Resilient Safety-Critical Systems through Run-time Risk Assessment, Isolation, and Recovery (RESURREC)

通过运行时风险评估、隔离和恢复 (RESURREC) 实现弹性安全关键系统

• 批准号: 503329135
• 负责人: Professor Dr. Stefan Katzenbeisser
• 金额: --
• 依托单位: Lehrstuhl für Technische Informatik
• 依托单位国家: 德国
• 项目类别: Priority Programmes
• 资助国家: 德国
• 项目状态: 未结题
• 来源: https://gepris.dfg.de/gepris/projekt/503329135?language=en
• 关键词: Resilient; Safety; Critical; Systems; through

Attacks on safety-critical systems such as autonomous vehicles can have serious consequences, such as financial damage or even danger to life and limb. Through successful attacks on assets (e.g., software applications, control units, cryptographic keys, or messages), an attacker can cause damage directly or indirectly (by extending the attack from one asset to another). Classical safety measures such as Fault Detection, Isolation, and Recovery (FDIR) only protect against errors and not against targeted attacks. For example, an attacker could manipulate a component that is responsible for the isolation of a faulty component and for switching to a redundant instance. FDIR must therefore be extended to include suitable security measures. In particular, in addition to errors, it must be possible to detect and respond to attacks. To achieve resilience, mechanisms for isolation and recovery must be protected against manipulation as well. Furthermore, once an attack has been detected, a suitable response has to be selected at run-time of the system; this decision needs to be based on a risk computation and needs to take the specifics of the safety-critical system into consideration. In this proposal, we propose a project to advance attack detection, run-time risk assessment, isolation, and recovery to increase the resilience of safety-critical systems. The main focus lies on the last three aspects, as there are already several approaches for Intrusion Detection Systems (IDS) in safety-critical systems, while risk assessment, isolation and recovery have received much less attention. As application domain, we consider an autonomous vehicle, as it is a distributed and complex safety-critical system, consisting of several networked components, such as control units, sensors and actuators, with software applications running on them. For risk assessment, we investigate new methods to assess risk based on the dependencies between assets. Approaches for isolation and recovery known from the safety context are supplemented by security measures. We investigate how the zero trust paradigm can be applied to safety-critical systems. For this, we investigate, among other things, novel authentication mechanisms, access and usage control systems, and secure service-oriented architectures. Our developed solutions will be prototypically implemented and evaluated.

对自动驾驶汽车等安全关键系统的攻击可能会造成严重后果，例如经济损失，甚至危及生命和肢体。通过对资产的成功攻击（例如，软件应用程序、控制单元、加密密钥或消息），攻击者可以直接或间接地（通过将攻击从一个资产扩展到另一个资产）造成损害。故障检测、隔离和恢复（Fault Detection，Isolation，and Recovery，FRESH）等传统安全措施只能防止错误，而不能防止针对性攻击。例如，攻击者可以操纵负责隔离故障组件和切换到冗余实例的组件。因此，必须扩大限制，以包括适当的安全措施。特别是，除了错误之外，还必须能够检测和响应攻击。为了实现复原力，还必须保护隔离和恢复机制免受操纵。此外，一旦检测到攻击，就必须在系统运行时选择合适的响应;这个决定需要基于风险计算，并且需要考虑安全关键系统的具体情况。 在本提案中，我们提出了一个项目，以推进攻击检测，运行时风险评估，隔离和恢复，以提高安全关键系统的弹性。主要的焦点在于后三个方面，因为已经有几种方法用于安全关键系统中的入侵检测系统（IDS），而风险评估，隔离和恢复受到的关注要少得多。作为应用领域，我们考虑自动驾驶汽车，因为它是一个分布式和复杂的安全关键系统，包括几个网络组件，如控制单元，传感器和执行器，与软件应用程序在它们上运行。对于风险评估，我们研究了基于资产之间的依赖关系来评估风险的新方法。安全措施补充了安全背景下已知的隔离和恢复方法。我们研究如何零信任范式可以应用到安全关键系统。为此，我们调查，除其他事项外，新的认证机制，访问和使用控制系统，安全的面向服务的架构。我们开发的解决方案将进行原型实施和评估。