
Page 1: Threat Modeling for Security Assessment in · 2015. 7. 28. · Lipson, H. F., Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, Special Report CMS/SEI-2002-SR-009,

Real Time Safety

Threat Modeling for Security Assessment in Cyber-physical Systems

Janusz Zalewski, Florida Gulf Coast University
Steven Drager & William McKeever, Air Force Research Lab, Rome, NY
Andrew J. Kornecki, Embry-Riddle Aeronautical University

Copyright © A.J. Kornecki, 2013 page 1

Presented by A.J. Kornecki at AGH, Krakow, June 25, 2013

Based on a paper: Zalewski, J., Drager, S., McKeever, W., Kornecki, A.J., "Threat Modeling for Security Assessment in Cyber-physical Systems", CSIIRW'2012, ACM 978-1-4503-1687-3/12/10, Oak Ridge, Tenn., USA, October 30 - November 1, 2012

Page 2: Overview

• Introduction and Motivation
• How to Measure?
• Control and Cyber-physical Systems
• Threat Modeling
• Security Risk Assessment
• Experiments
• Conclusion

Page 3: Why Threat Modeling?

• System designers must first determine what threats are feasible [and then what security policies make economic sense relative to the values of resources exposed to a threat]

  Source: D. Kleidermacher, M. Kleidermacher, Embedded Systems Security, Newnes/Elsevier, Oxford, 2012

• In case of an imminent security breach: "cyber-physical systems require either reconfiguration to reacquire the needed resources automatically or a graceful degradation if the resources are not available"

  Source: National Research Council, Committee for Advancing Software-Intensive Systems Producibility, Critical Code: Software Producibility for Defense, National Academies Press, 2010

Page 4: Threat Trends

[Chart, after Lipson (2002), page 10: Attack Sophistication and Intruder Knowledge plotted on a Low-to-High scale against the years 1980, 1985, 1990, 1995, 2000, 2005 and 2012. Attack techniques marked on the timeline: Password Guessing, Self-Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Hijacking Sessions, Sweepers, Sniffers, Packet Spoofing, GUI, Automated Probes/Scans, Network Management Diagnostics, WWW Attacks, Denial of Service, Distributed Attack Tools, "Stealth"/Advanced Scanning Techniques, Zombies, BOTS, Morphing Malicious Code, STUXNET/Flame. A further label in the figure reads "Attackers".]

• Threats become more complex as attackers proliferate

Source: Lipson, H. F., Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, Special Report CMU/SEI-2002-SR-009, November 2002, page 10.

Page 5: Example: Modern Aircraft Threat Trends

[Figure: modern aircraft threat trends; no text recoverable from the transcript]

{courtesy of Volpe National Transportation System Center, June 2013}

Page 6: Aircraft Data Network (ADN)

[Figure: the four ARINC 664 Part 5 network domains]

Domain | Purpose | Elements named in the figure
Aircraft Control | Control the Airplane | Flight and Embedded Control Systems; Cabin Core
Airline Information Services | Operate the Airline | -
Passenger Information and Entertainment | Entertain the Passengers | Entertainment Services
Passenger-Owned Devices | Entertain the Passengers | -

Further labels in the figure: AFDX, IFE - TBD, EFB/Gatelink, Engine HUMS; domain classification Closed / Private / Public.

{source: ARINC 664, Aircraft Data Network, Part 5, Network Domain Characteristics and Interconnection}

Page 7: Security Standards, Guidelines & Initiatives

• FAA/RTCA SC-216 (Aeronautical System Security) & EUROCAE WG-72 Subcommittees
  o DO-326: Airworthiness Security Process Specification
  o DO-XXX: Security Assurance and Assessment Methods for Safety-Related Aircraft Systems
  o DO-YYY: Security Guidance for Instructions for Continuing Airworthiness (ICA)
  o FAA Advisory Circular (AC)
• ARINC Network Infrastructure and Security (NIS) Working Group
  o Best Practices (Security Catalog)
  o ARINC 842: Guidance for Usage of Digital Certificates
• ICAO Twelfth ANC:
  o Working Paper 122: Cyber Security For Civil Aviation (November 2012)

Page 8: Are We Preoccupied with Measurements?

• We are missing good (any) measures to characterize non-functional software properties related to trustworthiness (safety, security, dependability, etc.), as opposed, for example, to timing properties (responsiveness, timeliness, schedulability, predictability)
• But there are other means …
• How to assess security before the system is put into operation?
  o Theoretical Assessment (analytical model)
  o Actual Experiments (measurements)
  o Simulation (numerical calculations)

Page 9: A Side-bar: How to Measure?

• For example:
  o Property - length
  o Metric - meter
  o Measure - device
• NOW: the definition of the meter is "the length of the path traveled by light in vacuum during a time interval of 1/299 792 458 of a second"
• EARLIER: King Henry I is believed to have decreed that a yard should be "the distance from the King's nose to the end of his outstretched thumb"

Page 10: Classical Views of a Control System

[Figure: two block diagrams side by side, labelled CONVENTIONAL and MODERN (cyber-physical)]

Page 11: Cyber-physical System

• Relationship between the computer/software system and its operational environment

[Figure: SOFTWARE SYSTEM and OPERATIONAL ENVIRONMENT, with the properties SAFETY, SECURITY and RELIABILITY labelled]

Page 12: Safety/Security Views of a Cyber-physical System

[Figure: two views of the cyber-physical system, labelled SAFETY and SECURITY]

Page 13: Analytical Models to Describe System Behavior

• Continuous:
  o Differential Equations
• Discrete:
  o Finite State Machines
  o Finite Automata
  o Petri Nets
  o Bayesian Belief Networks
  o Queuing Theory
  o Rule-based Reasoning
  o Markov Chains ***

Page 14: Example: Discrete-Time Markov Chains

• It is generally not possible to predict individual future states
• However, the statistical properties of future states can be predicted
• The set of all states and the transition probabilities characterize the Markov chain completely
• A finite-state machine can be used as a graphical representation of a Markov chain
• How to develop state transition probabilities? Base them on heuristic analysis of the chain

More in: Kornecki, A., Stevenson, W., Zalewski, J., "Availability Assessment of Embedded Systems with Security Vulnerabilities", Proceedings of the 34th IEEE Software Engineering Workshop SEW 2011, Limerick, Ireland, June 20-21, 2011

Page 15: Case Study - Security Impact Assessment

• A simple case study of a Cooperative Adaptive Cruise Control (CACC)
• Identification of vulnerabilities in incoming messages (commission, omission, corruption, flooding)
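The four message-level vulnerabilities above, as an added example that is not part of the original slides or of the study's code: a receiver-side monitor for the lead vehicle's periodic speed message, run over a constructed CAN trace. The CAN ID 0x201, the 10 Hz period, the 20 frames/s flooding bound and the XOR application checksum are assumptions made for this example.

```python
"""Classifier for the four incoming-message vulnerabilities named on the
slide (commission, omission, corruption, flooding), run over constructed CAN
frames from a lead vehicle to a following CACC node. Added example, not the
study's code; the CAN ID, the 10 Hz period, the rate bound and the
application-level checksum are assumptions made for the example.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional

LEAD_SPEED_ID = 0x201      # assumed CAN ID of the lead vehicle's speed broadcast
PERIOD_S = 0.100           # assumed nominal broadcast period (10 Hz)
LATE_FACTOR = 1.5          # a gap longer than 1.5 periods counts as an omitted frame
MAX_FRAMES_PER_S = 20      # assumed bound: more than 2x the nominal rate is flooding


@dataclass(frozen=True)
class Frame:
    t: float        # receive time in seconds
    can_id: int
    data: bytes     # speed_kph (2 bytes) | seq (1) | padding (4) | checksum (1)


def checksum(body: bytes) -> int:
    """Toy XOR over the first 7 payload bytes. Classic CAN carries only a
    link-layer CRC, so an application checksum (better: a MAC) is what a
    security component adds; XOR is used here only to keep the example short."""
    c = 0
    for b in body[:7]:
        c ^= b
    return c


def make_frame(t: float, speed_kph: int, seq: int, corrupt: bool = False) -> Frame:
    """Build a well-formed frame; corrupt=True flips the checksum byte."""
    body = speed_kph.to_bytes(2, "big") + bytes([seq & 0xFF]) + b"\x00" * 4
    chk = checksum(body) ^ (0xFF if corrupt else 0x00)
    return Frame(t, LEAD_SPEED_ID, body + bytes([chk]))


class MessageMonitor:
    """Stateful receiver-side monitor; classify() returns the verdicts for one frame."""

    def __init__(self) -> None:
        self.last_t: Optional[float] = None
        self.last_seq: Optional[int] = None
        self.window: Deque[float] = deque()   # receive times within the last second

    def classify(self, f: Frame) -> List[str]:
        verdicts: List[str] = []
        if f.can_id != LEAD_SPEED_ID:
            return ["commission"]            # a frame nobody should have sent on this link

        # Flooding: more frames in the trailing 1 s window than the protocol allows.
        self.window.append(f.t)
        while f.t - self.window[0] > 1.0:
            self.window.popleft()
        if len(self.window) > MAX_FRAMES_PER_S:
            verdicts.append("flooding")

        # Omission: the expected periodic frame did not arrive on time.
        if self.last_t is not None and f.t - self.last_t > LATE_FACTOR * PERIOD_S:
            verdicts.append("omission")
        self.last_t = f.t

        # Corruption: payload fails its integrity check; its sequence number is not trusted.
        if len(f.data) != 8 or checksum(f.data) != f.data[7]:
            verdicts.append("corruption")
            return verdicts

        # Sequence check on a frame that passed integrity: a repeated number is a
        # replayed/injected frame (commission), a skipped number a lost or deleted one (omission).
        seq = f.data[2]
        if self.last_seq is not None:
            expected = (self.last_seq + 1) % 256
            if seq == self.last_seq:
                verdicts.append("commission")
            elif seq != expected and "omission" not in verdicts:
                verdicts.append("omission")
        self.last_seq = seq
        return verdicts or ["ok"]


def run(frames: List[Frame]) -> List[List[str]]:
    """Classify a whole trace with one monitor instance."""
    mon = MessageMonitor()
    return [mon.classify(f) for f in frames]


# Constructed trace: normal traffic, a lost frame, a corrupted frame, a replay
# and a frame on an unexpected ID.
SAMPLE_TRACE = [
    make_frame(0.0, 80, 1),
    make_frame(0.1, 80, 2),
    make_frame(0.3, 81, 4),                                     # seq 3 never arrived: omission
    make_frame(0.4, 81, 5, corrupt=True),                       # corruption
    make_frame(0.5, 81, 5),                                     # the genuine seq 5 frame: ok
    Frame(0.55, LEAD_SPEED_ID, make_frame(0.5, 81, 5).data),    # replay: commission
    Frame(0.6, 0x7FF, b"\x00" * 8),                             # unexpected ID: commission
]

if __name__ == "__main__":
    for f, v in zip(SAMPLE_TRACE, run(SAMPLE_TRACE)):
        print(f"t={f.t:.2f}s id=0x{f.can_id:03X} -> {', '.join(v)}")
```

The verdicts are what drives the transition into the Degraded state of the Markov model on the next slides: a corrupted frame is dropped rather than acted upon, a replayed frame is flagged even though its checksum is valid, and flooding is judged on the rate over a sliding window, not on any single frame.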

Page 16: Case Study - Markov Model

• A Markov model built with the Relex Reliability Studio* tool was used to assess the availability of the system with and without the security component
• CACC implemented as a discrete-time Markov model with three states, the transitions determined by failure rates or repair rates:
  o Operational State (Normal)
  o Degraded State (Flooding, Corruption, Introduction, Deletion)
  o Failed State

* http://www.relex.se/
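A worked version of the three-state model, added here as an example and not the Relex model from the study: a discrete-time Markov chain over the Operational, Degraded and Failed states, solved for its stationary distribution to obtain long-run availability with and without a security component. All per-step transition probabilities are constructed for illustration; as on the slide, the Degraded state lumps the four message vulnerabilities together.

```python
"""Three-state discrete-time Markov chain for one CACC node, after the model
on the slide (Operational, Degraded, Failed). Added example, not the Relex
model from the study: every transition probability below is constructed.
"""
from typing import Dict, List

OPERATIONAL, DEGRADED, FAILED = 0, 1, 2
STATES = ("Operational", "Degraded", "Failed")


def transition_matrix(p_attack: float, p_fail: float, p_recover: float,
                      p_escalate: float, p_repair: float) -> List[List[float]]:
    """Row-stochastic matrix P[i][j] = Pr(next state j | current state i).

    p_attack    Operational -> Degraded: a flooded, corrupted, injected or
                deleted message gets past the node's defences in one step
    p_fail      Operational -> Failed: ordinary hardware or software failure
    p_recover   Degraded -> Operational: the node filters/re-syncs and recovers
    p_escalate  Degraded -> Failed: the attack takes the node down
    p_repair    Failed -> Operational: maintenance or reset
    """
    P = [
        [1.0 - p_attack - p_fail, p_attack, p_fail],
        [p_recover, 1.0 - p_recover - p_escalate, p_escalate],
        [p_repair, 0.0, 1.0 - p_repair],
    ]
    for row in P:
        if min(row) < 0.0 or abs(sum(row) - 1.0) > 1e-12:
            raise ValueError("transition probabilities must be non-negative and sum to 1 per row")
    return P


def steady_state(P: List[List[float]], tol: float = 1e-13,
                 max_iter: int = 200_000) -> List[float]:
    """Stationary distribution pi (pi = pi P) by power iteration.

    Operational and Degraded keep self-loops, so the chain is aperiodic and
    the iteration converges whenever every state can reach Operational.
    """
    n = len(P)
    pi = [1.0 / n] * n
    for _ in range(max_iter):
        nxt = [sum(pi[i] * P[i][j] for i in range(n)) for j in range(n)]
        if max(abs(a - b) for a, b in zip(nxt, pi)) < tol:
            return nxt
        pi = nxt
    raise RuntimeError("power iteration did not converge")


def availability(P: List[List[float]]) -> Dict[str, object]:
    """Long-run availability from the stationary distribution.

    'strict' counts only Operational; 'tolerant' also counts Degraded, where
    the controller still runs, on filtered or stale data.
    """
    pi = steady_state(P)
    return {
        "strict": pi[OPERATIONAL],
        "tolerant": pi[OPERATIONAL] + pi[DEGRADED],
        "pi": pi,
    }


# Constructed per-step probabilities: without the security component attacks
# reach the Degraded state ten times as often and recovery is slower.
WITHOUT_SECURITY = transition_matrix(p_attack=0.05, p_fail=0.001,
                                     p_recover=0.25, p_escalate=0.05, p_repair=0.1)
WITH_SECURITY = transition_matrix(p_attack=0.005, p_fail=0.001,
                                  p_recover=0.5, p_escalate=0.05, p_repair=0.1)

if __name__ == "__main__":
    for label, P in (("without security component", WITHOUT_SECURITY),
                     ("with security component", WITH_SECURITY)):
        a = availability(P)
        print(f"{label}: strict={a['strict']:.4f} tolerant={a['tolerant']:.4f} "
              f"pi={[round(x, 4) for x in a['pi']]}")
```

For this chain the stationary distribution has a closed form that is useful as a check on the numerics: pi_Degraded = p_attack / (p_recover + p_escalate) * pi_Operational and pi_Failed = (p_fail + p_escalate * p_attack / (p_recover + p_escalate)) / p_repair * pi_Operational, normalised so the three sum to one. The "with" and "without" comparison is the quantity the study reports; which of the two availability figures matters depends on whether the CACC controller is allowed to keep acting on filtered data while degraded.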

Page 17: Threats

• Two aspects of handling potential threats in cyber-physical systems:
  o Threat Modeling: A systematic exploration technique to expose any circumstance or event having the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service [IEEE 1074-2006]1
  o Threat Assessment: Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat [CNSS-4009]2

1. IEEE Standard for Developing a Software Project Life Cycle Process, http://standards.ieee.org/findstds/standard/1074-2006.html
2. National Information Assurance (IA) Glossary, http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf

Page 18: Threat Handling Process: a Sequence of Actions

1. Understand the Adversary's View
2. Create a Model: Data Flow Diagrams
3. Determine and Investigate the Threats:
   a) Use STRIDE to identify/define the threats
   b) Use Threat Trees to assess vulnerabilities
   c) Use DREAD to characterize risks
4. Mitigate the Threats
5. Validate the Mitigations

Page 19: Understanding the Adversary's View

[Figure only; no text recoverable from the transcript]

Page 20: Identify and Define Threats: STRIDE

• What is STRIDE? A checklist of six threat categories used to identify and define threats:
  o Spoofing - a situation in which an attacker successfully masquerades as a legitimate party
  o Tampering - intentional modification of data by an attacker that makes them harmful to the user
  o Repudiation - a party denies having sent a message or performed an action, and the system retains no evidence with which the other party could prove otherwise (the countermeasure, non-repudiation, lets users be confident in the authenticity of messages after the event)
  o Information Disclosure - a situation in which user data is available to the attacker
  o Denial of Service - making a resource unavailable to its intended users through a malicious attack
  o Elevation of Privilege - gaining access to resources that are normally protected from an attacker

Page 21: Threat Tree Example

[Figure: a threat tree. The root node is the Root Threat; beneath it hang Conditions, each marked Mitigated or Unmitigated (two Mitigated Conditions and one Unmitigated Condition in the figure). An unmitigated condition is an attack path that remains open.]

Page 22: Characterize Risk: DREAD

• What is DREAD? A scheme of five ratings used to characterize risk:
  o Damage Potential - severity, as related to equipment, resources, and environment
  o Reproducibility - likelihood that the event can be reproduced
  o Exploitability - likelihood that the system can be used unethically or for a malicious purpose
  o Affected Users - severity, as related to the human population affected
  o Discoverability - likelihood that the data/information (the vulnerability) can be found
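Steps 2 and 3 of the process on page 18, carried out on a toy CACC data-flow diagram as an added example (not the authors' model and not the SDL tool's code): STRIDE-per-element enumerates the threats that apply to each kind of DFD element, DREAD rates them, and the list is ranked. The DFD elements, trust zones and DREAD ratings are constructed for illustration.

```python
"""Threat enumeration (STRIDE-per-element) and ranking (DREAD) on a toy CACC
data-flow diagram. Added example; the elements, trust zones and ratings are
constructed, not taken from the authors' model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# STRIDE-per-element: which threat categories apply to each kind of DFD
# element (the rule table used by the SDL threat modeling methodology).
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
CATEGORY = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
            "I": "Information Disclosure", "D": "Denial of Service",
            "E": "Elevation of Privilege"}

# Damage, Reproducibility, Exploitability, Affected users, Discoverability, each 1..10
DREAD = Tuple[int, int, int, int, int]


@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    zone: str                        # trust zone; for a data flow, the sender's zone
    sink_zone: Optional[str] = None  # data flows only: zone of the receiving element


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    dread: DREAD
    crosses_boundary: bool

    @property
    def risk(self) -> float:
        """DREAD risk as the mean of the five ratings."""
        if any(not 1 <= v <= 10 for v in self.dread):
            raise ValueError(f"DREAD ratings must be 1..10: {self.dread}")
        return sum(self.dread) / 5.0


def validate(elements: List[Element]) -> None:
    """Reject unknown element kinds and data flows without a sink zone."""
    for e in elements:
        if e.kind not in APPLICABLE:
            raise ValueError(f"{e.name}: unknown element kind {e.kind!r}")
        if e.kind == "data_flow" and e.sink_zone is None:
            raise ValueError(f"{e.name}: data flow needs a sink zone")


def enumerate_threats(elements: List[Element],
                      ratings: Dict[Tuple[str, str], DREAD]) -> List[Threat]:
    """One Threat per (element, applicable STRIDE category).

    Pairs nobody has rated are kept at the minimum rating rather than dropped,
    so an unreviewed threat stays visible in the list."""
    validate(elements)
    out: List[Threat] = []
    for e in elements:
        crosses = e.kind == "data_flow" and e.sink_zone != e.zone
        for letter in APPLICABLE[e.kind]:
            cat = CATEGORY[letter]
            out.append(Threat(e.name, cat, ratings.get((e.name, cat), (1, 1, 1, 1, 1)), crosses))
    return out


def ranked(threats: List[Threat]) -> List[Threat]:
    """Highest risk first; on ties, threats on boundary-crossing flows first."""
    return sorted(threats, key=lambda t: (t.risk, t.crosses_boundary), reverse=True)


# Constructed DFD: the lead vehicle lies outside our trust zone, its speed
# message enters over the V2V radio link, the controller commands the actuators
# over the in-vehicle network and writes an event log.
CACC_DFD = [
    Element("Lead vehicle", "external_entity", zone="external"),
    Element("V2V speed message", "data_flow", zone="external", sink_zone="vehicle"),
    Element("CACC controller", "process", zone="vehicle"),
    Element("Throttle/brake command", "data_flow", zone="vehicle", sink_zone="vehicle"),
    Element("Actuator ECU", "process", zone="vehicle"),
    Element("Event log", "data_store", zone="vehicle"),
]

# Constructed DREAD ratings for the threats a reviewer judged most relevant.
RATINGS: Dict[Tuple[str, str], DREAD] = {
    ("V2V speed message", "Tampering"): (9, 8, 6, 8, 7),         # forged speed -> wrong headway
    ("V2V speed message", "Denial of Service"): (7, 9, 8, 8, 9),  # flooding the radio link
    ("Lead vehicle", "Spoofing"): (9, 6, 5, 8, 6),               # impersonating the leader
    ("CACC controller", "Elevation of Privilege"): (10, 3, 2, 9, 3),
    ("Event log", "Repudiation"): (4, 5, 4, 3, 4),
}

if __name__ == "__main__":
    for t in ranked(enumerate_threats(CACC_DFD, RATINGS)):
        flag = "*" if t.crosses_boundary else " "
        print(f"{t.risk:4.1f} {flag} {t.element}: {t.category}")
```

The ranked output is the input to steps 4 and 5: the boundary-crossing V2V flow carries the highest-rated tampering and denial-of-service threats, which is exactly the message-level vulnerability set (corruption, flooding, commission, omission) the case study measures.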

Page 23: How to Evaluate Security Risk?

• Safety risk is evaluated as the product of the severity of consequences and the likelihood of hazards
• Security risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of [CNSS-4009]:
  o the adverse impacts that would arise if the event occurs; and
  o the likelihood of occurrence
• We need a system for assessing the severity of computer system security vulnerabilities
• Examples: STRIDE Threat Library, Common Weakness Enumeration (CWE), Common Vulnerabilities and Exposures (CVE), and …

Page 24: What is the Common Vulnerability Scoring System?

• CVSS is a system for assessing the severity of computer system security vulnerabilities
  http://www.first.org/cvss/cvss-guide.pdf
• CVSS defines three groups of metrics for assessing vulnerabilities: base, temporal and environmental (however, only the base group is mandatory)

Page 25: CVSS Base - Impact & Exploitability Metrics

• The base group consists of six metrics divided into two subcategories, impact and exploitability metrics (in lieu of severity)
• Each metric takes one of three non-numerical values; the CVSS v2 guide maps each value onto a fixed numeric weight used by the scoring formula (for example Access Vector Local 0.395, Adjacent Network 0.646, Network 1.0; impact None 0.0, Partial 0.275, Complete 0.660)
  o Impact metrics:
    - Confidentiality, Integrity, Availability: None, Partial, Complete
  o Exploitability metrics:
    - Access Vector: Local, Adjacent Network, Network
    - Access Complexity: High, Medium, Low
    - Authentication: Multiple, Single, None

Page 26: CVSS Base Scoring Formula (CVSS v2)

• All six values are combined, with different weights, by a formula that produces a single number, the base score (the CVSS v2 guide rounds it to one decimal place):
  o BaseScore = ((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact)
  o Impact = 10.41 * (1 - (1 - ConfImpact) * (1 - IntegImpact) * (1 - AvailImpact))
  o Exploitability = 20 * AccessVector * AccessComplexity * Authentication
  o f(Impact) = 0 if Impact is equal to 0, = 1.176 otherwise

Page 27: How is the Threat Model Used?

• How is the Threat Model Used?
  o In Design: Code Review
  o In Implementation: Penetration Testing
  o *** In Security Assessment: Simulation
• Example: mapping a cyber-physical system into the SDL threat modeling tool (CACC imitation)

Page 28: Microsoft SDL Threat Modeling Tool

• Threat modeling is a core element of the Microsoft Security Development Lifecycle (hence SDL); the tool is aimed at the everyday user, making threat modeling easy
• The SDL Threat Modeling Tool enables any developer or software architect to:
  o Communicate about the security design of their systems
  o Analyze designs for security issues using a proven methodology
  o Suggest and manage mitigations for security issues

Page 29: Example Microsoft SDL screen-shot

[Figure: screenshot of the SDL Threat Modeling Tool]

http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx

Page 30: Security Assessment via Simulation

• An actual example of a message exchange system over the CAN network has been set up
• The example includes two CAN nodes communicating with each other over the CAN bus, with additional Internet connectivity for both nodes
• The arrangement imitates part of the functionality of a larger CACC system

CVE ID | Publish Date | Update Date | Score | Access | Complexity | Authentication | Confidentiality | Integrity | Availability
CVE-2011-4415 | 2008-07-01 | 2012-05-11 | 1.2 | Remote | High | Not Required | None | None | None

The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory consumption or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, related to (1) the "len +=" statement and (2) the apr_pcalloc function call, a different vulnerability than CVE-2011-3607.
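The base formula from page 26, as an added example (not code from the paper or from FIRST) with the CVSS v2 metric weights, plus a check of it against the CVE row above. The word-to-vector mapping treats "Remote" as the Network access vector and "Not Required" as Authentication None; that is an assumption about how the table was generated.

```python
"""CVSS v2 base score from the formula on page 26, with the metric weights
from the CVSS v2 guide. Added example, not code from the paper or from FIRST.
"""
import re
from typing import Dict

# Metric weights from the CVSS v2 guide.
WEIGHTS: Dict[str, Dict[str, float]] = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # Access Vector: Local, Adjacent Network, Network
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # Access Complexity: High, Medium, Low
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # Authentication: Multiple, Single, None
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},    # Confidentiality impact: None, Partial, Complete
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},    # Integrity impact
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},    # Availability impact
}
METRICS = ("AV", "AC", "Au", "C", "I", "A")
VECTOR_RE = re.compile(r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$")

# Column words as they appear in vulnerability listings such as the table
# above. Reading "Remote" as the Network access vector is an assumption.
WORDS: Dict[str, Dict[str, str]] = {
    "AV": {"Local": "L", "Adjacent Network": "A", "Remote": "N", "Network": "N"},
    "AC": {"High": "H", "Medium": "M", "Low": "L"},
    "Au": {"Multiple": "M", "Single": "S", "Not Required": "N", "None": "N"},
    "C": {"None": "N", "Partial": "P", "Complete": "C"},
    "I": {"None": "N", "Partial": "P", "Complete": "C"},
    "A": {"None": "N", "Partial": "P", "Complete": "C"},
}


def parse_vector(vector: str) -> Dict[str, str]:
    """Split 'AV:L/AC:H/Au:N/C:N/I:N/A:P' into its six metric values."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return dict(zip(METRICS, m.groups()))


def vector_from_words(access: str, complexity: str, authentication: str,
                      conf: str, integ: str, avail: str) -> str:
    """Build the vector string from the words in a listing's metric columns."""
    parts = []
    for key, word in zip(METRICS, (access, complexity, authentication, conf, integ, avail)):
        if word not in WORDS[key]:
            raise ValueError(f"unknown {key} value {word!r}")
        parts.append(f"{key}:{WORDS[key][word]}")
    return "/".join(parts)


def impact(c: float, i: float, a: float) -> float:
    return 10.41 * (1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a))


def exploitability(av: float, ac: float, au: float) -> float:
    return 20.0 * av * ac * au


def base_score(vector: str) -> float:
    """BaseScore = ((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact),
    rounded to one decimal as the v2 guide specifies."""
    v = parse_vector(vector)
    w = {k: WEIGHTS[k][v[k]] for k in METRICS}
    imp = impact(w["C"], w["I"], w["A"])
    if imp == 0.0:
        return 0.0            # f(Impact) = 0 when Impact = 0: no impact, no score
    expl = exploitability(w["AV"], w["AC"], w["Au"])
    return round(((0.6 * imp) + (0.4 * expl) - 1.5) * 1.176, 1)   # f(Impact) = 1.176


if __name__ == "__main__":
    # The table row's metric columns versus the vector that reproduces its 1.2 score.
    as_listed = vector_from_words("Remote", "High", "Not Required", "None", "None", "None")
    print(as_listed, "->", base_score(as_listed))                                      # 0.0
    print("AV:L/AC:H/Au:N/C:N/I:N/A:P ->", base_score("AV:L/AC:H/Au:N/C:N/I:N/A:P"))  # 1.2
    print("AV:N/AC:L/Au:N/C:C/I:C/A:C ->", base_score("AV:N/AC:L/Au:N/C:C/I:C/A:C"))  # 10.0
```

Run on the table row's metric columns (Remote / High / Not Required / None / None / None) the formula returns 0.0, because all three impacts being None makes Impact = 0 and hence f(Impact) = 0. The 1.2 in the Score column is reproduced by AV:L/AC:H/Au:N/C:N/I:N/A:P, the vector that matches the description (local users, denial of service, i.e. availability impact Partial). When a listed score and its metric columns disagree like this, recompute from the vector and trust the arithmetic, not the columns.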

Page 31: [Figure only; no text recoverable from the transcript]

Page 32: [Figure only; no text recoverable from the transcript]

Page 33: Conclusions

• Firm modeling process established
• Experimental measurement process set up
• Tools ready and easy to use
• Potential Case Studies:
  o CAN (Controller Area Network)
  o Industrial Control Systems: SCADA
  o Wireless Sensor Networks: Zigbee
  o RFID/NFC
  o Time-Triggered Systems

Page 34: Comments/Questions