A Model-Based Framework for Analyzing the Security of System Architectures

Abstract

We introduce a compositional, model-based framework for modeling, visualizing and analyzing the security of system architectures. This work extends the framework we developed previously for analyzing safety [1]. With this extension, our framework can be used to analyze both safety and security, however this paper focuses on security. The major contribution of this paper is setting the terminology and methodology for building a tree for analyzing the security of a system. Defining precisely the qualitative and quantitative aspects of the tree is very important-just as fault trees are rooted in the theory of probability, we want our tree to be built on solid mathematical foundation. Based on [2] and [3], attack-defense tree is a better representation of a system over attack trees because the latter only captures attack scenarios and does not model the interaction between attacks and the defenses that could be put in place to guard against the attacks. More importantly, security of a system is constantly evolving–as better control measures are put in place, more sophisticated attacks are implemented. Therefore, modeling only attacks without considering the defenses in place is very limiting. Guided by some of the formalisms introduced in [2] [3], we extended their concepts to include guidelines and considerations from DO-326A and DO-356A so that the terminology used in the tree is relevant to the aviation industry. We reference measure theory and order theory to define functions for the quantitative aspects of the tree. We also made sure that the measures were consistent with the intuition of a security design engineer. Finally, we give an example of the modeling language and the attack-defense tree that is automatically generated.