Model-Driven Engineering for Designing Safe and Secure Embedded Systems

Ludovic APVRILLE, Letitia W. LI
Institut Mines-Telecom
Telecom ParisTech, CNRS/LTCI
Sophia Antipolis, France
Email: {ludovic.apvrille, letitia.li}@telecom-paristech.fr

Yves ROUDIER
EURECOM
Sophia Antipolis, France
Email: Yves.Roudier@eurecom.fr

Abstract—The communication capabilities of recent embedded systems offer more opportunities for attack to cyber criminals. Moreover, those attacks may compromise the safety of these systems. SysML-Sec is a SysML-based environment for the design of such embedded systems with safety and security features.

The paper focuses on the SysML-Sec methodology containing the following stages: assumptions, requirements, attacks, partitioning, software design and software deployment. Our method is supported by TTool, and offers a press-button approach for formal proof of safety and security. Previous projects and case studies modeled and validated with SysML-Sec range from automotive systems, drone systems, information systems (e.g., the analysis of malware targeting banking systems), industrial systems (Analysis of SCADA malware), and more generally, security protocols.

I. INTRODUCTION

Inter-connected embedded systems and cyber-physical systems offer more opportunities for attack to cyber criminals. To cite only a few examples of recent attacks on such connected systems, we can mention ADSL routers [1], mobile&smart phones [2], avionics [3], automotive systems [4], medical appliances such as the Hospira Symbiq drug pump [5], and smart objects e.g. the recent vulnerability disclosed on the Fitbit [6]. Such attacks also target industrial systems whose sensors are increasingly commonly connected with vulnerable information systems, as demonstrated by Stuxnet, Flame, and Duqu [7]. Attacks threaten the dependability of such systems with various objectives ranging from extortion to terrorist acts.

System complexity, notably in terms of code size, distribution, and heterogeneity, is a major risk factor to safety and security. This issue can only be mitigated by the verification of all the interactions between functional and non-functional requirements throughout a system’s development cycle. The SysML-Sec environment aims to improve the design of such complex systems with respect to their performance, safety, and security [8]. SysML-Sec addresses system development starting from requirements and possible attacks, continuing into software/hardware partitioning, and further progressing into the design of software components. SysML-Sec is implemented within a free/open-source toolkit named “TTool” [9]. TTool offers diagramming capabilities as well as safety and security proofs at the push of a button. This paper summarizes the SysML-Sec methodology, its model-based approach, and its support by TTool.

II. SYSML-SEC METHODOLOGY

A. Methodological stages

The methodology of SysML-Sec, summarized in Figure 1, addresses all stages that are commonly used to design an embedded system.

The requirements/attacks stage intends to identify and analyze both requirements and attacks together with the main application functions (Functional View). Formally defined attack graphs [10] are used to capture attack scenarios, which commonly rely on the exploitation of a combination of vulnerabilities. Once defined, these graphs can be easily migrated for reuse in analysis of other systems. Attacks can be linked together in order to assess the impact of a specific vulnerability and the need to address it at the risk assessment phase, e.g., once a mapping is under evaluation.

The SW/HW Partitioning phase follows the Y-Chart approach with the modeling of logical tasks/channels (Functional view), candidate architectures (Architectural view), and mapping (Mapping view) of tasks and channels onto the architecture. Candidate architectures consist of CPUs, hardware accelerators, buses, bridges, and memory elements. Tasks abstract the system behavior, and define concepts of execution time and inter-task communications. The attributes passed between tasks are abstracted to consider only the size of the data transferred or stored. Once system partitioning has been completed, software
design can begin. The goal of the software analysis and design stages is to develop the software components implementing the functions mapped onto processors at the previous stage. Functions to be implemented are first analyzed with SysML-based use case and scenario views to determine a software design in terms of safety or security-related SysML blocks (Structural view) and their interactions, e.g., security protocols. During the design, software components/blocks are progressively refined until the point where executable code generation is feasible. This refinement also includes adding security-related functions (Behavioral view), e.g., cryptographic algorithms, key management policies, and filtering policies. The deployment view specifies which executable code can be generated: local execution, specific board (hardware architecture previously defined at mapping stage), or virtual prototyping environment [11] (abstracting the same hardware architecture).

Iterations over the complete method are assumption-driven [12]. More precisely, the system specification is first limited in scope, then progressively enlarged to include further details. Assumptions expressing the scope of the specification are explicitly described in a Modeling Assumption Diagram. The safety and security assumptions are included within this model, thus impacting the safety and security proofs at each new iteration. Advancing from version n to version n + 1, modifications on diagrams and properties are thus traced within the Modeling Assumption Diagrams.

B. Verification of properties along the SysML-Sec method

During the functional stage, simulations and (formal) verifications are performed in order to identify safety-related issues, e.g., deadlock situations, non-reachability of error states, etc. Functional models are untimed, which means that no performance study can be conducted on them. However, the mapping of functions over execution nodes gives to the former a logical and physical execution time. Thus, post-mapping simulations and formal verifications are intended to demonstrate the system performance on the selected hardware architecture, including the study of latencies, the load of processor and buses, and communication time. The results are determined how the logical functions - including the security mechanisms - are linked to the underlying hardware. For example, a given security protocol may impact a bus load, a cryptographic function may impact a processor load, and both can consequently increase the overall system latency. The mapping scheme, for example, mapping a cryptographic function over a hardware accelerator, or instead on a general-purpose processor, also impacts system latencies. The performance analysis thus intends to study both safety and security functions mapped on different conditions [13]. The result of this study is a hardware/software architecture that complies with both safety and security requirements, and that can resist attacks of the given risk level.

During the first iterations of the software design, simulation can be used to debug the models [14]. When the model has been refined to include all relevant behavior, formal verification can also be used to assess safety properties [15] [16] (e.g., the reachability of a given state, or its liveness). Security proofs can also be performed on software design diagrams. The latter are transformed into a security-oriented formal specification in pi-calculus [17]. This specification is automatically sent by TTool to ProVerif, along with the confidentiality and authenticity properties to be proved [18]. These properties may refer
to the confidentiality of a SysML block attribute or the authenticity of a message exchanged by two blocks.

When the model is too large to be verified, model-to-code transformations are used to perform security and safety tests on the code itself.

III. TTool

The free and open-source TTool software supports all SysML-Sec methodological stages, including model capture, simulation, and verification. In fact, TTool is a multi-profile toolkit whose main strength is to offer a press-button approach for performing simulation and formal proofs from models. TTool supports the automatic proof of both safety and security properties in LOTOS [19], UPPAAL [16] and ProVerif [18]. For user convenience, results of the verification are back-traced to the graphical models. For example, Figure 2 displays a subset of the software design of HTTPS/TLS. The confidentiality and authenticity proofs have been conducted on this SysML-Sec model, and the results have been back-traced in the form of a lock added adjacent to the relevant model element, such as an authenticity pragma or block attribute whose confidentiality property has been queried. A green lock indicates the property is satisfied, a grey lock indicates the property cannot be proved, and a red lock indicates the property is not satisfied.

IV. Related work

From our experience, partitioning is a central issue in embedded systems. Achieving a correct partitioning that adheres to safety requirements necessitates that the impact of security mechanisms be understood and quantified as early as possible. SecureUML, for example, extends UML to provide capabilities to consider security in a model and verify its security requirements. [20]. We note that only a few authors, notably Eames and Moffet [21], and more recently Pière-Cambacédès [22] and Raspotnig [23], have dealt with the relationships between security and safety requirements. For instance, the last two authors discuss quite thoroughly the relationships that can be established between security and safety requirements. In particular, these studies can describe conflicts, but also reinforcement relationships (when safety and security concur towards the same design), or conditional dependence. We think that obtaining similar descriptions within SysML-Sec would require the engineering methodology to be extended with an additional feedback interaction from all engineering phases to the specification phase: for instance, the satisfaction of safety requirements should be checked based on the security mechanisms introduced before any further safety mechanism would be introduced. We did not evaluate any such methodological step. However, we plan to investigate these issues in the future.

V. Conclusion - Future Work

Attacks are now widely conducted on embedded and cyber-physical systems. Unfortunately, current software engineering methods first focus on the safety and a fast time-to-market of these systems, with considerations for security as an after-thought.

SysML-Sec addresses this issue with a model-driven engineering approach combining semi-formal specifications of both safety and security features and properties at any given development cycle phase. SysML-Sec is supported by a free/open-source toolkit, TTool. Simulations and formal proofs on models can be easily conducted with TTool, in order to assess function, architectural choices and software design choices, in terms of performance, safety properties, and security properties.

SysML-Sec has been previously used in the design and evaluation of embedded systems (e.g., automotive architectures), security protocols (TLS), analysis of complex attacks (Stuxnet, Zeus/Zitmo).

Our future work concerns the enhancement of security modeling and validation capabilities at the partitioning stage. The partitioning of tasks onto execution nodes impacts security, as data sent between two tasks mapped to the same CPU cannot be intercepted. Such consideration of security may reduce latencies or hardware in removing the need to encrypt certain data. Furthermore, channels can be mapped onto either public or private buses. Similarly to the ProVerif-based security proof of software design, we indeed intend to define and implement a mapping-to-proverif model transformation to consider security. We also intend to introduce a security-oriented modeling assistant to help identify threats, their countermeasures, and supporting hardware and software architectures. This assistance might be based on a library of modeling patterns.

REFERENCES


Fig. 2. SysML-Sec model in TTool featuring the results of a security formal verification


