

Une école de l'IMT



Harmonizing Safety, Security and Performance Requirements in Embedded Systems

<u>Prof Ludovic APVRILLE</u>, Dr Letitia LI ludovic.apvrille@telecom-paristech.fr letitia.li@baesystems.com

**DATE**'2019

Case study



### Context: Security for Embedded Systems Embedded systems

SysML-Sec Method SysML-Sec

Case study Case Study

#### Conclusion

Conclusion, future work and references



# **Examples of Threats**

## Transport systems

- Use of exploits in Flight Management System (FMS) to control ADS-B/ACARS [Teso 2013]
- Remote control of a car through Wifi [Miller 2015] [Tencent 2017]

## Medical appliances

Infusion pump vulnerability, April 2015 http://www.scip.ch/en/?vuldb.75158



(C) Wired - ABC News



(C) Hospira





## Examples of Threats (Cont.)

### Internet of Things

- Proof of concept of attack on IZON camera [Stanislav 2013]
  - Vulnerability on fitbit [Apvrille 2015]



Hacking a professional drone [Rodday 2016]

#### XBee - Man-in-the-Middle Attack



N. Rodday, BlackHat Asia'2016



0000

# **Vulnerability Identification**







March 2019



# **Vulnerability Identification (Cont.)**

## Investigations

- ► Testing ports (JTAG interface, UART, ...)
- Firmware analysis
- Memory dump
- Side-channel analysis (e.g. power consumption, electromagnetic waves)
- Fault injection
- **.**..

## Secure your systems!

Develop your system with security in mind from the very beginning

Our solution: SysML-Sec, supported by TTool





#### Main idea

► Holistic approach: bring together embedded system experts, system architects, system designers and security experts (with SysML)

#### Common issues (addressed by SysML-Sec):

- Adverse effects due to security on safety/real-time/performance properties
  - Commonly: only the design of security mechanisms
- Hardware/Software partitioning and Design Space **Exploration** 
  - Commonly: no support for security





**Fully supported by TTool** 



Conclusion



## Before mapping

 Security mechanisms can be captured but not verified



#### After mapping

- Verify security (confidentiality, authenticity) according to attacker capabilities
  - Whether different HW elements are or are not on the same die
  - Where cryptographic materials (keys) are stored
  - Where encrypt/decrypt operations are performed
- Impact of security mechanisms on performance and safety
  - e.g. increased latency when adding security mechanisms











## Safety/Security/Performance



SysML-Sec





11/31 March 2019



## Safety, Security and Perf. Mechanisms

## Safety

- Fail-safe mode
- Redundancy
- Resistance to external phenomenon
- System monitoring, event logging and watchdogs
- Plausibility check
- Anomaly detection
- RTOS (determinism)

12/31

### Security

- ▶ TPMs
- Cryptography
- Security protocols
- Firewalls
- Intrusion detection Systems
- Secure boot

#### Performance

- Faster hardware
- Less complex versions of algorithms
- Move software functions to hardware

















SysML-Sec

# Safety and Security Mechanisms (Cont.)











# SysML-Sec: SW Design



- Precise model of security mechanisms (security protocols)
- Proof of security properties: confidentiality, authenticity
- Channels between software blocks can be defined as private or public
  - This should be defined according to the hardware support defined during the partitioning phase



17/31

March 2019



#### Cyber security of connected vehicles

- Safety/Security/Performance
- EVITA FP7 Partners: Continental, BMW, Bosch, ...
- VEDECOM

#### H2020 AQUAS

- Automated train sub-systems (ClearSy): Safety/Security/Performance
- ► Industrial Drives (Siemens): Safety/Security/Performance

#### Nokia

Digital architectures for 5G networks (Safety/Performance)



## **Case Study: VEDECOM Autonomous Vehicle**



Verification



Tests







- ► Standard: ISO26262
  - ► SOTIF: Safety Of The Intended Function
- Security: impact of potential attacks on safety



# Requirements













SysML-Sec







# **Safety Verification (Before Mapping)**

#### Reachability/Liveness



#### **Queries**

Safety Pragma A[] Supervisor.running Perception.distance<threshold --> Supervisor.brakingOrder



# Architecture and Mapping Views









# Safety Verification (After Mapping)

# Reachability Graph iPerceptionCPU 0 Design sec Perception sel Des i(PerceptionCPU\_0\_Design i/PerceptionCPU 0 Design sec Per i/CameraCPU\_0\_Designate/cubs i(PerceptionCPU\_0\_Design\_sec\_Perception\_rd\_Design\_sec\_CamData<1>) iPerceptionCPU 0 Design sqg-\_R I/CameraCPU 0 Design sec Camera wr Design sec CamData<1>) itCameraCPU\_0\_Design\_procus itPerceptionCPU\_0\_Design\_sqc\_al













SysML-Sec

## **Performance Verification**





SysML-Sec

## SW Design, Code generation, Test

- First SW model from mapping models
- SW model refinement
- SW model verification (safety, security)
- Code generation
  - (Virtual) Prototyping, test







#### Conclusion and Future Work

### Achievements: SysML-Sec

- Methodology for designing safe and secure embedded systems
- Fully supported by TTool
- Applied to different domains, e.g., automotive systems, IoTs. malware

#### Future work

- Security risk assessment and backtracing
- Assistance in handling conflicts between security/safety/performance
  - Design space exploration





#### For more information ...

#### Web sites

- https://sysml-sec.telecom-paristech.fr
- https://ttool.telecom-paristech.fr



#### References

- Ludovic Apvrille, Yves Roudier, "SysML-Sec: A SysML Environment for the Design and Development of Secure Embedded Systems", Proceedings of the INCOSE/APCOSEC 2013 Conference on system engineering, Yokohama, Japan, September 8-11, 2013.
- Ludovic Apvrille, Yves Roudier, "Designing Safe and Secure Embedded and Cyber-Physical Systems with SysML-Sec", Chapter in Model-Driven Engineering and Software Development, p293-308, Springer International Publishing, 2015



31/31 March 2019