System-Security Co-design
Saurabh Amin and Janos Sztipanovits
Page 2
Functional Layers in FORCES
5/28/2014
[Figure: block diagram of the FORCES functional layers. Signals exchanged between the layers: security levels (DLM), control modalities, risk assessment, performance cost, (re)-config. cmd, op. settings, hypothesis sets, events, actuation commands, sensed data]
Page 3
System-Reliability Co-Design (Before FORCES)
Page 4
System-Security Co-Design
Interdependencies due to:
- Network induced risks: DDoS, deception attacks
- Wide use of COTS ICT components: correlated bugs and failure points
- Expect increased interdependencies
Observation: suboptimal incentives to invest in security due to
- Public good nature (Varian, 2002)
- Information deficiencies (Teneketzis)
- Property right deficiencies and high enforcement costs (Schwartz)
How to jointly model control and incentives in the co-design process?
Page 5
Whose Incentives Matter in Co-Design?
- Manufacturers
- Consumers / Users: average / regular users, system operators, specialists
- Hackers: users whose objectives differ from legitimate users' objectives
- Government(s)
Economic literature focuses on manufacturer and operator incentives, but does not consider constraints imposed by closed-loop control.
[Figure labels: ICT / SCADA vendors; ISPs / Network managers; Attackers / Malicious users]
Page 6
Interdependence for Network Control Systems (NCS)
Page 7
Game with Interdependent Security
Page 8
Individual optima (Nash eq.) and social optima => implications for reconfiguration and co-design?
[Figure: comparison for an open loop stable NCS and an open loop unstable NCS]
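The deck states the comparison between individual optima (Nash equilibrium) and the social optimum but does not print the game it analyses. The following is an added example, not the authors' model: a Kunreuther-Heal style interdependent security game for n symmetric players, each deciding whether to invest in security, where investment protects against direct compromise but not against contagion from uninvested neighbours. The payoff structure, the cost and probability values, and the reading that a successful attack costs more for an open loop unstable NCS (loss of the plant rather than degraded performance) are assumptions made for the illustration.

```python
"""Added example (not from the deck): a Kunreuther-Heal style interdependent security
game for n symmetric players, used to contrast the individual optimum (pure-strategy
Nash equilibrium) with the social optimum. Payoff structure and numbers are assumptions."""
from itertools import product


def loss_probability(i, profile, p, q):
    """P(player i is hit). profile[i] == 1 means i invested in security.
    Direct compromise with probability p unless i invested; in addition each
    other player that did not invest spreads a loss to i with probability q
    (investment protects against direct compromise only, not against contagion)."""
    own_safe = 1.0 - p * (1 - profile[i])
    contagion_safe = 1.0
    for j, s_j in enumerate(profile):
        if j != i:
            contagion_safe *= 1.0 - q * (1 - s_j)
    return 1.0 - own_safe * contagion_safe


def expected_cost(i, profile, c, loss, p, q):
    """Investment cost c (if invested) plus the expected loss of size `loss`."""
    return c * profile[i] + loss * loss_probability(i, profile, p, q)


def total_cost(profile, c, loss, p, q):
    return sum(expected_cost(i, profile, c, loss, p, q) for i in range(len(profile)))


def pure_nash_equilibria(n, c, loss, p, q):
    """Profiles from which no single player can strictly lower its own cost."""
    equilibria = []
    for profile in product((0, 1), repeat=n):
        stable = True
        for i in range(n):
            deviation = list(profile)
            deviation[i] = 1 - profile[i]
            if expected_cost(i, deviation, c, loss, p, q) < expected_cost(i, profile, c, loss, p, q) - 1e-12:
                stable = False
                break
        if stable:
            equilibria.append(profile)
    return equilibria


def social_optimum(n, c, loss, p, q):
    """Profile minimising the sum of all players' expected costs."""
    return min(product((0, 1), repeat=n), key=lambda prof: total_cost(prof, c, loss, p, q))


def compare(n, c, loss, p, q):
    nash = pure_nash_equilibria(n, c, loss, p, q)
    social = social_optimum(n, c, loss, p, q)
    return {
        "nash": nash,
        "nash_total_cost": [total_cost(e, c, loss, p, q) for e in nash],
        "social": social,
        "social_total_cost": total_cost(social, c, loss, p, q),
    }


if __name__ == "__main__":
    # Assumed numbers: investment cost 2.5, direct and contagion probabilities 0.2.
    # The loss from a successful attack is taken as larger for the open loop
    # unstable plant (30 vs 10): losing the control channel there means losing
    # the plant rather than degraded performance.
    for name, loss in (("open loop stable NCS", 10.0), ("open loop unstable NCS", 30.0)):
        print(name, compare(2, 2.5, loss, 0.2, 0.2))
```

With the assumed numbers the two cases separate cleanly: at loss 10 the only equilibrium is that nobody invests (each player free-rides, total cost 7.2) while the social optimum is that everybody invests (total cost 5.0); at loss 30 investing becomes individually rational and the equilibrium coincides with the social optimum. The gap between the two is the incentive problem the slide raises, and it is what a reconfiguration or co-design mechanism has to close when the operators of interdependent units will not close it on their own.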
Page 9
Reconfiguration is Essential for Resilient Control
[Figure: the functional-layer diagram from Page 2 (security levels (DLM), control modalities, risk assessment, performance cost, (re)-config. cmd, op. settings, hypothesis sets, events, actuation commands, sensed data)]
Page 10
Objectives of Reconfiguration
Change modes of operation of Detection and Regulation
- Diagnosis, Response and Reconfiguration form a supervisory control mechanism, as used in hierarchical control approaches (e.g. Pappas, Tabuada)
Re-synthesize the implementation architecture
- Provide an interface for changing the required security policies
- Provide models of the information flows that are required to be implemented
- Provide models of the security and performance characteristics of communication links and computing devices
- Provide a precise specification of the reconfiguration space
- Develop methods for remapping the information architecture onto the implementation architecture subject to functional, performance, timing and security constraints
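The first objective, changing the modes of operation of detection and regulation under a supervisory diagnosis/response/reconfiguration loop, is easiest to see on a small closed loop. The following is an added example and not FORCES code: a scalar open loop unstable plant under sensor feedback, a model-based residual detector, and a supervisor that switches the control modality from sensor feedback to estimator feedback once a sensor deception attack is diagnosed. The plant gains, the attack (a constant bias added to the measurement), and the detector thresholds are assumed values chosen for the example.

```python
"""Added example (not FORCES code): a supervisory reconfiguration loop
(diagnosis -> response -> reconfiguration) around a scalar networked control
loop under a sensor deception attack. Plant, gains, attack and thresholds are
assumed values chosen for the illustration."""

A, B, K = 1.2, 1.0, 0.7        # open loop unstable plant (|A| > 1); closed loop A - B*K = 0.5
ATTACK_START, BIAS = 20, 2.0   # deception attack: constant bias added to the sensor reading
THRESHOLD, PERSIST = 0.5, 2    # residual threshold and consecutive hits needed before an alarm


def simulate(steps=60, reconfigure=True, x0=1.0):
    """Runs the loop and returns the state trajectory, the alarm step (or None)
    and the control modality active at the end."""
    x, x_hat = x0, x0           # true state and model-based estimate (exact model, no noise)
    mode, alarm_step, hits = "sensor", None, 0
    trajectory = []
    for k in range(steps):
        y = x + (BIAS if k >= ATTACK_START else 0.0)   # measurement, biased once the attack starts
        residual = y - x_hat                             # diagnosis: sensor vs. model prediction
        hits = hits + 1 if abs(residual) > THRESHOLD else 0
        if reconfigure and mode == "sensor" and hits >= PERSIST:
            mode, alarm_step = "estimator", k            # response: switch the regulation modality
        u = -K * (y if mode == "sensor" else x_hat)      # regulation in the active modality
        x = A * x + B * u                                # plant update
        x_hat = A * x_hat + B * u                        # estimator driven by the applied input
        trajectory.append(x)
    return {"trajectory": trajectory, "alarm_step": alarm_step, "mode": mode}


def steady_state_offset():
    """Offset the biased loop settles to when nothing reconfigures: x = -B*K*BIAS / (1 - (A - B*K))."""
    return -B * K * BIAS / (1.0 - (A - B * K))


if __name__ == "__main__":
    with_reconf = simulate(reconfigure=True)
    without = simulate(reconfigure=False)
    print("alarm at step", with_reconf["alarm_step"], "final mode", with_reconf["mode"])
    print("final state with reconfiguration:", round(with_reconf["trajectory"][-1], 6))
    print("final state without reconfiguration:", round(without["trajectory"][-1], 6),
          "(expected offset", steady_state_offset(), ")")
```

Without the supervisor the biased measurement drives the plant to a steady offset of -2.8; with it the alarm fires two steps into the attack, the loop switches to estimator feedback and the state returns to the origin. Two caveats a practitioner should keep in mind: the estimator here is exact and noise-free, so the fallback modality looks perfect, whereas on a real open loop unstable plant the estimation error grows like A^k once sensor data is no longer trusted, which makes estimator feedback a bridging modality that must be paired with a further response (a redundant sensor, a safe mode); and a deception attack crafted to stay consistent with the model would not raise this residual, which is why the deck pairs detection with risk assessment rather than relying on one detector.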
Page 11
Co-design Problem
[Figure: System Dynamics, Software Component Architecture and Deployment Architecture, paired with Controller Design, System-Level Design and Deployment Design, composed into System-Security Codesign]
Page 12
System – Security Co-design
[Figure: design flow. Modeling languages and semantics: Modelica and SL-SF for the system dynamics; component model with discrete time semantics; ESMOL with logical time semantics; TLM with discrete event semantics; SystemC discrete event semantics for the platform. Security: security labels, integrity constraints and confidentiality constraints (DLM) as restrictions on information flow. Timing: timing property modeling, LET, WCET and WCCT analysis, SW timing model, system timing model. Steps: componentization; software component architecture and component code; automatic code generation; platform architecture; deployed system architecture synthesis (SW component – processor, SW component – device, data – memory, information flow – channel); information flow model refinement; platform information flow model extraction; implementation model; implemented dynamics. Marked (EI): security levels (integrity/confidentiality – DLM), control modalities, platform investment. Marked (RC): system dynamics]
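The design flow above carries DLM security labels on the information flows and checks them against the platform model when software components, data and flows are mapped onto processors, memory and channels. The following is an added example and not OpenMETA or FORCES tooling: DLM confidentiality labels (owner: readers policies, with the standard relabelling rule that a label may gain owners and lose readers), a simplified integrity label (the set of principals that may have influenced the data; DLM proper gives integrity its own owner/writer policies), channels described by who can observe and who can inject on them, and a check of a proposed deployment that reports confidentiality and integrity violations. The principals, labels, channels and the deployment are constructed for the example.

```python
"""Added example (not OpenMETA/FORCES code): checking a deployment of labelled
information flows onto platform channels against DLM-style confidentiality labels
and a simplified integrity label. Principals, labels and platform are constructed."""
from dataclasses import dataclass


@dataclass
class Label:
    """conf: DLM confidentiality policies, owner -> principals the owner lets read
    (the owner itself is always a reader). writers: principals that may have
    influenced the data (simplified integrity label)."""
    conf: dict
    writers: frozenset


def label(conf, writers):
    return Label({o: frozenset(r) | {o} for o, r in conf.items()}, frozenset(writers))


def conf_flows_to(src, dst):
    """DLM relabelling rule: dst must keep every owner of src and may only drop readers."""
    return all(o in dst.conf and dst.conf[o] <= src.conf[o] for o in src.conf)


def join(a, b):
    """Least restrictive label both a and b flow to (label of data derived from both):
    union of owners, intersection of readers for shared owners, union of writers."""
    conf = {}
    for o in set(a.conf) | set(b.conf):
        conf[o] = a.conf[o] & b.conf[o] if o in a.conf and o in b.conf else a.conf.get(o, b.conf.get(o))
    return Label(conf, a.writers | b.writers)


@dataclass(frozen=True)
class Channel:
    name: str
    readers: frozenset   # principals able to observe the link (platform information flow model)
    writers: frozenset   # principals able to inject on the link


@dataclass(frozen=True)
class Flow:
    src: str
    src_label: Label
    dst: str
    dst_label: Label
    channel: Channel     # deployment decision: information flow -> channel


def check_flow(f):
    """Returns (flow, kind, detail) tuples for every violated constraint."""
    problems, name = [], f"{f.src}->{f.dst} via {f.channel.name}"
    leaked = set()
    for readers in f.src_label.conf.values():   # channel observers not allowed by some owner
        leaked |= f.channel.readers - readers
    if leaked:
        problems.append((name, "confidentiality", f"link observable by {sorted(leaked)}"))
    if not conf_flows_to(f.src_label, f.dst_label):
        problems.append((name, "confidentiality", "destination port label is less restrictive than the source label"))
    untrusted = (f.src_label.writers | f.channel.writers) - f.dst_label.writers
    if untrusted:                               # channel writers can forge or modify what arrives
        problems.append((name, "integrity", f"data may be influenced by {sorted(untrusted)}"))
    return problems


def check_deployment(flows):
    return [p for f in flows for p in check_flow(f)]


# --- constructed scenario: plant sensor, controller, actuator, vendor diagnostics ---
FIELDBUS = Channel("fieldbus", frozenset({"plant", "ctrl", "ops"}), frozenset({"plant", "ctrl"}))
WAN = Channel("wan", frozenset({"ctrl", "vendor", "public"}), frozenset({"ctrl", "vendor", "public"}))
VPN = Channel("vpn", frozenset({"ctrl", "vendor"}), frozenset({"ctrl", "vendor"}))

SENSOR_OUT = label({"plant": {"ctrl", "ops"}}, {"plant"})
CTRL_IN = label({"plant": {"ctrl"}}, {"plant", "ctrl"})
CTRL_POLICY = label({"ctrl": {"plant", "ops"}}, {"ctrl"})
ACT_CMD = join(SENSOR_OUT, CTRL_POLICY)               # command derived from sensor data: label refinement
ACTUATOR_IN = label({"plant": {"ctrl"}, "ctrl": {"plant"}}, {"plant", "ctrl"})
VENDOR_IN = label({"plant": {"vendor"}}, {"plant", "ctrl", "vendor"})
DIAG_OUT = label({"plant": {"ctrl", "ops", "vendor"}}, {"plant", "ctrl"})   # plant explicitly releases to vendor

BAD_DEPLOYMENT = [
    Flow("sensor", SENSOR_OUT, "controller", CTRL_IN, FIELDBUS),
    Flow("controller", ACT_CMD, "actuator", ACTUATOR_IN, WAN),        # commands on an open link
    Flow("controller", SENSOR_OUT, "vendor_diag", VENDOR_IN, WAN),    # raw sensor data to the vendor
]
GOOD_DEPLOYMENT = [
    Flow("sensor", SENSOR_OUT, "controller", CTRL_IN, FIELDBUS),
    Flow("controller", ACT_CMD, "actuator", ACTUATOR_IN, FIELDBUS),
    Flow("controller", DIAG_OUT, "vendor_diag", VENDOR_IN, VPN),
]

if __name__ == "__main__":
    for problem in check_deployment(BAD_DEPLOYMENT):
        print(*problem, sep=" | ")
    print("good deployment violations:", check_deployment(GOOD_DEPLOYMENT))
```

The bad deployment fails in both directions the deck lists: confidentiality, because the WAN is observable by principals the plant never granted, and because the vendor port's label does not honour the plant's policy; and integrity, because anyone who can inject on the WAN can forge an actuation command or a diagnostic record. The good deployment keeps commands on the fieldbus, whose writers are exactly the principals the actuator trusts, and reaches the vendor only with a label the plant explicitly relaxed, over a link on which only the controller and the vendor can read or write. A remapping step of the kind the deck calls for would search the channel assignment for a mapping that returns no violations while also meeting the timing budget.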
Page 13
Tool Integration Framework: OpenMETA Tool Suite
[Figure: OpenMETA tool suite. Multimodeling Framework: CyPhy modeling and model integration, generators and model synthesis. Composition Framework: Component Generator and Design Generator (.ACM and .ADM files). Master Interpreter: components, designs, design spaces, test benches, parametric explorations, PET/PCC generator; produces tool inputs (.py, .mo, .xml, .json, .cmd files) for Modelica, CAD, CFD, FEA, blast, ballistics and formal verification tools. Analysis and Execution Framework: Job Manager (client application) running jobs locally or remotely on VehicleForge/Jenkins; tools used include Dymola, OpenModelica, Creo, OpenFOAM, Nastran, SwRI tools, QR, HybridSal and OpenMDAO; results (.mat, .stp, .asm, .xml, .csv, .json) stored on the file system and/or on VehicleForge; Project Analyzer dashboard (offline or online, runs in a web browser) for results storage and visualization]
Page 14
Tool Architecture
[Figure: tool architecture. Multimodeling Framework: modeling and model integration through the Master Interpreter, with a Control Model Library / Plant Model Library, a Platform Model Library and a Policy Library, covering Dynamics (Modelica), SW Architecture (ESMOL), Platform (SystemC), Policies (DLM), Timing (DE) and Deployment. Analysis and Execution Framework: timing verification/scheduling with FORMULA and Z3 (RC2FOR Translator producing .4ml, Timing Spec. Extr. producing .xxx), simulation integration and simulation synthesis on C2WT/DETER (C2WT Gen. producing .c2w). Composition Framework: RC2FOR Translator producing .4ml]