Software distribution to target devices such as factory controllers, medical instruments, vehicles or airplanes is increasingly performed electronically over insecure networks. Such software often implements vital functionality, so the software distribution process can be highly critical from both the safety and the security perspective. In this paper, we introduce a novel software distribution system architecture built around a generic core component, such that the overall software transport from the supplier to the target device is an interaction of several instances of this core component communicating over insecure networks. The main advantage of this architecture is the reduction of development and certification costs: one component is developed and certified once, and the same component is instantiated at every hop of the distribution chain. The second contribution of this paper is the validation and verification of the proposed system. We use a mix of formal methods, more precisely the AVISPA tool, and the Common Criteria (CC) methodology to achieve high confidence in the security of the software distribution system at moderate cost.
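The abstract describes the architecture only at a high level, so the following is an added illustration, not code from the paper or from its authors: a Python model in which one generic component class is instantiated three times (supplier gateway, intermediate depot, target device) and every instance applies the same checks to a software package arriving over an attacker-controlled network. The concrete protocol is assumed for the example, not taken from the abstract: a package carries a monotonically increasing version number used as the replay guard, and end-to-end authenticity is provided by an HMAC under a constructed key that stands in for the supplier's digital signature (with a real signature, intermediate hops would hold only the public verification key). The names `CoreComponent`, `supplier_release`, `transport` and the device identifier `lru-42` are likewise invented for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional

# Constructed sample key (assumption, not from the paper). It stands in for the
# supplier's signing key; here every component holds the same verification key.
SUPPLIER_KEY = b"constructed-supplier-key-not-for-real-use"


@dataclass(frozen=True)
class Package:
    target_id: str   # device the software is meant for
    version: int     # monotonically increasing; used as the replay guard
    payload: bytes   # the software image itself
    tag: bytes       # end-to-end authenticity tag over the three fields above


def _authenticated_fields(target_id: str, version: int, payload: bytes) -> bytes:
    """Canonical encoding of everything that must not change in transit."""
    return json.dumps(
        {"target": target_id, "version": version,
         "sha256": hashlib.sha256(payload).hexdigest()},
        sort_keys=True,
    ).encode()


def supplier_release(target_id: str, version: int, payload: bytes,
                     key: bytes = SUPPLIER_KEY) -> Package:
    """The supplier authenticates a release once; no later hop re-signs it."""
    tag = hmac.new(key, _authenticated_fields(target_id, version, payload),
                   hashlib.sha256).digest()
    return Package(target_id, version, payload, tag)


class RejectedPackage(Exception):
    pass


class CoreComponent:
    """The single generic component: instantiated at the supplier gateway, at
    each intermediate distribution node and at the target device alike."""

    def __init__(self, name: str, verify_key: bytes = SUPPLIER_KEY):
        self.name = name
        self.verify_key = verify_key
        self.highest_seen: Dict[str, int] = {}   # per-target replay guard

    def accept(self, pkg: Package) -> Package:
        expected = hmac.new(
            self.verify_key,
            _authenticated_fields(pkg.target_id, pkg.version, pkg.payload),
            hashlib.sha256).digest()
        # Constant-time compare: a modified payload, version or target fails here.
        if not hmac.compare_digest(expected, pkg.tag):
            raise RejectedPackage(f"{self.name}: authenticity check failed")
        # Freshness: a replayed or downgraded package carries a version this
        # instance has already seen for the target.
        if pkg.version <= self.highest_seen.get(pkg.target_id, 0):
            raise RejectedPackage(
                f"{self.name}: stale version {pkg.version} for {pkg.target_id}")
        self.highest_seen[pkg.target_id] = pkg.version
        return pkg


Attacker = Optional[Callable[[Package], Package]]


def transport(chain: List[CoreComponent], pkg: Package,
              attacker: Attacker = None) -> str:
    """Push one package hop by hop. The attacker, if present, owns the network
    between hops (Dolev-Yao style) and may replace whatever is in transit."""
    for hop in chain:
        if attacker is not None:
            pkg = attacker(pkg)
        try:
            pkg = hop.accept(pkg)
        except RejectedPackage as exc:
            return f"rejected ({exc})"
    return "installed"


def demo() -> Dict[str, str]:
    """Constructed scenario: three instances of the core component in a row."""
    chain = [CoreComponent("supplier-gateway"),
             CoreComponent("depot"),
             CoreComponent("target-device")]
    v1 = supplier_release("lru-42", 1, b"firmware v1")
    return {
        "genuine v1": transport(chain, v1),
        "genuine v2": transport(chain, supplier_release("lru-42", 2, b"firmware v2")),
        # Integrity attack: payload swapped in transit, tag no longer matches.
        "tampered v3": transport(
            chain, supplier_release("lru-42", 3, b"firmware v3"),
            attacker=lambda p: replace(p, payload=b"backdoored image")),
        # Replay/downgrade attack: the old, genuinely authenticated v1 is resent.
        "replayed v1": transport(
            chain, supplier_release("lru-42", 4, b"firmware v4"),
            attacker=lambda _p: v1),
        "genuine v4": transport(chain, supplier_release("lru-42", 4, b"firmware v4")),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} -> {outcome}")
```

The point the model makes is the one the architecture relies on: because the first hop that sees a tampered or replayed package already rejects it, the checks need to be designed, implemented and certified once and then reused unchanged at every instance; this is also the kind of reachability property (can a non-genuine or stale package ever reach the target?) that a protocol model-checker such as AVISPA is used to answer over all attacker interleavings rather than over the handful of cases run here.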