Generating Test Sequences and Slices for Simulink/Stateflow Models

In a typical software development project more than 50 percent of software development effort is spent in testing phase. Test case design as well as execution consumes a lot of time. So automated generation of test cases is highly required. In our thesis we generated test sequences from Simulink/Stateflow, which is used to develop Embedded control systems. Testing of these systems is very important in order to provide error free systems as well as quality assurance. For these purpose Test cases are used to test the systems. We developed the test sequences which are use to generate test cases. First, we represent the System using Simulink/Stateflow models. For this purpose normally we use Simulink tool, which is available in the MATLAB. We developed the dependency graph from the SL/SF model. For Simulink part of the model we use Out put dependency and for the Stateflow part of the model we use Control dependency graph. From those graphs we generate the test sequences. Simulink/Stateflow models often consist of more than ten thousand blocks and a large number of hierarchi-cal levels. In this, we present an approach for slicing Simulink/Stateflow models using dependence graphs from the automotive and avionics do-main. With slicing, the complexity of a model can be reduced to a given point of interest by removing unrelated model elements

Learning-guided network fuzzing for testing cyber-physical system defences

The threat of attack faced by cyber-physical systems (CPSs), especially when they play a critical role in automating public infrastructure, has motivated research into a wide variety of attack defence mechanisms. Assessing their effectiveness is challenging, however, as realistic sets of attacks to test them against are not always available. In this paper, we propose smart fuzzing, an automated, machine learning guided technique for systematically finding 'test suites' of CPS network attacks, without requiring any knowledge of the system's control programs or physical processes. Our approach uses predictive machine learning models and metaheuristic search algorithms to guide the fuzzing of actuators so as to drive the CPS into different unsafe physical states. We demonstrate the efficacy of smart fuzzing by implementing it for two real-world CPS testbeds---a water purification plant and a water distribution system---finding attacks that drive them into 27 different unsafe states involving water flow, pressure, and tank levels, including six that were not covered by an established attack benchmark. Finally, we use our approach to test the effectiveness of an invariant-based defence system for the water treatment plant, finding two attacks that were not detected by its physical invariant checks, highlighting a potential weakness that could be exploited in certain conditions.Comment: Accepted by ASE 201

HMAKE: Legacy-Compliant Multi-factor Authenticated Key Exchange from Historical Data

In this paper, we introduce two lightweight historical data based multi-factor authenticated key exchange (HMAKE) protocols in the random oracle model. Our HMAKE protocols use a symmetric secret key, as their first authentication factor, together with their second authentication factor, historical data exchanged between the two parties in the past, and the third authentication factor, a set of secret tags associated with the historical data, to establish a secure communication channel between the client and the server. A remarkable security feature of HMAKE is bounded historical tag leakage resilience, which means that (informally speaking) if a small portion of the secret tags is leaked to an adversary, it will not affect the security of one HMAKE protocol with an overwhelming probability. Our first HMAKE protocol can provide static bounded leakage resilience, meaning that the secret tags are leaked at the beginning of the security game. To enhance its security, our second HMAKE protocol makes use of our first protocol as a compiler to transform any passively secure two-message key exchange protocol to an actively secure HMAKE protocol with perfect forward secrecy, and therefore it can be secure even if the historical tags are compromised adaptively by an attacker. In addition to the strong security properties we achieved, our protocols can potentially have great impacts in practice: they are efficient in computation, and they are compatible with legacy devices in cyber-physical systems

Control Behavior Integrity for Distributed Cyber-Physical Systems

Cyber-physical control systems, such as industrial control systems (ICS), are increasingly targeted by cyberattacks. Such attacks can potentially cause tremendous damage, affect critical infrastructure or even jeopardize human life when the system does not behave as intended. Cyberattacks, however, are not new and decades of security research have developed plenty of solutions to thwart them. Unfortunately, many of these solutions cannot be easily applied to safety-critical cyber-physical systems. Further, the attack surface of ICS is quite different from what can be commonly assumed in classical IT systems. We present Scadman, a system with the goal to preserve the Control Behavior Integrity (CBI) of distributed cyber-physical systems. By observing the system-wide behavior, the correctness of individual controllers in the system can be verified. This allows Scadman to detect a wide range of attacks against controllers, like programmable logic controller (PLCs), including malware attacks, code-reuse and data-only attacks. We implemented and evaluated Scadman based on a real-world water treatment testbed for research and training on ICS security. Our results show that we can detect a wide range of attacks--including attacks that have previously been undetectable by typical state estimation techniques--while causing no false-positive warning for nominal threshold values.Comment: 15 pages, 8 figure

A Digital Forensic Taxonomy For Programmable Logic Controller Data Artefacts

The growing complexity of industrial control systems (ICS) and increasing cyber attacks targeting critical infrastructures demand bespoke forensics techniques for Programmable Logic Controllers (PLCs). As they control their critical physical processes, PLCs form the backbone of many ICS. However, due to their unique characteristics and constraints, which include heterogeneous architectures, proprietary technologies and stringent real-time operational requirements, traditional digital forensic techniques may not be directly applicable.PLCs are intricate embedded devices with numerous distinct internal data artefacts, ranging from proprietary firmware to logic codes, safety logs, and process I/O values. Therefore, those tasked with PLC investigation must understand these intricacies and their underlying implications to effectively answer the forensic questions in the aftermath of an incident.To address this need, our paper presents the first tailored taxonomy for digital forensics on PLCs, systematically categorizing the various characteristics, forensic processes and considerations based on the stages involved in a forensic investigation. Furthermore, we employ our developed taxonomy to establish mappings between identified PLC data artefacts and their corresponding attributes, offering a contextualised interrelationships between these artefacts and the PLC forensic investigation steps