Formalizing Attack Tree on Security Object for MySANi in Legal Metrology
Abstract
:1. Introduction
2. Related Works
2.1. Security Evaluation in Legal Metrology
2.2. Attack Tree
3. Research Methodology
3.1. Finite State Transition
3.2. Formalizing Attack Tree
3.3. Attack Tree Correctness Property
4. Malaysian NAWI Software Inspection for Computer
- Printed certificate/hard copy certificate (HC) information;
- Certificate–software pairing is correct;
- Legally relevant (LR) part of the software is intact.
4.1. Security Object
- Transformed polynomial checksum for ȻKA;
- Plain checksum ČLR for LR module which are recorded inside the SCP.
4.2. Process Workflow
4.3. Polynomial Transformation
5. Modelling Attack Scenario for MySANI
5.1. Attack Simulation
5.2. Security Object State Modelling
5.2.1. State Transition Modelling
- z1 is the same as z0 but QF is in the form of a separate file that needs to be identified by the attacker. The Q = Q+ state transition occurs;
- z2 is the same as z0 but QF is successfully owned by the attacker. The Q = Qg state transition occurs;
- z3 is the same as z2 but the attacker managed to obtain the KA public key from the QF element. The PKey = AcG state transition occurs;
- z4 is the same as z3 but this time the attacker managed to open the SCP by decrypting the SCE using KA. The ScP = Op state transition occurs;
- the z5 is the same as the z4 but the attacker generates a fake key pair that matches the original public key configuration. The following PKey = AcF variable change occurs;
- z6 is the same as z5 but the attacker amended SCP to SCP′. The ScP = Oe variable values are changed;
- z7 is the same as z6 but the attacker encrypted SCP′ using fake private key. The ScP = Oc values are changed;
- z8 is the same as z7 except at this point the attacker successfully cracked the Ť algorithm, TpRev = tt;
- And finally, z9 is the same last state as the z8 but the attacker reformed the QF with fake elements Q = Qt.
5.2.2. Attack Tree Formal Modelling
T2 = (⟨ι2,γ2⟩), SAND)(⟨ι21,γ21⟩, ⟨ι22, γ22⟩, ⟨ι23,γ23⟩);
T3 = (⟨ι3, γ3⟩), SAND)(⟨ι31, γ31⟩,⟨ι32, γ32⟩,⟨ι33, γ33⟩, ⟨ι34, γ34 ⟩).
- The original situation is where the attacker does not yet have a QF, does not have a public key, is not able to access plaintext soft certificates, and did not successfully crack the Ť algorithm.ι:= (Q = Q−) ˄ (PKey = NaC) ˄ (ScP = Uo) ˄ (TpRev = ff);
- The ultimate goal for the attacker is to be able to amend the plaintext soft certificate, possess a fake key pair, re-encrypt using a fake private key, and put a fake public key back in the amended QF.γ:= (Q = Qt) ˄ (PKey = AcF) ˄ (ScP = Oe);
- Atomic target ⟨ι1, γ1⟩: In the original state, the attacker does not yet have QF and needs to identify a QF as the target first. The goal is to have the QF in the form of individual file. Assuming ⊤ represents an empty configuration, therefore:ι1:= ⊤ and γ1:= (Q = Qg);
- Atomic goals ⟨ι11, γ11⟩: QF is embedded in the ME and the attacker must first extract it into a single file. Therefore:ι11:= (Q = Q−) and γ11 = γ1;
- Atomic goals ⟨ι12, γ12⟩: QF is available as an individual file. The attacker needs to identify the location of the QF file. Therefore:ι12:= (Q = Q+) and γ12:= (Q = Qg);
- Atomic goal ⟨ι2, γ2⟩: The attacker aims to modify the SCP in the QF. Therefore:ι2:= (Q = Qg) ∧ (PKey = AcG) ∧ (ScP = Uo) ∧ (TpRev = ff) and γ2:= γ;
- Atomic goal ⟨ι21, γ21⟩: Attacker obtains KA. Therefore:ι21:= (Q = Qg) ∧ (PKey = NaC) and γ21:= (PKey = AcG);
- Atomic goal ⟨ι22, γ22⟩: Attacker decrypts SCE using KA. Therefore:ι22:= γ21 and γ22:= (ScP = Op);
- Atomic goal ⟨ι23, γ23⟩: Attacker modifies the contents of the SCP. Therefore:ι23:= γ22 and γ23:= (ScP = Oe);
- Atomic goal ⟨ι3, γ3⟩: The attacker aims to reconstruct the QF using modified plaintext data and fake keys. Therefore:ι3:= (PKey = AcF) ∧ (ScP = Oe) ∧ (TpRev = ff) and γ3:= γ;
- Atomic goal ⟨ι31, γ31⟩: Attacker generates fake KP′. Therefore:ι31:= ⊤ and γ31:= (PKey = AcF);
- Atomic goals ⟨ι32, γ32⟩: The attacker encrypts the SCP′ by using fake key KP′. Therefore:ι32:= (PKey = AcF) ∧ (ScP = Oe) and γ32:= (ScP = Oc);
- Atomic goals ⟨ι33, γ33⟩: Attack polynomial transformations based on KP′ and SCP. Therefore:ι33:= (TpRev = ff) and γ33:= (TpRev = tt);
- Finally, the atomic goal ⟨ι34, γ34⟩: The attacker reconstructs all elements into a false QF. Therefore: ι34:= (PKey = AcF) ∧ (ScP = Oe) ∧ (TpRev = tt) and γ34:= γ3.
5.3. Formal Analysis and Discussion
6. Conclusions
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
- O’Brien, M.T.; Schuh, J.C.L.; Wancket, L.M.; Cramer, S.D.; Funk, K.A.; Jackson, N.D.; Kannan, K.; Keane, K.; Nyska, A.; Rousselle, S.D.; et al. Scientific and Regulatory Policy Committee Points to Consider for Medical Device Implant Site Evaluation in Nonclinical Studies. Toxicol. Pathol. 2022, 50, 512–530. [Google Scholar] [CrossRef] [PubMed]
- Doe, J.; Van de Wetering, R.; Honyenuga, B.; Versendaal, J. Eco-system oriented instrument for measuring firm technology adoption. In Proceedings of the 19th International Conference on Electronic Busines, Newcastle Upon Tyne, UK, 8–12 December 2019. [Google Scholar]
- Ghazvini, A.; Shukur, Z. Review of information security guidelines for awareness training program in healthcare industry. In Proceedings of the 2017 6th International Conference on Electrical Engineering and Informatics (ICEEI), Langkawi, Malaysia, 25–27 November 2017; pp. 1–6. [Google Scholar]
- Schwemer, S.F. Article 17 at the Intersection of EU Copyright Law and Platform Regulation. Nord. Intellect. Prop. Law Rev. 2020, 1, 400–435. [Google Scholar]
- Said, I.O.; Shukur, Z.; Bin Ibrahim, M.A. A certification criteria for software of measuring instruments based on Malaysian environment. In Proceedings of the 2017 6th International Conference on Electrical Engineering and Informatics (ICEEI), Langkawi, Malaysia, 25–27 November 2017; pp. 1–5. [Google Scholar]
- Sahlabadi, M.; Muniyandi, R.C.; Shukur, Z.; Qamar, F. Lightweight Software Architecture Evaluation for Industry: A Comprehensive Review. Sensors 2022, 22, 1252. [Google Scholar] [CrossRef] [PubMed]
- Verdon, D.; McGraw, G. Risk analysis in software design. IEEE Secur. Priv. 2004, 2, 79–84. [Google Scholar] [CrossRef]
- Talabis, M.; Martin, J. Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis; Newnes: Boston, MA, USA, 2012. [Google Scholar]
- Esche, M.; Thiel, F. P7.4—Incorporating a measure for attacker motivation into software risk assessment for measuring instruments in legal metrology. In Proceedings of the 18th GMA/ITG-Fachtagung Sensoren und Messsysteme 2016, Nuremberg, Germany, 10–11 May 2016; Volume 1, pp. 735–742. Available online: https://www.ama-science.org/proceedings/details/2436 (accessed on 10 January 2023).
- Esche, M.; Toro, F.; Thiel, F. Representation of attacker motivation in software risk assessment using attack probability trees. In Proceedings of the 2017 Federated Conference on Computer Science and Information Systems (FedCSIS), Prague, Czech Republic, 3–6 September 2017; pp. 763–771. [Google Scholar]
- Meng, B.; Larraz, D.; Siu, K.; Moitra, A.; Interrante, J.; Smith, W.; Paul, S.; Prince, D.; Herencia-Zapana, H.; Arif, M.; et al. VERDICT: A Language and Framework for Engineering Cyber Resilient and Safe System. Systems 2021, 9, 18. [Google Scholar] [CrossRef]
- Audinot, M.; Pinchinat, S.; Kordy, B. Guided design of attack trees: A system-based approach. In Proceedings of the 2018 IEEE 31st Computer Security Foundations Symposium (CSF), Oxford, UK, 9–12 July 2018; pp. 61–75. [Google Scholar]
- Pinchinat, S.; Acher, M.; Vojtisek, D. ATSyRa: An integrated environment for synthesizing attack trees. In Proceedings of the International Workshop on Graphical Models for Security, Verona, Italy, 13 July 2015; Springer: Berlin/Heidelberg, Germany, 2015; pp. 97–101. [Google Scholar]
- Pieters, W.; Hadziosmanovic, D.; Lenin, A.; Montoya, L.; Willemson, J. TREsPASS: Plug-and-play attacker profiles for security risk analysis. IEEE Secur. Priv. Poster Abstr. 2014, 1, 1–2. [Google Scholar]
- Kordy, B.; Kordy, P.; Mauw, S.; Schweitzer, P. ADTool: Security analysis with attack–defense trees. In Proceedings of the International conference on quantitative evaluation of systems, Buenos Aires, Argentina, 27–30 August 2013; pp. 173–176. [Google Scholar]
- Kordy, B.; Mauw, S.; Melissen, M.; Schweitzer, P. Attack–defense trees and two-player binary zero-sum extensive form games are equivalent. In Proceedings of the International Conference on Decision and Game Theory for Security, Berlin, Germany, 22–23 November 2010; pp. 245–256. [Google Scholar]
- Mauw, S.; Oostdijk, M. Foundations of attack trees. In Proceedings of the International Conference on Information Security and Cryptology, Seoul, Republic of Korea, 1–2 December 2005; pp. 186–198. [Google Scholar]
- Scala, N.M.; Goethals, P.L.; Dehlinger, J.; Mezgebe, Y.; Jilcha, B.; Bloomquist, I. Evaluating mail-based security for electoral processes using attack trees. Risk Anal. 2022, 42, 2327–2343. [Google Scholar] [CrossRef]
- Audinot, M.; Pinchinat, S.; Kordy, B. Is my attack tree correct? In Proceedings of the European Symposium on Research in Computer Security, Oslo, Norway, 11–15 September 2017; Springer: Berlin/Heidelberg, Germany, 2017; pp. 83–102. [Google Scholar]
- Schiele, N.D.; Gadyatskaya, O. A Novel Approach for Attack Tree to Attack Graph Transformation. In Proceedings of the International Conference on Risks and Security of Internet and Systems, Sousse, Tunisia, 7–9 December 2022; pp. 74–90. [Google Scholar]
- Yu, L.; Chen, K.; Chang, Y.; Chen, A.; Yin, Q.; Zhang, H. A New Correlation Model of IoT Attack Based on Attack Tree. In Proceedings of the 2021 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech), Calgary, AB, Canada, 25–28 October 2021; pp. 930–935. [Google Scholar]
- Manaf, M.R.A.; Nawi, A.M.; Tauhid, N.M.; Othman, H.; Rahman, M.R.A.; Yusoff, H.M.; Safian, N.; Ng, P.Y.; Manaf, Z.A.; Kadir, N.B.A.; et al. Prevalence of metabolic syndrome and its associated risk factors among staffs in a Malaysian public university. Sci. Rep. 2021, 11, 1–11. [Google Scholar] [CrossRef] [PubMed]
- Ibrahim, M.A.; Shukur, Z.; Zainal, N.; Marzuki, N.; Zakaria, O.; Yusof, M.M. Legalizing Software For Measuring Instruments: A Proposed Plan For Malaysian Case Study. Asia-Pac. J. Inf. Technol. Multimed. 2018, 9, 99–109. [Google Scholar] [CrossRef]
- Ibrahim, M.A.; Marzuki, N.; Shukur, Z.; Zainal, N. A Proposed Plan in Legalising Software for Measuring Instruments in Malaysia. In Proceedings of the 2018 Cyber Resilience Conference (CRC), Putrajaya, Malaysia, 13–15 November 2018; pp. 1–4. [Google Scholar]
- Berk, R.A. Predictive Policing, and Risk Assessment for Law Enforcement. Annu. Rev. Criminol. 2021, 4, 37. [Google Scholar] [CrossRef]
- Ahmed, F.; Straub, J. Initial Work on the Development of a Hardware-Based Gradient Descent Trained Expert System. Systems 2022, 10, 160. [Google Scholar] [CrossRef]
- Wang, J.; Han, Z.; Peng, C.; Wu, D. Preliminary study of parameter optimizations toward a lab-designed acoustic-based volume measuring system for weights. Measurement 2022, 197, 111244. [Google Scholar] [CrossRef]
- Brown, C.; Elo, T.; Hovhannisyan, K.; Hutzschenreuter, D.; Kuosmanen, P.; Maennel, O.; Mustapaa, T.; Nikander, P.; Wiedenhoefer, T. Infrastructure for Digital Calibration Certificates. In Proceedings of the 2020 IEEE International Workshop on Metrology for Industry 4.0 & IoT, Roma, Italy, 3–5 June 2020; pp. 485–489. [Google Scholar]
Notation | Description |
---|---|
Prop | Set of propositions |
ι | Initial configuration |
γ | Final configuration |
Տ | State transition system |
S | Finite transition set |
s | Element/state |
ℕ | A set of natural numbers |
λ: Prop→2S | Labelling function |
Π, ρ | Path |
υ | Attack vector |
T | Attack tree |
α | Set of attributes |
Ɽ | Risk scoring |
⟨ιn,γn⟩ | Leaf/goal |
OP | Operator |
Description | Esche | Audinot |
---|---|---|
Tree Model | generic | formal |
Refinement | OR, AND | OR, AND, SAND |
Node Name | informal, ordinary text-based | formal notation ⟨ι, γ⟩ |
Node Description | action-based | state-based |
Design validation | unavailable | finite state transition |
Symbol | Attribute |
---|---|
Du | time required |
Ex | expertise |
Kn | knowledge required |
Wn | windows of opportunity |
Eq | equipment required |
Component | Description |
---|---|
SCE | Ciphertext of SCP |
KA | Public Key (RSA) |
ȻKA | Checksum of KA which undergone polynomial transformation Ť |
Field | Description |
---|---|
Certificate owner | Name of approval |
Approval number | Approval number |
Approval mode | Mode of approval (full/conditional) |
Date of approval | Effective date of approval |
Validity period | The duration of approval validity |
Software name | The official software name |
LR module | List of LR module |
Field | Description |
---|---|
υt | Attacker wants to fake the QF without any trace. |
υ1 | Attacker wants to obtain the QF. |
υ11 | The attacker extracts QF which is embedded inside the ME and tries to rebuild it into a single file. |
υ12 | Attacker tries to obtain the QF which is already in a single file form. |
υ2 | Attacker tries to amend the SCP information inside the QF. |
υ21 | Attacker tries to obtain the KA which is part of elements in QF. |
υ22 | Attacker decrypts the SCP using KA. |
υ23 | Attacker amends the information inside SCP into SCP′. |
υ3 | Attacker reorganize, reform the QF into fake QF′. |
υ31 | Attacker generates fake KP′. |
υ32 | Attacker encrypts the SCP′ using KP′. |
υ33 | Attacker tries to obtain the Ť algorithm and recalculate the transformed polynomial based on SCP′ and KA′. |
υ34 | The attacker reforms and rebuilds the QF’ again using fake components. |
Variable | z0 | z1 | z2 | z3 | z4 | z5 | z6 | z7 | z8 | z9 |
---|---|---|---|---|---|---|---|---|---|---|
Q | Q− | Q+ | Qg | Qg | Qg | Qg | Qg | Qg | Qg | Qt |
PKey | NaC | NaC | NaC | AcG | AcG | AcG | AcF | AcF | AcF | AcF |
ScP | Uo | Uo | Uo | Uo | Op | Oe | Oe | Oc | Oc | Oc |
TpRev | ff | ff | ff | ff | Ff | ff | ff | ff | tt | tt |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Ibrahim, M.A.; Qamar, F.; Shukur, Z.; Zainal, N.; Marzuki, N.; Siregar, M.U. Formalizing Attack Tree on Security Object for MySANi in Legal Metrology. Systems 2023, 11, 49. https://doi.org/10.3390/systems11010049
Ibrahim MA, Qamar F, Shukur Z, Zainal N, Marzuki N, Siregar MU. Formalizing Attack Tree on Security Object for MySANi in Legal Metrology. Systems. 2023; 11(1):49. https://doi.org/10.3390/systems11010049
Chicago/Turabian StyleIbrahim, Muhammad Azwan, Faizan Qamar, Zarina Shukur, Nasharuddin Zainal, Nazri Marzuki, and Maria Ulfah Siregar. 2023. "Formalizing Attack Tree on Security Object for MySANi in Legal Metrology" Systems 11, no. 1: 49. https://doi.org/10.3390/systems11010049
APA StyleIbrahim, M. A., Qamar, F., Shukur, Z., Zainal, N., Marzuki, N., & Siregar, M. U. (2023). Formalizing Attack Tree on Security Object for MySANi in Legal Metrology. Systems, 11(1), 49. https://doi.org/10.3390/systems11010049