Security Analysis of IoT Systems Using Attack Trees

Delphine Beaulaton; Najah Ben Said; Ioana Cristescu; Salah Sadou

doi:10.1007/978-3-030-36537-0_5

International Workshop on Graphical Models for Security

GraMSec 2019: Graphical Models for Security pp 68-94 | Cite as

Security Analysis of IoT Systems Using Attack Trees

Authors
Authors and affiliations

Delphine Beaulaton
Najah Ben Said
Ioana Cristescu
Salah Sadou

Conference paper

First Online: 28 November 2019

Part of the Lecture Notes in Computer Science book series (LNCS, volume 11720)

Abstract

Attack trees are graphical representations of the different scenarios that can lead to a security failure. In combination with model checking, attack trees are useful to quantitatively analyse the security of a system. Such analysis can help in the design phase of a system to decide how and where to modify the system in order to meet some security specifications.

In this paper we propose a security-based framework for modeling IoT systems where attack trees are defined alongside the model. A malicious entity uses the attack tree to exploit the vulnerabilities of the system. Successful attacks can be rare events in the system’s execution, in which case they are hard to detect with usual model checking techniques. Hence, we use importance splitting as a statistical model checking technique for rare events. This technique requires a decomposition of an attack into sub parts, similarly to an attack tree. We argue that therefore, importance splitting is well suited, and benefits, from our modeling framework. We implemented our approach in a tool-set and verified its effectiveness by running a set of experiments over a real-word example.

Keywords

Attack tree IoT Rare events Importance splitting

This is a preview of subscription content, to check access.

Notes

Acknowledgements

We would like to thank Axel Legay for his helpfull suggestions on importance splitting, and Jean Quilbeuf for his technical help in the tool implementation.

Appendix

Counting Functions for the Operational Semantics of IoT

Definition 13

(Counting $\tau $ transitions from a state). The functions $\mathsf {count}_{\tau } :\text {State}\rightarrow \mathbb {N}$ and $\mathsf {count\_proc}_{\tau } :\text {Proc}\rightarrow \mathbb {N}$ are defined as follows:

$$\begin{aligned} \mathsf {count}_{\tau } (s|t) =&\mathsf {count}_{\tau } (s) + \mathsf {count}_{\tau } (t)\\ \mathsf {count}_{\tau } (\langle P,k\rangle ) =&\mathsf {count\_proc}_{\tau } (P)\\ \mathsf {count\_proc}_{\tau } (0) =&0\\ \mathsf {count\_proc}_{\tau } (\alpha .P) =&1 \text { if } \alpha \ne \tau \\&0 \text { if } \alpha =\tau \\ \mathsf {count\_proc}_{\tau } (\sum \alpha _i.P_i) =&1 \\ \mathsf {count\_proc}_{\tau } (P~|~Q) =&\mathsf {count\_proc}_{\tau } (P) + \mathsf {count\_proc}_{\tau } (Q). \end{aligned}$$

For counting the number of interactions, we have first to rewrite a state into a canonical form:

and where $P_i^{\text {S}} \equiv a.P$ and the action a is a send; nS is the number of processes of the form above in s. Similarly we define the rest of the processes. Note that if we cannot rewrite a state in this form then the rule ParState_Interaction cannot be applied (any internal or sum transitions have priority over the interactions). Moreover entities can only communicate with other entities, that is interactions are not defined internally to an entity. We therefore only need to count interactions between entities.

The function $\mathsf {count}_{\text {SR,LC}}$ uses an auxiliary function $\overline{\cdot }: \text {action} \rightarrow \text {action}$ which defines an action $\overline{a}$ which can synchronise with a using the rules SendReceive or LeakCollect.

Definition 14

Let $s\equiv s_S ~|~ s_R ~|~ s_L ~|~ s_C$ be a state in a canonical form. The function $\mathsf {count}_{\text {SR,LC}} :\text {State}\rightarrow \mathbb {N}$ is defined on s as follows:

$$\begin{aligned} \mathsf {count}_{\text {SR,LC}}(s_S ~|~ s_R ~|~ s_L ~|~ s_C)&= \mathsf {count}_{\text {SR}}(s_S, s_R) + \mathsf {count}_{\text {LC}}(s_L ~|~ s_C)\\ \mathsf {count}_{\text {SR}}(\langle a.P, k\rangle ~|~ s, t)&= \mathsf {count}(a, t) + \mathsf {count}_{\text {SR}}(s, t)\\ \mathsf {count}_{\text {LC}}(\langle a.P, k\rangle ~|~ s, t)&= \mathsf {count}(a, t) + \mathsf {count}_{\text {LC}}(s, t)\\ \mathsf {count}(a, \langle b.P, k\rangle ~|~ t)&= 1 + \mathsf {count}(a, t)\text { if }a=\overline{b}\\&= \mathsf {count}(a, t)\text { otherwise }\\ \end{aligned}$$

Proof of Theorem 1

Lemma 1

Any two congruent IoT states have the same transformation in $\mathcal {S}$BIP systems.

Proof

We proceed by cases on the congruence relation. First consider the congruence relation on states: For the monoid laws on |, note that the transformation results in a set of atomic components and therefore the order of states in the parallel composition does not matter. In the case where processes are congruent, we distinguish two subcases: (i) Threads in a parallel composition translate into tuples of states in the transformation of a process (Definition 9) where the order of the states does not matter; (ii) For the rest we use the fact that inside an atomic component the states that have congruent labels are identified.

Proof

(Theorem 1). Let $e_1,\cdots ,e_n$ be n entities of an IoT system $(S,L,T,s_0)$ with the initial states $\langle P_1,k_1\rangle , \cdots \langle P_n,k_n\rangle $. $\mathcal {B}_{e_i} = (P_i,V_i, N_i)$ with $N_i = (L_i, L_{i,0},$ $T_i, F_i)$, is the transformation of the current state of the entity $e_i$, for $i\le n$. Also let $V_i = V^p_i \cup V^d_i$. We write $(P,Q,\pi , q_0)$ for the semantics of $\langle \ll \rangle \varGamma (\mathcal {B}_{e_1},\cdots \mathcal {B}_{e_n})= (\varGamma ,\mathbf {V},\mathbf {N})$ with $\mathbf {N} = \mathbf {(L, L_0, T, F)}$. Lastly $\mathbf {X_{init}}$ is the initial valuation.

To construct the relation $\mathcal {R}\subseteq S\times Q$ required by the theorem, we first set some notations and constraints below. Informally, these constraints establish the relation between the processes and knowledge functions in states of S and the markings and the valuations, respectively, in states of Q.

1.

Correspondence between Processes and Markings. For a thread T let us write $m_T$ for the marking associated with T and defined as follows:
$$\begin{aligned} m_T(l) =&1 \text { if } \ell (l)= T\text { or }\ell (l) = U^\star , U= [n]T + T',&\text { for some threads }T', U\\&0 \text { otherwise}&\end{aligned}$$
where (P, V, N) and $N=(\mathcal {L},\mathcal {L}_0, \mathcal {T}, \mathcal {F})$ is obtained as in Definition 8 and where $l\in \mathcal {L}$. For a process $P = T_1 ~|~ \cdots ~|~ T_m$, let us write $m_P$ for the marking associated with P and defined as $m_{T_1}+\cdots + m_{T_m}$.
2.

Correspondence between Knowledge and the Deterministic Variables. From Definition 8 it follows that for each thread $T_j$ in a process $P_i$ we define the set $V_i^d = \{v_c ~|~ c$ is a protocol used in $T_j\}$. From Definition 9 then the set of variables of $P_i = T_1 ~|~\cdots ~|~ T_m$ is $\cup _{j\le m} V_j = \{v_c ~|~ c$ is a protocol used in $P_i\}$.

Then, if $\mathbf {X_i}$ the current valuation of entity $e_i$, we require that $\mathbf {X_i}(v_c) = k_i(c)$, for $i\le n$, $c\in C$ and $v_c\in V^d_i$. Recall that we write C for the set of protocols used in the IoT system and $k_i$ for the knowledge function of an entity $e_i$.
3.

Correspondence between Probabilistic Choices in Processes and the Random Variables. For every summation thread U in a process $P_i$, we have that there exists a random variable $v_{U}\in V^p_i$, by Definition 8. Moreover, if T a thread of $P_i$, belongs to a summation, i.e. $U = [n]T + T'$, for some threads $T', U$, then for the current valuation $\mathbf {X_i}$ we have that $\mathbf {X_i}(v_U) = T$. For a process $P = T_1 ~|~ \cdots ~|~ T_m$ we use Definition 9 and have that $V^p$ is the disjoint union of all $V^p_j$, where $V^p_j$ is the set of random variables for $T_j$, $j\le m$.

We define the following relation between the states of S and the states of Q:

Open image in new window

We show that $\mathcal {R}$ is the relation required in Theorem 1. First we have to show that $(s_0,q_0)\in \mathcal {R}$.

We use Definition 8 from which we have that $\mathcal {L}_0 = \{l_T\}$ is the initial place in the transformation of a thread T. Then, by Definition 9, $L_0 = \uplus _{j\le m} \mathcal {L}_0^j = \uplus _{j\le m} \{l_{T_j}\}$ is the initial set of places in the transformation of a process $P = T_1 ~|~\cdots ~|~ T_m$. From Definition 7 it follows that $\mathbf {L}_0 = \uplus _{i\le n} L_{0,i}$. By Definition 5 the initial marking in $q_0 = (m_0,\mathbf {X_{init}})$ is defined as $m_0(l) = 1 \iff l\in \mathbf {L}_0$ and 0 otherwise. Hence we can write $m_0 = m_{P_1} + \cdots + m_{P_n}$. This shows condition 1 of $\mathcal {R}$.

From Definition 9 we have that for each entity $e_i$, $\mathbf {X_{init}}(v_c) = k_i(c)$, for all protocols c used by $e_i$. From Definition 7 the set of variables of the composed $\mathcal {B}_{e_i}$ components is the disjoint union $V_i$, i.e. $\mathbf {V} = \uplus _{i\le n} V_i$, in particular $\mathbf {V}^d = \uplus _{i\le n} V^d_i$. Then a valuation for $\mathbf {V}$ is the disjoint composition of the individual valuations for $V_i$, from which it follows the required decomposition of $\mathbf {X_{init}}$ in $q_0 = (m_0,\mathbf {X_{init}})$. Therefore condition 2 of $\mathcal {R}$ holds. For condition 3 to hold suffices to note that there is no probabilistic choice made yet in any process and therefore there is no correspondence to show. We can take any initial valuation we want for the random variables.

Let us now suppose that $(s,q)\in \mathcal {R}$ and that $s\overset{[n]}{\underset{l}{\longrightarrow }} s'$, for some label $l\in L$, some probability n and state $q'\in Q$. We have to show that there exists $q'\in Q$ and $q\xrightarrow []{p} q'\in \pi $ with $\mathbb {P}(q\xrightarrow []{p} q') = n$ such that $(s',q')\in \mathcal {R}$. We reason by cases on the label l of the transition $s\overset{[n]}{\underset{l}{\longrightarrow }} s'$.

Let $l = SR:v$ or $l = LC:v$; then let $e_1$ and $e_2$ be the two communicating entities. Using Lemma 1 we can rewrite the transition as follows:
$$\begin{aligned} s=\langle P_1,k_1\rangle ~|~\langle P_2,k_2\rangle ~|~\langle P_3,k_3\rangle ~|~\dots ~|~\langle P_n,k_n\rangle \overset{[1/m]}{\underset{l}{\longrightarrow }} \\ s'=\langle Q_1,k'_1\rangle ~|~\langle Q_2,k'_2\rangle ~|~\langle P_3,k_3\rangle ~|~\dots ~|~\langle P_n,k_n\rangle \end{aligned}$$
where we can decompose $P_1 \equiv _P a_1.T_1~|~ P_1'$ and $P_2 \equiv _P a_2.T_2~|~ P_2'$, $Q_1 \equiv _P T_1~|~P_1'$ and $Q_2 \equiv _P T_2~|~P_2'$, again by Lemma 1 and from the rules of Fig. 2. Here we suppose w.l.o.g. that $a_1$ and $a_2$ are the two synchronizing actions in $P_1$ and $P_2$, respectively. Also suppose w.l.o.g. that $a_1$ is a send (or a leak) and that $a_2$ is a receive (or a collect). Let c be the protocol used for the communication in case $l = SR:v$.

From $(s,q)\in \mathcal {R}$ we have that $q = (m_{P_1}+\cdots m_{P_n}, \mathbf {X_1}\sqcup \cdots \sqcup \mathbf {X_n})$ and that $m_{P_i} = m_{a_i.T_i} + m_{P_i'}$, for $i\le 2$. Also from condition 1 of $\mathcal {R}$, $m_{a_i.T_i} = \{l_i\}$ with either $\ell (l_i) = a_i.T_i$, or $\ell (l_i) = U_i^\star $, for some summation threads $U_1, U_2$.
- If $\ell (l_1) = a_1.T_1$ then we use the transformation of Definition 8 to show that there exists the place $l_1'\in L_1$, with $\ell (l_1') = T_1$ and the transition $t_1 = (\{l_{a_1.T_1}\}, \langle a_1,g_1 = true , f_1 \rangle , \{l_{T_1}\})$ in $\mathcal {B}_1$.
  $*$
  If $\ell (l_2) = a_2.T_2$ then as above, there exists $l_2'\in L_2$, with $\ell (l_2') = T_2$ and the transition $t_2 = (\{l_{a_2.T_2}\}, \langle a_2,g_2 = true , f_2 \rangle , \{l_{T_1}\})$ in $\mathcal {B}_2$.
  $*$
  $\ell (l_2) = U_2^\star $, with $U_2 = [n_2] a_2.T_2 + U_2'$, for some threads $U_2, U_2'$. As in the case above, from Definition 8 we have that there exists the places $l_2'\in L_2$ with $\ell (l_2') = T_2$. We also have, from condition 3 of $\mathcal {R}$ that there exists a random variable $v_{U_2}\in V_2^p$ with $\mathbf {X}(v_{U_2}) = a_2.T_2$. Moreover we have the transition $t_2 = (\{l_{U_2^\star }\}, \langle a_2, g_2 = (v_{U_2} == a_2.T_2), f_2\rangle , \{l_{T_2}\})$ in $\mathcal {B}_2$.
- the other case is similar.
Note that in all cases above, $f_i= \{v := v~|~ v\in V^d\}$ with $R_i^p = \emptyset $, $i\le n$.
Using Definition 10 we have that there exists an interaction $\gamma = (\{a_1,a_2\}, G, F)$ such that
- If $l = SR:v$ then $G = (\exists x\in v^1_c$ such that $x\in v^2_c)$ for $v^1_c\in V_1$ and $v^2_c\in V_2$.
- If $l = LC:v$ then $G= true $.
Also, $F =\{ v^2_{c'} := v^2_{c'}\cup \{v'\}~|~ \mathsf {protocol}(v') = c', v^2_{c'}\in V_2\}$ for both $l = SR:v$ and $l=LC:v$.
We now use Definition 7 and have that there exists the transition
$$\begin{aligned} \underline{T} = (\{l_1,l_2\}, \langle \gamma ,g_1 \wedge g_2 \wedge G,(f_1\sqcup f_2)\circ F\rangle , \{l_1',l_2'\})\in \mathbf {T}. \end{aligned}$$
We have to show that the guard $g=g_1 \wedge g_2 \wedge G$ holds for the current valuation $\mathbf {X}$:
- If $g_1 = (v_{U_1} == a_1.T_1)$ then $\mathbf {X}(g_1)$ holds from condition 3 of $\mathcal {R}$; otherwise $g_1 = true $. We proceed similarly for $g_2$.
- If $l=SR:v$ then $G = (\exists x\in v^1_c$ such that $x\in v^2_c)$ for $v^1_c\in V_1$ and $v^2_c\in V_2$. From condition 2 of $\mathcal {R}$ we have that $\mathbf {X}(v^i_c) = k_i(c)$, $i\le n$. Then the guard holds as it is the condition of rule SendReceive in Fig. 2. If $l=LC:v$ then $G = true $.
The transitions above are allowed to proceed by the priority order $\ll $ (see text after Definition 7) only if there is no internal transition available. This is the case as ensured by the rule ParState_Interaction in Fig. 2.

Therefore, by Definition 5, there exists the transition
$$\begin{aligned} q = (m_{P_1} + m_{P_2} +\cdots m_{P_n}, \mathbf {X_1}\sqcup \cdots \sqcup \mathbf {X_n}) \xrightarrow []{\gamma } q'=(m',\mathbf {X}') \end{aligned}$$
where we have to show that conditions 1-3 of $\mathcal {R}$ hold. For condition 1 we have to show that $m' = m_{Q_1}+ m_{Q_2} + \cdots m_{P_n}$. Using Definition 5 it follows that
$$\begin{aligned} m' = m - ^{\bullet } \underline{T} + \underline{T}^{\bullet } = m - \{l_1,l_2\} + \{l_1',l_2'\}. \end{aligned}$$
As $\mathbf {L}_0 = \uplus _{i\le n} L_{0,i}$, from Definition 7, it follows that
$$\begin{aligned} m' = (m_{P_1} - \{l_1\} + \{l_1'\}) + (m_{P_2} - \{l_2\} + \{l_2'\}) + \cdots + m_{P_n}. \end{aligned}$$
Using condition 1 of $\mathcal {R}$ on $m_{P_1}$ and $m_{P_2}$ we have that $m_{P_1}- \{l_1\} + \{l_1'\} = m_{Q_1}$ and similarly for $m_{Q_2}$.

Let us now show condition 2, i.e. $\mathbf {X}' = \mathbf {X_1'}\sqcup \mathbf {X_2'}\sqcup \cdots \sqcup \mathbf {X_n}$ and $\mathbf {X_i'}(v_{c'}) = k_i'(c')$, $i\le 2$. Using the function F above we have that $\mathbf {X_i'}(v_{c'}) = \mathbf {X_i}(v_{c'})\cup \{v\}$. From rules SendReceive and LeakCollect we also get that $k_i'(c') = k_i(c)\cup \{v\}$, $i\le 2$.

As $R_1^p = R_2^p = \emptyset $ condition 3 is trivial.

Lastly, the two transitions have the same probability: $|\mathsf {Enabled}(m;\mathbf {X})| = m$ by Lemma 1, and therefore $\mathbb {P}\big (q\overset{p}{\longrightarrow }q'\big ) = 1/m$.
Let $l =\tau $; let $e_1$ be the entity that triggers the internal transition. Using Lemma 1 we can rewrite the states in the transition as follows:
$$\begin{aligned} s=\langle P_1,k_1\rangle ~|~\langle P_2,k_2\rangle ~|~\langle P_3,k_3\rangle ~|~\dots ~|~\langle P_n,k_n\rangle \overset{[n]}{\underset{l}{\longrightarrow }} \\ s'=\langle Q_1,k'_1\rangle ~|~\langle P_2,k_2\rangle ~|~\langle P_3,k_3\rangle ~|~\dots ~|~\langle P_n,k_n\rangle . \end{aligned}$$
There are two possibilities: either $P_1 \equiv _P \sum _{i\in I_1} a_i.T_i~|~ P_1'$ where $Q_1 = a_1.T_1$ w.l.o.g. or $P_1 \equiv _P \tau .T_1~|~P_1'$ with $Q_1 = T_1$. We write $U = \sum _{i\in I_1} a_i.T_i$ or $U = \tau .T_1$ depending on which of the two cases we are.

From $(s,q)\in \mathcal {R}$ we have that $q = (m_{P_1}+\cdots m_{P_n}, \mathbf {X_1}\sqcup \cdots \sqcup \mathbf {X_n})$ and that $m_{P_1} = \{l\} + m_{P_1'}$, $\ell (l) = U$. We use the transformation of Definition 8 to show that there exists the place $l'\in L_1$ and the transition $t = (\{l\}, \langle \tau ,g= true , f \rangle , \{l'\})$ in $\mathcal {B}_1$.
- If $U = \sum _{i\in I_1} a_i.T_i$ then $\ell (l') = U^{\star }$, $f= \{v := v~|~ v\in V_1^d\}$ and $R^p = \{v_U\}$.
- If $U = \tau .T_1$ then $\ell (l') =T_1$, $f= \{v := v~|~ v\in V_1^d\}$ and $R^p = \emptyset $.
Using Definition 10 we have that there exists an interaction $\gamma = (\{\tau \}, G= true , F)$ with $F= \{v := v~|~ v\in V_1^d\}$.

From Definition 7 there exists the transition
$$\begin{aligned} \underline{T} = (\{l\}, \langle \gamma ,g_1 \wedge G = true ,f\circ F\rangle , \{l'\})\in \mathbf {T}. \end{aligned}$$
The guard trivially holds and we obtain the transition
$$\begin{aligned} q = (m_{P_1} + +\cdots m_{P_n}, \mathbf {X_1}\sqcup \cdots \sqcup \mathbf {X_n}) \xrightarrow []{\gamma } q'=(m',\mathbf {X}') \end{aligned}$$
where we have to show that conditions 1-3 of $\mathcal {R}$ hold. As in the first case, condition 1 follows from $m' = m - \{l\} + \{l'\} = m_{Q_1} + \cdots m_{P_n}$. Condition 2 trivially hold as the update functions f and F are the identity and therefore $\mathbf {X_1}' = \mathbf {X_1}$. Indeed the knowledge function of $k_1$ is not modified by the rules Choice or Internal.

To show condition 3 we use Definition 8 from which we have that there exists $v_U\in V_1^p$, $v_U\sim \mu $, where $\mu (a_1.T_1) = n_1$. Then we can take $\mathbf {X'}(v_U) = a_1.T_1$. We also this argument to show that the two transitions have the same probabilities: by Lemma 1, $|\mathsf {Enabled}(m;\mathbf {X})| = m$ and therefore $\mathbb {P}\big (q\overset{p}{\longrightarrow }q'\big ) = 1/m \times n_1$.

Hereafter we prove the similarity of the IoT system to its corresponding $\mathcal {S}$BIP model. Let us suppose that $(q,s)\in \mathcal {R}$ and that $q\overset{\gamma }{\underset{}{\longrightarrow }} q'$, for a transition labelled with $\gamma $, where $q,q'\in Q$. We have to show that there is a state $s'\in S$ with $s\overset{[n]}{\underset{l}{\longrightarrow }} s'$, for some label $l\in L$, such that $(s',q')\in \mathcal {R}$. We define $s = \langle P_1,k_1\rangle ~|~ \langle P_2,k_2\rangle ~|~ \cdots ~|~\langle P_n,k_n\rangle $. Here we also reason by cases: whether the transition is an interaction between two components $\mathcal {B}_{e_1}$ and $\mathcal {B}_{e_2}$ or an internal transition.

We consider the communication is an interaction $\gamma =(\{a_1,a_2\}, G, F)$ between $\mathcal {B}_{e_1}$ and $\mathcal {B}_{e_2}$:
$$\begin{aligned} q= (m_{P_1} + m_{P_2} + \cdots m_{P_n},\mathbf {X_1}\sqcup \mathbf {X_2}\sqcup \cdots \sqcup \mathbf {X_n}) \overset{\gamma }{\underset{}{\longrightarrow }} q'= (m', \mathbf {X'}) \end{aligned}$$
As it is an interaction between two entities, from Definition 7 we have that there exists the transitions $t_i = (m_i, \langle p_i,g_i,f_i\rangle ,m_i') \in T_i$, for $i\in \{1,2\}$. From the Definition 10, $m_i= m_{P_i}$, $p_i = a_i$, $g_i= true $ and $f_i$ are the constant update functions. From $(q,s)\in \mathcal {R}$ we have that $m_{P_1}=m_{a_1.T_1}+m_{P'_1}$, $m_{P_2}=m_{a_2.T_2}+m_{P'_2}$ with $P_1= a_1.T_1 ~|~ P'_1$ and $P_2= a_2.T_2 ~|~ P'_2$. Moreover, from the Definition 5 there exists the transition
$$\begin{aligned} \underline{T} = (m_{P_1} + m_{P_2}, \langle \{a_1,a_2\},g_1 \wedge g_2 \wedge G,(f_1\sqcup f_2)\circ F\rangle , m_{Q_1} + m_{Q_2})\in \mathbf {T} \end{aligned}$$
with $m_{Q_1}=m_{T_1}+m_{P'_1}$, $m_{Q_2}=m_{T_2}+m_{P'_2}$.
We distinguish between the two types of interactions:
- $a_1 = e_1\xrightarrow [\text {v'}]{\text {c}}e_2$ and there exists $a_2\in \mathsf {Actions}$ such that $a_2 = e_2\xleftarrow {\text {c}}e_1$,
- or Open image in new window and there exists $a_2\in \mathsf {Actions}$ such that $a_2 = e_2\twoheadleftarrow e_1$
Following the Definition 10 we have the following guards:
- if $G = (\exists x\in v^1_c$ such that $x\in v^2_c)$ for $v^1_c\in V_1$ and $v^2_c\in V_2$ then $l= SR$
- if $G = true $ then $l= LC$
We can then apply the rules SendReceive or LeakCollect from Fig. 2. Hence we derive an interaction between $e_1$ and $e_2$ exists for which we have to show that conditions 1–3 of $\mathcal {R}$ hols.
$$\begin{aligned} s=\langle P_1,k_1\rangle ~|~\langle P_2,k_2\rangle ~|~\dots ~|~\langle P_n,k_n\rangle \overset{[n]}{\underset{l}{\longrightarrow }} \\ s'=\langle Q_1,k'_1\rangle ~|~\langle Q_2,k'_2\rangle ~|~\dots ~|~\langle P_n,k_n\rangle . \end{aligned}$$
From above, it follows that $m'=m_{Q_1} + m_{Q_2} + \cdots m_{P_n}$, which is the first condition of $\mathcal {R}$.

In the interaction $\gamma $, we apply the update function $F =\{ v^2_{c'} := v^2_{c'}\cup \{v'\}~|~ \mathsf {protocol}(v') = c', v^2_{c'}\in V_2\}$ for both $l = SR:v$ and $l=LC:v$, then $\mathbf {X'_i}(v_{c'}) = \mathbf {X_i}(v_{c})\cup \{v\}$. Therefore we can write $\mathbf {X'} = \mathbf {X_1'}\sqcup \mathbf {X_2'}\cdots \mathbf {X_n}$. With the interaction $s\overset{[n]}{\underset{l}{\longrightarrow }} s'$, we apply rules SendReceive or LeakCollect from Fig. 2 where $k_i'(c') = k_i(c)\cup \{v\}$. Hence the condition 2 hols, i.e. $\mathbf {X'_i}(v_{c'})=k_i'(c')$. With the execution of the $\gamma $ interaction, the probabilistic distribution $R_1^p = R_2^p = \emptyset $, and from the SendReceive or LeakCollect from Fig. 2 is the same, then the condition 3 trivially hols. The two transitions have the same probability: $\mathbb {P}\big (q\overset{p}{\longrightarrow }q'\big ) = 1/m$ by Lemma 1, and therefore $|\mathsf {Enabled}(m;\mathbf {X})| = m$.
We consider the transition to be an internal transition $\tau $ in component $\mathcal {B}_{e_1}$. From Lemma 1 we can write the transition:
$$\begin{aligned} q= (m_{P_1} + m_{P_2} + \cdots m_{P_n},\mathbf {X_1}\sqcup \mathbf {X_2}\sqcup \cdots \sqcup \mathbf {X_n}) \overset{\gamma }{\underset{}{\longrightarrow }} q'= (m', \mathbf {X'}) \end{aligned}$$
where $s = \langle P_1,k_1\rangle ~|~ \langle P_2,k_2\rangle ~|~ \cdots ~|~\langle P_n,k_n\rangle $, from $(q,s)\in \mathcal {R}$, we distinguish two cases of transition execution:
- A probabilistic choice: $m_{P_1}=\{l\} + m_{P'_1}$ where $\ell (l)=\sum _{i\in I}[n_i] a_i.T_i$ and $P_1=\sum _{i\in I} a_i.T_i|P'_1$. From the transformation of Definition 8, the transition
  $$\begin{aligned} t=(\{l_{T}\},\langle \tau ,\text {true},f^{\star }\rangle ,\{l_{T^{\star }}\})\in T_1 \end{aligned}$$
  can be executed where $f^{\star }= (\{v := v~|~ v\in V^d\}$ and $R^p = \{v_T\})$. From relations of Fig. 2, there exists a Choice transition in IoT system such that
  $$\begin{aligned} s=\langle P_1,k_1\rangle ~|~\langle P_2,k_2\rangle ~|~\dots ~|~\langle P_n,k_n\rangle \overset{[n_1]}{\underset{l}{\longrightarrow }}\\ s'=\langle Q_1,k'_1\rangle ~|~\langle P_2,k_2\rangle ~|~\dots ~|~\langle P_n,k_n\rangle \end{aligned}$$
  where $Q_1=a_1.T_1$. Now we can verify if the conditions 1–3 of R holds. We have that $m_{Q_1} = \{ \ell \}^{\star }$ and $m' = m_{Q_1} + m_{P_2} + \cdots m_{P_n}$. As the update function f is the identity function the condition 2 trivially hold and the knowledge $k'_1=k_1$. To show condition 3, we note that there exists $v_{T_1}\in V_1^p$, $v_{T_1}\sim \mu $ such that $\mathbf {X'}(v_{T_1}) = a_1.T_1$. We use Definition 8 from which we have that where $\mu (a_1.T_1) = n_1$.
- An internal transition: $m_{P_1}=m_{\tau .T_1} + m_{P'_1}$ and $P_1=\tau .T_1|P'_1$. From the transformation of Definition 8, the transition $\underline{T}=(\{l_{a.T}\},\langle a,\text {true},f \rangle ,\{l_{T}\})$ can be executed where $f= (\{v := v~|~ v\in V^d\}$ and $R^p = \emptyset )$. From relations of Fig. 2, there exists an Internal transition in IoT system such that
  $$\begin{aligned} s=\langle P_1,k_1\rangle ~|~\langle P_2,k_2\rangle ~|~\dots ~|~\langle P_n,k_n\rangle \overset{[n]}{\underset{l}{\longrightarrow }}\\ s'=\langle Q_1,k'_1\rangle ~|~\langle P_2,k_2\rangle ~|~\dots ~|~\langle P_n,k_n\rangle \end{aligned}$$
  where $Q_1 = T_1|P'_1$. Now we can verify if the conditions 1–3 of R holds. We have that $m_{Q_1} = m_{T_1} + m_{P'_1}$ and $m' = m_{Q_1} + m_{P_2} + \cdots m_{P_n}$. As the update function f is the identity function the condition 2 trivially hold and the knowledge $k'_1=k_1$. Then $\mathbf {X'} = \mathbf {X'_1}\sqcup \mathbf {X_2}\sqcup \cdots \sqcup \mathbf {X_n}$. Likewise, since $R^p = \emptyset $ the condition 3 trivially holds.

References

1.
Basu, A., Bozga, M., Sifakis, J.: Modeling heterogeneous real-time components in BIP. In: SEFM (2006). https://doi.org/10.1109/SEFM.2006.27
2.
Beaulaton, D., et al.: A language for analyzing security of IoT systems. In: SoSE (2018). https://doi.org/10.1109/SYSOSE.2018.8428704
3.
Bensalem, S., Bozga, M., Delahaye, B., Jegourel, C., Legay, A., Nouri, A.: Statistical model checking QoS properties of systems with SBIP. In: Margaria, T., Steffen, B. (eds.) ISoLA 2012. LNCS, vol. 7609, pp. 327–341. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34026-0_25CrossRefGoogle Scholar
4.
Boyer, B., Corre, K., Legay, A., Sedwards, S.: PLASMA-lab: a flexible, distributable statistical model checking library. In: Joshi, K., Siegle, M., Stoelinga, M., D’Argenio, P.R. (eds.) QEST 2013. LNCS, vol. 8054, pp. 160–164. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40196-1_12CrossRefGoogle Scholar
5.
ENISA: Smart hospitals, security and resilience for smart health service and infrastructures. Technical report, ENISA (2016)Google Scholar
6.
Gadyatskaya, O., Hansen, R.R., Larsen, K.G., Legay, A., Olesen, M.C., Poulsen, D.B.: Modelling attack-defense trees using timed automata. In: Fränzle, M., Markey, N. (eds.) FORMATS 2016. LNCS, vol. 9884, pp. 35–50. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44878-7_3CrossRefzbMATHGoogle Scholar
7.
Dalton, G.C., Mills, R.F., Colombi, J.M., Raines, R.A.: Analyzing attack trees using generalized stochastic Petri nets. In: 2006 IEEE Information Assurance Workshop (2006). https://doi.org/10.1109/IAW.2006.1652085
8.
Jegourel, C., Legay, A., Sedwards, S.: Importance splitting for statistical model checking rare properties. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 576–591. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39799-8_38CrossRefGoogle Scholar
9.
Kordy, B., Pouly, M., Schweitzer, P.: Computational aspects of attack–defense trees. In: Bouvry, P., Kłopotek, M.A., Leprévost, F., Marciniak, M., Mykowiecka, A., Rybiński, H. (eds.) SIIS 2011. LNCS, vol. 7053, pp. 103–116. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-25261-7_8CrossRefGoogle Scholar
10.
Kumar, R., et al.: Effective analysis of attack trees: a model-driven approach. In: Russo, A., Schürr, A. (eds.) FASE 2018. LNCS, vol. 10802, pp. 56–73. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89363-1_4CrossRefGoogle Scholar
11.
TrapX LAbs: Anatomy of an attack, medjack (medical device attack). Technical report, TrapX Security Inc. (2015)Google Scholar
12.
Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006). https://doi.org/10.1007/11734727_17CrossRefGoogle Scholar
13.
Ouchani, S.: Ensuring the functional correctness of IoT through formal modeling and verification. In: Abdelwahed, E.H., Bellatreche, L., Golfarelli, M., Méry, D., Ordonez, C. (eds.) MEDI 2018. LNCS, vol. 11163, pp. 401–417. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00856-7_27CrossRefGoogle Scholar
14.
Ruijters, E., Reijsbergen, D., de Boer, P.-T., Stoelinga, M.: Rare event simulation for dynamic fault trees. In: Tonetta, S., Schoitsch, E., Bitsch, F. (eds.) SAFECOMP 2017. LNCS, vol. 10488, pp. 20–35. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66266-4_2CrossRefGoogle Scholar
15.
Schneier, B.: Secrets & Lies: Digital Security in a Networked World. Wiley, Hoboken (2000)Google Scholar
16.
Tidwell, T., Larson, R., Fitch, K., Hale, J.: Modeling internet attacks. In: Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, IA (2001)Google Scholar
17.
Vanglabbeek, R., Smolka, S., Steffen, B.: Reactive, generative, and stratified models of probabilistic processes. Inf. Comput. 121 (1995). https://doi.org/10.1006/inco.1995.1123MathSciNetCrossRefGoogle Scholar

Copyright information

Authors and Affiliations

Delphine Beaulaton
- 1
Najah Ben Said
- 3
Ioana Cristescu
- 2
Email author
Salah Sadou
- 1

1.University South Brittany, IrisaLorientFrance
2.InriaRennesFrance
3.Thales SIX-GTSPalaiseauFrance

Security Analysis of IoT Systems Using Attack Trees

Abstract

Keywords

Notes

Acknowledgements

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite paper