Visible to the public Multi-model run-time security analysis - October 2015Conflict Detection Enabled

Submitted by Jamie Presken on Thu, 09/17/2015 - 6:25am

Public Audience
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.

PI(s): Jurgen Pfeffer
Co-PI(s): David Garlan, Bradley Schmerl

1) HARD PROBLEM(S) ADDRESSED (with short descriptions)

  • Composability through multiple semantic models (here, architectural, organizational, and behavioral), which provide separation of concerns, while supporting synergistic benefits through integrated analyses.
  • Scalability to large complex distributed systems using architectural models.
  • Resilient architectures through the use of adaptive models that can be used at run-time to predict, detect and repair security attacks.
  • Predictive security metrics by adapting social network-based metrics to the problem of architecture-level anomaly detection.

2) PUBLICATIONS

Ivan Ruchkin, Ashwini Rao, Dio De Niz, Sagar Chaki and David Garlan. Eliminating Inter-Domain Vulnerabilities in Cyber-PhysicalSystems: An Analysis Contracts Approach. In Proceedings of the First ACM Workshop on Cyber-Physical Systems Security and Privacy, Denver, Colorado, 16 October 2015.To appear.

Thomas J. Glazier, Javier Camara, Bradley Schmerl and David Garlan. Analyzing Resilience Properties of Different Topologies of Collective Adaptive Systems. In Proceedings of the 3rd FoCAS Workshop on the Fundamentals of Collective Adaptive Systems, Boston, MA, USA, 21 September 2015.

3) KEY HIGHLIGHTS

Designing secure cyber-physical systems (CPS) is a particularly difficult task since security vulnerabilities stem not only from traditional cybersecurity concerns, but also physical ones as well. Many of the standard methods for CPS design make strong and unverified assumptions about the trustworthiness of physical devices, such as sensors. When these assumptions are violated, subtle inter-domain vulnerabilities are introduced into the system model. In this paper we propose to use formal specification of analysis contracts to expose security assumptions and guarantees of analyses from reliability, control, and sensor security domains. We showed that this specification allows us to determine where these assumptions are violated or ignore important failure modes that open the door to malicious attacks. We demonstrated how this approach can help discover and prevent vulnerabilities in a self-driving car example.

Modern software systems are often compositions of entities that increasingly use self-adaptive capabilities to improve their behavior to achieve systematic quality goals. Self-adaptive managers for each component system attempt to provide locally optimal results, but if they cooperated and potentially coordinated their efforts it might be possible to obtain more globally optimal results. The emergent properties that result from such composition and cooperation of self-adaptive systems are not well understood, difficult to reason about, and present a key challenge in the evolution of modern software systems. For example, the effects of coordination patterns and protocols on emergent properties such as the resiliency of the collectives need to be understood when designing these systems. In this paper we propose that probabilistic model checking of stochastic multiplayer games (SMG) provides a promising approach to analyze, understand, and reason about emergent properties in collectives of adaptive systems (CAS). Probabilistic Model Checking of SMGs is a technique particularly suited to analyzing emergent properties in CAS, since SMG models capture: (i) the uncertainty and variability intrinsic to the CAS and its execution environment in the form of probabilistic and nondeterministic choices, and (ii) the competitive/cooperative aspects of the interplay among the constituent systems of the CAS. Analysis of SMGs allows us to reason about things like the worst case scenarios, which constitutes a new contribution to understanding emergent properties in CAS. We investigate the use of SMGs to show how they can be useful in analyzing the impact of communication topology for collections of fully cooperative systems defending against an external attack.

Groups: