The SAFERtec project Introducing a Security Assurance Framework

The SAFERtec project: Introducing a Security Assurance Framework for Connected Vehicles
12th March 2019
Sammy Haddad, Oppida

Security assurance for connected vehicles

Motivation:
- Connected vehicles integrate a large set of 3rd-party components and applications
- Numerous interfaces and an increased attack surface are exposed
- Focus on V2I
- To what extent are we sure that the involved technology meets the requirements?
- Quantification of assurance is costly (and complex)!
- It typically relies on generic frameworks that do not account for the connected-vehicle ecosystem details

12 December 2018, TRUESSEC.eu Symposium, Lille, France

Consortium and SAFERtec scope

A consortium of high complementarity and distinct roles.

Project facts:
- Start date: January 2017
- Duration: 36 months
- Budget: 3.81 MEuros

Work packages:
- WP2: Attack modeling and vulnerability analysis on the most challenging V2I use-cases
- WP3: Design of an agile assurance framework
- WP4: Realization of the use-cases with a prototype vehicle and 3rd-party software & hardware
- WP5: Verification of the framework's accuracy
- WP6: Transforming the framework into an online toolkit

WORK IN THE COURSE OF TIME

Timeline: January 2018, March 2018, June 2018, September 2018, December 2018, now (March 2019).
- Modeling of V2I use-cases: use-cases, attack modeling, risk analysis & security controls
- Development of the connected-vehicle system: prototype vehicle with 3rd-party HW/SW connected to infrastructure
- Design of a Security Assurance Framework: considerably enhance the most credible security assurance framework
- Evaluation of the framework: just started

WP2 - Use Cases

Under two general V2I instances we study:
- Optimal driving-speed advice
- Real-time traffic-hazard information
- Priority request in intersection-crossing

Use cases:
- The Optimal Driving Speed Advice
- Provision of real-time traffic-hazard information
- Priority request in intersection-crossing (only vehicle to R-ITS)
- Provision of Real-Time Traffic Information (TJA: Traffic-Jam Ahead)
- Personalised provision of driving advices

05 December 2018, SAFERtec Period 1 Review meeting, Brussels

Vehicle Bench (integration to be finalized)

WP3 - Assurance framework from CARSEM (ISE, IRT SystemX)

WP3 - SAFERtec assurance framework: enhancements to the most credible security assurance approach so far (CC)

WP3 - The framework

Definition of the Assurance Framework:
- Baseline will be the Common Criteria (CC)
- Enhancement of the CARSEM approach proposed by the IRT SystemX ISE project
- Extends CC with novel features
Dedicated risk analysis method:
- To design systems and security targets
- Produce CC evidences
Definition of PPs
Standards database
Definition of functional and security tests:
- At component and system level
Definition of metrics and KPIs for system evaluation

WP3 - Foreseen Innovation
- Enhance product and system evaluation
- Define global/local requirements for the system and its elements
- Extend CC to include Privacy and Safety/Reliability targets
- Define a knowledge base specific to ITS: threats, security requirements, tests
- Propose tools to optimize assurance evaluation
- Propose system evaluation metrics and operational KPIs

22 November 2017, SAFERtec Interim Review meeting, Athens

Modular PPs presentation

Protection profile overview (diagram): a Base Protection Profile extended by a Sensor Monitor Module, a Vehicle Control (HMI) Module and a Communication Unit / Protocol Control Module.

Protection Profile definition tradeoffs:
- Strict definition of HW/SW: not applicable for systems that diverge from the PP
- Generic description and architecture: incomplete security assessment
The SAFERtec ToE is a very complicated system, consisting of many heterogeneous HW/SW components.

ToE based on ETSI TVRA (architecture diagram). Components shown: the V-ITS-S with its Application, Service Control (HW, OS), Communication Protocol Control, V-ITS-S modem, Sensor Monitor, Vehicle System Control and Driver Interface / Driver Notifications; data held by the V-ITS-S (LDM, data from the R-ITS-S, sensor data, driving data, local car data, service profile / app status); interfaces to external devices, in-vehicle sensors and shared HW components over CAN, in-vehicle Ethernet and WiFi; ITS-G5 (802.11p) to the R-ITS-S and 3G/4G legacy cellular to the C-ITS-S.

Protection profile overview

Modular Protection Profiles consist of:
- Base Protection Profile: protection profile used as a basis to build a Protection Profile configuration.
- Protection Profile module: implementation-independent statement of security needs for a TOE type, complementary to one or more Base Protection Profiles.
- Protection Profile configuration: protection profile composed of base Protection Profiles and Protection Profile modules. A PP-configuration results from the combination of at least one PP-module with its base PPs, without any additional content. PP-configurations are security statements that cover specific needs of groups of users, consumers, organizations, etc. Any PP-configuration can be used exactly as a standard Protection Profile.

Protection profile overview (partners: AIRBUS, ICCS, UPRC). Two Base Protection Profiles: V-ITS-S as a Single Hardware/Software Stack, and V-ITS-S with Independent Components.

Target of Evaluation overview: V-ITS-S Base Service Control, V-ITS-S Base Application, V-ITS-S Base Storage Space.

Base Protection Profile: The Application (Asset)
- All software components and processes that evaluate and process ITS data
- Initiate communications with other ITS stations, depending on the application functionality
- An ITS Application may contain several ITS applications jointly operating on the same ITS-S (SFRs for each Application)
- Information exchange is enabled through the service control assets that manage all interactions
SAFERtec use-case ITS Applications:
- Green Light Optimal Speed Advisory
- Priority Request for emergency vehicle
- Traffic Jam Ahead Warning
- Personalized provision of driving advices
Generally, it may include any of the Day 1 ITS services.

Base Protection Profile: Databases (Asset)
Local Dynamic Map:
- Sensor data from vehicle sensors and modules
- Cooperative ITS data and information extracted from the received messages
- Warnings, signage and signal phases
- Data from the cloud or the internet that may be used for route planning or driving/travel assistance
Local Vehicle Information:
- Identification data (Vehicle Identification Number, license plate)
- Manufacturer and model ids, inventory of components on the vehicle, known physical damages, service and maintenance status
- Private information for the driver/vehicle owner: name, address, contact details, toll subscriber identity, credit card number etc.

Base Protection Profile: Service Control (Asset) (1)
Service control: all elements managing inter-process communications between assets without altering the content of communications.
- Hypervisor (the V-ITS-S OS)
- Data Broker
- Producer / Consumer

Base Protection Profile: Service Control (Asset)
Possibly several hardware or software elements:
- Mechanisms for inter-process and inter-asset communication & data storage, resource allocation and the middleware/OS that enables and monitors ITS procedures
- All protocols (from network to application) in the IVN (InterVehicle Network) that manage info exchange without intervening in the ITS content or functionality
- All hardware components that enable asset communication and data storage

Service Control diagram: HSM, Comm Unit, Web API, Sensor Monitor 1 and 2, ITS Application 1 and 2, Data Broker, Storage 1 and 2, Hypervisor and shared computing units, Network Rings (ETH and CAN) and internal computing unit busses, with Producer/Consumer roles; green indicates Service Control components.

Base Protection Profile: Protocol Control (Module), a.k.a. Communication Unit
- Comparable to the C2C V2X GW
- HW/SW that implement the communication stack
- Does not enforce a specific standard (could be used for ITS-G5 and/or LTE-V2X); 3G/4G modems also included
- If both modes are supported, two Communication Unit modules should be defined (seamless integration of 5G)

Base Protection Profile: Protocol Control (Module) (2)
- The antenna(s) and the RF hardware (5.9 GHz for V2X and 1.8/2.1/2.6 GHz for 4G)
- The modem hardware
- The software implementing the ITS radio/protocol stack
- Scheduling and congestion control (e.g. for ITS-G5, the DCC)
- The software performing system and link adaptation
- The software performing misbehavior detection in PHY
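The modular-PP rules above (a PP-configuration is at least one PP-module combined with its base PPs and nothing more, and is then usable exactly as a standard PP) and the note that a Communication Unit supporting both radio modes is modelled as two modules, as an added Python example that is not code from the SAFERtec project: the composition check is this example's own assumption, and which threats and objectives each sample PP carries is constructed, not taken from the project's PPs.

```python
# Added example, not SAFERtec project code: a small model of the modular
# Protection Profile rules stated on the slide (base PP, PP-module,
# PP-configuration). PP names and threat/objective labels are the ones the
# slides use; the assignment of labels to PPs below is constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BasePP:
    """A base Protection Profile: a standalone statement of security needs."""
    name: str
    threats: frozenset
    objectives: frozenset


@dataclass(frozen=True)
class PPModule:
    """A PP-module: complementary to the base PP(s) it names."""
    name: str
    base_pps: frozenset  # names of the base PPs this module must be combined with
    threats: frozenset
    objectives: frozenset


@dataclass
class PPConfiguration:
    """A PP-configuration: base PPs plus at least one PP-module, nothing else."""
    base_pps: list
    modules: list
    # Anything placed here would be "additional content", which the rules forbid.
    extra_content: dict = field(default_factory=dict)

    def validate(self):
        """Return the list of rule violations; an empty list means the configuration is valid."""
        problems = []
        if not self.modules:
            problems.append("a PP-configuration needs at least one PP-module")
        present = {b.name for b in self.base_pps}
        for m in self.modules:
            missing = m.base_pps - present  # a module is only meaningful with its base PPs
            if missing:
                problems.append(f"module {m.name!r} is missing its base PP(s): {sorted(missing)}")
        if self.extra_content:
            problems.append("a PP-configuration carries no content beyond its base PPs and modules")
        return problems

    def as_protection_profile(self):
        """A valid configuration is usable exactly as a standard PP: one combined security problem definition."""
        problems = self.validate()
        if problems:
            raise ValueError("; ".join(problems))
        parts = list(self.base_pps) + list(self.modules)
        return {
            "threats": sorted(set().union(*(p.threats for p in parts))),
            "objectives": sorted(set().union(*(p.objectives for p in parts))),
        }


# Constructed sample data (labels from the slides, assignment to PPs assumed).
SINGLE_STACK = BasePP(
    "V-ITS-S as a Single Hardware/Software Stack",
    frozenset({"T.SC_NETWORK_ATTACK", "T.SC_LOCAL_ATTACK", "T.APP_DATA_LEAKAGE"}),
    frozenset({"O.SC_PROTECTED_COMMS", "O.SC_MEDIATE", "O.APP_STORED_DATA_CONFIDENTIALITY"}),
)
INDEPENDENT = BasePP(
    "V-ITS-S with Independent Components",
    frozenset({"T.SC_NETWORK_ATTACK", "T.SC_DATA_LEAKAGE"}),
    frozenset({"O.SC_PROTECTED_COMMS", "O.SC_DISCRETIONARY_ACCESS"}),
)
SENSOR_MONITOR = PPModule(
    "Sensor Monitor Module", frozenset({SINGLE_STACK.name}),
    frozenset({"T.SC_DATA_MANIPULATION"}), frozenset({"O.APP_STORED_DATA_INTEGRITY"}),
)
# Two Communication Unit modules, one per radio mode, as the slide recommends.
COMM_ITSG5 = PPModule(
    "Communication Unit (ITS-G5)", frozenset({SINGLE_STACK.name}),
    frozenset({"T.SC_NETWORK_EAVESDROP"}),
    frozenset({"O.SC_PROTECTED_COMMS", "O.APP_AUTHENTICITY_OF_RECEIVED_DATA"}),
)
COMM_LTEV2X = PPModule(
    "Communication Unit (LTE-V2X)", frozenset({SINGLE_STACK.name}),
    frozenset({"T.SC_NETWORK_EAVESDROP"}), frozenset({"O.SC_PROTECTED_COMMS"}),
)


def example_configuration():
    """Single-stack base PP with a sensor monitor and one Communication Unit module."""
    return PPConfiguration([SINGLE_STACK], [SENSOR_MONITOR, COMM_ITSG5])


def broken_configuration():
    """Module combined with the wrong base PP: the ITS-G5 module names the single-stack PP."""
    return PPConfiguration([INDEPENDENT], [COMM_ITSG5])
```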

Base Protection Profile: Sensor Monitor (Module)
- A sensor: source of info (through measurement) of an environmental quantity or a vehicle state
- The sensor firmware that provides low-level control for the sensor hardware
- The sensor driver
- Sensor local data, including log and configuration data
Different vehicles may contain different implementations of the sensor monitor:
- GNSS data
- Vehicle telematics including speed, acceleration, steering angle, bearing, braking force etc.
- Tire tread state, amount of fuel remaining etc.
- Human input received from a proper user interface
- Radar measurements and other ITS-relevant data not obtained through cooperative ITS

Base Protection Profile: Vehicle System Control (Module)
For Day 1 applications, passive Vehicle System Control assets are required. Vehicle System Control = HMI. HMI components include:
- A computing unit
- The software that implements the HMI
- Video display/adapter (usually touch-screen)
- Audio adapter for audio notifications, warnings

Base PP (service control, application and databases)

Base Protection Profile, Service Control: Threats

OS threats
- T.SC_NETWORK_ATTACK: An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may engage in communications with applications and services running on or part of the OS with the intent of compromise. Engagement may consist of altering existing legitimate communications.
- T.SC_NETWORK_EAVESDROP: An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may monitor and gain access to data exchanged between applications and services that are running on or part of the OS.
- T.SC_LOCAL_ATTACK: An attacker may compromise applications running on the OS. The compromised application may provide maliciously formatted input to the OS through a variety of channels including unprivileged system calls and messaging via the file system.
- T.SC_LIMITED_PHYSICAL_ACCESS: An attacker may attempt to access data on the OS while having a limited amount of time with the physical device.

Network threats
- T.SC_NETWORK_DISCLOSURE: Sensitive information on a protected network might be disclosed resulting from ingress- or egress-based actions.
- T.SC_NETWORK_ACCESS: Unauthorized access may be achieved to services on a protected network from outside that network, or alternately to services outside a protected network from inside the protected network. If malicious external devices are able to communicate with devices on the protected network via a backdoor, then those devices may be susceptible to the unauthorized disclosure of information.
- T.SC_NETWORK_MISUSE: Access to services made available by a protected network might be used counter to Operational Environment policies. Devices located outside the protected network may attempt to conduct inappropriate activities while communicating with allowed public services, e.g. manipulation of resident tools, SQL injection, forced resets, malicious files, disguised executables, privilege escalation tools and botnets.
- T.SC_NETWORK_DOS: Attacks against services inside a protected network, or indirectly by virtue of access to malicious agents from within a protected network, might lead to denial of services otherwise available within a protected network. Resource exhaustion may occur in the event of co-ordinated service request flooding from a small number of sources.

CAN Bus threats
- T.SC_DATA_MANIPULATION: A successful modification of identification data on the CAN bus would allow an attacker to misrepresent driver activities or useful information obtained from the CAN bus.
- T.SC_DATA_LEAKAGE: Attackers could try to leak unencrypted data from the CAN bus to third parties who should not receive this data.
- T.SC_SYSTEM_UNAUTHORIZED_ACCESS: Humans could try to access functions not allowed to them, to modify or delete user data, or to misrepresent driver activities.

Base Protection Profile, Service Control: Assumptions on the TOE operational environment
- A.TIME_POS: It is assumed that the TOE operational environment provides reliable time and position stamps.
- A.PLATFORM: The OS relies upon a trustworthy computing platform for its execution.
- A.PROPER_USER: The user of the OS is not willfully negligent or hostile, and uses the software in compliance with the applied enterprise security policy. At the same time, malicious software could act as the user, so requirements which confine malicious subjects are still in scope.
- A.PROPER_ADMIN: The administrator of the OS is not careless, willfully negligent or hostile, and administers the OS within compliance of the applied enterprise security policy.
- A.CONNECTIONS: It is assumed that the TOE is connected to distinct networks in a manner that ensures that the TOE security policies will be enforced on all applicable network traffic flowing among the attached networks.
- A.PHYSICAL: It is assumed that the IT environment provides the TOE with appropriate physical security, commensurate with the value of the IT assets protected by the TOE.
- A.AUTHUSER: Authorized users possess the necessary authorization to access at least some of the information managed by the TOE.
- A.MANAGE: The TOE security functionality is managed by one or more competent administrators. The system administrative personnel are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the guidance documentation.
- A.NO_GENERAL_PURPOSE: There are no general-purpose computing capabilities (e.g., compilers or user applications) available on DBMS servers, other than those services necessary for the operation, administration, and support of the DBMS.
- A.PEER_FUNC_&_MGT: All remote trusted IT systems trusted by the TSF to provide TSF data or services to the TOE, or to support the TSF in the enforcement of security policy decisions, are assumed to correctly implement the functionality used by the TSF consistent with the assumptions defined for this functionality, and to be properly managed and operate under security policy constraints compatible with those of the TOE.
- A.CONNECT: All connections to and from remote trusted IT systems and between separate parts of the TSF are physically or logically protected within the TOE environment to ensure the integrity and confidentiality of the data transmitted and to ensure the authenticity of the communication end points.

Base Protection Profile, Service Control: Security Objectives
- O.SC_ACCOUNTABILITY: Conformant OSes ensure that information exists that allows administrators to discover unintentional issues with the configuration and operation of the operating system and discover its cause. Gathering event information and immediately transmitting it to another system can also enable incident response in the event of system compromise.
- O.SC_INTEGRITY: Conformant OSes ensure the integrity of their update packages. OSes are seldom if ever shipped without errors, and the ability to deploy patches and updates with integrity is critical to enterprise network security. Conformant OSes provide execution environment-based mitigations that increase the cost to attackers by adding complexity to the task of compromising systems.
- O.SC_MANAGEMENT: To facilitate management by users and the enterprise, conformant OSes provide consistent and supported interfaces for their security-relevant configuration and maintenance. This includes the deployment of applications and application updates through the use of platform-supported deployment mechanisms and formats, as well as providing mechanisms for configuration and application execution control.
- O.SC_PROTECTED_STORAGE: To address the issue of loss of confidentiality of credentials in the event of loss of physical control of the storage medium, conformant OSes provide data-at-rest protection for credentials. Conformant OSes also provide access controls which allow users to keep their files private from other users of the same system.
- O.SC_PROTECTED_COMMS: To address both passive (eavesdropping) and active (packet modification) network attack threats, conformant OSes provide mechanisms to create trusted channels for CSP and sensitive data. Both CSP and sensitive data should not be exposed outside of the platform.
- O.SC_ADMIN_ROLE: The TOE will provide a mechanism (e.g. a "role") by which the actions using administrative privileges may be restricted.
- O.SC_AUDIT_GENERATION: The TSF must be able to record defined security-relevant events (which usually include security-critical actions of users of the TOE). The information recorded for security-relevant events must contain the time and date the event happened and, if possible, the identification of the user that caused the event, and must be in sufficient detail to help the authorized user detect attempted security violations or potential misconfiguration of the TOE security features that would leave the IT assets open to compromise.
- O.SC_DISCRETIONARY_ACCESS: The TSF must control access of subjects and/or users to named resources based on the identity of the object, subject, or user. The TSF must allow authorized users to specify for each access mode which users/subjects are allowed to access a specific named object in that access mode.
- O.SC_I&A: The TOE ensures that users are authenticated before the TOE processes any actions that require authentication.
- O.SC_MANAGE: The TSF must provide all the functions and facilities necessary to support the authorized users that are responsible for the management of TOE security mechanisms, must allow restricting such management actions to dedicated users, and must ensure that only such authorized users are able to access management functionality.
- O.SC_MEDIATE: The TOE must protect user data in accordance with its security policy, and must mediate all requests to access such data.
- O.SC_RESIDUAL_INFORMATION: The TOE will ensure that any information contained in a protected resource within its scope of control is not inappropriately disclosed when the resource is reallocated.

Base Protection Profile, Application and Databases: Threats
- T.APP_EXTREME_SOLICITATION: The attacker could perform a DoS attack, either by crashing the server or flooding the service, thus making the system or the server unavailable for legitimate users.
- T.APP_DATA_MANIPULATION: A successful modification of identification data held by the TOE or of incoming data from other sources would allow an attacker to misrepresent driver activities or useful information obtained from the TOE.
- T.APP_DATA_LEAKAGE: Attackers could try to leak data from the TOE to third parties who should not receive this data.
- T.APP_FIRMWARE_APPLICATION_ALTERATION: An attacker could alter the firmware to a malicious one or take root permissions of the device that hosts the firmware. In this way an attacker achieves abnormal operation and handles the system resources.
- T.APP_FIRMWARE_APPLICATION_REVERSE_ENGINEERING: An attacker could find an image of the system, thus extracting information about the links of the application (e.g. packet transactions), the default passwords and the operation of the system.
- T.APP_SYSTEM_UNAUTHORIZED_ACCESS: Humans could try to access functions not allowed to them, to modify or delete user data, or to misrepresent driver activities.

Base Protection Profile, Application and Databases: Assumptions on the TOE operational environment
- A.PKI: It is assumed that the TOE operational environment provides a Public Key Infrastructure including but not restricted to Root (and intermediate Root) Certificate Authority (RCA), Enrolment Authority (EA), and Authorization Authority (AA). The PKI is assumed to be able to revoke EA and AA certificates by issuing Certificate Revocation Lists (CRLs).
- A.HSM: It is assumed that the TOE operational environment provides a V2X Hardware Security Module (HSM) for random number generation, key generation, storage, destruction, digital signature generation, and encryption.
- A.TIME_POS: It is assumed that the TOE operational environment provides reliable time and position stamps.
- A.INTEGRATION: It is assumed that appropriate technical and/or organisational security measures in the integration phase of the TOE life cycle model guarantee the confidentiality, integrity and authenticity of the assets of the TOE.
- A.TRUSTED_ADMIN: It is assumed that the TOE Administrator is trustworthy and well-trained.
- A.TRUSTED_USER: The TOE users are not hostile, and they do not attempt any physical tampering of the TOE's hardware subcomponents.

Base Protection Profile, Application and Databases: Security Objectives
- O.APP_SOFTWARE_INTEGRITY: The TOE shall ensure the integrity of V-ITS software.
- O.APP_INTEGRITY_OF_RECEIVED_DATA: The TOE shall ensure the integrity of received data from C-ITS.
- O.APP_CONFIDENTIALITY_OF_TRANSMITTED_DATA: The TOE shall ensure the confidentiality of transmitted data sent to C-ITS.
- O.APP_UNLINKABILITY_OF_TRANSMITTED_DATA: The TOE shall ensure that all user-related attributes cannot reveal his/her identity.
- O.APP_STORED_DATA_AVAILABILITY: The TOE must be able to ensure the availability of the stored data.
- O.APP_STORED_DATA_CONFIDENTIALITY: The TOE must be able to satisfy the data confidentiality of the stored data.
- O.APP_STORED_DATA_ANONYMITY: The TOE must be able to ensure the anonymity of the stored data.
- O.APP_STORED_DATA_INTEGRITY: The TOE must be able to satisfy the data integrity of the stored data.
- O.APP_AVAILABILITY_OF_RECEIVED_DATA: The TOE shall ensure the availability of received data from C-ITS.
- O.APP_USER_AUTHORIZATION: The TOE shall ensure that only authorized users can use the V-ITS application and transmit data to C-ITS.
- O.APP_AUTHENTICITY_OF_RECEIVED_DATA: The TOE shall ensure the authenticity of the received data from C-ITS.

Base Protection Profile, Application and Databases: SFRs

Cryptographic Support (FCS)
- FCS_TLSC_EXT.1 TLS Client Protocol
- Cryptographic key management: FCS_CKM.1/CAK Cryptographic Asymmetric Key Generation; FCS_CKM.2/CKE Cryptographic Key Establishment; FCS_CKM.3/CSK Cryptographic Symmetric Key Generation
- Cryptographic operation: FCS_COP.1/CDE Data Encryption/Decryption; FCS_COP.2/COH Cryptographic Operation Hashing; FCS_COP.3/COS Cryptographic Operation Signing; FCS_COP.4/HMAC Cryptographic Operation Keyed-Hash Message Authentication; FCS_COP.1/SDE Cryptographic Operation Stored Data Encryption and Decryption; FCS_COP.1/UDE Cryptographic Operation User Data Encryption and Decryption; FCS_COP.1/SDI Cryptographic Operation Stored Data Integrity; FCS_COP.1/CED Cryptographic Operation Credential Encryption/Decryption

Trusted path/channels (FTP)
- FTP_DIT_EXT.1 Protection of Data in Transit

Protection of the TSF (FDP)
- FDP_SDC_EXT.1 Stored data confidentiality
- FDP_SDI.1 Stored data integrity
- FDP_SCC_EXT.1 Stored credential confidentiality

Identification and authentication (FIA)
- FIA_X509_EXT.1 Certificate Validation and Authentication
- FPT_AEX_EXT.1 Anti-Exploitation Capabilities

Privacy (FPR)
- FPR_ANO.1 Anonymity
- FPR_UNL.1 Unlinkability
