SysML Models and Model Transformation for Security

Florian Lugou, Letitia W. Li, Ludovic Apvrille and Rab

ea Ameur-Boulifa

LTCI, CNRS, T

ecom ParisTech, Universit

e Paris-Saclay, Campus SophiaTech, 450 route des Chappes, 06410, Sophia

Antipolis, France

Keywords:

SysML-Sec, Security, Model-driven Engineering, Model Transformation, ProVerif, TTool.

Abstract:

The security ﬂaws of embedded systems have become very valuable targets for cyber criminals. SysML-Sec

has been introduced to target the security of these systems during their development stages. However, assessing

resistance to attacks during these stages requires efﬁciently capturing the system’s behavior and formally

proving security properties from those behaviors. This paper thus proposes (i) novel SysML block and state

machine diagrams enhanced to better capture security features, and (ii) a model-to-Proverif transformation.

ProVerif is a toolkit ﬁrst released for the formal analysis of security protocol, but it can be used more generally

to assess conﬁdentiality and authenticity properties. This paper demonstrates the soundness of our approach

using a complex asymmetric key distribution protocol.

1 INTRODUCTION

The growing proportion of connected embedded sys-

tems and cyber-physical systems offer more opportu-

nities for attack to cyber criminals. To cite only a few

examples of past attacks on such connected systems,

we can mention ADSL routers (Assolini, 2012), mo-

bile&smart phones (Maslennikov, 2010), avionic or

automotive systems (Hoppe et al., 2011), and smart

objects e.g. the recent vulnerability disclosed on the

Fitbit (Apvrille, 2015). Security ﬂaws have even been

disclosed on medical appliances, such as on the Hos-

pira Symbiq drug pump (ICS-CERT, 2015). Such at-

tacks also target industrial systems whose sensors are

increasingly commonly connected with vulnerable in-

formation systems, as demonstrated by the Stuxnet,

Flame, and Duqu (Maynor, 2006) attacks. The de-

pendability of such systems are targeted with varying

objectives, e.g., terrorist acts and ransomware.

System complexity in terms of code size, distri-

bution, and heterogeneity among others is a major

risk factor. One solution to better consider the risk

of these systems is to take all of their constraints

into account, including security, during their devel-

opment cycle. We previously introduced the SysML-

Sec environment to handle the design of such com-

plex systems, in terms of safety, performance, and

security (Apvrille and Roudier, 2015). SysML-Sec

addresses system development starting from require-

ments and possible attacks, taking into account soft-

ware/hardware partitioning. After the partitioning

stage, SysML-Sec also supports the design of soft-

ware components, again with safety and security in

mind. TTool is the free/open-source support tool of

SysML-Sec (Apvrille, 2003).

TTool relies on UPPAAL for safety proofs, and

on ProVerif to perform security proofs from SysML-

Sec block diagrams. However, SysML-Sec has sev-

eral strong limitations both in terms of modeling

(i.e., modeling security features), and in terms of

proofs (limitations in the models-to-proverif transfor-

mations). The paper addresses several of these lim-

itations, with new modeling and transformation ap-

proaches. In particular, we have fully formalized and

implemented the model transformation.

The next section gives the related work in terms of

modeling and proof environment for security. Section

3 presents SysML-Sec. Section 4 focuses on the mod-

eling extensions as well as on the models-to-proverif

transformations. Section 5 presents the updated ver-

sion of TTool and the validation features. Lastly, sec-

tion 6 concludes the paper.

2 RELATED WORK

Assessing security properties when designing soft-

ware components mostly relies on formal approaches.

For example, (Toussaint, 1993) proposes verifying

cryptographic protocols with a probabilistic analysis

approach. Protocols are represented as trees whose

Lugou, F., Li, L., Apvrille, L. and Ameur-Boulifa, R.

SysML Models and Model Transformation for Security.

DOI: 10.5220/0005748703310338

In Proceedings of the 4th International Conference on Model-Driven Engineering and Software Development (MODELSWARD 2016), pages 331-338

ISBN: 978-989-758-168-7

331

nodes capture knowledge while edges are assigned

transition probabilities. Although these trees could in-

clude malicious agents in order to model attacks and

threats, security properties are nonetheless not explic-

itly represented. Moreover, for threat analysis, attacks

should be explicitly expressed and manually solved.

(Trcek and Blazic, 1995) deﬁnes a formal basic set

of security services for accomplishing security goals.

In this approach, security property analysis strongly

relies on the designer’s experience. Moreover, threat

assessment is not easily feasible.

In more recent efforts, temporal logic languages

have been used for expressing security properties.

(Drouineaud et al., 2004) introduces a ﬁrst order Lin-

ear Temporal Logic (LTL) into the Isabelle/HOL the-

orem prover, thus making it possible to model both

a system and its security properties, but unfortu-

nately leading to non-easily reusable speciﬁc mod-

els. (Ma

na and Pujol, 2008) mixes formal and in-

formal security properties, but the overall veriﬁcation

process is not completely automated, again requiring

speciﬁc skills. Analogously, the Software Architec-

ture Modeling (SAM) framework (Ali et al., 2009)

aims to bridge the gap between informal security re-

quirements and their formal representation and ver-

iﬁcation. SAM uses formal and informal security

techniques to accomplish deﬁned goals and mitigate

ﬂaws. Thus, liveness and deadlock-freedom prop-

erties can be veriﬁed on LTL models relying on the

Symbolic Model Veriﬁer (SMV). Even if SAM relies

on a well established toolkit - SMV - and considers

a threat model, the ”security properties to proof” pro-

cess is not yet automated.

UMLsec (J

urjens, 2007) is a modeling framework

aimed at deﬁning security properties of software com-

ponents and of their composition within a UML

framework. It also features a rather complete frame-

work addressing various stages of model-driven se-

cure software engineering from the speciﬁcation of

security requirements to tests, including logic-based

formal veriﬁcation regarding the composition of soft-

ware components.

More recently, (Shen et al., 2014) developed an ex-

panded UML model extending the sequence diagrams

of UML for security protocol veriﬁcation. Their

approach also included translating the model into

ProVerif for veriﬁcation of conﬁdentiality and cor-

respondance. However, our work includes state dia-

grams for the capability to model a broader range of

protocol. Basic sequence diagrams may model only

a single execution, while state diagrams may model

protocol containing if statements and loops. Further-

more, our process includes veriﬁcation of weak and

strong authenticity.

With regard to our previous publications, we pro-

pose a way to better model situations (e.g., loops) and

their models-to-proverif transformation, taking into

account the capabilities and limitations of ProVerif.

We thus manage to limit cases where the proof of

security properties would fail, without impacting the

safety proof capabilities of SysML-Sec diagrams.

3 CONTEXT

3.1 SysML-Sec

SysML-Sec connects goal-oriented descriptions of se-

curity requirements and attacks (left section of Figure

1), and the ﬁne-grained representation of assets based

on the software / hardware partitioning (right upper

section of Figure 1). SysML-Sec also supports phases

of the V-cycle after the partitioning stage (lower right

of Figure 1), and notably the design of the software-

partitioned functions. The design stage includes the

deﬁnition of security mechanisms, and the reﬁnement

of security requirements in security properties to be

proved in the design: we address this stage in the pa-

per. Veriﬁcation takes place at different engineering

phases. Simulation is mostly used at the partition-

ing stage in order to evaluate the impact of security

mechanisms in terms of performance. Formal veri-

ﬁcation intends to prove the resilience of the system

under design to threats. Testing serves a similar pur-

pose, but on the deployed implementation resulting

from the design models (Apvrille and Roudier, 2015).

A SysML-Sec design is composed of SysML

block and state machine diagrams.

SysML-Sec blocks can deﬁne a set of methods

corresponding to cryptographic algorithms, such as

encrypt(), to be able to describe security mechanisms

built upon these algorithms, e.g., cryptographic proto-

cols. Blocks can also pre-share values, a feature com-

monly needed to set up cryptographic protocols.

The formal proof of SysML-Sec designs relies

on UPPAAL (Bengtsson and Yi., 2004) and ProVerif

(Blanchet, 2009) respectively for the proof of safety

and security properties.

ProVerif is a toolkit that relies on Horn clauses

resolution for the automated analysis of security prop-

erties over cryptographic protocols, under the Dolev-

Yao model. ProVerif takes in input as a set of Horn

Clauses, or a speciﬁcation in pi-calculus together with

a set of queries. ProVerif then outputs whether each

query is satisﬁed or not. In the latter case, ProVerif

tries to identify a trace explaining how it came to the

conclusion that a query is not satisﬁed.

MODELSWARD 2016 - 4th International Conference on Model-Driven Engineering and Software Development

332

System Design

SW/HW Partitioning

Requirements

Architectural view

Mapping view

Simulation

Formal analysis

Functional view

Simulation

Formal analysis

Structural view

Behavioral view

Deployment view

Simulation

Formal analysis

Test

Attacks

Simulation

Formal analysis

Contribution

Of this paper

Figure 1: Overall SysML-Sec Methodology.

Safety proofs take into account all design el-

ements besides ones speciﬁcally deﬁned for secu-

rity purposes: security-oriented pragmas and crypto-

graphic methods that have no impact on safety prop-

erties (liveness, reachability). Similarly, the proof of

security properties abstracts away irrelevant or non

supported system details. For example, the security

proof does not require temporal information, so tem-

poral operators (after clause) are not taken into ac-

count. Other modeling elements, like loops, are ig-

nored by the translation process.

3.2 Missing Features in SysML-Sec

Design Diagrams

In the years since we ﬁrst proposed a translation from

a SysML-Sec model to ProVerif, we gathered valu-

able feedback from devoted testers. Among easily

corrected corner cases or usability bugs, some robust-

ness issues indicated more fundamental problems.

These issues were often related to a mismatch be-

tween the semantics of features in SysML-Sec and

their counterparts in ProVerif. We present some of the

most important issues that motivated us to completely

rework the translation process:

Loops. Often, users take advantage of the veriﬁcation

feature embedded in TTool in order to assess the se-

curity of a system that provides a service. For some

systems, modeling their state machines using loops

seems natural. Unfortunately, ProVerif tries to ﬂatten

the given speciﬁcation as a ﬁrst step. Using a straight-

forward translation as it was implemented, veriﬁca-

tion on a design containing loops would not terminate.

We address this signiﬁcant drawback in this paper.

Private Channels. As in ProVerif, SysML-Sec en-

ables the user to model two types of channels: private

and public. While their semantics should be the same

for ProVerif, their behaviors with respect to reacha-

bility queries differ. ProVerif considers that a mes-

sage sent should always be received. On private chan-

nels, only explicitly speciﬁed entities can read the

sent message, while on public channels, the message

can also be read by the attacker. When assessing the

reachability of an event, ProVerif tries to reconstruct

a trace and stop at the exact moment when the event

is triggered. Therefore, if the event occurs just after

a message was sent on a private channel, the message

would not yet be read. ProVerif would thus consider

the trace invalid, returning a cannot be proved result.

As we wished, in our context, to provide the ability

to prove reachability properties, modifying the private

channel representation was also an important issue we

addressed in our work.

4 EXTENDED DIAGRAMS

4.1 Design Diagrams in Depth

In TTool, the user ﬁrst builds the block diagram and

associated state diagrams as a graphical model. The

block diagram describes the architecture and compo-

nents of the system, and state diagrams associated

with blocks describe their behavior.

We present an example from the European FP7

EVITA project, which deﬁnes security architec-

ture for automotive communication systems (Kelling

et al., 2009). In this architecture, safety critical ECUs

(Electronic Control Units) are interconnected with

CAN or Flexray buses. Automotive systems are likely

to be attacked either for economic reasons (activating

optional features for free), or for criminal purposes.

The interconnection of automotive systems to infor-

mation systems (roads signs, tolls, etc.) and Internet

offers new ways to conduct attacks on those systems.

To avoid attacks and their propagation on the

ECUs, session keys are regularly distributed among

groups of related ECUs. Figure 2 presents the block

diagram of an asymmetric key distribution protocol

with entities ECU1 and ECU2. An extract of their

SysML Models and Model Transformation for Security

333

Figure 2: Block Diagram for Asymmetric Key protocol.

Figure 3: State Diagrams for ECU1 and ECU2.

state diagrams describing their communication proto-

col is shown in Figure 3. ECU1 processes the key

and sends it on a public channel, and ECU2 recieves

the message, veriﬁes the key, and uses it to send mes-

sages. The locks show veriﬁcation results to be de-

scribed in section 5.

The graphical model is translated for veriﬁcation

in ProVerif, UPPAAL, etc. A detailed formal descrip-

tion is provided in subsection 4.1.2.

4.1.1 Extending SysML-Sec with Pragmas

Not all model parameters and queries are stated

graphically within the block and state diagram. For

example, we needed the capability to declare two at-

tributes equal at the start of a session. We extended

SysML with pragmas, i.e. formal text notes regard-

ing the attributes of the system. Pragmas are classi-

ﬁed into Model Pragma or Property Pragma. Model

Pragmas provide more security-oriented semantics to

attributes of blocks, while Property Pragmas describe

security properties of block attributes or state ma-

chines. The pragmas are described in Table 1.

4.1.2 Formalization of SysML-Sec Diagrams

In an attempt to provide a reliable mathematical base

for the proofs performed by ProVerif on a SysML-

Sec design diagram, we decided to formally express

the transformations performed on the model as it is

described in TTool. This formalization will provide

understanding on both how we managed to link a gen-

eral purpose SysML diagram to a ProVerif speciﬁca-

tion that relies on Horn clauses, and where sources of

incompleteness may come from. This formalization

is also a ﬁrst step in building a mathematical proof of

equivalence for a future work.

A ﬁrst transformation translates timer-related ca-

pabilities into a set of blocks and signals. The latter

are inherently taken into account in our formalization.

Formally, let us denote D the set of SysML-Sec

diagrams; d ∈ D ::= (B,M

), where B is a set of

blocks, M

is a set of model pragmas and P

is a set

of property pragmas.

We deﬁne a block b ∈ B ::=

(A,M ,Σ,ss,E, S,O,T , L), where A is a set of

attributes, M a set of methods, Σ a set of signals, ss

a start state, E a set of end states, S a set of states,

O a set of operations, T a set of transitions and L a

labeling function that associates attributes, methods,

signals and states to their qualiﬁed name. Attributes,

methods and signals can be mapped to their matching

graphical elements in the block view, while states,

operations and transitions correspond to the state

machine of the considered block.

To each attribute a ∈ A is associated a type: a set

of concrete values that the attribute may take. We call

valuation a mapping that returns a value for each at-

tribute a ∈ A. We suppose that we are able to con-

struct patterns over A. A pattern denoted p is com-

posed of applications of methods or simple operators

(=, and, +, etc.) to elements of A.The set of patterns

over A is denoted P . We slightly extend the labeling

function L to accept well-formed patterns as input.

The operations set O is deﬁned to be a disjoint

union of sets of elementary operations:

O = O

rdm

] O

out

] O

where O

rdm

is a set of randoms operations and O

out

and O

a set of out and in actions respectively. We

encode by ν.a the randoms operations, by ¯mhpi the

out actions and by mhai the in actions with m ∈ Σ,

p ∈ P and a ∈ A.

Finally, we deﬁne a transition t ∈ T as a tuple

(i,o,g,R) where:

• i ∈ {ss} ∪ S ∪ O is the incoming node.

• o ∈ E ∪ S ∪ O is the outgoing node.

MODELSWARD 2016 - 4th International Conference on Model-Driven Engineering and Software Development

334

Table 1: Pragma Descriptions.

Pragma Description

Model Pragma

PrivatePublicKeys Two attributes of a block are set as Private Key and Public Key, respectively

InitialSessionKnowledge Listed attributes have the same value at the start of a session

InitialSystemKnowledge Listed attributes have the same value when the system starts

SecrecyAssumption Listed attributes are assumed secret. ProVerif veriﬁes this afterwards

Constant Declares a string as a possible constant value

Property Pragma

Conﬁdentiality/Secret Query the conﬁdentiality of attributes listed

Authenticity Query the weak and strong authenticity of the two attributes at given states

• g ∈ G is a guard, which is a pattern whose valu-

ation is a boolean value. An empty guard is de-

noted true: a pattern that is always evaluated to

true.

• R = (A × P )

i∈N

is a ﬁnite family of actions (pairs

attribute and pattern), indexed over N. Each tran-

sition can indeed be labeled with a set of actions

corresponding to assignments of attributes.

We only deal with well formed blocks so as to map

with the intuitive semantic of SysML diagrams. For

instance, no transition can reach the start state (ss) or

come from an end state, and multiple transitions can

only join or split at a state and not at an operation.

As we wish to use the ProVerif backend to per-

form a security proof on a SysML-Sec diagram, such

a diagram must ﬁrst be translated in order to match an

equivalent representation that ProVerif can handle.

4.2 Semantics of ProVerif

ProVerif works with two different semantics: Horn

clauses and pi-calculus. When translating from

SysML-Sec to ProVerif, we generate a pi-calculus

speciﬁcation. The generation takes advantage of the

Horn clauses semantic to model concepts, such as

loops in the state machine diagram, that are not di-

rectly supported by ProVerif.

To enable a more thorough understanding of the

proof provided by TTool, one should ﬁrst familiarize

oneself with the ProVerif proof engine. We thus try

to brieﬂy present ProVerif in this section and refer in-

terested readers to the manuals and white papers for a

better understanding.

Pi-calculus enables description of protocols in term of

processes executing in parallel and exchanging mes-

sages over channels. Processes can split to create con-

currently executing processes, and replicate to model

multiple executions (called sessions) of a given pro-

tocol. Cryptographic primitives, such as symmetric

and asymmetric encryption or hash, can be modeled

through functions that are either constructors, which

create new values, or destructors, which reduce the

number of applied constructors in an expression .

Starting from this speciﬁcation, reachability, cor-

respondence and conﬁdentiality properties can be

queried and ProVerif will present a result to the user

that is either true if the property is veriﬁed, false if

a trace that falsiﬁes the property has been found, or

cannot be proved if ProVerif failed in asserting or re-

futing the queried property. Such failures in prov-

ing properties over an unbounded number of sessions

and unbounded message space are unfortunately un-

avoidable since this problem is undecidable (Durgin

et al., 2004). Thus, sound approximations are made

by ProVerif when translating the pi-calculus speciﬁ-

cation into Horn clauses.

4.3 SysML-Sec to ProVerif Translation

Some components of the SysML-Sec diagram can be

mapped to their ProVerif counterparts quite straight-

forwardly since we borrow the attacker model and

the channel semantic from ProVerif. However, for

other components, like loops on the state machine dia-

gram or private channels, we had to carefully consider

ProVerif reasoning in order to avoid as much as possi-

ble cases where the proof would fail. In the following

sections, we will present the entire translation process

and provide more details about non-obvious features

or situations.

4.3.1 Partitions of a SysML-Sec Diagram

Since a SysML-Sec state machine diagram may con-

tain loops, we need either to unroll these loops up to

a certain limit, or to reuse the part of the translated

speciﬁcation that could be executed multiple times.

Both of these choices have been considered in static

analysis works and are strategically important, since

allowing jumps in the speciﬁcation often incurs a loss

in terms of completeness, while ﬂattening the graph

by limiting the number of repetitions affects the cor-

rectness of the proof.

SysML Models and Model Transformation for Security

335

In order to maintain the soundness guaranteed

by ProVerif, we chose not to limit the loops. As

such, the ﬁrst step in translating a SysML-Sec Dia-

gram composed of well-formed blocks to a ProVerif

speciﬁcation is to determine the initial state of ev-

ery basic block in every block. A basic block

(s,E, S,O, T ) is a sub-part of a block that can be con-

sidered atomic with only one entry point. From a

block b = (A,M ,Σ,ss,E,S ,O, T , L) ∈ B one can

construct a set of basic blocks (denoted by BB(b))

which forms a partition of the states, operations and

transitions sets.

We deﬁne Init

(b) as the set of initial states of

basic blocks. This set is a collection of all states that

have at least two different incoming transitions.

Init

(b) = {ss} ∪ {s|s ∈ S ∧ ∃(i,s,g,R) ∈ T ,

∃(i

,s,g

) ∈ T .(i,s,g,R) 6= (i

,s,g

)}

We give the construction function of basic blocks

from traversal of a SysML-Sec Diagram. This func-

tion denoted by → is speciﬁed in terms of a set of

inference rules. The construction rules of each basic

block begins from its initial state.

s ∈ Init

(b)

(s,

i ∈ {s} ∪ S ∪ O (i,o,g,R) ∈ T r T

(s,E,S,O,T ) → (s,E,S, O, T ∪ {(i,o,g,R)})

n ∈ E r E ∃(i, n, g,R) ∈ T

(s,E,S,O, T ) → (s,E ∪ {n}, S, O,T )

n ∈ S r S n /∈ Init

(b) ∃(i,n,g,R) ∈ T

(s,E,S,O, T ) → (s,E,S ∪ {n},O,T )

n ∈ O r O ∃(i,n,g,R) ∈ T

(s,E,S,O, T ) → (s,E,S, O ∪ {n},T )

A basic block is built by adding recursively all

transitions and nodes – which are not initial states –

that are in a path starting from an initial state.

4.3.2 Translating Basic Blocks

The translation function of each basic block

(s,E, S,O, T ) ∈ BB(b) is given by the function J., .K :

state, set of transitions → pi-calculus code, unfolding

the set of transitions into a ProVerif speciﬁcation. We

build the code by concatenating the generated instruc-

tions. For this we use the concatenation operator ⊕.

The translation rules are deﬁned formally in Table 2;

they are listed in the order they should be applied. Let

us brieﬂy explain the translation rules from Table 2.

Rule (a) deals with multiple outgoing transitions, it

should be applied when there are more than one out-

going transitions (|I| > 1). (b) translates guards and

( f ), (g) and (h) with operations. Finally, (i) stops

the translation algorithm. Note that (e) also stops the

translation since it deals with transition linking this

basic block to an other (more details are given in Sec-

tion 4.3.3).

When a state is followed by multiple outgoing

transitions, it can use any of them as long as the

boolean condition that guards the transition is veri-

ﬁed. From a security point of view, any trace of at-

tacks using one of these transitions is valid. This is

conceptually equivalent to letting the attacker choose

which transition to take in case of nondeterministic

transitions. We model this in rule (a) by creating

values corresponding to each transition, making them

public, and waiting for a value corresponding to the

attacker’s choice.

4.3.3 Pragmas and Basic Block Linking

Rule (e) shows how control is passed from one basic

block to the next. ProVerif supports simple process

calls by ﬂattening them, and as a result, does not ter-

minate for diagrams containing loops. Thus, instead

of directly calling basic blocks, we generate tokens

of the form tok(call L(n

),arg) and make them avail-

able to the attacker. One such token allows the at-

tacker to execute the basic block whose initial state is

∈ Init

(b), with the values of the attributes of the

block being passed as argument (arg =

[

a∈A

{L(a)}).

This token should only be used once, and only

in the right session, so we add to the token a ses-

sion identiﬁer to guarantee that the token is forged

and used in the same session, and use a nonce mech-

anism to prevent its reuse. Unfortunately, due to

ProVerif approximations – which are unavoidable –

using nonce affects the ability of ProVerif to prove

properties (mostly strong authenticity) in the presence

of loops.

5 VALIDATION IN TTool

ProVerif results are passed back to TTool as a text

ﬁle containing results. Reachable state queries are

performed for all states, while authenticity and con-

ﬁdentiality queries are performed only for attributes

listed in pragmas. Relevant results from the model

from subsection 4.1 are presented either as a list of

MODELSWARD 2016 - 4th International Conference on Model-Driven Engineering and Software Development

336

Table 2: Basic block translation rules.

Jn,TK=











i∈I

”new choice

; out choice

”

”in choice”

i∈I



”if choice=choice

then” ⊕ Jn

∪ {t



if T=T

] T

={t

∈T|t

=(n,n

)} (a)

”if L(g) then” ⊕ Jn

,T r t ∪ {(n,n

,true,R)}K if ∃ t = (n,n

,g,R) ∈ T |g 6= true (b)

”let L(a) = L(p) in” ⊕ Jn

,T r t ∪ {(n,n

,true,R

)}K if ∃ t = (n,n

,true,R) ∈ T|R = (a, p) :: R

(c)

”event enteringState (L(n

))” ⊕ Jn

,T r tK if ∃ t = (n,n

,true,

0) ∈ T |n

∈S r Init

(b) (d)

”out (chctrl, tok(call L(n

),arg)) · ” if ∃ t = (n,n

,true,

0) ∈ T |n

∈ Init

(b) (e)

with arg =

[

a∈A

{L(a)}

”new L(a)” ⊕ Jν.a,T r tK if ∃ t = (n,ν.a,true,

0) ∈ T ( f )

”out(L(m),L(p))” ⊕ J ¯mhpi, T r tK if ∃ t = (n, ¯mhpi, true,

0) ∈ T (g)

”in(L(m),L(a))” ⊕Jmhai,T r tK if ∃ t = (n,mhpi,true,

0) ∈ T (h)

” · ” Otherwise (i)

e.g. Reachable States, Non Reachable States, Conﬁ-

dential Data, Satisﬁed Authenticity . . . .

For user convenience, the text results are also con-

veyed on the block and state diagrams, as previously

shown in Figure 2 and 3.

After a ProVerif veriﬁcation, the state diagram dis-

plays the reachability of states, with red locks sig-

nifying unreachable states, and green ones signify-

ing reachable ones. The block diagram displays the

Authenticity and Conﬁdentiality veriﬁcation results,

shown on pragma as a colored split lock, the bottom

left half referring to Strong Authenticity, and the top

right half referring to Weak Authenticity. A lock half

colored green refers to satisﬁed authenticity, red to

non-satisﬁed, and grey refers to that which cannot be

proved. Attributes proven conﬁdential are displayed

with a green lock and those proven non-conﬁdential

are displayed with a red lock.

From the asymmetric key distribution described in

section 4.1, we exemplify the capabilities and limi-

tations of our translation to ProVerif. The ProVerif

veriﬁcation in Figure 2 shows that conﬁdentiality was

veriﬁed for the keys mvksk and idk1sk in both ECU1

and ECU2. Both Strong and Weak Authenticity were

proven for the two authenticity queries shown.

In the state diagrams shown in Figure 3, we con-

ﬁrm that states critical to the protocol are reachable,

and that the protocol is capable of completion. States

such as UnexpectedMsg6, which would be reachable

only due to unexpected behavior, are conﬁrmed to be

unreachable.

Next, we demonstrate that we are capable of per-

forming security veriﬁcation on state diagrams con-

taining loops. Within ECU2, we add a transition from

the last state ProtocolRunEnded back to the ﬁrst state

WaitingForMsg0 to form a loop. No other modiﬁca-

tions are made to the block or state diagrams. ECU2

is now ready to pair with any willing entity and should

use a different key for each session.

The Conﬁdentiality properties remain identical,

but the authenticity properties have changed as shown

in Figure 4. Strong Authenticity is no longer ver-

iﬁed with the loop because an attacker that would

have intercepted the whole exchange between ECU1

and ECU2 would be able to replay it to ECU2. This

could be corrected by using nonce instead of times-

tamps, which are considered constant. Our case study

presents an example validation and the changes due

to loops.

Figure 4: Asymmetric Key Distribution Protocol with Loop

Authenticity Result.

6 CONCLUSIONS

SysML-Sec targets the full development cycle of a

safe and secure embedded system. It is supported by

a user-friendly toolkit explicitly supporting safety and

security engineering, and offering formal veriﬁcation

at the push of a button. Yet, previous contributions for

the proof of security properties had strong limitations

both in terms of modeling and proof capabilities. The

paper thus proposes a fully novel approach based on

new modeling elements (pragmas) and a new model-

to-proverif transformation. The paper formalizes both

the modeling elements and the transformation. In par-

ticular, this paper shows that our approach now sup-

ports loops and private channels, and its integration

into TTool.

SysML Models and Model Transformation for Security

337

Nonetheless, translating SysML-Sec diagrams to

ProVerif still includes limitations. They depend either

on ProVerif limitations or on the new translation pro-

cess. We present them here as a warning to potential

users and as leads for potential future work.

Loops. Even though our current translation of loops

enables proof of most properties — proof of strong

authentication would sometimes fail — and gives

sound results for others, the introduction of nonces

for chaining basic blocks may in some cases cause

ProVerif to produce a cannot be proved result. We

made this compromise since loops were likely to re-

duce the completeness of the proof. A possible im-

provement would be to enable the user to manually

provide hints to help ProVerif in its proof for diagrams

containing loops.

Arithmetic. When translating the SysML-Sec dia-

gram to ProVerif we discard any arithmetic-related

operation that is performed in actions or guards. In

fact, ProVerif has no representation for arithmetic, re-

garding operations or even types like numbers. Tak-

ing these operations into account would require us to

deeply modify the ProVerif proof engine, such as in-

terfacing it with a theory solver for instance. This is

not part of our work in the foreseeable future.

Time. Even though timers are taken into account

by our current translation, SysML after clauses are

not yet handled. However, features were added to

ProVerif in order to enable modeling of phases which

could possibly be used to translate these clauses to

some extent.

Other future work include a mathematical proof of

equivalence and a design-to-executable code process

preserving security properties.

REFERENCES

Ali, Y., El-Kassas, S., and Mahmoud, M. (2009). A rig-

orous methodology for security architecture modeling

and veriﬁcation. In Proceedings of the 42nd Hawaii

International Conference on System Sciences, volume

978-0-7695-3450-3/09. IEEE.

Apvrille, A. (2015). Geek usages for your ﬁtbit ﬂex tracker

hack.lu, luxemburg, october 2015. Slides at fra-

madrive.org/index.php/s/Wk6nxAKMpVTdQl4.

Apvrille, L. (2003). TTool. ttool.telecom-paristech.fr.

Apvrille, L. and Roudier, Y. (2015). SysML-Sec: A model

driven approach for designing safe and secure sys-

tems. In 3rd International Conference on Model-

Driven Engineering and Software Development, Spe-

cial session on Security and Privacy in Model Based

Engineering, France. SCITEPRESS Digital Library.

Assolini, F. (2012). The Tale of One Thousand and One

DSL Modems, kaspersky lab.

Bengtsson, J. and Yi., W. (2004). Timed automata: Seman-

tics, algorithms and tools. In Lecture Notes on Con-

currency and Petri Nets, pages 87–124. W. Reisig and

G. Rozenberg (eds.), LNCS 3098, Springer-Verlag.

Blanchet, B. (2009). Automatic Veriﬁcation of Correspon-

dences for Security Protocols. Journal of Computer

Security, 17(4):363–434.

Drouineaud, M., Bortin, M., Torrini, P., and Sohr, K.

(2004). A ﬁrst step towards formal veriﬁcation of se-

curity policy properties for rbac. In QSIC’04, pages

60–67, Washington, DC, USA.

Durgin, N., Lincoln, P., Mitchell, J., and Scedrov, A. (2004).

Multiset rewriting and the complexity of bounded se-

curity protocols. J. Comput. Secur., 12(2):247–311.

Hoppe, T., Kiltz, S., and Dittmann, J. (2011). Security

Threats to Automotive CAN Networks - Practical Ex-

amples and Selected Short-Term Countermeasures.

Rel. Eng. & Sys. Safety, 96(1):11–25.

ICS-CERT (2015). Hospira lifecare pca infusion sys-

tem vulnerabilities, advisory (icsa-15-125-01b).

https://ics-cert.us-cert.gov/advisories/ICSA-15-125-

01B.

urjens, J. (2007). Developing secure embedded systems:

Pitfalls and how to avoid them. In 29th International

Conference on Software Engineering (ICSE 2007),

pages 182–183. ACM.

Kelling, E., Friedewald, M., Leimbach, T., Menzel, M.,

ager, P., Seudi

e, H., and Weyl, B. (2009). Speciﬁca-

tion and Evaluation of e-Security Relevant Use cases.

Technical Report Deliverable D2.1, EVITA Project.

na, A. and Pujol, G. (2008). Towards formal speciﬁ-

cation of abstract security properties. In The Third In-

ternational Conference on Availability, Reliability and

Security, volume 0-7695-3102-4/08. IEEE.

Maslennikov, D. (2010). Russian cybercriminals on the

move: proﬁting from mobile malware. In The 20th

Virus Bulletin Internation Conference, pages 84–89,

Vancouver, Canada.

Maynor, D. (2006). Scada security and terrorism:

We’re not crying wolf! In Invited presentation

at BlackHat BH 2006. Presentation available at:

https://www.blackhat.com/presentations/bh-federal-

06/BH-Fed-06-Maynor-Graham-up.pdf, USA.

Shen, G., Li, X., Feng, R., Xu, G., Hu, J., and Feng, Z.

(2014). An extended uml method for the veriﬁca-

tion of security protocols. In Engineering of Com-

plex Computer Systems (ICECCS), 2014 19th Inter-

national Conference on, pages 19–28.

Toussaint, M. J. (1993). A New Method for Analyzing the

Security of Cryptographic Protocols. In Journal on

Selected Areas in Communications, volume 11, No. 5.

IEEE.

Trcek, D. and Blazic, B. J. (1995). Formal language for

security services base modelling and analysis. In El-

sevier Science Journal, Computer Communications,

volume Vol. 18, No. 12. Elsevier Science.

MODELSWARD 2016 - 4th International Conference on Model-Driven Engineering and Software Development

338