



Une école de l'IMT

Model-Driven Engineering for Safety,

**Security and Performance:** 

SysML-Sec

Ludovic APVRILLE

ludovic.apvrille@telecom-paristech.fr



Seminar - City University









### **Telecom ParisTech**



### **Telecom ParisTech**







# Context: Security for Embedded Systems Embedded systems

#### SysML-Sec

Method SysML-Sec

#### Case study

Case Study

#### Demo

5/39

Demo

#### Conclusion

Conclusion, future work and references



### Transport systems

- Use of exploits in Flight Management System (FMS) to control ADS-B/ACARS [Teso 2013]
- Remote control of a car through Wifi [Miller 2015] [Tecent 2017]

### Medical appliances

Infusion pump vulnerability, April 2015 http://www.scip.ch/en/?vuldb.75158



(C) Wired - ABC News



(C) Hospira

SysML-Sec





## Examples of Threats (Cont.)

#### Internet of Things

- Proof of concept of attack on IZON camera [Stanislav 2013]
  - Vulnerability on fitbit [Apvrille 2015]



Hacking a professional drone [Rodday 2016]

#### XBee - Man-in-the-Middle Attack



N. Rodday, BlackHat Asia'2016





## Finding Vulnerabilities on IoTs



What's inside? Let's look together!









Don't try this at home!







Again: don't try this at home!





June. 2018







11/39

June. 2018



June. 2018

12/39

### **Fitbit: Hardware Components**













June. 2018



## Then, How to Identify Vulnerabilities?

#### Investigations

- ► Testing ports (JTAG interface, UART, ...)
- Firmware analysis
- Memory dump
- Side-channel analysis (e.g. power consumption, electromagnetic waves)
- Fault injection
- **•** . . .

#### Secure your systems!

Develop your system with security in mind from the very beginning

Our solution: SysML-Sec, supported by TTool





## **Designing Safe and Secure Embedded** Systems: SysML-Sec

#### Main idea

▶ Holistic approach: bring together experts in embedded systems, system architects, system designers and security experts (with SysML)

### Common issues (addressed by SysML-Sec):

- Adverse effects of security over safety/real-time/performance properties
  - Commonly: only the design of security mechanisms
- Hardware/Software partitioning
  - Commonly: no support for this in tools/approaches in MDE and security approaches



15/39

June. 2018





SysML-Sec

## **Partitioning**

### Before mapping

Security mechanisms can be captured but not verified



### After mapping

- Verify security (confidentiality, authenticity) according to attacker capabilities
  - Whether different HW elements are or not on the same die
  - Where are stored the cryptographic materials (keys)
  - Where are performed encrypt/decrypt operations
- Impact of security mechanisms on performance and safety
  - e.g. increased latency when inserting security mechanisms





## **Partitioning Verification**



## **Safety and Security Mechanisms**





## Safety and Security Mechanisms (Cont.)





## Safety and Security Mechanisms (Cont.)







## **Safety and Security Mechanisms**





## Safety/Security/Performance







## SysML-Sec: SW Design



- Precise model of security mechanisms (security protocols)
- Proof of security properties: confidentiality, authenticity
- Channels between software blocks can be defined as private or public
  - This should be defined according to the hardware support defined during the partitioning phase





### Cyber security of connected vehicles

- Safety/Security/Performance
- EVITA FP7 Partners: Continental, BMW, Bosch, ...
- VEDECOM

#### H2020 AQUAS

- Automated train sub-systems (ClearSy): Safety/Security/Performance
- Industrial Drives (Siemens): Safety/Security/Performance

#### Nokia

June. 2018

25/39

Digital architectures for 5G networks (Safety/Performance)



## **Case Study: VEDECOM Autonomous Vehicle**



Verification



Tests





- ► Standard: ISO26262
  - ► SOTIF: Safety Of The Intended Function
- Security: impact of potential attacks on safety



## Requirements







SysML-Sec

### **Functional View**







## **Safety Verification (Before Mapping)**

#### Reachability/Liveness



#### **Queries**

Safety Pragma A[] Supervisor.running Perception.distance<threshold --> Supervisor.brakingOrder



## **Architecture and Mapping Views**







## Safety Verification (After Mapping)

## Reachability Graph iPerceptionCPU 0 Design sec Perception sel Des i(PerceptionCPU\_0\_Design iPerceptionCPU 0 Design sec Per i/CameraCPU\_0\_Designate/cubs ifPerceptionCPU\_0\_Design\_sec\_Percention\_rd\_Design\_sec\_CamData<1> iPerceptionCPU 0 Design sqq-\_R i(CameraCPU 0 Design sec Camera wr Design sec CamData<1>) itCameraCPU\_0\_Design\_procus itPerceptionCPU\_0\_Design\_sqc\_al







## **Security Verification**





### **Performance Verification**





## SW Design, Code generation, Test

- First SW model from mapping models
- SW model refinement
- SW model verification (safety, security)
- Code generation
  - (Virtual) Prototyping, test





### Demo: SmartCard

- Main functions of the system
- Safety of the system (before mapping, after mapping)
- Performance
- Model enhanced with Security
- Impact on performance





June. 2018



### Conclusion and Future Work

#### Achievements: SysML-Sec

- Methodology for designing safe and secure embedded systems
- Fully supported by TTool
- Applied to different domains, e.g., automotive systems, IoTs. malware

#### Future work

- Security risk assistance and backtracing
- Assistance to handle conflicts between security/safety/performance
  - Design space exploration





39/39

June. 2018

### To Go Further ...

#### Web sites

Context: Security for Embedded Systems

- https://sysml-sec.telecom-paristech.fr
- https://ttool.telecom-paristech.fr



#### References

- Ludovic Apvrille, Yves Roudier, "SysML-Sec: A SysML Environment for the Design and Development of Secure Embedded Systems", Proceedings of the INCOSE/APCOSEC 2013 Conference on system engineering, Yokohama, Japan, September 8-11, 2013.
- Ludovic Apvrille, Yves Roudier, "Designing Safe and Secure Embedded and Cyber-Physical Systems with SysML-Sec", Chapter in Model-Driven Engineering and Software Development, p293-308, Springer International Publishing, 2015

