental analysis of ED security

Related to the DSM model:
- updating and improving the DSM with references to actors, validation and verification elements, assurance, etc.
- creation of a UML plugin tool for MagicDraw that allows the creation of secure system models using the methodology shown here (work in progress)

Questions

Thank you for your attention. Questions?

Contact information:
Andrey Chechulin ([email protected])
Igor Kotenko ([email protected])
Vasily Desnitsky ([email protected])
Jose Fran. Ruiz ([email protected])
Rajesh Harjani ([email protected])
Antonio Maña ([email protected])

This research is being supported by grants of the Russian Foundation of Basic Research (projects 10-01-00826 and 11-07-00435), the Program of fundamental research of the Department for Nanotechnologies and Informational Technologies of the Russian Academy of Sciences, State contract #11.519.11.4008 and partly funded by the EU as part of the SecFutur and MASSIF projects.