Threat Modeling for Security Assessment in Cyber-physical Systems


Threat Modeling for Security Assessment in Cyber-physical Systems
Janusz Zalewski, Florida Gulf Coast University
Steven Drager & William McKeever, Air Force Research Lab, Rome, NY
Andrew J. Kornecki, Embry-Riddle Aeronautical University
Presented by A.J. Kornecki at AGH, Krakow, June 25, 2013
Based on a paper: Zalewski, J., Drager, S., McKeever, W., Kornecki, A.J., "Threat Modeling for Security Assessment in Cyber-physical Systems", CSIIRW'2012, ACM 978-1-4503-1687-3/12/10, Oak Ridge, Tenn., USA, October 30 - November 1, 2012
Copyright A.J. Kornecki, 2013 page 1

Overview
o Introduction and Motivation
o How to Measure?
o Control and Cyber-physical Systems
o Threat Modeling
o Security Risk Assessment
o Experiments
o Conclusion

Why Threat Modeling?
o System designers must first determine what threats are feasible [and then what security policies make economic sense relative to the values of resources exposed to a threat]. Source: D. Kleidermacher, M. Kleidermacher, Embedded Systems Security, Newnes/Elsevier, Oxford, 2012
o In case of an imminent security breach, cyber-physical systems require either reconfiguration to reacquire the needed resources automatically or a graceful degradation if the resources are not available. Source: National Research Council, Committee for Advancing Software-Intensive Systems Producibility, Critical Code: Software Producibility for Defense, National Academies Press, 2010

Threat Trends
[Figure: attack sophistication plotted against year (1980, 1985, 1990, 1995, 2000, 2005, 2012), with the intruder knowledge required falling from high to low as attackers proliferate. Labelled trends, from earliest to latest: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, denial of service, network management diagnostics, www attacks, stealth/advanced scanning techniques, distributed attack tools, BOTS/zombies, morphing malicious code, STUXNET/Flame.]
Source: Lipson, H. F., Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, Special Report CMU/SEI-2002-SR-009, November 2002, page 10.
Threats become more complex as attackers proliferate.

Example: Modern Aircraft Threat Trends
[Figure, courtesy of the Volpe National Transportation Systems Center, June 2013]

Aircraft Data Network (ADN)
[Figure: the four ADN domains, ordered from closed to public. Source: ARINC 664, Aircraft Data Network, Part 5, Network Domain Characteristics and Interconnection]
o Aircraft Control (closed) - "control the airplane": Flight and Embedded Control Systems, AFDX, Engine, HUMS
o Airline Information Services (private) - "operate the airline": Cabin Core, EFB/Gatelink
o Passenger Information and Entertainment Services - "entertain the passengers": IFE (TBD)
o Passenger-Owned Devices (public) - "entertain the passengers"

Security Standards, Guidelines & Initiatives
o FAA/RTCA SC-216 (Aeronautical System Security) & EUROCAE WG-72 subcommittees:
  o DO-326: Airworthiness Security Process Specification
  o DO-XXX: Security Assurance and Assessment Methods for -Related Aircraft Systems
  o DO-YYY: Security Guidance for Instructions for Continuing Airworthiness (ICA)
  o FAA Advisory Circular (AC)
o ARINC Network Infrastructure and Security (NIS) Working Group:
  o Best Practices (Security Catalog)
  o ARINC 842: Guidance for Usage of Digital Certificates
o ICAO Twelfth ANC:
  o Working Paper 122: Cyber Security for Civil Aviation (November 2012)

Are We Preoccupied with Measurements?
o We are missing good (any) measures to characterize non-functional software properties related to trustworthiness (safety, security, dependability, etc.), as opposed, for example, to timing properties (responsiveness, timeliness, schedulability, predictability)
o But there are other means
o How to assess security before the system is put into operation?
  o Theoretical Assessment (analytical model)
  o Actual Experiments (measurements)
  o Simulation (numerical calculations)

A Side-bar: How to Measure?
o NOW: the definition of the metre (meter) is the length of the path travelled by light in vacuum during a time interval of 1/299 792 458 of a second
o EARLIER: King Henry I is believed to have decreed that a yard should be the distance from the King's nose to the end of his outstretched thumb
o For example:
  Property | Metric | Measure
  length   | meter  | device

Classical Views of a Control System
[Figure: two block diagrams, CONVENTIONAL and MODERN (cyber-physical)]

Cyber-physical System
Relationship between the computer/software system and its operational environment
[Figure: SOFTWARE SYSTEM coupled to its OPERATIONAL ENVIRONMENT through RELIABILITY, SAFETY and SECURITY]

Safety/Security Views of a Cyber-physical System
[Figure: the SAFETY view and the SECURITY view side by side]

Analytical Models to Describe System Behavior
o Continuous:
  o Differential Equations
o Discrete:
  o Finite State Machines
  o Finite Automata
  o Petri Nets
  o Bayesian Belief Networks
  o Queuing Theory
  o Rule-based Reasoning
  o Markov Chains ***

Example: Discrete-Time Markov Chains
o It is generally not possible to predict future states; however, the statistical properties of future states can be predicted
o The set of all states and the transition probabilities completely characterize the Markov chain
o A finite-state machine can be used as a graphical representation of a Markov chain
o How to develop state transition probabilities? Base them on a heuristic analysis of the chain
o More in: Kornecki, A., Stevenson, W., Zalewski, J., "Availability Assessment of Embedded Systems with Security Vulnerabilities", Proceedings of the 34th IEEE Software Engineering Workshop (SEW 2011), Limerick, Ireland, June 20-21, 2011

Case Study: Security Impact Assessment
o A simple case study of a Cooperative Adaptive Cruise Control (CACC)
o Identification of vulnerabilities in incoming messages (commission, omission, corruption, flooding)

Case Study: Markov Model
o A Markov model built with the Relex Reliability Studio* tool was used to assess the availability of the system with and without the security component
o CACC implemented as a discrete-time Markov model with three states and the transitions determined by failure rates or repair rates:
  o Operational State (Normal)
  o Degraded State (Flooding, Corruption, Introduction, Deletion)
  o Failed State
* http://www.relex.se/
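As an added example (not code from the presentation or the cited paper), a small Python model of the three-state chain described above: the transition probabilities are constructed values, the "security component" is modelled as a reduction of the Operational-to-Degraded probability, and availability is taken as the long-run probability of the Operational state.

```python
"""Three-state discrete-time Markov model of the CACC case study.

Added example: the transition probabilities below are constructed,
illustrative values, not the ones used in the authors' Relex model.
"""

STATES = ("Operational", "Degraded", "Failed")


def transition_matrix(p_attack_degrade, p_fail=0.01, p_repair=0.5,
                      p_degraded_fail=0.2, p_restore=0.4):
    """Row-stochastic matrix P[i][j] = Pr(next = j | now = i).

    Operational -> Degraded is driven by hostile incoming messages
    (flooding, corruption, introduction, deletion); the remaining
    transitions are failure and repair rates per time step.
    """
    p = [
        [1.0 - p_attack_degrade - p_fail, p_attack_degrade, p_fail],
        [p_repair, 1.0 - p_repair - p_degraded_fail, p_degraded_fail],
        [p_restore, 0.0, 1.0 - p_restore],
    ]
    for row in p:  # sanity check: each row is a probability distribution
        assert abs(sum(row) - 1.0) < 1e-12 and min(row) >= 0.0, row
    return p


def steady_state(p, tol=1e-12, max_iter=100_000):
    """Stationary distribution pi (pi = pi * P) by power iteration.

    Every state has a self-loop and all states communicate, so the
    chain is irreducible and aperiodic and the iteration converges.
    """
    n = len(p)
    pi = [1.0] + [0.0] * (n - 1)          # start in the Operational state
    for _ in range(max_iter):
        nxt = [sum(pi[i] * p[i][j] for i in range(n)) for j in range(n)]
        if max(abs(a - b) for a, b in zip(nxt, pi)) < tol:
            return nxt
        pi = nxt
    raise RuntimeError("power iteration did not converge")


def availability(p_attack_degrade):
    """Long-run fraction of time in the Operational state.

    Assumption (ours): only Operational counts as available; the
    Degraded state is treated as a loss of service.
    """
    pi = steady_state(transition_matrix(p_attack_degrade))
    return dict(zip(STATES, pi))["Operational"]


if __name__ == "__main__":
    # Without the security component 10% of steps admit a hostile
    # message; with it (constructed 90% filtering) only 1% do.
    for label, p_att in (("without security", 0.10), ("with security", 0.01)):
        print(f"{label:17s} availability = {availability(p_att):.4f}")
```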

Threats
Two aspects of handling potential threats in cyber-physical systems:
o Threat Modeling: a systematic exploration technique to expose any circumstance or event having the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service [IEEE 1074-2006] (1)
o Threat Assessment: process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat [CNSS-4009] (2)
1. IEEE Standard for Developing a Software Project Life Cycle Process, http://standards.ieee.org/findstds/standard/1074-2006.html
2. National Information Assurance (IA) Glossary, http://www.cnss.gov/assets/pdf/cnssi_4009.pdf

Threat Handling Process: a Sequence of Actions
1. Understand the Adversary's View
2. Create a Model: Data Flow Diagrams
3. Determine and Investigate the Threats:
   a) Use STRIDE to identify/define the threats
   b) Use Threat Trees to assess vulnerabilities
   c) Use DREAD to characterize risks
4. Mitigate the Threats
5. Validate the Mitigations

Understanding the Adversary's View
[Figure]

Identify and Define Threats: STRIDE
What is STRIDE? A way to identify and define threats:
o Spoofing - a situation in which an attacker successfully masquerades as a legitimate party
o Tampering - intentional modification of data by an attacker that would make it harmful to the user
o Repudiation - concerns authentication between users, so that they can be confident in the authenticity of the messages (but this cannot be provided to an attacker after the event)
o Information Disclosure - a situation in which user data is available to the attacker
o Denial of Service - making a resource unavailable to its intended users due to a malicious attack
o Elevation of Privilege - gaining access to resources that are normally protected from an attacker

Threat Tree Example
[Figure: a tree with a Root Threat at the top and leaf conditions below it, each marked either Mitigated Condition or Unmitigated Condition]

Characterize Risk: DREAD
What is DREAD? A way to characterize risk:
o Damage Potential - severity as related to equipment, resources, and environment
o Reproducibility - likelihood that an event can be reproduced
o Exploitability - likelihood that the system can be used unethically or for a malicious purpose
o Affected Users - severity as related to the human population
o Discoverability - likelihood that the data/information can be found (is discoverable)

How to Evaluate Security Risk?
o Risk is evaluated as a product of the severity of consequences and the likelihood of hazards
o Security risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of [CNSS-4009]:
  o the adverse impacts that would arise if the event occurs; and
  o the likelihood of occurrence
o We need a system for assessing the severity of computer system security vulnerabilities. Examples: STRIDE Threat Library, Common Weakness Enumeration (CWE), Common Vulnerabilities and Exposures (CVE), and

What is the Common Vulnerability Scoring System?
o CVSS is a system for assessing the severity of computer system security vulnerabilities (http://www.first.org/cvss/cvss-guide.pdf)
o CVSS defines three groups of metrics for assessing vulnerabilities: base, temporal and environmental (however, only the base group is mandatory)

CVSS Base Impact & Exploitability Metrics
o The base group consists of six metrics divided into two subcategories: impact and exploitability metrics (in lieu of severity)
o Metrics are evaluated on a three-level non-numerical scale mapped onto numeric values (1, 2, and 3)
  o Impact metrics: Confidentiality, Integrity, Availability - each None, Partial or Complete
  o Exploitability metrics: Access Vector (Local, Adjacent, Full), Access Complexity (High, Medium, Low), Authentication (Multiple, Single, None)

Proposed CVSS Base Scoring Formula
All six values are related with different weights by a formula, thus producing a unique number for the base metric:
o BaseScore6 = ((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)
o Impact = 10.41 * (1 - (1 - Conf.Impact) * (1 - Integ.Impact) * (1 - Avail.Impact))
o Exploitability = 20 * Access.Vector * Access.Complexity * Authentication
o f(Impact) = 0 if Impact is equal to 0, 1.176 otherwise

How Is the Threat Model Used?
o In Design: Code Review
o In Implementation: Penetration Testing
o *** In Security Assessment: Simulation
Example: mapping a cyber-physical system into the SDL threat modeling tool (CACC imitation)

Microsoft SDL Threat Modeling Tool
o Threat modeling is a core element of the Microsoft Security Development Lifecycle (hence SDL); the tool aims at the everyday user, making threat modeling easy
o The SDL Threat Modeling Tool enables any developer or software architect to:
  o Communicate about the security design of their systems
  o Analyze designs for security issues using a proven methodology
  o Suggest and manage mitigations for security issues

Example: Microsoft SDL screen-shot
[Figure: http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx]

Security Assessment via Simulation
o An actual example of a message exchange system over the CAN network has been set up
o The example includes two CAN nodes communicating with each other over the CAN bus, with additional Internet connectivity for both nodes
o The arrangement imitates part of the functionality of a larger CACC system
Example vulnerability record (CVE entry with its CVSS base metrics):
CVE ID        | Publish Date | Update Date | Score | Access | Complexity | Authentication | Confidentiality | Integrity | Availability
CVE-2011-4415 | 2008-07-01   | 2012-05-11  | 1.2   | Remote | High       | Not Required   | None            | None      | None
Description: The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory consumption or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, related to (1) the "len +=" statement and (2) the apr_pcalloc function call, a different vulnerability than CVE-2011-3607.


Conclusions
o Firm modeling process established
o Experimental measurement process set up
o Tools ready and easy to use
o Potential Case Studies:
  o CAN (Controller Area Network)
  o Industrial Control Systems: SCADA
  o Wireless Sensor Networks: Zigbee
  o RFID/NFC
  o Time-Triggered Systems

Comments/Questions