
Optimizing System Architecture Cost and Security Countermeasures

  • Sahar Berro
  • Ludovic Apvrille
  • Guillaume Duc (corresponding author)

Conference paper. Part of the Lecture Notes in Computer Science book series (LNCS, volume 11720).

Abstract

The design of an embedded system is built on a trade-off between its performance and its cost. Nowadays, the security threats that target most embedded systems introduce a new factor into this trade-off: the security level of the system. System architects must therefore consider, during design, the different attacks that target the system, the possible countermeasures, and the cost of those countermeasures. In this article, we present a methodology that helps designers explore different countermeasures and evaluate their impact on both the cost of the architecture and the probability of success of an adversary. The methodology is based on extended and formalized Attack-Defense Trees that make it possible to assess the impact of countermeasures on system components and on attacks. We use propagation rules to characterize a main attack from its different steps, and we formalize the trade-off between security and cost as an optimization problem between attack probability and total architecture cost.
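The abstract describes two mechanisms: bottom-up propagation rules that derive the success probability of a main attack from its steps, and an optimization over countermeasure choices that trades attack probability against architecture cost. The following Python is an added illustration of how such an evaluation can be carried out; it is not the paper's own formalization. It assumes the standard attack-defense-tree semantics used by tools such as ADTool (AND = product of child probabilities, OR = 1 minus the product of child failure probabilities, independence between steps), a multiplicative countermeasure model in which a deployed countermeasure removes a fixed fraction of the probability of the node it protects, and a small constructed tree with invented step names, probabilities and costs. The exhaustive enumeration of countermeasure subsets is a hypothetical choice that scales only to small trees.

```python
"""Added example: evaluating an attack-defense tree and choosing countermeasures.

All node names, probabilities, costs and effectiveness values below are
constructed for illustration; they are not taken from the paper.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Countermeasure:
    name: str
    cost: float           # contribution to total architecture cost when deployed
    effectiveness: float  # fraction of the protected node's probability removed (0..1)


@dataclass
class AttackNode:
    name: str
    prob: float = 0.0                    # leaf success probability (unused on refined nodes)
    gate: Optional[str] = None           # "AND" / "OR" for refined nodes, None for leaves
    children: List["AttackNode"] = field(default_factory=list)
    defenses: List[Countermeasure] = field(default_factory=list)


def success_probability(node: AttackNode, deployed: FrozenSet[str]) -> float:
    """Propagation rule: bottom-up probability, then apply deployed countermeasures."""
    if node.gate is None:
        p = node.prob
    elif node.gate == "AND":              # every step must succeed
        p = 1.0
        for child in node.children:
            p *= success_probability(child, deployed)
    elif node.gate == "OR":               # any step suffices (noisy-OR under independence)
        q = 1.0
        for child in node.children:
            q *= 1.0 - success_probability(child, deployed)
        p = 1.0 - q
    else:
        raise ValueError(f"unknown gate {node.gate!r} on {node.name}")
    for d in node.defenses:               # a countermeasure scales down the node it protects
        if d.name in deployed:
            p *= 1.0 - d.effectiveness
    return p


def all_countermeasures(node: AttackNode) -> List[Countermeasure]:
    found = list(node.defenses)
    for child in node.children:
        found.extend(all_countermeasures(child))
    return found


def cheapest_countermeasure_set(root: AttackNode, max_prob: float):
    """Min total cost subject to root attack probability <= max_prob (None if infeasible)."""
    cms = all_countermeasures(root)
    best: Optional[Tuple[float, FrozenSet[str]]] = None
    for k in range(len(cms) + 1):
        for subset in combinations(cms, k):
            names = frozenset(c.name for c in subset)
            cost = sum(c.cost for c in subset)
            if success_probability(root, names) <= max_prob and (best is None or cost < best[0]):
                best = (cost, names)
    return best


def pareto_front(root: AttackNode) -> List[Tuple[float, float, FrozenSet[str]]]:
    """Non-dominated (cost, probability, countermeasure set) points, sorted by cost."""
    cms = all_countermeasures(root)
    points = []
    for k in range(len(cms) + 1):
        for subset in combinations(cms, k):
            names = frozenset(c.name for c in subset)
            points.append((sum(c.cost for c in subset), success_probability(root, names), names))
    points.sort(key=lambda t: (t[0], t[1]))
    front, best_prob = [], float("inf")
    for cost, prob, names in points:
        if prob < best_prob:              # strictly better than every cheaper option
            front.append((cost, prob, names))
            best_prob = prob
    return front


def build_example_tree() -> AttackNode:
    """Constructed tree: two alternative paths to one main attack, each an AND of two steps."""
    local = AttackNode("local path", gate="AND", children=[
        AttackNode("gain physical access", prob=0.5),
        AttackNode("send crafted messages", prob=0.8),
    ], defenses=[Countermeasure("message authentication", cost=30.0, effectiveness=0.9)])
    remote = AttackNode("remote path", gate="AND", children=[
        AttackNode("exploit remote service", prob=0.2,
                   defenses=[Countermeasure("secure boot", cost=20.0, effectiveness=0.7)]),
        AttackNode("reach internal network", prob=0.6,
                   defenses=[Countermeasure("gateway filtering", cost=15.0, effectiveness=0.8)]),
    ])
    return AttackNode("main attack", gate="OR", children=[local, remote])


if __name__ == "__main__":
    tree = build_example_tree()
    print("baseline attack probability:", success_probability(tree, frozenset()))
    print("cheapest set for p <= 0.1:", cheapest_countermeasure_set(tree, 0.1))
    for cost, prob, names in pareto_front(tree):
        print(f"cost={cost:6.1f}  p={prob:.4f}  {sorted(names)}")
```

The Pareto front is the object a designer actually inspects: each point is a countermeasure set that no cheaper set beats on attack probability, so the security/cost trade-off reduces to picking a point on that front rather than comparing every subset by hand.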

Keywords

Attack-Defense Tree; Security of embedded systems; Countermeasures

Notes

Acknowledgments

This work is supported by the research chair Connected Cars and Cyber Security (C3S) [6] founded by Nokia, Renault, Thales, Valeo, Wavestone, Fondation Mines-Télécom and Télécom Paris.

References

  1. A deep flaw in your car lets hackers shut down safety features. https://www.wired.com/story/car-hack-shut-down-safety-features/
  2.
  3.
  4. OMG Systems Modeling Language (OMG SysML), V1.0. Technical report, Object Management Group (2007). http://www.omg.org/spec/SysML/1.0/PDF
  5. A survey on the usability and practical applications of graphical security models. Comput. Sci. Rev. 26(C), 1–16 (2017). https://doi.org/10.1016/j.cosrev.2017.09.001
  6. Research chair Connected Cars and Cyber Security (C3S) (2019). https://www.telecom-paristech.fr/c3s
  7. Audinot, M., Pinchinat, S.: On the soundness of attack trees. In: Kordy, B., Ekstedt, M., Kim, D.S. (eds.) GraMSec 2016. LNCS, vol. 9987, pp. 25–38. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-46263-9_2
  8. Bistarelli, S., Dall'Aglio, M., Peretti, P.: Strategic games on defense trees. In: Dimitrakos, T., Martinelli, F., Ryan, P.Y.A., Schneider, S. (eds.) FAST 2006. LNCS, vol. 4691, pp. 1–15. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75227-1_1
  9. Edge, K., Dalton, G., Raines, R., Mills, R.: Using attack and protection trees to analyze threats and defenses to homeland security, pp. 1–7 (2006). https://doi.org/10.1109/MILCOM.2006.302512
  10. Fraile, M., Ford, M., Gadyatskaya, O., Kumar, R., Stoelinga, M., Trujillo-Rasua, R.: Using attack-defense trees to analyze threats and countermeasures in an ATM: a case study. In: Horkoff, J., Jeusfeld, M.A., Persson, A. (eds.) PoEM 2016. LNBIP, vol. 267, pp. 326–334. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-48393-1_24
  11. Garro, A., Tundis, A.: A model-based method for system reliability analysis (2012)
  12. Ji, X., Yu, H., Fan, G., Fu, W.: Attack-defense trees based cyber security analysis for CPSs. In: 2016 17th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD), pp. 693–698 (2016). https://doi.org/10.1109/SNPD.2016.7515980
  13. Jürgenson, A., Willemson, J.: Computing exact outcomes of multi-parameter attack trees. In: Meersman, R., Tari, Z. (eds.) OTM 2008. LNCS, vol. 5332, pp. 1036–1051. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88873-4_8
  14. Jürgenson, A., Willemson, J.: Serial model for attack tree computations. In: Lee, D., Hong, S. (eds.) ICISC 2009. LNCS, vol. 5984, pp. 118–128. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14423-3_9
  15. Kordy, B., Kordy, P., Mauw, S., Schweitzer, P.: ADTool: security analysis with attack–defense trees. In: Joshi, K., Siegle, M., Stoelinga, M., D'Argenio, P.R. (eds.) QEST 2013. LNCS, vol. 8054, pp. 173–176. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40196-1_15
  16. Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Foundations of attack–defense trees. In: Degano, P., Etalle, S., Guttman, J. (eds.) FAST 2010. LNCS, vol. 6561, pp. 80–95. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19751-2_6
  17. Kordy, B., Piètre-Cambacédès, L., Schweitzer, P.: DAG-based attack and defense modeling: Don't miss the forest for the attack trees. CoRR (2013)
  18. Kordy, B., Wideł, W.: On quantitative analysis of attack–defense trees with repeated labels. In: Bauer, L., Küsters, R. (eds.) POST 2018. LNCS, vol. 10804, pp. 325–346. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89722-6_14
  19. van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models. In: Proceedings of the 26th International Conference on Software Engineering, ICSE 2004, pp. 148–157. IEEE Computer Society, Washington, DC, USA (2004). http://dl.acm.org/citation.cfm?id=998675.999421
  20. Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006). https://doi.org/10.1007/11734727_17
  21. Saini, V., Duan, Q., Paruchuri, V.: Threat modeling using attack trees. J. Comput. Sci. Coll. 23(4), 124–131 (2008). http://dl.acm.org/citation.cfm?id=1352079.1352100
  22. Schneier, B.: Secrets & Lies: Digital Security in a Networked World, 1st edn. Wiley, New York (2000)
  23. Steiner, M., Liggesmeyer, P.: Qualitative and quantitative analysis of CFTs taking security causes into account. In: Koornneef, F., van Gulijk, C. (eds.) SAFECOMP 2015. LNCS, vol. 9338, pp. 109–120. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24249-1_10
  24. Zhou, S., Sun, Q., Jiao, J.: A safety modeling method based on SysML. In: 2014 10th International Conference on Reliability, Maintainability and Safety (ICRMS), pp. 1180–1185 (2014). https://doi.org/10.1109/ICRMS.2014.7107390

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. LTCI, Télécom Paris, Institut Polytechnique de Paris, Palaiseau, France
