4 research outputs found

    Model-Driven Security with A System of Aspect-Oriented Security Design Patterns

    Model-Driven Security (MDS) emerged more than a decade ago as a specialization of Model-Driven Engineering (MDE), proposing sound model-driven methodologies for supporting secure systems development. Yet there is still a big gap to close before MDS approaches become easily applicable and adoptable by industry. Most current MDS approaches deal with only a single security concern, e.g. authorization, and do not take multiple security concerns into account. Besides, security patterns, which are based on domain-independent, time-proven security knowledge and expertise, can be considered reusable security bricks upon which sound and secure systems can be built. But they are not applied as much as they could be, because developers have problems selecting them and applying them in the right places, especially at the design phase. In this position paper, we propose an exploratory MDS approach based on a System of aspect-oriented Security design Patterns (SoSPa), in which security design patterns are collected and specified as reusable aspect models to form a coherent system that guides developers in systematically selecting the right security design patterns for the job. Our MDS approach allows the selected security design patterns to be automatically composed with the target system model. The woven secure system model can then be used for code generation, including configured security infrastructures.

    An Educational Framework to Support Industrial Control System Security Engineering

    Industrial Control Systems (ICSs) are used to monitor and control critical infrastructure such as electricity and water. ICSs were originally stand-alone systems, but are now widely being connected to corporate and national IT networks, making remote monitoring and more timely control possible. While this connectivity has brought multiple benefits to ICSs, such as cost reductions and an increase in redundancy and flexibility, ICSs were not designed for open connectivity and are therefore more prone to security threats, creating a greater requirement for adequate security engineering approaches. The culture gap between developers and security experts is one of the main challenges of ICS security engineering. Control system developers play an important role in building secure systems; however, they lack security training and support throughout the development process. Security training, which is an essential activity in the defence-in-depth strategy for ICS security, has been addressed, but has not been given sufficient attention in academia. Security support is a key means by which to tackle this challenge, by assisting developers in ICS security by design. This thesis proposes a novel framework, the Industrial Control System Security Engineering Support (ICS-SES), which aims to help developers design secure control systems by enabling them to reuse secure design patterns and improve their security knowledge. ICS-SES adapts a pattern-based approach to guide developers in security engineering, and an automated planning technique to provide adaptive on-the-job security training tailored to personal needs. The usability of ICS-SES has been evaluated in an empirical study in terms of its effectiveness in assisting the design of secure control systems and improving developers' security knowledge.
    The results show that ICS-SES can efficiently help control system designers to mitigate security vulnerabilities and improve their security knowledge, reducing the difficulties associated with the security engineering process, and the results have been found to be statistically significant. In summary, ICS-SES provides a unified method of supporting an ICS security by design approach. It fosters a development environment where engineers can improve their security knowledge while working in a control system production line.

    Study of the impact of electrical transients on communication protocols in embedded systems

    The increasing complexity and responsibility of the embedded devices in today's vehicles has directed development efforts towards control systems that are faster, more precise, more robust and, above all, safer. As a result, these devices are pushing communication protocols to an unprecedented level of demand, in terms of both capacity and reliability. Protocols such as CAN, CAN-FD and FlexRay, among others, have been adopted for their safety characteristics and their ability to meet the timing requirements of the various embedded circuits. The increasingly frequent development and use of safety-focused devices pushes communication between the components of these devices to its limits, requiring responses that are reliable in the extreme. Systems such as ABS brakes, active suspension, autonomous emergency braking and adaptive cruise control, among others, which involve several ECUs distributed throughout the vehicle, have only fractions of a second for the system to react between the input signal and the corresponding actuation, demanding safe and fault-tolerant communication. Vehicles are undergoing major conceptual changes, incorporating more and more elements whose operation draws more energy from the power supplies. Several systems present in vehicles generate noise such as Electrical Fast Transients (EFT), which occur in the simplest everyday operations of the vehicle, such as switching the headlights, the air conditioning or the windscreen wipers on and off, or even activating the daytime running lights (DRL). In this work several tests were carried out, using ECUs with different functions and protocols, to identify the susceptibility of these systems and protocols to the presence of such noise.
    To comply with the IEC 62228 and ISO 26262 standards, this work required the design and construction of two different electronic circuits: one to observe the rise and fall times of the EFT pulses, and another to observe the architecture of the printed circuit board (PCB) layout, its inputs, outputs, components, etc. These tests aimed to identify how susceptible these protocols are to this type of noise, using analysis metrics based on the latency and jitter variation of the communication packets.

    The increasing complexity and accountability of embedded devices in vehicles today has driven efforts to develop control systems that are faster, more accurate, safer and more robust. Thus, these devices are taking communication protocols to an unprecedented level of demand, both in terms of capacity and reliability. Protocols such as CAN, CAN-FD and FlexRay, among others, have been used due to their safety characteristics and their ability to meet the timing requirements of various embedded circuits. The increasing development and use of safety-focused devices means that communication between the various components of these devices is required to the utmost, leading to the need for extremely reliable responses. Systems such as ABS brakes, active suspension, autonomous emergency braking and adaptive cruise control, among others, which involve various ECUs distributed throughout the vehicle, have milliseconds for system reaction between the input signal and the concrete actuation, requiring safe and fault-tolerant communication. Vehicles today are undergoing major conceptual changes, bringing more and more elements whose operation requires more energy from the power supplies.
    These systems generate noise such as Electrical Fast Transients (EFT), which are present in the simplest daily operations of the vehicle, such as turning on the headlights, the air conditioner or the windscreen wipers, or even the daytime running lights (DRL). In this work several tests were carried out, using ECUs with different functions and different protocols, to identify the susceptibility of these systems and protocols to such noise. In order to comply with the IEC 62228 and ISO 26262 standards, this work required the design and construction of two different electronic circuits, one observing the rise and fall time data of the EFT pulses, and the other observing the architecture of the printed circuit board (PCB) layout, its inputs, outputs, components, etc. These tests aimed to identify how susceptible these protocols are to these types of noise, using analysis metrics based on latency time and jitter variation of communication packets.

    Methodology for testing and analysing performance degradation in intra-vehicular communication protocols

    Considering the effects of faults and interference that affect intra-vehicular networks from the design of their control systems onwards has become essential, since the complexity of embedded electronics, the increase in information flow and the possibility of malicious attacks have made the design of these systems an increasingly complex task. In this context, this thesis explores ways to integrate and model the degradation effects caused by the different types of faults that affect the communication protocols interconnecting the electronic control units (ECUs). Among these faults, the research highlights an in-depth study of electrical fast transients (EFT), which degrade performance and produce effects such as packet loss and communication delays. The thesis thus contributes a methodology for handling faults in real-time critical systems from the early design phases, using aspect-oriented modelling to model and specify system requirements according to the cross-cutting characteristics of fault-related non-functional requirements. To define the non-functional requirements, this research builds on the RT-FRIDA (Real-Time From Requirements to Design using Aspects) framework, which was extended to cover fault modelling in more detail. To validate the methodology, a performance degradation diagnostic mechanism was developed and integrated into an active suspension control system. The study was evaluated under different network load scenarios and with fault injection using two types of hardware that follow test standards used in industry. The results demonstrated the applicability of the methodology, with the modelling of a diagnostic mechanism that detected and recorded the performance disturbances in the scenarios studied.
    The analyses highlight the marked performance degradation recorded with EFT injections of higher voltage amplitude and shorter burst time, at network occupancy loads above 30%. The experiments evaluated the performance of current communication protocols, with the best results obtained for FlexRay and CAN-FD, confirming the evolution of the protocols to meet the recent performance demands of the automotive industry.

    Embedded computing applications are increasingly demanding performance and reliability, because these factors are critical to the safety of real-time systems. Reliability aspects in the design phases are a fundamental point of much research, because the growth of embedded electronics and network data transmission, and also the possibility of attacks on them, make the design of these systems an increasingly complex task. The present thesis aims to explore and correlate different fault types that degrade the performance of the vehicular communication protocols used to interconnect embedded control units (ECUs). Among these faults, electrical fast transients (EFT) are highlighted, since they generate effects such as packet loss and communication delays. Thus, a methodology based on aspect-oriented modeling concepts for real-time critical systems is proposed, to model and specify system requirements according to the cross-cutting concerns of fault-related non-functional requirements. For the specification of non-functional requirements, this work is based on the RT-FRIDA (Real-Time From Requirements to Design using Aspects) framework, which was extended for fault modeling. Thus, the novel methodology allows fault modeling following aspect-oriented principles from the early design phases. For methodology validation purposes, a performance degradation diagnostic mechanism was developed, which was integrated into an active suspension control system.
    The study was evaluated in different network busload scenarios and with fault injections using two hardware types, certified according to standards used in the automotive industry. The results show that the developed mechanism detected performance disturbances, recording occurrence data in the studied scenarios. The analyses emphasize the greatest performance degradation observed with EFT injection of higher voltage amplitude, shorter burst time, and busload above 30%. The experiments evaluated the performance of current communication protocols, with better results obtained in FlexRay and CAN-FD, which confirms the protocols' evolution to meet the recent performance demands of the automotive industry.