

Une école de l'IMT

Model-Driven Engineering for Safety,

Security and Performance:

SysML-Sec

Ludovic APVRILLE ludovic.apvrille@telecom-paristech.fr



InS3PECT'2017

Case study and Demo

Conclusion



#### Context: Security for Embedded Systems Embedded systems

SysML-Sec Method SysML-Sec

Case study and Demo Case Study and Demo

#### Conclusion

Conclusion, future work and references



Case study and Demo

Conclusion

# **Examples of Threats**

#### Transport systems

- Use of exploits in Flight Management System (FMS) to control ADS-B/ACARS [Teso 2013]
- Remote control of a car through Wifi [Miller 2015] [Tecent 2017]

### Medical appliances

 Infusion pump vulnerability, April 2015. http://www.scip.ch/en/?vuldb.75158



(C) Wired - ABC News



(C) Hospira



Case study and Demo

Conclusion

# **Examples of Threats (Cont.)**

#### Internet of Things

- Proof of concept of attack on IZON camera [Stanislav 2013]
  - Vulnerability on fitbit [Apvrille 2015]



 Hacking a professional drone [Rodday 2016]



#### XBee – Man-in-the-Middle Attack



SysML-Sec

Case study and Demo

Conclusion

## Finding Vulnerabilities on IoTs



#### What's inside? Let's look together!

|      |           |                        |           | TELECOM           |   | ć |
|------|-----------|------------------------|-----------|-------------------|---|---|
| 5/29 | Dec. 2017 | Institut Mines-Telecom | SysML-Sec | ParlsTech<br>■密設計 | ė |   |

SysML-Sec

Case study and Demo

Conclusion





#### Don't try this at home!



SysML-Sec

Case study and Demo

Conclusion

## Inside a Fitbit (Cont.)



#### Again: don't try this at home!



SysML-Sec



SysML-Sec

Case study and Demo

Conclusion

## Inside a Fitbit (Cont.)





Case study and Demo

Conclusion

### Fitbit: Hardware Components





Case study and Demo

Conclusion

# Then, How to Identify Vulnerabilities?

#### Investigations

- JTAG interface
- Testing ports
- Firmware analysis
- Memory dump
- ► ...

#### You want to better resist this?

Develop your system with security in mind from the very beginning

Our solution: SysML-Sec, supported by TTool



# Designing Safe and Secure Embedded Systems: SysML-Sec

#### Main idea

 Holistic approach: bring together experts in embedded systems, system architects, system designers and security experts

#### Common issues (addressed by SysML-Sec):

- Adverse effects of security over safety/real-time/performance properties
  - Commonly: only the design of security mechanisms
- Hardware/Software partitioning
  - Commonly: no support for this in tools/approaches in MDE and security approaches



Case study and Demo

Conclusion

## SysML-Sec: Methodology



SysML-Sec

Case study and Demo

Conclusion

# Partitioning

### Before mapping

 Security mechanisms can be captured but not verified



## After mapping

- Impact of security mechanisms on performance and safety
  - e.g. increased latency when inserting security mechanisms
- Verify security (confidentiality, authenticity) according to possible attacks
  - Depends on the attacker capabilities
  - Whether different HW elements are or not on the same die
  - Where to store the cryptographic materials (keys)
  - Where to perform encrypt/decrypt operations



Case study and Demo

Conclusion

## **Attacker Model**





SysML-Sec

Case study and Demo

Conclusion

## **Partitioning Verification**





Dec. 2017

16/29

SysML-Sec

Case study and Demo

Conclusion

# Safety and Security Mechanisms





Case study and Demo

Conclusion

# Safety and Security Mechanisms





Case study and Demo

Conclusion

# Safety and Security Mechanisms





Case study and Demo

Conclusion

## **Partitioning Approach**





Case study and Demo

Conclusion

# SysML-Sec: SW Design



- Precise model of security mechanisms (security protocols)
- Proof of security properties : confidentiality, authenticity
- Channels between software blocks can be defined as private or public
  - This should be defined according to the hardware support defined during the partitioning phase



Case study and Demo

Conclusion

## **Case Study: Autonomous Vehicle**









Case study and Demo

Conclusion

## **Functional View**





Case study and Demo

Conclusion

## Safety Verification (Before Mapping)





Case study and Demo

Conclusion

## Architecture and Mapping Views





Case study and Demo

Conclusion

## Safety Verification (After Mapping)





Case study and Demo

Conclusion

# **Security Verification**

### **Dialog window**

| Generate ProVerif                                                                                                           | code in: /Users/lud                                                                                                | ovicapyrille/TTool/ | oroverif/                            |                                 |
|-----------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------|--------------------------------------|---------------------------------|
| Execute ProVerif a                                                                                                          |                                                                                                                    | rif/proverif        |                                      |                                 |
| Compute state rea                                                                                                           | achability: 🖲 all                                                                                                  | selecte             | ed                                   | 0                               |
| Allow message du                                                                                                            | plication in private cha                                                                                           | annels: 🖲 Yes       |                                      | 0                               |
| Generate type                                                                                                               | d Pi calculus                                                                                                      |                     |                                      |                                 |
| Limit on loop iter                                                                                                          | ations: 1                                                                                                          |                     |                                      |                                 |
|                                                                                                                             |                                                                                                                    |                     |                                      |                                 |
|                                                                                                                             |                                                                                                                    |                     |                                      |                                 |
|                                                                                                                             |                                                                                                                    |                     |                                      |                                 |
| V2X.percData2                                                                                                               |                                                                                                                    |                     |                                      |                                 |
| Satisfied Weak Au                                                                                                           |                                                                                                                    |                     |                                      |                                 |
| Satisfied Weak Au<br>PerceptionCalc1e                                                                                       | thenticity:<br>encrypt_percData1_perc                                                                              |                     |                                      |                                 |
| Satisfied Weak Au<br>PerceptionCalc1e<br>PerceptionCalc2e                                                                   | encrypt_percData1.perc<br>encrypt_percData2.perc                                                                   |                     |                                      |                                 |
| PerceptionCalc2e<br>Non Satisfied Auti<br>PerceptionCalc1.si                                                                | encrypt_percData1.perc<br>encrypt_percData2.perc<br>henticity:<br>ignalstate_writechanne                           | Data2 ==> Super     | rvisor.decrypt_p<br>rcStatus.percSta | ercData2_dumr<br>atus_chData == |
| Satisfied Weak Au<br>PerceptionCalc1e<br>PerceptionCalc2e<br>Non Satisfied Auti<br>PerceptionCalc1.si<br>PerceptionCalc2.si | encrypt_percData1.perc<br>encrypt_percData2.perc<br>henticity:<br>ignalstate_writechanne<br>ignalstate_writechanne | Data2 ==> Super     | rvisor.decrypt_p<br>rcStatus.percSta | ercData2_dumr<br>atus_chData == |
| Satisfied Weak Au<br>PerceptionCalc1e<br>PerceptionCalc2e<br>Non Satisfied Auti<br>PerceptionCalc1.si                       | encrypt_percData1.perc<br>encrypt_percData2.perc<br>henticity:<br>ignalstate_writechanne                           | Data2 ==> Super     | rvisor.decrypt_p<br>rcStatus.percSta | ercData2_dumr<br>atus_chData == |





Case study and Demo ○○○○○● Conclusion

## **Performance Verification**





Case study and Demo

Conclusion ●○

# **Conclusion and Future Work**

#### Achievements: SysML-Sec

- Methodology for designing safe and secure embedded systems
- Fully supported by TTool
- Applied to different domains, e.g., automotive systems, IoTs, malware

#### Future work

- Security risk assistance and backtracing
- Improve security provers
- Assistance to handle conflicts between security/safety/performance
  - Design space exploration



Case study and Demo

Conclusion ○●

# To Go Further ...

#### Web sites

- https://sysml-sec.telecom-paristech.fr
- https://ttool.telecom-paristech.fr

#### References

- Ludovic Apvrille, Yves Roudier, "SysML-Sec: A SysML Environment for the Design and Development of Secure Embedded Systems", Proceedings of the INCOSE/APCOSEC 2013 Conference on system engineering, Yokohama, Japan, September 8-11, 2013.
- Ludovic Apvrille, Yves Roudier, "Designing Safe and Secure Embedded and Cyber-Physical Systems with SysML-Sec", Chapter in Model-Driven Engineering and Software Development, p293–308, Springer International Publishing, 2015

