copyright@2018 CAV Technologies Co., Ltd. all rights reserved.
Security First
CAV Technologies
SAFETY & SECURITY CO-ENGINEERING
- A NEW EMERGING DISCIPLINE FOR SAFE AND SECURE SYSTEM DEVELOPMENT -
KENJI TAGUCHI
CAV TECHNOLOGIES CO. LTD.
4 DEC 2018
ADVERTISEMENTS FOR MYSELF
[Career]
- Founder and CEO of CAV Techs, April 2011~
- 11 years of experience in the software industry
  ‒ R&D and consulting
- 20 years in academia
  ‒ Universities in Japan (3 years): Kyushu University, etc.
  ‒ Universities in Europe (5 years): Uppsala University (Sweden), University of Bradford (UK)
  ‒ National research institutes (12 years):
    • Professor by special appointment (National Institute of Informatics)
    • Invited Researcher (National Institute of Advanced Industrial Science and Technology)
[Standardization and academic commitments]
- Co-founder of the iFM (Integrated Formal Methods) conference series
- International Conference on Formal Engineering Methods 2012, program co-chair
- Member of the Formal Methods Europe Education SG
- SICE Certification Engineering WG Chair
- FP7 OPENCOSS, External Advisory Board Member
- JASPAR Functional Safety, Safety Argument SWG (2016)
- OMG System Assurance Platform Task Force co-chair
- IEC TC65/WG 20 (Framework to bridge the requirements for safety and security) Expert
- International Workshop on Assurance Cases for Software-intensive Systems (2017) Program co-chair
[Research Areas]
+ Safety/Security/Software Engineering and Formal Methods
+ Served as PC member and/or co-chair of numerous international conferences/workshops (in '18: ASSURE '18, SAFECOMP '18)
CO-AUTHORED BOOKS, EDITED CONFERENCE PROCEEDINGS AND JOURNALS
- Integrated Formal Methods (iFM) Conference Series, co-founder (1999)
- International Conference on Formal Engineering Methods (ICFEM), co-chair/co-editor (2012)
- Basics of Software Science (ソフトウェア科学基礎, Kindai Kagaku Sha), co-author (2008)
- ACM SIGCSE inroads Bulletin, Special Issue on Formal Methods Education and Training, co-editor (2009)
- Is Security Software Engineering useful in practice? Information Processing Society of Japan, co-editor (2009)
MAIN SERVICES OF MY COMPANY
• C(ertification)
  ‒ Certification support for several international standards on safety and security, e.g., automotive and railway
    - ISO 26262 / SAE J3061
    - EN 50128
• A(ssurance)
  ‒ Assurance for system safety and security
    - Safety and security analyses
    - Safety/cybersecurity cases
    - Third-party V&V
• V(erification)
  ‒ Formal verification (model checking / formal specification)
    - Hands-on training
    - V&V support
Tools and notations: Model Checking (SPIN, PAT), Formal Verification (VDM, Z), Attack Tree, GSN
SECULIA
• SecuLia is a threat analysis tool jointly developed by our company and Gaio.
  ‒ https://www.gaio.co.jp/product/dev_tools/pdt_seculia.html
  ‒ Add-in application for Enterprise Architect (Sparx Systems)
• Main functionalities
  ‒ Fault Tree Analysis
  ‒ Attack Tree Analysis
    - Risk assessment a la EVITA, i.e., risk parameters taken from CC/CEM, with AND/OR gates evaluated as min/max
    - Minimal cut sets
  ‒ FT-AT Analysis
    - Analysis of the interference of security against safety (the interface between HARA and TARA)
  ‒ Extendable risk assessment
    - Programmable risk assessment interface
SECURITY ANALYSIS PLATFORM
• Developed as part of a research project on V2X security
  ‒ funded by METI
• Security add-on to model-based engineering
• Implemented as an add-on program for Enterprise Architect (Sparx Systems)
• Various diagramming techniques for the design and analysis of secure architectures, TARA (Threat Analysis and Risk Assessment), etc.
  ‒ Security extension of SysML
    - Secure block definition diagram
    - Security requirements diagram
  ‒ Attack trees (SecuLia)
  ‒ New diagram for system-level threat analysis
• Planned to be placed in the public domain in 2019.
[figure: example fault/attack tree ("class FT example") drawn in the platform; node labels translated from Japanese]
- Top event: a third party deliberately stops the control function of the control ECU during normal operation via the 3G/LTE line
- The attacker has a motive to stop the control function of the control ECU
- Access the gateway by impersonating the centre-side server
  - Eavesdrop on the authentication data used between the gateway and the centre-side server, then impersonate the server
  - Repeatedly attempt the authentication between the gateway and the centre-side server, then impersonate the server
- Send malicious data from the 3G/LTE interface to the control ECU through the gateway
- The user does not notice that a third party is attacking
SAFETY VS SECURITY
SAFETY VS SECURITY: WHAT IS THE PROBLEM?
• Many industrial sectors which manufacture safety-critical systems, such as railway, automobile, avionics and nuclear plants, face security threats which may have serious consequences for safety.
What is the cause of an incident? Mechanical failure? Hacking?
Traditionally, safety-critical systems were assumed to be immune to security threats. Now they are targeted by hackers.
JEEP CHEROKEE HACK
• A Jeep Cherokee was remotely hacked by C. Miller and C. Valasek
  ‒ Black Hat 2015, Remote Exploitation of an Unaltered Passenger Vehicle, 2015
• Attack vectors
  ‒ Remote attack
    - No physical access to the CAN bus (no direct injection of CAN messages through the OBD-II port)
    - Remote access via the infotainment device
  ‒ Spoof CAN messages
    - Force an ECU into diagnostic mode and spoof control messages
• Safety mechanism against a security threat!
  ‒ An ECU can only be put into diagnostic mode at low speed.
  ‒ A safety mechanism incidentally defends the ECU from this attack vector.
[photo: memory stick distributed with the recall]
TESLA MODEL S HACK
• A hack on the Tesla Model S was reported in 2016 (Tencent Keen Security Lab)
  ‒ Presented at Black Hat USA 2017 as Free-Fall: Hacking Tesla From Wireless to CAN Bus
• Same attack vectors
  ‒ Remote attack
    - via the infotainment system
    - used vulnerabilities commonly found in IT
  ‒ Spoof CAN messages
    - spoof control messages to ECUs
• Defended by a safety mechanism!
  ‒ Some ECUs do not respond while in driving mode
BASIC CONCEPTS RELATED TO SAFETY
• Safety-related concepts such as hazard, accident, risk and failure have different definitions and understandings across industries and countries.
• Definitions (from ISO 26262)
  ‒ Hazard
    - potential source of harm caused by malfunctioning behaviour of the item
  ‒ Safety mechanism
    - technical solution implemented by E/E functions or elements, or by other technologies, to detect faults or control failures in order to achieve or maintain a safe state.
    - Remark: safety mechanisms range from simple monitor-arbitration logic to more complex fault-tolerant/redundancy mechanisms
Examples of hazards:
1) Overheating of a battery charging device causes it to explode and/or causes burns.
2) An ECU produces unintended assist torque.
The following simplified figure is used to represent a safety mechanism against a hazard.
[figure: hazard ⟶ safety mechanism]
THREAT AND HAZARD: HOW DO THEY INTERACT WITH EACH OTHER?
• There is no clear and definitive definition of how threat and hazard are related to each other.
• Definitions (from J3061)
  ‒ Threat
    - A circumstance or event with the potential to cause harm, where harm may be with respect to financial, reputation, privacy, safety, or operational.
• We take it as a working assumption that a hazard may be caused by a threat.
Hazard: Overheating of a battery charging device causes it to explode and/or causes burns.
Threat (action): Malware causes a malfunction of the battery charging device.
Hazard: An ECU produces unintended assist torque.
Threat (action): A control message is spoofed.
[figure: threat ⟶ hazard, the relationship "a threat causes a hazard"]
SAFETY MECHANISM AGAINST SECURITY THREAT
[figure: safety mechanism against a hazard: hazard ⟶ safety mechanism]
[figure: security threat causes a hazard: threat ⟶ hazard]
[figure: Jeep/Tesla hack: threat ⟶ hazard ⟶ safety mechanism]
OVERRIDE SAFETY MECHANISM
[figure: threat ⟶ hazard ⟶ safety mechanism]
How did the hackers overcome this obstacle?
[figure: threat ⟶ hazard ⟶ safety mechanism, with the safety mechanism overridden]
SAFETY MECHANISM AND SECURITY MECHANISM
[figure: threat ⟶ security mechanism ⟶ hazard ⟶ safety mechanism]
Best relationship between safety and security mechanisms:
[figure: threat ⟶ security mechanism ⟶ hazard ⟶ safety mechanism]
This figure matches the doctrine that security mechanisms should work to maintain the integrity level of the safety mechanism.
Security mechanisms prevent a threat from evolving into a hazard!
HARMONIZATION BETWEEN SAFETY MECHANISM AND SECURITY MECHANISM?
Do we agree that the best relationship between safety and security mechanisms is the following?
[figure: threat ⟶ security mechanism ⟶ hazard ⟶ safety mechanism]
What about the following?
[figure: threat ⟶ (security mechanism + safety mechanism) ⟶ hazard: a synthesis of safety and security mechanisms]
TRADE-OFF/SYNERGY BETWEEN SAFETY AND SECURITY: SESAMO
• SESAMO is a European research project which investigates the inter-relation between safety and security
  ‒ http://sesamo-project.eu/
  ‒ Security and safety modeling: D2.1 – Specification of Safety and Security Mechanisms, Version 0 1, 29 May 2013, Final.
• Function building blocks are presented in which trade-offs and synergies are described.
  ‒ E.g., the encryption/decryption building block:
                 Safety                                        Security
  Trade-off      Delay                                         Level of security depends on the type of mechanism
                 Delay                                         Level of security depends on the key length
  Synergy        Cryptographic checksums for fault detection
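The synergy row is easy to see in code. The following is an added example written for this page, not SESAMO's or the author's code; the frame layout, the demo key and the 8-byte truncated HMAC-SHA256 tag are assumptions made for the example. It runs three cases through a receiver that checks both a CRC-32 (the safety checksum) and a MAC (the cryptographic checksum): an intact frame, a frame with one bit flipped by a random fault, and a frame an attacker has rewritten and re-checksummed.

```python
"""Safety checksum (CRC) versus cryptographic checksum (MAC) on a CAN-style
frame: the synergy row of the SESAMO table, as an added example."""
import hashlib
import hmac
import struct
import zlib
from typing import Tuple

# Constructed demo key. On a real ECU the key is provisioned into an HSM and
# never appears in source code.
DEMO_KEY = bytes(range(16))
FRAME_FMT = ">HBh3x"   # constructed layout: [CAN id:2][freshness counter:1][torque:2][pad:3]


def build_frame(can_id: int, counter: int, torque: int) -> bytes:
    return struct.pack(FRAME_FMT, can_id, counter, torque)


def parse_torque(frame: bytes) -> int:
    return struct.unpack(FRAME_FMT, frame)[2]


def crc32(frame: bytes) -> bytes:
    """Safety checksum: detects random corruption, but anyone can recompute it."""
    return zlib.crc32(frame).to_bytes(4, "big")


def mac(frame: bytes, key: bytes = DEMO_KEY, length: int = 8) -> bytes:
    """Cryptographic checksum: truncated HMAC-SHA256 (the truncated-MAC shape
    that AUTOSAR SecOC uses). Recomputing it requires the key."""
    return hmac.new(key, frame, hashlib.sha256).digest()[:length]


def check_crc(frame: bytes, tag: bytes) -> bool:
    return crc32(frame) == tag


def check_mac(frame: bytes, tag: bytes, key: bytes = DEMO_KEY) -> bool:
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(mac(frame, key, len(tag)), tag)


def flip_bit(data: bytes, bit: int) -> bytes:
    """Model a random fault (EMI, marginal bus driver): flip one bit."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def spoof(frame: bytes, torque: int) -> Tuple[bytes, bytes]:
    """Model the Jeep/Tesla-style attacker: rewrite the torque field and
    recompute the CRC, which needs no secret. Returns (forged frame, its CRC)."""
    can_id, counter, _ = struct.unpack(FRAME_FMT, frame)
    forged = build_frame(can_id, counter, torque)
    return forged, crc32(forged)


def receiver_verdict(frame: bytes, crc: bytes, tag: bytes) -> dict:
    """What a receiving ECU that runs both checks concludes about a frame."""
    return {"crc_ok": check_crc(frame, crc), "mac_ok": check_mac(frame, tag)}


if __name__ == "__main__":
    frame = build_frame(0x0C9, 7, 120)  # constructed: 120 Nm assist-torque request
    crc, tag = crc32(frame), mac(frame)
    print("intact   ", receiver_verdict(frame, crc, tag))
    print("bit flip ", receiver_verdict(flip_bit(frame, 37), crc, tag))
    forged, forged_crc = spoof(frame, 3000)
    print("spoofed  ", receiver_verdict(forged, forged_crc, tag))
```

The intact frame passes both checks; the bit flip fails both, which is the synergy (the MAC catches the random fault too); the spoofed frame passes the CRC and fails the MAC, because the attacker can recompute a CRC but not a keyed tag. Two caveats for a safety engineer: the MAC's detection of random corruption is probabilistic (about 2^-64 for an 8-byte tag) rather than the guaranteed burst-error coverage of a CRC, so it complements the CRC rather than replacing it; and a MAC alone does not stop replay of an authentic frame, so the freshness counter has to sit inside the authenticated bytes and be checked by the receiver. The delay rows of the table show up here as the extra hash computation per frame and the tag bytes carried on the bus.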
DETECTION AND DEGRADATION IN SAFETY AND SECURITY CONTEXT
• When a security threat defeats a safety mechanism, the best design would be to gracefully degrade the system into a safe state, which is slightly different from a traditional safety mechanism.
[figure: threat ⟶ hazard ⟶ safety mechanism; threat detection (security) and fault detection (safety) both lead to degradation, a driver warning and a safe state; "Attack succeeds!" marks the path on which the threat reaches the hazard]
PROCESS INTEGRATION
ISO 26262
• Only a part of the safety concept phase is dealt with in this talk,
  ‒ i.e., Part 3 of ISO 26262, the concept phase.
[figure: ISO 26262 overview with the safety concept phase highlighted]
PROCESS POINT OF VIEW – SAFETY AND SECURITY
• Take an example process at an early stage from the automotive safety and security standards
• Functional safety standard
  ‒ ISO 26262 Part 3, Road Vehicles – Functional Safety, 2011
    - Part 3: Concept phase
• Cybersecurity standard
  ‒ SAE J3061, Cybersecurity Guidebook for Cyber-Physical Vehicle Systems, 2016
    - Cybersecurity concept phase
[figure: the ISO 26262-3 concept phase process beside the J3061 cybersecurity concept phase process]
BAD EXAMPLE?
Is it OK to do safety first and then security?
• Can we just proceed sequentially from safety to security?
[figure: safety and security activities run one after the other]
PROCESS PATTERNS
• There are several open issues as to how to integrate safety and security processes.
• There are some proposals, but it will take some time before they are applied in real industrial settings.
• Some existing proposals can be classified into the following patterns.
Pattern                     Example / origin
Uni-directional Reference   Abstraction from DO-326A
Subordinate                 Safety subsumes security
Interrelated                SESAMO (FP7): trade-off between processes
SafSec                      SafSec standards
[figure: basic pattern diagram for each row]
K. Taguchi, D. Souma, H. Nishihara: Safe & Sec Case Patterns, ASSURE 2015
UNI-DIRECTIONAL REFERENCE PROCESS PATTERN
• The security and safety processes are separated, but the security part refers to some results of the safety part.
  ‒ In this example, the result of hazard identification is used in threat identification.
• This process pattern can be witnessed in the airworthiness security standard DO-326A.
SUBORDINATE PROCESS PATTERN
• Some of the activities related to security are subordinate to their counterparts in safety.
  ‒ Requirement:
    - Needs methodological support, e.g., a safety analysis method which can also analyze security threats.
• This view appears to be predominant in the safety-critical systems community.
[figure: a fault tree with an attack tree as a sub-tree]
The above tree represents a methodological support for the subordinate approach, which integrates Fault Tree (FT) analysis with Attack Tree (AT) analysis.
Steiner, M., Liggesmeyer, P.: Combination of Safety and Security Analysis - Finding Security Problems That Threaten The Safety of a System.
INTERRELATED (INDEPENDENT) PROCESS PATTERN
• The security and safety processes run independently, but a trade-off analysis between risk reduction measures (safety requirements) and mitigation methods (security requirements) should be carried out.
  ‒ This is witnessed in the FP7 SESAMO project.
• The aim of the analysis is to identify potential feature interactions between functional safety requirements and security requirements.
  ‒ For instance, the timing constraints of a functional safety requirement may be violated by a time-consuming encryption mechanism demanded by a security requirement.
SESAMO: http://sesamo-project.eu
Born, M.: An Approach to Safety and Security Analysis for Automotive Systems. SAE 2014 World Congress and Exhibition (2014)
COMMUNICATION POINTS/PATHS IN J3061
• In J3061, the notion of a communication point/path is used implicitly to explain how issues raised in one process are communicated to the other.
• We can apply this to process integration.
[figure: J3061, p. 40]
PROCESS INTEGRATION: ANALYZE AND COMBINE (1)
• Find the communication points in both processes.
• If the communication is uni-directional, add a new process path in the opposite direction.
Analyze: [figure: ISO 26262-3 beside J3061] A threat may have an effect on hazards.
Combine: [figure: ISO 26262-3 beside J3061] A new directed process path may be added.
PROCESS INTEGRATION: ANALYZE AND COMBINE (2)
• If the path is bidirectional, create a new process which analyzes the impact and trade-off of the work products from each process.
Analyze: [figure: ISO 26262-3 beside J3061] Safety and security requirements may interfere with each other.
Combine: [figure: ISO 26262-3 beside J3061] Create a new process which analyzes the impact and trade-off of both work products.
ATTACK TREE ANALYSIS
ATTACK TREE ANALYSIS (ATA)
• Attack Tree Analysis (ATA) / Attack Trees (ATs) were introduced by B. Schneier [1].
• An adaptation of FTA (Fault Tree Analysis) to security analysis.
• Fault Trees (FTs) were invented in the 1960s as a safety analysis method, and have been used extensively in the development of safety-critical systems such as automobiles, railway, avionics, etc.
• FTs are based on Boolean algebra/logic and their risk assessment is based on probability.
• Contrary to FTs, a risk assessment method for ATs has not been established yet, partly due to the nature of security: security events are not quantitative/probabilistic, and the interpretation of the logical operators (i.e., gate symbols such as AND and OR) is not yet settled.
• FTs are internationally standardized [2], but there is no international standard for ATs.
[1] B. Schneier: Attack trees: modeling security threats, Dr. Dobb's Journal 24 (1999), pp. 21-29.
[2] IEC 61025:2006, Fault Tree Analysis
AT A LA EVITA STYLE
• In EVITA, an attack method is structured based on the types of attacks
• Attack goals
  ‒ Benefit of an attacker
• Attack objectives
  ‒ What the attacker does to achieve the goal
• Attack methods
  ‒ Methods of an attack
• Asset attacks
  ‒ Assets targeted by an attack
[1] Deliverable D2.3: Security requirements for automotive on-board networks based on dark-side scenarios, 2008
Example (from [1], p. 63):
• Attack goals
  - Harm (individual, organization)
  - Gain benefit
  - Obtain information
  - Terrorism
• Attack objectives
  - Engine controller receives warning
  - Attack C2I message
  - Issue bogus speed limit notices to other vehicles
• Attack methods
  - Disable Engine Control Unit
  - Message corrupted
WHAT IS THE EVITA PROJECT?
• EVITA is a European research project on security for V2X (Vehicle-to-X) communications, i.e., connected cars, and crypto modules.
• One of the greatest achievements of EVITA is to have analyzed security threats using attack trees and derived security requirements from the analyses.
• EVITA adopts the security metrics of CC (Common Criteria, ISO/IEC 15408) / CEM (Common Evaluation Methodology, ISO/IEC 18045) [1]
[1] Common Methodology for Information Technology Security Evaluation
RISK ASSESSMENT FOR ATA
• Several security risk assessment metrics have been proposed for different domains.
  ‒ CVSS (Common Vulnerability Scoring System)
  ‒ CC/CEM (Common Criteria / Common Evaluation Methodology)
• They do not define how to apply them to a formalism with a tree structure like ATs.
• Two essential factors when applying them to ATs:
  ‒ Allocation of metric values to the basic attack nodes
  ‒ Calculation across the logical gate symbols (AND/OR)
[1] Deliverable D2.3: Security requirements for automotive on-board networks based on dark-side scenarios, 2008
CC/CEM
• Parameters for risk
assessment
‒ ET: Elapsed Time
‒ Ex: Expertise
‒ K: Knowledge of system
‒ W: Window of opportunity
‒ Eq: Equipment
ATTACK PROBABILITY
• Each basic attack event is assessed by the parameters (ET, Ex, K, W, Eq); their sum is mapped to an attack potential, which gives the attack probability.
• Value = ET + Ex + K + W + Eq
Value    Attack potential   Attack probability (AP)
0-9      Basic              5
10-13    Enhanced Basic     4
14-19    Moderate           3
20-24    High               2
>= 25    Beyond High        1
The higher the attack probability, the easier the attack becomes.
Reminder/assumption: an attacker is highly likely to choose the easiest attack.
RISK ASSESSMENT ON AT A LA EVITA
• Calculation of gates
  ‒ OR gate is max
  ‒ AND gate is min
• Basic formula
  ‒ AP = Attack Probability: (ET, Ex, K, W, Eq) → Value → AP
The calculation of these gates is intuitively sound due to the nature of attackers. Can you see why? (Under an OR gate the attacker picks the easiest alternative, so the gate is as easy as its easiest child; under an AND gate every sub-attack must succeed, so the gate is only as easy as its hardest child.)
EVITA ATTACK TREE EXAMPLE
• Attack tree 9: Attack active brake function (p. 79) and Table 12 (p. 96)
[figure: attack tree 9 with its table of ET, Ex, K, W, Eq and attack potential per basic attack]
EVITA ATTACK TREE EXAMPLE IN SECULIA
[figure: SecuLia diagram "EVITA - 09 Attack Active Brake Function" (Use-case IDs / Asset-Diag ID fields empty); SM = (ET, Ex, K, W, Eq) on basic attack nodes, SM = (AP) on gates]
[9] Attack automatic brake function
  [9.1] Delay automatic brake function by X ms
    [9.1.1] Delay data communication
      [9.1.1.1] Communications Unit (temporary denial of service)  SM = (0,3,3,1,4)
      [9.1.1.2] Chassis Safety Controller (temporary denial of service)  SM = (10,3,3,1,4)
    [9.1.2] Delay data transmission
      [9.1.2.1] / [9.3.1.1] Wireless Communications (jamming) DSRC communication  SM = (1,3,0,0,4)
      [9.1.2.2] / [9.3.1.2] In-car Communications (jamming) Backbone-Bus  SM = (4,3,0,1,4)
      [9.1.2.3] / [9.3.1.3] / [9.3.2.1] In-car Communications (jamming) CS-Bus  SM = (4,3,0,1,4)
  [9.2] Degrade automatic brake function by X ms/s/s/kg  SM = (5)
    [9.2.1] Manipulate environment information (e.g. weather, close subsequent car, wet street)  SM = (5)
      [9.2.1.1] In-car Sensors (manipulate): manipulate environment sensor  SM = (0,0,3,0,0)
      [9.2.1.2] In-car Sensors (manipulate): sensor's environment manipulation  SM = (0,0,3,0,0)
      [9.2.1.3] In-car Communications (listen, intercept, alter, inject, replay): fake environment information message on CS-Bus  SM = (17,6,6,4,4)
  [9.3] Prevent automatic brake function
    [9.3.1] Prevent data transmission (shares [9.3.1.1]-[9.3.1.3] with [9.1.2])
    [9.3.2] Force Brake Controller to enter Fallback-Mode (basic braking only, no ABS, no ESP)
      [9.3.2.1] = [9.1.2.3] In-car Communications (jamming) CS-Bus
      [9.3.2.2] In-car Sensors (disable or denial of service)  SM = (4,0,0,1,4)
    [9.3.3] Prevent data computation
      [9.3.3.1] Chassis Safety Controller (denial of service)  SM = (10,3,3,1,4)
      [9.3.3.2] Chassis Safety Controller (corrupt code or data)  SM = (10,6,7,1,4)
      [9.3.3.3] Communication Unit (denial of service)  SM = (0,3,3,1,4)
SecuLia Assessment Add-in: the risk assessment view of a basic attack node shows its risk parameters and attack type.
EVITA ATTACK TREE EXAMPLE (MINIMAL CUT SET)
[figure: SecuLia Assessment Add-in, minimal cut set view ("," is OR)]
This cut set tells us that an attacker may choose any one of the attack nodes as an attack method (all attack nodes are connected by OR).
[9.2.1.3] is a less likely attack, since it is ranked "Beyond High". However, [9.2.1.2] is a highly likely attack, since it is ranked "Basic".
FT-AT: EXAMPLE
• Interference/disruption against safety from security threats has been recognized as a pressing issue in safety-critical systems.
• One of the ways to analyze the causal relationship between safety (hazard) and security (threat) is to represent the relationship in a combination of Fault Trees and Attack Trees.
[figure: "FT-AT Examples" in SecuLia; P = fault likelihood, SM = attack parameters or (AP); gate structure as read from the diagram]
Failure of automatic brake function  P = 0.017, SM = (4)
  Failure of monitoring function  P = 0.01, SM = (_)
    Failure of millimeter-wave radar  P = 0.01
  Failure due to delay of braking function  P = 0.007, SM = (4)
    Failure of Com Unit  P = 0.007
    Attack to delay communication  SM = (4)
      DoS to Communication Unit  SM = (0,3,3,1,4)
      DoS against Safety Control Unit  SM = (10,3,3,1,4)
RISK ASSESSMENT ON FT-AT DIAGRAMS
• This is a unique feature of SecuLia.
• The risk metrics differ between safety and security
  ‒ FTA: likelihood of faults
  ‒ ATA: attack probability
• There is no established theory of how to combine HARA and TARA results.
• SecuLia adopts the basic principle that the two metrics do not interfere with each other.
Node          Value(s)   Explanation
Event node    (P, _)     Fault event holds only with a likelihood.
Attack node   (_, AP)    Attack holds only with an attack probability.
Event node    (P, AP)    Fault event may hold with both assessment results.
AND calculation: (P, AP) AND (_, AP') => (P, min{AP, AP'})
OR calculation:  (P, AP) OR (P', AP') => (P + P', max{AP, AP'})
An AT may appear as a sub-tree of an FT.
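The slides on attack probability, gate calculation, EVITA tree 9, its minimal cut sets and the FT-AT rules above fit in one small evaluator. The following is an added example written for this page, not SecuLia's or EVITA's code. It encodes the Value-to-AP table, propagates (P, AP) through OR and AND gates as the slide states (OR: P + P' and max AP; AND: min AP), enumerates minimal cut sets ranked easiest-first, and runs on the [9.1]/[9.2] subtrees of EVITA attack tree 9 and on the FT-AT example with the SM and P values from the slides. Two assumptions are not on the page: for P under an AND gate the standard independent-event product is used, and in the FT-AT example the radar failure is taken as the cause of the monitoring-function failure.

```python
"""Attack-tree and FT-AT risk propagation in the EVITA/SecuLia style (added example)."""
import math
from dataclasses import dataclass, field
from itertools import product
from typing import List, Optional, Tuple

# CC/CEM parameters (ET, Ex, K, W, Eq) are summed; the sum maps to an attack
# potential and to the EVITA attack probability (AP). Higher AP = easier attack.
AP_TABLE = [(9, "Basic", 5), (13, "Enhanced Basic", 4), (19, "Moderate", 3), (24, "High", 2)]


def attack_potential(sm: Tuple[int, ...]) -> Tuple[str, int]:
    """Map a CC/CEM parameter tuple to (attack potential label, AP)."""
    total = sum(sm)
    for limit, label, ap in AP_TABLE:
        if total <= limit:
            return label, ap
    return "Beyond High", 1


@dataclass
class Node:
    """Fault-tree or attack-tree node. Leaves carry P (fault likelihood) and/or
    SM (CC/CEM tuple of a basic attack); gates are "OR" or "AND"."""
    name: str
    gate: Optional[str] = None
    children: List["Node"] = field(default_factory=list)
    p: Optional[float] = None
    sm: Optional[Tuple[int, ...]] = None

    def assess(self) -> Tuple[Optional[float], Optional[int]]:
        """(P, AP) per the SecuLia rules: OR -> (P + P', max AP), AND -> min AP.
        P under AND uses the independent-event product (assumption, not on the slide)."""
        if self.gate is None:
            return self.p, (attack_potential(self.sm)[1] if self.sm else None)
        results = [c.assess() for c in self.children]
        ps = [p for p, _ in results if p is not None]
        aps = [ap for _, ap in results if ap is not None]
        if self.gate == "OR":
            return (sum(ps) if ps else None), (max(aps) if aps else None)
        if self.gate == "AND":
            return (math.prod(ps) if ps else None), (min(aps) if aps else None)
        raise ValueError(f"unknown gate {self.gate!r}")

    def cut_sets(self) -> List[Tuple[frozenset, Optional[int]]]:
        """Minimal cut sets with their AP (min over members: an AND set is only as
        easy as its hardest step), easiest first. OR collects the children's sets,
        AND combines one set from every child; supersets of another set are dropped."""
        if self.gate is None:
            return [(frozenset([self.name]), self.assess()[1])]
        per_child = [c.cut_sets() for c in self.children]
        if self.gate == "OR":
            found = [cs for child in per_child for cs in child]
        else:
            found = [(frozenset().union(*[s for s, _ in combo]),
                      min([ap for _, ap in combo if ap is not None], default=None))
                     for combo in product(*per_child)]
        names = [s for s, _ in found]
        minimal = {(s, ap) for s, ap in found if not any(o < s for o in names)}
        return sorted(minimal, key=lambda x: (-(x[1] or 0), len(x[0]), sorted(x[0])))


def evita_tree_9() -> Node:
    """Subtrees [9.1] and [9.2] of EVITA attack tree 9 with the SM values on the slide."""
    def leaf(name, sm): return Node(name, sm=sm)
    return Node("[9] Attack automatic brake function", "OR", [
        Node("[9.1] Delay automatic brake function", "OR", [
            Node("[9.1.1] Delay data communication", "OR", [
                leaf("[9.1.1.1] Communications Unit (DoS)", (0, 3, 3, 1, 4)),
                leaf("[9.1.1.2] Chassis Safety Controller (DoS)", (10, 3, 3, 1, 4))]),
            Node("[9.1.2] Delay data transmission", "OR", [
                leaf("[9.1.2.1] Wireless Communications (jamming) DSRC", (1, 3, 0, 0, 4)),
                leaf("[9.1.2.2] In-car Communications (jamming) Backbone-Bus", (4, 3, 0, 1, 4)),
                leaf("[9.1.2.3] In-car Communications (jamming) CS-Bus", (4, 3, 0, 1, 4))])]),
        Node("[9.2] Degrade automatic brake function", "OR", [
            Node("[9.2.1] Manipulate environment information", "OR", [
                leaf("[9.2.1.1] In-car Sensors (manipulate) environment sensor", (0, 0, 3, 0, 0)),
                leaf("[9.2.1.2] In-car Sensors (manipulate) sensor's environment", (0, 0, 3, 0, 0)),
                leaf("[9.2.1.3] In-car Communications (inject/replay) fake message on CS-Bus",
                     (17, 6, 6, 4, 4))])])])


def ft_at_example() -> Node:
    """The FT-AT slide: fault leaves carry P, attack leaves carry SM. The radar
    failure is read as the cause of the monitoring-function failure (assumption)."""
    return Node("Failure of automatic brake function", "OR", [
        Node("Failure of monitoring function", "OR", [
            Node("Failure of millimeter-wave radar", p=0.01)]),
        Node("Failure due to delay of braking function", "OR", [
            Node("Failure of Com Unit", p=0.007),
            Node("Attack to delay communication", "OR", [
                Node("DoS to Communication Unit", sm=(0, 3, 3, 1, 4)),
                Node("DoS against Safety Control Unit", sm=(10, 3, 3, 1, 4))])])])


if __name__ == "__main__":
    for names, ap in evita_tree_9().cut_sets():
        print(f"AP={ap}  {' AND '.join(sorted(names))}")
    print("FT-AT top event (P, AP):", ft_at_example().assess())
```

Running it lists every minimal cut set of tree 9 with its AP: the three Basic attacks ([9.1.2.1], [9.2.1.1], [9.2.1.2]) come first with AP 5 and the CS-Bus message forgery [9.2.1.3] comes last with AP 1, which is the reading given on the minimal cut set slide; the FT-AT top event evaluates to (0.017, 4), the values printed on the diagram. The AND branch of cut_sets is what makes the min rule visible: a cut set that needs several steps is scored by its hardest one.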
SAFETY-ORIENTED AT PATTERN
• Attacks may disrupt safety functions. In order to analyze interference from security against safety, it is recommended to use a safety-oriented attack pattern.
Keywords such as "Delay", "Prevent" and "Degrade" may be applied to each safety function to analyze interference from security.
FINAL REMARKS
• How to integrate safety and security is of great importance to industries such as automotive, railway, avionics, etc., and new methods and techniques are now being developed to meet this demand.
• Harmonization of safety and security standards is also of crucial importance, since products may be certified under safety as well as security standards.
• There are several issues in this integration in terms of education/training, integration of cultural differences, system lifecycles and development methods; a few of these issues were raised and discussed in this talk.
• I hope this talk motivates you to work in this new engineering arena to make this world safer and more secure!

ConnectedAutos-Kymeta-7498-WPGreg Harms
 
Make things come alive in a secure way - Sigfox
Make things come alive in a secure way - SigfoxMake things come alive in a secure way - Sigfox
Make things come alive in a secure way - SigfoxSigfox
 

Semelhante a WESPr 18 presentation slides CAV Taguchi (20)

Advance security in cloud computing for military weapons
Advance security in cloud computing for military weaponsAdvance security in cloud computing for military weapons
Advance security in cloud computing for military weapons
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Comparative study of Cyber Security Assessment Tools
Comparative study of Cyber Security Assessment ToolsComparative study of Cyber Security Assessment Tools
Comparative study of Cyber Security Assessment Tools
 
introduction to #OT cybersecurity for O&M teams.pdf
introduction to #OT cybersecurity for O&M teams.pdfintroduction to #OT cybersecurity for O&M teams.pdf
introduction to #OT cybersecurity for O&M teams.pdf
 
EMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENT
EMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENTEMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENT
EMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENT
 
Employee trust based industrial device
Employee trust based industrial deviceEmployee trust based industrial device
Employee trust based industrial device
 
EMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENT
EMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENTEMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENT
EMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENT
 
Introduction to Functional Safety and SIL Certification
Introduction to Functional Safety and SIL CertificationIntroduction to Functional Safety and SIL Certification
Introduction to Functional Safety and SIL Certification
 
Securezy - A Penetration Testing Toolbox
Securezy - A Penetration Testing ToolboxSecurezy - A Penetration Testing Toolbox
Securezy - A Penetration Testing Toolbox
 
Security Testing Trends for 2020
Security Testing Trends for 2020Security Testing Trends for 2020
Security Testing Trends for 2020
 
Security Introspection for Software Reuse
Security Introspection for Software ReuseSecurity Introspection for Software Reuse
Security Introspection for Software Reuse
 
Legacy Systems Pose Broad Security Risk for Chipmakers - EETimes.pdf
Legacy Systems Pose Broad Security Risk for Chipmakers - EETimes.pdfLegacy Systems Pose Broad Security Risk for Chipmakers - EETimes.pdf
Legacy Systems Pose Broad Security Risk for Chipmakers - EETimes.pdf
 
RA TechED 2019 - SS16 - Security Where and Why do I start
RA TechED 2019 - SS16 - Security Where and Why do I startRA TechED 2019 - SS16 - Security Where and Why do I start
RA TechED 2019 - SS16 - Security Where and Why do I start
 
OpShield 운영기술 환경 보안 솔루션
OpShield 운영기술 환경 보안 솔루션 OpShield 운영기술 환경 보안 솔루션
OpShield 운영기술 환경 보안 솔루션
 
Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013
 
IRJET- Biometric Vehicle Starter and Security
IRJET-  	  Biometric Vehicle Starter and SecurityIRJET-  	  Biometric Vehicle Starter and Security
IRJET- Biometric Vehicle Starter and Security
 
Cybersecurity and Privacy in ESG Digital Transformation
Cybersecurity and Privacy in ESG Digital TransformationCybersecurity and Privacy in ESG Digital Transformation
Cybersecurity and Privacy in ESG Digital Transformation
 
SMART RESTRAINT SYSTEM
SMART RESTRAINT SYSTEMSMART RESTRAINT SYSTEM
SMART RESTRAINT SYSTEM
 
ConnectedAutos-Kymeta-7498-WP
ConnectedAutos-Kymeta-7498-WPConnectedAutos-Kymeta-7498-WP
ConnectedAutos-Kymeta-7498-WP
 
Make things come alive in a secure way - Sigfox
Make things come alive in a secure way - SigfoxMake things come alive in a secure way - Sigfox
Make things come alive in a secure way - Sigfox
 

Último

(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM.        DIMENSIONAL ANALYSISUNIT-III FMM.        DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISrknatarajan
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Suman Mia
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 

Último (20)

(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM.        DIMENSIONAL ANALYSISUNIT-III FMM.        DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 

WESPr 18 presentation slides CAV Taguchi

• 1. copyright@2018 CAV Technologies Co., Ltd. all rights reserved.
Security First
CAV Technologies
SAFETY & SECURITY CO-ENGINEERING
- A NEW EMERGING DISCIPLINE FOR SAFE AND SECURE SYSTEM DEVELOPMENT -
KENJI TAGUCHI
CAV TECHNOLOGIES CO. LTD.
4 DEC 2018
• 2. ADVERTISEMENTS FOR MYSELF
[Career]
 Founder and CEO of CAV Techs, April 2011~
 11 years experience in Software Industry
  – R&D and Consulting
 20 years in Academia
  – Universities in Japan (3 years), Kyushu Uni, etc.
  – Universities in Europe (5 years), Uppsala U. (Sweden), U. of Bradford (UK)
  – National Research institutes (12 years):
    • Professor by special appointment (National Institute of Informatics)
    • Invited Researcher (National Institute of Advanced Industrial Science and Technology)
[Standardization and academic commitments]
 Co-founder of iFM (Integrated Formal Methods) Conference series
 International Conference on Formal Engineering Methods 2012 program co-chair
 Member of Formal Methods Europe Education SG
 SICE Certification Engineering WG Chair
 FP7 OPENCOSS, External Advisory Board Member
 JASPAR Functional Safety, Safety Argument SWG (2016)
 OMG System Assurance Platform Task Force co-chair
 IEC TC65/WG 20 (Framework to bridge the requirements for safety and security) Expert
 International Workshop on Assurance Cases for Software-intensive Systems (2017) Program co-chair
[Research Areas]
+ Safety/Security/Software Engineering and Formal Methods
+ Served as PC and/or co-chairs of numerous international conferences/workshops (in '18 for ASSURE '18, SAFECOMP '18)
• 3. CO-AUTHORED BOOKS, EDITED CONFERENCE PROCEEDINGS AND JOURNALS
Integrated Formal Methods (iFM) Conference Series, Co-Founder (1999)
International Conference on Formal Engineering Methods (ICFEM), co-chair/co-editor (2012)
Basics of Software Science (ソフトウェア科学基礎, 近代科学社), Co-author (2008)
ACM SIGCSE, inRoads Bulletin, Special Issue on Formal Methods Education and Training, co-editor (2009)
Is Security Software Engineering useful in practice?, Information Processing Society of Japan, co-editor (2009)
• 4. MAIN SERVICES OF MY COMPANY
• C(ertification)
  ‒ Certification support for several international standards on safety and security, e.g., automotive and railway
    ◦ ISO 26262/J3061
    ◦ EN 50128
• A(ssurance)
  ‒ Assurance for system safety and security
    ◦ Safety and Security analyses
    ◦ Safety/Cybersecurity Cases
    ◦ Third Party V&V
• V(erification)
  ‒ Formal Verification (Model Checking/Formal Specification)
    ◦ Hands-on Training
    ◦ V&V Support
Figure: Model Checking (SPIN, PAT), Formal Verification (VDM, Z), Attack Tree, GSN
• 5. SECULIA
• SecuLia is a threat analysis tool jointly developed by our company and Gaio.
  ‒ https://www.gaio.co.jp/product/dev_tools/pdt_seculia.html
  ‒ Add-in application for Enterprise Architect (Sparx Systems)
• Main functionalities
  ‒ Fault Tree Analysis
  ‒ Attack Tree Analysis
    ◦ Risk assessment à la EVITA, i.e., risk parameters from CC/CEM and AND/OR gates as min/max.
    ◦ Minimal cut set
  ‒ FT-AT Analysis
    ◦ Analysis of the interference of security against safety (I/F for HARA and TARA)
  ‒ Extendable risk assessment
    ◦ Programmable risk assessment I/F
• 6. SECURITY ANALYSIS PLATFORM
• Developed as a part of a research project on V2X security.
  ‒ Funded by METI
• Security add-on to Model-Based Engineering
• Implemented as an add-on program for Enterprise Architect (Sparx Systems)
• Various diagramming techniques for the design and analysis of secure architectures, TARA (Threat Analysis and Risk Analysis), etc.
  ‒ Security extension of SysML
    ◦ Secure block definition diagram
    ◦ Security requirements diagram
  ‒ Attack trees (SecuLia)
  ‒ New diagram for system-level threat analysis
• Planned to be placed in the public domain in 2019.
Figure: example attack tree (diagram node labels translated from Japanese). Top event: a third party deliberately stops the control function of the control ECU over the 3G/LTE line during normal operation. Contributing nodes: there is a motive to stop the control ECU's control function; the gateway is accessed by impersonating the centre-side server, either by eavesdropping on the authentication data used between gateway and centre-side server or by repeatedly attempting the authentication; illegitimate data is sent from the 3G/LTE interface through the gateway to the control ECU; the user does not notice that a third party is attacking.
• 7. SAFETY VS SECURITY
• 8. SAFETY VS SECURITY: WHAT IS THE PROBLEM?
• Many industrial sectors which manufacture safety-critical systems, such as railway, automobile, avionics and nuclear plants, face security threats which may have serious consequences for safety.
Figure: What is the cause of an incident? Mechanical failure? Hacking?
Traditionally, safety-critical systems were immune to security threats. Now they are targeted by hackers.
• 9. JEEP CHEROKEE HACK
• The Jeep Cherokee was remotely hacked by C. Miller and C. Valasek
  ‒ Black Hat 2015, Remote Exploitation of an Unaltered Passenger Vehicle, 2015
• Attack vectors
  ‒ Remote attack
    ◦ No direct injection of CAN messages on the CAN bus.
    ◦ Remote access via the infotainment device
  ‒ Spoof CAN messages
    ◦ Force an ECU into diagnostic mode and spoof the control messages from it.
• Safety mechanism against security threat!
  ‒ An ECU can only be put into diagnostic mode at low speed.
  ‒ A safety mechanism somehow defends an ECU from this attack vector.
Figure: memory stick distributed on recall
• 10. TESLA MODEL S HACK
• A hack on the Tesla Model S was reported in 2016
  ‒ Black Hat 2016, Free-Fall: Hacking Tesla From Wireless to CAN Bus
• Same attack vectors
  ‒ Remote attack
    ◦ via the infotainment system
    ◦ Used vulnerabilities commonly found in IT
  ‒ Spoof CAN messages
    ◦ Spoof control messages to ECUs
• Defended by a safety mechanism!
  ‒ Some ECUs do not respond in driving mode
• 11. BASIC CONCEPTS RELATED TO SAFETY
• Safety-related concepts such as hazard, accident, risk and failure have different definitions and understandings across industries and countries.
• Definitions (from ISO 26262)
  ‒ Hazard
    ◦ potential source of harm caused by malfunctioning behaviour of the item
  ‒ Safety mechanism
    ◦ technical solution implemented by E/E functions or elements, or by other technologies, to detect faults or control failures in order to achieve or maintain a safe state.
    ◦ Remark: safety mechanisms range from simple monitor-arbitration logic to more complex fault-tolerant/redundancy mechanisms.
Examples of hazard:
1) Overheating of a battery charging device causes its explosion and/or burns.
2) An ECU produces unintended assist torque.
The following simplified figure is used to represent a safety mechanism against a hazard.
Figure: [hazard] blocked by [Safety mechanism]
• 12. THREAT AND HAZARD: HOW DO THEY INTERACT WITH EACH OTHER?
• There is no clear and definitive definition of how threat and hazard are related to each other.
• Definitions (from J3061)
  ‒ Threat
    ◦ A circumstance or event with the potential to cause harm, where harm may be with respect to financial, reputation, privacy, safety, or operational.
• We take it as a working assumption that a hazard may be caused by a threat.
Hazard: Overheating of a battery charging device causes its explosion and/or burns.
Threat (action): Malware causes a malfunction of the battery charging device.
Hazard: An ECU produces unintended assist torque.
Threat (action): A control message is spoofed.
Figure: [threat] → [hazard], the relationship in which a threat causes a hazard
• 13. SAFETY MECHANISM AGAINST SECURITY THREAT
Figure (three diagrams):
Safety mechanism against hazard: [hazard] blocked by [Safety mechanism]
Security threat causes hazard: [threat] → [hazard]
Jeep/Tesla hack: [threat] → [hazard] blocked by [Safety mechanism]
• 14. OVERRIDE SAFETY MECHANISM
Figure: [threat] → [hazard] blocked by [Safety mechanism]
How did hackers overcome this obstacle?
Figure: [threat] → [hazard] → [Safety mechanism], where the threat overrides the safety mechanism
• 15. SAFETY MECHANISM AND SECURITY MECHANISM
Figure: threat, hazard, Safety Mechanism, Security Mechanism
Best relationship between safety and security mechanisms:
Figure: [threat] blocked by [Security Mechanism] before it becomes a [hazard]; [hazard] blocked by [Safety Mechanism]
This figure matches the doctrine that security mechanisms should work to maintain the integrity level of the safety mechanism. Security mechanisms prevent a threat from evolving into a hazard!
• 16. HARMONIZATION BETWEEN SAFETY MECHANISM AND SECURITY MECHANISM?
Are we agreed that the best relationship between safety and security mechanisms is the following?
Figure: threat, hazard, Safety Mechanism, Security Mechanism
What about the following?
Figure: threat, hazard, Security Mechanism + Safety Mechanism (synthesis of safety and security mechanisms)
• 17. TRADE-OFF/SYNERGY BETWEEN SAFETY AND SECURITY: SESAMO
• SESAMO is a European research project which investigates the inter-relation between safety and security
  ‒ http://sesame-project.eu/
  ‒ Security and Safety modeling: D2.1 – Specification of Safety and Security Mechanisms, Version 0.1, 29 May 2013 Final.
• Function building blocks in which trade-offs and synergies are described are presented.
  ‒ E.g., encryption/decryption:

                Safety    Security
    Trade-off   Delay     Type-of-mechanism-dependent level of security
                Delay     Key-length-dependent level of security
    Synergies   Cryptographic checksums for fault detection
• 18. DETECTION AND DEGRADATION IN SAFETY AND SECURITY CONTEXT
• When a security threat overrides a safety mechanism, the best design would be to gracefully degrade the system into a safe state, which would be slightly different from a traditional safety mechanism.
Figure: [threat] → [hazard] → [Safety mechanism]; attack succeeds! Threat detection (security) and fault detection (safety) both lead to driver warning, degradation and a safe state.
• 19. PROCESS INTEGRATION
• 20. ISO 26262
• Only a part of the safety concept phase is dealt with in this talk.
  ‒ I.e., Part 3 of ISO 26262, the concept phase.
Figure: ISO 26262 overview with the safety concept phase highlighted
• 21. PROCESS POINT OF VIEW – SAFETY AND SECURITY
• Take an example process at an early stage from the automotive safety and security standards
• Functional safety standard
  ‒ ISO 26262 Part 3, Road Vehicles – Functional Safety, 2011
    ◦ Part 3: Concept phase
• Cybersecurity standard
  ‒ SAE J3061, Cybersecurity Guidebook for Cyber-Physical Vehicle Systems, 2016
    ◦ Cybersecurity concept phase
Figure: ISO 26262-3 and J3061 process diagrams side by side
• 22. BAD EXAMPLE?
Is it OK to do safety first and then security?
• Can we just proceed from safety to security?
Figure: Safety → Security (shown twice)
• 23. PROCESS PATTERNS
• There are several open issues as to how to integrate safety and security processes.
• There are some proposals, but they still need some time before they can be applied in a real industrial setting.
• Some existing proposals can be classified into the following patterns.
  ‒ Uni-directional reference: abstraction from DO-326A
  ‒ Subordinate: safety subsumes security
  ‒ Interrelated: SESAMO (FP7), trade-off between processes
  ‒ SafSec: SafSec standards
  ‒ Basic pattern
K. Taguchi, D. Souma, H. Nishihara: Safe & Sec Case Patterns, ASSURE 2015
• 24. UNI-DIRECTIONAL REFERENCE PROCESS PATTERN
• Security and safety processes are separated, but the security part refers to some results of the safety part.
  ‒ In this example, the result of hazard identification is used in threat identification.
• This process pattern can be witnessed in the airworthiness security standard DO-326A.
• 25. SUBORDINATE PROCESS PATTERN
• Some activities related to security are subordinate to their counterparts in safety.
  ‒ Requirements:
    ◦ Need methodological support, e.g., a safety analysis method which can also analyze security threats.
• This view appears to be predominant in the safety-critical systems community.
The above tree represents methodological support for the subordinate approach, which integrates Fault Tree (FT) analysis with Attack Tree (AT) analysis.
Steiner, M., Liggesmeyer, P.: Combination of Safety and Security Analysis - Finding Security Problems That Threaten The Safety of a System.
• 26. INTERRELATED (INDEPENDENT) PROCESS PATTERN
• Security and safety processes run independently, but a trade-off analysis on risk reduction measures (safety requirements) and mitigation methods (security requirements) should be carried out.
  ‒ It is witnessed in the FP7 SESAMO project.
• The aim of the analysis is to identify potential feature interactions between functional safety requirements and security requirements.
  ‒ For instance, timing constraints on a functional safety requirement may be interfered with by a time-consuming encryption mechanism required by a security requirement.
SESAMO: http://sesamo-project.eu
Born, M.: An Approach to Safety and Security Analysis for Automotive Systems: SAE 2014 World Congress and Exhibition (2014)
• 27. COMMUNICATION POINTS/PATHS IN J3061
• In J3061, the notion of communication point/path is implicitly used to explain how to communicate issues raised on one side of a process to the other.
• We can apply this to process integration.
Figure: (J3061, p40)
• 28. PROCESS INTEGRATION: ANALYZE AND COMBINE (1)
• Find the communication points in both processes.
• If the communication is uni-directional, add a new process path in the opposite direction.
Figure: Analyze! ISO 26262-3 and J3061: a threat may have an effect on hazards. Combine! ISO 26262-3 and J3061: a new directed process path may be added.
• 29. PROCESS INTEGRATION: ANALYZE AND COMBINE (2)
• If the path is bidirectional, create a new process which analyzes the impact of, and the trade-off between, the work products from each process.
Figure: Analyze! ISO 26262-3 and J3061: safety and security requirements may interfere with each other. Combine! ISO 26262-3 and J3061: create a new process which analyzes the impact of, and the trade-off between, both work products.
• 30. ATTACK TREE ANALYSIS
• 31. ATTACK TREE ANALYSIS (ATA)
• Attack Tree Analysis (ATA)/Attack Trees (ATs) were invented by B. Schneier [1].
• An adaptation of FTA (Fault Tree Analysis) to security analysis.
• Fault Trees (FTs) were invented in the 1960s as a safety analysis method, and have been extensively used in the development of safety-critical systems such as automobiles, railway, avionics, etc.
• FTs are based on Boolean algebra/logic and their risk assessment is based on probability.
• Contrary to FTs, the risk assessment method for ATs has not been established yet, partly due to the nature of security, i.e., security events are not quantitative/probabilistic and the interpretation of logical operators (i.e., gate symbols such as AND and OR) is not yet established.
• FTs are internationally standardized [2], but there is no international standardization of ATs.
[1] B. Schneier: Attack trees: modeling security threats, Dr. Dobb's J 24 (1999) pp. 21-29.
[2] IEC 61025:2006: Fault Tree Analysis
• 32. AT A LA EVITA STYLE
• In EVITA, an attack method is structured based on the types of attacks
• Attack Goals
  ‒ Benefit of an attacker
• Attack Objectives
  ‒ To achieve the goal of an attacker
• Attack Methods
  ‒ Methods of an attack
• Asset Attack
  ‒ Assets targeted by an attack
Example (from [1], p. 63):
• Attack Goals
  ◦ Harm (individual, organization)
  ◦ Gain benefit
  ◦ Obtain information
  ◦ Terrorism
• Attack Objectives
  ◦ Engine controller receives warning
  ◦ Attack C2I message
  ◦ Issue bogus speed limit notices to other vehicles
• Attack Methods
  ◦ Disable Engine Control Unit
  ◦ Message corrupted
[1] Deliverable D2.3: Security requirements for automotive on-board networks based on dark-side scenarios, 2008
• 33. WHAT IS THE EVITA PROJECT? • EVITA is a European research project on security for V2X (Vehicle-to-X) communications, i.e., connected cars, and on-board crypto modules. • One of EVITA's main achievements is the analysis of security threats using attack trees, and the derivation of security requirements from those analyses. • EVITA adopts the attack potential metric of the Common Criteria (CC, ISO/IEC 15408) and its Common Evaluation Methodology (CEM, ISO/IEC 18045) [1]. [1] Common Methodology for Information Technology Security Evaluation
• 34. RISK ASSESSMENT FOR ATA • Several security risk assessment metrics have been proposed for different domains: ‒ CVSS (Common Vulnerability Scoring System) ‒ CC/CEM (Common Criteria/Common Evaluation Methodology) • They do not specify how to apply the metric to a formalism with a tree structure such as ATs. • Two essential factors when applying them to ATs: ‒ Allocation of metric values to the basic attack nodes ‒ Calculation through the logical gate symbols (AND/OR) [1] Deliverable D2.3: Security requirements for automotive on-board networks based on dark-side scenarios, 2008
• 35. CC/CEM • Parameters for rating attack potential: ‒ ET: Elapsed Time ‒ Ex: Expertise ‒ K: Knowledge of the system ‒ W: Window of opportunity ‒ Eq: Equipment
• 36. ATTACK PROBABILITY • Each basic attack event is rated with the five parameters (ET, Ex, K, W, Eq); their sum is mapped to an attack potential, which in turn gives the attack probability (AP). • Value = ET + Ex + K + W + Eq
Value | Attack Potential | Attack Probability (AP)
0-9 | Basic | 5
10-13 | Enhanced Basic | 4
14-19 | Moderate | 3
20-24 | High | 2
≥ 25 | Beyond High | 1
The higher the attack probability, the easier the attack. Reminder/Assumption: an attacker is highly likely to choose the easiest attack.
• 37. RISK ASSESSMENT ON AT A LA EVITA • Calculation through gates: ‒ OR gate: AP = max of the children ‒ AND gate: AP = min of the children • Basic formula: AP = Attack Probability, obtained from the values (ET, Ex, K, W, Eq) of a basic attack via the attack potential table. The calculation of these gates is intuitively sound due to the nature of attackers. Can you see why? (An OR gate offers alternatives and the attacker picks the easiest one, so the easiest branch determines the AP; an AND gate requires every sub-attack to succeed, so the hardest one bounds the whole.)
• 38. EVITA ATTACK TREE EXAMPLE • Attack tree 9: Attack active brake function (EVITA D2.3, p. 79) and Table 12 (p. 96). (Figure: the tree with the ET, Ex, K, W, Eq ratings and the resulting attack potential of each basic attack.)
• 39. EVITA ATTACK TREE EXAMPLE IN SECULIA (SecuLia Assessment Add-in: basic attack nodes carry the risk parameters SM = (ET, Ex, K, W, Eq) and an attack type; intermediate nodes show the resulting attack probability)
[9] Attack automatic brake function
  [9.1] Delay automatic brake function by X ms
    [9.1.1] Delay data communication
      [9.1.1.1] Communications Unit (temporary denial of service) SM = (0,3,3,1,4)
      [9.1.1.2] Chassis Safety Controller (temporary denial of service) SM = (10,3,3,1,4)
    [9.1.2] Delay data transmission
      [9.1.2.1] / [9.3.1.1] Wireless Communications (jamming), DSRC communication SM = (1,3,0,0,4)
      [9.1.2.2] / [9.3.1.2] In-car Communications (jamming), Backbone-Bus SM = (4,3,0,1,4)
      [9.1.2.3] / [9.3.1.3] / [9.3.2.1] In-car Communications (jamming), CS-Bus SM = (4,3,0,1,4)
  [9.2] Degrade automatic brake function by X ms/s/s/kg SM = (5)
    [9.2.1] Manipulate environment information (e.g. weather, close subsequent car, wet street) SM = (5)
      [9.2.1.1] In-car Sensors (manipulate): manipulate environment sensor SM = (0,0,3,0,0)
      [9.2.1.2] In-car Sensors (manipulate): sensor's environment manipulation SM = (0,0,3,0,0)
      [9.2.1.3] In-car Communications (listen, intercept, alter, inject, replay): fake environment information message on CS-Bus SM = (17,6,6,4,4)
  [9.3] Prevent automatic brake function
    [9.3.1] Prevent data transmission: [9.3.1.1], [9.3.1.2], [9.3.1.3] (shared with [9.1.2])
    [9.3.2] Force Brake Controller to enter Fallback-Mode (basic braking only, no ABS, no ESP)
      [9.3.2.1] In-car Communications (jamming), CS-Bus (shared with [9.1.2.3])
      [9.3.2.2] In-car Sensors (disable or denial of service) SM = (4,0,0,1,4)
    [9.3.3] Prevent data computation
      [9.3.3.1] Chassis Safety Controller (denial of service) SM = (10,3,3,1,4)
      [9.3.3.2] Chassis Safety Controller (corrupt code or data) SM = (10,6,7,1,4)
      [9.3.3.3] Communication Unit (denial of service) SM = (0,3,3,1,4)
• 40. EVITA ATTACK TREE EXAMPLE (MINIMAL CUT SET) SecuLia Assessment Add-in: minimal cut set of the tree above ("," is OR). This cut set tells us that an attacker may choose any one of its members as an attack method (all attack nodes are connected by OR). [9.2.1.3] is a less likely attack, since it is rated "Beyond High" (17+6+6+4+4 = 37, AP 1); [9.2.1.2] is a highly likely attack, since it is rated "Basic" (0+0+3+0+0 = 3, AP 5).
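As an added worked example (not part of the original deck, and not SecuLia's or EVITA's code), the Python below implements the EVITA-style assessment of the preceding slides end to end: the five CC/CEM parameters are summed and mapped to an attack potential and AP, AP is propagated through the gates with OR = max and AND = min, and the minimal cut sets are enumerated and ranked by how easy they are for the attacker. The leaves are the [9.2.1] subtree of attack tree 9 as listed above; the AND gate "H1" is a constructed addition that is not in the EVITA tree, included so that the min rule and a multi-leaf cut set are exercised.

```python
"""EVITA-style attack tree assessment: CC/CEM attack potential per basic
attack, OR = max / AND = min through the gates, minimal cut sets ranked by
attack probability (AP). Added example, not EVITA's or SecuLia's code."""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple, Union

Params = Tuple[int, int, int, int, int]  # (ET, Ex, K, W, Eq), the deck's order

# Sum of the five parameters -> attack potential label and AP, as on the deck.
# Upper bounds are inclusive; anything above 24 is "Beyond High" (AP 1).
POTENTIAL_TABLE = [(9, "Basic", 5), (13, "Enhanced Basic", 4),
                   (19, "Moderate", 3), (24, "High", 2)]


def attack_potential(params: Params) -> Tuple[str, int]:
    total = sum(params)
    for upper, label, ap_value in POTENTIAL_TABLE:
        if total <= upper:
            return label, ap_value
    return "Beyond High", 1


@dataclass
class Leaf:            # basic attack node
    id: str
    name: str
    params: Params


@dataclass
class Gate:            # intermediate node with a logical gate
    id: str
    name: str
    op: str            # "OR" or "AND"
    children: List["Node"] = field(default_factory=list)


Node = Union[Leaf, Gate]


def ap(node: Node) -> int:
    """AP of a node: a leaf from its parameters; OR = max, AND = min of children."""
    if isinstance(node, Leaf):
        return attack_potential(node.params)[1]
    values = [ap(child) for child in node.children]
    return max(values) if node.op == "OR" else min(values)


def leaves(node: Node) -> Dict[str, Leaf]:
    if isinstance(node, Leaf):
        return {node.id: node}
    result: Dict[str, Leaf] = {}
    for child in node.children:
        result.update(leaves(child))
    return result


def minimise(cut_sets: Set[FrozenSet[str]]) -> Set[FrozenSet[str]]:
    """Drop every cut set that strictly contains another one (not minimal)."""
    return {cs for cs in cut_sets if not any(other < cs for other in cut_sets)}


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Sets of basic attacks that together achieve the node's goal.
    OR: any child's cut set; AND: one cut set from every child, unioned."""
    if isinstance(node, Leaf):
        return {frozenset([node.id])}
    child_sets = [minimal_cut_sets(child) for child in node.children]
    if node.op == "OR":
        combined = set().union(*child_sets)
    else:
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    return minimise(combined)


def rank_cut_sets(tree: Node) -> List[Tuple[FrozenSet[str], int]]:
    """Each minimal cut set with its AP (min over members, since all must
    succeed), easiest for the attacker first."""
    by_id = leaves(tree)
    ranked = [(cs, min(ap(by_id[i]) for i in cs)) for cs in minimal_cut_sets(tree)]
    return sorted(ranked, key=lambda item: (-item[1], sorted(item[0])))


# Excerpt of EVITA attack tree 9 as shown on the deck ([9.2.1] and its leaves),
# plus one constructed AND gate "H1" that is NOT in the EVITA tree.
EXAMPLE_TREE = Gate("9", "Attack automatic brake function (excerpt)", "OR", [
    Gate("9.2.1", "Manipulate environment information", "OR", [
        Leaf("9.2.1.1", "In-car Sensors: manipulate environment sensor", (0, 0, 3, 0, 0)),
        Leaf("9.2.1.2", "In-car Sensors: sensor's environment manipulation", (0, 0, 3, 0, 0)),
        Leaf("9.2.1.3", "In-car Communications: fake environment message on CS-Bus", (17, 6, 6, 4, 4)),
    ]),
    Gate("H1", "Constructed: corrupt controller while blinding its diagnostics", "AND", [
        Leaf("9.3.3.2", "Chassis Safety Controller: corrupt code or data", (10, 6, 7, 1, 4)),
        Leaf("9.3.3.3", "Communication Unit: denial of service", (0, 3, 3, 1, 4)),
    ]),
])

if __name__ == "__main__":
    print("root AP:", ap(EXAMPLE_TREE))
    for cut_set, cut_ap in rank_cut_sets(EXAMPLE_TREE):
        print(sorted(cut_set), "AP =", cut_ap)
```

The ranking makes the slide's point mechanically: the two sensor manipulations come out at AP 5 (Basic) and are the routes to mitigate first, while the CS-Bus message forgery and the constructed two-step attack sit at AP 1 (Beyond High). For a tree that, like the full EVITA tree 9, reuses one basic attack under several objectives, minimise() is what removes the non-minimal supersets that the AND expansion produces.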
• 41. FT-AT: EXAMPLE • Interference with, or disruption of, safety by security threats has been recognized as a pressing issue in safety-critical systems. • One way to analyze the causal relationship between safety (hazard) and security (threat) is to represent that relationship as a combination of Fault Trees and Attack Trees. (FT-AT example; fault nodes carry a likelihood P, attack nodes the security metric SM:)
Failure of automatic brake function P = 0.017, SM = (4)
  Failure of monitoring function P = 0.01, SM = (_)
    Failure of millimetre-wave radar P = 0.01
  Failure due to delay of braking function P = 0.007, SM = (4)
    Failure of Com Unit P = 0.007
    Attack to delay communication SM = (4)
      DoS to Communication Unit SM = (0,3,3,1,4)
      DoS against Safety Control Unit SM = (10,3,3,1,4)
• 42. RISK ASSESSMENT ON FT-AT DIAGRAMS • This is a unique feature of SecuLia. • Risk metrics differ between safety and security: ‒ FTA: likelihood of faults ‒ ATA: attack probability • There is no established theory of how to combine HARA (hazard analysis and risk assessment) and TARA (threat analysis and risk assessment). • SecuLia adopts the basic principle that the two do not interfere with each other: likelihood and attack probability are propagated independently.
Node | Value(s) | Explanation
Event node | (P, _) | Fault event; holds only with likelihood P
Attack node | (_, AP) | Attack; holds only with attack probability AP
Event node | (P, AP) | Fault event that may hold with both assessment results
• OR calculation: (P, AP) OR (P', AP') => (P + P', max{AP, AP'})
• AND calculation (as in the figure): (P, AP) AND (_, AP') => (P, min{AP, AP'})
• An AT may appear as a sub-tree of the FT.
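As an added example (not SecuLia's code and not from the original deck), the Python below propagates the pair (P, AP) through a combined FT-AT the way this slide describes: OR sums likelihoods and takes the maximum AP, AND takes the minimum AP, and a missing value ("_") simply does not take part. It rebuilds the FT-AT example from slide 41. Assumptions: the gate types are not legible in the extracted diagram, so the "delay" node is modelled as OR (it would give the same (0.007, 4) under AND, since each of its children carries only one of P and AP); the AP values of the two DoS leaves are taken from the attack potential table (sums 11 and 21, so AP 4 and 2) rather than recomputed; and an AND gate with two likelihood-bearing children, a case the slide does not cover, uses the standard FTA independent-event product.

```python
"""Combined FT-AT assessment: (P, AP) propagated independently through the
gates, as on the deck. Added example, not SecuLia's implementation."""
from dataclasses import dataclass, field
from math import prod
from typing import List, Optional, Tuple

Assessment = Tuple[Optional[float], Optional[int]]  # (P, AP); None is "_" on the deck


@dataclass
class FtAtNode:
    name: str
    p: Optional[float] = None      # likelihood of a fault event (HARA/FTA side)
    ap: Optional[int] = None       # attack probability 1..5 (TARA/ATA side)
    op: Optional[str] = None       # "OR" / "AND" for gates, None for basic events/attacks
    children: List["FtAtNode"] = field(default_factory=list)


def assess(node: FtAtNode) -> Assessment:
    """(P, AP) of a node. Likelihood and AP never influence each other."""
    if not node.children:
        return (node.p, node.ap)
    results = [assess(child) for child in node.children]
    ps = [p for p, _ in results if p is not None]
    aps = [a for _, a in results if a is not None]
    if node.op == "OR":
        p = sum(ps) if ps else None            # rare-event sum, as on the deck
        ap_value = max(aps) if aps else None   # attacker takes the easiest branch
    elif node.op == "AND":
        # ASSUMPTION: with several likelihood-bearing children, combine them as
        # independent events (product, standard FTA); the deck shows only the
        # case where exactly one child carries P, which the product reproduces.
        p = prod(ps) if ps else None
        ap_value = min(aps) if aps else None   # hardest sub-attack bounds the whole
    else:
        raise ValueError(f"unknown gate {node.op!r} at {node.name!r}")
    return (round(p, 9) if p is not None else None, ap_value)


def interference_points(node: FtAtNode) -> List[Tuple[str, Assessment]]:
    """Nodes that end up with both a likelihood and an AP: the places where a
    security threat reaches a safety function. Pre-order, root first."""
    found: List[Tuple[str, Assessment]] = []
    result = assess(node)
    if result[0] is not None and result[1] is not None:
        found.append((node.name, result))
    for child in node.children:
        found.extend(interference_points(child))
    return found


# The deck's FT-AT example (slide 41). AP of the DoS leaves from the attack
# potential table: (0,3,3,1,4) sums to 11 -> Enhanced Basic -> 4,
# (10,3,3,1,4) sums to 21 -> High -> 2. Gate types assumed (see lead-in).
BRAKE_FAILURE = FtAtNode("Failure of automatic brake function", op="OR", children=[
    FtAtNode("Failure of monitoring function", op="OR", children=[
        FtAtNode("Failure of millimetre-wave radar", p=0.01),
    ]),
    FtAtNode("Failure due to delay of braking function", op="OR", children=[
        FtAtNode("Failure of Com Unit", p=0.007),
        FtAtNode("Attack to delay communication", op="OR", children=[  # AT as a sub-tree
            FtAtNode("DoS to Communication Unit", ap=4),
            FtAtNode("DoS against Safety Control Unit", ap=2),
        ]),
    ]),
])

# Constructed AND node (not on the deck) exercising both sides of the AND rule.
CONSTRUCTED_AND = FtAtNode("Constructed: all four must happen", op="AND", children=[
    FtAtNode("fault A", p=0.1), FtAtNode("fault B", p=0.2),
    FtAtNode("attack C", ap=3), FtAtNode("attack D", ap=5),
])

if __name__ == "__main__":
    print("root:", assess(BRAKE_FAILURE))
    for name, (p, ap_value) in interference_points(BRAKE_FAILURE):
        print(f"  interference at {name!r}: P={p}, AP={ap_value}")
```

interference_points() is the check a reviewer of such a diagram wants: it lists exactly the fault events whose assessment now carries an AP, i.e. the hazards an attacker can trigger, which in the example are the root and the delay node, both at AP 4 (Enhanced Basic).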
• 43. SAFETY-ORIENTED AT PATTERN • Attacks may disrupt safety functions. To analyze interference from security against safety, it is recommended to use a safety-oriented attack pattern: keywords such as "Delay", "Prevent" and "Degrade" are applied to each safety function to derive the attack objectives to analyze (as in attack tree 9: delay, degrade and prevent the automatic brake function).
• 44. FINAL REMARKS • How to integrate safety and security is of great importance to industries such as automotive, railway and avionics, and new methods and techniques are being developed to meet this demand. • Harmonization of safety and security standards is also crucial, since products may have to be certified under both safety and security standards. • There are several issues in this integration in terms of education/training, cultural differences, system lifecycles and development methods; a few of them were raised and discussed in this talk. • I hope this talk motivates you to work in this new engineering arena, to make the world safer and more secure!