Integrated Safety and Security Analysis using Attack Model Mining for Self-Adaptive Systems
Final Report Abstract
The SafeSec project aims to enhance the modeling and analysis of combined safety and security in self-adaptive systems (SAS). Traditionally, safety and security in embedded systems have been studied separately, yet their increasing interconnection in IoT environments calls for a unified approach. SafeSec addresses this need by enabling semi-automated generation of combined safety and security models, which supports risk analysis and system adaptations based on security assessments. In this project, domain-specific languages (DSLs) for dataflow and component deployment models were developed to bridge the gap between fault trees (FTs), typically used for safety analysis, and attack trees (ATs), used for security analysis. Dataflow and deployment models are generated semi-automatically from a running system. Thus, we do not rely on the source code of a system or its dependencies; instead, we obtain this information from the running system by analyzing the dependencies it uses and the corresponding databases. For the extraction of the dataflow between components, we focus on the Robot Operating System (ROS) 2, a common framework for the development of cyber-physical systems. For the generation of ATs, we utilize CVE databases to find vulnerabilities in the components and libraries used. Simple ATs are combined into more complex attacks by exploiting Common Weakness Enumeration (CWE) entries and Common Attack Pattern Enumeration and Classification (CAPEC) patterns. Finally, all gathered information is integrated into an attack-fault tree (AFT) annotated with probabilities based on the Exploit Prediction Scoring System (EPSS). This tree (or a set of trees) can then be analyzed by a probabilistic model checker, resulting in an estimate of how likely the root hazard is to occur. This information (and especially its change over time) can be used to trigger adaptations in a SAS with the goal of avoiding risky situations. We implemented this approach and evaluated it with an expert group.
They rated the results as applicable in the real world and assessed the dataflow and deployment model as a relevant measure to bridge the gap between low-level security aspects and high-level safety models.
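The abstract describes folding CVE-derived attack trees into a fault tree, weighting the attack leaves with EPSS scores, and re-evaluating the root hazard over time to trigger adaptations. The following is an added example, not the SafeSec project's own code: it evaluates a small constructed AFT under the simplifying assumption of independent leaves (AND gate = product, OR gate = 1 - prod(1 - p)), then re-scores it after a constructed EPSS update and checks an adaptation trigger. The CVE ids, EPSS values, the lidar failure rate and the trigger thresholds are all placeholders; a probabilistic model checker, as used in the project, handles richer semantics than this static computation.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

@dataclass(frozen=True)
class Leaf:
    name: str    # basic fault event, or a vulnerability of a used component
    prob: float  # failure probability or EPSS score, both in [0, 1]

@dataclass(frozen=True)
class Gate:
    name: str
    kind: str    # "AND" or "OR"
    children: List["Node"]

Node = Union[Leaf, Gate]

def probability(node: Node) -> float:
    """P(node occurs) assuming independent leaves: AND multiplies, OR is 1 - prod(1 - p)."""
    if isinstance(node, Leaf):
        if not 0.0 <= node.prob <= 1.0:
            raise ValueError(f"{node.name}: probability out of range")
        return node.prob
    ps = [probability(c) for c in node.children]
    if node.kind == "AND":
        return math.prod(ps)
    if node.kind == "OR":
        return 1.0 - math.prod(1.0 - p for p in ps)
    raise ValueError(f"{node.name}: unknown gate kind {node.kind!r}")

def build_aft(epss: Dict[str, float]) -> Gate:
    """Root hazard 'collision' = lidar fault OR an attack needing both placeholder CVEs."""
    attack = Gate("tamper with navigation goal", "AND", [
        Leaf("CVE-PLACEHOLDER-A", epss["CVE-PLACEHOLDER-A"]),
        Leaf("CVE-PLACEHOLDER-B", epss["CVE-PLACEHOLDER-B"]),
    ])
    return Gate("collision", "OR", [Leaf("lidar failure", 0.01), attack])

def adaptation_needed(p_before: float, p_after: float,
                      limit: float = 0.05, growth: float = 2.0) -> bool:
    """Trigger if the hazard exceeds `limit` or grew `growth`-fold since the last check."""
    return p_after > limit or p_after > growth * p_before

EPSS_T0 = {"CVE-PLACEHOLDER-A": 0.30, "CVE-PLACEHOLDER-B": 0.10}  # constructed snapshot
EPSS_T1 = {**EPSS_T0, "CVE-PLACEHOLDER-A": 0.90}  # constructed: A re-scored upward later

def hazard_trend() -> Tuple[float, float, bool]:
    """Root-hazard probability at t0 and t1, and whether an adaptation should fire."""
    p0, p1 = probability(build_aft(EPSS_T0)), probability(build_aft(EPSS_T1))
    return p0, p1, adaptation_needed(p0, p1)
```

Calling `hazard_trend()` shows the collision probability rising from about 0.040 to about 0.099 once the first CVE is re-scored, which crosses the placeholder limit and would trigger an adaptation.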
Publications
- A taxonomy of attack mechanisms in the automotive domain. Computer Standards & Interfaces, 78, 103539.
  Pekaric, Irdin; Sauerwein, Clemens; Haselwanter, Stefan & Felderer, Michael
- VULNERLIZER: Cross-analysis Between Vulnerabilities and Software Libraries. Proceedings of the Annual Hawaii International Conference on System Sciences. Hawaii International Conference on System Sciences.
  Pekaric, Irdin; Felderer, Michael & Steinmüller, Philipp
- Towards model co-evolution across self-adaptation steps for combined safety and security analysis. Proceedings of the 17th Symposium on Software Engineering for Adaptive and Self-Managing Systems, 106-112. ACM.
  Witte, Thomas; Groner, Raffaela; Raschke, Alexander; Tichy, Matthias; Pekaric, Irdin & Felderer, Michael
- A systematic review on security and safety of self-adaptive systems. Journal of Systems and Software, 203, 111716.
  Pekaric, Irdin; Groner, Raffaela; Witte, Thomas; Adigun, Jubril Gbolahan; Raschke, Alexander; Felderer, Michael & Tichy, Matthias
- Model-Based Generation of Attack-Fault Trees. Lecture Notes in Computer Science, 107-120. Springer Nature Switzerland.
  Groner, Raffaela; Witte, Thomas; Raschke, Alexander; Hirn, Sophie; Pekaric, Irdin; Frick, Markus; Tichy, Matthias & Felderer, Michael
- Streamlining Attack Tree Generation: A Fragment-Based Approach. Proceedings of the Annual Hawaii International Conference on System Sciences. Hawaii International Conference on System Sciences.
  Pekaric, Irdin; Frick, Markus; Adigun, Jubril Gbolahan; Groner, Raffaela; Witte, Thomas; Raschke, Alexander; Felderer, Michael & Tichy, Matthias
