
Security Metrics at Work on the Things in IoT Systems


Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 12065))

Abstract

The Internet of Things (IoT) is deeply changing our society. Every day we use smart devices that automatically collect, aggregate and exchange data about our lives. These data are often pivotal, e.g. when they are used to train learning algorithms, to control cyber-physical systems, and to guide administrators in taking crucial decisions. As a consequence, security attacks on devices can cause severe damage to IoT systems that provide essential services, such as delivering power, water, transport, and so on. The difficulty of preventing intrusions or attacks is magnified by the large number of devices and components that IoT systems are composed of. Therefore, it is crucial to identify the most critical components in a network of devices and to understand their level of vulnerability, so as to determine where it is best to intervene to improve security. In this paper, we start from the modelling language IoT-LySa and from the results of a Control Flow Analysis that statically predicts how data are manipulated and which trajectories they may follow. On this basis, we derive graphs of how data move and of their dependencies. These graphs can be analysed by exploiting security metrics, among which those introduced by Barrère, Hankin et al., offering system administrators different estimates of the security level of their systems.

Partially supported by Università di Pisa PRA_2018_66 DECLWARE: Metodologie dichiarative per la progettazione e il deployment di applicazioni (declarative methodologies for the design and deployment of applications) and by MIUR project PRIN 2017FTXR7S IT MATTERS (Methods and Tools for Trustworthy Smart Systems).


References

  1. Barrère, M., Hankin, C., Nicolaou, N., Eliades, D.G., Parisini, T.: Identifying security-critical cyber-physical components in industrial control systems. CoRR abs/1905.04796 (2019). http://arxiv.org/abs/1905.04796

  2. Bodei, C., Buchholtz, M., Degano, P., Nielson, F., Nielson, H.R.: Static validation of security protocols. J. Comput. Secur. 13(3), 347–390 (2005)

  3. Bodei, C., Degano, P., Ferrari, G.L., Galletta, L.: A step towards checking security in IoT. In: Proceedings of ICE 2016. EPTCS, vol. 223, pp. 128–142 (2016)

  4. Bodei, C., Degano, P., Ferrari, G.L., Galletta, L.: Where do your IoT ingredients come from? In: Lluch Lafuente, A., Proença, J. (eds.) COORDINATION 2016. LNCS, vol. 9686, pp. 35–50. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39519-7_3

  5. Bodei, C., Degano, P., Galletta, L., Salvatori, F.: Linguistic mechanisms for context-aware security. In: Ciobanu, G., Méry, D. (eds.) ICTAC 2014. LNCS, vol. 8687, pp. 61–79. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10882-7_5

  6. Bodei, C., Degano, P., Galletta, L., Salvatori, F.: Context-aware security: linguistic mechanisms and static analysis. J. Comput. Secur. 24(4), 427–477 (2016)

  7. Bodei, C., Galletta, L.: Tracking data trajectories in IoT. In: Mori, P., Furnell, S., Camp, O. (eds.) Proceedings of the 5th International Conference on Information Systems Security and Privacy (ICISSP 2019). SciTePress (2019)

  8. Bodei, C., Galletta, L.: Tracking sensitive and untrustworthy data in IoT. In: Proceedings of the First Italian Conference on Cybersecurity (ITASEC 2017). CEUR Workshop Proceedings, vol. 1816, pp. 38–52. CEUR-WS.org (2017)

  9. Bodei, C., Degano, P., Ferrari, G.L., Galletta, L.: Tracing where IoT data are collected and aggregated. Log. Methods Comput. Sci. 13(3), 1–38 (2017)

  10. Bodei, C., Degano, P., Ferrari, G.L., Galletta, L.: Revealing the trajectories of KLAIM tuples, statically. In: Boreale, M., Corradini, F., Loreti, M., Pugliese, R. (eds.) Models, Languages, and Tools for Concurrent and Distributed Programming. LNCS, vol. 11665, pp. 437–454. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21485-2_24

  11. Degano, P., Ferrari, G.L., Galletta, L.: A two-component language for COP. In: Proceedings of the 6th International Workshop on Context-Oriented Programming, COP@ECOOP 2014, pp. 6:1–6:7. ACM (2014)

  12. Degano, P., Ferrari, G.L., Galletta, L.: A two-component language for adaptation: design, semantics, and program analysis. IEEE Trans. Softw. Eng. 42(6), 505–529 (2016)

  13. Gao, H., Bodei, C., Degano, P.: A formal analysis of complex type flaw attacks on security protocols. In: Meseguer, J., Roşu, G. (eds.) AMAST 2008. LNCS, vol. 5140, pp. 167–183. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-79980-1_14

  14. Gao, H., Bodei, C., Degano, P., Riis Nielson, H.: A formal analysis for capturing replay attacks in cryptographic protocols. In: Cervesato, I. (ed.) ASIAN 2007. LNCS, vol. 4846, pp. 150–165. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76929-3_15

  15. Herlihy, M.: Wait-free synchronization. ACM Trans. Program. Lang. Syst. 13(1), 124–149 (1991)

  16. Lanese, I., Bedogni, L., Di Felice, M.: Internet of Things: a process calculus approach. In: Proceedings of the 28th Annual ACM Symposium on Applied Computing, SAC 2013, pp. 1339–1346. ACM (2013)

  17. Lanotte, R., Merro, M.: A semantic theory of the Internet of Things. In: Lluch Lafuente, A., Proença, J. (eds.) COORDINATION 2016. LNCS, vol. 9686, pp. 157–174. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39519-7_10

  18. Lanotte, R., Merro, M.: A semantic theory of the Internet of Things. Inf. Comput. 259(1), 72–101 (2018)

  19. Lanotte, R., Merro, M., Muradore, R., Viganò, L.: A formal approach to cyber-physical attacks. In: 30th IEEE Computer Security Foundations Symposium (CSF 2017), pp. 436–450. IEEE Computer Society (2017)

  20. Nicolaou, N., Eliades, D.G., Panayiotou, C.G., Polycarpou, M.M.: Reducing vulnerability to cyber-physical attacks in water distribution networks. In: 2018 International Workshop on Cyber-Physical Systems for Smart Water Networks, CySWater@CPSWeek, pp. 16–19. IEEE Computer Society (2018)

  21. Nielson, H.R., Nielson, F., Vigo, R.: A calculus for quality. In: Păsăreanu, C.S., Salaün, G. (eds.) FACS 2012. LNCS, vol. 7684, pp. 188–204. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35861-6_12

  22. Nielson, H.R., Nielson, F., Vigo, R.: A calculus of quality for robustness against unreliable communication. J. Log. Algebraic Methods Program. 84(5), 611–639 (2015)

  23. Schneier, B.: Attack trees. Dr. Dobb's J. 24(12), 21–29 (1999)

  24. Zillner, T.: ZigBee Exploited: The Good, the Bad and the Ugly. Black Hat USA (2015). https://www.blackhat.com/docs/us-15/materials/us-15-Zillner-ZigBee-Exploited-The-Good-The-Bad-And-The-Ugly-wp.pdf

Author information

Correspondence to Letterio Galletta.


Appendix

Operational Semantics of IoT-LySa

Our reduction semantics is based on the following structural congruence \(\equiv \) on nodes and node components. It is standard, except for rule (4), which equates a multi-output with no receivers to the inactive process, and for the fact that the inactive components of a node are all coalesced.

$$\begin{array}{ll}
(1) & (\mathcal{N}/_{\equiv}, \mid, \mathsf{0}) \text{ is a commutative monoid} \\
(2) & (\mathcal{B}/_{\equiv}, \parallel, \mathsf{0}) \text{ is a commutative monoid} \\
(3) & \mu\,h\,.\,X \equiv X\{\mu\,h\,.\,X / h\} \quad \text{for } X \in \{P, A, S\} \\
(4) & \langle\langle E_1,\cdots,E_r \rangle\rangle : \emptyset .\ \mathsf{0} \equiv \mathsf{0}
\end{array}$$

The two-level reduction relation \(\rightarrow \) is defined as the least relation on nodes and their components satisfying the set of inference rules in Tables 2 and 5. For the sake of simplicity, we use a single relation for both levels. We assume the standard denotational interpretation \([\![E]\!]_\varSigma \) for evaluating terms in the store \(\varSigma \).

Table 5. Reduction semantics (the upper part on node components, the lower one on nodes), where \(X \in \{S, A\}\) and \(Y \in \{N, B\}\), without the rules (Ev-out), (Multi-com), (A-com1) and (A-com2), discussed in Table 2.

The first two semantic rules implement the (atomic) asynchronous update of the variables shared inside a node, using the standard notation \(\varSigma \{-/-\}\) for store update. According to (S-store), the \(i^{th}\) sensor uploads the value v, gathered from the environment, into its store location i. According to (Asgm), a control process updates the variable x with the value of E. The rules for the conditional, (Cond1) and (Cond2), are as expected. The rule (Act) says that the actuator performs the action \(\gamma \); similarly, the rule (Int) covers internal actions, which represent activities we are not interested in. The communication rules (Ev-out), (Multi-com), (A-com1) and (A-com2), which drive asynchronous multi-communications and communication with actuators, are discussed in Sect. 3. The rule (Decr) tries to decrypt the value \( \{v_1,\cdots , v_r\}_{k}\), obtained by evaluating E, with the key \(k_0\), matching it against the pattern \(\{E'_1,\cdots ,E'_j ;x_{j+1},\cdots ,x_r\}_{k_0}\): the match succeeds only if the keys coincide and the first j components equal the values of \(E'_1,\cdots ,E'_j\). As for communication, when the match succeeds the variables after the semicolon ";" are assigned the remaining values resulting from the decryption; otherwise the process cannot proceed. The last rules propagate reductions across parallel composition ((ParN) and (ParB)) and nodes (Node), while (CongrY) is the standard reduction rule for congruence on nodes and node components.
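The matching performed by (Decr), as an added example that is not part of the chapter: a ciphertext is modelled as a key plus a tuple of plaintext components, keys are plain strings (symmetric encryption, as in IoT-LySa), the terms \(E'_1,\cdots ,E'_j\) before the semicolon are assumed to have already been evaluated, and the store \(\varSigma \) is a dictionary. The function returns the updated store on success and `None` when the rule does not fire, so the three failure cases (key mismatch, arity mismatch, value mismatch before the ";") can be seen separately.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Added example, not the chapter's own code: a concrete reading of rule (Decr).
# An encrypted value {v_1,...,v_r}_k is a key name plus the plaintext tuple.
@dataclass(frozen=True)
class Enc:
    key: str
    values: Tuple[Any, ...]


def decrypt_match(ct: Any, key0: str, pattern_terms: List[Any],
                  pattern_vars: List[str], sigma: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Match ct against the pattern {E'_1,...,E'_j; x_{j+1},...,x_r}_{k0}.

    pattern_terms are the (already evaluated) values of E'_1..E'_j, and
    pattern_vars are the names x_{j+1}..x_r after the ";".  On success the
    result is the updated store Sigma{v_{j+1}/x_{j+1}, ..., v_r/x_r}; on
    failure it is None, i.e. the (Decr) rule does not fire and the process
    stays where it is.  The input store is never modified in place.
    """
    if not isinstance(ct, Enc):
        return None                     # E did not evaluate to a ciphertext
    if ct.key != key0:
        return None                     # keys must coincide
    j = len(pattern_terms)
    r = j + len(pattern_vars)
    if len(ct.values) != r:
        return None                     # arity of the pattern must match
    if tuple(ct.values[:j]) != tuple(pattern_terms):
        return None                     # the first j components are checked, not bound
    new_sigma = dict(sigma)
    for x, v in zip(pattern_vars, ct.values[j:]):
        new_sigma[x] = v                # only the variables after ";" are bound
    return new_sigma


def run_decr(ct: Any, key0: str, pattern_terms: List[Any],
             pattern_vars: List[str], sigma: Dict[str, Any]) -> str:
    """One reduction step of `decrypt E as pattern in P`: reports whether the
    process proceeds to P (with the new store) or is stuck."""
    new_sigma = decrypt_match(ct, key0, pattern_terms, pattern_vars, sigma)
    if new_sigma is None:
        return "stuck"
    return "proceed with store " + repr(new_sigma)


if __name__ == "__main__":
    # Constructed sample: node S1 sent {S1, 21.5}_k and the receiver pins the
    # sender identifier before binding the temperature reading.
    ct = Enc("k", ("S1", 21.5))
    print(run_decr(ct, "k", ["S1"], ["temp"], {"count": 3}))   # proceeds, binds temp
    print(run_decr(ct, "k2", ["S1"], ["temp"], {"count": 3}))  # stuck: wrong key
    print(run_decr(ct, "k", ["S2"], ["temp"], {"count": 3}))   # stuck: identifier mismatch
```

The fixed components before the ";" are a check, not a binding: a receiver that pins the expected sensor identifier there never binds data coming from another origin, and a ciphertext under a different key never reaches the binding step at all, since the key comparison happens first.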

Control Flow Analysis of IoT-LySa

Our CFA is specified in a logical form through a set of inference rules expressing the validity of the analysis results. The rules use the function \(\lfloor - \rfloor _d\), which cuts every term whose depth exceeds a given threshold d, replacing it with the special abstract value \(\top ^{b}\); it is defined as follows.

$$\begin{array}{ll}
\lfloor \top ^{b} \rfloor _{d} = \top ^{b} \\
\lfloor v^{b} \rfloor _{d} = v^{b} \\
\lfloor \{\hat{v}_1,\cdots ,\hat{v}_r\}^{b}_{k_0} \rfloor _{0} = \top ^{b} \\
\lfloor \{\hat{v}_1,\cdots ,\hat{v}_r\}^{b}_{k_0} \rfloor _{d} = \{ \lfloor \hat{v}_1 \rfloor _{d-1},\cdots ,\lfloor \hat{v}_r \rfloor _{d-1}\}_{k_0}^{b} & (d > 0) \\
\lfloor f(\hat{v}_1,\cdots ,\hat{v}_r)^{b} \rfloor _{d} = f(\lfloor \hat{v}_1 \rfloor _{d-1},\cdots ,\lfloor \hat{v}_r \rfloor _{d-1})^{b}
\end{array}$$
Table 6. Analysis of labelled terms \((\widehat{\varSigma },\varTheta ) \models _{_{\ell }} {M^a}\).

The result, or estimate, of our CFA is a tuple \((\widehat{\varSigma },\kappa ,\varTheta ,T,\alpha )\) (a pair \((\widehat{\varSigma }, \varTheta )\) when analysing a term) that satisfies the judgements defined by the axioms and rules of Tables 6, 3 and 7.

Table 7. Analysis of nodes \((\widehat{\varSigma }, \kappa , \varTheta ,T,\alpha ) \models {{N}}\), and of node components \((\widehat{\varSigma }, \kappa ,\varTheta ,T, \alpha ) \models _{_{\ell }}{B}\), without the rules introduced in Table 3.

We do not comment on the clauses already discussed in Sect. 4. The judgement \((\widehat{\varSigma },\varTheta ) \models _{_{\ell }} {M^a}\), defined by the rules in Table 6, requires that \(\varTheta (\ell )(a)\) includes all the abstract values \(\hat{v}\) associated with \(M^a\). In the case of a sensor identifier \(i^a\) or of a value \(v^a\), the corresponding abstract value must be included in \(\varTheta (\ell )(a)\); for a sensor identifier, the micro-trajectory \((S_i,\ell )\) must also be included in T(a). The rule for analysing compound terms requires that the components are in turn analysed. The penultimate rule deals with the application of an r-ary encryption. To do that, (i) it analyses each term \(M^{a_i}_i\), and (ii) for each r-tuple of values \((\hat{v}_1,\cdots ,\hat{v}_r)\) in \(\varTheta (\ell )(a_1)\times \cdots \times \varTheta (\ell )(a_r)\), it requires that the abstract structured value \(\{\hat{v}_1,\cdots ,\hat{v}_r\}_{k_0}^{a}\), cut at depth d, belongs to \(\varTheta (\ell )(a)\). The special abstract value \(\top ^{a}\) thus ends up in \(\varTheta (\ell )(a)\) whenever the depth of the term exceeds d, which keeps the set of abstract values finite. The last rule is for the application of an r-ary function f. Also in this case, (i) it analyses each term \(M^{a_i}_i\), and (ii) for all r-tuples of values \((\hat{v}_1,\cdots ,\hat{v}_r)\) in \(\varTheta (\ell )(a_1)\times \cdots \times \varTheta (\ell )(a_r)\), it requires that the composed abstract value \(f(\hat{v}_1,\cdots ,\hat{v}_r)^a\) belongs to \(\varTheta (\ell )(a)\).
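The depth cut \(\lfloor - \rfloor _d\) defined above and the clause for r-ary encryption, as an added example that is not the chapter's own code. Labels, keys and plain values are strings, \(\varTheta (\ell )\) for one fixed node \(\ell \) is a dictionary from a label to the set of abstract values at that label, and the abstract values are small immutable records. The appendix gives the depth-0 case only for encryption; treating \(f(\cdots )\) the same way at depth 0 is an assumption made here. The last function runs the clause on a loop that re-encrypts its own result, which is the case the cut exists for: without it the estimate would grow forever, with it the estimate stabilises after a few rounds and contains \(\top ^{a}\).

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Set, Tuple

# Added example, not the chapter's own code: abstract values of the CFA,
# the depth cut, and the clause for {M_1^{a_1},...,M_r^{a_r}}^a_{k0}.

@dataclass(frozen=True)
class Top:            # ⊤^b: stands for any term cut because it exceeded depth d
    label: str

@dataclass(frozen=True)
class Atom:           # v^b: a sensor identifier or a plain value, with its label
    value: str
    label: str

@dataclass(frozen=True)
class AEnc:           # {v̂_1,...,v̂_r}^b_{k0}
    key: str
    args: tuple
    label: str

@dataclass(frozen=True)
class AFun:           # f(v̂_1,...,v̂_r)^b
    f: str
    args: tuple
    label: str


def cut(v, d: int):
    """⌊v⌋_d: ⊤ and atoms are untouched; a structured term at depth 0 becomes
    ⊤^b carrying the term's label, otherwise its arguments are cut at d-1.
    Assumption (not stated in the appendix): f(...) collapses to ⊤^b at depth 0
    exactly like an encryption, so every term has a finite cut."""
    if isinstance(v, (Top, Atom)):
        return v
    if d <= 0:
        return Top(v.label)
    args = tuple(cut(x, d - 1) for x in v.args)
    if isinstance(v, AEnc):
        return AEnc(v.key, args, v.label)
    return AFun(v.f, args, v.label)


def required_enc(theta: Dict[str, Set], key: str, arg_labels: List[str],
                 a: str, d: int) -> Set:
    """Step (ii) of the encryption clause: every r-tuple drawn from
    Θ(ℓ)(a_1) × ... × Θ(ℓ)(a_r), wrapped in {...}^a_{k0} and cut at depth d.
    These are the values the clause requires to be in Θ(ℓ)(a)."""
    return {cut(AEnc(key, tup, a), d)
            for tup in product(*(theta.get(l, set()) for l in arg_labels))}


def enc_clause_holds(theta: Dict[str, Set], key: str, arg_labels: List[str],
                     a: str, d: int) -> bool:
    """True iff the estimate theta satisfies the encryption clause at label a."""
    return required_enc(theta, key, arg_labels, a, d) <= theta.get(a, set())


def iterate_reencrypt(seed, key: str, d: int, a: str,
                      max_rounds: int = 100) -> Tuple[Set, int]:
    """Abstractly run a loop doing x := {x}_{k0} on its own result.  Without
    the cut the set of abstract values for x grows without bound; with ⌊-⌋_d
    it stabilises.  Returns the stable set and the rounds needed to reach it."""
    vals = {seed}
    for rounds in range(max_rounds):
        new = {cut(AEnc(key, (v,), a), d) for v in vals}
        if new <= vals:
            return vals, rounds
        vals |= new
    raise RuntimeError("estimate did not stabilise within max_rounds")


if __name__ == "__main__":
    # Constructed sample: sensor identifier at label a1, two readings at a2.
    theta = {"a1": {Atom("S1", "a1")}, "a2": {Atom("21.5", "a2"), Atom("22.0", "a2")}}
    print(required_enc(theta, "k0", ["a1", "a2"], "a", 2))
    vals, rounds = iterate_reencrypt(Atom("S1", "b"), "k0", 2, "a")
    print(rounds, "rounds;", len(vals), "abstract values, including", Top("a") in
          {x for v in vals if isinstance(v, AEnc) for x in v.args
           if isinstance(x, AEnc) for x in x.args})
```

A practitioner reading the estimate should treat \(\top ^{a}\) as "anything": once it appears inside an encryption the analysis no longer tracks which values that component may carry, so a larger d buys precision at the price of a larger (but still finite) abstract domain.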

The judgements for nodes, of the form \((\widehat{\varSigma }, \kappa , \varTheta ,T,\alpha ) \models {{N}}\), are defined by the rules in Table 7. The rules for the inactive node and for parallel composition are standard. The rule for a single node \(\ell :[B]\) requires that its internal components B are in turn analysed; in this case we use the rules with judgements \((\widehat{\varSigma }, \kappa ,\varTheta ,T, \alpha ) \models _{_{\ell }}{B}\), where \(\ell \) is the label of the enclosing node. The rule connecting actual stores \(\varSigma \) with abstract ones \(\widehat{\varSigma }\) requires the locations of sensors to contain the corresponding abstract values. The rule for sensors is trivial, because we are only interested in the users of their values.

The rules for processes require analysing the immediate sub-processes. The rule for decryption is similar to the one for communication: it also requires that the keys coincide. The rule for assignment requires that all the values \(\hat{v}\) in the estimate \(\varTheta (\ell )(a)\) for \(M^a\) belong to \(\widehat{\varSigma }_{_\ell }(x)\). The rules for the inactive process, for parallel composition, and for iteration are standard (we assume that each iteration variable h is uniquely bound to its body P).


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this chapter

Bodei, C., Degano, P., Ferrari, GL., Galletta, L. (2020). Security Metrics at Work on the Things in IoT Systems. In: Di Pierro, A., Malacaria, P., Nagarajan, R. (eds) From Lambda Calculus to Cybersecurity Through Program Analysis. Lecture Notes in Computer Science(), vol 12065. Springer, Cham. https://doi.org/10.1007/978-3-030-41103-9_9
