SysML models and model transformation for security

The security flaws of embedded systems have become very valuable targets for cyber criminals. SysML-Sec has been introduced to address the security of these systems during their development stages. However, assessing resistance to attacks during these stages requires efficiently capturing the system's behavior and formally proving security properties from those behaviors. This paper thus proposes (i) novel SysML block and state machine diagrams enhanced to better capture security features, and (ii) a model-to-ProVerif transformation. ProVerif is a toolkit first released for the formal analysis of security protocols, but it can be used more generally to assess confidentiality and authenticity properties. This paper demonstrates the soundness of our approach using a complex asymmetric key distribution protocol.
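To make concrete what a ProVerif model for confidentiality and authenticity looks like, here is an added illustration in ProVerif's applied pi calculus; it is not the paper's own generated model nor its key distribution protocol. It uses a constructed toy protocol in which an initiator A picks a fresh session key, signs it together with both identities, encrypts the result under B's public key, and sends it over a public channel; the participant names (A, B), key and event names, and the protocol itself are assumptions made for this example.

```proverif
(* Constructed example: a minimal asymmetric key transport modelled in
   ProVerif, showing one secrecy query and one authenticity
   (correspondence) query. Not the paper's transformation output. *)
free c: channel.

type skey.   (* encryption private key *)
type pkey.   (* encryption public key *)
type sskey.  (* signing private key *)
type spkey.  (* signing public key *)
type host.

(* Public-key encryption: adec(aenc(m, pk(k)), k) = m *)
fun pk(skey): pkey.
fun aenc(bitstring, pkey): bitstring.
reduc forall m: bitstring, k: skey; adec(aenc(m, pk(k)), k) = m.

(* Digital signatures: checksign returns the signed message *)
fun spk(sskey): spkey.
fun sign(bitstring, sskey): bitstring.
reduc forall m: bitstring, k: sskey; checksign(sign(m, k), spk(k)) = m.

(* Honest participant identities (hypothetical names) *)
free A, B: host.

(* Events used by the authenticity correspondence *)
event beginA(host, host, bitstring).
event endB(host, host, bitstring).

(* Confidentiality: the attacker must not learn the session key k *)
query attacker(new k).

(* Authenticity: if B accepts key k as coming from A for B, then A
   actually started a session with that key for B *)
query x: host, y: host, k: bitstring;
  event(endB(x, y, k)) ==> event(beginA(x, y, k)).

let initiator(skA_s: sskey, pkB: pkey) =
    new k: bitstring;
    event beginA(A, B, k);
    out(c, aenc(sign((A, B, k), skA_s), pkB)).

let responder(skB: skey, pkA_s: spkey) =
    in(c, m: bitstring);
    let signed = adec(m, skB) in
    (* Pattern matching on the identities rejects mis-addressed keys *)
    let (=A, =B, k: bitstring) = checksign(signed, pkA_s) in
    event endB(A, B, k).

process
    new skA_s: sskey; new skB: skey;
    let pkA_s = spk(skA_s) in
    let pkB = pk(skB) in
    (* Public keys are published to the attacker *)
    out(c, pkA_s); out(c, pkB);
    ( (!initiator(skA_s, pkB)) | (!responder(skB, pkA_s)) )
```

Run with `proverif file.pv`. Both queries are expected to hold for this toy: the key travels only under B's encryption key, and B accepts it only under A's signature over the pair of identities. Note that the correspondence is deliberately non-injective (`event` rather than `inj-event`): the toy carries no nonce or freshness element, so a replay of A's single message would be accepted by B again, which is exactly the kind of property a SysML-level model must capture explicitly before translation if injective agreement is required.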
