Fazeldehkordi 2019 Security and Privacy Functionalitie
Fazeldehkordi 2019 Security and Privacy Functionalitie
Fazeldehkordi 2019 Security and Privacy Functionalitie
2021
© Elahe Fazeldehkordi, 2021
ISSN 1501-7710
i
Abstract
ii
Dedication
This thesis is dedicated to my beloved family and my fiancee for their
endless support, encouragement, patience, and love in my life and their
belief in my dreams.
Acknowledgements
This thesis would have been impossible without the support and
mentoring of my main supervisor Olaf Owe. I would like to express my
deep gratitude to him for his priceless time and help whenever I needed.
I am grateful for his continuous encouragement, inspiration, patient
guidance, fruitful discussions, constructive and constant cooperations, and
optimism throughout this work, and for all the knowledge I have learned
from him. I am also grateful for his great friendship and for teaching me
various things of life. I would like to express my special thanks to my co-
supervisor Josef Noll for his great help and support, critical suggestions,
patient guidance, and active collaboration in various papers. I would also
like to thank Martin Steffen for his constructive and useful feedbacks,
comments, discussions, interesting lectures, and for all his help whenever
I needed. I would like to thank my graduate committee members, Jüri
Vain, Svetlana Boudko, and Paal Engelstad for their great feedbacks, help,
and encouragement. I also thank Toktam Ramezanifarkhani and Christian
Johansen for their feedbacks and guidance during this research.
I would like to thank everybody involved in the IOTSEC project, in
particular I thank Habtamu Abie for his great help, support, encourage-
ment, and constructive feedbacks. I am grateful for all the great assistance
and facilities provided by the administration staff and the technical sup-
port at the Department of Technology Systems and the Department of
Informatics, University of Oslo. My thanks also go to all researchers and
professors who have crossed my path as friends and colleagues over the
years, in particular Jüri Vain.
I am grateful to my family and my fiancee. Words cannot express
how grateful I am to them. They have always encouraged and supported
me in pursuing my dreams with their love and patience, and they have
always been with me despite the distance. Finally, I would like to thank
my friend Mona for her company during these years.
This work was supported by the IOTSEC project. Additional funding
was provided by the Department of Technology Systems, SCOTT and
ConSeRNS projects.
v
Contents
Abstract i
Dedication iii
Contents vii
List of Figures xi
Part I Overview 1
1 Introduction 3
1.1 Background and Motivation . . . . . . . . . . . . 4
1.2 Research Questions . . . . . . . . . . . . . . . . 12
1.3 Methodology . . . . . . . . . . . . . . . . . . . . 13
1.4 Structure of the Thesis . . . . . . . . . . . . . . . 14
2 Theoretical Background 17
2.1 Object-Oriented Systems . . . . . . . . . . . . . 17
2.2 Concurrent Object-Oriented Systems . . . . . . . 19
2.3 Creol/ABS Language . . . . . . . . . . . . . . . 27
2.4 Formal Verification and Specification . . . . . . . 29
vii
Contents
4.1 Conclusions . . . . . . . . . . . . . . . . . . . . 49
4.2 Future Work . . . . . . . . . . . . . . . . . . . . 54
Bibliography 57
Bibliography 95
Bibliography 117
viii
Contents
Bibliography 145
Bibliography 199
ix
List of Figures
1.1 An illustration of the system development life cycle . . 5
xi
List of Figures
7.8 The graph and call/comp sets for the original version of
the program . . . . . . . . . . . . . . . . . . . . . . . . 137
7.9 The graph and call/comp sets for the modified version of
the program . . . . . . . . . . . . . . . . . . . . . . . . 137
7.10 Flooding by unbounded creation of innocent clients
targeting the same server . . . . . . . . . . . . . . . . 139
7.11 Static detection of flooding using unbounded creation . 139
xii
List of Tables
5.1 Security classes . . . . . . . . . . . . . . . . . . . . . . 80
5.2 Exposure . . . . . . . . . . . . . . . . . . . . . . . . . 80
5.3 Security and privacy challenge comparison of scenario 1
and 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
5.4 Security class of the sensor . . . . . . . . . . . . . . . . 91
5.5 Security class of the pacemaker security controller . . . 91
5.6 Security class of the mobile phone . . . . . . . . . . . . 91
xiii
Part I
Overview
1
CHAPTER 1
Introduction
The modern society is critically depending on information systems,
in particular distributed systems and the Internet of Things (IoT). A
distributed system is a system that consists of components placed on
different networked computers which communicate concurrently by
passing messages to each other. Examples of distributed systems include
computer networks like the Internet, aircraft control systems, distributed
information processing systems like banking systems, mobile phones,
etc. The Internet of Things (IoT) consists of different distributed systems
and is considered one of the most important areas of future technology, it
has received massive attention from a wide variety of industries. IoT is
made from a variety of things or objects – like sensors, mobile phones,
television, refrigerators, actuators, etc. – that are able to interact with
each other and cooperate with their neighbours through the Internet to
reach a common goal using unique addressing schemes.
The aim of IoT is to provide an advanced mode of communication
among the various systems and devices, and also to facilitate the
interaction between humans and the virtual world. With this aim, IoT
plays a significant role in the modern society and has applications in
almost all fields including healthcare systems, automobile, industrial
appliances, sports, homes, entertainments, environmental monitoring, etc.
Services provided by IoT applications offer great benefits for human’s life,
but they can come with a huge price with respect to people’s privacy and
security protection. IoT devices have already outnumbered the number
of people at a computerized workplaces. As a result of this expansion,
and as these things are connecting to the Internet, and generate, process,
and exchange huge amounts of security-critical and privacy-sensitive
information, therefore they are attractive targets of various attacks [21,
29, 41, 47, 54, 55, 57, 61, 62, 63, 75, 76, 77, 83, 86]. The same attack
may be used on a large number of (identical) devices.
What makes the IoT different from the traditional Internet is the
absence of human role. IoT offers complex systems that can sense
the external environment and make decisions with no need of human
3
1. Introduction
4
Background and Motivation
5
1. Introduction
6
Background and Motivation
7
1. Introduction
8
Background and Motivation
9
1. Introduction
distributed languages. The latter approach also has the advantage that
one can define the language and its semantics so that it is amenable to
semantical analysis and verification. Additionally, this approach makes
program reasoning (i.e., proof) simple and powerful.
10
Research Questions
can also have more appropriate program structure, while some problems
and problem domains are better-suited for representation as concurrent
tasks or processes.
Standard models of object interaction do not address the specific chal-
lenges of distributed computation. Object interaction based on method
calls is usually synchronous. However, synchronous communication in a
distributed setting, causes undesired and uncontrolled waiting, and possi-
bly deadlocks. Asynchronous message passing provides better control
and efficiency, although it does not provide the structure and discipline
inherent in method calls.
The active object paradigm [13, 91, 92] has evolved from the
actor model [3] and object orientation. In this paradigm each object is
concurrent and autonomous, with its virtual processor, and all interaction
is through method invocations and replies, thus supporting two-way
interaction rather than one-way interaction as in the case of the actor
model. Therefore at most, one process is active on an object at a time,
and method executions are decoupled from method invocations using
underlying asynchronous message passing. Active object languages have
mechanisms for efficient method interaction without active waiting, by
means of the future concept or suspension.
The active object paradigm provides a natural way of modeling
distributed systems in general, and IoT systems in particular, because it
covers the fundamental aspects of IoT systems such as distribution of
concurrent, autonomous units communicating by message passing, where
each unit can run on a device with limited processing power and limited
storage [48].
Each IoT device is modeled as one active object. If a single IoT device
has several concurrent activities, such a device could be modeled by a
group of active objects, using the concept of object groups as suggested
and formalized in [12, 22, 50]. Such an object group can be seen as a
single object for the environment. The modeling of different kinds of IoT
networks, including wireless networks, can be modeled as in [52].
11
1. Introduction
new security and privacy challenges arise when designing these systems.
These challenges demand a need to look for comprehensive and more
precise approaches that can provide higher levels of security, privacy, and
trust from the design phase in these systems. For example, new taxonomy
frameworks that organize all aspects of security and privacy baselines,
guidelines, and recommendations, or the need to formally verify these
systems at the software level. Therefore, this thesis is seeking solutions
to the following main goal:
The main objective is a broad area of research that requires a more defined
focus. Therefore, we focus on two aspects of the design phase. First, the
early design phase, where the architecture of a system is being developed,
considering the setting of IoT systems. Second, the late phase of the
design, where models, in particular executable models and prototypes
are designed, considering IoT systems and also the more general setting
of distributed systems. Having enough information at the architectural
design phase and using graphical notations make it easier to understand
the system components and their specifications for the modeling phase.
These give two subgoals:
To achieve the first subgoal, this thesis will address the following specific
research questions:
RQ1: What are the security and privacy functionalities for IoT systems
relevant at the early design phase?
12
Methodology
RQ3: How can the functionality framework help to improve security and
privacy of IoT systems at the early design phase?
To achieve the second subgoal, this thesis will address the following
specific research questions:
RQ6: How can we improve the security, privacy and trust levels of
distributed systems using a methodology at the late design phase?
RQ7: How can we use formal verification and specification for the
behavior of models of distributed systems?
1.3 Methodology
This thesis consists of several publications that describe our research
results achieved in the direction of answering the above questions.
Besides, the methodology we are looking for should meet the following
requirements:
13
1. Introduction
14
CHAPTER 2
Theoretical Background
In this chapter we discuss some basic concepts of object-oriented and
concurrent object-oriented modeling languages and then position the
Creol/ABS modeling languages [48, 51] in this context. For this purpose,
Sections 2.1 and 2.2 introduce object-oriented languages, and concurrent
object-oriented languages, respectively. The presentation in Sections
2.1 and 2.2 is inspired by [6, 60]. Section 2.3 introduces specifically
the Creol/ABS languages, which supports the active object modeling
paradigm.
To build a reliable software system, it is important to develop
techniques which facilitate verification about the behavior of the program
code. For this purpose, we organize the discussion in Section 2.4 by
first considering formal logical systems and programming logic, then
discussing formal verification approaches including Hoare logic and static
program analysis.
15
2. Theoretical Background
16
Concurrent Object-Oriented Systems
• Multiple and repeated inheritance: a class can have more than one
parent and can inherit from another class in more than one way.
17
2. Theoretical Background
18
Concurrent Object-Oriented Systems
19
2. Theoretical Background
20
Concurrent Object-Oriented Systems
the process that services the call and then back to the caller instead
of sending information through one-way communication channels in
message passing. One-way communication channels need a large number
of channels for the two-way information flow between clients and servers
that they need two explicit message interactions through two different
message channels. In addition, every client needs a different reply channel.
Also, in both RPC and rendezvous, the execution of call delays the caller
until the called operation is executed and any result is returned as in
synchronous message passing.
The difference between RPC and rendezvous is in the way of servicing
the invocations of operations. RPC declares a procedure for every
operation and provides a new process to handle every call, the caller
and procedure body may be on different machines that’s why it is called
remote procedure call. In contrast, rendezvous uses an existing process
to handle calls (rendezvous is sometimes called extended rendezvous).
21
2. Theoretical Background
22
Concurrent Object-Oriented Systems
In the active object model, there are three types of message passing: past,
now, and future.
23
2. Theoretical Background
The future object behaves like a queue and the contents of the queue can
be checked or removed by the object O. The concurrency of a system
increases by future message passing.
One of the important difference between the active object model and
actor model is that in the active object model, an object in the waiting
mode can accept a message which is not necessarily at the head of the
message queue, however an actor in the actor model can only accepts a
message that is at the head of the message queue. Moreover, now type and
future type message passing are not supported in the actor model. Hence,
when an actor A sends a message to a target actor T and expects a result
from T must terminate its current activity before being able to receive the
response from actor T , like any other incoming messages arriving to A.
In addition, this necessity of the termination of actor A’s current activity
24
Creol/ABS Language
25
2. Theoretical Background
in the type system. ABS has a notion of object groups (cogs), which is
similar to the one in JCoBox [80], it generalizes the concurrency model of
Creol from single concurrent objects to concurrent object groups sharing
the same processor.
In ABS, the communication mechanism of Creol [48] for remote
communication has been used, it is based on asynchronous method
calls using first-class futures [14]. Another feature of the ABS and
Creol communication mechanism is their use of cooperative scheduling
between asynchronous called methods. However, in ABS this is lifted
from the level of objects to the level of concurrent object groups.
Cooperative scheduling is a mechanism, allowing passive waiting which
means there will be a process queue holding all suspended processes of a
given object, the executing process of an object can be suspended so that
a required result from another process of the queue of the object can be
provided. The type system in ABS is similar to the one in Featherweight
Java [46], a core calculus for Java. Featherweight Java is class-based with
single inheritance, with subtyping as a reflexive and transitive closure of
the subclass relation. Both Creol and ABS distinguishes between classes
and types. In Creol asynchronous calls and interfaces are combined with
multiple class inheritance, choice operators, and a notion of cointerface
at the interface level in order to accommodate type-safe calls backs to
callers [49]. The cointerface is the interface of the caller, through which
the callee can make calls back to the caller. In this case the cointerface
will ensure type correctness of these call-backs. Creol introduces a
suspension mechanisms, which is also used in ABS. A process (or a
method execution) may suspend while waiting for a result to arrive or
condition to be satisfied. Suspension releases the processor of the object
using a process queue to store suspended processes, allowing the object
to continue with other (enabled) processes. Process release (suspension)
points allow non-blocking waiting.
The language version that we consider in this thesis is inspired by
both Creol and ABS and we refer to it by Creol/ABS. It ignores some
of the features in ABS (like cogs) and supports some features that ABS
does not support (inheritance, cointerfaces). Our work is mainly using
local futures, rather than shared futures.
For the setting of IoT and distributed systems, local futures (in
particular method-local ones) are suitable since they can be deleted by
each object as soon as they are no longer needed so there is no future to
26
Formal Verification and Specification
27
2. Theoretical Background
28
Formal Verification and Specification
{P } S {Q}
29
2. Theoretical Background
2.4.3.1 Logic
Logic in general is the study of principles of reasoning and a subject of
study in multiple disciplines like philosophy, mathematics, and computer
science. We only consider formal logic, in which a formal language and
a formal system represent logical truths and logical methods of reasoning.
A formal language is a set of well-formed-formulas specified syntactically
by a set of symbols and a set of rules for the formation of formulas. A
formal system as explained earlier in this section consists of a formal
language and a deductive apparatus. A deductive apparatus, also called a
deductive system consists of a set of axioms and a set of inference rules
that can be used to derive theorems of the system.
First-order predicate logic. An example of deductive system is
first order predicate logic also known as first-order logic consists of
a countable sets of symbols for constants, functions, and predicates,
variables, and a set of standard Boolean connectives (·, ‚, ∆, ©) and
quantifiers (÷, ’). This distinguishes first-order logic from propositional
logic, in which quantifiers or relations are not used. In Floyd-Hoare [34,
45] assertional methods also typically first-order predicate assertions are
used. Most of the approaches that have used first-order logic actually
draw upon the Hoare-style verification techniques for software.
Boyer-Moore computational logic. This logic is a restricted form
of first-order logic. Boyer-Moore [16] introduced a quantifier-free first-
order logic with equality. In this logic, terms composed of variables and
function applications. Constants are demonstrated as functions without
arguments. Logical connectives, like not, and, or are defined in terms of
primitive logical constants true, f alse, and the primitive connective if .
Equality is in the form of a function equal and axioms that characterize it.
Through the Shell Principle, a user can introduce inductively constructed
object type (characterized by a set of axioms). According to the shell
principle, all type definitions should be accompanied by specification of
a recognizer function, a constructor function, and an accessor function
30
Formal Verification and Specification
for that object type. A user can also introduce axioms defining new
functions. These axioms have to satisfy the Principle of Definition, to
avoid inconsistencies causing by their addition. Using this principle, one
can make sure that all new functions are defined either non-recursively
in case of pre-defined functions, or there exists a well-founded ordering
on some measure of the arguments that reduces with every recursive call
in case of recursive definitions. In this logic, standard rules of inference
used for propositional logic and the principle of induction, which is based
on the same well-founded ordering used by the definition axioms, have
been used for reasoning.
The Boyer-Moore theorem prover equips an automated facility for
generating proofs in the described logic above. The process of proof
generation though, is not totally automatic, and the user might need to
assist the theorem prover for setting up intermediate lemmas and helpful
definitions. The basic theory used in the system (logic plus theorem
prover) is including: axiomatize natural numbers, negative integers, lists
and character strings, also commands are provided for adding shells,
defining new functions and proving theorems. This system is an effective
tool that has a number of applications in different areas [17], due to the
strong mathematical foundation and heuristics built into the system.
31
2. Theoretical Background
32
Formal Verification and Specification
time there are a branching set of possibilities into the future, it is called
Branching Time (Temporal) Logic (BTTL) [31].
Extended temporal logic (ETL). The original work on ETL was first
suggested by Wolper [87]. He showed that in propositional version of
LTL (called PTL), a property like even(p) is not expressible. Therefore,
he proposed to add new operators corresponding to right-linear grammars
to temporal logic. To interpret grammars as operators, he established a
correspondence between words generated by a grammar and sequences.
The basic idea is that if there is a word w (finite or infinite) over a finite
alphabet ‡ and an assignment of formulas to every letter of ‡, a sequence
satisfies the word w for the given assignment if for all i, the formula
associated with the letter appearing in the ith position of the word w is
true in the ith state of the sequence. Later, the original work on ETL was
generalized by Wolper, Vardi, and Sistla [88].
Mu-Calculus. This is another extension framework of the temporal
logic context for extending expressiveness that in addition to the usual
predicate logic operators, provides operators for denoting fixed points of
predicate transformers (functions from relations to relations) [20].
33
2. Theoretical Background
34
Formal Verification and Specification
35
2. Theoretical Background
36
Formal Verification and Specification
37
2. Theoretical Background
38
CHAPTER 3
Summary of Research Papers and
Contributions
This chapter presents research contributions of the thesis, summarizing
four research papers. The chapter then returns to the research questions
formulated in Section 1.2 and discusses them in connection with the
contributions of this thesis. The full content of the papers appears in Part
II, as in their original publications, but reformatted to fit the structure of
this thesis.
We first recall the research questions documented in Section 1.2:
RQ1: What are the security and privacy functionalities for IoT systems
relevant at the early design phase?
RQ3: How can the functionality framework help to improve security and
privacy of IoT systems at the early design phase?
RQ6: How can we improve the security, privacy and trust levels of
distributed systems using a methodology at the late design phase?
RQ7: How can we use formal verification and specification for the
behavior of models of distributed systems?
The following sections give a summary of each paper and explain how
the paper answers above research question(s).
39
3. Summary of Research Papers and Contributions
3.1 Paper 1
40
Paper 2
3.2 Paper 2
3.3 Paper 3
41
3. Summary of Research Papers and Contributions
3.4 Paper 4
42
Paper 4
43
3. Summary of Research Papers and Contributions
and privacy. The paper illustrates the approach on a typical smart contract
example, namely an auction system. The contract implementation has
been verified and various improvements with respect to added safety,
security, and privacy have been shown.
The approach may be combined with the notion of dynamic and
concurrent object groups [25]. This allows a contract provider to appear
as a single object to the outside while internally consisting of a number
of cooperating concurrent objects.
A history objects can provide runtime checking of specified behavioral
properties of the contracts. The framework allows runtime roll-backs,
since the transaction history gives sufficient information to rerun a
contract provider and stop at the last state before the execution of method
that results in error. Reasoning about simple error recovery has been
considered here.
This paper addresses RQ4 by showing examples of modeling smart
contracts using a high level language based on active object paradigm.
Also, this paper achieves aspects of RQ6 by demonstrating that how this
modeling framework of smart contracts can support the main advantages
of smart contracts based on blockchain, including trust, immutability, and
transparency at the programming level and without use of blockchain.
Besides, this modeling framework offers better privacy control using the
notion of history objects. So it would be less expensive to implement
compared with smart contracts built on blockchain that are costly with
respect to time, resources, and power consumption. Furthermore, the
paper explains that the approach can be combined with the blockchain
technology in order to improve the overall trust level on insecure
platforms. Moreover, RQ7 has been achieved in this paper by developing
an imperative language for contracts, an executable functional language
for writing smart contract specifications, and a theory for class-wise
verification, with support of privacy, security, and model checking of
contract specifications.
44
Additional Publications
thesis. These papers are related to the goal of this thesis or correspond to
shorter and/or preliminary versions of the work reported in this thesis.
45
3. Summary of Research Papers and Contributions
46
CHAPTER 4
Conclusions and Future Work
4.1 Conclusions
The main goal of this thesis is to improve security and privacy of IoT
and distributed systems during the design phase. From this goal, two
subgoals are identified that resulted in seven research questions presented
in Section 1.2. This thesis has contributed to presenting four research
papers which address the research questions and the related subgoals.
The focus of this thesis is on two aspects of the design phase. First,
the early design phase, where the architecture of a system is being
developed, considering the setting of IoT systems. Second, the late design
phase, where models, in particular executable models and prototypes are
designed, considering IoT systems and also the more general setting of
distributed systems. Having sufficient information at the architectural
design phase and using graphical notations make it easier to understand
the system components and their specifications for the modeling phase.
The methodology proposed in this thesis meets the requirements
stated in Section 1.3. We now revisit these requirements and their
rationale:
47
4. Conclusions and Future Work
RQ1: What are the security and privacy functionalities for IoT
systems relevant at the early design phase?
48
Conclusions
49
4. Conclusions and Future Work
RQ6: How can we improve the security, privacy and trust levels of
distributed systems using a methodology at the late design phase?
50
Conclusions
4.1.1 Limitations
Our focus has been on the design phase of the system development life
cycle, which means that planning, requirement analysis, implementation,
and testing phases have not been considered. We have only considered
two parts of the design phase, namely the early design phase, where
the architecture of a system is being developed, and the late design
phase – by means of executable modeling of systems using the active
object concurrency model. However, the modeling paradigm considered
allows high level implementation, prototyping, testing, as well as program
analysis, at the abstraction level of the model.
We have considered only some approaches and some security
problems. In the early design phase, we have only considered simple
51
4. Conclusions and Future Work
52
Future Work
53
Bibliography
[1] 27000, I. Information technology — Security techniques — Infor-
mation security management systems — Overview and vocabu-
lary (fourth edition). ISO/IEC 2016. 2016.
[2] 27001, I. INTERNATIONAL STANDARD ISO/IEC 27001 Infor-
mation technology—Security techniques —Information security
management systems —Requirements. ISO/IEC 2013. 2013.
[3] Agha, G. Actors: A Model of Concurrent Computation in Dis-
tributed Systems. Cambridge, MA, USA: MIT Press, 1986.
[4] Ahrendt, W., Pace, G. J., and Schneider, G. “Smart contracts:
a killer application for deductive source code verification”. In:
Principled Software Development. Springer, 2018, pp. 1–18.
[5] Allen, J. F. and Ferguson, G. “Actions and events in interval
temporal logic”. In: Journal of Logic and Computation vol. 4,
no. 5 (1994), pp. 531–579.
[6] Andrews, G. R. Foundations of multithreaded, parallel, and
distributed programming. Vol. 11. Addison-Wesley Reading, 2000.
[7] Armstrong, J. et al. “Concurrent programming in ERLANG”. In:
(1993).
[8] Baier, C. and Katoen, J.-P. Principles of model checking. MIT
press, 2008.
[9] Baker, H. and Hewitt, C. “Laws for communicating parallel
processes”. In: MIT Artificial Intelligence Laboratory (1977).
[10] Beydeda, S., Book, M., Gruhn, V., et al. Model-driven software
development. Vol. 15. Heidelberg: Springer, 2005.
[11] BITAG. Internet of Things (IoT) Security and Privacy Recom-
mendations. https : / / www . bitag . org / documents / BITAG _
Report_- _Internet_of_Things_(IoT)_Security_and_Privacy_
Recommendations.pdf. 2016.
55
Bibliography
56
Bibliography
57
Bibliography
58
Bibliography
59
Bibliography
60
Bibliography
61
Bibliography
62
Bibliography
63
Part II
Scientific Contributions
65
CHAPTER 5
Security and Privacy
Paper 1:
Functionalities in IoT
Abstract
5.1 Introduction
Internet of Things (IoT) represents the concept of information flow
among different kinds of embedded computing devices interconnected
through the internet. The aim of IoT is to provide an advanced mode
67
5. Paper 1: Security and Privacy Functionalities in IoT
68
Introduction
69
5. Paper 1: Security and Privacy Functionalities in IoT
experts. Our framework is easy to follow, even for non-experts. The case
study shows that by following our guidelines, one can detect security
problems and get help in avoiding them.
The remainder of this paper is structured as follows: Section II
explains IoT-related standards and guidelines. Section III provides related
work. Section IV introduces the IoT security and privacy functionality
framework. Section V explains the security classification method. Section
VI describes the pacemaker case study, and Section VII concludes the
paper.
70
Related Work
71
5. Paper 1: Security and Privacy Functionalities in IoT
72
Framework Explanation
73
5. Paper 1: Security and Privacy Functionalities in IoT
74
Framework Explanation
75
5. Paper 1: Security and Privacy Functionalities in IoT
76
Framework Explanation
77
5. Paper 1: Security and Privacy Functionalities in IoT
78
Security Classification
79
5. Paper 1: Security and Privacy Functionalities in IoT
80
Pacemaker Case Study
and P5 the highest protection level), exposure will be in the lowest level
(E1), therefore resulting in the highest security class. And the way
we can provide the highest protection level is by applying an effective
and appropriate set of security and privacy functionality criteria in a
particular device, for instance, use of multi-factor authentication instead
of just passwords or PINs for authentication. Adequate and proper sets
of security and privacy functionality criteria used in the case study have
been taken from our framework.
81
5. Paper 1: Security and Privacy Functionalities in IoT
82
Pacemaker Case Study
83
5. Paper 1: Security and Privacy Functionalities in IoT
84
Pacemaker Case Study
The final discussion of the security class of the pacemaker system depends
on the scenario chosen and the other components involved. We next
consider the mobile phone.
Mobile phone. In our case study, a mobile phone is used in the com-
munication between the pacemaker and the healthcare provider/doctor.
Security in this mobile phone is then important in order to send correct
data to/from the pacemaker controller. Hacking or tampering into this
mobile phone can result in sending wrong data from the pacemaker to the
doctor, something that could result in wrong decisions from the doctor,
or possibly sending inappropriate shocks to the patient’s heart.
Therefore, it is important to secure the mobile phone properly.
However, the security class of the mobile phone is only considered class
B, since mobile phones are inherently not of the highest security class
85
5. Paper 1: Security and Privacy Functionalities in IoT
and have a number of possibilities for attacks due to high exposure. For
instance, because of all the applications and browsers on the device, as
well as software developed by third parties. Therefore, both the impact
of attack as well as the connectivity are in a higher level for the mobile
phone compared to the pacemaker. Hence the security class of the mobile
phone is lower than the security class of the pacemaker security controller.
We consider C4 in the mobile phone connected to the doctor.
According to Tables 6.2 and 6.1, we might have protection levels 2, 3, or
4 to obtain security class B, however since mobile phones naturally have
moderate impact of attacks as discussed above, we should use protection
level 4 in order to reach security class B. So based on that the following
set of relevant security and privacy functionality criteria are selected
to ensure that the mobile phone has a sufficiently high protection level,
following the functionality framework and the OWASP guidelines for
securing mobile phones [20]:
• Secure data storage: Failure in having secure data storage can result
in data loss, extraction of sensitive data using malware, modified
apps or forensic tools, identity theft, fraud, reputation damage,
material loss or external policy violations.
• Proper platform usage: Misuse of a platform feature or failure to
use platform security controls fall under this category. Android
intents, platform permissions, misuse of TouchID, Keychains, or
other security controls which are part of the operating system could
86
Pacemaker Case Study
87
5. Paper 1: Security and Privacy Functionalities in IoT
88
Pacemaker Case Study
more secure to do the security controls directly in the pacemaker, and use
the mobile phone just as a gateway to transfer the information. However,
this will require additional computational power and battery capacity.
Another issue is whether we can do all the security controls inside
the computerized generator of the pacemaker - or consider a security
controller as a separate unit out of the body with a close and secure
connection to the pacemaker.
We therefore define two scenarios: In scenario 1 (see Figure. 6.1),
the security controls for the pacemaker are done inside the computerized
generator of the pacemaker, and in scenario 2 (see Figure. 6.2), a separate
security controller unit makes the security controls of the pacemaker,
such that this unit is outside the body with a close and secure connection
to the pacemaker. In scenario 1, we would need computational power
inside the body, needing more storage, stronger CPU, much more battery
capacity and so on. This is not desirable since it might increase the
potential necessary surgeries in order to change the battery, maintain, or
update the pacemaker. Moreover, we might not be able to consider some
of the security and privacy functionalities in order to avoid increasing
CPU usage, which results in even more battery usage.
Therefore, we might want to have a pacemaker with a simple sensor
89
5. Paper 1: Security and Privacy Functionalities in IoT
inside the body and a security controller out of the body, say in the pocket
or at home very close to the pacemaker. Here, it is essential that the
security controller be close to the pacemaker, since the pacemaker must
have very weak signals, limited interactions and computations, to avoid
using too much battery power and resulting battery changes. So, all the
security and battery-intensive controls would be done in the external
security controller, which can have a stronger and easily rechargeable
battery. The controller can maintain the device in case of any problem,
update or troubleshoot its computer system, or even increase the level
of protection by adding more security and privacy functionalities or
appropriate software at any time because of easy access.
According to all the security considerations in scenario 2, we can
then have a better security class in the pacemaker security controller:
In Table 6.3 we summarize all the security and privacy challenges in
the sensor, pacemaker, and mobile phone connected to the doctor, and
compare the severity of these security and privacy challenges in scenarios
1 and 2. This table determines the impact. The challenges considered in
the table are found by following the functionality framework, for each
device, in a top-down manner and in each case determining the problems
that may occur. The further we break down the problems according to
the functionality framework, the easier it is to find the specific challenges
for the given device.
In the following, we see that the severity of the security and privacy
challenges in the sensor and pacemaker has been reduced from very high
in the worst case to low. Hence, the impact of attacks is reduced from
catastrophic to minor.
Discussion. The pacemaker in scenario 1 is a complex device because
all security controls are done inside the computerized generator of the
pacemaker. The security controller is very close to the sensor, the signals
received by the sensor from the pacemaker are very frequent. Interference
is possible and that can have negative effect on correct heartbeat capturing.
However, by transferring the security controller outside of the body this
effect would be low (still there are some frequencies from devices close
by such as mobile phones that can affect the sensor) resulting in more
precise heartbeat capturing. As mentioned earlier in the heart rate sensor,
there are low possibilities of data and private information breaches in
both scenarios.
In the pacemaker in scenario 1, because of the complexity of the sys-
90
Pacemaker Case Study
tem and having all the security controls inside the computerized generator
of the pacemaker, we need higher CPU and memory consumption and
then battery usage would be very high, while in scenario 2 this prob-
lem would decrease to very low. In scenario 1, because of difficulties
in accessing the pacemaker and its security controller on time (in case
of maintenance, update, troubleshooting or installing new software/e-
quipment, also not being able to apply all the necessary criteria with
high protection level in order to avoid high battery usage), the level of
the security and privacy functionality criteria as well as the level of the
protection is low.
Therefore the vulnerability of the pacemaker and sensor against
attacks compromising the device (that can cause changing battery saving
controls so draining the battery more quickly, changing pacemaker shock
settings, tampering of transferred information from/to the pacemaker, data
and private information breaches, transparency of GDPR compliance,
risk of long-term storage of private information) is high; however, this
problems decrease to very low when we change to scenario 2, due to
easier access to the security controller out of the body.
By compromising the mobile phone connected to the doctor, the
problems listed in the last part of Table 6.3 may occur. In both scenarios,
we have considered high level of protection for the mobile phone by
91
5. Paper 1: Security and Privacy Functionalities in IoT
92
Conclusion
5.7 Conclusion
The expansion of IoT in the last decade has resulted in several security and
privacy issues and attacks against things and people. Unfortunately, the
security and privacy functionalities to combat these attacks are not well-
recognized in the domain of IoT. This paper summarizes and categorizes
IoT security and privacy functionalities, and as the main contribution,
the paper presents a new taxonomy framework that organizes the related
standards in this area. The proposed framework is oriented towards
practical application. We have demonstrated the application of this
framework in combination with the security classification method using a
case study about pacemakers. Our case study is quite generic and reveals
general issues that can be found in other case studies.
The security class of a system is based on two factors: exposure
and impact of possible attacks. The exposure is a consequence of the
protection level of the system and its connectivity. A lower exposure level
means a lower attack surface. Therefore, by reducing the exposure level
of a system we can have a more secure system. A higher protection level
in a system or lower connectivity can result in lower exposure. At the
same time, lower impact of attacks on a system raises the security class
93
5. Paper 1: Security and Privacy Functionalities in IoT
94
Bibliography
[1] 27000, I. Information technology — Security techniques — Infor-
mation security management systems — Overview and vocabu-
lary (fourth edition). ISO/IEC 2016. 2016.
[2] 27001, I. INTERNATIONAL STANDARD ISO/IEC 27001 Infor-
mation technology—Security techniques —Information security
management systems —Requirements. ISO/IEC 2013. 2013.
[3] Alqassem, I. and Svetinovic, D. “A taxonomy of security and
privacy requirements for the Internet of Things (IoT)”. In: 2014
IEEE Intern. Conf. on Industrial Engineering and Engineering
Management (IEEM). IEEE. 2014, pp. 1244–1248.
[4] ANSSI. Classification Method and Key Measures. 2014.
[5] Babar, S. et al. “Proposed security model and threat taxonomy for
the Internet of Things (IoT)”. In: Intern. Conf. on Network Security
and Applications. Springer. 2010, pp. 420–429.
[6] BITAG. Internet of Things (IoT) Security and Privacy Recom-
mendations. https : / / www . bitag . org / documents / BITAG _
Report_- _Internet_of_Things_(IoT)_Security_and_Privacy_
Recommendations.pdf. 2016.
[7] Boulos, P. et al. “Pacemakers: a survey on development history,
cyber-security threats and countermeasures”. In: Int. J. Innov. Stud.
Sci. Eng. Technol vol. 2, no. 8 (2016).
[8] Future-proofing the Connected World: 13 Steps to Developing
Secure IoT Products. https://downloads.cloudsecurityalliance.org/
assets/research/internet-of-things/future-proofing-the-connected-
world.pdf. 2016.
[9] Dadourian, M. Heart alert: Pacemakers can be hacked. 2018.
[10] ENISA. Baseline Security Recommendations for IoT in the context
of Critical Information Infrastructures. European Union Agency
for Network and Inf. Sec. 2017.
95
Bibliography
96
Bibliography
97
CHAPTER 6
Security and Privacy in IoT
Paper 2:
Systems: A Case Study of Healthcare
Products
Abstract
99
6. Paper 2: A Case Study of Healthcare Products
6.1 Introduction
100
Introduction
the general data protection regulation (GDPR), which regulates who can
access private data, how and for what purpose, based on consent of the
data subject [11]. We then categorized and integrated these guidelines
and requirements in a uniform style, and embedded them in a graphical
representation by means of diagrams. Having a comprehensive view and
taxonomy of security and privacy requirements and functionalities in IoT
is a prerequisite for architecting optimal security solutions, designing,
and developing secure and privacy-aware IoT systems.
In this paper, we explore how the framework can facilitate the process
of improving IoT security and privacy, in combination with the security
classification method suggested in [4, 26]. Through the development of
this framework, together with the security classes, extensive attention has
been given to the requirements and limitations for securing IoT systems.
The security classification of a system will lead to better understanding
of the value of security and promote the extra cost of securing a system.
An IoT system includes different kinds of devices, and protecting all of
these devices at a same level is costly. It is economically impossible to
employ all the security protection mechanisms for all the devices in a
system. Dividing security into different classifications is necessary in
order to secure IoT systems to an appropriate level.
To give an understanding of how the framework can help to improve
security and privacy in practice, we give a comprehensive discussion
on the details of two scenarios in a case study of healthcare products,
compare security and privacy challenges of the two scenarios, and then
show how to soften these challenges using security classifications and
functionalities of our previous framework. One of the most attractive
application areas of IoT is health care [16, 21]. Medical applications like
remote health monitoring, fitness programs, chronic diseases, elderly care,
compliance with treatment and medication at home and by healthcare
providers, are some of the important potential applications that IoT can
bring. IoT-based healthcare services can help to reduce costs, increase the
quality of life, and enrich the user’s experience. Therefore, in this paper
we demonstrate the framework on a case study concerning healthcare
products.
The remainder of this paper is structured as follows: Section 2
provides related work. Section 3 gives a background about the security
classification method. Section 4 describes the pacemaker case study, and
Section 5 concludes the paper.
101
6. Paper 2: A Case Study of Healthcare Products
102
Security Classification
103
6. Paper 2: A Case Study of Healthcare Products
104
Pacemaker Case Study
taken from our framework in [12], which is based on the most relevant
standards: ENISA [10], OWASP [19], Industrial Internet Consortium [25],
Cloud Security Alliance[8], and Broadband Internet Technical Advisory
Group [6], as well as security and privacy guidelines from ISO [1, 2],
ENISA [11], and NIST [24].
105
6. Paper 2: A Case Study of Healthcare Products
use the general criteria given in the functionality framework, select and
discuss the parts relevant for each device.
Pacemaker security controller. Beside threatening patients’ lives,
malicious attackers can get access to patients’ medical records through a
pacemakers [9, 29], or track a patient’s location. In addition, malicious
software can be run on pacemakers and cause security and privacy breaks.
Therefore, any security or functional weakness can result in a security
failure. Like any device that uses remote technology, pacemakers are
also vulnerable against cyber attacks, and hackers can break into the
pacemaker itself, the back-end systems or the communication between
the pacemaker and its surrounding. By breaking into a pacemaker, an
attacker can send strong shock signals, disturb the pacemaker setting
or heart functions, or disturb them from working properly. One simple
example of hacking into a pacemaker is to change the setting from battery-
saving "sleep" mode to "standby" mode, and this can quickly drain the
battery, which is normally supposed to last for years. Hence, security in
this kind of device is crucial and should have the highest (best) security
class, meaning security class A.
We consider Connectivity 2 (explained in Section. 6.3) in the
pacemaker security controller, since it is only connected to the pacemaker.
We define below the protection levels which are relevant <for the
pacemaker security controller:
• Protection level 1 (P1): includes Secure authentication, Securing
Software/Firmware, Secure Communication, and Human Interface
Security. For authentication we consider: requiring passwords,
option to change the default username and password. For
communication we consider: data authenticity to enable reliable
exchanges from data emission to data reception. For securing
software/firmware we consider: update capability for some of
the system devices and applications, transmitting the files using
encryption.
• Protection level 2 (P2): includes P1 and in addition, for authenti-
cation: requiring strong passwords, securing password recovery
mechanisms, making sure that default passwords and even default
usernames are changed during the initial setup, and that weak, null
or blank passwords are not allowed. For communication: verifying
any interconnections, discover, identify and verify/authenticate the
devices connected to the network before trust can be established,
106
Pacemaker Case Study
and preserve their integrity for reliable solutions and services, pre-
vent unauthorised connections to it or other devices the product
is connected to, at all protocol levels, providing communication
security using state-of-the-art mechanisms, standardising security
protocols, such as TLS for encryption. For securing software/-
firmware: encrypting update files for some of the applications.
• Protection level 3 (P3): includes P2 and in addition, for authentica-
tion: having options to force password expiration after a specific
period, and to change the default username and password, making
sure that the password recovery or reset mechanism are robust
and do not supply an attacker with information indicating a valid
account. The same should apply to key update and recovery mech-
anisms. For communication: data authenticity to enable reliable
exchanges from data emission to data reception.
• Protection level 4 (P4): includes P3 and in addition, for authentica-
tion: implementing two-Factor Authentication (2FA), making sure
that default passwords and even default usernames are changed
during the initial setup. For communication: signing the data when-
ever and wherever it is captured and stored, making intentional
connections, disabling specific ports and/or network connections
for selective connectivity. For securing software/firmware: capabil-
ity of quick updates when vulnerabilities are discovered for some
of the system devices and applications, and offering an automatic
firmware update.
• Protection level 5 (P5): includes P4. In addition, for authentication:
using Multi-Factor Authentication (MFA) (considering biomet-
rics for authentication), considering Certificate-Less Authenticated
Encryption (CLAE) and User Managed Access (UMA). For com-
munication: rate limiting – controlling the traffic sent or received
by a network to reduce the risk of automated attacks. For securing
software/firmware: update capability for all system devices and
applications, capability of quick updates when vulnerabilities are
discovered for all system devices and applications, encrypting up-
date files for all applications, signing update files and validating by
the device before installing, securing update servers, having ability
to implement scheduled updates, having backward compatibility of
firmware updates.
According to Tables 6.1 and 6.2, protection level 4 or 5 are needed
107
6. Paper 2: A Case Study of Healthcare Products
108
Pacemaker Case Study
Mobile phone. In our case study, a mobile phone is used in the com-
munication between the pacemaker and the healthcare provider/doctor.
Security in this mobile phone is then important in order to send correct
data to/from the pacemaker controller. Hacking or tampering into this
mobile phone can result in sending wrong data from the pacemaker to the
doctor, something that could result in wrong decisions from the doctor,
or possibly sending inappropriate shocks to the patient’s heart.
Therefore, it is important to secure the mobile phone properly.
However, the security class of the mobile phone/computer device is only
considered class B, since mobile phones are inherently not of the highest
security class and have a number of possibilities for attacks due to high
exposure. For instance, because of all the applications and browsers on
the device, as well as software developed by third parties. Therefore, both
the impact of attack as well as the connectivity are in a higher level for the
mobile phone compared to the pacemaker. Hence the security class of the
mobile phone is lower than the security class of the pacemaker security
controller. We consider C4 in the mobile phone connected to the doctor,
and based on that the following set of relevant security functionality
criteria are selected to ensure that the mobile phone has a high protection
level, following the functionality framework of [12] and the OWASP
guidelines for securing mobile phones [20]:
109
6. Paper 2: A Case Study of Healthcare Products
110
Pacemaker Case Study
DES.
• Code tampering: When an application is on the device, the code
and data resources are also available there. An attacker can modify
the code through either malicious apps in third party app stores
or trick the user via phishing attacks and install the app on the
device. Code tampering could result in revenue loss due to piracy,
reputational damage, unauthorized new features, identity theft or
fraud.
• Secure data storage: Failure in having secure data storage can result
in data loss, extraction of sensitive data using malware, modified
apps or forensic tools, identity theft, fraud, reputation damage,
material loss or external policy violations.
• Proper platform usage: Misuse of a platform feature or failure to
use platform security controls fall under this category. Android
intents, platform permissions, misuse of TouchID, Keychains, or
other security controls which are part of the operating system could
be included. To prevent the attacks in this category, secure coding
and configuration practices must be applied on the server side of
the application.
• Data privacy: are as discussed above for the pacemaker.
We next consider the protection levels of ISA99, and select the relevant
criteria from the functionality framework, and adjust them for the case of
the mobile phone connected to the doctor. These are defined below:
111
6. Paper 2: A Case Study of Healthcare Products
112
Pacemaker Case Study
113
6. Paper 2: A Case Study of Healthcare Products
privacy challenges in the sensor and pacemaker has been reduced from
very high in the worst case to low. Hence, the impact of attacks is reduced
from catastrophic to minor.
6.5 Discussion
The pacemaker in scenario 1 is a complex device because all security
controls are done inside the computerized generator of the pacemaker.
The security controller is very close to the sensor, the signals received
by the sensor from the pacemaker are very frequent. Interference is
possible and that can have negative effect on correct heartbeat capturing.
However, by transferring the security controller outside of the body this
effect would be low (still there are some frequencies from devices close
by such as mobile phones that can affect the sensor) resulting in more
precise heartbeat capturing. As mentioned earlier in the heart rate sensor,
there are low possibilities of data and private information breaches in
both scenarios.
In the pacemaker in scenario 1, because of the complexity of the sys-
tem and having all the security controls inside the computerized generator
114
Discussion
115
6. Paper 2: A Case Study of Healthcare Products
computer system.
In the sensor, as explained above, we have connectivity C1, and
protection level P1, therefore exposure is E4 (see Table 6.4), and because
of very high problem severity, the impact of attacks is Catastrophic,
resulting in security Class F in this device.By changing from scenario
1 to 2, the severity of the security and privacy challenges has reduced
from very high to low, therefore the impact of attacks is reduced from
Catastrophic to Minor, and consequently, the security class has improved
from Class F to Class C.
In the pacemaker, we have connectivity C2, and protection level P5,
however in scenario 1, the severity of security and privacy challenges have
affect on the protection level, which falls to level 3, therefore exposure
is E2 (see Table 6.5), and because of very high security and privacy
challenge severity, the impact of attacks is Catastrophic, then we have
security Class D in this device. By changing from scenario 1 to 2, the
severity of the security and privacy challenges has reduced from very high
to very low, therefore the impact of attacks has reduced from Catastrophic
to Insignificant, and consequently, the security class has improved from
Class D to A.
And, in the mobile phone connected to the doctor, we have
connectivity C4, and protection level P4, therefore the exposure is E2
(see Table 6.6), and the security is Class B in both scenarios.
By considering security and privacy challenges, as well as the effect
of these challenges on the protection level of each device and the whole
system, and also their affect on the impact of attacks, we have changed
scenario 1 to 2, and were able to improve the security class in the sensor
and pacemaker security controller from class F to C, and class D to
A, respectively. Hence the security of the overall system has improved
significantly.
6.6 Conclusion
The expansion of IoT in the last decade has resulted in several security
and privacy vulnerabilities and attacks against IoT devices and people.
Unfortunately, the security and privacy functionalities to combat these
attacks are not well-recognized in the domain of IoT. We previously
presented a new taxonomy framework that addresses all of the IoT
116
Conclusion
Acknowledgment
This work has been supported by the research project IoTSec, Security in
IoT for Smart Grids, with number 248113/O70 part of the IKTPLUSS
program funded by the Research Council of Norway. It is also supported
by the SCOTT project (www.scott-project.eu), funded by the Electronic
Component Systems of the European Leadership Joint Undertaking under
grant agreement No 737422, with support from the EU H2020 research
and innovation programme.
117
Bibliography
[1] 27000, I. Information technology — Security techniques — Infor-
mation security management systems — Overview and vocabu-
lary (fourth edition). ISO/IEC 2016. 2016.
[2] 27001, I. INTERNATIONAL STANDARD ISO/IEC 27001 Infor-
mation technology—Security techniques —Information security
management systems —Requirements. ISO/IEC 2013. 2013.
[3] Alqassem, I. and Svetinovic, D. “A taxonomy of security and
privacy requirements for the Internet of Things (IoT)”. In: 2014
IEEE Intern. Conf. on Industrial Engineering and Engineering
Management (IEEM). IEEE. 2014, pp. 1244–1248.
[4] ANSSI. Classification Method and Key Measures. 2014.
[5] Babar, S. et al. “Proposed security model and threat taxonomy for
the Internet of Things (IoT)”. In: Intern. Conf. on Network Security
and Applications. Springer. 2010, pp. 420–429.
[6] BITAG. Internet of Things (IoT) Security and Privacy Recom-
mendations. https : / / www . bitag . org / documents / BITAG _
Report_- _Internet_of_Things_(IoT)_Security_and_Privacy_
Recommendations.pdf. 2016.
[7] Boulos, P. et al. “Pacemakers: a survey on development history,
cyber-security threats and countermeasures”. In: Int. J. Innov. Stud.
Sci. Eng. Technol vol. 2, no. 8 (2016).
[8] Future-proofing the Connected World: 13 Steps to Developing
Secure IoT Products. https://downloads.cloudsecurityalliance.org/
assets/research/internet-of-things/future-proofing-the-connected-
world.pdf. 2016.
[9] Dadourian, M. Heart alert: Pacemakers can be hacked. 2018.
[10] ENISA. Baseline Security Recommendations for IoT in the context
of Critical Information Infrastructures. European Union Agency
for Network and Inf. Sec. 2017.
119
Bibliography
120
Bibliography
121
CHAPTER 7
A Language-Based Approach to
Paper 3:
Prevent DDoS Attacks in Distributed
Financial Agent Systems
Abstract
7.1 Introduction
Today distributed and service-oriented systems form critical parts of
123
7. Paper 3: A Language-Based Approach to Prevent DDoS Attacks
124
Introduction
Figure 7.1: Distributed communication (s-obj stands for server object and c-obj
for consumer object)
125
7. Paper 3: A Language-Based Approach to Prevent DDoS Attacks
7.2 Overview
In distributed system communication there is an underlying distributed
object system as shown in Figure. 7.1. In such a distributed system,
classes such as server or client classes would be instantiated by objects,
and communication is established in the form of method calls, usually
wrapped in XML or other forms. Therefore, communication in a
distributed system is implemented by method calls between objects. If
there is a possibility of flood of requests to the service provider (S-
Obj) from the consumer object(s) (C-Obj) in this figure, a DoS attack is
probable.
126
Overview
Static attack detection and prevention. For any set of methods that
call the same target method, a call cycle could be harmful. The methods
might belong to the same or different objects with the same or different
interfaces. In the case of normal blocking calls, where the caller is
blocking while waiting for the response, making a flood of requests also
means receiving a flood of responses. And thus in the case of OTO, it may
cause a self DoS for the attacker. With the possibility of non-blocking
calls in a distributed setting, it is more cost-beneficial for an OTO attacker
to launch a DoS, because then undesirable blocking by the attacker is
127
7. Paper 3: A Language-Based Approach to Prevent DDoS Attacks
128
Related Work
loops and recursive calls. Compared to our work the SAFER approach
is oriented toward detecting server attacks from within the server code,
whereas our approach is mainly targeting server attacks from an external
attacker, or a combination of external agents. An attacker needs to
understand the code of the server in order to find weaknesses that can be
triggered by specific inputs. In contrast, our approach is detecting attacks
caused by coordination of several agents and/or servers in a distributed
setting.
Another work that detects resource attacks from within the server
code is presented by Qie et al. [15]. In their toolkit, they check for
possible “rule” violations at runtime. This work is complementary to
ours, since our work is oriented toward static detection. Gulavani and
Gulwani [7] describe a precise numerical abstract domain. This domain
can be used to prove the termination of a large class of programs and
also to estimate valuable information such as timing bounds. In order to
make linear numerical abstract domains more precise, they make use of
two domain lifting operations: One operation depends on the principle of
expression abstraction. This describes a set of expressions and determines
their semantics by use of a selection of directed inference rules. It works
by picking up an abstract domain and a group of expressions, such that
their semantics are described by a group of rewrite rules, in order to
construct a more precise abstract domain. The second domain constructor
operation picks up a linear arithmetic abstract domain and constructs a
new arithmetic domain that is able to represent linear relations through
introduction of max expressions. Another approach to estimate worst-case
complexity is presented by Colon and Sipma [4]. These approaches [4, 7],
in which the complexity of loops and recursive calls has been estimated
using structural analysis, are widely complementary to our work.
Zheng and Myers [21] propose a framework for using static informa-
tion flow analysis in order to specify and enforce end-to-end availability
policies in programs. They extend the decentralized label model to
include security policies for availability. This work presents a simple
language with fine-grained information security policies described by
type annotations. In addition, this language has a security type system
to reason about end-to-end availability policies. Various examples have
been discussed, in which abuse of an availability policy can represent
denial of service attacks.
In a work by Meadows [13], a formal analysis has been developed in
129
7. Paper 3: A Language-Based Approach to Prevent DDoS Attacks
order to apply the maximum benefit of tools and approaches that have
already been used to strengthen protocols against denial of service attack.
This analysis has been done at the protocol specification level. Also,
different ways in which existing cryptographic protocol analysis tools
can be modified for the purpose of operating in this formal framework,
have been demonstrated. In contrast, we do a detailed static analysis
of source code both inside and outside a server. The class of software
vulnerabilities that we can detect is more complicated than what appears
just at the network-protocol specifications level. Moreover, vulnerable
sections of the source code have been identified in our work.
The current work shows how the static analysis method for detection
of flooding can be used for detection of DoS and DDoS attacks. This
general idea was also outlined by the same authors in an extended
workshop abstract [16]. Moreover we here discuss why this is particularly
harmful in the financial sector, where both economic assets and customer
trust are at risk. Furthermore we simplify and adapt the static analysis
method of [14] to the setting of financial service systems, extending it
to detect many-to-one attacks involving unbounded creation of objects
(as demonstrated in example 7.10), as well as hidden attacks, neither of
which were detected by the original method of [14].
130
Our Framework for Active Object Systems
131
7. Paper 3: A Language-Based Approach to Prevent DDoS Attacks
132
Static Analysis to Prevent Attacks
133
7. Paper 3: A Language-Based Approach to Prevent DDoS Attacks
1. Make separate control flow graphs (CFGs) for each method. Include
a node for each call, get, await, new (for object creation), if and while
statement, as well as an initial starting and a final return node.
2. Add call edges from call nodes to the start node of a copy of the
called method. In case the call is recursive, simply add a call edge to
the existing start node.
3. Identify any cycles in the resulting graph (including all copies of the
CFGs).
4. Assign a unique label to each call node, and assign this label to the
start and return node of the corresponding copy of the method CFG.
5. Make put edges from the return nodes to the corresponding get/await
nodes. This requires static flow analysis, possibly with over-
approximation of put edges.
134
Static Analysis to Prevent Attacks
Consider a cycle C in the control flow graph G resulting from Figure. 7.3:
2. From the entry point to the cycle, follow all flow and call edges in
a depth-first traversal of G and mark the nodes as weakly-reachable
(WR), strongly-reachable (SR), or neither, as defined in Def. 7.5.3.
Figure 7.4: Algorithm for detecting flooding by means of calls and comps sets
in a given cycle
given cycle C.
Weakly reachable (WR) nodes are those that are on the cycle or reachable
from the cycle by following a flow edge or a call edge.
A node is strongly reachable (SR) if it is in the given cycle or is
reachable from an SR node without entering an if/while node nor passing
a wait node (get/await) outside the cycle, unless the return node of the
corresponding call is strongly reachable. A return node is SR if there
is a SR get/await node on the same future. And a node is SR if all its
predecessor nodes are SR.
We consider two versions of SR, the optimistic, where we follow call
edges (as indicated above), and the pessimistic, where we follow a call
edge n only when the call is known to complete, i.e., when n œ SR
before following the call edge. (As above we follow flow and put edges
without restrictions.)
The optimistic version is used to find unbounded flooding under the
assumption of favorable scheduling, i.e., strong flooding. The pessimistic
version is used to detect unbounded flooding without this assumption, i.e.,
weak flooding. Detection of strong flooding implies detection of weak
flooding, but with less precise details about which calls that possibly may
cause flooding. If there is a call causing weak flooding wrt. a given cycle,
135
7. Paper 3: A Language-Based Approach to Prevent DDoS Attacks
pessimistic detection will report this call or a call leading to this call.
If there is a call causing strong flooding for a given cycle C, optimistic
detection will report this call. Our notions of optimistic and pessimistic
reachability cover a wider class of nodes than in [14]. The soundness
of [14] can be generalized to our setting.
136
Examples of Possible DoS/DDoS Attacks
requiring the actual newsletter to have arrived, from the Proxy (as shown
by the statements ns:=get fut; myCustomers!signal(ns) in the original
publish method) to the Customer (i.e., news:=get fut in the modified
Customer.signal method). This change in the program causes flooding of
customers.
Service.produce asynchronously calls Producer.detectNews (Pd), line 5 of Fig-
ure. 7.6
Service.produce asynchronously calls Proxy.publish (Xb), line 5 of Fig-
ure. 7.6
Proxy.publish asynchronously calls Customer.signal (Cs), line 6 of Fig-
ure. 7.7
Proxy.publish asynchronously calls Service.produce (Sp) line 6 of Figure. 7.7
137
7. Paper 3: A Language-Based Approach to Prevent DDoS Attacks
138
Examples of Possible DoS/DDoS Attacks
We then say that the cycle is flooding. The flooding cycle identified
above is harmless provided the customers are able to process their signal
calls as fast as the cycle iterations. The programmer will be warned
by our algorithm about each possible flooding, and should determine
whether it is a real problem.
In contrast, the modified program version (Figure. 7.7) does not wait
in Proxy.publish (doing ns:=get fut) until the newsletter is produced.
Instead the future is directly passed to another asynchronous call
(myCustomers!signal(f ut)) in line 6 of Figure. 7.7 through the method
Proxy.publish, this removes any progress dependency between the cycle
producing the Producer.detectNews and Customer.signal calls and the
processing of those calls. The completion of the Producer.detectNews and
Customer.signal calls does not only depend on the speed of code execution,
but depend on the rate of newsletter items arrivals. Practically, this
flooding cycle generates a number of unprocessed calls that quickly
grows to system limits.
Applying the algorithm to the example. Following [14], the call and
comps sets for the two publish/subscribe versions are shown in Figures
7.8 and 7.9. Method names are abbreviated with two letters as indicated
above, letting Ng abbreviate method getNews of interface NewsProducerI.
There are two cycles in Figure. 7.8, i.e., cycle A and B. We have a
flooding on the call to Customer.signal (Cs) in both cycles. However, this
flooding does not reflect an actual flooding since the Customer objects
139
7. Paper 3: A Language-Based Approach to Prevent DDoS Attacks
Sp
cycle A
calls = {1,2,3,4,5}
comps = {1,2,3,5}
Pd:1 Pd
cycle B
calls = {4,6} Ng:3 Ng
Xp:2
comps = {1,6}
cycle B
start
Cs:4
call/get/ Cs
await
Sp:5 Xp:6
put
put:2 put:6 put:4
Figure 7.8: The graph and call/comp sets for the original version of the
program (Figure. 7.6)
Sp
cycle A:
calls = {1,2,4,5}
Pd
comps = {2,5}
Pd:1
cycle B: Ng:3 Ng
calls = {4,6} Xp:2
comps = {6}
get:3 await
call edge put:5
Xp
flow edge put:1
cycle A put:3
Figure 7.9: The graph and call/comp sets for the modified version of the
program (Figure. 7.7)
easily keep up with the calls since the amount of work required by
the Customer to complete a signal call is trivial. The execution rate
is restricted with respect to the actual arrival of new items from the
NewsProducer (by the blocking call in the proxies), and therefore, the
rate of produced asynchronous calls to Customer.signal by this cycle
is limited. Thus this is an example of weak flooding that is harmless.
140
Examples of Possible DoS/DDoS Attacks
class Attacker(ServerI s) {
{this!run(); } // initialization
Void run() { ClientI c := new Client(); c!connect(s);
this!run() } // terminate and make recursive call
}
class Client() implements ClientI{
Nat connect(ServerI s){
Nat n := s.register();
// blocking call, so a single client will not cause flooding
return n }
}
class Server(DataBase db) implements ServerI{ {...} // Initialization
Nat register(){Nat n :=0;
if okcheck(caller) then Bool ok := db.open();
if ok then n:=db.add(caller);
db.query(...); db.close() fi fi; return n }
// register requires time and resources
... }
141
7. Paper 3: A Language-Based Approach to Prevent DDoS Attacks
142
Examples of Possible DoS/DDoS Attacks
The run call has a call edge to the flow graph of connect (call 1), and
connect has a call edge to the flow graph of register (call 2). The call to
register waits for completion of register since it is a blocking call, and the
database calls (call 3) made by register wait for the completion of these
database calls. The code for the database is not given, and therefore the
analysis will be worst-case by considering the termination of such calls
non-reachable (unless indirectly found strongly reachable). The control
flow graph is given in Figure. 7.11. The set of weakly reachable call
nodes of the cycle, i.e., calls, are {1, 2, 3} with optimistic detection, and
{1} with pessimistic detection. And the set of strongly reachable calls,
i.e., comps, is empty in both cases. This gives that the set of potentially
flooding calls, given by calls ≠ comps, is {1} (c.connect) with pessimistic
detection and {1, 2, 3} with optimistic detection. However, in this case,
call 1 does not reflect a real flooding since each call is on a separate
object, but call 2 (s.register) and call 3 (the db calls) do. We detect strong
flooding. The example may be improved by using suspending calls (using
await) on the database operations.
143
7. Paper 3: A Language-Based Approach to Prevent DDoS Attacks
call is reported an not the harmful one. Another weakness is that the
attack would not be discovered when removing the connect call from the
attacker class and instead letting the register call be caused by the init
method of class Client. (In this case the method parameter s should be
transferred as a class parameter.) The reason for this is that indirect calls
due to object generation are ignored (since by assumption there cannot
be unboundedly many such calls). To compensate these weaknesses, we
make two modifications wrt. [14], described below:
First, we modify the static analysis by viewing a new C statement
as a special kind of a call statement with its own associated call number
and a call edge to a copy of the init code of class C, which again may
have further calls, treated as usual. More precisely, we treat new C as a
simple call statement (like new!C(classparameters) except that the new
object is not known before the call) since the new statement does not wait
for the init to complete. This allows us to see the generation of objects
and to follow all implicit calls from the initialization code. Thus we can
detect instantiation flooding attacks depending on call indirectly caused
by object initialization. We may assume that an initialization cannot
generate flooding in itself since each initialization is on a new object.
Thus the call numbers associated with object creation can be included
in comps. Furthermore, one more call on a new object cannot generate
flooding on this object (unless in a cycle after the object creation). The
same goes for a finite number of calls on a new object, if it can be detected
statically that all these calls have the same new object as callee. These
calls can also be included in comps. In the example of Figure. 7.10, we
detect that the call c!connect is to the new Client object, and this call will
then not be reported with the improved static detection.
Secondly, since implicit calls are important in DDoS attacks, we
follow all call edges in the calculation of WR nodes, even in the
pessimistic version. The resulting improved static detection method
can then also detect the hidden attacker in all versions of the instantiation
example, as shown below. Since the improved static detection method
depends on static detection of same callee, we briefly discuss how to
incorporate this: Two calls in the same method activation have the same
callee if the callee is the same variable, and it is either
144
Conclusion
7.7 Conclusion
In this paper we have considered denial of service attacks, formulated in a
high-level imperative language based on concurrent objects communicat-
145
7. Paper 3: A Language-Based Approach to Prevent DDoS Attacks
146
Conclusion
147
Bibliography
[1] Ashford, W. DDoS is most common cyber attack on financial
institutions. https://www.computerweekly.com/news/4500272230/
DDoS-is-most-common-cyber-attack-on-financial-institutions/.
2016.
[2] Boer, F. D. et al. “A Survey of Active Object Languages”. In: ACM
Comput. Surv. vol. 50, no. 5 (Oct. 2017), pp. 1–39.
[3] Chang, R. et al. “Inputs of coma: Static detection of denial-of-
service vulnerabilities”. In: 2009 22nd IEEE Computer Security
Foundations Symposium. IEEE. 2009, pp. 186–199.
[4] Colón, M. and Sipma, H. “Synthesis of Linear Ranking Functions”.
In: Proceedings of the 7th International Conference on Tools and
Algorithms for the Construction and Analysis of Systems. TACAS
2001. London, UK, UK: Springer-Verlag, 2001, pp. 67–81.
[5] Din, C. C. and Owe, O. “A sound and complete reasoning
system for asynchronous communication with shared futures”.
In: J. Logical and Alg. Methods in Prog. vol. 83, no. 5 (2014),
pp. 360–383.
[6] Douligeris, C. and Mitrokotsa, A. “DDoS Attacks and Defense
Mechanisms: Classification and State-Of-The-Art”. In: Computer
Networks vol. 44, no. 5 (2004), pp. 643–666.
[7] Gulavani, B. S. and Gulwani, S. “A numerical abstract domain
based on expression abstraction and max operator with application
in timing analysis”. In: International Conference on Computer
Aided Verification. Springer. 2008, pp. 370–384.
[8] Jensen, M., Gruschka, N., and Herkenhöner, R. “A survey of
attacks on web services”. In: Computer Science-Research and
Development vol. 24, no. 4 (2009), p. 185.
[9] Johnsen, E. B. and Owe, O. “An asynchronous communication
model for distributed concurrent objects”. In: Software & Systems
Modeling vol. 6, no. 1 (2007), pp. 39–58.
149
Bibliography
150
Bibliography
151