
    Towards the design of a DSL to enable the secure Runtime Monitoring and Verification of Safety-Critical CPS

    3rd Doctoral Congress in Engineering, held at FEUP on 27-28 June 2019.
    Safety-critical systems commonly face unpredictable and hostile environments, with emergent behaviors and a growing number of external, malicious attackers. These risk factors should be taken into account during the design phase, but that is not always possible because of the overall complexity of the interaction between a system and its external operational environment. Cyber-Physical Systems (CPS) are notable examples of practical implementations of safety-critical systems. Guaranteeing that a safety-critical CPS does not fail in operation can easily become a huge challenge, depending on how complex the system is. Among the most promising approaches to reduce the complexity of designing safety-critical CPS are Runtime Monitoring (RM) (Watterson and Heffernan 2017) and Runtime Verification (RV) (Bartocci et al. 2018), where monitors are generated and orchestrated in a software architecture that can be coupled to the target system, observe it during execution, and identify aspects that were not foreseen during the design phase or that could not be proved absent by static verification methods. Monitors can verify the correct functioning of a system by analyzing direct and/or indirect aspects of it. This is especially useful from a security-oriented point of view, where monitors can identify possible attacks on a system from the events taking place or the patterns of data being processed.

    Detecting Fault Injection Attacks with Runtime Verification

    Fault injections are increasingly used to attack and to test secure applications. In this paper, we define formal models of runtime monitors that can detect fault injections resulting in test inversion attacks and arbitrary jumps in the control flow. Runtime verification monitors offer several advantages. The code implementing a monitor is small compared to the entire application code. Monitors have a formal semantics, and we prove that they effectively detect attacks. Each monitor is a module dedicated to detecting one attack and can be deployed as needed to secure the application. A monitor can run separately from the application or be woven inside it. Our monitors have been validated by detecting simulated attacks on a program that verifies a user PIN.
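    As an added illustration of the kind of monitor this abstract describes (example code written for this page, not the paper's formal models or its implementation): a PIN check instrumented to report each comparison and the branch it actually takes to a small automaton-based monitor. The monitor flags a test inversion when the branch taken disagrees with the comparison just reported, and an arbitrary jump when comparison steps arrive out of order, are repeated, or are missing before the final verdict. The fault model (`struct fault`, which inverts one branch or skips one step) and the PIN values are constructed for the simulation; the event interface, monitor state and function names are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PIN_LEN 4

/* Events the instrumented application reports to the monitor (assumed interface). */
enum ev_kind { EV_CMP, EV_BRANCH, EV_RESULT };
struct event { enum ev_kind kind; int idx; int value; };

/* Monitor state: an automaton over the expected event sequence
 * CMP(0) BRANCH(0) CMP(1) BRANCH(1) ... CMP(3) BRANCH(3) RESULT. */
struct monitor {
    int expect_idx;      /* digit index the next CMP must carry */
    int awaiting_branch; /* 1 after a CMP, 0 after the matching BRANCH */
    int last_cmp;        /* outcome of the last CMP, to check the BRANCH against */
    int mismatches;      /* monitor's own tally of failed comparisons */
    int violated;        /* set once any check fails; monitor stays in error */
};

static void monitor_init(struct monitor *m) { memset(m, 0, sizeof *m); }

/* Step the monitor with one event. Returns false on a property violation. */
static bool monitor_step(struct monitor *m, struct event e) {
    if (m->violated) return false;
    switch (e.kind) {
    case EV_CMP:
        /* Steps must arrive in order 0..PIN_LEN-1 and strictly alternate with
         * BRANCH events: a skipped, repeated or extra index is an arbitrary jump. */
        if (m->awaiting_branch || e.idx != m->expect_idx || e.idx >= PIN_LEN) goto bad;
        m->last_cmp = e.value;
        m->mismatches += (e.value == 0);
        m->awaiting_branch = 1;
        break;
    case EV_BRANCH:
        /* The branch actually taken must agree with the comparison outcome just
         * reported: a disagreement is a test inversion. */
        if (!m->awaiting_branch || e.idx != m->expect_idx || e.value != m->last_cmp) goto bad;
        m->awaiting_branch = 0;
        m->expect_idx++;
        break;
    case EV_RESULT:
        /* The final verdict must come after all steps and reflect every comparison. */
        if (m->awaiting_branch || m->expect_idx != PIN_LEN) goto bad;
        if (e.value != (m->mismatches == 0)) goto bad;
        break;
    }
    return true;
bad:
    m->violated = 1;
    return false;
}

/* Simulated fault model (constructed for this demo): invert the branch taken at
 * digit invert_at, or skip digit skip_at entirely. -1 disables that fault. */
struct fault { int invert_at; int skip_at; };

enum verdict { PIN_REJECT = 0, PIN_ACCEPT = 1, ATTACK_DETECTED = 2 };

/* PIN check with the monitor woven in. Each comparison and the branch it takes
 * are reported as events; any violation aborts with ATTACK_DETECTED. */
static enum verdict verify_pin_monitored(const char *user, const char *ref, struct fault f) {
    struct monitor m;
    monitor_init(&m);
    int ok = 1;
    for (int i = 0; i < PIN_LEN; i++) {
        if (i == f.skip_at) continue;                        /* arbitrary jump: step skipped */
        int equal = (user[i] == ref[i]);
        if (!monitor_step(&m, (struct event){EV_CMP, i, equal})) return ATTACK_DETECTED;
        int taken = (i == f.invert_at) ? !equal : equal;     /* test inversion fault */
        if (!taken) ok = 0;
        if (!monitor_step(&m, (struct event){EV_BRANCH, i, taken})) return ATTACK_DETECTED;
    }
    if (!monitor_step(&m, (struct event){EV_RESULT, PIN_LEN, ok})) return ATTACK_DETECTED;
    return ok ? PIN_ACCEPT : PIN_REJECT;
}

int main(void) {
    struct fault none = {-1, -1}, invert = {3, -1}, skip = {-1, 3};
    static const char *names[] = {"reject", "accept", "attack detected"};
    printf("correct PIN, no fault:     %s\n", names[verify_pin_monitored("1234", "1234", none)]);
    printf("wrong PIN, no fault:       %s\n", names[verify_pin_monitored("1235", "1234", none)]);
    printf("wrong PIN, test inverted:  %s\n", names[verify_pin_monitored("1235", "1234", invert)]);
    printf("wrong PIN, step 3 skipped: %s\n", names[verify_pin_monitored("1235", "1234", skip)]);
    return 0;
}
```

    The monitor keeps its own mismatch tally rather than trusting the application's `ok` flag, which is what lets it catch an inverted branch that would otherwise turn a wrong PIN into an acceptance; in a real deployment the BRANCH event would be emitted from the basic block actually entered, not computed next to the comparison as in this simulation.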

    A Taxonomy for Classifying Runtime Verification Tools

    Over the last 15 years Runtime Verification (RV) has grown into a diverse and active field, which has stimulated the development of numerous theoretical frameworks and tools. Many of the tools are at first sight very different and challenging to compare, yet there are similarities. In this work, we classify RV tools within a high-level taxonomy of concepts. We first present this taxonomy and discuss its dimensions. Then we survey RV tools and classify them according to the taxonomy. This paper constitutes a snapshot of the current state of the art and enables a comparison of existing tools.

    LNCS

    We argue that the time is ripe to investigate differential monitoring, in which the specification of a program's behavior is given implicitly by a second program implementing the same informal specification. Similar ideas have been proposed before and are currently implemented in restricted form for testing and for specialized run-time analyses, aspects of which we combine. We discuss the challenges of implementing differential monitoring as a general-purpose, black-box run-time monitoring framework, and present promising results from a preliminary implementation, showing low monitoring overheads for diverse programs.