Mukund Bhole,Wolfgang Kastner,Thilo Sauter

DOI: https://doi.org/10.1109/ETFA52439.2022.9921549

2023-06-22

Abstract:Todays industrial control systems consist of tightly coupled components allowing adversaries to exploit security attack surfaces from the information technology side, and, thus, also get access to automation devices residing at the operational technology level to compromise their safety functions. To identify these concerns, we propose a model-based testing approach which we consider a promising way to analyze the safety and security behavior of a system under test providing means to protect its components and to increase the quality and efficiency of the overall system. The structure of the underlying framework is divided into four parts, according to the critical factors in testing of operational technology environments. As a first step, this paper describes the ingredients of the envisioned framework. A system model allows to overview possible attack surfaces, while the foundations of testing and the recommendation of mitigation strategies will be based on process-specific safety and security standard procedures with the combination of existing vulnerability databases.

Software Engineering,Systems and Control

Partha Das Chowdhury,Maria Sameen,Jenny Blessing,Nicholas Boucher,Joseph Gardiner,Tom Burrows,Ross Anderson,Awais Rashid

DOI: https://doi.org/10.1002/spe.3341

2024-05-24

Software Practice and Experience

Abstract:Threat modeling is one of the foundations of secure systems engineering and must take heed of the context within which systems operate. In this work, we explore the extent to which real‐world systems engineering reflects a changing threat context. We examine the desktop clients of six widely used end‐to‐end‐encrypted mobile messaging applications to understand the extent to which they adjusted their threat model over space (when enabling clients on new platforms, such as desktop clients) and time (as new threats emerged). We experimented with short‐lived adversarial access against these desktop clients and analyzed the results using two popular threat elicitation frameworks, STRIDE and LINDDUN. The results demonstrate that system designers need to track threats in the evolving context within which systems operate and, more importantly, mitigate them by rescoping trust boundaries so that they remain consistent with administrative boundaries. A nuanced understanding of the relationship between trust and administration is vital for robust security, including the provision of safe defaults.

computer science, software engineering

Shuiqiao Yang,Tingmin Wu,Shigang Liu,David Nguyen,Seung Jang,Alsharif Abuadbba

2024-11-26

Abstract:Threat modeling is a crucial component of cybersecurity, particularly for industries such as banking, where the security of financial data is paramount. Traditional threat modeling approaches require expert intervention and manual effort, often leading to inefficiencies and human error. The advent of Large Language Models (LLMs) offers a promising avenue for automating these processes, enhancing both efficiency and efficacy. However, this transition is not straightforward due to three main challenges: (1) the lack of publicly available, domain-specific datasets, (2) the need for tailored models to handle complex banking system architectures, and (3) the requirement for real-time, adaptive mitigation strategies that align with compliance standards like NIST 800-53. In this paper, we introduce ThreatModeling-LLM, a novel and adaptable framework that automates threat modeling for banking systems using LLMs. ThreatModeling-LLM operates in three stages: 1) dataset creation, 2) prompt engineering and 3) model fine-tuning. We first generate a benchmark dataset using Microsoft Threat Modeling Tool (TMT). Then, we apply Chain of Thought (CoT) and Optimization by PROmpting (OPRO) on the pre-trained LLMs to optimize the initial prompt. Lastly, we fine-tune the LLM using Low-Rank Adaptation (LoRA) based on the benchmark dataset and the optimized prompt to improve the threat identification and mitigation generation capabilities of pre-trained LLMs.

Cryptography and Security,Artificial Intelligence

Vivek Nigam,Alexander Pretschner,Harald Ruess

DOI: https://doi.org/10.48550/arXiv.1810.04866

2018-10-11

Logic in Computer Science

Abstract:By exploiting the increasing surface attack of systems, cyber-attacks can cause catastrophic events, such as, remotely disable safety mechanisms. This means that in order to avoid hazards, safety and security need to be integrated, exchanging information, such as, key hazards/threats, risk evaluations, mechanisms used. This white paper describes some steps towards this integration by using models. We start by identifying some key technical challenges. Then we demonstrate how models, such as Goal Structured Notation (GSN) for safety and Attack Defense Trees (ADT) for security, can address these challenges. In particular, (1) we demonstrate how to extract in an automated fashion security relevant information from safety assessments by translating GSN-Models into ADTs; (2) We show how security results can impact the confidence of safety assessments; (3) We propose a collaborative development process where safety and security assessments are built by incrementally taking into account safety and security analysis; (4) We describe how to carry out trade-off analysis in an automated fashion, such as identifying when safety and security arguments contradict each other and how to solve such contradictions. We conclude pointing out that these are the first steps towards a wide range of techniques to support Safety and Security Engineering. As a white paper, we avoid being too technical, preferring to illustrate features by using examples and thus being more accessible.

Hui Guan,Weiru Chen,Lin Liu,Hongji Yang

DOI: https://doi.org/10.1007/978-3-642-22000-5_31

2011-01-01

Abstract:The popularity and complexity of web application present challenges to the security implementation for web engineering. Threat elicitation is an indispensable step for developers to identify the possible threats to the web applications in the early phase of software development. In this context, a novel approach is proposed to ease the threats elicitation for web application by using a defined web application classification as the sieve to sift a common threat list. The final result shows that the proposed model is a simplified and effective solution to threats elicitation to web application.

Eduardo dos Santos,Andrew Simpson,Dominik Schoop

DOI: https://doi.org/10.4204/EPTCS.271.7

2018-05-15

Abstract:Ensuring a car's internal systems are free from security vulnerabilities is of utmost importance, especially due to the relationship between security and other properties, such as safety and reliability. We provide the starting point for a model-based framework designed to support the security testing of modern cars. We use Communicating Sequential Processes (CSP) to create architectural models of the vehicle bus systems, as well as an initial set of attacks against these systems. While this contribution represents initial steps, we are mindful of the ultimate objective of generating test code to exercise the security of vehicle bus systems. We present the way forward from the models created and consider their potential integration with commercial engineering tools

Cryptography and Security,Software Engineering

Wenjun Xiong,Emeline Legrand,Oscar Åberg,Robert Lagerström

DOI: https://doi.org/10.1007/s10270-021-00898-7

2021-06-18

Abstract:Abstract Enterprise systems are growing in complexity, and the adoption of cloud and mobile services has greatly increased the attack surface. To proactively address these security issues in enterprise systems, this paper proposes a threat modeling language for enterprise security based on the MITRE Enterprise ATT&CK Matrix. It is designed using the Meta Attack Language framework and focuses on describing system assets, attack steps, defenses, and asset associations. The attack steps in the language represent adversary techniques as listed and described by MITRE. This entity-relationship model describes enterprise IT systems as a whole; by using available tools, the proposed language enables attack simulations on its system model instances. These simulations can be used to investigate security settings and architectural changes that might be implemented to secure the system more effectively. Our proposed language is tested with a number of unit and integration tests. This is visualized in the paper with two real cyber attacks modeled and simulated.

computer science, software engineering

Shaofei Huang,Christopher M. Poskitt,Lwin Khin Shar

2024-11-30

Abstract:Cybersecurity threats in automotive systems pose significant risks to safety and reliability. This article introduces a methodology integrating threat-informed dynamic security modelling with a Threat Analysis and Risk Assessment workflow. Using the example of an In-Vehicle Infotainment system, we demonstrate the methodology's application in risk management to strengthen automotive resiliency.

Cryptography and Security

Erlend Andreas Gjære,Per Håkon Meland

DOI: https://doi.org/10.48550/arXiv.1404.1984

2014-04-08

Software Engineering

Abstract:Software services are inevitably exposed to a fluctuating threat picture. Unfortunately, not all threats can be handled only with preventive measures during design and development, but also require adaptive mitigations at runtime. In this paper we describe an approach where we model composite services and threats together, which allows us to create preventive measures at design-time. At runtime, our specification also allows the service runtime environment (SRE) to receive alerts about active threats that we have not handled, and react to these automatically through adaptation of the composite service. A goal-oriented security requirements modelling tool is used to model business-level threats and analyse how they may impact goals. A process flow modelling tool, utilising Business Process Model and Notation (BPMN) and standard error boundary events, allows us to define how threats should be responded to during service execution on a technical level. Throughout the software life-cycle, we maintain threats in a centralised threat repository. Re-use of these threats extends further into monitoring alerts being distributed through a cloud-based messaging service. To demonstrate our approach in practice, we have developed a proof-of-concept service for the Air Traffic Management (ATM) domain. In addition to the design-time activities, we show how this composite service duly adapts itself when a service component is exposed to a threat at runtime.

Dongming Sun,Liang Hu,Gang Wu,Yongheng Xing,Juncheng Hu,Feng Wang

DOI: https://doi.org/10.1109/jiot.2024.3362950

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:The increased utilization of Trigger-Action Programming (TAP) rules in smart homes has raised concerns regarding potential security threats in the interactions between smart digital devices/online services (DD/OS) and the physical environment. To ensure the secure use of intelligent and convenient infrastructure for users, we introduce an approach aimed at detecting potential security threats. In this paper, we propose IoT security threat models and categorize the threats into Risky DD/OS with Physical Security, Contradictory Operation of DD/OS and Environmental Impact Conflict. To effectively detect security threats, we construct an Internet of Things-Heterogeneous Information Networks (IoT-HIN) and enhance it with a knowledge base tool, transforming it into a knowledge-based IoT-HIN. We establish meta-paths to conduct analysis of events triggered by rules, and a threat detection algorithm is proposed to identify potential security threats and determine the rules leading to these threats. The proposed approach is validated using a real-world dataset, and the experimental results demonstrate its efficiency and practicality. Furthermore, a comparative analysis with similar works is conducted to highlight the superiority of our proposed approach.

computer science, information systems,telecommunications,engineering, electrical & electronic

Thorsten Tarrach,Masoud Ebrahimi,Sandra König,Christoph Schmittner,Roderick Bloem,Dejan Nickovic

DOI: https://doi.org/10.48550/arXiv.2210.03207

2022-10-07

Abstract:We propose a model-based procedure for automatically preventing security threats using formal models. We encode system models and potential threats as satisfiability modulo theory (SMT) formulas. This model allows us to ask security questions as satisfiability queries. We formulate threat prevention as an optimization problem over the same formulas. The outcome of our threat prevention procedure is a suggestion of model attribute repair that eliminates threats. Whenever threat prevention fails, we automatically explain why the threat happens. We implement our approach using the state-of-the-art Z3 SMT solver and interface it with the threat analysis tool THREATGET. We demonstrate the value of our procedure in two case studies from automotive and smart home domains, including an industrial-strength example.

Cryptography and Security,Formal Languages and Automata Theory,Logic in Computer Science

Muhammad Sabir Idrees,Yves Roudier,Ludovic Apvrille

DOI: https://doi.org/10.48550/arXiv.1410.4305

2014-10-16

Cryptography and Security

Abstract:Security attacks are hard to understand, often expressed with unfriendly and limited details, making it difficult for security experts and for security analysts to create intelligible security specifications. For instance, to explain Why (attack objective), What (i.e., system assets, goals, etc.), and How (attack method), adversary achieved his attack goals. We introduce in this paper a security attack meta-model for our SysML-Sec framework, developed to improve the threat identification and modeling through the explicit representation of security concerns with knowledge representation techniques. Our proposed meta-model enables the specification of these concerns through ontological concepts which define the semantics of the security artifacts and introduced using SysML-Sec diagrams. This meta-model also enables representing the relationships that tie several such concepts together. This representation is then used for reasoning about the knowledge introduced by system designers as well as security experts through the graphical environment of the SysML-Sec framework.

Luca Allodi,Sandro Etalle

DOI: https://doi.org/10.1145/3140368.3140372

2018-01-14

Abstract:Current threat models typically consider all possible ways an attacker can penetrate a system and assign probabilities to each path according to some metric (e.g. time-to-compromise). In this paper we discuss how this view hinders the realness of both technical (e.g. attack graphs) and strategic (e.g. game theory) approaches of current threat modeling, and propose to steer away by looking more carefully at attack characteristics and attacker environment. We use a toy threat model for ICS attacks to show how a realistic view of attack instances can emerge from a simple analysis of attack phases and attacker limitations.

Cryptography and Security,Computer Science and Game Theory

Ameerah-Muhsinah Jamil,Lotfi Ben Othmane,Altaz Valani

DOI: https://doi.org/10.1007/978-3-031-02067-4_1

2022-01-01

Abstract:AbstractTraditional Cyber-physical Systems (CPSs) were not built with cybersecurity in mind. They operated on separate Operational Technology (OT) networks. As these systems now become more integrated with Information Technology (IT) networks based on IP, they expose vulnerabilities that can be exploited by the attackers through these IT networks. The attackers can control such systems and cause behavior that jeopardizes the performance and safety measures that were originally designed into the system. In this paper, we explore the approaches to identify threats to CPSs and ensure the quality of the created threat models. The study involves interviews with eleven security experts working in several different domains. We found through these interviews that the practitioners use a combination of various threat modeling methods, approaches, and standards together when they perform threat modeling of given CPSs. Key challenges practitioners face are: they cannot transfer the threat modeling knowledge that they acquire in a cyber-physical domain to other domains, threat models of modified systems are often not updated, and the reliance on mostly peer-evaluation and quality checklists to ensure the quality of threat models. The study warns about the difficulty to develop secure CPSs and calls for research on developing practical threat modeling methods for CPSs, techniques for continuous threat modeling, and techniques to ensure the quality of threat models.

Stephen Burabari Tete

2024-06-17

Abstract:The advent of Large Language Models (LLMs) has revolutionized various applications by providing advanced natural language processing capabilities. However, this innovation introduces new cybersecurity challenges. This paper explores the threat modeling and risk analysis specifically tailored for LLM-powered applications. Focusing on potential attacks like data poisoning, prompt injection, SQL injection, jailbreaking, and compositional injection, we assess their impact on security and propose mitigation strategies. We introduce a framework combining STRIDE and DREAD methodologies for proactive threat identification and risk assessment. Furthermore, we examine the feasibility of an end-to-end threat model through a case study of a custom-built LLM-powered application. This model follows Shostack's Four Question Framework, adjusted for the unique threats LLMs present. Our goal is to propose measures that enhance the security of these powerful AI tools, thwarting attacks, and ensuring the reliability and integrity of LLM-integrated systems.

Cryptography and Security,Software Engineering

Siddhant S. Joshi,Preeti Mukherjee,Kirsten A. Davis,James C. Davis

2024-04-25

Abstract:Computing systems face diverse and substantial cybersecurity threats. To mitigate these cybersecurity threats, software engineers need to be competent in the skill of threat modeling. In industry and academia, there are many frameworks for teaching threat modeling, but our analysis of these frameworks suggests that (1) these approaches tend to be focused on component-level analysis rather than educating students to reason holistically about a system's cybersecurity, and (2) there is no rubric for assessing a student's threat modeling competency. To address these concerns, we propose using systems thinking in conjunction with popular and industry-standard threat modeling frameworks like STRIDE for teaching and assessing threat modeling competency. Prior studies suggest a holistic approach, like systems thinking, can help understand and mitigate cybersecurity threats. Thus, we developed and piloted two novel rubrics - one for assessing STRIDE threat modeling performance and the other for assessing systems thinking performance while conducting STRIDE.

Cryptography and Security,Software Engineering

Taolue Chen,Tingting Han,Florian Kammueller,Ibrahim Nemli,Christian W. Probst

DOI: https://doi.org/10.1109/cybersecpods.2016.7502350

2016-01-01

Abstract:In order to detect malicious insider attacks it is important to model and analyse infrastructures and policies of organisations and the insiders acting within them. We extend formal approaches that allow modelling such scenarios by quantitative aspects to enable a precise analysis of security designs. Our framework enables evaluating the risks of an insider attack to happen quantitatively. The framework first identifies an insider's intention to perform an inside attack, using Bayesian networks, and in a second phase computes the probability of success for an inside attack by this actor, using probabilistic model checking. We provide prototype tool support using Matlab for Bayesian networks and PRISM for the analysis of Markov decision processes, and validate the framework with case studies.

Ludovic Apvrille,Yves Roudier

DOI: https://doi.org/10.4204/EPTCS.148.2

2014-04-08

Abstract:We introduce SysML-Sec, a SysML-based Model-Driven Engineering environment aimed at fostering the collaboration between system designers and security experts at all methodological stages of the development of an embedded system. A central issue in the design of an embedded system is the definition of the hardware/software partitioning of the architecture of the system, which should take place as early as possible. SysML-Sec aims to extend the relevance of this analysis through the integration of security requirements and threats. In particular, we propose an agile methodology whose aim is to assess early on the impact of the security requirements and of the security mechanisms designed to satisfy them over the safety of the system. Security concerns are captured in a component-centric manner through existing SysML diagrams with only minimal extensions. After the requirements captured are derived into security and cryptographic mechanisms, security properties can be formally verified over this design. To perform the latter, model transformation techniques are implemented in the SysML-Sec toolchain in order to derive a ProVerif specification from the SysML models. An automotive firmware flashing procedure serves as a guiding example throughout our presentation.

Software Engineering,Cryptography and Security

Apurv Verma,Satyapriya Krishna,Sebastian Gehrmann,Madhavan Seshadri,Anu Pradhan,Tom Ault,Leslie Barrett,David Rabinowitz,John Doucette,NhatHai Phan

2024-07-21

Abstract:Creating secure and resilient applications with large language models (LLM) requires anticipating, adjusting to, and countering unforeseen threats. Red-teaming has emerged as a critical technique for identifying vulnerabilities in real-world LLM implementations. This paper presents a detailed threat model and provides a systematization of knowledge (SoK) of red-teaming attacks on LLMs. We develop a taxonomy of attacks based on the stages of the LLM development and deployment process and extract various insights from previous research. In addition, we compile methods for defense and practical red-teaming strategies for practitioners. By delineating prominent attack motifs and shedding light on various entry points, this paper provides a framework for improving the security and robustness of LLM-based systems.

Computation and Language,Cryptography and Security

Masoud Ebrahimi,Christoph Striessnig,Joaquim Castella Triginer,Christoph Schmittner

DOI: https://doi.org/10.48550/arXiv.2212.14435

2022-12-29

Cryptography and Security

Abstract:As a result of the ever-increasing application of cyber-physical components in the automotive industry, cybersecurity has become an urgent topic. Adapting technologies and communication protocols like Ethernet and WiFi in connected vehicles yields many attack scenarios. Consequently, ISO/SAE 21434 and UN R155 (2021) define a standard and regulatory framework for automotive cybersecurity. Both documents follow a risk management-based approach and require a threat modeling methodology for risk analysis and identification. Such a threat modeling methodology must conform to the Threat Analysis and Risk Assessment (TARA) framework of ISO/SAE 21434. Conversely, existing threat modeling methods enumerate isolated threats disregarding the vehicle's design and connections. Consequently, they neglect the role of attack paths from a vehicle's interfaces to its assets. In other words, they are missing the TARA work products, e.g., attack paths compromising assets or feasibility and impact ratings. We propose a threat modeling methodology to construct attack paths by identifying, sequencing, and connecting vulnerabilities from a valid attack surface to an asset. Initially, we transform cybersecurity guidelines to attack trees, and then we use their formal interpretations to assess the vehicle's design. This workflow yields compositional construction of attack paths along with the required TARA work products (e.g., attack paths, feasibility, and impact). More importantly, we can apply the workflow iteratively in the context of connected vehicles to ensure design conformity, privacy, and cybersecurity. Finally, to show the complexity and the importance of preemptive threat identification and risk analysis in the automotive industry, we evaluate the presented model-based approach in a connected vehicle testing platform, SPIDER.