



Model-Driven Engineering for Safety,

**Security and Performance:** 

SysML-Sec

**Ludovic APVRILLE** 

ludovic.apvrille@telecom-paristech.fr



Invited talk - ISAE Supaero









### **Telecom ParisTech**

Institut Mines-Telecom





## **Telecom ParisTech**





Jul. 2018



### Research Work: Overview

## Modeling and Verification for Safe and Secure Embedded Systems Security Analysis of Embedded Systems

#### **Application domains**

IoT, Transports (automotive, drones), telecommunication systems (5G, Software-Defined Radio)

### Contracts&projects

Local (Labex, FUI, ...), national (Nokia lab, ...), international (H2020 "AQUAS", ...)





#### Research Work: Ph.D. Positions



- Definition of safe and secure functional strategies for autonomous vehicles using critical scenarios
- Model-based Joint analysis of Safety and Security



Case study



Context: Security for Embedded Systems

#### Context: Security for Embedded Systems Embedded systems

#### SysML-Sec

Method SysML-Sec

#### Case study

Case Study

#### Demo

7/43

Demo

#### Conclusion

Conclusion, future work and references





•00000000

## **Examples of Threats**

### Transport systems

Context: Security for Embedded Systems

- Use of exploits in Flight Management System (FMS) to control ADS-B/ACARS [Teso 2013]
- Remote control of a car through Wifi [Miller 2015] [Tecent 2017]

## Medical appliances

Infusion pump vulnerability, April 2015 http://www.scip.ch/en/?vuldb.75158



(C) Wired - ABC News



(C) Hospira



00000000

## **Examples of Threats (Cont.)**

#### Internet of Things

Context: Security for Embedded Systems

- Proof of concept of attack on IZON camera [Stanislav 2013]
  - Vulnerability on fitbit [Apvrille 2015]



Hacking a professional drone [Rodday 2016]

#### XBee - Man-in-the-Middle Attack



N. Rodday, BlackHat Asia'2016







What's inside? Let's look together!











Don't try this at home!



000000000





Again: don't try this at home!





000000000









000000000

## **Fitbit: Hardware Components**







## **Firmware Dumping**







Case study

## Then, How to Identify Vulnerabilities?

#### Investigations

Context: Security for Embedded Systems

- Testing ports (JTAG interface, UART, ...)
- Firmware analysis
- Memory dump
- Side-channel analysis (e.g. power consumption, electromagnetic waves)
- Fault injection

#### Secure your systems!

Develop your system with security in mind from the very beginning

Our solution: SysML-Sec, supported by TTool



## Goal: Designing Safe and Secure Embedded **Systems**











- ► Model-Driven Engineering tool
- ▶ Free and Open-Source
  - Plug-in can be used to insert private/commercial features
- Easy to use
- Focus on safety, security and performance
- Formal verification at the push of a button





### Common issues (addressed by SysML-Sec):

- Adverse effects of security over safety/real-time/performance properties
  - Commonly: only the design of security mechanisms
- Hardware/Software partitioning
  - Commonly: no support for this in tools/approaches in MDE and security approaches











### Before mapping

Security mechanisms can be captured but not verified



### After mapping

- Verify security (confidentiality, authenticity) according to attacker capabilities
  - Whether different HW elements are or not on the same die
  - Where are stored the cryptographic materials (keys)
  - Where are performed encrypt/decrypt operations
- Impact of security mechanisms on performance and safety
  - e.g. increased latency when inserting security mechanisms

SysML-Sec



## **Partitioning Verification**





## **Safety and Security Mechanisms**





## Safety and Security Mechanisms (Cont.)





## Safety and Security Mechanisms (Cont.)





## **Safety and Security Mechanisms**











# SysML-Sec: SW Design





- Precise model of security mechanisms (security protocols)
- Proof of security properties: confidentiality, authenticity
- Channels between software blocks can be defined as private or public
  - This should be defined according to the hardware support defined during the partitioning phase





Jul. 2018

Case study

•00000000000

### Case Studies

### Cyber security of connected vehicles

- Safety/Security/Performance
- EVITA FP7 Partners: Continental, BMW, Bosch, ...
- VEDECOM

Context: Security for Embedded Systems

#### H2020 AQUAS

- Automated train sub-systems (ClearSy): Safety/Security/Performance
- Industrial Drives (Siemens): Safety/Security/Performance

#### Nokia

Digital architectures for 5G networks (Safety/Performance)



## **Case Study: VEDECOM Autonomous Vehicle**



Verification



Tests



Context: Security for Embedded Systems

- Standard: ISO26262
  - SOTIF: Safety Of The Intended Function
- Security: impact of potential attacks on safety



Case study

0000000000

## Requirements









## **Functional View**







## **Safety Verification (Before Mapping)**

#### Reachability/Liveness



#### **Queries**

Safety Pragma A[] Supervisor.running Perception.distance<threshold --> Supervisor.brakingOrder

SysML-Sec



## **Architecture and Mapping Views**





Jul. 2018



## Safety Verification (After Mapping)

## Reachability Graph iPerceptionCPU 0 Design sec Perception sel Des i(PerceptionCPU\_0\_Design i/PerceptionCPU 0 Design sec Per i/CameraCPU\_0\_Designate/cubs ifPerceptionCPU\_0\_Design\_sec\_Percention\_rd\_Design\_sec\_CamData<1> iPerceptionCPU 0 Design sqg-\_R i(CameraCPU 0 Design sec Camera wr Design sec CamData<1>) itCameraCPU\_0\_Design\_procus itPerceptionCPU\_0\_Design\_sqc\_al











## Backtracing 6 + calcMark = 500 : Natural: + calcMark = 500 : Natural: + calcTraj = 500 : Natural; + calcConfidenceLevel = 500 : Natural; + calcRegulation = 500 : Natural; + calcinfrastruct = 500 : Natural: + calcinfrastruct = 500 : Natural; percharus percStatus2 + calcTraj = 500 : Natural; + calcRegulation = 500 : Natural;

## **Performance Verification**





# SW Design, Code generation, Test

- First SW model from mapping models
- SW model refinement
- SW model verification (safety, security)
- Code generation

Context: Security for Embedded Systems

(Virtual) Prototyping, test





Context: Security for Embedded Systems

### Demo: SmartCard

- Main functions of the system
- Safety of the system (before mapping, after mapping)
- Performance
- Model enhanced with Security
- Impact on performance





SysML-Sec

Jul. 2018



### Conclusion and Future Work

#### Achievements: SysML-Sec

- Methodology for designing safe and secure embedded systems
- Fully supported by TTool
- Applied to different domains, e.g., automotive systems, IoTs. malware

#### Future work

Context: Security for Embedded Systems

- Security risk assistance and backtracing
- Assistance to handle conflicts between security/safety/performance
  - Design space exploration





Context: Security for Embedded Systems

### To Go Further ...

#### Web sites

- https://sysml-sec.telecom-paristech.fr
- https://ttool.telecom-paristech.fr



#### References

- Ludovic Apvrille, Yves Roudier, "SysML-Sec: A SysML Environment for the Design and Development of Secure Embedded Systems", Proceedings of the INCOSE/APCOSEC 2013 Conference on system engineering, Yokohama, Japan, September 8-11, 2013.
- Ludovic Apvrille, Yves Roudier, "Designing Safe and Secure Embedded and Cyber-Physical Systems with SysML-Sec", Chapter in Model-Driven Engineering and Software Development, p293-308, Springer International Publishing, 2015

