Steven Drager

Cyber-physical specification mismatch identification with dynamic analysis

Embedded systems use increasingly complex software and are evolving into cyber-physical systems (CPS) with sophisticated interaction and coupling between physical and computational processes. Many CPS operate in safety-critical environments and have stringent certification, reliability, and correctness requirements. These systems undergo changes throughout their lifetimes, where either the software or physical hardware is updated in subsequent design iterations. One source of failure in safety-critical CPS is when there are unstated assumptions in either the physical or cyber parts of the system, and new components do not match those assumptions. In this work, we present an automated method towards identifying unstated assumptions in CPS. Dynamic specifications in the form of candidate invariants of both the software and physical components are identified using dynamic analysis (executing and/or simulating the system implementation or model thereof). A prototype tool called Hynger (for HYbrid iNvariant GEneratoR) was developed that instruments Simulink/Stateflow (SLSF) model diagrams to generate traces in the input format compatible with the Daikon invariant inference tool, which has been extensively applied to software systems. Hynger, in conjunction with Daikon, is able to detect candidate invariants of several CPS case studies. We use the running example of a DC-to-DC power converter, and demonstrate that Hynger can detect a specification mismatch where a tolerance assumed by the software is violated due to a plant change.

A Cyber Physical Systems Perspective on the Real-time and Reliable Dissemination of Information in Intelligent Transportation Systems

Timely and reliable dissemination of traffic-related information to drivers is a key property that intelligent transportation systems (ITS) should support. Numerous impediments stemming due to (a) physical factors, such as mobility and speed of vehicles, density of vehicles, characteristics of the wireless radio channel, and power and bit rate of radio transceivers, and (b) cyber issues, such as MAC layer access point associations and address resolutions (ARP), network layer addressing, routing and handoffs, and transport layer retransmissions lead to unpredictability in the timely and reliable dissemination of information to drivers. This paper presents compelling arguments in favor of new research directions in this area that are based on a cyber-physical systems (CPS) perspective. In particular, this paper makes three contributions. First, it considers a vehicle-centric perspective to survey and study the physics-and cyber-imposed impediments to the timely and reliable dissemination of information. Second, it presents a promising CPS solution to overcome a subset of the impediments discovered. Third, it outlines lessons learned indicating the need for more focused research and realistic testbeds. The evaluations

Threat modeling for security assessment in cyberphysical systems

In this paper, threat modeling issues in cyberphysical systems are discussed. First a generic model of a cyberphysical system is outlined, with an attack surface suitable for security analysis. Then, a case study of network communication in a road vehicle is presented, with its behavior modeled by a discrete time Markov chain, under the assumption that security violations can cause gradual degradation of functionality. Finally, two ways of numerical assessment of vulnerabilities are analyzed, to help better estimate probabilities of state changes in a Markov model.

Assessment of QoS adaptation capability of complex network systems

The paper formulates methods to measure the trustworthiness of a network system S under hostile environment conditions incident on S. How good is the system S in meeting the QoS expectations of applications (i.e., the QoS capability of S) is quantitatively measured - say, on a [0, 1] scale. We employ model-based assessment tools (e.g., PO-MDP) to benchmark the QoS capability by stress-testing S with artificially injected external conditions. As a case study, we describe the model-based assessment of a CDN (content distribution network). The study focuses on the placement of content caching nodes in a distribution topology for optimal performance. Security and reliability of nodes are additional factors. The extent of domain knowledge needed in the assessment tools is also highlighted, with emphasis on their reusability in different network systems.

A Framework for Measuring Security as a System Property in Cyberphysical Systems

This paper addresses the challenge of measuring security, understood as a system property, of cyberphysical systems, in the category of similar properties, such as safety and reliability. First, it attempts to define precisely what security, as a system property, really is. Then, an application context is presented, in terms of an attack surface in cyberphysical systems. Contemporary approaches related to the principles of measuring software properties are also discussed, with emphasis on building models. These concepts are illustrated in several case studies, based on previous work of the authors, to conduct experimental security measurements.

Can we measure security and how

In this paper, basic issues of measuring security as a system property are discussed. While traditional approaches to computer security metrics deal mostly with security at the enterprise or organizational level, fewer authors address security measurement at the operational level, that is, when the system is running. After reviewing some basic issues in security assessment, three possible ways of addressing the security measurement are outlined: theoretical, experimental and computational. The computational path in measuring security is pursued in more detail.

Cyber-Physical Specification Mismatches

Embedded systems use increasingly complex software and are evolving into cyber-physical systems (CPS) with sophisticated interaction and coupling between physical and computational processes. Many CPS operate in safety-critical environments and have stringent certification, reliability, and correctness requirements. These systems undergo changes throughout their lifetimes, where either the software or physical hardware is updated in subsequent design iterations. One source of failure in safety-critical CPS is when there are unstated assumptions in either the physical or cyber parts of the system, and new components do not match those assumptions. In this work, we present an automated method toward identifying unstated assumptions in CPS. Dynamic specifications in the form of candidate invariants of both the software and physical components are identified using dynamic analysis (executing and/or simulating the system implementation or model thereof). A prototype tool called Hynger (for HYbrid iNvariant GEneratoR) was developed that instruments Simulink/Stateflow (SLSF) model diagrams to generate traces in the input format compatible with the Daikon invariant inference tool, which has been extensively applied to software systems. Hynger, in conjunction with Daikon, is able to detect candidate invariants of several CPS case studies. We use the running example of a DC-to-DC power converter and demonstrate that Hynger can detect a specification mismatch where a tolerance assumed by the software is violated due to a plant change. Another case study of an automotive control system is also introduced to illustrate the power of Hynger and Daikon in automatically identifying cyber-physical specification mismatches.

SPRUCE: A web portal for the collaborative engineering of Software Intensive Systems Producibility challenge problems and solutions

Lack of widely available, well defined, DoD specific, software producibility challenge problems that drive engineering research has been a significant factor contributing to the problems with developing large, software-intensive systems for the DoD within schedule and budget. Our experience indicates that well articulated and bounded problems can spark scientific and engineering innovation in software producibility and help to bridge the gap between technology users and technology providers. This paper describes the Systems and Software Producibility Collaboration and Experimentation Environment (SPRUCE), which is an open web portal to bring together DoD software developers, users, and software engineering researchers by collaborating on specifying and solving software producibility challenge problems. We describe SPRUCEs concept of operations designed to capture challenge problems and to motivate a community to pursue solutions. We describe SPRUCEs key features, including self-organizing communities of interest (CoI), dynamically evolving challenge problems with accompanying artifacts, and built-in experimentation facilities to reproduce the problems and evaluate solution benchmarks. Finally, we demonstrate early experiences and results with representative CoIs and challenge problems.

Assessment of QoS adaptation and cyber-defense mechanisms in networked systems

The paper describes methods to evaluate the QoS capability of a networked system S operating under hostile environment conditions. We evaluate the run-time compliance of system S with the QoS prescription of applications in terms of non-functional attributes that capture the QoS behavior of S (e.g., transaction latency & drop rate in an on-line web service). We benchmark the QoS capability of S by exercising stress-tests on a simulation model of S with artificially injected environment conditions. Our model-based system assessment methods are anchored on PO-MDP frameworks that are currently advocated for network reliability and performance analysis. As case study, we describe the assessment of a CDN (content distribution network) vis-a-vis the content read latency and overhead experienced by clients. Our CDN assessment employs models of the internal algorithmic processes that strive to optimally place the content caching nodes in a distribution topology.

Modeling Resiliency and Its Essential Components for Cyberphysical Systems

This paper presents an initial approach related to modeling resiliency for cyberphysical systems. It discusses the concept and definitions of resiliency and outlines the process of building a model of resiliency. Through analogies with feedback control and fault tolerance, the Design for Resilience is addressed, where the design of the controller component of a cyberphysical system needs to account for potential safety hazards and security threats, with awareness of its internal faults and vulnerabilities. This model is validated against other approaches to modeling resilience described in the literature, followed by a discussion of the resilience metrics. The paper concludes with presenting the strategy of modeling resiliency, based on the assumption that one cannot guarantee absolute protection against attacks, or failures, but can aim at providing successful recovery after disruptions. With safety and security as essential resiliency components, an extended model is proposed involving an attacker, suggesting appropriate performance metric reflecting the distance between the normal state and the degraded state. A model-based environment Mobius, from the University of Illinois, is considered in helping to evaluate resiliency under various operational scenarios.