Network Security SS19 51 Threat Modeling Part1

This document discusses threat modeling for automotive security. It introduces threat modeling strategies like STRIDE and attack trees to identify potential threats. STRIDE categorizes threats based on spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Attack trees represent threats and attacks in a hierarchical tree structure. Additional techniques for finding threats include attack libraries, privacy tools, and analyzing vulnerabilities. The document emphasizes managing identified threats through risk assessment and prioritization.


Chapter 2: Automotive Security Engineering

Automotive Security
Summer Term 2019
Dr. Rahamatullah Khondoker
Contents

• Introduction to Threat Modeling
• Threat Modeling Strategies
• Finding Possible Threats
• Managing and Handling Threats and Risks
• Summary

Automotive Security, SS19, R. Khondoker 2


Introduction to Threat Modeling



Security Basics for Threat Modeling

• Vulnerability: A weakness in the system which could allow an attacker to compromise security goals such as Confidentiality, Integrity and Availability
• Threat: A possible danger that exploits vulnerabilities in a system
• Risk: The likelihood and impact of a possible threat
• Asset: Anything that has value to stakeholders (the stakeholder wants to protect it and the attacker wants to get it)


Ways to Find Security Issues

• Static Analysis of Code
• Dynamic Testing Techniques such as Fuzzing
• Pen Testing
• Bug Reports after Release
• Threat Modeling


Threat Modeling

• A process of identifying, enumerating, and prioritizing potential threats to a Target of Evaluation (ToE). A ToE can be an asset or a set of assets.
• An attacker's point of view is necessary
• Answers questions such as:
  • What are the potential threats?
  • What are the most relevant threats?


Threat Modeling Strategies



Focus for Threat Modeling

Focusing on Assets
• Things attackers want
• Things you want to protect
• Stepping stones to either of these

Focusing on Attackers
• Implementing Attacker-Centric Modeling
• Where Attackers Can Help You
• Perspective on Attacker-Centric Modeling

Focusing on Software
• Software-centric models are models that focus on the software being built or a system being deployed.
• Threat Modeling Different Types of Software


Modeling Strategies

• Whiteboard Diagrams
• Brainstorming
• Structured Formal Diagrams (Next Slide)
• Mathematical Representations of Code


Structured Formal Diagrams

• Data Flow Diagrams
• UML Diagrams
• Swim Lane Diagrams
• State Diagrams

[Figures on the slide: Swim Lane Diagram; State Machine Diagram]


Data Flow Diagram



Finding Possible Threats



Finding Possible Threats

• STRIDE
• Attack Trees
• Attack Libraries
• Privacy Tools


STRIDE

STRIDE is an approach to threat modeling developed by Microsoft. Each threat category corresponds to the security property it violates:

Threat                  Security Property
Spoofing                Authentication
Tampering               Integrity
Repudiation             Non-repudiation
Information Disclosure  Confidentiality
Denial of Service       Availability
Elevation of Privilege  Authorization
STRIDE

Threat: Spoofing
Property: Authentication
Definition: Attackers pretend to be someone else
Example: Pretending to be a student of h-da


STRIDE

Threat: Tampering
Property: Integrity
Definition: Attackers change data in transit or in a data store
Example: Tampering is modifying data, typically on disk, on the network or in memory


STRIDE

Threat: Repudiation
Property: Non-Repudiation
Definition: Attackers perform actions that cannot be traced
Example: "I didn't send that email," "I didn't modify that file," "I certainly didn't visit that Web site, dear!"


STRIDE

Threat: Information Disclosure
Property: Confidentiality
Definition: Exposing information to someone not authorized to see it
Example: Allowing someone to read the Windows OS source code, publishing a list of customers to a web site


STRIDE

Threat: Denial of Service
Property: Availability
Definition: Normal operation of a system is interrupted or is made unavailable to authorized users
Example: Crashing Windows or a Web site, overloading by sending many packets and absorbing resources such as seconds of CPU time, routing packets into a black hole


STRIDE

Threat: Elevation of Privilege (EoP)
Property: Authorization
Definition: Attackers perform actions that they are not authorized to perform
Example: Allowing a remote Internet user to run commands, getting rights from a "Limited User" to "Admin"
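STRIDE is applied to the elements of a data flow diagram (the structured diagram introduced earlier). The following added example, not part of the lecture, walks a small constructed DFD and lists which STRIDE categories apply to each element type; the element-type chart is Shostack's STRIDE-per-element table and the key-fob DFD and its names are assumptions.

```python
"""STRIDE-per-element over a small data-flow diagram (constructed example)."""
from dataclasses import dataclass

# STRIDE letter -> violated security property, as in the lecture's STRIDE table
PROPERTY = {
    "S": "Authentication", "T": "Integrity", "R": "Non-repudiation",
    "I": "Confidentiality", "D": "Availability", "E": "Authorization",
}

# Which STRIDE categories apply to each DFD element type. This chart is taken
# from Shostack's "STRIDE-per-element" (Threat Modeling, 2014); it is an
# assumption of this example and does not appear on the lecture slides.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # one of APPLICABLE's keys

def enumerate_threats(elements):
    """Return (element name, STRIDE letter, property) for every applicable threat."""
    out = []
    for e in elements:
        if e.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element type: {e.kind}")
        for letter in APPLICABLE[e.kind]:
            out.append((e.name, letter, PROPERTY[letter]))
    return out

# Constructed DFD for a key-fob unlock feature (hypothetical element names)
KEY_FOB_DFD = [
    Element("Key fob", "external_entity"),
    Element("Unlock request (RF)", "data_flow"),
    Element("Body control module", "process"),
    Element("Paired-key table", "data_store"),
]

if __name__ == "__main__":
    for name, letter, prop in enumerate_threats(KEY_FOB_DFD):
        print(f"{name:22} {letter} -> {prop}")
```

Each printed triple is one candidate threat to record and later prioritise; a data flow, for instance, yields only tampering, information disclosure and denial of service, because spoofing and repudiation attach to the entities at its ends.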



Attack Tree

An Attack Tree represents attacks against a system / an asset in a tree structure:

• Root node is a threat
• Sub-nodes are attacks to realize a threat
• Attacks may be re-used in other trees

Example tree from the slide (OR nodes: any one child realizes its parent):

Open Car Lock (OR)
├── With a Key (OR)
│   ├── Stealing
│   └── Robbing
└── Without a Key (OR)
    ├── Relaying
    └── Breaking


Attack Libraries

• The libraries are constructed to track and organize threats
• They can be useful to those new to security or threat modeling
• Examples: CWE, CAPEC and the OWASP Top Ten


Privacy Tools

• A collection of tools for finding privacy threats
• For example: Solove's taxonomy of privacy harms


Managing and Handling Threats



Managing Threats

Management of threat modeling is necessary, for example, for
• planning a threat modeling project in a product / project life cycle
• recording the threats
• reviewing / iterating the process

Process shown on the slide: Planning -> Starting the Threat Modeling Project -> Implementing -> Iteration


Defensive Tactics and Technologies

• Address every threat that is found
• Defensive tools can be used to address the threats
• Recommendation: use standard, well-tested features or products


Risk Handling

• Risk = Probability x Impact
• Probability: potential attack probability
• Impact: potential damage when the attack happens

Ways of handling a risk shown on the slide: Accepting Risks, Transferring Risks, Avoiding Risks, Ignoring Risks, Addressing Risks


Risk Handling

Transfer   To transfer the risk to another entity, including customers or insurers
Accept     To accept the risk for certain reasons, such as cost or lack of manpower
Mitigate   To mitigate the risk by applying certain defensive tactics and technologies
Ignore     The risk can be ignored for certain reasons; however, this is not recommended
Avoid      To avoid the risk by eliminating the factors that generate it
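As an added example that is not part of the lecture, the "Open Car Lock" attack tree from the earlier slide is encoded below with OR/AND evaluation, scored with the slide's Risk = Probability x Impact formula, and mapped onto the accept / mitigate / avoid options; the AND case generalises beyond the slide's OR-only tree, and every probability, impact value and threshold is a made-up assumption.

```python
"""Attack tree for the lecture's "Open Car Lock" threat with risk scoring.
Constructed example: tree shape from the slide, all numbers are assumptions."""
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    op: str = "OR"            # "OR": any child realises the node; "AND": all children needed
    prob: float = 0.0         # leaves only: estimated attack probability in [0, 1]
    children: list = field(default_factory=list)

def probability(node):
    """Bottom-up probability that the node's threat is realised (children assumed independent)."""
    if not node.children:
        return node.prob
    ps = [probability(c) for c in node.children]
    if node.op == "AND":
        result = 1.0
        for p in ps:
            result *= p           # every step must succeed
        return result
    none_succeed = 1.0
    for p in ps:
        none_succeed *= 1.0 - p   # OR fails only if every child fails
    return 1.0 - none_succeed

def risk(node, impact):
    """Risk = Probability x Impact, as defined on the slide."""
    return probability(node) * impact

def most_likely_leaf(node):
    """Leaf attack with the highest probability: first candidate for mitigation."""
    if not node.children:
        return node
    return max((most_likely_leaf(c) for c in node.children), key=lambda n: n.prob)

def handling(risk_value, accept_below=1.0, avoid_above=8.0):
    """Map a risk score to accept / mitigate / avoid (thresholds are assumptions;
    transfer and ignore are management decisions, not derived from the score)."""
    if risk_value < accept_below:
        return "accept"
    if risk_value > avoid_above:
        return "avoid"
    return "mitigate"

# Tree from the slide; leaf probabilities are invented for illustration
OPEN_CAR_LOCK = Node("Open Car Lock", "OR", children=[
    Node("With a Key", "OR", children=[Node("Stealing", prob=0.05), Node("Robbing", prob=0.01)]),
    Node("Without a Key", "OR", children=[Node("Relaying", prob=0.20), Node("Breaking", prob=0.10)]),
])
```

With an assumed impact of 10, `risk(OPEN_CAR_LOCK, 10)` lands in the mitigate band and `most_likely_leaf` points at the branch whose defence should be planned first.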



Validating that Threats Are Addressed

• Testing is required to verify the implementation of the mitigated threats/risks
• Verification can be done using
  • Security Testing
  • Threat-Model-Driven Testing


Threat Modeling Tools

• Tools assist threat modeling in a number of ways: creating better models, or creating models more fluidly, and remembering to engage in the various steps
• Tools help in
  • providing assistance in performing those steps
  • checking the threat model for completeness
  • creating a threat model document
  • creating actionable output from a threat model


Threat Modeling Tools

Commercial Tools: Corporate Threat Modeller, Little Jil, Microsoft SDL Threat Modeling Tool
Open Source Tools: Trike, Seamonster, Elevation of Privilege
Generally Useful Tools: Whiteboards, Office Suites, Bug Tracking Systems


Threat Modeling in Technologies



Requirements Cookbook

• Lays out a set of pre-defined security requirements to reuse
• Can be updated based on the needs of a project


Summary



Summary

• Threat modeling is used to find security threats and risks in an asset (system or sub-system)
• Using a model means abstracting away a lot of details to provide a look at the bigger picture, rather than the code itself
• Enables finding issues in early stages of the product life cycle
• Needs to be iterated and reviewed on a frequent basis


Literature

[1] Adam Shostack, Threat Modeling: Designing for Security, John Wiley & Sons, 2014
[2] Introduction to Microsoft Threat Modeling, https://people.eecs.berkeley.edu/~daw/teaching/cs261-f12/hws/Introduction_to_Threat_Modeling.pdf, Accessed: 22.02.2019
