2018
DOI: 10.1007/978-3-319-93524-9_7

Formalising Systematic Security Evaluations Using Attack Trees for Automotive Applications

Abstract: Vehicles are insecure. To protect such systems, we must begin by identifying any weaknesses. One approach is to apply a systematic security evaluation to the system under test. In this paper we present a method for systematically generating tests based on attack trees. We formalise the attack trees as provably-equivalent process-algebraic processes, then automatically generate tests from the process-algebraic representation. Attack trees may include manual input, (and thus so will some test cases) but scriptab…

Cited by 18 publications
(24 citation statements)
References 16 publications
“…Future steps will include adapting to other types of networks including wireless and ethernet, and also mixed networks which include networks running under different protocols. We also plan to integrate the automated attack tree generation work presented here into work on model-based security test-case generation which currently assumes the existence of the attack tree such as [3].…”
Section: Discussion (mentioning)
confidence: 99%
“…Allied to this, attack trees are now gaining acceptance as a graphical way to define step-by-step particular attacks. Recent work confirms that an individual attack tree can be translated into a semantically equivalent CSP process [17]. This equivalence is based on an observation that a series-parallel (SP) graph represents a set of action sequences, each action corresponding to a traverse from a source node to a sink node of the graph.…”
Section: E Attack Models (mentioning)
confidence: 92%
“…For instance, specification models may represent intended functional behaviour, define security properties or describe potential threats. Indeed, attacker models (describing attacks from threats) can be modelled as CSP processes [17]. Next, using a refinement checker, the composite system model can be verified to determine if any insecure traces (message sequences) can occur.…”
Section: Approach (mentioning)
confidence: 99%
“…For example, attackers can compromise the repositories that host the software updates, as described by Kuppusamy et al. in [20]. Various testing methods (for example, [2], [3], [6]-[8], [11], [12], [15], [22], [29]) and testing environments (e.g., [10], [13], [32], [35], [36]) have been proposed for the security testing of automotive systems. These testbeds and techniques have been designed primarily for discovering security flaws in vehicular networks (e.g., CAN, MOST, LIN, etc.…”
Section: A Automotive Security Testing (mentioning)
confidence: 99%
“…An initial prototype of our test-case generation tool was first introduced in [6], which has been adapted for the current study. The alterations made to the software tool include some enhancements related to input and output.…”
Section: Test Case Generation (mentioning)
confidence: 99%