Security-Minded Verification of Cooperative Awareness Messages

Marie Farrell; Matthew  Bradbury; Rafael C. Cardoso; Michael Fisher; Louise A. Dennis; Clare Dixon; Al Tariq  Sheik; Yuan Hu; Carsten Maple

doi:10.1109/TDSC.2023.3345543

Security-Minded Verification of Cooperative Awareness Messages

Marie Farrell, Matthew Bradbury, Rafael C. Cardoso, Michael Fisher, Louise A. Dennis, Clare Dixon, Al Tariq Sheik, Yuan Hu, Carsten Maple

Autonomy and Verification

Research output: Contribution to journal › Article › peer-review

Abstract

Autonomous robotic systems systems are both safety- and security-critical, since a breach in system security may impact safety. In such critical systems, formal verification is used to model the system and verify that it obeys specific functional and safety properties. Independently, threat modelling is used to analyse and manage the cyber security threats that such systems may encounter. Both verification and threat analysis serve the purpose of ensuring that the system will be reliable, albeit from differing perspectives. In prior work, we argued that these analyses should be used to inform one another and, in this paper, we extend our previously defined methodology for security-minded verification by incorporating runtime verification. To illustrate our approach, we analyse an algorithm for sending Cooperative Awareness Messages between autonomous vehicles. Our analysis centres on identifying STRIDE security threats. We show how these can be formalised, and subsequently verified, using a combination of formal tools for static aspects, namely Promela/SPIN and Dafny, and generate runtime monitors for dynamic verification. Our approach allows us to focus our verification effort
on those security properties that are particularly important and to consider safety and security in tandem, both statically and at runtime.

Original language	English
Pages (from-to)	4048 - 4065
Journal	IEEE Transactions on Dependable and Secure Computing
Volume	21
Issue number	4
DOIs	https://doi.org/10.1109/TDSC.2023.3345543
Publication status	Published - 21 Dec 2023

Keywords

Verification
Security
Safety
Threat Modelling
Connected Autonomous Vehicles
Cooperative Awareness Messages
Threat modeling
Protocols
Runtime
Computer crime
Monitoring

Access to Document

10.1109/TDSC.2023.3345543Licence: CC BY

Cite this

@article{7659bed0c4c041a186a4c3cd1d1e3f0c,

title = "Security-Minded Verification of Cooperative Awareness Messages",

abstract = "Autonomous robotic systems systems are both safety- and security-critical, since a breach in system security may impact safety. In such critical systems, formal verification is used to model the system and verify that it obeys specific functional and safety properties. Independently, threat modelling is used to analyse and manage the cyber security threats that such systems may encounter. Both verification and threat analysis serve the purpose of ensuring that the system will be reliable, albeit from differing perspectives. In prior work, we argued that these analyses should be used to inform one another and, in this paper, we extend our previously defined methodology for security-minded verification by incorporating runtime verification. To illustrate our approach, we analyse an algorithm for sending Cooperative Awareness Messages between autonomous vehicles. Our analysis centres on identifying STRIDE security threats. We show how these can be formalised, and subsequently verified, using a combination of formal tools for static aspects, namely Promela/SPIN and Dafny, and generate runtime monitors for dynamic verification. Our approach allows us to focus our verification efforton those security properties that are particularly important and to consider safety and security in tandem, both statically and at runtime.",

keywords = "Verification, Security, Safety, Threat Modelling, Connected Autonomous Vehicles, Cooperative Awareness Messages, Threat modeling, Protocols, Runtime, Computer crime, Monitoring",

author = "Marie Farrell and Matthew Bradbury and Cardoso, {Rafael C.} and Michael Fisher and Dennis, {Louise A.} and Clare Dixon and Sheik, {Al Tariq} and Yuan Hu and Carsten Maple",

year = "2023",

month = dec,

day = "21",

doi = "10.1109/TDSC.2023.3345543",

language = "English",

volume = "21",

pages = "4048 -- 4065",

journal = "IEEE Transactions on Dependable and Secure Computing",

issn = "1941-0018",

publisher = "IEEE",

number = "4",

}

TY - JOUR

T1 - Security-Minded Verification of Cooperative Awareness Messages

AU - Farrell, Marie

AU - Bradbury, Matthew

AU - Cardoso, Rafael C.

AU - Fisher, Michael

AU - Dennis, Louise A.

AU - Dixon, Clare

AU - Sheik, Al Tariq

AU - Hu, Yuan

AU - Maple, Carsten

PY - 2023/12/21

Y1 - 2023/12/21

N2 - Autonomous robotic systems systems are both safety- and security-critical, since a breach in system security may impact safety. In such critical systems, formal verification is used to model the system and verify that it obeys specific functional and safety properties. Independently, threat modelling is used to analyse and manage the cyber security threats that such systems may encounter. Both verification and threat analysis serve the purpose of ensuring that the system will be reliable, albeit from differing perspectives. In prior work, we argued that these analyses should be used to inform one another and, in this paper, we extend our previously defined methodology for security-minded verification by incorporating runtime verification. To illustrate our approach, we analyse an algorithm for sending Cooperative Awareness Messages between autonomous vehicles. Our analysis centres on identifying STRIDE security threats. We show how these can be formalised, and subsequently verified, using a combination of formal tools for static aspects, namely Promela/SPIN and Dafny, and generate runtime monitors for dynamic verification. Our approach allows us to focus our verification efforton those security properties that are particularly important and to consider safety and security in tandem, both statically and at runtime.

AB - Autonomous robotic systems systems are both safety- and security-critical, since a breach in system security may impact safety. In such critical systems, formal verification is used to model the system and verify that it obeys specific functional and safety properties. Independently, threat modelling is used to analyse and manage the cyber security threats that such systems may encounter. Both verification and threat analysis serve the purpose of ensuring that the system will be reliable, albeit from differing perspectives. In prior work, we argued that these analyses should be used to inform one another and, in this paper, we extend our previously defined methodology for security-minded verification by incorporating runtime verification. To illustrate our approach, we analyse an algorithm for sending Cooperative Awareness Messages between autonomous vehicles. Our analysis centres on identifying STRIDE security threats. We show how these can be formalised, and subsequently verified, using a combination of formal tools for static aspects, namely Promela/SPIN and Dafny, and generate runtime monitors for dynamic verification. Our approach allows us to focus our verification efforton those security properties that are particularly important and to consider safety and security in tandem, both statically and at runtime.

KW - Verification

KW - Security

KW - Safety

KW - Threat Modelling

KW - Connected Autonomous Vehicles

KW - Cooperative Awareness Messages

KW - Threat modeling

KW - Protocols

KW - Runtime

KW - Computer crime

KW - Monitoring

U2 - 10.1109/TDSC.2023.3345543

DO - 10.1109/TDSC.2023.3345543

M3 - Article

SN - 1941-0018

VL - 21

SP - 4048

EP - 4065

JO - IEEE Transactions on Dependable and Secure Computing

JF - IEEE Transactions on Dependable and Secure Computing

IS - 4

ER -

Security-Minded Verification of Cooperative Awareness Messages

Abstract

Keywords

Access to Document

Fingerprint

Cite this