Roberto Vigo
Technical University of Denmark
Publication
Featured research published by Roberto Vigo.
Formal Aspects of Component Software | 2012
Hanne Riis Nielson; Flemming Nielson; Roberto Vigo
A main challenge of programming component-based software is to ensure that the components continue to behave in a reasonable manner even when communication becomes unreliable. We propose a process calculus, the Quality Calculus, for programming software components where it becomes natural to plan for default behaviour in case the ideal behaviour fails due to unreliable communication and thereby to increase the quality of service offered by the systems. The development is facilitated by a SAT-based robustness analysis to determine whether or not the code is vulnerable to unreliable communication. This is illustrated on the design of a fragment of a wireless sensor network.
IEEE Computer Security Foundations Symposium | 2014
Roberto Vigo; Flemming Nielson; Hanne Riis Nielson
Attack trees are widely used to represent threat scenarios in a succinct and intuitive manner, suitable for conveying security information to non-experts. The manual construction of such objects relies on the creativity and experience of specialists, and therefore it is error-prone and impracticable for large systems. Nonetheless, the automated generation of attack trees has only been explored in connection with computer networks and leveraging rich models, whose analysis typically leads to an exponential blow-up of the state space. We propose a static analysis approach where attack trees are automatically inferred from a process algebraic specification in a syntax-directed fashion, encompassing a great many application domains and avoiding systematically incurring an exponential explosion. Moreover, we show how the standard propositional denotation of an attack tree can be used to phrase interesting quantitative problems, which can be solved through an encoding into Satisfiability Modulo Theories. The flexibility and effectiveness of the approach are demonstrated on the study of a national-scale authentication system, whose attack tree is computed thanks to a Java implementation of the framework.
Integrated Formal Methods | 2013
Roberto Vigo; Flemming Nielson; Hanne Riis Nielson
A main challenge in the design of wireless-based Cyber-Physical Systems consists in balancing the need for security and the effect of broadcast communication with the limited capabilities and reliability of sensor nodes. We present a calculus of broadcasting processes that enables reasoning about unsolicited messages and the lack of expected communication. Moreover, standard cryptographic mechanisms can be implemented in the calculus via term rewriting. The modelling framework is complemented by an executable specification of the semantics of the calculus in Maude, thereby facilitating the solution of a number of simple reachability problems.
ACM Symposium on Applied Computing | 2015
Yehia Moustafa Abd Alrahman; Rocco De Nicola; Michele Loreti; Francesco Tiezzi; Roberto Vigo
The notion of attribute-based communication seems promising to model and analyse systems with huge numbers of interacting components that dynamically adjust and combine their behaviour to achieve specific goals. A basic process calculus, named AbC, is introduced that has attribute-based communication as its primitive construct, and its impact on the above-mentioned kind of systems is considered. An AbC system consists of a set of parallel components, each of which is equipped with a set of attributes. Communication takes place in a broadcast fashion, and communication links among components are dynamically established by taking into account interdependences determined by predicates over attributes. First, the syntax and the reduction semantics of AbC are presented; then its expressiveness and effectiveness are demonstrated by modelling two scenarios from the realm of TV streaming channels. An example of how well-established process calculi could be encoded into AbC is given by considering the translation into AbC of a prototypical π-calculus process.
International Conference on Computer Safety, Reliability and Security | 2012
Roberto Vigo
The world of Cyber-Physical Systems ranges from industrial to national-interest applications. Even though these systems are pervading our everyday life, we are still far from fully understanding their security properties. Devising a suitable attacker model is a crucial element when studying the security properties of CPSs, as a system cannot be secured without defining the threats it is subject to. In this work an attacker scenario is presented that addresses the peculiarities of a cyber-physical adversary, and we discuss how this scenario relates to other attacker models popular in the security protocol literature.
Telecommunications Forum | 2012
Roberto Vigo; Ender Yüksel; Carroline Dewi Puspa Kencana Ramli
The electricity grid is a key infrastructure for our society; therefore its security is a critical public concern. This physical system is becoming more and more complex as it is coupled with a cyber layer carrying information about power usage and control instructions for intelligent appliances, leading to what is known as the Smart Grid. The development of this Cyber-Physical System introduces new security issues, thus calling for efforts in studying possible attacks and devising suitable countermeasures. In this paper, we review a generic model for the Smart Grid, and present possible attacks and countermeasures focusing on a key component of the Smart Grid: the Smart Meter.
Nordic Conference on Secure IT Systems | 2013
Roberto Vigo; Alessandro Bruni; Ender Yüksel
The development of quantitative security analyses that consider both active attackers and reactive defenders is a main challenge in the design of trustworthy Cyber-Physical Systems. We propose a game-theoretic approach where it is natural to model attackers' and defenders' actions explicitly, associating costs to attacks and countermeasures. Cost considerations enable contrasting different strategies on the basis of their effectiveness and efficiency, paving the way to a multi-objective notion of optimality. Moreover, the framework allows expressing the probabilistic nature of the environment and of the attack detection process. Finally, a solver is presented to compute strategies and their costs, resorting to a recent combination of strategy iteration with linear programming.
Formal Techniques for (Networked and) Distributed Systems | 2014
Roberto Vigo; Flemming Nielson; Hanne Riis Nielson
Ensuring that information is protected proportionately to its value is a major challenge in the development of robust distributed systems, where code complexity and technological constraints might allow reaching a key functionality along various paths. We propose a protection analysis over the Quality Calculus that computes the combinations of data required to reach a program point and relates them to a notion of cost. In this way, we can compare the security deployed on different paths that expose the same resource. The analysis is formalised in terms of flow logic, and is implemented as an optimisation problem encoded into Satisfiability Modulo Theories, allowing us to deal with complex cost structures. The usefulness of the approach is demonstrated on the study of password recovery systems.
Networked Digital Technologies | 2012
Alessio Di Mauro; Davide Papini; Roberto Vigo
Security is a crucial matter for Wireless Sensor Networks. With the recent introduction of Energy-Harvesting nodes, it has gained even more importance. By exploiting the ability to scavenge energy from the surrounding environment, the lifespan of a node has drastically increased. This is one of the reasons why security needs a new take in this topic. Traditional solutions may not work in this new domain. Brand new challenges and threats may arise, and new solutions have to be designed. In this paper we present a first taxonomy of attacks, focusing on how they change in the energy-harvesting context compared to regular sensor networks. We also discuss existing security solutions specific to the energy-harvesting world and comment on the trend that this topic may follow in the future. Finally, we draw a comparison between the cyber-physical attacker we define in our model and adversary models belonging to the security protocol verification literature.
Logical Methods in Computer Science | 2017
Roberto Vigo; Flemming Nielson; Hanne Riis Nielson
In the design of software and cyber-physical systems, security is often perceived as a qualitative need, but can only be attained quantitatively. Especially when distributed components are involved, it is hard to predict and confront all possible attacks. A main challenge in the development of complex systems is therefore to discover attacks, quantify them to comprehend their likelihood, and communicate them to non-experts for facilitating the decision process. To address this three-sided challenge we propose a protection analysis over the Quality Calculus that (i) computes all the sets of data required by an attacker to reach a given location in a system, (ii) determines the cheapest set of such attacks for a given notion of cost, and (iii) derives an attack tree that displays the attacks graphically. The protection analysis is first developed in a qualitative setting, and then extended to quantitative settings following an approach applicable to a great many contexts. The quantitative formulation is implemented as an optimisation problem encoded into Satisfiability Modulo Theories, allowing us to deal with complex cost structures. The usefulness of the framework is demonstrated on a national-scale authentication system, studied through a Java implementation of the framework.