Security Weaknesses Detection by Symbolic Analysis of Scenarios

Remotely communicating software-based systems are deeply embedded in modern industrial society, and securing their complex architectures is recognized as crucial. In particular, reinforcing their security through monitoring is a promising direction. However, monitoring schemes still face challenges, because the presence of untrusted components seems unavoidable, especially since such components may be placed in unsupervised areas, which makes them ideal targets for attackers. In this work, we propose a framework intended to support designers during system design. The approach relies mainly on Security Watchdogs whose role is to detect and signal suspicious activity. A model-based framework is introduced to ease the description of attacks on scenarios expressed as UML sequence diagrams. The scenarios, augmented with predefined attack patterns, are analyzed using model transformations and symbolic techniques. In this way, the effectiveness of the watchdogs is evaluated against attacks, and the results can be used to reinforce the overall security of the system. The applicability of the proposed method is shown by means of a Smart Grid case study.
