Document Title Security Models

HEAVENS – HEAling Vulnerabilities to ENhance Software Security and Safety
Dnr 2012-04625

Document Title: Security models
Document Type: Deliverable
Document Number: D2
Document Responsible: Aljoscha Lautenbach, [email protected], Chalmers; Mafijul Islam, [email protected], Volvo AB
Document Version: 2.0
Document Status: Released (March 18, 2016)
Dissemination Level: Public
Last Change: March 18, 2016
Project Acronym: HEAVENS
Project Title: HEAling Vulnerabilities to ENhance Software Security and Safety
Research Program: Vinnova/FFI (Fordonsutveckling/Vehicle Development), Sweden
Diary Number: 2012-04625
Project Duration: April 2013 – March 2016
Project Coordinator: Mats Olsson, [email protected], Volvo AB

© 2016 The HEAVENS Consortium
HEAVENS (Dnr 2012-04625) Deliverable D2 Security models (100 pages)

Executive Summary

This deliverable (D2 Security models, Release 2, Version 2.0) presents the results and achievements of work package WP2 (Security models) of the HEAVENS project. Its goal is to present a systematic approach for deriving security requirements for automotive Electrical and/or Electronic (E/E) systems, by adapting a generic security engineering process to the automotive domain. The deliverable surveys state-of-the-art threat analysis and risk assessment methodologies, processes, frameworks and tools from several industrial domains, for example IT security, telecommunications, software engineering and defense, and presents the results of a critical review of those approaches in the context of the automotive industry. Based on this review, a new security model, the HEAVENS security model, is proposed to facilitate deriving security requirements for automotive E/E systems. The model includes methods, processes and tool support, with a focus on the threat analysis and risk assessment aspects of the security engineering process. The deliverable then presents the results of a proof-of-concept implementation and evaluation of the HEAVENS security model on a couple of automotive use cases. Finally, it discusses the HEAVENS security model in the context of existing standards, for example ISO 26262 for functional safety and the Common Criteria for IT Security Evaluation.

Contributors

Editors:
  Aljoscha Lautenbach, Chalmers, [email protected]
  Mafijul Islam, ATR, GTT, Volvo AB, [email protected]

Contributors:
  Mafijul Islam, ATR, GTT, Volvo AB
  Christian Sandberg, ATR, GTT, Volvo AB
  Andreas Bokesand, VE, GTT, Volvo AB
  Tomas Olovsson, Chalmers
  Pierre Kleberger, Chalmers
  Aljoscha Lautenbach, Chalmers
  Andrew Söderberg-Rivkin, Chalmers/Volvo AB
  Sathya Prakash Kadhirvelan, Chalmers/Volvo AB
  Anders Hansson, SECTRA AB
  Henrik Broberg, Volvo Car Corporation (VCC)
  HEAVENS Consortium

Document Change History

Version  Date          Contributor          Description
0.1      May 09, 2014  Aljoscha Lautenbach  First draft of "D2 Security models" created.
1.0      Sep 29, 2014  Mafijul Islam        Version 1.0, Release 1 of D2.
2.0      Feb 23, 2016  Christian Sandberg   Moved material from D3.1 to this document. Draft version.
2.0      Mar 18, 2016  Mafijul Islam        Updated with comments and references. Released version.

Table of Contents (page numbers refer to the PDF; the listing is truncated after 3.3 on this page)

Executive Summary (p. 3)
Contributors (p. 5)
Document Change History (p. 7)
Table of Contents (p. 9)
List of Figures (p. 13)
List of Tables (p. 15)
List of Abbreviations (p. 17)
1. Introduction (p. 19)
  1.1 Background (p. 19)
  1.2 Objective (p. 19)
  1.3 Scope and limitation (p. 19)
  1.4 Relation to other project activities (p. 20)
  1.5 Document outline (p. 21)
2. Approaches to security modeling (p. 23)
  2.1 What is security? (p. 23)
    2.1.1 Security attributes (p. 24)
    2.1.2 Security objectives (p. 26)
  2.2 Security and safety engineering (p. 27)
  2.3 Security modeling (p. 31)
  2.4 Security metrics (p. 31)
3. Threat modeling and risk assessment – processes, methods and tools (p. 33)
  3.1 Concepts, frameworks and processes (p. 33)
    3.1.1 Generic system security engineering (p. 33)
    3.1.2 Microsoft – threat modeling and security development lifecycle (p. 34)
    3.1.3 Trike (p. 35)
    3.1.4 OCTAVE (p. 36)
    3.1.5 Miscellaneous models (p. 37)
  3.2 Methods and models for threat analysis and risk assessment (p. 38)
    3.2.1 CIA model (p. 39)
    3.2.2 Microsoft – STRIDE and DREAD (p. 39)
    3.2.3 CVSS model (p. 40)
    3.2.4 OWASP model (p. 41)
    3.2.5 EVITA model (p. 42)
    3.2.6 Threat, Vulnerability, and Risk Analysis (TVRA) (p. 42)
    3.2.7 SECTRA model (p. 44)
  3.3 Tool support

Details: PDF, 100 pages, English.
