Diversity, Safety and Security in Embedded Systems: modelling adversary effort and supply chain risks

Gashi, I., Povyakalo, A. A. & Strigini, L. (2016). Diversity, Safety and Security in Embedded Systems: modelling adversary effort and supply chain risks. Paper presented at the Proceedings of the 12th European Dependable Computing Conference, 5th - 9th September 2016, Gothenburg, Sweden.

[img]
Preview
Text - Accepted Version
Download (468kB) | Preview

Abstract

We present quantitative considerations for the design of redundancy and diversity in embedded systems with security requirements. The potential for malicious activity against these systems have complicated requirements and design choices. New design trade-offs have arisen besides those already familiar in this area: for instance, adding redundancy may increase the attack surface of a system and thus increase overall risk. Our case study concerns protecting redundant communications between a control system and its controlled physical system. We study the effects of using: (i) different encryption keys on replicated channels, and (ii) diverse encryption schemes and implementations. We consider two attack scenarios, with adversaries having access to (i) ways of reducing the search space in attacks using random searches for keys; or (ii) hidden major flaws in some crypto algorithm or implementation. Trade-offs between the requirements of integrity and confidentiality are found, but not in all cases. Simple models give useful design insights. In this system, we find that key diversity improves integrity without impairing confidentiality – no trade-offs arise between the two – and it can substantially increase adversary effort, but it will not remedy substantial weaknesses of the crypto system. Implementation diversity does involve design trade-offs between integrity and confidentiality, which we analyse, but turns out to be generally desirable for highly critical applications of the control system considered.

Item Type: Conference or Workshop Item (Paper)
Additional Information: © © 2016 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.”
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Divisions: School of Informatics > Department of Computing
URI: http://openaccess.city.ac.uk/id/eprint/14978

Actions (login required)

View Item View Item

Downloads

Downloads per month over past year

View more statistics