A security-focused engineering process for systems of embedded components

  • Authors: Jose Fran. Ruiz; Rajesh Harjani; Antonio Maña
  • Affiliations: University of Malaga, Teatinos, Malaga (all three authors)
  • Venue: Proceedings of the International Workshop on Security and Dependability for Resource Constrained Embedded Systems
  • Year: 2011


Abstract

Development of systems based on embedded components is a challenging task because of the distributed, reactive and real-time nature of such systems. From a security point of view, it is essential to take into account that embedded devices are frequently system components owned by one entity, used as part of systems owned by other entities, and operated in a potentially hostile environment. Currently, no security engineering process for systems with embedded components takes these considerations into account. Although many individual mechanisms that solve specific security problems are already available, integrating them into a coherent system that satisfies more complex security requirements is not trivial. This paper presents a process that aims to support embedded systems developers in considering security aspects throughout the overall engineering process. In particular, the process provides means to identify and manage security properties and requirements. This security engineering process supports the representation of security aspects and mechanisms in a comprehensive and coherent modeling framework based on the UML metamodel. The key characteristics of the process are that (i) it is suited to the specific needs of systems with embedded components; (ii) it supports developers in making sound security design decisions; (iii) it encourages the separation of responsibilities between security experts and system designers; and (iv) it integrates reusable security-focused models of embedded components. The main aspect to highlight is that the process is directed by security properties. We believe that the best approach is to base requirements on the positive expression of properties, as opposed to the negative expression by means of threats and attacks.