
Secure, high-performance, or fast-developing: What would you like?

Using static analysis for better design decisions

Author: Christian Guss, MathWorks

Contribution – Embedded Software Engineering Congress 2017

In the age of networking and machine autonomy (cyber-physical systems), considerable effort is required to ensure that the risk of cybersecurity attacks does not lead to dangerous situations, as hackers can gain access to security-relevant functions. System and component design and implementation often necessitate compromises and decisions, since the requirements regarding functionality, performance, and safety and security are sometimes contradictory, especially when it comes to meeting standards. We present examples and methods for how model-based design, verification, and static code analysis can be used to identify security vulnerabilities, secure applications, develop standards-compliant solutions, and still implement them quickly and efficiently.

Introduction

Security and cybersecurity are increasingly becoming a central focus of software development processes. Recent estimates predict billions of networked devices in 2019 [1][2].

The US Department of Homeland Security (DHS), through its Industrial Control Systems (ICS) Cyber Emergency Response Team (ICS-CERT), has determined that the highest percentage of known vulnerabilities or security gaps in ICS software are caused by missing or inadequate input validation (Fig. 1, see PDF).

Often, robust security measures fail because of the limited physical resources of embedded systems, especially when small, inexpensive components are used. Once such a system has been compromised, the compromise is difficult to detect, so the software is not updated in time. Furthermore, in practice, security is often only considered after the devices have already been fully designed and possibly even put into operation.

Due to the high risk of attacks, regulations and standards concerning cybersecurity are increasingly emerging. Standards such as CERT C, ISO/IEC TS 17961, the CWE, and MISRA C:2012 Amendment 1 address the issue of software security. This often necessitates compromises in system and component design and implementation, as the requirements regarding functionality, performance, and safety and security are sometimes conflicting, especially when it comes to compliance with standards.

Model-based threat/risk analysis

Model-based design has proven to be an effective methodology for detecting and correcting errors and weaknesses more cost-effectively during the early development phases than in later phases [4]. A model generally represents the application of an embedded software system, which in many cases is connected to external components via interfaces (Fig. 2, see PDF). These interfaces can give unauthorized users access to sensitive areas of the application.

A structured approach to identifying the cause and propagation of attacks is a key success factor. Fig. 3 (see PDF) shows analytical methods that are carried out at different levels, e.g. Assets and Attack Potentials, as well as Threat and Risk Assessment. Targeted attack scenarios are injected at the inputs of the model, which consists of the blocks Sensors, Control and Actuators, in order to find out which channels are vulnerable.

The attack methods used in the model are:

  • Attacker-centric: This approach starts with the attacker himself, in order to simulate his attack targets.
  • Design-centric: This approach examines the design of the system itself and identifies potential weaknesses.
  • Asset-centric: This approach refers to data, information, or devices that need protection. Such assets are mostly highly confidential information; they have a higher priority than the overall system and must therefore be considered and protected separately.

In combination with formal analysis methods, this enables threat modeling. The goal is to represent potential attack paths as scenarios and to identify, prioritize, and close vulnerabilities caused by possible attacks. For example, the Simulink Design Verifier [5] uses formal methods to automatically identify vulnerabilities in Simulink models without extensive simulation runs. Property proving demonstrates that the design functions as described in the requirements, taking the attack scenario into account. If this is not the case, a counterexample is determined, which can be executed as a test case on the model to reveal the faulty behavior and/or to validate the security algorithms intended to defend against the attacks (Fig. 4, see PDF).

For threat modeling, the following attack models, for example, can be used:

  • Interruption attack model [6]: interrupting the flow of information
  • Overflow attack model [7]: provoking data type overflows via input channels
  • Man-in-the-middle attack [7]: an approach to intercept communication between two systems

Fuzzing (Fig. 5, see PDF), or fault injection (FIM), is a testing methodology used to feed an application model with valid and invalid inputs, or "fault injections." These are intended to simulate specific attacks on the interfaces. The system is thus examined for specific violations, such as those against functional or performance requirements.

Verification at the code level

Integrating individual software components into a complete system at the code level, e.g. one that is multitasking-capable and interruptible, can create additional vulnerabilities that enable attacks; these require analysis at the code level.

One approach to complying with security requirements at the code level is to apply established security guidelines to identify and avoid vulnerabilities. Fig. 7 (see PDF) shows an overview of common coding standards with their classification as to whether the standard addresses security or safety, based on "The CERT C Coding Standard" [8]; MISRA C:2012 now also addresses security through Amendment 1.

An effective and cost-efficient approach to verification is static code analysis. This helps to:

  • automate manual code reviews and tests
  • check software for compliance with coding guidelines and document or comment on violations
  • automatically find weaknesses and defects

An example of a potential vulnerability is data used within a function but passed to that function from an external source (tainted data), such as the size of a passed array. By deliberately manipulating this value, access outside the valid array boundaries, and thus to arbitrary memory, can occur. Tainted data is a popular target for attacks, and such array accesses can pose both a safety and a security problem. Fig. 8 (see PDF) shows an example of how tainted data vulnerabilities are identified using static code analysis.

Once the vulnerability is identified, it can be addressed in the design or code, for example by specifically checking the interface for the validity of the parameters passed at runtime, thus increasing the robustness of the application.
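The following C code is an added illustration of the two points above, the tainted-data check and the fault-injection test; it is not code from the article or from any MathWorks product. The frame layout (one length byte followed by payload bytes), the `parse_frame` and `inject_length_faults` functions, and the 0xA5 filler are constructed for this example. The length byte is the tainted value: it is validated against both the destination buffer and the number of bytes actually received before it is used, and the fault-injection loop feeds every possible length value and checks that no accepted frame exceeds the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed frame format for this example: frame[0] is a length byte
 * (tainted: it arrives over the external interface), frame[1..] is payload. */
#define MAX_PAYLOAD 16

typedef struct {
    uint8_t data[MAX_PAYLOAD];
    size_t  len;
} payload_t;

/* Copies the payload only after the tainted length has been checked against
 * the destination buffer size and the received frame size.
 * Returns 0 on success, -1 when the frame is rejected. */
int parse_frame(const uint8_t *frame, size_t frame_len, payload_t *out)
{
    if (frame == NULL || out == NULL || frame_len < 1)
        return -1;
    size_t claimed = frame[0];          /* tainted value from the interface */
    if (claimed > MAX_PAYLOAD)          /* would write past out->data */
        return -1;
    if (claimed > frame_len - 1)        /* would read past the received frame */
        return -1;
    memcpy(out->data, frame + 1, claimed);
    out->len = claimed;
    return 0;
}

/* Fault injection in the sense of the page: feed the parser every possible
 * length byte (0..255) and count rejections. Returns -1 if any accepted frame
 * violates the buffer invariant, otherwise 0 with *rejected filled in. */
int inject_length_faults(size_t *rejected)
{
    uint8_t frame[1 + 255];
    memset(frame, 0xA5, sizeof frame);  /* constructed payload filler */
    payload_t p;
    size_t rej = 0;
    for (unsigned v = 0; v <= 255; v++) {
        frame[0] = (uint8_t)v;
        int rc = parse_frame(frame, sizeof frame, &p);
        if (rc != 0) { rej++; continue; }
        if (p.len > MAX_PAYLOAD || v > MAX_PAYLOAD)
            return -1;                  /* invariant broken: over-long accept */
    }
    *rejected = rej;
    return 0;
}
```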

Static analysis tools that also have formal control and data flow analysis methods, such as Polyspace Code Prover [9], are additionally able to prove the absence of certain errors or vulnerabilities, thus significantly reducing the effort required for testing, reviews and demonstrating compliance with standards (Fig. 9, see PDF). Furthermore, this also allows for increased code performance and reduced memory requirements, as runtime checks can be used or omitted in a much more targeted manner [10].

Summary

The design and implementation of networked software systems often require compromises, especially when it comes to complying with standards and coding guidelines. This makes it crucial to identify and address vulnerabilities and defects early on, ideally during the design and implementation phases. We have demonstrated model- and code-based methods that can simulate attacks early and cost-effectively increase robustness. Formal methods, in particular, can now be easily integrated into the development process to improve code performance and reduce the effort required for testing and compliance. Furthermore, model-based development enables a significantly faster response to constantly changing standards and other requirements than traditionally developed systems.

References

[1] J. Greenough, "The Internet of Things will be the world's most massive device market and save companies billions of dollars", Feb 2015

[2] UGCS: Adviser, "The Internet of Things: making most of the Second Digital Evolution"

[3] https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf

[4] A. Wasicek, P. Derler, and E. A. Lee, "Aspect-oriented modeling of attacks in automotive cyber-physical systems," in Design Automation Conference (DAC), 2014 51st, pp. 1-6. IEEE, 2014.

[5] https://de.mathworks.com/products/sldesignverifier/

[6] G. Tassey, "The economic impacts of inadequate infrastructure for software testing," RTI Project Number 7007.011, NIST, 2002.

[7] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, T. Kohno, et al., "Comprehensive experimental analyses of automotive attack surfaces," in USENIX Security Symposium, San Francisco, 2011.

[8] R. C. Seacord, The CERT C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems, SEI Series in Software Engineering, Addison-Wesley, 2014, ISBN 0321984048, 9780321984043.

[9] https://de.mathworks.com/products/polyspace/

[10] https://www.elektronikpraxis.vogel.de/embedded computing/articles/342436/index2.html
