Research in automotive security and privacy continues as the leaves turn brown. This time we have two interesting research presentations from Chalmers to share. If you find them interesting, please do not hesitate to contact the authors for a deeper discussion.
Security Requirements and Classification of Security Mechanisms
Presented by Thomas Rosenstatter
Models to classify security in the automotive domain have been proposed by various researchers. First, a threat or attack tree analysis and risk assessment is performed, which results in security levels associated with the identified threats or attacks. These security levels are then used during design and development to indicate the required security demands.
The proposed security models for the automotive domain do not, however, provide methods to map these security levels to generic security requirements or to security mechanisms. We start from the point where a threat analysis is already in place and propose an appropriate representation of security levels together with a method to map them to generic security requirements, mechanisms and design rules. The basis for our proposed framework is a review of safety and security standards from other areas as well as of the security models suggested for the automotive domain. Classifying security demands is more complex than classifying safety demands: safety deals with random faults, whereas security has to deal with an attacker who intentionally wants to gain access to the vehicle network in order to alter its behaviour or to access private information. For this and other reasons, we propose to represent security as a vector describing the security demand for each security attribute, where each attribute is one element of this vector.
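To make the vector representation concrete, here is an added example (not code from the talk or its authors) of how per-threat security levels from a risk assessment can be folded into one demand vector per component and then mapped to generic mechanisms. The four attributes, the 0..3 level scale, the mapping table and the threat rows are all constructed assumptions for illustration; the aggregation rule (element-wise maximum over the threats hitting a component) and the dominance check are likewise this example's choices, not necessarily the authors' method.

```python
"""Security demand vector: added example, not from the talk or the paper.

Assumptions (all constructed for illustration): four security attributes,
integer levels 0..3 produced by the preceding risk assessment, and a
hypothetical table of generic mechanisms per attribute and level.
"""
from dataclasses import dataclass

ATTRIBUTES = ("confidentiality", "integrity", "availability", "authenticity")  # assumed set
MAX_LEVEL = 3  # assumed scale: 0 = no demand, 3 = highest demand


@dataclass(frozen=True)
class Threat:
    """One row of the threat-analysis output (constructed format)."""
    name: str
    component: str   # the affected element of the vehicle architecture
    attribute: str   # the security attribute the threat violates
    level: int       # security level assigned by the risk assessment


# Hypothetical mapping table: a demand of level n calls for the generic
# mechanisms of levels 1..n (cumulative). Entries are illustrative only.
MECHANISMS = {
    "confidentiality": {1: "access control on diagnostic and debug interfaces",
                        2: "encryption of in-vehicle traffic carrying the asset",
                        3: "hardware-protected key storage for the encryption keys"},
    "integrity":       {1: "plausibility checks on received signals",
                        2: "message authentication codes on bus messages",
                        3: "secure boot and runtime attestation of the sending ECU"},
    "availability":    {1: "rate limiting on the receiving interface",
                        2: "redundant communication path",
                        3: "fail-operational fallback mode"},
    "authenticity":    {1: "source address filtering at the gateway",
                        2: "authenticated session establishment",
                        3: "certificate-based ECU identities"},
}


def security_vector(threats, component):
    """Demand vector of a component: element-wise maximum over its threats."""
    vec = dict.fromkeys(ATTRIBUTES, 0)
    for t in threats:
        if t.component != component:
            continue
        if t.attribute not in ATTRIBUTES or not 0 <= t.level <= MAX_LEVEL:
            raise ValueError(f"threat {t.name!r}: unknown attribute or level out of range")
        vec[t.attribute] = max(vec[t.attribute], t.level)
    return vec


def mechanisms_for(vec):
    """Map every non-zero vector element to its cumulative list of generic mechanisms."""
    return {a: [MECHANISMS[a][n] for n in range(1, lvl + 1)]
            for a, lvl in vec.items() if lvl > 0}


def satisfies(provided, required):
    """True if a design's provided levels dominate the demanded vector in every element."""
    return all(provided.get(a, 0) >= required[a] for a in ATTRIBUTES)


# Constructed threat-analysis output for two components.
EXAMPLE_THREATS = [
    Threat("spoofed brake request on CAN", "gateway", "integrity", 3),
    Threat("eavesdropping on diagnostic session", "gateway", "confidentiality", 2),
    Threat("bus flooding", "gateway", "availability", 1),
    Threat("location data leak", "telematics", "confidentiality", 3),
]

if __name__ == "__main__":
    demand = security_vector(EXAMPLE_THREATS, "gateway")
    print("gateway demand vector:", demand)
    for attr, mechs in mechanisms_for(demand).items():
        print(f"  {attr}: {mechs}")
    design = {"confidentiality": 2, "integrity": 2, "availability": 1, "authenticity": 0}
    print("proposed design sufficient:", satisfies(design, demand))
```

The dominance check is the useful part in practice: a design that meets the maximum demanded level in every element is acceptable, while a single element below demand (integrity at level 2 against a level-3 demand above) flags the component for rework regardless of how strong the other elements are.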
Please contact Thomas Rosenstatter for more information.
Security Software and System Design
Presented by Katja Tuma
Architectural threat analysis is routinely performed in the automotive industry to analyse and strengthen system security. State-of-the-art techniques such as STRIDE aim at full coverage of threats but often suffer from the so-called threat explosion problem. Our experience with industrial partners shows frustration with the uncertainty and length of threat analysis methods, which is in line with the results of our recent empirical study.
In the talk, we presented research directions towards speeding up the discovery of threats with a large impact. Our approach is based on enriching the architectural model with security-relevant information, which permits informed decisions about model abstractions. The additional security-relevant information covers assets (security objectives and priorities, asset source and target elements), communication channels, domain properties (what is indisputably true about the system), domain assumptions (what is expected to be true about the system) and forward assumptions about mitigations (i.e. whether mitigations are possible on the transport or application layer, or whether architectural refactoring is needed). The enriched model is used during architecture abstraction, for which informal guidelines are given in the publication. Furthermore, we attempt to reduce the effort spent during the analysis itself. For instance, it may be useful to turn forward assumptions into domain properties (especially where a standard mitigation strategy applies) and to focus the analysis elsewhere in the architecture, gradually reducing the time it takes to analyse the entire system. We are currently working on validating our work in an industrial setting.
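As an added example (not code from the talk or the publication), the following sketch shows how an enriched model can drive such prioritisation: assets carry an objective, a priority and source/target elements; channels carry a forward assumption about mitigation or a domain property; and a small worklist function ranks channels by the highest-priority asset crossing them, skipping channels that a domain property already covers. Promoting a forward assumption with a standard mitigation into a domain property then removes that channel from the worklist, which is the effort-reduction step described above. The elements, assets, assumptions, the 1..3 priority scale and the list of what counts as a standard mitigation are all constructed assumptions.

```python
"""Enriched architectural model and analysis worklist: added example,
not from the talk or the publication. Every element, asset, assumption
and the STANDARD_MITIGATIONS table below is constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    objective: str    # security objective, e.g. "integrity" or "confidentiality"
    priority: int     # assumed scale: 1 (low) .. 3 (high)
    source: str       # element where the asset originates
    target: str       # element that consumes it


@dataclass
class Channel:
    source: str
    target: str
    # forward assumption about mitigation: "transport", "application", "refactor" or None
    forward_assumption: Optional[str] = None
    # something indisputably true about this channel (e.g. an already deployed control)
    domain_property: Optional[str] = None


@dataclass
class Model:
    channels: list
    assets: list
    # statements expected (but not verified) to be true about the system
    domain_assumptions: dict = field(default_factory=dict)


# Assumed: which forward assumptions correspond to a standard mitigation strategy
# and what domain property they become once the strategy is decided.
STANDARD_MITIGATIONS = {
    "transport": "channel carries authenticated and encrypted transport",
}


def path(model, src, dst):
    """Channels on a shortest directed path from src to dst (BFS); [] if unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for ch in model.channels:
            if ch.source == node and ch.target not in prev:
                prev[ch.target] = ch
                queue.append(ch.target)
    if dst not in prev:
        return []
    hops, node = [], dst
    while prev[node] is not None:
        hops.append(prev[node])
        node = prev[node].source
    return list(reversed(hops))


def assets_on(model, channel):
    """Assets whose source-to-target path crosses the given channel."""
    return [a for a in model.assets
            if any(c is channel for c in path(model, a.source, a.target))]


def promote_standard_mitigations(model):
    """Turn forward assumptions that name a standard mitigation into domain properties."""
    promoted = []
    for ch in model.channels:
        if ch.forward_assumption in STANDARD_MITIGATIONS and ch.domain_property is None:
            ch.domain_property = STANDARD_MITIGATIONS[ch.forward_assumption]
            ch.forward_assumption = None
            promoted.append(f"{ch.source}->{ch.target}")
    return promoted


def worklist(model):
    """Channels still needing analysis, ranked by the top priority of assets crossing them."""
    scored = []
    for ch in model.channels:
        if ch.domain_property is not None:
            continue  # covered by something indisputably true; analyse elsewhere first
        crossing = assets_on(model, ch)
        if crossing:
            scored.append((max(a.priority for a in crossing), f"{ch.source}->{ch.target}"))
    scored.sort(key=lambda item: -item[0])  # stable: ties keep model order
    return scored


def build_example_model():
    """Constructed four-element pipeline: sensor -> gateway -> telematics -> backend."""
    channels = [
        Channel("sensor", "gateway", forward_assumption="application"),
        Channel("gateway", "telematics", forward_assumption="transport"),
        Channel("telematics", "backend"),
    ]
    assets = [
        Asset("speed signal", "integrity", 2, "sensor", "telematics"),
        Asset("vehicle location", "confidentiality", 3, "gateway", "backend"),
    ]
    return Model(channels, assets,
                 {"backend": "operated inside the OEM's own perimeter (assumed, unverified)"})


if __name__ == "__main__":
    m = build_example_model()
    print("before promotion:", worklist(m))
    print("promoted:", promote_standard_mitigations(m))
    print("after promotion: ", worklist(m))
```

Note that the domain assumption on the backend deliberately stays out of the ranking: it is only expected to be true, so it should not remove anything from the worklist the way a domain property does.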
Please contact Katja Tuma for more information.