Abstract
The Internet of Things (IoT) is deeply changing our society. Daily we use smart devices that automatically collect, aggregate and exchange data about our lives. These data are often pivotal when they are used, e.g., to train learning algorithms, to control cyber-physical systems, and to guide administrators in taking crucial decisions. As a consequence, security attacks on devices can cause severe damage to IoT systems that take care of essential services, such as delivering power, water, transport, and so on. The difficulty of preventing intrusions or attacks is magnified by the large number of devices and components IoT systems are composed of. Therefore, it is crucial to identify the most critical components in a network of devices and to understand their level of vulnerability, so as to detect where intervention best improves security. In this paper, we start from the modelling language IoT-LySa and from the results of a Control Flow Analysis that statically predicts the manipulation of data and their possible trajectories. On this basis, we aim at deriving possible graphs of how data move and which are their dependencies. These graphs can be analysed, by exploiting some security metrics - among which those introduced by Barrère, Hankin et al. - offering system administrators different estimates of the security level of their systems.
Partially supported by Università di Pisa PRA_2018_66 DECLWARE: Metodologie dichiarative per la progettazione e il deployment di applicazioni and by MIUR project PRIN 2017FTXR7S IT MATTERS (Methods and Tools for Trustworthy Smart Systems).
References
Barrère, M., Hankin, C., Nicolaou, N., Eliades, D.G., Parisini, T.: Identifying security-critical cyber-physical components in industrial control systems. CoRR abs/1905.04796 (2019). http://arxiv.org/abs/1905.04796
Bodei, C., Buchholtz, M., Degano, P., Nielson, F., Nielson, H.R.: Static validation of security protocols. J. Comput. Secur. 13(3), 347–390 (2005)
Bodei, C., Degano, P., Ferrari, G.L., Galletta, L.: A step towards checking security in IoT. In: Proceedings of ICE 2016. EPTCS, vol. 223, pp. 128–142 (2016)
Bodei, C., Degano, P., Ferrari, G.-L., Galletta, L.: Where do your IoT ingredients come from? In: Lluch Lafuente, A., Proença, J. (eds.) COORDINATION 2016. LNCS, vol. 9686, pp. 35–50. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39519-7_3
Bodei, C., Degano, P., Galletta, L., Salvatori, F.: Linguistic mechanisms for context-aware security. In: Ciobanu, G., Méry, D. (eds.) ICTAC 2014. LNCS, vol. 8687, pp. 61–79. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10882-7_5
Bodei, C., Degano, P., Galletta, L., Salvatori, F.: Context-aware security: linguistic mechanisms and static analysis. J. Comput. Secur. 24(4), 427–477 (2016)
Bodei, C., Galletta, L.: Tracking data trajectories in IoT. In: Mori, P., Furnell, S., Camp, O. (eds.) Proceedings of the 5th International Conference on Information Systems Security and Privacy (ICISSP2019). ScitePress (2019)
Bodei, C., Galletta, L.: Tracking sensitive and untrustworthy data in IoT. In: Proceedings of the First Italian Conference on Cybersecurity (ITASEC 2017), vol. 1816, pp. 38–52. CEUR (2017)
Bodei, C., Degano, P., Ferrari, G.L., Galletta, L.: Tracing where IoT data are collected and aggregated. Log. Methods Comput. Sci. 13(3), 1–38 (2017)
Bodei, C., Degano, P., Ferrari, G.-L., Galletta, L.: Revealing the trajectories of KLAIM tuples, statically. In: Boreale, M., Corradini, F., Loreti, M., Pugliese, R. (eds.) Models, Languages, and Tools for Concurrent and Distributed Programming. LNCS, vol. 11665, pp. 437–454. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21485-2_24
Degano, P., Ferrari, G.L., Galletta, L.: A two-component language for COP. In: Proceedings of 6th International Workshop on Context-Oriented Programming, COP@ECOOP 2014, pp. 6:1–6:7. ACM (2014)
Degano, P., Ferrari, G.L., Galletta, L.: A two-component language for adaptation: design, semantics, and program analysis. IEEE Trans. Softw. Eng. 42(6), 505–529 (2016)
Gao, H., Bodei, C., Degano, P.: A formal analysis of complex type flaw attacks on security protocols. In: Meseguer, J., Roşu, G. (eds.) AMAST 2008. LNCS, vol. 5140, pp. 167–183. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-79980-1_14
Gao, H., Bodei, C., Degano, P., Riis Nielson, H.: A formal analysis for capturing replay attacks in cryptographic protocols. In: Cervesato, I. (ed.) ASIAN 2007. LNCS, vol. 4846, pp. 150–165. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76929-3_15
Herlihy, M.: Wait-free synchronization. ACM Trans. Program. Lang. Syst. 13(1), 124–149 (1991)
Lanese, I., Bedogni, L., Felice, M.D.: Internet of Things: a process calculus approach. In: Proceedings of the 28th Annual ACM Symposium on Applied Computing. SAC 2013, pp. 1339–1346. ACM (2013)
Lanotte, R., Merro, M.: A semantic theory of the Internet of Things. In: Lluch Lafuente, A., Proença, J. (eds.) COORDINATION 2016. LNCS, vol. 9686, pp. 157–174. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39519-7_10
Lanotte, R., Merro, M.: A semantic theory of the Internet of Things. Inf. Comput. 259(1), 72–101 (2018)
Lanotte, R., Merro, M., Muradore, R., Viganò, L.: A formal approach to cyber-physical attacks. In: 30th IEEE Computer Security Foundations Symposium, pp. 436–450. IEEE Computer Society (2017)
Nicolaou, N., Eliades, D.G., Panayiotou, C.G., Polycarpou, M.M.: Reducing vulnerability to cyber-physical attacks in water distribution networks. In: 2018 International Workshop on Cyber-Physical Systems for Smart Water Networks, CySWater@CPSWeek, pp. 16–19. IEEE Computer Society (2018)
Nielson, H.R., Nielson, F., Vigo, R.: A calculus for quality. In: Păsăreanu, C.S., Salaün, G. (eds.) FACS 2012. LNCS, vol. 7684, pp. 188–204. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35861-6_12
Nielson, H.R., Nielson, F., Vigo, R.: A calculus of quality for robustness against unreliable communication. J. Log. Algebraic Methods Program. 84(5), 611–639 (2015)
Schneier, B.: Attack trees. Dr Dobb’s J. 24(12), 436–450 (1999)
Zillner, T.: ZigBee Exploited (2015). https://www.blackhat.com/docs/us-15/materials/us-15-Zillner-ZigBee-Exploited-The-Good-The-Bad-And-The-Ugly-wp.pdf
Appendix
Operational Semantics of IoT-LySa
Our reduction semantics is based on the following structural congruence \(\equiv \) on nodes and node components. It is standard except for rule (4), which equates a multi-output with no receivers and the inactive process, and for the fact that inactive components of a node are all coalesced.
The two-level reduction relation \(\rightarrow \) is defined as the least relation on nodes and their components satisfying the set of inference rules in Tables 2 and 5. For the sake of simplicity, we use one relation. We assume the standard denotational interpretation \([\![E]\!]_\varSigma \) for evaluating terms.
The first two semantic rules implement the (atomic) asynchronous update of shared variables inside nodes, by using the standard notation \(\varSigma \{-/-\}\). According to (S-store), the \(i^{th}\) sensor uploads the value v, gathered from the environment, into its store location i. According to (Asgm), a control process updates the variable x with the value of E. The rules for the conditional, (Cond1) and (Cond2), are as expected. The rule (Act) says that the actuator performs the action \(\gamma \). Similarly, the rule (Int) covers internal actions, representing activities we are not interested in. The communication rules (Ev-out), (Multi-com), (A-com1) and (A-com2), which drive asynchronous multi-communications and communication with actuators, are discussed in Sect. 3. The rule (Decr) tries to decrypt the result \( \{v_1,\cdots , v_r\}_{k}\) of the evaluation of E with the key \(k_0\), and matches it against the pattern \(\{E'_1,\cdots ,E'_j ;x_{j+1},\cdots ,x_r\}_{k_0}\). As for communication, when this match succeeds the variables after the semicolon “;” are assigned the values resulting from the decryption. The last rules propagate reductions across parallel composition ((ParN) and (ParB)) and nodes (Node), while (CongrY) is the standard reduction rule for congruence on nodes and node components.
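The following is an added example, not code from the paper, that makes the behaviour of rule (Decr) concrete on a small constructed fragment of the term language (values, variables and encryption only; the real IoT-LySa syntax is richer). The names `Val`, `Var`, `Enc`, `Cipher`, `evaluate` and `decrypt` are assumptions of this example. It shows the two ways the rule fails to fire, a key mismatch and a mismatch on one of the first j pattern components, and that only the variables after “;” are bound on success.

```python
from dataclasses import dataclass
from typing import Optional, Union

# Constructed toy fragment of terms (assumption: only what rule (Decr) needs).
@dataclass(frozen=True)
class Val:            # a constant value
    v: object

@dataclass(frozen=True)
class Var:            # a variable looked up in the store Sigma
    x: str

@dataclass(frozen=True)
class Enc:            # the term {E_1, ..., E_r}_{k}
    args: tuple
    key: str

# The concrete structured value produced by evaluating an Enc term.
@dataclass(frozen=True)
class Cipher:
    vals: tuple
    key: str

Term = Union[Val, Var, Enc]

def evaluate(E: Term, store: dict):
    """Denotational interpretation [[E]]_Sigma for the toy fragment."""
    if isinstance(E, Val):
        return E.v
    if isinstance(E, Var):
        return store[E.x]
    if isinstance(E, Enc):
        return Cipher(tuple(evaluate(a, store) for a in E.args), E.key)
    raise TypeError(f"unknown term {E!r}")

def decrypt(E: Term, pattern: list, pattern_vars: list, k0: str,
            store: dict) -> Optional[dict]:
    """Rule (Decr): decrypt [[E]]_Sigma with key k0 and match the result
    against {E'_1..E'_j ; x_{j+1}..x_r}_{k0}.  Returns the updated store
    on success, or None when the key, the arity, or one of the first j
    components differs (the process is then stuck on this action)."""
    c = evaluate(E, store)
    if not isinstance(c, Cipher) or c.key != k0:
        return None                       # wrong key: no decryption
    j = len(pattern)
    if len(c.vals) != j + len(pattern_vars):
        return None                       # arity mismatch
    # The first j components must equal the evaluated pattern terms.
    if any(evaluate(p, store) != v for p, v in zip(pattern, c.vals[:j])):
        return None
    # The variables after ';' are bound to the remaining components.
    new_store = dict(store)
    new_store.update(zip(pattern_vars, c.vals[j:]))
    return new_store

if __name__ == "__main__":
    # Constructed sample: a node stores t = 21 and receives {"temp", t}_k.
    sigma = {"t": 21}
    msg = Enc((Val("temp"), Var("t")), "k_shared")
    print(decrypt(msg, [Val("temp")], ["y"], "k_shared", sigma))
    print(decrypt(msg, [Val("temp")], ["y"], "k_other", sigma))
```

On the sample the first call binds y to 21 and leaves t untouched; the second returns None because the key differs, mirroring the side condition of (Decr).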
Control Flow Analysis of IoT-LySa
Our CFA is specified in a logical form through a set of inference rules expressing the validity of the analysis results, where the function \(\lfloor - \rfloor _d\), which cuts all the terms with a depth greater than a given threshold d, replacing them with the special abstract values \(\top ^{b}\), is defined as follows.
The result or estimate of our CFA is a tuple \((\widehat{\varSigma },\kappa ,\varTheta ,T,\alpha )\) (a pair \((\widehat{\varSigma }, \varTheta )\) when analysing a term) that satisfies the judgements defined by the axioms and rules of Tables 6, 3 and 7.
We do not comment on the clauses discussed in Sect. 4. The judgement \((\widehat{\varSigma },\varTheta ) \models _{_{\ell }} {M^a}\), defined by the rules in Table 6, requires that \(\varTheta (\ell )(a)\) includes all the abstract values \(\hat{v}\) associated to \(M^a\). In the case of sensor identifiers \(i^a\) and values \(v^a\), these must be included in \(\varTheta (\ell )(a)\). In the case of a sensor identifier, the micro-trajectory \((S_i,\ell )\) must also be included in T(a). The rule for analysing compound terms requires that the components are in turn analysed. The penultimate rule deals with the application of an r-ary encryption. To do that (i) it analyses each term \(M^{a_i}_i\), and (ii) for each r-tuple of values \((\hat{v}_1,\cdots ,\hat{v}_r)\) in \(\varTheta (\ell )(a_1)\times \cdots \times \varTheta (\ell )(a_r)\), it requires that the abstract structured value \(\{\hat{v}_1,\cdots ,\hat{v}_r\}_{k_0}^{a}\), cut at depth d, belongs to \(\varTheta (\ell )(a)\). The special abstract value \(\top ^{a}\) will end up in \(\varTheta (\ell )(a)\) if the depth of the term exceeds d. The last rule is for the application of an r-ary function f. Also in this case, (i) it analyses each term \(M^{a_i}_i\), and (ii) for all r-tuples of values \((\hat{v}_1,\cdots ,\hat{v}_r)\) in \(\varTheta (\ell )(a_1)\times \cdots \times \varTheta (\ell )(a_r)\), it requires that the composed abstract value \(f(\hat{v}_1,\cdots ,\hat{v}_r)^a\) belongs to \(\varTheta (\ell )(a)\).
The judgements for nodes, with the form \((\widehat{\varSigma }, \kappa , \varTheta ,T,\alpha ) \models {{N}}\), are defined by the rules in Table 7. The rules for the inactive node and for parallel composition are standard. The rule for a single node \(\ell :[B]\) requires that its internal components B are in turn analysed; in this case we use the rules with judgements \((\widehat{\varSigma }, \kappa ,\varTheta ,T, \alpha ) \models _{_{\ell }}{B}\), where \(\ell \) is the label of the enclosing node. The rule connecting actual stores \(\varSigma \) with abstract ones \(\widehat{\varSigma }\) requires the locations of sensors to contain the corresponding abstract values. The rule for sensors is trivial, because we are only interested in the users of their values.
The rules for processes require analysing the immediate sub-processes. The rule for decryption is similar to the one for communication: it also requires that the keys coincide. The rule for assignment requires that all the values \(\hat{v}\) in the estimate \(\varTheta (\ell )(a)\) for \(M^a\) belong to \(\widehat{\varSigma }_{_\ell }(x)\). The rules for the inactive process, for parallel composition, and for iteration are standard (we assume that each iteration variable h is uniquely bound to the body P).
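As an added example (not the paper's own analyser), the block below computes the term part of the estimate bottom-up for a constructed term: the component \(\varTheta (\ell )(a)\) for each label a, the micro-trajectories \((S_i,\ell )\) recorded in T(a), the r-ary encryption rule with the cut at depth d, and the r-ary function rule. Several details are assumptions of this example rather than the paper's definitions: abstract values are plain tuples, \(\lfloor - \rfloor _d\) is modelled as "replace the whole abstract value by \(\top ^{a}\) when its nesting depth exceeds d", the rule for a variable reads \(\widehat{\varSigma }_{_\ell }(x)\), and the labels on the encrypted abstract values themselves are dropped. The names `Sensor`, `Value`, `Var`, `Enc`, `Fun`, `depth`, `cut`, `analyse` and `run_example` are likewise assumed. The point a practitioner should see is how the threshold d keeps the set of abstract values finite even though nested encryptions could otherwise grow without bound.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import product

# Constructed term syntax (assumption: each term carries its label a).
@dataclass(frozen=True)
class Sensor:            # the i-th sensor identifier, i^a
    i: int
    a: str

@dataclass(frozen=True)
class Value:             # a constant v^a
    v: object
    a: str

@dataclass(frozen=True)
class Var:               # a variable x^a, read from the abstract store
    x: str
    a: str

@dataclass(frozen=True)
class Enc:               # {M_1, ..., M_r}_{k0}^a
    args: tuple
    k0: str
    a: str

@dataclass(frozen=True)
class Fun:               # f(M_1, ..., M_r)^a
    f: str
    args: tuple
    a: str

# Abstract values (assumption): ("sensor", i), ("val", v),
# ("enc", (v1..vr), k0), ("fun", f, (v1..vr)), ("top", a).
def depth(vh) -> int:
    """Nesting depth of an abstract value; base values have depth 0."""
    kind = vh[0]
    if kind in ("sensor", "val", "top"):
        return 0
    inner = vh[1] if kind == "enc" else vh[2]
    return 1 + max((depth(v) for v in inner), default=0)

def cut(vh, d: int, a: str):
    """Modelled |_ - _|_d: the value becomes top^a once its depth exceeds d."""
    return ("top", a) if depth(vh) > d else vh

def analyse(M, ell: str, sigma_hat, d: int, Theta, T):
    """Bottom-up computation of the term judgement (Sigma^, Theta) |=_ell M^a.
    Theta[ell][a] is extended with every abstract value of M^a; T[a] with
    the micro-trajectories of sensor identifiers."""
    if isinstance(M, Sensor):
        Theta[ell][M.a].add(("sensor", M.i))
        T[M.a].add((f"S{M.i}", ell))          # micro-trajectory (S_i, ell)
    elif isinstance(M, Value):
        Theta[ell][M.a].add(("val", M.v))
    elif isinstance(M, Var):
        Theta[ell][M.a] |= sigma_hat[ell][M.x]  # assumed variable rule
    elif isinstance(M, Enc):
        for arg in M.args:                     # (i) analyse each component
            analyse(arg, ell, sigma_hat, d, Theta, T)
        # (ii) every r-tuple from the Cartesian product, cut at depth d
        for tup in product(*(Theta[ell][arg.a] for arg in M.args)):
            Theta[ell][M.a].add(cut(("enc", tup, M.k0), d, M.a))
    elif isinstance(M, Fun):
        for arg in M.args:
            analyse(arg, ell, sigma_hat, d, Theta, T)
        for tup in product(*(Theta[ell][arg.a] for arg in M.args)):
            Theta[ell][M.a].add(("fun", M.f, tup))   # no cut stated for f
    else:
        raise TypeError(f"unknown term {M!r}")
    return Theta, T

def run_example(d: int = 1):
    """Constructed sample: node n1 encrypts a sensor reading, then
    re-encrypts the ciphertext together with a variable x."""
    Theta = defaultdict(lambda: defaultdict(set))
    T = defaultdict(set)
    sigma_hat = {"n1": {"x": {("val", 7)}}}    # assumed abstract store
    inner = Enc((Sensor(1, "a1"), Value(42, "a2")), "k", "a3")
    outer = Enc((inner, Var("x", "a4")), "k2", "a5")
    analyse(outer, "n1", sigma_hat, d, Theta, T)
    analyse(Fun("f", (Sensor(1, "a1"), Var("x", "a4")), "a6"),
            "n1", sigma_hat, d, Theta, T)
    return Theta, T

if __name__ == "__main__":
    Theta, T = run_example()
    for a, vals in sorted(Theta["n1"].items()):
        print(a, vals)
    print(dict(T))
```

With d = 1 the inner encryption (depth 1) survives in \(\varTheta (n_1)(a_3)\), while the outer one (depth 2) is reported only as \(\top ^{a_5}\); raising d to 2 keeps the full nested value. The function application is kept uncut, as the rule in the text states it.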
© 2020 Springer Nature Switzerland AG
Bodei, C., Degano, P., Ferrari, GL., Galletta, L. (2020). Security Metrics at Work on the Things in IoT Systems. In: Di Pierro, A., Malacaria, P., Nagarajan, R. (eds) From Lambda Calculus to Cybersecurity Through Program Analysis. Lecture Notes in Computer Science(), vol 12065. Springer, Cham. https://doi.org/10.1007/978-3-030-41103-9_9
Print ISBN: 978-3-030-41102-2
Online ISBN: 978-3-030-41103-9