How to make model-based, informed design decisions
Author: Stefan David, MathWorks
Contribution – Embedded Software Engineering Congress 2016
Abstract
In the age of networking and machine autonomy (cyber-physical systems), considerable effort is required to ensure that the risk of cybersecurity attacks does not lead to dangerous situations where hackers gain access to security-relevant functions. System and component design and implementation often necessitate compromises and decisions, as the requirements regarding functionality, performance, and safety and security are sometimes contradictory, especially when it comes to standards compliance. We present examples and methods for identifying security vulnerabilities, securing applications, developing standards-compliant solutions, and implementing them quickly and efficiently using model-based design, verification, and static code analysis.
1 Introduction
Security and cybersecurity are increasingly becoming a central focus of software development processes. Recent estimates predict billions of connected devices in 2019 [1] [2].
The US Department of Homeland Security (DHS), through its Industrial Control Systems (ICS) Cyber Emergency Response Team (ICS-CERT), has determined that the highest percentage of known vulnerabilities or security gaps in ICS software are caused by missing or inadequate input validation (Fig. 1 [3], see PDF).
Often, robust security measures fail due to the limited physical resources of embedded systems, especially when small, inexpensive components are used. Once such a system has been compromised, this is difficult to detect, and the software is therefore rarely updated in response. Furthermore, in practice, security is often only considered after the devices have already been fully designed and possibly even put into operation.
Due to the high risk of attacks, regulations and standards for cybersecurity are increasingly emerging. Standards such as CERT C, ISO-TS 17961, CWE, and MISRA C:2012 Amendment 1 address software security. This often necessitates compromises in system and component design and implementation, as requirements regarding functionality, performance, and safety and security are sometimes conflicting, especially when it comes to compliance with standards.
2. Model-based threat/risk analysis
Model-based design has proven to be an effective methodology for detecting and correcting errors and weaknesses during early development phases, where this is far more cost-effective than in later phases [4]. The structure of a model generally corresponds to that of the embedded software application it represents, which in many cases is connected to external components via interfaces (Fig. 2, see PDF). These interfaces can give unauthorized access to sensitive areas of the application.
A structured approach to identifying the cause and propagation of attacks is key to success. Fig. 3 (see PDF) shows analysis methods that are carried out across different levels, e.g. Assets and Attack Potentials as well as Threat and Risk Assessment. Targeted attack scenarios are injected at the inputs of the model – consisting of the blocks Sensors, Control and Actuators – in order to find out which channels are vulnerable.
The attack methods used in the model are:
- Attacker-centric: This approach starts with the attacker himself, in order to simulate his attack targets.
- Design-centric: This approach examines the design of the system itself and identifies potential weaknesses.
- Asset-centric: This approach refers to data, information, or devices that need protection. This mostly highly confidential information has a higher priority than that of the overall system and must therefore be considered and protected separately.
In combination with formal analysis methods, this enables threat modeling. The aim is to represent possible attack paths as scenarios and to identify, prioritize, and close the vulnerabilities exposed by potential attacks. For example, the Simulink Design Verifier [5] uses formal methods to automatically identify vulnerabilities in Simulink models without extensive simulation runs. Property proving can demonstrate whether the design functions as described in the requirements, taking the attack scenario into account. If this proof cannot be provided, a counterexample is determined, which can be executed as a test case on the model to reveal the faulty behavior and/or to validate the security algorithms intended to defend against the attacks (Fig. 4, see PDF).
For threat modeling, the following attack models, for example, can be used:
- Interruption attack model [6]: to interrupt the flow of information
- Overflow attack model [7]: Provoking data type overflows via input channels
- Man-in-the-middle attack [7]: intercepting the communication between two systems.
Fuzzing (Fig. 5, see PDF) or fault injection (FIM) is a testing methodology in which an application model is fed with valid and invalid inputs, or "fault injections." These are intended to simulate specific attacks on the interfaces. The system is then examined for specific violations, such as those against functional or performance requirements.
3. Verification at the code level
Integrating individual software components into a complete system at the code level, which is e.g. multitasking and interruptible, can create additional vulnerabilities that allow attacks and require analysis at the code level.
One approach to complying with the state of the art is the application of security guidelines to identify and avoid vulnerabilities. Fig. 7 (see PDF) gives an overview of common coding standards, classified by whether the standard addresses security or safety, based on "The CERT C Coding Standard" [8]; MISRA C:2012 now also addresses security through Amendment 1.
An effective and cost-efficient approach to testing is static code analysis. It helps to:
- automate manual code reviews and tests
- check software for compliance with coding guidelines and to document or comment on violations
- automatically find weaknesses and defects
An example of a potential vulnerability is data that is used in a function but is passed to that function from an external source (tainted data), e.g., the size of a passed array. By deliberately manipulating this value, an attacker can cause access outside the valid array boundaries, and thus to an arbitrary memory area. Tainted data is a popular target for attacks, and such an array access can pose both a safety and a security problem. Fig. 8 (see PDF) shows an example of identifying tainted data vulnerabilities using static code analysis.
Once the vulnerability is identified, it can be addressed in the design or code, for example by specifically checking the interface for the validity of the parameters passed at runtime, thus increasing the robustness of the application.
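The following C example, added here and not taken from the paper or from any MathWorks product, illustrates the tainted-data case above together with the fault-injection idea from Section 2: an index and a correction value arrive from an external interface, the unchecked variant is what a static analyzer would flag, and the hardened variant validates both parameters at the interface. The calibration table, the function names and the injected fault values are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define BUF_LEN 8u
/* Constructed calibration table standing in for application data. */
static const int16_t calib[BUF_LEN] = {100, 101, 102, 103, 104, 105, 106, 107};

/* Vulnerable: idx and delta are tainted (they come from an external
 * interface) and are used without validation. An out-of-range idx reads
 * outside the array; a large delta overflows the int16_t result. */
int16_t corrected_unchecked(size_t idx, int16_t delta)
{
    return (int16_t)(calib[idx] + delta);
}

/* Hardened: every tainted parameter is checked at the interface. The
 * function reports a violation instead of producing an undefined value,
 * so the caller can fall back to a safe default. */
bool corrected_checked(size_t idx, int16_t delta, int16_t *out)
{
    if (idx >= BUF_LEN)                     /* array bounds check */
        return false;
    int32_t sum = (int32_t)calib[idx] + delta;  /* widen, then range-check */
    if (sum < INT16_MIN || sum > INT16_MAX)     /* data type overflow check */
        return false;
    *out = (int16_t)sum;
    return true;
}

/* Fault-injection driver (constructed cases): boundary and out-of-range
 * inputs as an attacker could supply them. Returns how many of the
 * injected inputs the hardened interface rejected. */
typedef struct { size_t idx; int16_t delta; } fault_t;

int count_rejected(void)
{
    static const fault_t faults[] = {
        {0u, 0},           {BUF_LEN - 1u, 0},  /* valid boundary indices */
        {BUF_LEN, 0},      {SIZE_MAX, 0},      /* index outside the array */
        {1u, INT16_MAX},                        /* overflow attack on int16 */
        {1u, -50},                              /* valid negative correction */
    };
    int rejected = 0;
    for (size_t i = 0; i < sizeof faults / sizeof faults[0]; i++) {
        int16_t v;
        if (!corrected_checked(faults[i].idx, faults[i].delta, &v))
            rejected++;
    }
    return rejected;   /* 3 of the 6 injected inputs are rejected */
}
```

The unchecked variant is kept only to show what the analyzer reports; exercising it with the rejected inputs is undefined behaviour, which is exactly the defect the runtime check removes.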
Static analysis tools that also offer formal control and data flow analysis, such as Polyspace Code Prover [9], are able to prove the absence of certain errors or vulnerabilities, which significantly reduces the effort required for testing, reviews, and demonstrating compliance with standards (Fig. 9, see PDF). Furthermore, this also allows for increased code performance and reduced memory requirements, as runtime checks can be used or omitted in a much more targeted manner [10].
4 Summary
The design and implementation of networked software systems often require compromises, especially when it comes to complying with standards and coding guidelines. This makes it crucial to identify and address vulnerabilities and defects early on, ideally during the design and implementation phases. We have demonstrated model- and code-based methods that can simulate attacks early and cost-effectively increase robustness. Formal methods, in particular, can now be easily employed to improve code performance and reduce memory requirements. Furthermore, model-based development enables a significantly faster response to changing standards and identified vulnerabilities than traditionally developed systems.
Literature
[1] J. Greenough, "The Internet of Things will be the world's most massive device market and save companies billions of dollars," Feb 2015
https://www.businessinsider.de/the-internet-of-things-market-growth-and-trends-2015-2?r=US&IR=T
[2] UGCS: Adviser, "The Internet of Things: Making the most of the Second Digital Evolution"
https://www.gov.uk/government/uploads/attachment_data/file/409774/14-1230-internet-of-things-review.pdf
[4] A. Wasicek, P. Derler, and E. A. Lee. Aspect-oriented modeling of attacks in automotive cyber-physical systems. In Design Automation Conference (DAC), 2014 51st ACM/EDAC/IEEE, pages 1-6. IEEE, 2014.
[5] https://de.mathworks.com/products/sldesignverifier/
[6] G. Tassey. The economic impacts of inadequate infrastructure for software testing. RTI Project Number 7007.011, NIST, 2002.
[7] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, T. Kohno, et al. Comprehensive experimental analyses of automotive attack surfaces. In USENIX Security Symposium, San Francisco, 2011.
[8] Robert C. Seacord, The CERT C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems. SEI Series in Software Engineering, Addison-Wesley, 2014, ISBN 0321984048, 9780321984043
[9] https://de.mathworks.com/products/polyspace/
[10] https://www.elektronikpraxis.vogel.de/embedded computing/articles/342436/index2.html