On engineering secure software for cyber-physical systems in practice

dc.contributor.advisor ben-Othmane, Lotfi
dc.contributor.advisor Jacobson, Doug
dc.contributor.advisor Zheng, Mai
dc.contributor.advisor Daniels, Thomas Earl
dc.contributor.advisor Rover, Diane Thiede
dc.contributor.author Jamil, Ameerah Muhsinah
dc.contributor.department Department of Electrical and Computer Engineering
dc.date.accessioned 2022-11-09T02:32:10Z
dc.date.available 2022-11-09T02:32:10Z
dc.date.issued 2021-12
dc.date.updated 2022-11-09T02:32:11Z
dc.description.abstract A cyber-physical system (CPS) seamlessly integrates computational and physical resources to form an intelligent system. Such CPSs are often used to control physical objects through real-time feedback loops built on computation and communication. Some CPSs are used for safety-critical operations, such as autonomous driving, and must be secure. Commonly, threat modeling of such systems is based on the given system's architecture. However, as the components of a CPS and the interactions among them change, the architecture of the CPS changes over time, making its threat model rapidly obsolete, i.e., incomplete and invalid. This thesis aims to study the threat modeling practices for CPSs in industry and to explore the possibility of automating the threat modeling process. First, we interviewed software security practitioners on their current practices for ensuring secure code changes. Unexpectedly, we found that the practitioners commonly use security code analysis and testing tools in their development process; however, they often do not perform threat modeling of their software. Second, we interviewed threat modeling practitioners on their practices for threat modeling of CPSs. We found in this study that the practitioners perform threat modeling of their CPS products on demand, and that the outcome can become obsolete quickly because of frequent changes to the systems. In addition, we found that they have limited confidence in the threat models they obtain with classic threat modeling methods, and that they rely on their experience to address these limitations. Next, we proposed a semi-automated process for threat identification in a given CPS. We applied the method to Apollo Auto, open-source software for autonomous driving. Architecture recovery of the software was not successful because of the software's large size, which prevented us from validating the approach.
To improve the security of CPS, we propose to develop new threat modeling approaches for CPSs, develop a threat knowledge repository, and develop efficient architecture recovery methods that could be used to recover the architecture of real-world software.
dc.format.mimetype PDF
dc.identifier.doi https://doi.org/10.31274/td-20240329-558
dc.identifier.uri https://dr.lib.iastate.edu/handle/20.500.12876/VrO5y1mw
dc.language.iso en
dc.language.rfc3066 en
dc.subject.disciplines Computer engineering en_US
dc.subject.keywords Continuous threat modeling en_US
dc.subject.keywords Cyber-physical system en_US
dc.subject.keywords Secure cyber-physical system en_US
dc.subject.keywords Secure software en_US
dc.subject.keywords Threat modeling en_US
dc.title On engineering secure software for cyber-physical systems in practice
dc.type dissertation en_US
dc.type.genre dissertation en_US
dspace.entity.type Publication
relation.isOrgUnitOfPublication a75a044c-d11e-44cd-af4f-dab1d83339ff
thesis.degree.discipline Computer engineering en_US
thesis.degree.grantor Iowa State University en_US
thesis.degree.level dissertation
thesis.degree.name Doctor of Philosophy en_US
File: Jamil_iastate_0097E_19776.pdf (821.77 KB, Adobe Portable Document Format)