## V-Research

Research & Development for Cybersecurity Engineering

#### The Etiology of Cybersecurity

#### The Science Club

knowledgezero@v-research.it

Dissemination level: Public
Confidentiality level: Public

ECCN: NSR

https://www.v-research.it

#### **Agenda**

- 1. The problem in the Method
- 2. Cybersecurity Hypothesis
- 3. Risk Assessment Prototype

#### **Necessary Cybersecurity Requirements**



**Jakob Nielsen** (usability expert)

"Usability suffers if users only get a row of bullets when they type their password."

Password masking doesn't even increase security but costs you business due to login failures.

**Bruce Schneier** (security expert)

[June 26, 2009] "I agree with this"

Epic flame-war

[July 3, 2009] "So was I wrong? Maybe. Okay, probably"

So, is this secure? More secure?


Is there a property P of a system S such that S having P makes S a secure system?

What is P? Confidentiality? Is confidentiality = security?
That definition is tautological (the system does what it does).
Security must be something else.





**Unfalsifiability of security claims**

Cormac Herley, Microsoft Research, Redmond, WA 98052 (PNAS 113(23), 2016)

"There is an inherent asymmetry in computer security: Things can be declared insecure by observation, but not the reverse. There is no observation that allows us to declare an arbitrary system or technique secure. We show that this implies that claims of necessary [...]"

[Figure: Theory vs. Reality. Errors, Weaknesses, Vulnerability, System under attack; cybersecurity as induction from experience]




If a triangle has two angles equal to one another, the sides subtending the equal angles will also be equal to one another. (Euclid, Elements, Book I, Proposition 6)



#### We Are Aware of Cybersecurity Theories

[8] B. Blanchet, D. Pointcheval. Automated Security Proofs with Sequences of Games. CRYPTO 2006 (Advances in Cryptology).



#### **Agenda**

- 1. The problem in the Method
- 2. Cybersecurity Hypothesis
- 3. Risk Assessment Prototype

#### **Cybersecurity Hypothesis**

**1. Claim**: insecurity is generated by attacks

**2. Claim**: attacks are made possible (caused) by errors

**3. Def**: security is achieved when no attacks are possible

**4. Hyp**: a *theory on system errors* should predict insecurity

**5. Challenge**: how can we define a theory of errors?

**6. First step**: start from a theory of systems

Causality:

Errors [CWE?] → Weak System [CWE] → Vulnerable System [CVE] → System under attack [CAPEC]

#### What is a system?



EUMAS 2016 / AT 2016 (European Conference on Multi-Agent Systems, International Conference on Agreement Technologies): Multi-Agent Systems and Agreement Technologies, pp. 261-276

"A Topological Categorization of Agents for the Definition of Attack States in Multi-agent Systems" [23] [24]

#### **ABF-Framework for System Design**




#### **Cybersecurity Weakness Prediction (RIDI-Hypothesis)**

#### There exist **3 categories of weaknesses**:

- B/F errors in *behaviors* (functional architecture)
- A/F errors in *communications* (channels)
- A/B errors in *translations* (ports)



[Figure: a port of a device, with LHS (input, labelled 1011:A) and RHS (output, labelled 1011:B)]

| Error | RCC5 relation (x R y) | LHS (input x) | RHS (output y) |
|---------|-----|-----|--------------------------------------------|
| nominal | EQ  | x   | $y = x$                                    |
| replace | DR  | x   | $y \neq x$                                 |
| insert  | PP  | x   | $y = x \cdot x'$                           |
| delete  | PPi | x   | $y \subset x$                              |
| inject  | PO  | x   | $y = x' \cdot y',\ x' \subset x,\ y' \neq x$ |

EQ, DR, PP, PPi and PO are the five base relations of the Region Connection Calculus RCC5 (equal, discrete, proper part, proper part inverse, partial overlap), read here with the input x as the left argument.



There are other (similar) weaknesses:

- Selective drop
- Selective drop + insert
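The relations in the table above can be computed mechanically from what a component received and what it emitted. The following Python is an added example, not V-Research code: it reads the deck's relations as set relations between an input message set x and an output message set y (an assumption, since the deck does not say how x and y are represented, and "." is taken as union), returns the RCC5 relation together with the matching weakness text, and runs it over three constructed traces modelled on the tank-sensor components of the prototype.

```python
"""RCC5 classification of a component's input/output behaviour.

Added example; it is not V-Research code. Assumption: what a channel, port
or functional block received (x) and emitted (y) is modelled as a set of
message identifiers, and the deck's relations are read as set relations
x R y, with "." standing for union: EQ y = x, DR x and y disjoint,
PP x a proper part of y (y = x.x'), PPi y a proper part of x, PO partial
overlap. RCC regions are non-empty; an empty x or y is reported as DR.
The traces at the bottom are constructed, not prototype output.
"""
from typing import Dict, Iterable, List


RELATION_TO_ERROR = {
    "EQ": "nominal", "DR": "replace", "PP": "insert",
    "PPi": "delete", "PO": "inject",
}

# Quantity reading of each relation (data flow between input and output).
WEAKNESS = {
    "EQ": "expected, nominal",
    "DR": "drops all the inputs and inserts new malicious data",
    "PP": "forwards all the inputs but crafts and inserts new malicious data",
    "PPi": "selectively drops inputs",
    "PO": "selectively drops inputs and inserts new data",
}


def rcc5(x: Iterable[str], y: Iterable[str]) -> str:
    """Return the RCC5 base relation between input set x and output set y."""
    x, y = frozenset(x), frozenset(y)
    if x == y:
        return "EQ"            # y = x
    if not (x & y):
        return "DR"            # nothing forwarded; also covers empty x or y
    if x < y:
        return "PP"            # y = x . x': all of x forwarded plus extra data
    if y < x:
        return "PPi"           # y is a proper part of x: some inputs dropped
    return "PO"                # some inputs dropped and some data inserted


def assess(agent: str, component: str, ctype: str,
           received: Iterable[str], emitted: Iterable[str]) -> Dict[str, str]:
    """Build one worksheet-style row (agent, component, type, weakness, status)."""
    rel = rcc5(received, emitted)
    return {
        "agent": agent, "component": component, "type": ctype,
        "relation": rel, "error": RELATION_TO_ERROR[rel],
        "weakness": WEAKNESS[rel],
        "status": "nominal" if rel == "EQ" else "open",
    }


def assess_all(traces: List[dict]) -> List[Dict[str, str]]:
    """Classify every trace; each trace is a dict of assess() keyword arguments."""
    return [assess(**t) for t in traces]


# Constructed traces for the tank-sensor components named in the deck.
TRACES = [
    # output port forwards every reading it was given: nominal / EQ
    {"agent": "sensorInTank", "component": "sensorWireLHS", "ctype": "outputport",
     "received": ["r1", "r2", "r3", "r4"], "emitted": ["r1", "r2", "r3", "r4"]},
    # channel loses r3 and injects a forged reading: inject / PO
    {"agent": "root", "component": "sensorWireLHS2sensorWireRHS", "ctype": "channel",
     "received": ["r1", "r2", "r3", "r4"], "emitted": ["r1", "r2", "r4", "forged"]},
    # input port discards everything and emits fabricated readings: replace / DR
    {"agent": "sensorBoard", "component": "sensorWireRHS", "ctype": "inputport",
     "received": ["r1", "r2", "r4", "forged"], "emitted": ["fake1", "fake2"]},
]

if __name__ == "__main__":
    for row in assess_all(TRACES):
        print(f'{row["agent"]:<12} {row["component"]:<28} {row["type"]:<10} '
              f'{row["relation"]:<4} {row["weakness"]}')
```

The order of the checks matters: disjointness is tested before the proper-part cases, so an empty input with a non-empty output is classified as replace (DR) rather than insert. Because the relation is over sets, message order and multiplicity are invisible: a reordering or replay of the same readings would still be reported as EQ, and sequences rather than sets would be needed to catch it.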


#### From Errors to Architectural Weaknesses

[Figure: Functional Architecture. Block-to-Block (Functional Blocks) and Port-to-Port (Ports, Channels) data flows, plus Requirements, mapped onto the RCC5 relations EQ, DR, PP, PPi, PO of the table above]

| RCC5 relation | Quantity: data flow between the input and output of Channels (A,A), Ports (B,A), Functional Blocks (B,B) | Quality: requirements (facts) over Channel (A,F), Behavior (B,F) |
|-----|-----|-----|
| EQ  | expected, nominal | expected, nominal |
| DR  | drops all the inputs and inserts new malicious data | the component never performs/carries the expected behavior/information |
| PP  | forwards all the inputs but crafts and inserts new malicious data | the component correctly performs/carries the expected behavior/information when the correct inputs are provided but is subject to input injections |
| PPi | selectively drops inputs | part of the expected outputs are not generated in response to the correct inputs |
| PO  | selectively drops inputs and inserts new data | Byzantine behavior: occasionally outputs the expected output given the correct inputs. Not all the inputs are handled properly, nor are all the expected outputs always generated when correct inputs are given |

#### **Cybersecurity Quantitative Evaluation**



This allows us to precisely measure security risks
We have a metric for security

#### Cybersecurity Abstract Attacks – Not-so-easy Next Steps



#### **Agenda**

- 1. The problem in the Method
- 2. Cybersecurity Hypothesis
- 3. Risk Assessment Prototype

#### **Automated Cybersecurity Risk Assessment**

#### 1. System Engineering

#### 2. Automated Threat Scenario Generation & Reasoning

#### 3. Automated Risk Estimation & Mitigation Suggestions

#### 4. On-the-fly Risk Reduction Based on Mitigation

| Agent | Component | Comp. Type | Weakness | Status |
|-------|-----------|------------|----------|--------|
| sensorBoard | sensorWireRHS | inputport | selectively drops inputs and inserts new malicious data | open |
| root | sensorWireLHS2sensorWireRHS | channel | selectively drops inputs and inserts new malicious data | open |
| sensorInTank | sensorWireLHS | outputport | selectively drops inputs and inserts new malicious data | open |
| sensorInTank | | | the component has a Byzantine behavior where occasionally outputs the expected output given the correct inputs. Not all the inputs are handled properly, nor are all the expected outputs always generated when correct inputs are given | open |
| RISK | | | | 16777216 |

The total risk is the total number of configurations of the system.

#### **Risk Assessment Prototype**

## **Complete** Prediction of Cybersecurity Flaws Without Databases of Known Attacks!

| Agent | Component | Component Type | Potential Architectural Weakness | Weakness ID | Weight | Status | Assignee |
|-------|-----------|----------------|----------------------------------|-------------|--------|--------|----------|
| ATMcontroller | ATMsharedkey | Functional Block | the component has a Byzantine behavior where occasionally outputs the expected output given the correct inputs. Not all the inputs are handled properly, nor are all the expected outputs always generated when correct inputs are given. | W001 | 1 | mitigated | Mario Rossi |
| ATMcontroller | ATMsharedkey | Functional Block | part of the expected outputs are not generated in response to the correct inputs | W002 | 1 | mitigated | Mario Rossi |
| ATMcontroller | ATMsharedkey | Functional Block | the component correctly performs the expected behavior when the correct inputs are provided but is subject to input injections | W003 | 1 | open | |
| ATMcontroller | ATMsharedkey | Functional Block | the component never performs the expected behavior | W004 | 1 | open | |
| ATMcontroller | CameraIn | Input Port | alters incoming messages producing malicious requests for the connected input socket or functional block | W005 | 4 | open | |
| ATMcontroller | CameraIn | Input Port | appends new requests to the incoming messages | W006 | 4 | open | |
| ATMcontroller | CameraIn | Input Port | selectively drops some of the incoming messages | W007 | 4 | open | |
| ATMcontroller | CameraIn | Input Port | drops all the incoming messages and substitutes them with new malicious ones | W008 | 4 | open | |
| ATMcontroller | CameraIn | Input Socket | the component correctly translates some of the incoming requests to the functional architecture. Not all the incoming requests are properly translated, nor are all the expected requests always produced. | W009 | 1 | open | |
| ATMcontroller | CameraIn | Input Socket | part of the generated requests are not generated in response to the correct inputs | W010 | 1 | open | |
| ATMcontroller | CameraIn | Input Socket | the component correctly generates the incoming requests when the correct inputs are | W011 | 1 | open | |
| RISK | | | | | | | 16777216 |

The total risk is the total number of insecure configurations of the system
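Counting configurations is one way to make the risk figure above concrete. The block below is an added example, not the V-Research prototype, and the deck does not say how its 16777216 is derived; it assumes that each component is independently either nominal or in exactly one of its still-open weakness states, that a configuration is insecure when at least one component is in a weakness state, and that marking a weakness mitigated removes that state (the Weight column is ignored). The rows are constructed after the ATMcontroller worksheet. A brute-force enumeration cross-checks the closed form, and mitigating one weakness shows the on-the-fly risk reduction of step 4.

```python
"""Risk as a count of insecure configurations, recomputed after mitigation.

Added example; it is not the V-Research prototype, and the deck does not
state how its 16777216 is obtained. Assumption: every component is
independently either nominal or in exactly one of its still-open
architectural weakness states, a configuration is insecure when at least
one component is in a weakness state, and marking a weakness "mitigated"
removes that state. The rows are constructed after the ATMcontroller
worksheet; the Weight column is not used.
"""
from itertools import product
from math import prod
from typing import Dict, List, Tuple

Row = Tuple[str, str, str, str]  # (component, component type, weakness id, status)

ROWS: List[Row] = [
    ("ATMsharedkey", "Functional Block", "W001", "mitigated"),
    ("ATMsharedkey", "Functional Block", "W002", "mitigated"),
    ("ATMsharedkey", "Functional Block", "W003", "open"),
    ("ATMsharedkey", "Functional Block", "W004", "open"),
    ("CameraIn", "Input Port", "W005", "open"),
    ("CameraIn", "Input Port", "W006", "open"),
    ("CameraIn", "Input Port", "W007", "open"),
    ("CameraIn", "Input Port", "W008", "open"),
    ("CameraIn", "Input Socket", "W009", "open"),
    ("CameraIn", "Input Socket", "W010", "open"),
    ("CameraIn", "Input Socket", "W011", "open"),
]


def open_by_component(rows: List[Row]) -> Dict[Tuple[str, str], List[str]]:
    """Group still-open weakness ids by (component, type); mitigated ones drop out."""
    groups: Dict[Tuple[str, str], List[str]] = {}
    for comp, ctype, wid, status in rows:
        groups.setdefault((comp, ctype), [])
        if status == "open":
            groups[(comp, ctype)].append(wid)
    return groups


def risk(rows: List[Row]) -> int:
    """Closed form: prod(1 + open_i) configurations, minus the all-nominal one."""
    return prod(1 + len(ws) for ws in open_by_component(rows).values()) - 1


def risk_by_enumeration(rows: List[Row]) -> int:
    """Brute-force cross-check: enumerate every configuration explicitly."""
    spaces = [["nominal"] + ws for ws in open_by_component(rows).values()]
    return sum(1 for cfg in product(*spaces) if any(s != "nominal" for s in cfg))


def mitigate(rows: List[Row], wid: str) -> List[Row]:
    """On-the-fly reduction: flip one weakness to mitigated and return the new table."""
    return [(c, t, w, "mitigated" if w == wid else s) for c, t, w, s in rows]


if __name__ == "__main__":
    print("risk:", risk(ROWS))                        # 59
    after = mitigate(ROWS, "W003")
    print("after mitigating W003:", risk(after))     # 39
```

With two open weaknesses on the functional block, four on the input port and three on the input socket, the space has 3 x 5 x 4 = 60 configurations, 59 of them insecure; mitigating W003 shrinks it to 2 x 5 x 4 = 40, i.e. 39. The closed form is exact only under the independence assumption; if a weakness in one component can only be reached through another (a channel injection feeding a port), the enumeration would have to filter out the unreachable combinations.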

#### Automated Risk Assessment

[Figure: Architecture]

[Figure: Asset Diagram]

# THANK YOU Q&A