

# Architecture and Protocol Verification and Attack Analysis

Ludovic Apvrille

Institut Telecom, Telecom ParisTech Iudovic.apvrille@telecom-paristech.fr

July, 1, 2010



## Outline

#### Introduction

Context Performance and attack analysis Our Toolkit: TTool

#### Performance analysis

DIPLODOCUS Case study: Active Brake

#### Attack analysis

TURTLE Case study: Needham-Schoreder

## Outlook

<ロ> (四) (四) (三) (三)

#### Introduction

Performance analysis Attack analysis Outlook Context Performance and attack analysis Our Toolkit: TTool



# Outline

#### Introduction

Context Performance and attack analysis Our Toolkit: TTool

Performance analysis

Attack analysis

Outlook

イロン 不同と 不同と 不同とう

Context Performance and attack analysis Our Toolkit: TTool

# **On-board Vehicle Systems**

## On-board vehicle system

- ECUs (Electronic Control Units) = set of hardware components
  - Execution elements (CPUs, HWAs)
  - Communication elements (e.g., busses)
  - Storage elements (e.g., RAM, flash)
  - I/O devices, including sensors / actuators
- Software components
  - Executed on CPUs

#### One of EVITA's goals:

Proving security properties on those systems



イロト イヨト イヨト



Context Performance and attack analysis Our Toolkit: TTool



# Proving Security Properties: Overall Methodology

## Methodology

- 1. Requirement identification
- 2. Architecture specification
- 3. Specification of security-related protocols
- 4. Verification of security properties on the overall system (Architecture + protocols)
  - Performance analysis
  - Attack analysis

## Objective of this demonstration

Focus on the last stage (verification)

A B A B A
 A
 B
 A
 A
 B
 A
 A
 B
 A
 A
 B
 A
 A
 B
 A
 A
 B
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A
 A

**Context** Performance and attack analysis Our Toolkit: TTool



Proving Security Properties: Overall Methodology (Cont'd)

## Performance evaluation

Impact of security mechanisms on system performance

## Attack analysis

#### Magnified view approach

 Proof of security properties on a subpart of the EVITA architecture (e.g., a given protocol).

## Global composition approach

- Reuse of proofs performed on sub-elements to validate requirements over the full system
- Next presentation

イロト イヨト イヨト

Introduction

Performance analysis Attack analysis Outlook Context Performance and attack analysis Our Toolkit: TTool



## lssues

## (1) Performance properties

- Impact of the EVITA security architecture on system performance?
  - Cryptographic algorithms and protocols
- Partitioning issue
  - Shall algorithms be software or hardware implemented? Distributed among ECUs or centralized in a given ECU

## (2) Security properties

- Security requirements have been previously identified
- Derive attacks from requirements and ...
- Prove that those attacks are not possible in the EVITA infrastucture

Context Performance and attack analysis Our Toolkit: TTool



# Modeling and Verification Approach

## Objective

- Performance evaluation, Attack analysis (magnified view approach)
- Consider inputs (e.g., EVITA deliverables)
- Make a model, using e.g. SysML and UML models
- Verify properties using simulation or formal verification techniques



イロン 不同と 不同と 不同とう

Context Performance and attack analysis Our Toolkit: TTool



# Modeling and Verification Approach (Cont'd)

| Analysis     | (1) Performance analysis | (2) Attack analysis      |
|--------------|--------------------------|--------------------------|
| Profile      | DIPLODOCUS               | TURTLE                   |
| Verification | Simulation               | Formal verification      |
| technique    |                          | (model-checking)         |
| Focus of the | Application complex-     | Protocol description and |
| model        | ity and architecture     | basic architecture ele-  |
|              | elements                 | ments. Attacks modeling  |
| Tools        | TTool (edition, simula-  | TTool, CADP, UPPAAL      |
|              | tor)                     |                          |

イロン 不同と 不同と 不同とう

Introduction

Performance analysis Attack analysis Outlook Context Performance and attack analysis Our Toolkit: TTool



# TTool: Main Features

- Open-source UML toolkit
- Meant to support UML2 profiles
  - 8 UML profiles are currently supported
    - e.g., TURTLE, DIPLODOCUS
- Mostly programmed in Java
  - Editor, interfaces with external tools
  - Simulators are programmed in C++ or SystemC
- Formal verification and simulation features
  - Hides formal verification and simulation complexity to modelers
  - Relies on external tools
  - Press-button approach

イロト イポト イヨト イヨト

Introduction

Performance analysis Attack analysis Outlook Context Performance and attack analysis Our Toolkit: TTool



## TTool: TURTLE and DIPLODOCUS



DIPLODOCUS Case study: Active Brake



# Outline

#### Introduction

## Performance analysis DIPLODOCUS Case study: Active Brake

Attack analysis

Outlook

イロト イヨト イヨト

DIPLODOCUS Case study: Active Brake



# **DIPLODOCUS** in a Nutshell



## DIPLODOCUS = UML Profile

- System-level Design Space Exploration
- Y-Methodology
- MARTE compliant

## Main features

- Data are abstracted
- Formal semantics
- Very fast simulation support
- Fully supported by an open-source toolkit
  - TTool

・ロト ・回ト ・ヨト ・ヨト

13 of 37

DIPLODOCUS Case study: Active Brake



# DIPLODOCUS: Methodology for Performance Evaluation



14 of 37

DIPLODOCUS Case study: Active Brake



# DIPLODOCUS: Methodology for Performance Evaluation (Cont'd)



DIPLODOCUS Case study: Active Brake



# Description of the Active Brake Use Case

- Message sent from one car to another car (car2car)
  - Immediate danger of collision
  - Instant brake manoeuvre
- Message received and checked at Communication Unit level
- Plausibility check at Chassis Safety Controller level
  - If braking is the best solution, a brake order is sent to the brake control unit
    - Power Train Controller is also informed (to decelerate, etc.).
  - Braking information might be forwarded to other neighbour cars

イロト イヨト イヨト イヨト

DIPLODOCUS Case study: Active Brake



# Application Modeling



Ludovic Apvrille

Architecture / Protocols / Attacsk

17 of 37

DIPLODOCUS Case study: Active Brake



# Architecture Modeling and Mapping



DIPLODOCUS Case study: Active Brake



## A Few Simulation Results

## CPUs and Hardware Accelerators

| CPU               | Load    | Contention delay |
|-------------------|---------|------------------|
| Load_Emulation    | 0.15711 | 29973            |
| CPU_CU            | 0.11244 | 0                |
| HSM_CU            | 0.11939 | 0                |
| CPU_BCU           | 0.00010 | 6806             |
| HSM_BCU           | 0.00004 | 0                |
| CPU_PTC           | 0.00018 | 0                |
| CPU_ChassisSensor | 0.00035 | 200000           |
| CPU_EnvSensor     | 0.01115 | 5818             |
| HSM_CSC           | 0.11827 | 0                |
|                   |         |                  |

DIPLODOCUS Case study: Active Brake



# A Few Simulation Results (Cont'd)

#### Buses

| Bus           | Load    |
|---------------|---------|
| BCU_local_Bus | 0.00017 |
| CSC_local_Bus | 0.56926 |
| PTC_local_Bus | 0.00026 |
| CU_local_Bus  | 0.55783 |
| CU_SOC_Bus    | 0.78811 |
| Main_CAN      | 0.71469 |
| CSC_SOC_bus   | 0.74216 |
|               |         |

<ロ> (四) (四) (三) (三)

TURTLE Case study: Needham-Schoreder



# Outline

Introduction

Performance analysis

Attack analysis TURTLE Case study: Needham-Schoreder

Outlook

イロト イヨト イヨト

TURTLE Case study: Needham-Schoreder



# TURTLE in a Nutshell

## TURTLE = UML Profile

- Targets temporally constrained embedded systems
- Three sub-profiles: analysis, design, deployment
- Formal verification (and simulation)
- ▶ TURTLE Design = class diagram + a set activity diagrams

## Main features

- Non deterministic operators
  - Choice, delays
- Fully supported by an open-source toolkit
  - TTool

・ロト ・同ト ・ヨト ・ヨト

TURTLE Case study: Needham-Schoreder



# TURTLE: Methodology for Attack Analysis



Ludovic Apvrille Architecture / Protocols / Attacsk 23 of 37

TURTLE Case study: Needham-Schoreder



## Model: Main Principles

## Modeled elements

- Hardware elements in ECUs
  - HSM
  - Communication networks
- Software elements
  - Protocol stack at involved ECUs

## Proving security properties

- Observer technique
- Model-checking is used to search for a given action

<ロ> (四) (四) (三) (三) (三)

TURTLE Case study: Needham-Schoreder



# Description of the Case Study

## Why this case study (not directly related to EVITA)?

- Illustrate proofs of security requirements with TURTLE
- A small yet representative system
- Contains all interesting concepts:
  - Entities, network elements, crypto functions and protocols, attacks

## Description

- Alice and Bob, who want to exchange a confidential data
- Use the Needham-Schroeder protocol to setup a session key K, using a trusted server
- Then, Bob sends the data to Alice using K

TURTLE Case study: Needham-Schoreder



# The Needham-Schroeder Protocol

## Description

A represents Alice, B Bob, S the Server;  $R_X$  is a random number generated by X, and  $K_{XY}$  a key used by X and Y to cipher / decipher information with a symmetric encryption algorithm

1.  $A \rightarrow S : A, B, R_A$ 2.  $S \rightarrow A : \{R_A, B, K_{AB}, \{K_{AB}, A\}_{K_{BS}}\}_{K_{AS}}$ 3.  $A \rightarrow B : \{K_{AB}, A\}_{K_{BS}}$ 4.  $B \rightarrow A : \{R_B\}_{K_{AB}}$ 5.  $A \rightarrow B : \{R_R - 1\}_{K_{AB}}$ 

#### Requirement req1

The data sent by Bob to Alice shall be confidential.

(ロ) (同) (E) (E) (E)

TURTLE Case study: Needham-Schoreder



# Attacks on the Needham-Schroeder Protocol

- Several known attacks against Needham-Schroeder
- Considered attack: S. Gurgens et al., "Role based specification and security analysis of cryptographic protocols using asynchronous product automata", Database and Expert Systems Applications, Sept. 2002.

(Cx denotes an attacker pretending to be an entity x):

1. 
$$A \to C_{S} : A, B, R_{A}$$
  
2.  $C_{B} \to S : B, A, R_{C}$   
3.  $S \to C_{B} : \{R_{C}, A, K_{BA}, \{K_{BA}, B\}_{K_{AS}}\}_{K_{BS}}$   
4.  $C_{A} \to B : \{R_{C}, A, K_{BA}, \{K_{BA}, B\}_{K_{AS}}\}_{K_{BS}}$   
5.  $B \to C_{A} : \{R_{B}\}_{R_{C}}$   
6.  $C_{A} \to B : \{R_{B} - 1\}_{R_{C}}$ 

From that attack, *req1* can be proved as non-satisfied.

イロト イポト イヨト イヨト

TURTLE Case study: Needham-Schoreder



# **Class Diagram**



TURTLE Case study: Needham-Schoreder



# Activity Diagram of Alice



TURTLE Case study: Needham-Schoreder



# Activity Diagram of Attacker



TURTLE Case study: Needham-Schoreder



# Formal Verification with CADP

## Verification approach

- Generate a Reachability Graph using CADP
- Minimize of the reachability graph
- Search for traces containing the attackOK and attackKO actions



TURTLE Case study: Needham-Schoreder



# Formal Verification with UPPAAL

## Verification approach

- Select actions of interest on the UML model
- Automatically invoke UPPAAL
- Search the accessibility and liveness of selected actions

## Network can be probed

Reachability of: Action state (attackKO) -> property is NOT satisfied

Reachability of: Action state (attackOK) -> property is satisfied

Reachability of: Action state (dataKO) -> property is NOT satisfied

Reachability of: Action state (dataOK) -> property is satisfied

Liveness of: Action state (attackKO) -> property is NOT satisfied

Liveness of: Action state (attackOK) -> property is NOT satisfied

Liveness of: Action state (dataKO) -> property is NOT satisfied

Liveness of: Action state (dataOK) -> property is NOT satisfied

TURTLE Case study: Needham-Schoreder



# Formal Verification with UPPAAL (Cont.)

#### Network cannot be probed

Reachability of: Action state (attackKO) -> property is NOT satisfied

Reachability of: Action state (attackOK) -> property is NOT satisfied

Reachability of: Action state (dataKO) -> property is NOT satisfied

Reachability of: Action state (dataOK) -> property is satisfied

Liveness of: Action state (attackKO) -> property is NOT satisfied

Liveness of: Action state (attackOK) -> property is NOT satisfied

Liveness of: Action state (dataKO) -> property is NOT satisfied

Liveness of: Action state (dataOK) -> property is satisfied

#### Network is always probed

Reachability of: Action state (attackKO) -> property is NOT satisfied

Reachability of: Action state (attackOK) -> property is satisfied

Reachability of: Action state (dataKO) -> property is NOT satisfied

Reachability of: Action state (dataOK) -> property is NOT satisfied

Liveness of: Action state (attackKO) -> property is NOT satisfied

Liveness of: Action state (attackOK) -> property is satisfied

Liveness of: Action state (dataKO) -> property is NOT satisfied

Liveness of: Action state (dataOK) -> property is NOT satisfied

Ludovic Apvrille

Architecture / Protocols / Attacsk

33 of 37





Introduction

Performance analysis

Attack analysis

Outlook

イロン イヨン イヨン イヨン



## Results

Fully integrated environment for the design and verification of embedded systems

- Based on UML / SysML, open-source toolkit (TTool)
- Formal proof can address
  - Safety and security properties
    - Proofs achieved on authenticity, confidentiality, freshness
  - Functional and non functional properties

## Recall on methodological stages

- Requirement capture (SysML, DIPLODOCUS)
  - Attack trees, definition and organization of requirements
- Performance analysis (DIPLODOCUS)
- Attack analysis, magnified view approach (TURTLE)



# A Few Industrial Case Studies with TTool

- MPEG coders and decoders (Texas Instruments)
- LTE (Freescale)
- Partitioning in vehicle embedded systems, formal proof of security properties (EVITA project)
- Many other systems!







⇒ >



## To Go Further ...



#### TTool

- ► Type *TTool UML* under google
- And click on the I am lucky button!

## DIPLODOCUS, TURTLE

- DIPLODOCUS UML
- TURTLE UML