
    Multiple security domain nondeducibility air traffic surveillance systems

    Traditional security models partition the security universe into two distinct and completely separate worlds: high and low level. This partition is absolute and complete. The partition of security domains into high and low is too simplistic for more complex cyber-physical systems (CPS). Absolute divisions are conceptually clean, but they do not reflect the real world. Security partitions often overlap, frequently provide for the high level to have complete access to the low level, and are more complex than an impervious wall. The traditional models that handle situations where the security domains are complex or the threat space is ill defined are limited to mutually exclusive worlds. These models are limited to accepting commands from a single source in a system, but a CPS accepts commands from multiple sources. This paper utilizes Multiple Security Domain Nondeducibility (MSDND) as a model to determine information flow among multiple partitions, such as those that occur in a CPS. MSDND is applied to selected aspects of the Traffic Collision and Avoidance System (TCAS) and Automatic Dependent Surveillance-Broadcast (ADS-B) air traffic surveillance systems under various physical and cyber security vulnerabilities to determine when the actual operational state can, and cannot, be deduced. It is also used to determine what additional information inputs and flight physics are needed to determine the actual operational state. Several failure scenarios violating the integrity of the system are considered, with mitigation using invariants. --Abstract, page iii

    Cyber physical security of avionic systems

    “Cyber-physical security is a significant concern for critical infrastructures. The exponential growth of cyber-physical systems (CPSs) and the strong inter-dependency between the cyber and physical components introduce integrity issues such as vulnerability to injecting malicious data and projecting fake sensor measurements. Traditional security models partition the CPS from a security perspective into just two domains: high and low. However, this absolute partition is not adequate to address the challenges in current CPSs, as they are composed of multiple overlapping partitions. Information flow properties are one of the significant classes of cyber-physical security methods that model how inputs of a system affect its outputs across the security partition. Information flow supports traceability, which helps in detecting vulnerabilities and anomalous sources, as well as in rendering mitigation measures. To address the challenges associated with securing CPSs, two novel approaches are introduced by representing a CPS in terms of a graph structure. The first approach is an automated graph-based information flow model introduced to identify information flow paths in the avionics system and partition them into security domains. This approach is applied to selected aspects of the avionic systems to identify the vulnerabilities in case of a system failure or an attack and provide possible mitigation measures. The second approach is based on graph neural networks (GNN) to classify the graphs into different security domains. Using these two approaches, successful partitioning of the CPS into different security domains is possible, in addition to identifying their optimal coverage. These approaches enable designers and engineers to ensure the integrity of the CPS. The engineers and operators can use this process during design-time and in real-time to identify failures or attacks on the system.”--Abstract, page iii

    Cyber-physical security of an electric microgrid

    Cyber-physical systems (CPSs) are physical systems that are controlled or monitored by computer-based systems. CPSs are a combination of computation, networking, and physical processes. As CPSs are a combination of various diverse components, they are vulnerable to several security threats. Moreover, there are many different security domains (not just high/low, nor necessarily hierarchical). This paper utilizes previously developed multiple security domain nondeducibility (MSDND) to uncover potential integrity vulnerabilities in an electric microgrid. Invariants are generated manually using the insights obtained through MSDND analysis, and linear regression is used to automate the generation of invariants. The vulnerabilities are then mitigated, to the extent possible, by adding executable invariants on system operation. Implementation on the Electric Power and Intelligent Control (EPIC) testbed at the Singapore University of Technology and Design is reported. Limitations of the design and successes/shortcomings of attack mitigation are reported. --Abstract, page iii

    Formal Methods for Wireless Systems

    Wireless systems consist of wireless devices which communicate with each other by means of a radio frequency channel. This networking paradigm offers much convenience, but because of the use of the wireless medium it is inherently vulnerable to many threats. As a consequence, security represents an important issue. Security mechanisms developed for wired systems present many limitations when used in a wireless context. The main problems stem from the fact that they operate in a centralised manner and under the assumption of a "closed world". Formal techniques are therefore needed to establish a mathematically rigorous connection between modelling and security goals. In the present dissertation we apply the well-known formalism of process calculus to model the features of wireless communication. The scientific contributions are primarily theoretical. We propose a timed process calculus modelling the communication features of wireless systems and enjoying some desirable time properties. The presence of time allows us to reason about communication collisions. We also provide behavioural equivalences and we prove a number of algebraic laws.
    We illustrate the usability of the calculus by modelling the Carrier Sense Multiple Access scheme, a widely used MAC-level protocol in which a device senses the channel before transmitting. We then focus on security aspects; in particular we propose a trust model for mobile ad hoc networks, composed only of mobile nodes that communicate with each other without relying on any base station. We model our networks as multilevel systems because trust relations associate security levels to nodes depending on their behaviour. Then we embody this trust model in a process calculus modelling the features of ad hoc networks. Our calculus is equipped with behavioural equivalences allowing us to develop an observational theory. We ensure safety despite compromised nodes and prove non-interference results. We then use this calculus to analyse a secure version of a leader election algorithm for ad hoc networks. We also provide an encoding of the endairA routing protocol for ad hoc networks. Finally, we extend the trust-based calculus with timing aspects to reason about the relationship between trust and time. We then apply our calculus to formalise the routing protocol ARAN for ad hoc networks.

    Multiple Security Domain Nondeducibility Air Traffic Surveillance Systems

    Traditional security models partition the security universe into two distinct and completely separate worlds: high and low level. This partition is absolute and complete. More complex situations, such as those that arise in cyber-physical systems (CPS), are better treated as sets of increasingly more secure domains. In a CPS, security partitions often overlap and the high-low distinction does not hold well. This paper utilizes Multiple Security Domain Nondeducibility (MSDND) as a model to determine information flow among multiple partitions, such as those that occur in a CPS. MSDND is applied to selected aspects of the Automatic Dependent Surveillance-Broadcast (ADS-B) air traffic surveillance system under various physical and cyber security vulnerabilities to determine when the actual operational state can, and cannot, be deduced. It is also used to determine what additional information inputs and flight physics are needed to determine the actual operational state. Several failure scenarios violating the integrity of the system are considered, with mitigation using invariants.