Abstract
Cyber security has been an important issue for control systems, however, there may be a shortage of security experts in the near future. Most of security engineering methods focus only at high-level such as architectures, and do not consider the availability of the control system. In addition, it is often difficult use them without security expertise. In this paper, the author proposed a novel method for solving this problem. The method automatically identifies vulnerabilities in a source code using a formal and static method (type-checking), and fixes them by installing security functions accordingly. Since this approach is entirely automated, it can be seamlessly used by regular engineers, i.e. without security expertise. The authors implemented the method and experimentally investigated its effectiveness on a simple example including the characteristics typical of communicating control systems.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Evans, D., Larochelle, D.: Improving security using extensible lightweight static analysis. IEEE Softw. 19(1), 42–51 (2002)
Fekade, B., Maksymyuk, T., Kyryk, M., Jo, M.: Probabilistic recovery of incomplete sensed data in IoT. IEEE Internet Things 5(4), 2282–2292 (2017)
Jürjens, J.: UMLsec: extending UML for secure systems development. In: International Conference on the Unified Modeling Language, pp. 412–425. Springer (2002)
Livshits, B., Chong, S.: Towards fully automatic placement of security sanitizers and declassifiers. ACM SIGPLAN Not. 48, 385–398 (2013)
Lodderstedt, T., Basin, D., Doser, J.: SecureUML: a UML-based modeling language for model-driven security. In: UML 2002 - The Unified Modeling Language, pp. 426–441 (2002)
McAfee: Hacking the skills shortage: a study of the international shortage in cybersecurity skills. https://www.mcafee.com/content/dam/enterprise/en-us/assets/reports/rp-hackingskills-shortage.pdf
Microsoft: Microsoft Threat Modeling Tool - Microsoft Docs. https://docs.microsoft.com/ja-jp/azure/security/azure-security-threat-modeling-tool
MITRE Corporation: CWE - Common Weakness Enumeration. http://cwe.mitre.org/index.html
Moro, N., Heydemann, K., Encrenaz, E., Robisson, B.: Formal verification of a software countermeasure against instruction skip attacks. J. Cryptogr. Eng. 4(3), 145–156 (2014)
Newsome, J., Song, D.X.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: NDSS, vol. 5, pp. 3–4. Citeseer (2005)
OpenSSL Software Foundation: Cryptography and SSL/TLS - OpenSSL. https://www.openssl.org/docs/manmaster/man3/EVP EncryptInit.html
Pedroza, G., Apvrille, L., Knorreck, D.: AVATAR: a SysML environment for the formal verification of safety and security properties. In: 2011 11th Annual International Conference on New Technologies of Distributed Systems, pp. 1–10. IEEE (2011)
Poirier, C., Kriaa, S., Pebay-Peyroula, F., Mraidha, C., Zille, V.: A tool for I & C system architecture design: the French connexion cluster. In: International Symposium on Future I & C for Nuclear Power Plants/International Symposium on Symbiotic Nuclear Power Systems 2014, pp. 1–7 (2014)
Sadeghi, A.-R., Wachsmann, C., Waidner, M.: Security and privacy challenges in industrial internet of things. In: 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC), pp. 1–6. IEEE (2015)
Subbrao, M.: Are Static Application Security Testing (SAST) Tools Glorified Grep? https://www.synopsys.com/content/dam/synopsys/sig-assets/ebooks/are-sast-toolsglorified-grep.pdf
The Clang Team: Introduction to the Clang AST - Clang 9 documentation. https://clang.llvm.org/docs/IntroductionToTheClangAST.html
Zeng, W., Chow, M.-Y.: Optimal tradeoff between performance and security in networked control systems based on coevolutionary algorithms. IEEE Trans. Ind. Electron. 59(7), 3016–3025 (2012)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Hinatsu, S., Shimizu, K., Ueda, T., Boyer, B., Mentré, D. (2020). Automatic Vulnerability Identification and Security Installation with Type Checking for Source Code. In: Barolli, L., Nishino, H., Enokido, T., Takizawa, M. (eds) Advances in Networked-based Information Systems. NBiS - 2019 2019. Advances in Intelligent Systems and Computing, vol 1036. Springer, Cham. https://doi.org/10.1007/978-3-030-29029-0_27
Download citation
DOI: https://doi.org/10.1007/978-3-030-29029-0_27
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29028-3
Online ISBN: 978-3-030-29029-0
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)