Dimitrios Serpanos - Academia.edu (original) (raw)
Uploads
Papers by Dimitrios Serpanos
ArXiv, 2016
Conventional approaches for ensuring the security of application software at run-time, through mo... more Conventional approaches for ensuring the security of application software at run-time, through monitoring, either produce (high rates of) false alarms (e.g. intrusion detection systems) or limit application performance (e.g. run-time verification). We present a runtime security monitor that detects both known and unknown cyber attacks by checking that the run-time behavior of the application is consistent with the expected behavior modeled in application specification. This is crucial because, even if the implementation is consistent with its specification, the application may still be vulnerable due to flaws in the supporting infrastructure (e.g. the language runtime system, libraries and operating system). This runtime security monitor is sound and complete, eliminating false alarms, as well as efficient, so that it does not limit runtime application performance and so that it supports real-time systems. The security monitor takes as input the application specification and the app...
Proceedings of the IEEE, 2018
Safe and Secure Cyber-Physical Systems and Internet-of-Things Systems
False data injection (FDI) attacks are malicious insertions of false data as sensor measurements ... more False data injection (FDI) attacks are malicious insertions of false data as sensor measurements in a cyber-physical system, in order to lead the system to take a wrong action. False data injection attacks do not attack the computational or network components of cyber-physical systems but the interface between the physical and the cyber part. Such attacks are powerful and can have catastrophic results. Defense against them can be achieved by limiting the attack surface through vulnerability analysis of the cyber-physical system design and by monitoring system operation in the field with monitors that observe system parameters and sensor measurements and detect abnormal operation early. In this chapter, we describe promising techniques for vulnerability analysis and dynamic monitoring, based on efficient SMT solvers and Kalman filter techniques, respectively.
2019 First International Conference on Societal Automation (SA), 2019
2019 14th International Conference on Design & Technology of Integrated Systems In Nanoscale Era (DTIS), 2019
Data leakage and disclosure to attackers is a significant problem in embedded systems, considerin... more Data leakage and disclosure to attackers is a significant problem in embedded systems, considering the ability of attackers to get physical access to the systems. We present methods to protect memory data leakage in tamper-proof embedded systems. We present methods that exploit memory supply voltage manipulation to change the memory contents, leading to an operational and reusable memory or to destroy memory cell circuitry. For the case of memory data change, we present scenaria for data change to a known state and to a random state. The data change scenaria are effective against attackers who cannot detect the existence of the protection circuitry; furthermore, original data can be calculated in the case of data change to a known state, if the attacker identifies the protection circuitry and its operation. The methods that change memory contents to a random state or destroy memory cell circuitry lead to irreversible loss of the original data. However, since the known state can be used to calculate the original data.
Embedded, Cyber-Physical, and IoT Systems, 2019
We introduce a design methodology to assure run-time security of cyber physical system (CPS) appl... more We introduce a design methodology to assure run-time security of cyber physical system (CPS) applications. The methodology has two independent, but complementary, components that employ novel approaches to design run-time monitors that detect both computational and false data cyber-attacks to assure security of CPS at run-time. Based on the executable specification of a CPS application, the first component protects CPS computations through comparison of the application execution and the application-specification execution in real-time. The second component assures safety and integrity of CPS data through vulnerability analysis of the application specification for false data injection attacks based on non-linear verification techniques. We demonstrate our approach through its application to a typical CPS example application; we demonstrate that run-time monitors employing verification techniques are effective, efficient, and readily applicable to demanding real-time critical systems.
The purpose of this work is two fold: on one hand we want to formalize the behavior of critical c... more The purpose of this work is two fold: on one hand we want to formalize the behavior of critical components of the self generating and adapting cognitive middleware AWDRAT such that the formalism not only helps to understand the semantics and technical details of the middleware but also opens an opportunity to extend the middleware to support other complex application domains of cybersecurity; on the other hand, the formalism serves as a pre-requisite for our proof of the behavioral correctness of the critical components to ensure the safety of the middleware itself. However, here we focus only on the core and critical component of the middleware, i.e. Execution Monitor which is a part of the module “Architectural Differencer” of AWDRAT. The role of the execution monitor is to identify inconsistencies between runtime observations of the target system and predictions of the System Architectural Model. Therefore, to achieve this goal, we first define the formal (denotational) semantics...
Event-driven models provide a rich basis for the analysis of IoT systems. This chapter introduces... more Event-driven models provide a rich basis for the analysis of IoT systems. This chapter introduces event-driven analysis methods that allow us to characterize key design parameters for IoT systems. After surveying related work, the chapter describes an example that motivates our work. A model of IoT networks includes communication links and hubs and a timewheel to model the temporal relationships between events. Event analysis allows us to derive characteristics of the network’s event population over time.
Safety is a critical requirement for IoT systems and services in numerous application domains, su... more Safety is a critical requirement for IoT systems and services in numerous application domains, such as health, transportation, energy, and manufacturing. Security is a prerequisite of safety, because its violation leads to unsafe systems. In this chapter, we review security technologies and challenges for IoT systems, from the device level to the application and process level.
Testing and monitoring constitute two required technologies for robust cyber-physical and IoT sys... more Testing and monitoring constitute two required technologies for robust cyber-physical and IoT systems. Testing is fundamental to the system design process as well as to its certification for meeting specified security and safety requirements. Despite availability of a tested and certified system, its operation in the field requires continuous monitoring, considering potential unanticipated or unknown attacks and failures. In this chapter, we address testing for security and especially fuzzing, for cyber-physical and IoT systems as well as run-time monitoring for safety and security. We describe an example fuzzer for the Modbus industrial protocol and an example run-time monitor for industrial applications.
Security and Quality in Cyber-Physical Systems Engineering, 2019
This chapter reviews security and engineering system safety challenges for Internet of Things (Io... more This chapter reviews security and engineering system safety challenges for Internet of Things (IoT) applications in industrial environments. On the one hand, security concerns arise from the expanding attack surface of long-running technical systems due to the increasing connectivity on all levels of the industrial automation pyramid. On the other hand, safety concerns magnify the consequences of traditional security attacks. Based on the thorough analysis of potential security and safety issues of IoT systems, the chapter surveys machine learning and deep learning (ML/DL) methods that can be applied to counter the security and safety threats that emerge in this context. In particular, the chapter explores how ML/DL methods can be leveraged in the engineering phase for designing more secure and safe IoT-enabled long-running technical systems. However, the peculiarities of IoT environments (e.g., resource-constrained devices with limited memory, energy, and computational capabilities) still represent a barrier to the adoption of these methods. Thus, this chapter also discusses the limitations of ML/DL methods for IoT security and how they might be overcome in future work by pursuing the suggested research directions.
MATEC Web of Conferences, 2018
MATEC Web of Conferences, 2018
ArXiv, 2016
Conventional approaches for ensuring the security of application software at run-time, through mo... more Conventional approaches for ensuring the security of application software at run-time, through monitoring, either produce (high rates of) false alarms (e.g. intrusion detection systems) or limit application performance (e.g. run-time verification). We present a runtime security monitor that detects both known and unknown cyber attacks by checking that the run-time behavior of the application is consistent with the expected behavior modeled in application specification. This is crucial because, even if the implementation is consistent with its specification, the application may still be vulnerable due to flaws in the supporting infrastructure (e.g. the language runtime system, libraries and operating system). This runtime security monitor is sound and complete, eliminating false alarms, as well as efficient, so that it does not limit runtime application performance and so that it supports real-time systems. The security monitor takes as input the application specification and the app...
Proceedings of the IEEE, 2018
Safe and Secure Cyber-Physical Systems and Internet-of-Things Systems
False data injection (FDI) attacks are malicious insertions of false data as sensor measurements ... more False data injection (FDI) attacks are malicious insertions of false data as sensor measurements in a cyber-physical system, in order to lead the system to take a wrong action. False data injection attacks do not attack the computational or network components of cyber-physical systems but the interface between the physical and the cyber part. Such attacks are powerful and can have catastrophic results. Defense against them can be achieved by limiting the attack surface through vulnerability analysis of the cyber-physical system design and by monitoring system operation in the field with monitors that observe system parameters and sensor measurements and detect abnormal operation early. In this chapter, we describe promising techniques for vulnerability analysis and dynamic monitoring, based on efficient SMT solvers and Kalman filter techniques, respectively.
2019 First International Conference on Societal Automation (SA), 2019
2019 14th International Conference on Design & Technology of Integrated Systems In Nanoscale Era (DTIS), 2019
Data leakage and disclosure to attackers is a significant problem in embedded systems, considerin... more Data leakage and disclosure to attackers is a significant problem in embedded systems, considering the ability of attackers to get physical access to the systems. We present methods to protect memory data leakage in tamper-proof embedded systems. We present methods that exploit memory supply voltage manipulation to change the memory contents, leading to an operational and reusable memory or to destroy memory cell circuitry. For the case of memory data change, we present scenaria for data change to a known state and to a random state. The data change scenaria are effective against attackers who cannot detect the existence of the protection circuitry; furthermore, original data can be calculated in the case of data change to a known state, if the attacker identifies the protection circuitry and its operation. The methods that change memory contents to a random state or destroy memory cell circuitry lead to irreversible loss of the original data. However, since the known state can be used to calculate the original data.
Embedded, Cyber-Physical, and IoT Systems, 2019
We introduce a design methodology to assure run-time security of cyber physical system (CPS) appl... more We introduce a design methodology to assure run-time security of cyber physical system (CPS) applications. The methodology has two independent, but complementary, components that employ novel approaches to design run-time monitors that detect both computational and false data cyber-attacks to assure security of CPS at run-time. Based on the executable specification of a CPS application, the first component protects CPS computations through comparison of the application execution and the application-specification execution in real-time. The second component assures safety and integrity of CPS data through vulnerability analysis of the application specification for false data injection attacks based on non-linear verification techniques. We demonstrate our approach through its application to a typical CPS example application; we demonstrate that run-time monitors employing verification techniques are effective, efficient, and readily applicable to demanding real-time critical systems.
The purpose of this work is two fold: on one hand we want to formalize the behavior of critical c... more The purpose of this work is two fold: on one hand we want to formalize the behavior of critical components of the self generating and adapting cognitive middleware AWDRAT such that the formalism not only helps to understand the semantics and technical details of the middleware but also opens an opportunity to extend the middleware to support other complex application domains of cybersecurity; on the other hand, the formalism serves as a pre-requisite for our proof of the behavioral correctness of the critical components to ensure the safety of the middleware itself. However, here we focus only on the core and critical component of the middleware, i.e. Execution Monitor which is a part of the module “Architectural Differencer” of AWDRAT. The role of the execution monitor is to identify inconsistencies between runtime observations of the target system and predictions of the System Architectural Model. Therefore, to achieve this goal, we first define the formal (denotational) semantics...
Event-driven models provide a rich basis for the analysis of IoT systems. This chapter introduces... more Event-driven models provide a rich basis for the analysis of IoT systems. This chapter introduces event-driven analysis methods that allow us to characterize key design parameters for IoT systems. After surveying related work, the chapter describes an example that motivates our work. A model of IoT networks includes communication links and hubs and a timewheel to model the temporal relationships between events. Event analysis allows us to derive characteristics of the network’s event population over time.
Safety is a critical requirement for IoT systems and services in numerous application domains, su... more Safety is a critical requirement for IoT systems and services in numerous application domains, such as health, transportation, energy, and manufacturing. Security is a prerequisite of safety, because its violation leads to unsafe systems. In this chapter, we review security technologies and challenges for IoT systems, from the device level to the application and process level.
Testing and monitoring constitute two required technologies for robust cyber-physical and IoT sys... more Testing and monitoring constitute two required technologies for robust cyber-physical and IoT systems. Testing is fundamental to the system design process as well as to its certification for meeting specified security and safety requirements. Despite availability of a tested and certified system, its operation in the field requires continuous monitoring, considering potential unanticipated or unknown attacks and failures. In this chapter, we address testing for security and especially fuzzing, for cyber-physical and IoT systems as well as run-time monitoring for safety and security. We describe an example fuzzer for the Modbus industrial protocol and an example run-time monitor for industrial applications.
Security and Quality in Cyber-Physical Systems Engineering, 2019
This chapter reviews security and engineering system safety challenges for Internet of Things (Io... more This chapter reviews security and engineering system safety challenges for Internet of Things (IoT) applications in industrial environments. On the one hand, security concerns arise from the expanding attack surface of long-running technical systems due to the increasing connectivity on all levels of the industrial automation pyramid. On the other hand, safety concerns magnify the consequences of traditional security attacks. Based on the thorough analysis of potential security and safety issues of IoT systems, the chapter surveys machine learning and deep learning (ML/DL) methods that can be applied to counter the security and safety threats that emerge in this context. In particular, the chapter explores how ML/DL methods can be leveraged in the engineering phase for designing more secure and safe IoT-enabled long-running technical systems. However, the peculiarities of IoT environments (e.g., resource-constrained devices with limited memory, energy, and computational capabilities) still represent a barrier to the adoption of these methods. Thus, this chapter also discusses the limitations of ML/DL methods for IoT security and how they might be overcome in future work by pursuing the suggested research directions.
MATEC Web of Conferences, 2018
MATEC Web of Conferences, 2018