Applying the Isabelle Insider framework to airplane security

https://doi.org/10.1016/j.scico.2021.102623

Highlights

  • The Isabelle Infrastructure framework models and verifies security specifications.

  • Temporal logic CTL proves logical properties in the framework detecting attack paths.

  • A methodology for policy invalidation and refinement reveals missing assumptions.

  • A comparative NuSMV model implements variations of concrete airplane policies.

  • Isabelle's expressive Higher Order Logic allows generalizing over arbitrary policies.

Abstract

Avionics is one of the fields in which verification methods have been pioneered and brought about a new level of reliability to systems used in safety-critical environments. Tragedies, like the 2015 insider attack on a German airplane, in which all 150 people on board died, show that safety and security crucially depend not only on the well-functioning of systems but also on the way humans interact with the systems. Policies are a way to describe how humans should behave in their interactions with technical systems. Formal reasoning about such policies requires integrating the human factor into the verification process. In this paper, we report on our work on using logical modelling and analysis of infrastructure models and policies with actors to scrutinize security policies in the presence of insiders. An insider is a user of a system who behaves like an attacker abusing privileges thereby bypassing security controls. We model insider attacks on airplanes in the Isabelle Insider framework. This application motivates the use of an extension of the framework with Kripke structures and the temporal logic CTL to enable reasoning on dynamic system states. Furthermore, we illustrate that Isabelle modelling and invariant reasoning reveal subtle security assumptions. This results in a methodology for the development of policies that satisfy stated properties. To contrast our approach to model checking, we provide an additional comparative analysis.

Introduction

Airplanes offer a very safe way of travelling. Accidents and terror attacks are extremely rare. We believe that one reason for this is that scrutiny and rigorous verification, including formal methods, are routinely applied both in most technical developments and in the organizational measures of airplanes. After the 2001-09-11 attacks, stringent measures were taken and have been successful to the day of writing. The most recent major incident was an insider attack in which the copilot of Germanwings Flight 9525 on 2015-03-24 hijacked the aircraft by locking out the captain, who had left the cockpit, and subsequently brought the aircraft to a crash in which all 150 persons on board died. As a consequence, airlines introduced a two-person rule that a pilot must never be on their own in the cockpit. The two-person rule was rescinded in 2017, only two years after it was introduced. The 2015-03-24 incident shows that insider attacks are an important issue. Despite their common use in other parts of avionics, formal methods are not commonly applied to airplane policies that include human actors, which is necessary to analyze insider threats. Therefore, we investigate whether recent advancements in formal modelling and analysis of insider threats can bring advancements here. The Isabelle Insider framework [1] is an instantiation of the interactive theorem prover Isabelle that uses its expressive Higher Order Logic (HOL) to provide a theory for formalizing infrastructures with actors and policies, including insiders, and for proving security properties fully formally with computer support. Experimenting with this Insider framework on real case studies motivated earlier work [2] applying the existing Isabelle Insider framework to verify airplane policies in the presence of insider attacks. This earlier work revealed some major challenges for the Isabelle Insider framework that we address in the current work:

  • Since the policies are dealing with actors and their possibilities of moving within the infrastructure, for example an airplane, a fixed association of actors with locations, roles, and credentials in the model must be extended to enable representing dynamic change.

  • We need to integrate dedicated logics into the framework enabling the expression of security and safety guarantees over the dynamically changing infrastructure state. We need to express global validity of logical properties of policies over all reachable states; for example, we want to express “for all states reachable from an acceptable initial state, a suicidal copilot cannot crash the plane.”

In the current paper, we provide solutions to these challenges and demonstrate them on the airplane case study by the following two contributions.

  • State transitions as well as rules for expressing changes to the state of infrastructures including locations, actors, their roles, credentials and behaviours are provided by Kripke structures. This allows modelling state change and state transition.

  • Temporal logic CTL is provided within the framework to formalize and prove logical properties. This enables (a) detecting attack paths through the graph of infrastructure state evolution and (b) from there identifying additional security assumptions that when met guarantee that the attack is not possible any more on any path.

In the process of realizing these extensions to the Isabelle Insider framework and testing them on the airplane application, other contributions emerged:

  • We identify an improved methodology for policy invalidation and model refinement. It consists of attempting to prove global security properties in the Isabelle Insider framework, which shows potential attacks and moreover reveals missing assumptions that may then be added as additional locale assumptions in the model refinement step.

  • Moreover, in order to show the relation to other approaches to verification, most notably model checking, we present a comparative model and verification [3] in the NuSMV model checker [4]. We formalize various different implementations of policies.

  • To show the surplus gained by using the Isabelle Insider framework rather than NuSMV we then proceed by generalizing our main result to arbitrary policies which can be done only in a powerful system such as Isabelle.

After discussing related work in Section 2, we present in Section 3 a retrospective of the development of safety and security regulations for airplanes. We then present the existing Isabelle Insider framework in Section 4. Next, we use this framework to model an airplane scenario including an insider attacker. We first present our methodology for applying the Isabelle Insider framework as an opening to Section 5, which also provides an overview of the following technical sections. We integrate Kripke structures into the model and express and interactively prove central security properties using the branching time temporal logic CTL (Section 5). Section 6 presents the analysis of those properties on the airplane scenario showing how the framework can be used to scrutinize the security policies and thereby reveal existing loopholes within their formal specifications. Section 7 introduces an alternative verification of the airplane scenario using model checking with NuSMV. It also shows how the main result can be generalized in Isabelle to arbitrary policies to illustrate what can be done here that cannot be done using model checking. Section 8 concludes.

The full Isabelle sources [5] as well as the NuSMV code [3] are available online. In order to give an impression of the kind of formalization, the most important definitions and theorems can be found in Appendix A.

Section snippets

Related work

In this section, we present some related work from the field of insider threats and work that applies reasoning approaches similar to ours. Furthermore, we discuss work related to verification in avionics.

Malicious insiders are defined by Glasser and Lindauer as follows: “[…] insiders are current or former employees or trusted partners of an organization who abuse their authorized access to an organization's networks, systems, and/or data.” [6]. Insider threats

Development of airplane safety and security

On 2001-09-11, four terrorist attacks took place in the USA, two on the two towers of the World Trade Center, one on the Pentagon, and in a fourth attack the airplane crashed when passengers tried to overcome the hijackers. Before these

Isabelle Insider framework

Before we formalize the airplane scenario in Section 5, we first give a brief introduction to Isabelle in this section; describe the Isabelle Insider framework with infrastructures, policies, actors, and insiders; and describe how Kripke structures and CTL are modelled.

Formalizing the airplane scenario

In this section, we present a methodology for the modelling and analysis of insider threats and illustrate it in detail on the airplane case study. Before we embark on the case study, we first present the methodology, which simultaneously serves as an overview of the section.

Analysis of safety and security properties

In this section, we first introduce a Kripke structure to model state transitions in the airplane scenario. Then we formalize the two-person rule and examine how this rule is related to the property that the airplane is not in danger with respect to an insider attack. We show that an additional assumption is necessary to prove this property.
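To make the Kripke-structure and CTL reasoning of the contributions list and of this section concrete, the following is an added, constructed toy model (not the paper's Isabelle or NuSMV formalization): three crew members, a cockpit, a cabin and a lockable door form the state space, the property "AG the insider copilot is never alone behind a locked door" is checked by exhaustive reachability, and the two-person rule is modelled as a guard on leaving the cockpit. The actor names, the guard and the danger predicate are assumptions of this example; the additional assumption the paper identifies is not reproduced here.

```python
from collections import deque

# Constructed toy model, not the paper's Isabelle formalization: three crew
# members, two locations and a lockable cockpit door. A state is a tuple of
# (actor, location) pairs sorted by actor name, followed by the door flag.
ACTORS = ("attendant", "captain", "copilot")
INITIAL = (("attendant", "cabin"), ("captain", "cockpit"),
           ("copilot", "cockpit"), False)

def in_cockpit(state):
    return [actor for actor, loc in state[:-1] if loc == "cockpit"]

def successors(state, two_person_rule):
    """Transition relation of the Kripke structure for one state."""
    *positions, locked = state
    pos = dict(positions)
    if not locked:  # a locked door blocks movement in both directions
        for actor in ACTORS:
            here = pos[actor]
            # two-person rule as a policy guard: leaving is only allowed if
            # at least two persons remain in the cockpit afterwards
            if two_person_rule and here == "cockpit" and len(in_cockpit(state)) < 3:
                continue
            there = "cabin" if here == "cockpit" else "cockpit"
            moved = dict(pos, **{actor: there})
            yield tuple(sorted(moved.items())) + (locked,)
    if in_cockpit(state):  # anyone inside can lock or unlock the door
        yield tuple(positions) + (not locked,)

def not_in_danger(state):
    """Safety property: the insider copilot is never alone behind a locked door."""
    return not (state[-1] and in_cockpit(state) == ["copilot"])

def check_ag(initial, safe, two_person_rule):
    """Check AG safe by breadth-first search over all reachable states.
    Returns (True, []) if it holds, else (False, counterexample path)."""
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        if not safe(state):
            path = []
            while state is not None:  # rebuild the attack path from the parents
                path.append(state)
                state = parent[state]
            return False, path[::-1]
        for nxt in successors(state, two_person_rule):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return True, []
```

Without the rule the search returns a three-state counterexample path (captain leaves, copilot locks the door); with the rule as a guard the property holds on every reachable state of this toy model.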

Model checking and generalizing over policies

In this section, we consider an alternative approach to formalizing and verifying the airplane case study using a model checker. We then show how the formalization in the Isabelle Insider framework demonstrated in this paper can be generalized over policies. This additional work serves to illustrate the surplus gained by using the heavier Isabelle approach.

Discussion and conclusions

In this section, we briefly discuss limitations and approaches to developing airplane policies, summarize the contributions of the paper, and present some concluding remarks.

CRediT authorship contribution statement

F. Kammüller: Drafting of manuscript, Critical revision. M. Kerber: Drafting of manuscript, Critical revision.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (42)

  • M. Kamali et al., Formal verification of autonomous vehicle platooning, Sci. Comput. Program. (2017)
  • F. Kammüller et al., Modeling and verification of insider threats using logical analysis, IEEE Syst. J., Special Issue on Insider Threats to Information Security, Digital Espionage, and Counter Intelligence (2017)
  • F. Kammüller et al., Investigating airplane safety and security against insider threats using logical modeling
  • M. Kerber et al., NuSMV formalisation of airplane scenarios with two-person-in-cockpit policies
  • A. Cimatti et al., NuSMV: a new symbolic model checker
  • F. Kammüller, IsabelleInsider – insider framework based on Kripke structures and CTL with example of airplane attack
  • J. Glasser et al., Bridging the gap: a pragmatic approach to generating insider threat data
  • M. Bishop et al., Insider threat identification by process analysis
  • M. Bishop et al., Inside the insider threat (introduction)
  • D.M. Cappelli et al., The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (2012)
  • F.L. Greitzer et al., Analysis of unintentional insider threats deriving from social engineering exploits
  • E.T. Axelrad et al., A Bayesian network model for predicting insider threats
  • J.R.C. Nurse et al., Understanding insider threat: a framework for characterising attacks
  • Y. Moy et al., Testing or formal verification: DO-178C alternatives and industrial experience, IEEE Softw. (2013)
  • C. O'Halloran, Automated verification of code automatically generated from Simulink, Autom. Softw. Eng. (2013)
  • M.O. Khan et al., Model-Based Verification and Validation of Spacecraft Avionics (2012)
  • D. v. Oheimb et al., Security architecture and formal analysis of an airplane software distribution system
  • G. Luettgen et al., Analyzing mode confusion via model checking
  • C. Munoz et al., Modeling and verification of an air traffic concept of operations
  • C. Munoz et al., Formal analysis of the operational concept for the small aircraft transportation system
  • F. Kammüller et al., Invalidating policies using structural information