System-Security Co-design - Ptolemy Project

Page 1

System-Security Co-design Saurabh Amin and Janos Sztipanovits


Page 2

Functional Layers in FORCES

5/28/2014

[Figure: functional layers of FORCES; signals exchanged between the layers: security levels (DLM), control modalities, risk assessment, performance cost, (re)-config. cmd, op. settings, hypothesis sets, events, actuation commands, sensed data]


Page 3

System-Reliability Co-Design


(Before FORCES)


Page 4

System-Security Co-Design

Interdependencies due to:

- Network-induced risks: DDoS, deception attacks

- Wide use of COTS ICT components: correlated bugs & failure points

- Expect increased interdependencies

Observation: Suboptimal incentives to invest in security due to:

- Public good nature (Varian, 2002)

- Information deficiencies (Teneketzis)

- Property right deficiencies and high enforcement costs (Schwartz)

How to jointly model control and incentives in the co-design process:


Page 5

Whose Incentives Matter in Co-Design?

- Manufacturers

- Consumers / Users: average / regular users, system operators, specialists

- Hackers – users whose objectives differ from legit users’ objectives

- Government(s)

Economic literature focuses on manufacturer and operator incentives, but does not consider constraints imposed by closed-loop control.

Also shown on the slide: ICT / SCADA vendors; ISPs / Network managers; Attackers / Malicious users


Page 6

Interdependence for Network Control Systems (NCS)



Page 7

Game with Interdependent Security



Page 8

Individual optima (Nash eq) and Social optima => Implications for reconfiguration and co-design?


Open loop stable NCS

Open loop unstable NCS


Page 9

Reconfiguration is Essential for Resilient Control


[Figure: functional layers diagram repeated from page 2; signals between the layers: security levels (DLM), control modalities, risk assessment, performance cost, (re)-config. cmd, op. settings, hypothesis sets, events, actuation commands, sensed data]


Page 10

Objectives of Reconfiguration

Change modes of operation of Detection and Regulation

- Diagnosis, Response and Reconfiguration form a supervisory control mechanism – used in hierarchical control approaches (e.g. Pappas, Tabuada)

Re-synthesize implementation architecture

- Provide interface for changing required security policies

- Provide models of information flows required to be implemented

- Provide models for security and performance characteristics of communication links and computing devices

- Provide precise specification for the reconfiguration space

- Develop methods for remapping the information architecture to the implementation architecture subject to functional, performance, timing and security constraints
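The re-synthesis bullets above call for remapping the information architecture onto the implementation architecture under information-flow, security-level and timing constraints. The Python below is an added example written for this page; it is not code from the slides, from FORCES or from the OpenMETA tools. It assumes a simplified security label (one confidentiality level and one integrity level on a total order, rather than the owner/reader structure of the DLM the slides reference), per-component WCET, per-channel WCCT and one LET budget per logical flow; every component, node, channel and label value in it is constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Label:
    """Simplified label (an assumption here, not the full DLM owner/reader model)."""
    confidentiality: int   # higher = more secret
    integrity: int         # higher = more trusted
    def flows_to(self, other):
        # Along a flow secrecy may only rise and trust may only fall.
        return (self.confidentiality <= other.confidentiality
                and self.integrity >= other.integrity)

    def clears(self, data):
        # A node or link may carry data it is certified for and can keep intact.
        return (self.confidentiality >= data.confidentiality
                and self.integrity >= data.integrity)

@dataclass(frozen=True)
class Component:
    name: str
    label: Label
    wcet_ms: float          # worst-case execution time

@dataclass(frozen=True)
class Channel:              # directed link between two platform nodes
    src: str
    dst: str
    label: Label            # secrecy clearance and integrity the link provides
    wcct_ms: float          # worst-case communication time

@dataclass(frozen=True)
class Flow:                 # logical information flow between two components
    src: str
    dst: str
    let_ms: float           # end-to-end logical execution time budget

def check_deployment(components, nodes, channels, flows, mapping):
    """Return the violations of a component->node mapping (empty list means
    admissible). `nodes` maps node name to the Label the node is certified for."""
    comp = {c.name: c for c in components}
    chan = {(c.src, c.dst): c for c in channels}
    violations = []
    for cname, nname in mapping.items():
        if not nodes[nname].clears(comp[cname].label):
            violations.append(f"{cname} on {nname}: node not cleared for component label")
    for f in flows:
        s, d = comp[f.src], comp[f.dst]
        if not s.label.flows_to(d.label):
            violations.append(f"{f.src}->{f.dst}: flow violates label order")
        latency = s.wcet_ms + d.wcet_ms
        ns, nd = mapping[f.src], mapping[f.dst]
        if ns != nd:
            link = chan.get((ns, nd))
            if link is None:
                violations.append(f"{f.src}->{f.dst}: no channel {ns}->{nd}")
                continue
            # The link must hold the source's secrecy level and deliver at
            # least the integrity the destination relies on.
            if not link.label.clears(Label(s.label.confidentiality, d.label.integrity)):
                violations.append(f"{f.src}->{f.dst}: channel {ns}->{nd} not cleared")
            latency += link.wcct_ms
        if latency > f.let_ms:
            violations.append(f"{f.src}->{f.dst}: {latency:.1f} ms exceeds LET {f.let_ms:.1f} ms")
    return violations

def synthesize(components, nodes, channels, flows):
    """Brute-force the reconfiguration space; return every admissible mapping."""
    names = [c.name for c in components]
    valid = []
    for assignment in product(list(nodes), repeat=len(names)):
        mapping = dict(zip(names, assignment))
        if not check_deployment(components, nodes, channels, flows, mapping):
            valid.append(mapping)
    return valid

# Constructed sample system; every value below is invented for the example.
COMPONENTS = [
    Component("sensor", Label(0, 2), wcet_ms=1.0),      # public data, high trust
    Component("controller", Label(1, 2), wcet_ms=3.0),  # secret setpoints, high trust
    Component("logger", Label(1, 0), wcet_ms=2.0),      # sees secrets, needs no trust
]
NODES = {
    "field": Label(0, 2),   # trusted field device, not cleared for secrets
    "plc": Label(1, 2),     # trusted and cleared for secrets
    "hmi": Label(1, 1),     # cleared for secrets, lower trust
}
CHANNELS = [
    Channel("field", "plc", Label(0, 2), wcct_ms=2.0),
    Channel("plc", "hmi", Label(1, 1), wcct_ms=4.0),
    Channel("hmi", "plc", Label(1, 1), wcct_ms=4.0),
]
FLOWS = [Flow("sensor", "controller", let_ms=10.0), Flow("controller", "logger", let_ms=8.0)]
BAD_MAPPING = {"sensor": "hmi", "controller": "plc", "logger": "hmi"}   # deliberately wrong

if __name__ == "__main__":
    print(*check_deployment(COMPONENTS, NODES, CHANNELS, FLOWS, BAD_MAPPING), sep="\n")
    print(synthesize(COMPONENTS, NODES, CHANNELS, FLOWS))
```

Run as a script, the block first reports the three violations of the deliberately wrong mapping (a low-trust node hosting the high-integrity sensor, a channel that cannot deliver the integrity the controller relies on, and a flow that overruns its LET budget), then the two mappings that satisfy every constraint. The enumeration in synthesize is the place where a constraint solver (the tool-architecture slide lists FORMULA and Z3) would take over once the reconfiguration space is larger than a handful of components.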


Page 11

Co-design Problem


[Figure: Co-design Problem; models: System Dynamics, Software Component Architecture, Deployment Architecture; design activities: Controller Design, System-Level Design, Deployment Design; combined: System-Security Codesign]


Page 12

System – Security Co-design


[Figure: System – Security Co-design model flow; labels in slide order: Modelica, SL-SF; Component Model, Discrete Time Semantics; Logical Time Semantics, ESMOL; Integrity Constraints, Confidentiality Constraints; Discrete Event Semantics, TLM; Security Labels, Timing Property Modeling; Platform Architecture; Componentization; SW Component – Processor, SW Component – Device; Data – Memory, Information flow – Channel; Deployed System Architecture Synthesis; Information Flow Model Refinement; {Security Levels} (EI) (integrity/confidentiality – DLM) (restrictions on Information Flow); {Control modalities} (EI); Software Component Architecture; Component Code; WCET / WCCT Analysis; Automatic Code Generation; System Dynamics (RC); LET; SW Timing Model; SystemC, Discrete Event Semantics; Implementation Model; Platform Information Flow Model Extraction; LET, WCET, WCCT; System Timing Model; Implemented Dynamics; Platform Investment (EI)]


Page 13

Tool Integration Framework: OpenMETA Tool Suite


[Figure: OpenMETA tool suite. Multimodeling Framework (Modeling & Model-Synthesis, CyPhy Generators): Master Interpreter; Components, Designs, Design Spaces, Test Benches, Parametric Explorations; PET/PCC Generator; Modelica, CAD, CFD, FEA, Blast, Ballistics, Formal Verif., ...; generated files: .py files, .mo, .cmd, .xml, .json. Composition Framework: Component Generator, Design Generator; .ACM files, .ADM files. Analysis and Execution Framework: Job Manager (client application); Local / Remote execution, VehicleForge, Jenkins; Project Analyzer – Dashboard (offline or online; runs in a web browser); results on file system and/or on VehicleForge (.mat, .json, .stp, .asm, .xml, .csv); tools used: Dymola, OpenModelica, Creo, OpenFOAM, Nastran, SwRI tools, QR, HybridSal, OpenMDAO, ...; Perform analysis; Execution runtime; Results storage; Visualization of results]


Page 14

Tool Architecture

[Figure: tool architecture. Modeling & Model Integration (Multimodeling Framework): Dynamics (Modelica), SW Architecture (ESMOL), Platform (SystemC), Policies (DLM), Timing (DE), Deployment; Control Model Library / Plant Model Library, Platform Model Library, Policy Library; Master Interpreter. Translators and generated files: RC2FOR Translator (.4ml), Timing Spec. Extr. (.xxx), C2WT Gen. (.c2w); Composition Framework. Analysis and Execution Framework: FORMULA, Z3, Timing Verification / Scheduling, Simulation Integration, C2WT/DETER, Simulation Synthesis]