Applying the Isabelle Insider framework to airplane security
Introduction
Airplanes offer a very safe way of travelling. Accidents and terror attacks are extremely rare. We believe that one reason for this is that scrutiny and rigorous verification, including formal methods, are routinely applied in most technical developments as well as in the organizational measures of airplanes. After the 2001-09-11 attacks, stringent measures were taken and have been successful up to the day of writing. The most recent major incident was an insider attack in which the copilot of Germanwings Flight 9525 on 2015-03-24 hijacked the aircraft by locking out the captain, who had left the cockpit, and subsequently crashed the aircraft, killing all 150 persons on board. As a consequence, airlines introduced a two-person rule that a pilot must never be on their own in the cockpit. The two-person rule was rescinded in 2017, only two years after it was introduced. The 2015-03-24 incident shows that insider attacks are an important issue. Despite their common use in other parts of avionics, formal methods are not commonly applied to airplane policies that include human actors, which is necessary to analyze insider threats. Therefore, we investigate whether recent advances in the formal modelling and analysis of insider threats can be brought to bear on this problem.

The Isabelle Insider framework [1] is an instantiation of the interactive theorem prover Isabelle that uses its expressive Higher Order Logic (HOL) to provide a theory for formalizing infrastructures with actors and policies, including insiders, in order to prove security properties fully formally with computer support. Experimenting with this Insider framework on real case studies motivated earlier work [2] that applied the existing Isabelle Insider framework to verify airplane policies in the presence of insider attacks. This earlier work revealed some major challenges for the Isabelle Insider framework that we address in the current work:
- Since the policies deal with actors and their possibilities of moving within the infrastructure, for example an airplane, the fixed association of actors with locations, roles, and credentials in the model must be extended to enable representing dynamic change.
- We need to integrate dedicated logics into the framework enabling the expression of security and safety guarantees over the dynamically changing infrastructure state. We need to express global validity of logical properties of policies over all reachable states; for example, we want to express “for all states reachable from an acceptable initial state, a suicidal copilot cannot crash the plane.”
In the current paper, we provide solutions to these challenges and demonstrate them on the airplane case study by the following two contributions.
- State transitions as well as rules for expressing changes to the state of infrastructures, including locations, actors, their roles, credentials and behaviours, are provided by Kripke structures. This allows modelling state change and state transition.
- The temporal logic CTL is provided within the framework to formalize and prove logical properties. This enables (a) detecting attack paths through the graph of infrastructure state evolution and (b) from there identifying additional security assumptions that, when met, guarantee that the attack is no longer possible on any path.
- We identify an improved methodology for policy invalidation and model refinement. It consists of attempting to prove global security properties in the Isabelle Insider framework, showing potential attacks and moreover revealing missing assumptions that may then be added as additional locale assumptions in the model refinement step.
- Moreover, in order to show the relation to other approaches to verification, most notably model checking, we present a comparative model and verification [3] in the NuSMV model checker [4]. We formalize several different implementations of policies.
- To show the surplus gained by using the Isabelle Insider framework rather than NuSMV, we then proceed by generalizing our main result to arbitrary policies, which can be done only in a powerful system such as Isabelle.
After discussing related work in Section 2, we present in Section 3 a retrospective of the development of safety and security regulations for airplanes. We then present the existing Isabelle Insider framework in Section 4. Next, we use this framework to model an airplane scenario including an insider attacker. We first present our methodology for applying the Isabelle Insider framework as an opening to Section 5, which also provides an overview of the following technical sections. We integrate Kripke structures into the model and express and interactively prove central security properties using the branching time temporal logic CTL (Section 5). Section 6 presents the analysis of those properties on the airplane scenario showing how the framework can be used to scrutinize the security policies and thereby reveal existing loopholes within their formal specifications. Section 7 introduces an alternative verification of the airplane scenario using model checking with NuSMV. It also shows how the main result can be generalized in Isabelle to arbitrary policies to illustrate what can be done here that cannot be done using model checking. Section 8 concludes.
The full Isabelle sources [5] as well as the NuSMV code [3] are available online. In order to give an impression of the kind of formalization, the most important definitions and theorems can be found in Appendix A.
Related work
In this section, we present some related work from the field of insider threats and work that applies reasoning approaches similar to the one used in our work. Furthermore, we discuss work related to verification in avionics.
Malicious insiders are defined by Glasser and Lindauer as follows: “[…] insiders are current or former employees or trusted partners of an organization who abuse their authorized access to an organization's networks, systems, and/or data.” [6].
Insider threats
Development of airplane safety and security
On 2001-09-11, four terrorist attacks took place in the USA, two on the two towers of the World Trade Center, one on the Pentagon, and in a fourth attack the airplane crashed when passengers tried to overcome the hijackers. Before these
Isabelle Insider framework
Before we formalize the airplane scenario in Section 5, we first give a brief introduction to Isabelle in this section; describe the Isabelle Insider framework with infrastructures, policies, actors, and insiders; and describe how Kripke structures and CTL are modelled.
Formalizing the airplane scenario
In this section, we present a methodology for the modelling and analysis of insider threats, illustrating it in detail on the airplane case study. Before we embark on the case study, we first present the methodology, which simultaneously serves as a section overview.
Analysis of safety and security properties
In this section we first introduce a Kripke structure to model state transitions in the airplane scenario. Then we formalize the two-person rule and examine how this rule relates to the property that the airplane is not in danger with respect to an insider attack. We show that an additional assumption is necessary to prove this property.
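To make the state-exploration idea concrete, the following is an added toy model, not the paper's Isabelle theory: a hand-built Kripke structure of the cockpit scenario with assumed actors (captain, copilot as the insider, one crew member), a door that can be locked from inside, and a breadth-first search that decides the CTL property EF danger (and hence AG safe) from the initial state. The two-person rule is encoded as a hard guard on leaving the cockpit; the paper's additional assumption needed for the real proof is deliberately not modelled here.

```python
from collections import deque

# Constructed toy Kripke model of the cockpit scenario (illustration only,
# not the paper's formalization). Actor names and the insider are assumptions.
ACTORS = frozenset({"captain", "copilot", "crew"})
INSIDER = "copilot"
# State: (actors in the cockpit, door locked?, plane in danger?).
# Anyone not in the cockpit is in the cabin.
INITIAL = (frozenset({"captain", "copilot"}), False, False)

def successors(state, two_person_rule):
    """Enumerate (action label, next state) pairs for one state."""
    cockpit, locked, danger = state
    if danger:
        return []  # danger is an absorbing state
    moves = []
    if not locked:  # movement through the door needs it unlocked
        for a in cockpit:
            remaining = cockpit - {a}
            # Two-person rule: nobody may leave if one person would be left alone.
            if two_person_rule and len(remaining) < 2:
                continue
            moves.append((f"{a} leaves cockpit", (remaining, locked, danger)))
        for a in ACTORS - cockpit:
            moves.append((f"{a} enters cockpit", (cockpit | {a}, locked, danger)))
    for a in cockpit:  # anyone inside can toggle the door lock
        verb = "unlocks" if locked else "locks"
        moves.append((f"{a} {verb} door", (cockpit, not locked, danger)))
    # The insider can endanger the plane only when alone behind a locked door.
    if locked and cockpit == frozenset({INSIDER}):
        moves.append((f"{INSIDER} endangers the plane", (cockpit, locked, True)))
    return moves

def attack_path(two_person_rule):
    """Decide EF danger by BFS; return the shortest witness path, or None if AG safe."""
    parent = {INITIAL: None}
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        if s[2]:  # reached a danger state: rebuild the path from the parent links
            path = []
            while parent[s] is not None:
                s, label = parent[s]
                path.append(label)
            return path[::-1]
        for label, t in successors(s, two_person_rule):
            if t not in parent:
                parent[t] = (s, label)
                queue.append(t)
    return None

if __name__ == "__main__":
    print("without two-person rule:", attack_path(False))
    print("with two-person rule:", attack_path(True))
```

Without the rule the search returns the three-step attack path (captain leaves, copilot locks the door, copilot endangers the plane); with the rule the cockpit never holds fewer than two people, so no danger state is reachable.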
Model checking and generalizing over policies
In this section, we consider an alternative approach to formalizing and verifying the airplane case study using a model checker. We then show how the formalization in the Isabelle Insider framework demonstrated in this paper can be generalized over policies. This additional work serves to illustrate the surplus gained by using the more heavyweight Isabelle approach.
Discussion and conclusions
In this section, we briefly discuss limitations and approaches to developing airplane policies, summarize the contributions of the paper, and present some concluding remarks.
CRediT authorship contribution statement
F. Kammüller: Drafting of manuscript, Critical revision. M. Kerber: Drafting of manuscript, Critical revision.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References
- et al., Formal verification of autonomous vehicle platooning, Sci. Comput. Program. (2017)
- et al., Modeling and verification of insider threats using logical analysis, Special Issue on Insider Threats to Information Security, Digital Espionage, and Counter Intelligence, IEEE Syst. J. (2017)
- et al., Investigating airplane safety and security against insider threats using logical modeling
- et al., NuSMV formalisation of airplane scenarios with two-person-in-cockpit policies
- et al., NuSMV: a new symbolic model checker
- IsabelleInsider – insider framework based on Kripke structures and CTL with example of airplane attack
- et al., Bridging the gap: a pragmatic approach to generating insider threat data
- et al., Insider threat identification by process analysis
- et al., Inside the insider threat (introduction)
- et al., The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (2012)
- Analysis of unintentional insider threats deriving from social engineering exploits
- A Bayesian network model for predicting insider threats
- Understanding insider threat: a framework for characterising attacks
- Testing or formal verification: DO-178C alternatives and industrial experience, IEEE Softw.
- Automated verification of code automatically generated from Simulink, Autom. Softw. Eng.
- Model-Based Verification and Validation of Spacecraft Avionics
- Security architecture and formal analysis of an airplane software distribution system
- Analyzing mode confusion via model checking
- Modeling and verification of an air traffic concept of operations
- Formal analysis of the operational concept for the small aircraft transportation system
- Invalidating policies using structural information
Cited by
- Explanation of Black Box AI for GDPR Related Privacy Using Isabelle, 2023, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
- Integrated analysis method of functional safety and cyber security of avionics system for civil aircraft, 2022, China Safety Science Journal
- Explanation by Automated Reasoning Using the Isabelle Infrastructure Framework, 2022, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
- Exploring Rationality of Self Awareness in Social Networking for Logical Modeling of Unintentional Insiders, 2022, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)