Interdisciplinary Research Center on Critical Systems Engineering for Socio-Technical Systems
Concurrency Theoretical Problems that matter for Security
Sibylle Fröschle
With Marlon Gräfing, Thomas Strathmann, Alexander Stühring, Jithin Zacharias
Project: Interdisciplinary Research Center on Critical Systems Engineering for Socio-Technical Systems (CSE)
Web: http://www.uni-oldenburg.de/cse/
Event: OPCT, 2017-06-29
Networked and Automated Systems: Automotive & Maritime
Security News: Automotive
[News clippings: www.forbes.com, 24.07.2013; Die Welt, 24.04.2016; heise Security, 15.02.2017]
How can cyber-physical systems be developed and operated in a safe and secure way? How can this be done in a verifiable, and hence certifiable, manner?
Plan
1. V2X Security Architecture
2. Analysis of Complex Cryptographic Architectures
3. Safety & Security Engineering
4. Conclusions
Communication Security
˃ Cryptography to ensure message integrity and privacy
˃ Public Key Infrastructure for key management
[Diagram, example: ETSI V2X standards. Entities: Enrolment Authority, Authorization Authority, Roadside Unit, Vehicle, PDA. Enrolment over secure channel; authorization over secure channel; Cooperative Awareness & Safety Notifications with digital signatures & pseudonyms between vehicle, roadside unit and PDA. Assumption: attacker present (open channel).]
Endpoint Security?
[Diagram, example: ETSI V2X standards. Same architecture as before: Enrolment Authority, Authorization Authority, Roadside Unit, Vehicle, PDA; enrolment and authorization over secure channels; Cooperative Awareness & Safety Notifications with digital signatures & pseudonyms. Assumption: endpoint compromised (malware on the vehicle).]
Endpoint Security
˃ Hardware Security Modules (HSMs) as trust anchors
˃ Enable secure key management and platform integrity
[Diagram, example: ETSI V2X standards. Same architecture, now with HSMs at the endpoints: Smartcard, Trusted Platform Module, Automotive HSM, Large HSM.]
Analysis of Cryptographic Architectures
Security Protocols (Alice and Bob):
  A → B: {N_A, A}_{K_B}
  B → A: {N_A, N_B}_{K_A}
  A → B: {N_B}_{K_B}
Security APIs (Host and HSM):
  Host → HSM: Generate Key(type)
  HSM → Host: h_K (= handle)
  Host → HSM: Encrypt(data, h_K)
  HSM → Host: {data}_K
Prone to subtle attacks!
System-of-Systems Security Goals
• Can only be reached in a cumulative way
• Several parties
• Evolution, lifecycle, key management
[Diagram: hardware security modules as anchor of trust: key management, secure communication, secure storage, secure boot & update. Entities: Enrolment Authority, Authorization Authority, Roadside Unit, Vehicle, PDA; enrolment; authorization. CAM ... Cooperative Awareness Message; DENM ... Decentralized Environmental Notification Message.]
Key origin authentication: Whenever cert is a valid certificate for public key K_V and according to cert key K_V belongs to vehicle V, then the corresponding private key K_V^{-1} has been generated within V's HSM.
Concurrency Theoretical Problems
˃ Context-explicit protocols and APIs
  ˃ Fröschle, POST'15: Leakiness is decidable for well-founded protocols.
  ˃ Chrétien, Cortier, Delaune, CSF'16
˃ Towards compositional and automated verification of protocols
  ˃ Use results on infinite-state process calculi & context-explicitness
  ˃ Cf. Fröschle, ERO'60 (and references therein)
˃ Semantic clarification: contract-based requirements for systems of systems
  ˃ Multiset rewriting, pi-calculus, strand spaces (a partial order model)
  ˃ Fröschle, Habil'12, chapter "Models"
  ˃ Contract-based requirements for systems of systems
  ˃ FOLTL useful! (see API framework; work in progress for SoS)
Plan
1. V2X Security Architecture
2. Analysis of Complex Security Architectures
3. Safety & Security Engineering
   a. System
   b. System of Systems
4. Conclusions
Automotive Safety & Security Engineering
ISO 26262 & security extensions, e.g. SAE J3061
[Diagram: SAE J3061 cybersecurity lifecycle (V-model). Management of Cybersecurity; Supporting Processes. Concept Phase: Feature Definition; Initiation of Cybersecurity Lifecycle; Threat Analysis & Risk Assessment; Cybersecurity Concept; Functional Cybersecurity Requirements; Initial Cybersecurity Assessment; Concept Phase Review. Product Development: Initiation of Product Development at System Level; System Level, Hardware Level, Software Level; Design Phases; Integration & Test Phases; Cybersecurity-related production requirements; Release for Production. Production and Operation: Production (Planning); Maintenance & Repair; Secure Update and Diagnostics; Field Monitoring and Cybersecurity Incident Response.]
Safety & Security Engineering: System
˃ Existing security mechanisms & architectures not yet integrated into development process
˃ Goal: Reduce risk by an integrated safety & security analysis and concept in early design phases
[Diagram: in-vehicle architecture. TCU and Infotainment on CAN Infotainment; Gateway with ECU Update; EPS, PAM and Sensor on CAN Powertrain; CAN Diagnostics; CAN Comfort.]
In-vehicle attacker:
① Obtain remote code execution on the TCU via a software vulnerability.
② Compromise the gateway ECU, e.g. via ECU update.
③ Inject cyber-physical messages, e.g. messages that control the steering wheel angle. (Necessary for park assistance: PAM to EPS.)
CAN ... Controller Area Network; TCU ... Telematics Control Unit; EPS ... Electric Power Steering; PAM ... Park Assist Module
Safety & Security Engineering: System
˃ Existing security mechanisms & architectures not yet integrated into development process
˃ Goal: Reduce risk by an integrated safety & security analysis and concept in early design phases
Safety & Security Concept: defence-in-depth, security measures + safety measures.
① Software security (TCU)
② Strong access control for ECU update (gateway)
③ Check of the situational context before a cyber-physical message is executed (EPS). Context check: execute messages that control the steering angle only if PA = on and v < 8 km/h.
CAN ... Controller Area Network; TCU ... Telematics Control Unit; EPS ... Electric Power Steering; PAM ... Park Assist Module
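The context check of measure ③, written out as an added example (not code from the talk or the CSE project): the CAN identifiers, the frame layout and the 0.1 km/h speed encoding are constructed assumptions; only the rule "PA = on and v < 8 km/h" comes from the slide.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed example values: CAN identifiers and the speed encoding are
 * hypothetical, not taken from ETSI, SAE J3061 or any vehicle platform. */
#define CAN_ID_PAM_STEER_CMD 0x1A0u   /* PAM -> EPS steering-angle command */
#define CAN_ID_WHEEL_SPEED   0x2B0u   /* plain sensor frame, not actuating */

/* Threshold from the slide: steering commands only while v < 8 km/h.
 * Speed is carried in 0.1 km/h units so no floating point is needed. */
#define STEER_MAX_SPEED_KMH_X10 80u

typedef struct {
    uint32_t id;
    uint8_t  dlc;
    uint8_t  data[8];
} can_frame_t;

/* Situational context (PA state, vehicle speed) that the gateway or EPS
 * maintains from in-vehicle signals it trusts. */
typedef struct {
    bool     park_assist_on;  /* PA = on */
    uint16_t speed_kmh_x10;   /* v in 0.1 km/h */
} vehicle_context_t;

/* Measure 3 of the defence-in-depth concept: a steering-angle command is
 * executed only if PA = on and v < 8 km/h; anything else is dropped.
 * Non-actuating frames pass unchanged. */
bool context_check_allows(const can_frame_t *f, const vehicle_context_t *ctx)
{
    if (f->id != CAN_ID_PAM_STEER_CMD)    /* not cyber-physical: pass */
        return true;
    if (f->dlc < 2)                       /* malformed command: deny */
        return false;
    if (!ctx->park_assist_on)             /* PA must be active */
        return false;
    return ctx->speed_kmh_x10 < STEER_MAX_SPEED_KMH_X10;
}

/* Convenience wrapper: decide for a well-formed steering command. */
bool steer_cmd_allowed(bool park_assist_on, uint16_t speed_kmh_x10)
{
    const can_frame_t cmd = { CAN_ID_PAM_STEER_CMD, 2, { 0x10, 0x00 } };
    const vehicle_context_t ctx = { park_assist_on, speed_kmh_x10 };
    return context_check_allows(&cmd, &ctx);
}
```

The check is deliberately default-deny for actuating frames: a command injected while park assist is off, or at 8 km/h and above, is dropped regardless of how it reached the bus.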