Model-Implemented Attack Injection with Pre-injection Analysis

In this method, attacks (a special type of fault) are injected into a model of the system under test (SUT); MATLAB and LabVIEW are examples of tools used to build such system models. The attack injection mechanisms are developed as model blocks and inserted into the simulated target system model in an early development phase, so that the system's capability to handle attacks, including its mechanisms for detecting and preventing intrusions, can be verified and validated before hardware or production software exists. Pre-injection analysis complements this by analysing the target system model, the nominal behaviour of the target system, or the results of previous model-implemented attack injection (MIAI) experiments in order to reduce the attack space, and thereby the time, cost and effort of the experiments. The method is intended for evaluating the system in the early design stages.

Attacks can be defined as human-made, intentional malicious activity that affects hardware or software from outside the system boundary during the operational phase of a system [MAP1]. MIAI is a model-based test and verification framework that enables the impact of cybersecurity threats to be tested and evaluated by injecting attack models into the target system model in the early design and development phases [MAP2].

Pre-injection analyses [MAP3] [MAP4] [MAP5] [MAP6] reduce the attack space, and with it the time, cost and effort needed to perform model-implemented attack injection experiments. The analysis is done before the attack injection experiments are run; when the results of previous attack injection experiments are used instead, this is often referred to as post-injection analysis. Pre-injection analysis may, for example, examine the model structure in order to apply techniques such as inject-on-read, inject-on-write and error space pruning of signals.

The inject-on-read technique follows the rule that faults and attacks should only target a resource, such as a CPU register or memory cell, immediately before it is read. Any corruption of the resource between its previous access and that read is first observed at the read and therefore has identical activation; such faults and attacks are grouped into the same equivalence class and represented by a single injection, thereby reducing the fault/attack space. Corruptions that are overwritten before they are read are never activated and need not be injected at all.

The inject-on-write technique is similar to inject-on-read. Here, however, faults and attacks are only injected into a resource immediately after it has been produced (written). Faults and attacks injected into the resource at any time after it has been produced, but before it is read for the first time, have identical activation and may be grouped into the same equivalence class, again reducing the possible fault/attack space.

In error space pruning of signals, pre-injection analysis prunes faults and attacks that are equivalent to other faults and attacks, where the equivalence is determined by a static analysis of the target system structure. For example, faults injected on an input signal may be considered equivalent to faults injected on the output signal connected to that input signal if only one propagation path exists between the two, that is, if the connecting line does not branch to any other destination.

These techniques require detailed knowledge of the target system to be implemented efficiently. In MIAI the complete model is available for static analysis, which makes them well suited for use with this method.
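To make the three reductions concrete, here is an added Python example (not code from this page, from MIAI, or from the cited papers) that applies them to a constructed access trace of a toy speed-controller model and a constructed block diagram. Injection slot i stands for "corrupt the resource just before trace operation i"; that slot model, the trace, the resource names and the block/port names are all assumptions of the example.

```python
"""Pre-injection analysis over a constructed model trace and block diagram.

Injection slot i means "corrupt the resource just before trace operation i"
(an assumption of this example).  The trace and the block diagram below are
made up for illustration and do not come from any real model.
"""
from collections import defaultdict

# Constructed access trace of a toy speed controller model: (op, resource),
# "W" = the resource is produced/written, "R" = it is consumed/read.
TRACE = [
    ("W", "speed"), ("W", "setpoint"),           # 0, 1   sensor + reference
    ("R", "speed"), ("R", "setpoint"),           # 2, 3   controller reads inputs
    ("W", "error"), ("R", "error"),              # 4, 5
    ("W", "torque_cmd"), ("R", "torque_cmd"),    # 6, 7   actuator consumes command
    ("W", "speed"), ("R", "speed"),              # 8, 9   next sample; setpoint unchanged
    ("R", "setpoint"),                           # 10     second read, no write in between
    ("W", "error"), ("R", "error"),              # 11, 12
    ("W", "torque_cmd"), ("R", "torque_cmd"),    # 13, 14
    ("W", "debug_counter"),                      # 15     written, never read
]

# Constructed block diagram: (src_block, out_port) -> destinations (dst_block, in_port).
LINES = {
    ("SpeedSensor", "out"): [("Controller", "speed")],
    ("Setpoint", "out"): [("Controller", "ref"), ("Logger", "ref")],  # branched line
    ("Controller", "cmd"): [("Actuator", "cmd")],
    ("Actuator", "torque"): [("Plant", "torque")],
}


def full_attack_space(trace):
    """Naive space: any resource corrupted at any slot."""
    return len({r for _, r in trace}) * len(trace)


def inject_on_read_classes(trace):
    """One equivalence class per read: all slots since the previous access to
    that resource are first observed at this read, so they share activation.
    Slots that are overwritten before a read are never activated and dropped."""
    resources = {r for _, r in trace}
    pending = defaultdict(set)      # resource -> slots not yet observed
    classes = {}                    # (resource, read_slot) -> equivalent slots
    for i, (op, r) in enumerate(trace):
        for res in resources:
            pending[res].add(i)     # injecting just before operation i
        if op == "R":
            classes[(r, i)] = pending.pop(r)
        else:                       # "W": anything pending is overwritten
            pending.pop(r)
    return classes                  # leftover pending slots are never read


def inject_on_write_classes(trace):
    """One equivalence class per write: slots from just after the write up to
    and including its first read share activation.  Writes that are overwritten
    or never read before the trace ends are dropped; slots after the first read
    are not covered at all, which is what inject-on-write gives up."""
    open_write = {}                 # resource -> slot of write awaiting first read
    classes = {}                    # (resource, write_slot) -> equivalent slots
    for i, (op, r) in enumerate(trace):
        if op == "W" and r in open_write:
            classes.pop((r, open_write.pop(r)))     # overwritten before any read
        for res, w in open_write.items():
            classes[(res, w)].add(i)                # value written at w still live
        if op == "R":
            open_write.pop(r, None)
        else:
            open_write[r] = i
            classes[(r, i)] = set()
    return {k: v for k, v in classes.items() if v}  # drop never-read writes


def prune_single_path_signals(lines):
    """Error space pruning of signals: an output port whose line has exactly
    one destination is equivalent to that destination input port, since the
    value has only one propagation path.  Branched lines keep separate points
    because corrupting the source hits every destination at once."""
    classes = []
    for src, dests in lines.items():
        if len(dests) == 1:
            classes.append({src, dests[0]})
        else:
            classes.append({src})
            classes.extend({d} for d in dests)
    return classes


def summarize(trace, lines):
    """Counts of (representatives, covered injection points) per technique."""
    ior = inject_on_read_classes(trace)
    iow = inject_on_write_classes(trace)
    sig = prune_single_path_signals(lines)
    return {
        "full_space": full_attack_space(trace),
        "inject_on_read": (len(ior), sum(map(len, ior.values()))),
        "inject_on_write": (len(iow), sum(map(len, iow.values()))),
        "signal_points": (len(sig), sum(map(len, sig))),
    }


if __name__ == "__main__":
    for name, value in summarize(TRACE, LINES).items():
        print(f"{name:16} {value}")
```

The trace is built so that the second read of setpoint (slot 10) has no write before it: inject-on-read keeps it as its own class of seven slots, whereas inject-on-write covers none of those slots, which is the kind of coverage difference between the two rules that [MAP4] examines. The naive space of 5 resources times 16 slots shrinks to 8 representatives under inject-on-read and 7 under inject-on-write, and the 9 signal ports of the diagram collapse to 6 injection points once single-path lines are merged.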

  • MIAI is aligned with the shift-left approach, in which test and verification activities are moved towards the early design and development process so that weaknesses of the software can be found and corrected as early as possible, with less effort and fewer resources.
  • MIAI is used for testing and verification of the cybersecurity of the simulated model of the intended software. This gives an early evaluation of the software behaviour in the presence of attacks.
  • MIAI gives valuable input to the design, allowing the development engineers to get a holistic view of the cybersecurity weak points of the system.
  • MIAI can be used to evaluate the intrusion detection and handling mechanisms as well as the system behaviour in the presence of attacks.
  • Measurements from MIAI may be useful as input to later V&V activities.
  • MIAI is limited to attack injection at the simulation level (simulation-based attack injection); it cannot inject attacks into actual physical target systems. Other techniques, such as vulnerability attack injection, are used to inject attacks at the physical level.
  • The accuracy of the attack models with respect to the actual attacks on the physical system may not be adequate.
  • Any change in the system design in later stages of the product development cycle may reduce the usefulness of the measurements obtained with the attack models, and such measurements can then no longer be used to compare results between the verification and validation stages.
  • [MAP1] B. Sangchoolie, P. Folkesson, and J. Vinter, "A study of the interplay between safety and security using model-implemented fault injection," in 2018 14th European Dependable Computing Conference (EDCC), IEEE, 2018, pp. 41–48.
  • [MAP2] P. Folkesson, B. Sangchoolie, and J. Vinter, "HoliSec D3.3 - Interplay between Safety, Security and Privacy," The HoliSec Consortium, Mar. 19, 2019.
  • [MAP3] J. Grinschgl, A. Krieg, C. Steger, R. Weiss, H. Bock, and J. Haid, "Efficient fault emulation using automatic pre-injection memory access analysis," in 2012 IEEE International SOC Conference, Niagara Falls, NY, 2012, pp. 277–282.
  • [MAP4] B. Sangchoolie, F. Ayatolahi, R. Johansson, and J. Karlsson, "A comparison of inject-on-read and inject-on-write in ISA-level fault injection," in 2015 11th European Dependable Computing Conference (EDCC), Paris, 2015, pp. 178–189.
  • [MAP5] E. W. Czeck and D. P. Siewiorek, "Observations on the effects of fault manifestation as a function of workload," IEEE Transactions on Computers, vol. 41, 1992, pp. 559–566.
  • [MAP6] P. Folkesson and J. Karlsson, "Considering workload input variations in error coverage estimation," in Dependable Computing — EDCC-3 (J. Hlavička, E. Maehle, and A. Pataricza, eds.), Lecture Notes in Computer Science, vol. 1667, Springer, Berlin, Heidelberg, 1999.
Method Dimensions
  • In-the-lab environment
  • Experimental - Simulation
  • Model
  • Detail Design
  • Thinking, Acting, Sensing
  • Non-Functional - Security
  • V&V process criteria, SCP criteria