Security-Minded Verification of Cooperative Awareness Messages

Marie Farrell; Matthew Bradbury; Rafael C. Cardoso; Michael Fisher; Louise A. Dennis; Clare Dixon; Al Tariq Sheik; Hu Yuan; Carsten Maple

doi:10.1109/TDSC.2023.3345543

Security-Minded Verification of Cooperative Awareness Messages

Marie Farrell, Matthew Bradbury, Rafael C. Cardoso, Michael Fisher, Louise A. Dennis, Clare Dixon, Al Tariq Sheik, Hu Yuan, Carsten Maple

Research output: Contribution to journal › Article › peer-review

Abstract

Autonomous robotic systems systems are both safety- and security-critical, since a breach in system security may impact safety. In such critical systems, formal verification is used to model the system and verify that it obeys specific functional and safety properties. Independently, threat modelling is used to analyse and manage the cyber security threats that such systems may encounter. Both verification and threat analysis serve the purpose of ensuring that the system will be reliable, albeit from differing perspectives. In prior work, we argued that these analyses should be used to inform one another and, in this paper, we extend our previously defined methodology for security-minded verification by incorporating runtime verification. To illustrate our approach, we analyse an algorithm for sending Cooperative Awareness Messages between autonomous vehicles. Our analysis centres on identifying STRIDE security threats. We show how these can be formalised, and subsequently verified, using a combination of formal tools for static aspects, namely Promela/SPIN and Dafny, and generate runtime monitors for dynamic verification. Our approach allows us to focus our verification effort on those security properties that are particularly important and to consider safety and security in tandem, both statically and at runtime.

Original language	English
Number of pages	18
Journal	IEEE Transactions on Dependable and Secure Computing
Early online date	21 Dec 2023
DOIs	https://doi.org/10.1109/TDSC.2023.3345543
Publication status	E-pub ahead of print - 21 Dec 2023

Bibliographical note

Work supported by the Royal Academy of Engineering and UKRI via the Trustworthy Autonomous Systems Nodes on Security [EP/V026763/1] and Verifiability[EP/V026801/2]and the FAIR-SPACE Hub[EP/R026092]

Data Availability Statement

Artefacts can be found at https://github.com/autonomy-and-verification/security-minded-verification

Keywords

Computer crime
Connected Autonomous Vehicles
Cooperative Awareness Messages
Monitoring
Protocols
Runtime
Safety
Security
Threat modeling
Threat Modelling
Verification

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

10.1109/TDSC.2023.3345543Licence: CC BY

Cite this

@article{d2125112a5f5416d85cca48b0bd3c45f,

title = "Security-Minded Verification of Cooperative Awareness Messages",

abstract = "Autonomous robotic systems systems are both safety- and security-critical, since a breach in system security may impact safety. In such critical systems, formal verification is used to model the system and verify that it obeys specific functional and safety properties. Independently, threat modelling is used to analyse and manage the cyber security threats that such systems may encounter. Both verification and threat analysis serve the purpose of ensuring that the system will be reliable, albeit from differing perspectives. In prior work, we argued that these analyses should be used to inform one another and, in this paper, we extend our previously defined methodology for security-minded verification by incorporating runtime verification. To illustrate our approach, we analyse an algorithm for sending Cooperative Awareness Messages between autonomous vehicles. Our analysis centres on identifying STRIDE security threats. We show how these can be formalised, and subsequently verified, using a combination of formal tools for static aspects, namely Promela/SPIN and Dafny, and generate runtime monitors for dynamic verification. Our approach allows us to focus our verification effort on those security properties that are particularly important and to consider safety and security in tandem, both statically and at runtime.",

keywords = "Computer crime, Connected Autonomous Vehicles, Cooperative Awareness Messages, Monitoring, Protocols, Runtime, Safety, Security, Threat modeling, Threat Modelling, Verification",

author = "Marie Farrell and Matthew Bradbury and Cardoso, {Rafael C.} and Michael Fisher and Dennis, {Louise A.} and Clare Dixon and Sheik, {Al Tariq} and Hu Yuan and Carsten Maple",

note = "Work supported by the Royal Academy of Engineering and UKRI via the Trustworthy Autonomous Systems Nodes on Security [EP/V026763/1] and Verifiability[EP/V026801/2]and the FAIR-SPACE Hub[EP/R026092]",

year = "2023",

month = dec,

day = "21",

doi = "10.1109/TDSC.2023.3345543",

language = "English",

journal = "IEEE Transactions on Dependable and Secure Computing",

issn = "1545-5971",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - JOUR

T1 - Security-Minded Verification of Cooperative Awareness Messages

AU - Farrell, Marie

AU - Bradbury, Matthew

AU - Cardoso, Rafael C.

AU - Fisher, Michael

AU - Dennis, Louise A.

AU - Dixon, Clare

AU - Sheik, Al Tariq

AU - Yuan, Hu

AU - Maple, Carsten

N1 - Work supported by the Royal Academy of Engineering and UKRI via the Trustworthy Autonomous Systems Nodes on Security [EP/V026763/1] and Verifiability[EP/V026801/2]and the FAIR-SPACE Hub[EP/R026092]

PY - 2023/12/21

Y1 - 2023/12/21

N2 - Autonomous robotic systems systems are both safety- and security-critical, since a breach in system security may impact safety. In such critical systems, formal verification is used to model the system and verify that it obeys specific functional and safety properties. Independently, threat modelling is used to analyse and manage the cyber security threats that such systems may encounter. Both verification and threat analysis serve the purpose of ensuring that the system will be reliable, albeit from differing perspectives. In prior work, we argued that these analyses should be used to inform one another and, in this paper, we extend our previously defined methodology for security-minded verification by incorporating runtime verification. To illustrate our approach, we analyse an algorithm for sending Cooperative Awareness Messages between autonomous vehicles. Our analysis centres on identifying STRIDE security threats. We show how these can be formalised, and subsequently verified, using a combination of formal tools for static aspects, namely Promela/SPIN and Dafny, and generate runtime monitors for dynamic verification. Our approach allows us to focus our verification effort on those security properties that are particularly important and to consider safety and security in tandem, both statically and at runtime.

AB - Autonomous robotic systems systems are both safety- and security-critical, since a breach in system security may impact safety. In such critical systems, formal verification is used to model the system and verify that it obeys specific functional and safety properties. Independently, threat modelling is used to analyse and manage the cyber security threats that such systems may encounter. Both verification and threat analysis serve the purpose of ensuring that the system will be reliable, albeit from differing perspectives. In prior work, we argued that these analyses should be used to inform one another and, in this paper, we extend our previously defined methodology for security-minded verification by incorporating runtime verification. To illustrate our approach, we analyse an algorithm for sending Cooperative Awareness Messages between autonomous vehicles. Our analysis centres on identifying STRIDE security threats. We show how these can be formalised, and subsequently verified, using a combination of formal tools for static aspects, namely Promela/SPIN and Dafny, and generate runtime monitors for dynamic verification. Our approach allows us to focus our verification effort on those security properties that are particularly important and to consider safety and security in tandem, both statically and at runtime.

KW - Computer crime

KW - Connected Autonomous Vehicles

KW - Cooperative Awareness Messages

KW - Monitoring

KW - Protocols

KW - Runtime

KW - Safety

KW - Security

KW - Threat modeling

KW - Threat Modelling

KW - Verification

UR - http://www.scopus.com/inward/record.url?scp=85181839100&partnerID=8YFLogxK

U2 - 10.1109/TDSC.2023.3345543

DO - 10.1109/TDSC.2023.3345543

M3 - Article

AN - SCOPUS:85181839100

SN - 1545-5971

JO - IEEE Transactions on Dependable and Secure Computing

JF - IEEE Transactions on Dependable and Secure Computing

ER -

Security-Minded Verification of Cooperative Awareness Messages

Abstract

Bibliographical note

Data Availability Statement

Keywords

UN SDGs

Access to Document

Other files and links

Fingerprint

Cite this