Security modelling and formal verification of survivability properties: Application to cyber-physical systems
Journal of Systems and Software (IF 3.7), Pub Date: 2021-01-01, DOI: 10.1016/j.jss.2020.110746
S. Bernardi, U. Gentile, S. Marrone, J. Merseguer, R. Nardone

Abstract: The modelling and verification of system security is an open research topic whose complexity and importance need, in our view, the combined use of formal and non-formal methods. This paper addresses the modelling of security using misuse cases and the automatic verification of survivability properties using model checking. The survivability of a system characterises its capacity to fulfil its mission (promptly) in the presence of attacks, failures, or accidents, as defined by Ellison. The original contributions of this paper are a methodology and its tool support, through a framework called surreal. The methodology starts from a misuse case specification enriched with UML profile annotations and obtains, as a by-product, a survivability assessment model (SAM). Using predefined queries, the survivability properties are proved on the SAM. A total of fourteen properties have been formulated and also implemented in surreal, which encompasses tools to model the security specification, to create the SAM and to prove the properties. Finally, the paper validates the methodology and the framework using a cyber-physical system (CPS) case study in the automotive field.

Updated: 2021-01-01