A STPA-based Approach for Systematic Security Analysis of In-vehicle Diagnostic and Software Update Systems

Abstract

With the continuing innovations in the safety and intelligence of automobiles, the connectivity of vehicles increases which comes with also increasing security challenges. The in-vehicle diagnostics and software update system, which is an essential part of modern vehicles that supports remote diagnostics and Over-The-Air (OTA) firmware or configuration updates, is a common attack goal in automobiles. Adversaries can inject malicious software into vehicles or steal sensitive information through in-vehicle channels. Therefore, security needs to be considered during system design. Security analysis discusses potential security issues and derives related items, like threats, risk assessment and constraints, to guide secure design. However, all security analyses of such an in-vehicle system are threats-oriented, which start from threat identification and assess risks of identified threats. In this paper, a top-down system-oriented approach is proposed on the basis of the System-Theoretic Process Analysis (STPA) approaches, which are a set of hazard analysis techniques based on the System-Theoretic Accident Model and Processes (STAMP). Since constructing control structures is an essential step in the STPA approaches, it is hard to apply STPA to systems with few control actions and a strong focus on data flows. The proposed approach extends the original STPA from the perspective of data flows and is applicable for software-intensive or data-flow-based systems. We propose an abstract system model of in-vehicle diagnostics and software update systems and use it to propose a security analysis guideline. We identify losses, hazards, insecure function behaviours and loss scenarios of this class of systems to support concrete analyses and present an example case. Comparing with other threat-oriented approaches, the STPA-based approach shifts from focusing on threats to system vulnerabilities. The former cannot be controlled by system designers, but the latter can. The proposed approach provides a new perspective for recognizing system and security issues and is efficient to prevent the system from known or even unknown threats. Furthermore, the STPA approaches have been proved to be suitable for high-level systems, like socio-technical systems, and applicable for various fields, including safety, security and privacy. As an extension of the STPA approaches, the proposed one can be well integrated into the analysis at a higher level and perform a co-analysis of vehicle systems between safety and security with a unified analysis framework.