Browse Publications Technical Papers 11-04-01-0001
2021-04-29

Security Threat Modeling and Automated Analysis for System Design 11-04-01-0001

This also appears in SAE International Journal of Transportation Cybersecurity and Privacy-V130-11EJ

Despite more and more rigorous defense mechanisms in place for cyber-physical systems, cybercriminals are increasingly attacking systems for benefits using a variety of means including malware, phishing, ransomware, and denial of service. Cyberattacks could not only cause significant economic loss but also disastrous consequences for individuals and organizations. Therefore, it is advantageous to detect and fix potential cyber vulnerabilities before the system is fielded. To this end, this article presents a language, VERDICT, and a novel framework, Cyber Vulnerability Analysis Framework (CyVAF) to (i) define cyber threats and mitigation defenses based on system properties, (ii) detect cyber vulnerabilities of system architecture automatically, and also (iii) suggest mitigation defenses. VERDICT is developed as an annex to the Architecture Analysis and Design Language (AADL) but can also be used independently. It enables users to define customized cyber threats and defenses, as well as from known libraries such as Common Attack Pattern Enumeration and Classification (CAPEC) and National Institute of Standards and Technology Recommended Security Controls for Federal Information Systems and Organizations (NIST 800-53). CyVAF translates a core fragment of AADL model annotated with properties along with VERDICT threats to Alloy specifications, leverages Alloy Analyzer to check whether components of the system are susceptible to threats and suggest defenses. In this article, we describe the language—VERDICT—and the translation mappings in the framework and demonstrate the capability and effectiveness of CyVAF using an unmanned aerial vehicle (UAV) example.

SAE MOBILUS

Subscribers can view annotate, and download all of SAE's content. Learn More »

Access SAE MOBILUS »

Members save up to 19% off list price.
Login to see discount.
We also recommend:
JOURNAL ARTICLE

Self-Driving Car Safety Quantification via Component-Level Analysis

12-04-01-0004

View Details

JOURNAL ARTICLE

Assessing the Safety of Environment Perception in Automated Driving Vehicles

09-08-01-0004

View Details

STANDARD

JAUS Core Service Set with ASCII Files

AS5710_ASCII

View Details

X