A Constructive DIREST Security Threat Modeling for Drone as a Service

IF 0.6 Q4 COMPUTER SCIENCE, INFORMATION SYSTEMS
Fahad E. Salamh, Umit Karabiyik, M. Rogers
{"title":"A Constructive DIREST Security Threat Modeling for Drone as a Service","authors":"Fahad E. Salamh, Umit Karabiyik, M. Rogers","doi":"10.15394/JDFSL.2021.1695","DOIUrl":null,"url":null,"abstract":"The technology used in drones is similar or identical across drone types and components, with many common risks and opportunities. The purpose of this study is to enhance the risk assessment procedures for Drone as a Service (DaaS) capabilities. STRIDE is an acronym that includes the following security risks: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privileges. The paper presents a modified STRIDE threat model and prioritizes its desired properties (i.e., authenticity, integrity, non-reputability, confidentiality, availability, and authorization) to generate an appropriate DaaS threat model. To this end, the proposed DIREST threat model better meets the overall security assessment needs of DaaS. Moreover, this paper discusses the security risks of drones, identifies best practices for security assessment, and proposes a novel software update mechanism for drones during their operations. We explore the best practices related to drone penetration testing, including an effective methodology to maintain the continuity of drone operations, particularly drones used for emergency, safety, and rescue operations. Moreover, this research raises awareness of DaaS and drone operation in general as well as in the forensic science community due to its focus on the importance of securely operated drones for first responders. Furthermore, we address various aspects of security concerns, including data transmission, software restrictions, and embedded system-related events. In order to propose a security assessment for drones, we incorporate digital forensics and penetration testing techniques related to drone operations. Our results show that the proposed threat model enhances the security of flying devices and provides consistency in digital forensic procedures. This work introduces modifications to the STRIDE threat model based on the current literature, drone images provided by the NIST program, and a firmware static analysis of a zino hubsan brand drone.","PeriodicalId":43224,"journal":{"name":"Journal of Digital Forensics Security and Law","volume":null,"pages":null},"PeriodicalIF":0.6000,"publicationDate":"2021-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Digital Forensics Security and Law","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.15394/JDFSL.2021.1695","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 6

Abstract

The technology used in drones is similar or identical across drone types and components, with many common risks and opportunities. The purpose of this study is to enhance the risk assessment procedures for Drone as a Service (DaaS) capabilities. STRIDE is an acronym that includes the following security risks: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privileges. The paper presents a modified STRIDE threat model and prioritizes its desired properties (i.e., authenticity, integrity, non-reputability, confidentiality, availability, and authorization) to generate an appropriate DaaS threat model. To this end, the proposed DIREST threat model better meets the overall security assessment needs of DaaS. Moreover, this paper discusses the security risks of drones, identifies best practices for security assessment, and proposes a novel software update mechanism for drones during their operations. We explore the best practices related to drone penetration testing, including an effective methodology to maintain the continuity of drone operations, particularly drones used for emergency, safety, and rescue operations. Moreover, this research raises awareness of DaaS and drone operation in general as well as in the forensic science community due to its focus on the importance of securely operated drones for first responders. Furthermore, we address various aspects of security concerns, including data transmission, software restrictions, and embedded system-related events. In order to propose a security assessment for drones, we incorporate digital forensics and penetration testing techniques related to drone operations. Our results show that the proposed threat model enhances the security of flying devices and provides consistency in digital forensic procedures. This work introduces modifications to the STRIDE threat model based on the current literature, drone images provided by the NIST program, and a firmware static analysis of a zino hubsan brand drone.
无人机作为一种服务的建设性DIREST安全威胁建模
无人机中使用的技术在无人机类型和组件之间是相似或相同的,存在许多共同的风险和机会。本研究的目的是加强无人机即服务(DaaS)能力的风险评估程序。STRIDE是一个缩略词,包含以下安全风险:欺骗、篡改、拒绝、信息泄露、拒绝服务和特权提升。本文提出了一种改进的STRIDE威胁模型,并对其所需的属性(即真实性、完整性、非声誉性、机密性、可用性和授权)进行优先排序,以生成合适的DaaS威胁模型。为此,本文提出的DIREST威胁模型较好地满足了DaaS的整体安全评估需求。此外,本文还讨论了无人机的安全风险,确定了安全评估的最佳实践,并提出了一种新的无人机运行过程中的软件更新机制。我们探讨了与无人机渗透测试相关的最佳实践,包括保持无人机操作连续性的有效方法,特别是用于紧急、安全和救援行动的无人机。此外,这项研究提高了对DaaS和无人机操作以及法医科学界的认识,因为它专注于安全操作无人机对第一响应者的重要性。此外,我们还解决了安全问题的各个方面,包括数据传输、软件限制和嵌入式系统相关事件。为了提出无人机的安全评估,我们结合了与无人机操作相关的数字取证和渗透测试技术。我们的研究结果表明,提出的威胁模型提高了飞行设备的安全性,并提供了数字取证程序的一致性。这项工作介绍了基于当前文献、NIST项目提供的无人机图像以及zino hubsan品牌无人机的固件静态分析对STRIDE威胁模型的修改。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
Journal of Digital Forensics Security and Law
Journal of Digital Forensics Security and Law COMPUTER SCIENCE, INFORMATION SYSTEMS-
自引率
0.00%
发文量
5
审稿时长
10 weeks
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信