CPDY: Extending the Dolev-Yao Attacker with Physical-Layer Interactions

  • Marco Rocchetto
  • Nils Ole TippenhauerEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10009)


We propose extensions to the Dolev-Yao attacker model to make it suitable for arguments about security of Cyber-Physical Systems. The Dolev-Yao attacker model uses a set of rules to define potential actions by an attacker with respect to messages (i.e. information) exchanged between parties during a protocol execution. As the traditional Dolev-Yao model considers only information (exchanged over a channel controlled by the attacker), the model cannot directly be used to argue about the security of cyber-physical systems where physical-layer interactions are possible. Our Dolev-Yao extension, called Cyber-Physical Dolev-Yao (CPDY), allows additional orthogonal interaction channels between the parties. In particular, such orthogonal channels can be used to model physical-layer mechanical, chemical, or electrical interactions between components. In addition, we discuss the inclusion of physical properties such as location or distance in the rule set. We present an example set of additional rules for the Dolev-Yao attacker, using those we are able to formally discover physical attacks that previously could only be found by empirical methods or detailed physical process models.


Encryption Scheme Security Analysis Security Protocol Horn Clause Attack Model 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work was supported by the National Research Foundation of Singapore under grant NRF2014NCR-NCR001-40.


  1. 1.
    Adepu, S., Mathur, A.: An investigation into the response of a water treatment system into cyber attacks. In: IEEE Symposium on High Assurance Systems Engineering (HASE) (2015)Google Scholar
  2. 2.
    Antonioli, D., Tippenhauer, N.O., MiniCPS: a toolkit for security research on CPS networks. In: Proceedings of Workshop on Cyber-Physical Systems Security & Privay (SPC-CPS), co-located with CCS, October 2015Google Scholar
  3. 3.
    Armando, A., et al.: The AVANTSSAR platform for the automated validation of trust and security of service-oriented architectures. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 267–282. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  4. 4.
    Armando, A., Compagna, L.: SATMC: a SAT-based model checker for security protocols. In: Alferes, J.J., Leite, J. (eds.) JELIA 2004. LNCS (LNAI), vol. 3229, pp. 730–733. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. 5.
    AVANTSSAR. Deliverable 5.3: AVANTSSAR Library of validated problem cases (2010).
  6. 6.
    Basin, D., Capkun, S., Schaller, P., Schmidt, B.: Formal reasoning about physical properties of security protocols. Trans. Inf. Syst. Secur. (TISSEC) 14(2), 16 (2011)Google Scholar
  7. 7.
    Basin, D., Cremers, C., Meadows, C.: Model checking security protocols. In: Handbook of Model Checking (2011)Google Scholar
  8. 8.
    Basin, D., Mödersheim, S., Viganò, L.: OFMC: a symbolic model checker for security protocols. J. Inf. Secur. 4(3), 181–208 (2005)CrossRefGoogle Scholar
  9. 9.
    Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: Computer Security Foundation Workshop (CSFW). IEEE (2001)Google Scholar
  10. 10.
    Buchler, M., Hossen, K., Mihancea, P., Minea, M., Groz, R., Oriat, C.: Model inference and security testing in the spacios project. In: IEEE Conference on Software Maintenance, Reengineering and Reverse Engineering (CSMR-WCRE) (2014)Google Scholar
  11. 11.
    Camenisch, J., Mödersheim, S., Sommer, D.: A formal model of identity mixer. In: Kowalewski, S., Roveri, M. (eds.) FMICS 2010. LNCS, vol. 6371, pp. 198–214. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  12. 12.
    Cárdenas, A.A., Amin, S.M., Sinopoli, B., Giani, A., Perrig, A., Sastry, S.S.: Challenges for securing cyber physical systems. In: Workshop on Future Directions in Cyber-physical Systems Security. DHS, July 2009Google Scholar
  13. 13.
    Cárdenas, A.A., Roosta, T., Sastry, S.: Rethinking security properties, threat models, and the design space in sensor networks: a case study in scada systems. Ad Hoc Netw. 7(8), 1434–1447 (2009)CrossRefGoogle Scholar
  14. 14.
    Choi, Y.: From NuSMV to SPIN: experiences with model checking flight guidance systems. Formal Methods Syst. Des. 30(3), 199–216 (2007)CrossRefzbMATHGoogle Scholar
  15. 15.
    Cortier, V., Delaune, S., Lafourcade, P.: A survey of algebraic properties used in cryptographic protocols. J. Comput. Secur. 14(1), 1–43 (2006)CrossRefGoogle Scholar
  16. 16.
    Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Trans. Inf. Theor. 29(2), 198–207 (1983)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Escobar, S., Meadows, C., Meseguer, J.: Maude-NPA: cryptographic protocol analysis modulo equational properties. In: Aldini, A., Barthe, G., Gorrieri, R. (eds.) FOSAD 2009. LNCS, vol. 5705, pp. 1–50. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  18. 18.
    LeMay, E., Ford, M.D., Keefe, K., Sanders, W.H., Muehrcke, C.: Model-based security metrics using adversary view security evaluation (ADVISE). In: Proceedings of Conference on Quantitative Evaluation of Systems, QEST (2011)Google Scholar
  19. 19.
    Mathur, A., Tippenhauer, N.O.: A water treatment testbed for research and training on ICS security. In: Proceedings of Workshop on Cyber-Physical Systems for Smart Water Networks (CySWater), April 2016Google Scholar
  20. 20.
    Mo, Y., Kim, T.-H., Brancik, K., Dickinson, D., Lee, H., Perrig, A., Sinopoli, B.: Cyber-physical security of a smart grid infrastructure. Proc. IEEE 100(1), 195–209 (2012)CrossRefGoogle Scholar
  21. 21.
    Morris, T., Srivastava, A., Reaves, B., Gao, W., Pavurapu, K., Reddi, R.: A control system testbed to validate critical infrastructure protection concepts. J. Crit. Infrastruct. Prot. 4(2), 88–103 (2011)CrossRefGoogle Scholar
  22. 22.
    Reaves, B., Morris, T.: An open virtual testbed for industrial control system security research. J. Inf. Secur. 11(4), 215–229 (2012)CrossRefGoogle Scholar
  23. 23.
    Rocchetto, M., Ochoa, M., Torabi Dashti, M.: Model-based detection of CSRF. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds.) SEC 2014. IFIP AICT, vol. 428, pp. 30–43. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  24. 24.
    Rocchetto, M., Tippenhauer, N.O.: CPDY (Cyber-Physical Dolev-Yao) (2016).
  25. 25.
    Rocchetto, M., Viganò, L., Volpe, M., Vedove, G.D.: Using interpolation for the verification of security protocols. In: Accorsi, R., Ranise, S. (eds.) STM 2013. LNCS, vol. 8203, pp. 99–114. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  26. 26.
    Schaller, P., Schmidt, B., Basin, D.A., Capkun, S.: Modeling and verifying physical properties of security protocols for wireless networks. In: Computer Security Foundations Symposium (CSF), pp. 109–123 (2009)Google Scholar
  27. 27.
    Schmidt, B., Sasse, R., Cremers, C., Basin, D.A.: Automated verification of group key agreement protocols. In: Symposium on Security and Privacy (S&P), pp. 179–194 (2014)Google Scholar
  28. 28.
    Schmidt, M., Lipson, H.: Distilling free-form natural laws from experimental data. Science 324(5923), 81–85 (2009)CrossRefGoogle Scholar
  29. 29.
    SPaCIoS. Deliverable 3.3.2: Methodology and technology forvulnerability-driven security testing (final version) (2014).
  30. 30.
    Steinmetzer, D., Schulz, M., Hollick, M.: Lockpicking physical layer key exchange: weak adversary models invite the thief. In: Proceedings of ACM Conference Wireless Security (WiSeC) (2015)Google Scholar
  31. 31.
    Taormina, R., Galelli, S., Tippenhauer, N.O., Salomons, E., Ostfeld, A.: Simulation of cyber-physical attacks on water distribution systems with EPANET. In: Proceedings of Singapore Cyber Security R&D Conference (SG-CRC), January 2016Google Scholar
  32. 32.
    Turuani, M.: The CL-Atse protocol analyser. In: Pfenning, F. (ed.) RTA 2006. LNCS, vol. 4098, pp. 277–286. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  33. 33.
    Urbina, D., Giraldo, J., Tippenhauer, N.O., Cardenas, A.: Attacking fieldbus communications in ICS: applications to the SWaT testbed. In: Proceedings of Singapore Cyber Security R&D Conference (SG-CRC), January 2016Google Scholar
  34. 34.
    Viganò, L.: The spacios project: secure provision and consumption in the internet of services. In: Software Testing, Verification and Validation (ICST), pp. 497–498. IEEE (2013)Google Scholar
  35. 35.
    Vigo, R.: The cyber-physical attacker. In: Ortmeier, F., Daniel, P. (eds.) SAFECOMP Workshops 2012. LNCS, vol. 7613, pp. 347–356. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  36. 36.
    von Oheimb, D.: The high-level protocol specification language HLPSL developed in the EU project AVISPA. In: Proceedings of APPSEM 2005 workshop, pp. 1–17 (2005)Google Scholar
  37. 37.
    von Oheimb, D., Mödersheim, S.: ASLan++ — a formal security specification language for distributed systems. In: Aichernig, B.K., Boer, F.S., Bonsangue, M.M. (eds.) Formal Methods for Components and Objects. LNCS, vol. 6957, pp. 1–22. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  38. 38.
    Weinberger, S.: Computer security: is this the start of cyberwarfare? Nature 174, 142–145 (2011)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. 1.SnTUniversity of LuxembourgEsch-sur-AlzetteLuxembourg
  2. 2.ISTDSingapore University of Technology and DesignSingaporeSingapore

Personalised recommendations