Search for publications in DiVA (liu.se)
Results 1 - 50 of 152
  • 1.
    Sivaraman, Navya
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    5G Handover: When Forward Security Breaks (2023). In: Proceedings of the 20th International Conference on Security and Cryptography / [ed] Sabrina De Capitani di Vimercati and Pierangela Samarati, Rome, Italy: SciTePress, Science and Technology Publications, 2023, Vol. 1, p. 503-510. Conference paper (Other academic)
    Abstract [en]

    5G mobility management is dependent on a couple of complex protocols for managing handovers, based on the available network interfaces (such as Xn and N2). In our work, we focus on the 5G Xn handover procedure, as defined by the 3GPP standard. In Xn handovers, the source base station hands the user equipment (UE) over to a target base station through two different mechanisms: horizontal or vertical key derivation. To ascertain the security of these complex protocols, recent works have formally described the protocols and proved some security properties. In this work, we formulate a new property, forward security, which ensures the secrecy of future handovers following a session key exchange in one handover. Using a formal model and the Tamarin prover, we show that forward security breaks in the 5G Xn handover in the presence of an untrusted base station. We also propose a solution to mitigate this counter-example with a small modification of the 3GPP Xn handover procedures based on the perceived source base station state.

  • 2.
    Colaco, Valency
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Formal Verification of Tree Ensembles against Real-World Composite Geometric Perturbations (2023). In: Proceedings of the Workshop on Artificial Intelligence Safety 2023 (SafeAI 2023) co-located with the Thirty-Seventh AAAI Conference on Artificial Intelligence (AAAI 2023), CEUR-WS, 2023, Vol. 3381, article id 38. Conference paper (Refereed)
    Abstract [en]

    Since machine learning components are now being considered for integration in safety-critical systems, safety stakeholders should be able to provide convincing arguments that the systems are safe for use in realistic deployment settings. In the case of vision-based systems, the use of tree ensembles calls for formal stability verification against a host of composite geometric perturbations that the system may encounter. Such perturbations are a combination of an affine transformation like rotation, scaling, or translation and a pixel-wise transformation like changes in lighting. However, existing verification approaches mostly target small norm-based perturbations, and do not account for composite geometric perturbations. In this work, we present a novel method to precisely define the desired stability regions for these types of perturbations. We propose a feature space modelling process that generates abstract intervals which can be passed to VoTE, an efficient formal verification engine that is specialised for tree ensembles. Our method is implemented as an extension to VoTE by defining a new property checker. The applicability of the method is demonstrated by verifying classifier stability and computing metrics associated with stability and correctness, i.e., robustness, fragility, vulnerability, and breakage, in two case studies. In both case studies, targeted data augmentation pre-processing steps were applied for robust model training. Our results show that even models trained with augmented data are unable to handle these types of perturbations, thereby emphasising the need for certified robust training for tree ensembles.

  • 3.
    Lin, Chih-Yuan
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Protocol study and anomaly detection for server-driven traffic in SCADA networks (2023). In: International Journal of Critical Infrastructure Protection, ISSN 1874-5482, E-ISSN 2212-2087, Vol. 42, article id 100612. Article in journal (Refereed)
    Abstract [en]

    Attacks against Supervisory Control and Data Acquisition (SCADA) systems operating critical infrastructures have largely appeared in the past decades. There are several anomaly detection systems that model the traffic of request-response mechanisms, where a client initiates a request to a server and the server sends back a response later. However, many modern SCADA protocols also allow server-driven traffic without a paired request, and anomaly detection for server-driven traffic has not been well-studied. This paper provides a comprehensive understanding of server-driven traffic across different protocols, such as MMS, Siemens S7, S7-plus, and IEC 60870-5-104 (IEC-104), with traffic analysis. The analysis results show that the common postulation of periodicity and correlation within SCADA traffic holds true for most of the analyzed datasets. The paper then proposes a Multivariate Correlation Anomaly Detection (MCAD) approach for server-driven traffic that presents complicated correlations among flows. The proposed approach is compared with a univariate correlation anomaly detection approach designed for SCADA and a general purpose anomaly detection approach based on neural network techniques. These approaches are tested with an IEC-104 dataset from a real power utility with injected timing perturbations resulting from a Stuxnet-like stealthy attack scenario. The detection accuracy of MCAD outperforms the compared methods and the time-to-detection performance is promising.

  • 4.
    Eckhart, Matthias
    SBA Res, Austria.
    Ekelhart, Andreas
    Univ Vienna, Austria.
    Allison, David
    AIT Austrian Inst Technol, Austria.
    Almgren, Magnus
    Chalmers Univ Technol, Sweden.
    Ceesay-Seitz, Katharina
    CERN, Switzerland.
    Janicke, Helge
    Cyber Secur Cooperat Res Ctr, Australia; Edith Cowan Univ, Australia.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Rashid, Awais
    Univ Bristol, England.
    Yampolskiy, Mark
    Auburn Univ, IL 36849 USA.
    Security-Enhancing Digital Twins: Characteristics, Indicators, and Future Perspectives (2023). In: IEEE Security and Privacy, ISSN 1540-7993, E-ISSN 1558-4046. Article in journal (Refereed)
    Abstract [en]

    The term "digital twin" (DT) has become a key theme of the cyber-physical systems (CPSs) area, while remaining vaguely defined as a virtual replica of an entity. This article identifies DT characteristics essential for enhancing CPS security and discusses indicators to evaluate them.

  • 5.
    Toczé, Klervie
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Fahs, Ali J.
    Activeeon, France; Univ Rennes, France.
    Pierre, Guillaume
    Univ Rennes, France.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    VioLinn: Proximity-aware Edge Placement with Dynamic and Elastic Resource Provisioning (2023). In: ACM Transactions on Internet of Things, ISSN 2691-1914, Vol. 4, no 1, article id 7. Article in journal (Refereed)
    Abstract [en]

    Deciding where to handle services and tasks, as well as provisioning an adequate amount of computing resources for this handling, is a main challenge of edge computing systems. Moreover, latency-sensitive services constrain the type and location of edge devices that can provide the needed resources. When available resources are scarce there is a possibility that some resource allocation requests are denied. In this work, we propose the VioLinn system to tackle the joint problems of task placement, service placement, and edge device provisioning. Dealing with latency-sensitive services is achieved through proximity-aware algorithms that ensure the tasks are handled close to the end-user. Moreover, the concept of spare edge device is introduced to handle sudden load variations in time and space without having to continuously over-provision. Several spare device selection algorithms are proposed with different cost/performance tradeoffs. Evaluations are performed both in a Kubernetes-based testbed and using simulations and show the benefit of using spare devices for handling localized load spikes with higher quality of service (QoS) and lower computing resource usage. The study of the different algorithms shows that it is possible to achieve this increase in QoS with different tradeoffs against cost and performance.

  • 6.
    Cherdantseva, Yulia
    Cardiff Univ, Wales.
    Burnap, Pete
    Cardiff Univ, Wales.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Jones, Kevin
    Airbus Grp, Wales.
    A Configurable Dependency Model of a SCADA System for Goal-Oriented Risk Assessment (2022). In: Applied Sciences, E-ISSN 2076-3417, Vol. 12, no 10, article id 4880. Article in journal (Refereed)
    Abstract [en]

    A key purpose of a Supervisory Control and Data Acquisition (SCADA) system is to enable either an on-site or remote supervisory control and monitoring of physical processes of various natures. In order for a SCADA system to operate safely and securely, a wide range of experts with diverse backgrounds must work in close rapport. It is critical to have an overall view of an entire system at a high level of abstraction which is accessible to all experts involved, and which assists with gauging and assessing risks to the system. Furthermore, a SCADA system is composed of a large number of interconnected technical and non-technical sub-elements, and it is crucial to capture the dependencies between these sub-elements for a comprehensive and rigorous risk assessment. In this paper, we present a generic configurable dependency model of a SCADA system which captures complex dependencies within a system and facilitates goal-oriented risk assessment. The model was developed by collecting and analysing the understanding of the dependencies within a SCADA system from 36 domain experts. We describe a methodology followed for developing the dependency model, present an illustrative example where the generic dependency model is configured for a SCADA system controlling water distribution, and outline an exemplary risk assessment process based on it.

  • 7.
    de Souza, Fellipe Guilherme Rey
    Inst Tecnol Aeronaut, Brazil.
    Hirata, Celso Massaki
    Inst Tecnol Aeronaut, Brazil.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Synthesis of a Controller Algorithm for Safety-Critical Systems (2022). In: IEEE Access, E-ISSN 2169-3536, Vol. 10, p. 76351-76375. Article in journal (Refereed)
    Abstract [en]

    Systems of today are becoming more complex; they have many levels of the control hierarchy, are software-intensive, use different networks, have increasing processing power, use a diversity of devices, and require more integration. Systems-Theoretic Process Analysis (STPA) is a technique that is being used to analyze the safety of those systems at the concept stage. For the design phase, STPA can be combined with SysML modeling activities, including simulation and formal verification of systems models to produce the control software more efficiently. However, for the design phase, when starting from the STPA analysis there is no support to elaborate the control algorithm. Building the control algorithm is one of the most difficult tasks in the design phase. We propose a method to synthesize the control algorithm for safety-critical systems from the STPA analyses and the functional requirements. Our method maps the control structure (STPA) into a block diagram (SysML), and it uses the STPA results to generate an initial state machine diagram (SysML) for automated controllers, actuators, and sensors. We use our method to generate the control algorithms for an Adaptive Cruise Control system. We evaluate the synthesized algorithms by performing model simulation and formal verification. This illustrates that our method is a systematic way to synthesize control algorithms that satisfy both safety and functional requirements.

  • 8.
    Lin, Chih-Yuan
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    A Comparative Analysis of Emulated and Real IEC-104 Spontaneous Traffic in Power System Networks (2021). In: Cyber-Physical Security for Critical Infrastructures Protection / [ed] Abie, Habtamu; Ranise, Silvio; Verderame, Luca; Cambiaso, Enrico; Ugarelli, Rita; Giunta, Gabriele; Praça, Isabel; Battisti, Federica, Springer International Publishing, 2021, p. 207-223. Conference paper (Refereed)
    Abstract [en]

    Supervisory and Data Acquisition (SCADA) systems control and monitor modern power networks. As attacks targeting SCADA systems are increasing, significant research is conducted to defend SCADA networks including variations of anomaly detection. Due to the sensitivity of real data, many defence mechanisms have been tested only in small testbeds or emulated traffic that were designed with assumptions on how SCADA systems behave. This work provides a timing characterization of IEC-104 spontaneous traffic and compares the results from emulated traffic and real traffic to verify if the network characteristics appearing in testbeds and emulated traffic coincide with real traffic. Among three verified characteristics, two of them appear in the real dataset but in a less regular way, and one does not appear in the collected real data. The insights from these observations are discussed in terms of presumed differences between emulated and real traffic and how those differences are generated.

  • 9.
    Saar de Moraes, Rodrigo
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Abstraction models for verifying resource adequacy of IMA systems at concept level (2021). In: Science of Computer Programming, ISSN 0167-6423, E-ISSN 1872-7964, Vol. 208, article id 102654. Article in journal (Refereed)
    Abstract [en]

    Complex cyber-physical systems can be difficult to analyze for resource adequacy (e.g., bandwidth and buffer size) at the concept development stage since relevant models are hard to create. During this period, details about the functions to be executed or the platforms in the architecture are partially unknown. This is especially true for Integrated Modular Avionics (IMA) systems, for which life-cycles span over several decades, with potential changes to functionality in the future. This work aims to identify abstractions for representing data exchanges among functions realized in networked IMA systems and investigates how these can be represented in formal models and analyzed with exact guarantees. Timed automata (TA) are a relevant choice for modeling since communication resource adequacy is directly related to potential network delays. We explore two alternatives in modeling with TA, a direct one representing every process using a TA template, and a more abstract one representing every computation device with a TA template. While the first approach represents process-to-process data exchanges, the modified approach reduces the state space by representing all processes currently allocated to a single computing element to obtain scalability gains. Both approaches are flexible since the templates presented can be instantiated to represent different types of network topologies and communication patterns. The instantiated TA models are used to illustrate a use case and analyzed with the UPPAAL model checker to verify that a given platform instance supports the desired system functions in terms of network bandwidth and buffer size adequacy, and thereby that messages reach their final destination with freshness guarantees. Both abstraction levels are shown to be suitable for verifying the intended properties, but the more abstract one demonstrates a 67% improvement in verification time and a 66% reduction in state space during verification. The more abstract approach is also applied to a real-world example from an earlier publication, with a much larger state space and a more complex structure, to illustrate the ability to reuse the approach in multiple use cases. (C) 2021 The Authors. Published by Elsevier B.V.

  • 10.
    Toczé, Klervie
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Corrigendum to "A Taxonomy for Management and Optimization of Multiple Resources in Edge Computing" (vol 2018, 7476201, 2018) (2021). In: Wireless Communications & Mobile Computing, ISSN 1530-8669, E-ISSN 1530-8677, Vol. 2021, article id 9876126. Article in journal (Other academic)
    Abstract [en]

    n/a

  • 11.
    Cordero, Carlos Garcia
    Tech Univ Darmstadt, Germany.
    Vasilomanolakis, Emmanouil
    Aalborg Univ, Denmark.
    Wainakh, Aidmar
    Tech Univ Darmstadt, Germany.
    Muhlhauser, Max
    Tech Univ Darmstadt, Germany.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    On Generating Network Traffic Datasets with Synthetic Attacks for Intrusion Detection (2021). In: ACM Transactions on Privacy and Security, ISSN 2471-2566, Vol. 24, no 2, article id 8. Article in journal (Refereed)
    Abstract [en]

    Most research in the field of network intrusion detection heavily relies on datasets. Datasets in this field, however, are scarce and difficult to reproduce. To compare, evaluate, and test related work, researchers usually need the same datasets or at least datasets with similar characteristics as the ones used in related work. In this work, we present concepts and the Intrusion Detection Dataset Toolkit (ID2T) to alleviate the problem of reproducing datasets with desired characteristics to enable an accurate replication of scientific results. Intrusion Detection Dataset Toolkit (ID2T) facilitates the creation of labeled datasets by injecting synthetic attacks into background traffic. The injected synthetic attacks created by ID2T blend with the background traffic by mimicking the background traffic's properties. This article has three core contributions. First, we present a comprehensive survey on intrusion detection datasets. In the survey, we propose a classification to group the negative qualities found in the datasets. Second, the architecture of ID2T is revised, improved, and expanded in comparison to previous work. The architectural changes enable ID2T to inject recent and advanced attacks, such as the EternalBlue exploit or a peer-to-peer botnet. ID2T's functionality provides a set of tests, known as TIDED, that helps identify potential defects in the background traffic into which attacks are injected. Third, we illustrate how ID2T is used in different use-case scenarios to replicate scientific results with the help of reproducible datasets. ID2T is open source software and is made available to the community to expand its arsenal of attacks and capabilities.

  • 12.
    Lin, Chih-Yuan
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Fundin, August
    Linköping University.
    Westring, Erik
    FOI, Swedish Defense Research Agency, Sweden.
    Gustafsson, Tommy
    FOI, Swedish Defense Research Agency, Sweden.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    RICSel21 Data Collection: Attacks in a Virtual Power Network (2021). In: 2021 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), Institute of Electrical and Electronics Engineers (IEEE), 2021, p. 201-206. Conference paper (Refereed)
    Abstract [en]

    Attacks against Supervisory Control and Data Acquisition (SCADA) systems operating critical infrastructures have increased since the appearance of Stuxnet. To defend critical infrastructures, security researchers need realistic datasets to evaluate and benchmark their defense mechanisms such as Anomaly Detection Systems (ADS). However, real-world data collected from critical infrastructures are too sensitive to share openly. Therefore, testbed datasets have become a viable option to balance the requirement of openness and realism. This study provides a data generation framework based on a virtual testbed with a commercial SCADA system and presents an openly available dataset called RICSel21, with packets in IEC-60870-5-104 protocol streams. The dataset is the result of performing 12 attacks, identifying the impact of attacks on a power management system and recording the logs of the seven successful attacks.

  • 13.
    Sund, Tobias
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Lööf, Claes
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Asplund, Mikael
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Blockchain-based event processing in supply chains: A case study at IKEA (2020). In: Robotics and Computer-Integrated Manufacturing, ISSN 0736-5845, E-ISSN 1879-2537, Vol. 65, article id 101971. Article in journal (Refereed)
    Abstract [en]

    One of the major areas of interest for deployment of blockchains is in the supply chain sector where decentralisation combined with immutability is expected to enhance the transparency and robustness of transaction processing drastically. In this work we contribute to a feasibility study for permissioned blockchains in the context of a major international retail company. First, we characterise the types, relationships, and volumes of events that are created in the life cycle of a product from creation to ownership transfer. We use the created event model and the data from the company operations to identify the load that such an event processing system would have to manage. Then we create a prototype based on Quorum that deals with a significant subset of the events and expose the blockchain-based prototype to variations in load to identify the maximum throughput and average transaction processing time. This system can then form the basis of understanding the bottlenecks, configuration settings and platform choices needed in future potential deployment.

  • 14.
    Toczé, Klervie
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Lindqvist, Johan
    Linköping University, Department of Computer and Information Science. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Characterization and modeling of an edge computing mixed reality workload (2020). In: Journal of Cloud Computing: Advances, Systems and Applications, E-ISSN 2192-113X, Vol. 9, no 1, article id 46. Article in journal (Refereed)
    Abstract [en]

    The edge computing paradigm comes with a promise of lower application latency compared to the cloud. Moreover, offloading user device computations to the edge enables running demanding applications on resource-constrained mobile end devices. However, there is a lack of workload models specific to edge offloading using applications as their basis. In this work, we build upon the reconfigurable open-source mixed reality (MR) framework MR-Leo as a vehicle to study resource utilisation and quality of service for a time-critical mobile application that would have to rely on the edge to be widely deployed. We perform experiments to aid estimating the resource footprint and the generated load by MR-Leo, and propose an application model and a statistical workload model for it. The idea is that such empirically-driven models can be the basis of evaluations of edge algorithms within simulation or analytical studies. A comparison with a workload model used in a recent work shows that the computational demand of MR-Leo exhibits very different characteristics from those assumed for MR applications earlier.

  • 15.
    Törnblom, John
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Formal Verification of Input-Output Mappings of Tree Ensembles (2020). In: Science of Computer Programming, ISSN 0167-6423, E-ISSN 1872-7964, Vol. 194. Article in journal (Refereed)
    Abstract [en]

    Recent advances in machine learning and artificial intelligence are now being considered in safety-critical autonomous systems where software defects may cause severe harm to humans and the environment. Design organizations in these domains are currently unable to provide convincing arguments that their systems are safe to operate when machine learning algorithms are used to implement their software.

    In this paper, we present an efficient method to extract equivalence classes from decision trees and tree ensembles, and to formally verify that their input-output mappings comply with requirements. The idea is that, given that safety requirements can be traced to desirable properties on system input-output patterns, we can use positive verification outcomes in safety arguments.

    This paper presents the implementation of the method in the tool VoTE (Verifier of Tree Ensembles), and evaluates its scalability on two case studies presented in current literature. We demonstrate that our method is practical for tree ensembles trained on low-dimensional data with up to 25 decision trees and tree depths of up to 20. Our work also studies the limitations of the method with high-dimensional data and preliminarily investigates the trade-off between a large number of trees and time taken for verification.

  • 16.
    Bergman, Sara
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering. Microsoft Corporation, Oslo, Norway.
    Asplund, Mikael
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Permissioned Blockchains and Distributed Databases: A Performance Study (2020). In: Concurrency and Computation: Practice and Experience, ISSN 1532-0626, E-ISSN 1532-0634, Vol. 32, no 12, article id e5227. Article in journal (Refereed)
    Abstract [en]

    Blockchains are increasingly studied in the context of new applications. Permissioned blockchains promise to deal with the issue of complete removal of trust, a notion that is currently the hallmark of the developed society. Before the idea is adopted in contexts where resource efficiency and fast operation are a requirement, one could legitimately ask the question: can permissioned blockchains match the performance of traditional large-scale databases? This paper compares two popular frameworks, Hyperledger Fabric and Apache Cassandra, as representatives of permissioned blockchains and distributed databases, respectively. We compare their latency for varying workloads and network sizes. The results show that, for small systems, blockchains can start to compete with traditional databases, but also that the difference in consistency models and differences in setup can have a large impact on the resulting performance.

  • 17.
    Da Fontoura, A. A.
    et al.
    Federal University of Rio Grande do Sul, Brazil .
    Nascimento, F.A. M.
    Federal University of Rio Grande do Sul, Brazil .
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    De Freitas, E. P.
    Federal University of Rio Grande do Sul, Brazil .
    Timing Assurance of Avionic Reconfiguration Schemes using Formal Analysis. 2020. In: IEEE Transactions on Aerospace and Electronic Systems, ISSN 0018-9251, E-ISSN 1557-9603, Vol. 56, no 1, p. 95-106. Article in journal (Refereed)
    Abstract [en]

    Reconfigurable avionics systems can tolerate faults by moving functionalities from failed components to another available system component. This paper proposes a distributed reconfigurable architecture for application migration from failed modules to working ones. The feasible system reconfiguration states are determined off-line to provide the expected configuration in foreseen situations. Model checking is used to determine feasible configurations by evaluating specific temporal properties. A case study is used to show the application of the presented approach as a proof of concept.

  • 18.
    Saar de Moraes, Rodrigo
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Verifying Resource Adequacy of Networked IMA Systems at Concept Level. 2020. In: Formal Techniques for Safety-Critical Systems / [ed] Hasan, O. and Mallet, F., Cham: Springer, 2020, p. 40-56. Conference paper (Refereed)
    Abstract [en]

    Complex cyber-physical systems can be difficult to analyze for resource adequacy at the concept development stage since relevant models are hard to create. During this period, details about the functions to be executed or the platforms in the architecture are partially unknown. This is especially true for Integrated Modular Avionics (IMA) Systems, for which life-cycles span over several decades, with potential changes to functionality in the future. To support the engineers evaluating conceptual designs there is a need for tools that model resources of interest in an abstract manner and allow analyses of changing architectures in a modular and scalable way. This work presents a generic timed automata-based model of a networked IMA system abstracting complex networking and computational elements of an architecture, but representing the communication needs of each application function using UPPAAL templates. The proposed model is flexible and can be modified/extended to represent different types of network topologies and communication patterns. More specifically, the different components of the IMA network, Core Processing Modules, Network End-Systems, and Switches, are represented by different templates. The templates are then instantiated to represent a conceptual design, and fed into a model checker to verify that a given platform instance supports the desired system functions in terms of network bandwidth and buffer size adequacy - in particular, whether messages can reach their final destination on time. The work identifies the limits of the tool used for this evaluation, but the conceptual model can be carried over to other tools for further studies.

  • 19.
    Periera, Daniel Patrick
    et al.
    ITA Instituto Tecnologico de Aeronautica, Sao Jose dos Campos, Brazil.
    Hirata, Celso
    ITA Instituto Tecnologico de Aeronautica, Sao Jose dos Campos, Brazil.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    A STAMP-based ontology approach to support safety and security analyses. 2019. In: Journal of Information Security and Applications, ISSN 2214-2134, E-ISSN 2214-2126, Vol. 47, p. 302-319. Article in journal (Refereed)
    Abstract [en]

    Considerations of safety and security in the early stages of the system life cycle are essential to collect and prioritize operational needs, determine the feasibility of the desired system, and identify technology gaps. Experts from many disciplines are needed to perform the safety and security analyses, ensuring that a system has the necessary attributes. Safety assessment is usually conducted in the concept stage. On the other hand, security assessment is usually performed in the design stage, when an initial architecture along with the logical and physical components is defined. Systems-Theoretic Process Analysis (STPA) is a new hazard analysis technique based on systems thinking and built on top of a new accident causality model, the Systems-Theoretic Accident Model and Processes (STAMP), grounded in systems theory. STPA for Security (STPA-Sec) is an extension of STPA that proposes to include security concerns in the analysis. STPA-Sec helps identify some hazardous control actions, causal scenarios, and causal factors; however, no emphasis is placed on security threat scenarios. In this paper we propose an ontology-based technique that extends STPA-Sec to improve the identification of causal scenarios and associated causal factors, specifically those related to security. We propose an approach that assists safety and security experts in conducting safety and security analyses using STPA-Sec with a supporting ontology. First, we present an ontology representing the safety and security knowledge captured through the STPA-Sec process, and provide a tool that implements the proposed ontology. We then propose a process to capture safety and security knowledge in the proposed ontology to identify causal scenarios. We perform a preliminary evaluation of the ontology and the process using an aeronautic case study. The results show that the ontology-based approach helps systems engineers to identify more security scenarios compared to the case where they use only STPA-Sec. Furthermore, some hazardous control actions are not addressed if the systems engineer uses the basic STPA-Sec.

  • 20.
    Törnblom, John
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    An Abstraction-Refinement Approach to Formal Verification of Tree Ensembles. 2019. In: Computer Safety, Reliability, and Security: SAFECOMP 2019 Workshops, ASSURE, DECSoS, SASSUR, STRIVE, and WAISE, Turku, Finland, September 10, 2019, Proceedings, Springer, 2019, p. 301-313. Conference paper (Refereed)
    Abstract [en]

    Recent advances in machine learning are now being considered for integration in safety-critical systems such as vehicles, medical equipment and critical infrastructure. However, organizations in these domains are currently unable to provide convincing arguments that systems integrating machine learning technologies are safe to operate in their intended environments.

    In this paper, we present a formal verification method for tree ensembles that leverages an abstraction-refinement approach to counteract combinatorial explosion. We implemented the method as an extension to a tool named VoTE, and demonstrate its applicability by verifying the robustness against perturbations of random forests and gradient boosting machines in two case studies. Our abstraction-refinement based extension to VoTE improves the performance by several orders of magnitude, scaling to tree ensembles with up to 50 trees of depth 10, trained on high-dimensional data.

  • 21.
    Hirata, Celso
    et al.
    Instituto Tecnológico de Aeronáutica (ITA), Brazil.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Combining GSN and STPA for Safety Arguments. 2019. In: Proceedings of the 7th International Workshop on Assurance Cases for Software-intensive Systems (ASSURE), held in conjunction with SAFECOMP, Springer, 2019. Conference paper (Refereed)
    Abstract [en]

    A dependability case, assurance case, or safety case is employed to explain why all critical hazards have been eliminated or adequately mitigated in mission-critical and safety-critical systems. Goal Structuring Notation (GSN) is the most employed graphical notation for documenting dependability cases. System Theoretic Process Analysis (STPA) is a technique, based on the System Theoretic Accident Model and Processes (STAMP), to identify hazardous control actions, scenarios, and causal factors. STPA is considered a rather complex technique, but there is a growing interest in using STPA in the certification of safety-critical systems development. We investigate how STAMP and STPA can be related to the use of assurance cases. This is done in a generic way by representing the STPA steps as part of the evidence and claim documentation within GSN.

  • 22.
    Törnblom, John
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Formal Verification of Random Forests in Safety-Critical Applications. 2019. In: Formal Techniques for Safety-Critical Systems, Springer, 2019, p. 55-71. Conference paper (Refereed)
    Abstract [en]

    Recent advances in machine learning and artificial intelligence are now being applied in safety-critical autonomous systems where software defects may cause severe harm to humans and the environment. Design organizations in these domains are currently unable to provide convincing arguments that systems using complex software implemented using machine learning algorithms are safe and correct.

    In this paper, we present an efficient method to extract equivalence classes from decision trees and random forests, and to formally verify that their input/output mappings comply with requirements. We implement the method in our tool VoRF (Verifier of Random Forests), and evaluate its scalability on two case studies found in the literature. We demonstrate that our method is practical for random forests trained on low-dimensional data with up to 25 decision trees, each with a tree depth of 20. Our work also demonstrates the limitations of the method with high-dimensional data and touches upon the trade-off between a large number of trees and the time taken for verification.
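
The equivalence-class idea shared by items 15, 20 and 22 above (every root-to-leaf path of a tree is a hyperrectangle in input space, and an ensemble is constant on each non-empty intersection of one such box per tree, so a requirement checked over those cells covers the whole input domain rather than sampled inputs), worked through as an added example that is not the VoTE/VoRF code. The tree encoding, the majority vote and its tie-break, the half-open intervals and the three-tree "safe"/"unsafe" classifier are all assumptions constructed here:

```python
"""Equivalence classes of a small tree ensemble, checked exhaustively against a requirement.

Added illustration, not the authors' tool. Assumed: trees are nested tuples, the ensemble
is a majority vote with a fixed tie-break, and every interval is half-open (lo, hi] so
that cells never overlap. The enumeration is exponential in the number of trees, which is
the combinatorial explosion the abstraction-refinement work above is designed to avoid.
"""
from collections import Counter
from itertools import product

# Tree encoding (assumed): ("leaf", label) or ("split", feature, threshold, left, right),
# where `left` handles x[feature] <= threshold and `right` handles x[feature] > threshold.

def leaf_boxes(tree, box):
    """Yield (box, label) for every root-to-leaf path; box = tuple of (lo, hi] per feature."""
    if tree[0] == "leaf":
        yield box, tree[1]
        return
    _, f, thr, left, right = tree
    lo, hi = box[f]
    if lo < min(hi, thr):                      # part of the box routed to the left child
        yield from leaf_boxes(left, box[:f] + ((lo, min(hi, thr)),) + box[f + 1:])
    if max(lo, thr) < hi:                      # part of the box routed to the right child
        yield from leaf_boxes(right, box[:f] + ((max(lo, thr), hi),) + box[f + 1:])

def intersect(a, b):
    """Intersection of two boxes, or None when it is empty."""
    cell = tuple((max(l1, l2), min(h1, h2)) for (l1, h1), (l2, h2) in zip(a, b))
    return cell if all(lo < hi for lo, hi in cell) else None

def majority(labels):
    votes = Counter(labels)
    top = max(votes.values())
    return min(l for l, c in votes.items() if c == top)   # assumed tie-break: smallest label

def equivalence_classes(trees, domain):
    """All non-empty intersections of one leaf box per tree, each with the ensemble's output.
    Every input in a cell takes the same path in every tree, so the ensemble is constant on it."""
    per_tree = [list(leaf_boxes(t, domain)) for t in trees]
    classes = []
    for combo in product(*per_tree):
        cell = domain
        for box, _ in combo:
            cell = intersect(cell, box)
            if cell is None:
                break
        if cell is not None:
            classes.append((cell, majority(label for _, label in combo)))
    return classes

def check_requirement(classes, region, allowed):
    """None if every class overlapping `region` outputs a label in `allowed`,
    otherwise the first violating (cell, label) as a counterexample."""
    for cell, label in classes:
        if intersect(cell, region) is not None and label not in allowed:
            return cell, label
    return None

def predict(trees, x):
    """Plain evaluation of the ensemble on one point, used to cross-check the classes."""
    leaves = []
    for t in trees:
        while t[0] == "split":
            _, f, thr, left, right = t
            t = left if x[f] <= thr else right
        leaves.append(t[1])
    return majority(leaves)

def robustness_counterexample(trees, domain, x0, eps):
    """Is the verdict constant on the box x0 +/- eps? Returns None or a violating cell."""
    region = tuple((v - eps, v + eps) for v in x0)
    return check_requirement(equivalence_classes(trees, domain), region, {predict(trees, x0)})

# Constructed 3-tree ensemble over two features in (0, 10]: a toy "safe"/"unsafe" classifier.
DOMAIN = ((0.0, 10.0), (0.0, 10.0))
TREES = [
    ("split", 0, 5.0, ("leaf", "safe"),
     ("split", 1, 5.0, ("leaf", "safe"), ("leaf", "unsafe"))),
    ("split", 1, 4.0, ("leaf", "safe"),
     ("split", 0, 6.0, ("leaf", "safe"), ("leaf", "unsafe"))),
    ("split", 0, 7.0, ("leaf", "safe"), ("leaf", "unsafe")),
]

if __name__ == "__main__":
    cells = equivalence_classes(TREES, DOMAIN)
    print(len(cells), "equivalence classes")
    print("f0 <= 5 always safe:", check_requirement(cells, ((0.0, 5.0), (0.0, 10.0)), {"safe"}))
    print("robust around (6.5, 5.5):", robustness_counterexample(TREES, DOMAIN, (6.5, 5.5), 1.0))
```

The three toy trees produce ten cells; the requirement "everything with f0 <= 5 is safe" holds on all of them, while the robustness query around (6.5, 5.5) returns a neighbouring cell where the vote flips, which is the kind of counterexample a sampled test can miss.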

  • 23.
    Toczé, Klervie
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    ORCH: Distributed Orchestration Framework using Mobile Edge Devices. 2019. In: 2019 IEEE 3rd International Conference on Fog and Edge Computing (ICFEC), IEEE, 2019. Conference paper (Refereed)
    Abstract [en]

    In the emerging edge computing architecture, several types of devices have computational resources available. In order to make efficient use of those resources, deciding on which device a task should execute is of great importance. Existing works on task placement in edge computing focus on a resource supply side consisting of stationary devices only. In this paper, we consider the addition of mobile edge devices. We explore how mobile and stationary edge devices can augment the original task placement problem with a second placement problem: the placement of the mobile edge devices. We propose the ORCH framework in order to solve the joint problem in a distributed manner and evaluate it in the context of a spatially-changing load. Our implementation of the combined task and edge placement algorithms shows a normalized 83% delay-sensitive task completion rate compared to a perfect edge placement strategy.

  • 24.
    Toczé, Klervie
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Lindqvist, Johan
    Linköping University, Department of Computer and Information Science, Software and Systems.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Performance Study of Mixed Reality for Edge Computing. 2019. Conference paper (Refereed)
    Abstract [en]

    Edge computing is a recent paradigm where computing resources are placed close to the user, at the edge of the network. This is a promising enabler for applications that are too resource-intensive to be run on an end device, but at the same time require too low a latency to be run in a cloud, such as mixed reality (MR).

    In this work, we present MR-Leo, a prototype for creating an MR-enhanced video stream. It enables offloading of the point cloud creation and graphic rendering at the edge. We study the performance of the prototype with regards to latency and throughput in five different configurations with different alternatives for the transport protocol, the video compression format and the end/edge devices used.

    The evaluations show that UDP and MJPEG are good candidates for achieving acceptable latency and that the design of the communication protocol is critical for offloading video stream analysis to the edge.

  • 25.
    Almgren, Magnus
    et al.
    Department of computer science and engineering, Chalmers university of technology, Gothenburg.
    Andersson, Peter
    FOI, Swedish Defence Research Agency, Linköping, Sweden.
    Björkman, Gunnar
    Stockholms stad / Kungliga Tekniska Högskolan, KTH, Stockholm.
    Ekstedt, Mathias
    Industrial Information and Control Systems, Royal Institute of Technology, KTH, Stockholm.
    Hallberg, Jonas
    FOI, Swedish Defence Research Agency, Linköping, Sweden.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Westring, Eric
    FOI, Swedish Defence Research Agency, Linköping, Sweden.
    RICS-el: Building a National Testbed for Research and Training on SCADA Security. 2019. In: Critical Information Infrastructures Security: 13th International Conference, CRITIS 2018, Kaunas, Lithuania, September 24-26, 2018, Revised Selected Papers / [ed] Eric Luiijf, Inga Žutautaitė and Bernhard Hämmerli, Springer, 2019, p. 219-225. Chapter in book (Refereed)
    Abstract [en]

    Trends show that cyber attacks targeting critical infrastructures are increasing, but security research for protecting such systems is challenging. There is a gap between the somewhat simplified models researchers at universities can sustain versus the complex systems at infrastructure owners that seldom can be used for direct research. There is also a lack of common datasets for research benchmarking. This paper presents a national experimental testbed for security research within supervisory control and data acquisition systems (SCADA), accessible for both research training and experiments. The virtualized testbed has been designed and implemented with both vendor experts and security researchers to balance the goals of realism with specific research needs. It includes a real SCADA product for energy management, a number of network zones, substation nodes, and a simulated power system. This environment enables creation of scenarios similar to real world utility scenarios, attack generation, development of defence mechanisms, and perhaps just as important: generating open datasets for comparative research evaluation.

  • 26.
    Lin, Chih-Yuan
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Timing Patterns and Correlations in Spontaneous SCADA Traffic for Anomaly Detection. 2019. In: 22nd International Symposium on Research on Attacks, Intrusions, and Defenses (RAID), USENIX - The Advanced Computing Systems Association, 2019, p. 73-88. Conference paper (Refereed)
    Abstract [en]

    Supervisory Control and Data Acquisition (SCADA) systems operate critical infrastructures in our modern society despite their vulnerability to attacks and misuse. There are several anomaly detection systems based on the cycles of polling mechanisms used in SCADA systems, but the feasibility of anomaly detection systems based on non-polling traffic, so called spontaneous events, is not well-studied. This paper presents a novel approach to modeling the timing characteristics of spontaneous events in an IEC-60870-5-104 network and exploits the model for anomaly detection. The system is tested with a dataset from a real power utility with injected timing effects from two attack scenarios. One attack causes timing anomalies due to persistent malfunctioning in the field devices, and the other generates intermittent anomalies caused by malware on the field devices, which is considered stealthy. The detection accuracy and timing performance are promising for all the experiments with persistent anomalies. With intermittent anomalies, we found that our approach is effective for anomalies in low-volume traffic or attacks lasting over 1 hour.

  • 27.
    Toczé, Klervie
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Schmitt, Norbert
    University of Würzburg; Germany.
    Brandic, Ivona
    Vienna University of Technology, Austria.
    Aral, Atakan
    Vienna University of Technology, Austria.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Towards Edge Benchmarking: A Methodology for Characterizing Edge Workloads. 2019. In: Proceedings of the 4th International Workshop on Foundations and Applications of Self* Systems (FAS*W), IEEE, 2019, p. 70-71. Conference paper (Refereed)
    Abstract [en]

    The edge computing paradigm has recently attracted research efforts coming from different application domains. However, evaluating an edge platform or algorithm is impeded by the lack of suitable benchmarks. We propose a methodology for characterizing edge workloads from different application domains. It is a first step towards defining workloads to be included in a future edge benchmarking suite. We evaluate the methodology on three use cases and find that defining a common and standard set of workloads is plausible.

  • 28.
    Souza, F. G.
    et al.
    Instituto Tecnológico de Aeronáutica, Brazil.
    Periera, Daniel Patrick
    Instituto Tecnológico de Aeronáutica, Brazil.
    Pagliares, R. M.
    Universidade Federal de Alfenas, Brazil.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering. Instituto Tecnológico de Aeronáutica (ITA), Brazil.
    Hirata, Celso
    Instituto Tecnológico de Aeronáutica, Brazil.
    WebSTAMP: a Web Application for STPA & STPA-Sec. 2019. In: Proceedings of the International Cross-industry Safety Conference (ICSC) - European STAMP Workshop & Conference (ESWC) (ICSC-ESWC 2018), EDP Sciences, 2019. Conference paper (Refereed)
    Abstract [en]

    STAMP (System-Theoretic Accident Model and Processes) techniques such as STPA (System-Theoretic Process Analysis) and STPA-Sec (STPA for Security) have been applied only in an ad hoc manner, without the aid of tools. More recently, tools have been proposed to help the application of STPA and STPA-Sec. Most of the tools focus on user experience issues and do not cover all the aspects of STPA and STPA-Sec. Three aspects of tools are systematization, automation and analysis completeness. Systematization allows the analysis to be performed in a more disciplined way, while automation allows a more time-efficient analysis. Analysis completeness is the analysis coverage in a given domain. We identify the essential requirements supporting business and stakeholders' needs for a STAMP-based tool. We propose a STAMP-compliant web application, named WebSTAMP, for STPA and STPA-Sec. WebSTAMP is intended to aid analysts throughout the analysis process in a more automated and comprehensive way, and it aims to be a collaborative tool. We illustrate how the requirements are implemented in the current version of WebSTAMP with an example of use. The results show that WebSTAMP assists analysts in conducting safety and security analyses in a more systematic, automated and comprehensive manner.

  • 29.
    Toczé, Klervie
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    A Taxonomy for Management and Optimization of Multiple Resources in Edge Computing. 2018. In: Wireless Communications & Mobile Computing, ISSN 1530-8669, E-ISSN 1530-8677, article id 7476201. Article, review/survey (Refereed)
    Abstract [en]

    Edge computing is promoted to meet increasing performance needs of data-driven services using computational and storage resources close to the end devices at the edge of the current network. To achieve higher performance in this new paradigm, one has to consider how to combine the efficiency of resource usage at all three layers of architecture: end devices, edge devices, and the cloud. While cloud capacity is elastically extendable, end devices and edge devices are to various degrees resource-constrained. Hence, an efficient resource management is essential to make edge computing a reality. In this work, we first present terminology and architectures to characterize current works within the field of edge computing. Then, we review a wide range of recent articles and categorize relevant aspects in terms of 4 perspectives: resource type, resource management objective, resource location, and resource use. This taxonomy and the ensuing analysis are used to identify some gaps in the existing research. Among several research gaps, we found that research is less prevalent on data, storage, and energy as a resource and less extensive towards the estimation, discovery, and sharing objectives. As for resource types, the most well-studied resources are computation and communication resources. Our analysis shows that resource management at the edge requires a deeper understanding of how methods applied at different levels and geared towards different resource types interact. Specifically, the impact of mobility and collaboration schemes requiring incentives are expected to be different in edge architectures compared to the classic cloud solutions. Finally, we find that fewer works are dedicated to the study of nonfunctional properties or to quantifying the footprint of resource management techniques, including edge-specific means of migrating data and services.

  • 30.
    Lofwenmark, Andreas
    et al.
    Saab Aeronaut, Linkoping, Sweden.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Fault and timing analysis in critical multi-core systems: A survey with an avionics perspective. 2018. In: Journal of Systems Architecture, ISSN 1383-7621, E-ISSN 1873-6165, Vol. 87, p. 1-11. Article, review/survey (Refereed)
    Abstract [en]

    With more functionality added to future safety-critical avionics systems, new platforms are required to offer the computational capacity needed. Multi-core processors offer a potential that is promising, but they also suffer from two issues that are only recently being addressed in the safety-critical contexts: lack of methods for assuring timing determinism, and higher sensitivity to permanent and transient faults due to shrinking transistor sizes. This paper reviews major contributions that assess the impact of fault tolerance on worst-case execution time of processes running on a multi-core platform. We consider the classic approach for analyzing the impact of faults in such systems, namely fault injection. The review therefore explores the area in which timing effects are studied when fault injection methods are used. We conclude that there are few works that address the intricate timing effects that appear when inter-core interferences due to simultaneous accesses of shared resources are combined with fault tolerance techniques. We assess the applicability of the methods to currently available multi-core processors used in avionics. Dark spots on the research map of the integration problem of hardware reliability and timing predictability for multi-core avionics systems are identified.

  • 31.
    Asplund, Mikael
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Lövhall, Jakob
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    In-store payments using Bitcoin. 2018. In: 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS), IEEE, 2018. Conference paper (Refereed)
    Abstract [en]

    The possibility of in-store payments would further increase the potential usefulness of cryptocurrencies. However, this would require much faster transaction verification than current solutions provide (one hour for Bitcoin) since customers are likely not prepared to wait a very long time for their purchase to be accepted by a store. We propose a solution for enabling in-store payments with waiting times in the order of a few seconds, which is still compatible with the current Bitcoin protocol. The idea is based on a payment card in combination with a protocol for ensuring that losing a card does not mean losing the money on it. We analyse the required transaction verification delay and also the potentially added risks that the solution brings compared to current systems.

  • 32.
    Lin, Chih-Yuan
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Asplund, Mikael
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Timing-Based Anomaly Detection in SCADA Networks. 2018. In: Critical Information Infrastructures Security, Springer, 2018, p. 48-59. Conference paper (Refereed)
    Abstract [en]

    Supervisory Control and Data Acquisition (SCADA) systems that operate our critical infrastructures are subject to increased cyber attacks. Due to the use of request-response communication in polling, SCADA traffic exhibits stable and predictable communication patterns. This paper provides a timing-based anomaly detection system that uses the statistical attributes of the communication patterns. This system is validated with three datasets, one generated from real devices and two from emulated networks, and is shown to have a False Positive Rate (FPR) under 1.4%. The tests are performed in the context of three different attack scenarios, which involve valid messages so they cannot be detected by whitelisting mechanisms. The detection accuracy and timing performance are adequate for all the attack scenarios in request-response communications. With other interaction patterns (i.e. spontaneous communications), we found instead that 2 out of 3 attacks are detected.
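
The request-response timing detector described in the abstract above, as an added example that is not the authors' system: it learns a per-flow inter-arrival baseline from a clean window and alarms when a sliding window of gaps drifts away from it. The (timestamp, src, dst, type_id) record shape, the IEC-104-style interrogation poll, the window size, the alarm threshold and the replay scenario are all constructed assumptions; the point it makes is the one in the abstract, that every injected message is individually valid and passes a whitelist, yet the timing statistics still expose it.

```python
"""Timing-based anomaly detection on polling (request-response) SCADA traffic.

Added illustration of the approach in the abstract above, not the authors' detector.
Assumed here: each message is a constructed (timestamp, src, dst, type_id) record in
the spirit of IEC-104 interrogation polls, the statistic is the per-flow inter-arrival
time, and the window size and alarm threshold are arbitrary choices.
"""
import random
import statistics
from collections import defaultdict

def interarrivals_by_flow(records):
    """records: iterable of (t, src, dst, type_id). Returns {flow: [gaps]} in time order."""
    last, gaps = {}, defaultdict(list)
    for t, src, dst, type_id in sorted(records):
        flow = (src, dst, type_id)
        if flow in last:
            gaps[flow].append(t - last[flow])
        last[flow] = t
    return gaps

def learn_baseline(training_records):
    """Per-flow mean and population standard deviation of the inter-arrival time, learned
    from a window that is assumed to be attack-free."""
    return {flow: (statistics.mean(g), statistics.pstdev(g))
            for flow, g in interarrivals_by_flow(training_records).items() if len(g) >= 2}

def detect(baseline, records, window=8, k=4.0):
    """Slide a window over each flow's gaps and alarm when the window mean lies more than
    k baseline standard deviations from the baseline mean.
    Returns [(flow, gap_index, window_mean)], the first alarm for each alarming flow."""
    alarms = []
    for flow, gaps in interarrivals_by_flow(records).items():
        if flow not in baseline:
            alarms.append((flow, 0, None))     # never seen in training: a whitelist catches this too
            continue
        mu, sigma = baseline[flow]
        sigma = max(sigma, 1e-3 * mu)          # floor so a jitter-free baseline does not alarm on noise
        for i in range(window, len(gaps) + 1):
            m = statistics.mean(gaps[i - window:i])
            if abs(m - mu) > k * sigma:
                alarms.append((flow, i, m))
                break
    return alarms

def polling_trace(start, count, period, jitter, rng, src="master", dst="rtu1", type_id=100):
    """Constructed master-to-RTU interrogation requests, `period` s apart plus uniform jitter."""
    t, out = start, []
    for _ in range(count):
        out.append((t, src, dst, type_id))
        t += period + rng.uniform(-jitter, jitter)
    return out

def whitelist_ok(records, allowed):
    """The per-message check a whitelisting IDS performs; every injected message below passes it."""
    return all((src, dst, type_id) in allowed for _, src, dst, type_id in records)

def demo():
    rng = random.Random(7)
    allowed = {("master", "rtu1", 100)}
    baseline = learn_baseline(polling_trace(0.0, 120, 10.0, 0.2, rng))
    clean = polling_trace(1200.0, 40, 10.0, 0.2, rng)
    # Constructed attack: the adversary replays the valid interrogation command halfway
    # between the first 20 legitimate polls, halving the inter-arrival time for a while.
    legit = polling_trace(2400.0, 40, 10.0, 0.2, rng)
    attack = legit + [(t + 5.0, s, d, ty) for t, s, d, ty in legit[:20]]
    return {"whitelist_passes": whitelist_ok(attack, allowed),
            "baseline": baseline[("master", "rtu1", 100)],
            "alarms_clean": detect(baseline, clean),
            "alarms_attack": detect(baseline, attack)}

if __name__ == "__main__":
    print(demo())
```

With a 10 s poll and 0.2 s jitter the baseline deviation is about 0.12 s, so the clean trace never moves a window mean more than four deviations from 10 s, while the replayed polls pull the window mean to about 5 s and alarm on the first full window.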

  • 33.
    Lin, Chih-Yuan
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Understanding IEC-60870-5-104 Traffic Patterns in SCADA Networks. 2018. In: Proceedings of the 4th ACM Workshop on Cyber-Physical System Security, NY, USA: ACM, 2018, p. 51-60. Conference paper (Refereed)
    Abstract [en]

    The IEC-60870-5-104 (IEC-104) protocol is commonly used in Supervisory Control and Data Acquisition (SCADA) networks to operate critical infrastructures, such as power stations. As the importance of SCADA security is growing, characterization and modeling of SCADA traffic for developing defense mechanisms based on the regularity of the polling mechanism used in SCADA systems has been studied, whereas the characterization of traffic caused by non-polling mechanisms, such as spontaneous events, has not been well-studied. This paper provides a first look at how the traffic flowing between SCADA components changes over time. It proposes a method built upon Probabilistic Suffix Tree (PST) to discover the underlying timing patterns of spontaneous events. In 11 out of 14 tested data sequences, we see evidence of existence of underlying patterns. Next, the prediction capability of the approach, useful for devising anomaly detection mechanisms, is studied. While some data patterns enable an 80% prediction possibility, more work is needed to tune the method for higher accuracy.
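
The Probabilistic Suffix Tree idea used in this abstract and in item 26 above (a variable-order model of the symbolised inter-arrival times of spontaneous events, used both to predict the next event and to flag stretches of traffic the model finds improbable), as an added example that is not the authors' implementation. The three-symbol alphabet and its bin edges, the context depth, pruning rule, smoothing, alarm threshold and the event sequences are all constructed assumptions:

```python
"""Probabilistic suffix tree (PST) over quantised inter-arrival times of spontaneous events.

Added example of the modelling idea in the two SCADA traffic abstracts above, not the
authors' code: alphabet, bin edges, depth, pruning, smoothing, threshold and the
sequences are constructed here.
"""
from collections import Counter, defaultdict

ALPHABET = "SML"  # short / medium / long gap (assumed)

def symbolize(gaps, bounds=(2.0, 20.0)):
    """Quantise inter-arrival times in seconds into one symbol each (assumed bin edges)."""
    return "".join("S" if g < bounds[0] else "M" if g < bounds[1] else "L" for g in gaps)

class PST:
    """Variable-order Markov model: for every context (suffix) of up to `depth` symbols,
    the empirical distribution of the symbol that followed it in training."""

    def __init__(self, depth=4, min_count=3):
        self.depth, self.min_count = depth, min_count
        self.next = {}                        # context string -> Counter of next symbols

    def fit(self, seq):
        counts = defaultdict(Counter)
        for i in range(len(seq)):
            for d in range(min(i, self.depth) + 1):
                counts[seq[i - d:i]][seq[i]] += 1
        # prune contexts seen too rarely to estimate a distribution from (assumed rule);
        # the empty context keeps the whole training sequence and always survives
        self.next = {c: n for c, n in counts.items() if sum(n.values()) >= self.min_count}
        return self

    def context(self, history):
        """Longest suffix of `history` that survived pruning."""
        for d in range(min(self.depth, len(history)), -1, -1):
            c = history[len(history) - d:]
            if c in self.next:
                return c
        return ""

    def prob(self, history, sym, alpha=0.5):
        """Additively smoothed P(sym | context) so an unseen symbol is unlikely, not impossible."""
        n = self.next[self.context(history)]
        return (n[sym] + alpha) / (sum(n.values()) + alpha * len(ALPHABET))

    def predict(self, history):
        n = self.next[self.context(history)]
        return max(sorted(n), key=n.__getitem__)   # deterministic tie-break (alphabetical)

def accuracy(model, seq):
    """Fraction of symbols seq[1:] the model predicts correctly from the preceding ones."""
    hits = sum(model.predict(seq[:i]) == seq[i] for i in range(1, len(seq)))
    return hits / (len(seq) - 1)

def anomalous_windows(model, seq, window=10, threshold=0.10):
    """Positions i whose last `window` symbols had a mean model probability below `threshold`
    (assumed cut-off); a run of timing patterns never seen in training drives this down fast."""
    probs = [model.prob(seq[:i], seq[i]) for i in range(len(seq))]
    return [i for i in range(window, len(seq) + 1)
            if sum(probs[i - window:i]) / window < threshold]

def demo():
    # Constructed inter-arrival times (s) of spontaneous events from one field device:
    # two quick updates, a medium gap, then a long quiet period, repeated.
    pattern = [0.5, 1.0, 8.0, 60.0]
    train = symbolize(pattern * 60)
    normal = symbolize(pattern * 20)
    # Constructed intermittent anomaly: 30 rapid-fire events inside otherwise normal traffic,
    # each of them an individually valid message.
    attack = symbolize(pattern * 5 + [0.5] * 30 + pattern * 5)
    model = PST(depth=4, min_count=3).fit(train)
    return {"accuracy": accuracy(model, normal),
            "normal_alarms": anomalous_windows(model, normal),
            "attack_alarms": anomalous_windows(model, attack)}

if __name__ == "__main__":
    print(demo())
```

On the constructed pattern the model predicts all but the very first symbol of a normal stretch (after one symbol the context is still ambiguous), and the burst of short gaps falls back to the two-symbol context "SS", which training only ever saw followed by a medium gap, so the window probability collapses until the regular pattern resumes.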

  • 34.
    Boudjadar, Jalil
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Schedulability and Memory Interference Analysis of Multicore Preemptive Real-time Systems. 2017. In: ICPE '17: Proceedings of the 8th ACM/SPEC International Conference on Performance Engineering, ACM Press, 2017, p. 263-274. Conference paper (Refereed)
    Abstract [en]

    Today's embedded systems demand increasing computing power to accommodate the ever-growing software functionality. Automotive and avionic systems aim to leverage the high performance capabilities of multicore platforms, but are faced with challenges with respect to temporal predictability. Multicore designers have achieved much progress on improvement of memory-dependent performance in caching systems and shared memories in general. However, having applications running simultaneously and requesting access to the shared memories concurrently leads to interference. The performance unpredictability resulting from interference at any shared memory level may lead to violation of the timing properties in safety-critical real-time systems. In this paper, we introduce a formal analysis framework for the schedulability and memory interference of multicore systems with shared caches and DRAM. We build a multicore system model with a fine-grained application behavior given in terms of periodic preemptible tasks, described with explicit read and write access numbers for shared caches and DRAM. We also provide a method to analyze and recommend candidates for task-to-core reallocation with the goal to find schedulable configurations if a given system is not schedulable. Our model-based framework is realized using Uppaal and has been used to analyze a case study.

  • 35.
    Pereira, Daniel
    et al.
    Instituto Tecnológico de Aeronáutica, São José dos Campos, Brazil.
    Hirata, Celso
    Instituto Tecnológico de Aeronáutica, São José dos Campos, Brazil.
    Pagliares, Rodrigo
    Instituto Tecnológico de Aeronáutica, São José dos Campos, Brazil.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Towards Combined Safety and Security Constraints Analysis2017In: Proceedings of the 5th International Workshop on Assurance Cases for Software-Intensive Systems (SAFECOMP workshops) / [ed] Stefano Tonetta, Erwin Schoitsch, Springer, 2017, Vol. 10489, p. 70-80Conference paper (Refereed)
    Abstract [en]

    A growing threat to the cyber-security of embedded safety-critical systems calls for a new look at the development methods for such systems. One alternative to address security and safety concerns jointly is to use the perspective of modeling using system theory. Systems-Theoretic Process Analysis (STPA) is a new hazard analysis technique based on an accident causality model. NIST SP 800-30 is a well-known framework that has been largely employed to aid in identifying threat events/sources and vulnerabilities, determining the effectiveness of security controls, and evaluating the adverse impact of risks. Safety and security analyses, when performed independently, may generate conflicts of design constraints that result in an inconsistent design. This paper reports a novel integrated approach for safety analysis and security analysis of systems. In our approach, safety analysis is conducted with STPA while security analysis employs NIST SP 800-30. It builds on a specification of security and safety constraints and outlines a scheme to automatically analyze and detect conflicts between, and pairwise reinforcements of, various constraints. Preliminary results show that the approach allows security and safety teams to perform a more efficient analysis.

  • 36.
    Toczé, Klervie
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Where Resources meet at the Edge2017In: 2017 IEEE INTERNATIONAL CONFERENCE ON COMPUTER AND INFORMATION TECHNOLOGY (CIT), IEEE , 2017, p. 302-307Conference paper (Refereed)
    Abstract [en]

    Edge computing is a recent paradigm where network nodes are placed close to the end users, at the edge of the network. Efficient management of resources within this configuration is crucial due to the scarcity and geographical spreading of edge resources. We begin with a brief description of the edge paradigm, the most generic edge architecture, and the terminology associated with it. Then, we propose and elaborate on a preliminary taxonomy for edge resource management, together with a substantial review of works in the area. Finally, we identify some research challenges.

  • 37.
    Asplund, Mikael
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Attitudes and Perceptions of IoT Security in Critical Societal Services2016In: IEEE Access, E-ISSN 2169-3536, Vol. 4, p. 2130-2138Article in journal (Refereed)
    Abstract [en]

    A quiet revolution that impacts several sectors, ranging over transport, home automation, energy, industrial control, and health services, is under way with the addition of new networked devices leading to enhanced services. In this paper, we aim to identify information security requirements that are common over several (vertical) sectors, and in particular, ones that impact critical societal services, namely, the energy, water, and health management systems. We present the results of an interview-based study where actors in these sectors were asked about their perceptions and attitudes on the security of the Internet of Things (IoT). We set these perceptions and attitudes in context through a literature review of IoT security, and relate them to current challenges in this area. This paper demonstrates that despite an overall optimistic view on IoT in critical societal services, there is a lack of consensus on risks related to IoT security.

  • 38.
    Alesand, Alexander
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Vergara, Ekhiotz Jon
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Communication Energy Evaluation for Mobile Applications: Emulating 3G over WiFi2016In: ProceedingENERGY-SIM '16 Proceedings of the 2nd International Workshop on Energy-Aware Simulation, ACM Digital Library, 2016Conference paper (Refereed)
    Abstract [en]

    Ubiquitous connectivity and massive use of mobile applications are currently hampered by fast battery drain of mobile devices. The communication energy of a mobile device is highly influenced by the cellular operator configuration and the communication data pattern. Although testing the functionality and efficiency of an application under diverse and realistic network settings is desirable, it is currently limited at the application developer test environment. It is generally hard to mimic different operator (infrastructure) settings that impact battery drain. In this paper we propose a system that creates a realistic cellular network testing environment for mobile applications on top of a WiFi network. A mobile device connects via WiFi to an emulator which shapes the uplink and downlink WiFi traffic using real cellular operator configuration parameters. The system provides higher test repeatability compared to live networks and can be configured to emulate diverse cellular network parameters. These parameters, which determine the energy consumption, can be changed modularly and efficiently. The evaluation of the resulting traffic of the emulator compared to real cellular packet traces from a streaming application shows a high correlation (0.97-0.98). The work has resulted in integration of the emulator within Spotify's test environment.

  • 39.
    Somarriba, Oscar
    et al.
    Electronics and Computing Department, Mondragon University, Mondragon, Spain; National University of Engineering (UNI), P.O. Box 5595, Managua, Nicaragua .
    Zurutuza, Urko
    Electronics and Computing Department, Mondragon University, Mondragon, Spain.
    Uribeetxeberria, Roberto
    Electronics and Computing Department, Mondragon University, Mondragon, Spain.
    Delosierés, Laurent
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Detection and Visualization of Android Malware Behavior2016In: Journal of Electrical and Computer Engineering, ISSN 2090-0147, Vol. 2016, article id 8034967Article in journal (Refereed)
    Abstract [en]

    Malware analysts still need to manually inspect malware samples that are considered suspicious by heuristic rules. They dissect software pieces and look for malware evidence in the code. The increasing number of malicious applications targeting Android devices raises the demand for analyzing them to find where the malcode is triggered when the user interacts with them. In this paper a framework to monitor and visualize Android applications’ anomalous function calls is described. Our approach includes platform-independent application instrumentation, introducing hooks in order to trace restricted API functions used at runtime by the application. These function calls are collected at a central server where the application behavior filtering and a visualization take place. This can help Android malware analysts in visually inspecting what the application under study does, easily identifying such malicious functions.

  • 40.
    Udd, Robert
    et al.
    Sectra AB, Linköping, Sweden.
    Asplund, Mikael
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Kazemtabrizi, Mehrdad
    The Royal Institute of Technology, Stockholm, Sweden.
    Ekstedt, Mathias
    The Royal Institute of Technology, Stockholm, Sweden.
    Exploiting Bro for Intrusion Detection in a SCADA System2016In: Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security, ACM Digital Library, 2016, p. 44-51Conference paper (Refereed)
    Abstract [en]

    Supervisory control and data acquisition (SCADA) systems that run our critical infrastructure are increasingly run with Internet-based protocols and devices for remote monitoring. The embedded nature of the components involved, and the legacy aspects, makes adding new security mechanisms in an efficient manner far from trivial. In this paper we study an anomaly detection based approach that enables detecting zero-day malicious threats and benign malconfigurations and mishaps. The approach builds on an existing platform (Bro) that lends itself to modular addition of new protocol parsers and event handling mechanisms. As an example we have shown an application of the technique to the IEC-60870-5-104 protocol and tested the anomaly detector with mixed results. The detection accuracy and false positive rate, as well as real-time response, was adequate for 3 of our 4 created attacks. We also discovered some additional work that needs to be done to an existing protocol parser to extend its reach.

  • 41.
    Vergara Alonso, Ekhiotz Jon
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Asplund, Mikael
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Fairness and Incentive Considerations in Energy Apportionment Policies2016In: ACM Transactions on Modeling and Performance Evaluation of Computing Systems, ISSN 2376-3639, Vol. 2, no 1Article in journal (Refereed)
    Abstract [en]

    The energy consumption of a system is determined by the system component usage patterns and interactions between the coexisting entities and resources. Energy accounting plays an essential role to reveal the contribution of each entity to the total consumption and for energy management. Unfortunately, energy accounting inherits the apportionment problem of accounting in general, which does not have a general single best solution. In this paper we leverage cooperative game theory commonly used in cost allocation problems to study the energy apportionment problem, i.e., the problem of prescribing the actual energy consumption of a system to the consuming entities (e.g., applications, processes or users of the system).

    We identify five relevant fairness properties for energy apportionment and present a detailed categorisation and analysis of eight previously proposed energy apportionment policies from different fields in computer and communication systems. In addition, we propose two novel energy apportionment policies based on cooperative game theory which provide a strong fairness notion and a rich incentive structure. Our comparative analysis in terms of the identified five fairness properties as well as information requirement and computational complexity shows that there is a trade-off between fairness and the other evaluation criteria. We provide guidelines to select an energy apportionment policy depending on the purpose of the apportionment and the characteristics of the system.

  • 42.
    Toczé, Klervie
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering. Ericsson AB, Linköping, Sweden.
    Vasilevskaya, Maria
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Sandahl, Patrik
    Ericsson AB, Linköping, Sweden.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Maintainability of Functional Reactive Programs in a Telecom Server Software2016In: SAC '16 Proceedings of the 31st Annual ACM Symposium on Applied Computing, Association for Computing Machinery (ACM), 2016, p. 2001-2003Conference paper (Other academic)
    Abstract [en]

    Functional Reactive Programming (FRP) is claimed to be a good choice for event handling applications. Current object-oriented telecom applications are known to suffer from additional complexity due to event handling code. In this paper we study the maintainability of FRP programs in the telecom domain compared to traditional object-oriented programming (OOP), with the motivation that higher maintainability increases the service quality and decreases the costs. Two implementations of the same procedure are created: one using Haskell and the reactive-banana FRP framework and one using C++ and the OOP paradigm. Four software experts, each with over 20 years of experience, and three development engineers working on a product subject to study were engaged in evaluations, based on a questionnaire involving five different aspects of maintainability. The evaluations indicate a higher maintainability profile for FRP compared with OOP. This is confirmed by a more detailed analysis of the code size. While performance was not a main criterion, a preliminary evaluation shows that the OOP prototype is 8-10 times faster than the FRP prototype in the current (non-optimised) implementations.

  • 43.
    Vasilevskaya, Maria
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Model-based Security Risk Analysis for Networked Embedded Systems2016In: Critical Information Infrastructures Security: 9th International Conference, CRITIS 2014 Limassol, Cyprus, October 13–15, 2014 Revised Selected Papers / [ed] Panayiotou C., Ellinas G., Kyriakides E., Polycarpou M., Springer, 2016, p. 381-386Conference paper (Refereed)
    Abstract [en]

    Finding a balance between functional and non-functional requirements and resources in embedded systems has always been a challenge. What brings this challenge into a sharper focus is that embedded devices are increasingly deployed in many networked applications, some of which will form the backbone of the critical information infrastructures on which we all depend. The Security-Enhanced Embedded system Development (SEED) process has proposed a set of tools that bridge the two islands of expertise, the engineers specialised in embedded systems development and the security experts. This paper identifies a gap in the tool chain that links the identification of assets to be protected to the associated security risks seen from different stakeholder perspectives. The needed tool support for systematic prioritisation of identified assets, and the selection of security building blocks at design stage based on a risk picture of different stakeholders, are characterised. The ideas are illustrated in a smart metering infrastructure scenario.

  • 44.
    Boudjadar, Jalil
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Hyun Kin, Jin
    University of Pennsylvania, USA.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Performance-aware Scheduling of Multicore Time-critical Systems2016In: / [ed] IEEE, IEEE, 2016, p. 105-114Conference paper (Refereed)
    Abstract [en]

    Despite the attractiveness of multicore processors for embedded systems, the potential performance gains need to be studied in the context of real-time task scheduling and memory interference. This paper explores performance-aware schedulability of multicore systems by evaluating the performance when changing scheduling policies (as design parameters). The model-based framework we build enables analyzing the performance of multicore time-critical systems using processor-centric and memory-centric scheduling policies. The system architecture we consider consists of a set of cores with a local cache and sharing the cache level L2 and main memory (DRAM). The metrics we use to compare the performance achieved by different configurations of a system are: 1) utilization of the cores; and 2) the maximum delay per access request to shared cache and DRAM. Our framework, realized using UPPAAL, can be viewed as an engineering tool to be used during design stages to identify the scheduling policies that provide better performance for a given system while maintaining system schedulability. As a proof of concept, we analyze and compare 2 different case studies.

  • 45.
    Kalns, Gundars
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Vasilevskaya, Maria
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Trading off Latency against Security in Open Energy Metering Infrastructures2016In: Proceedings of The 4th International Symposium for Industrial Control Systems and SCADA Cyber Security (ICS-CSR), British Computer Society (BCS), 2016Conference paper (Refereed)
    Abstract [en]

    Embedded devices are expected to transform the landscape of networked services in many domains, among them smart homes and smart grid systems. The reliable and optimised operation of smart grids is dependent on reliable data provided by end nodes (e.g. smart meters), and assurance of secure communication across networks. Understanding whether advanced security building blocks have a role to play in forthcoming infrastructures needs a basic understanding of each potential building block with respect to resource usage and impact on timing. In this paper we study the performance penalty of asymmetric cryptography techniques used for protection of wirelessly transmitted data in a prototype smart metering system. The prototype system is built using hardware and software components from the “Open Energy Monitor” project using a wireless data link between the metering device and the data collector device. We investigate the use of the Elliptic Curve Integrated Encryption Scheme (ECIES) in two versions - with standard building blocks and with added Elliptic Curve Digital Signature Algorithm (ECDSA) support. The use of the ECDSA allows the system to achieve the non-repudiation property. We compare those cryptographic techniques with the Advanced Encryption Standard in Galois Counter Mode (AES-GCM) technique in two versions - with 128 bit and 256 bit keys. Performance is compared in terms of execution time of (1) preparing data, (2) unpacking it, and (3) roundtrip time. We then discuss the implications of the measurements, where the roundtrip time of sending one measurement ranges from 378 ms in the case of AES128-GCM to 16.3 sec using ECIES with ECDSA.

  • 46.
    Löfwenmark, Andreas
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering. Saab Aeronautics.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Understanding Shared Memory Bank Access Interference in Multi-Core Avionics2016Conference paper (Refereed)
    Abstract [en]

    Deployment of multi-core platforms in safety-critical applications requires reliable estimation of worst-case response time (WCRT) for critical processes. Determination of WCRT needs to accurately estimate and measure the interferences arising from multiple processes and multiple cores. Earlier works have proposed frameworks in which CPU, shared cache, and shared memory (DRAM) interferences can be estimated using some application and platform-dependent parameters. In this work we examine a recent work in which single core equivalent (SCE) worst case execution time is used as a basis for deriving WCRT. We describe the specific requirements in an avionics context including the sharing of memory banks by multiple processes on multiple cores, and adapt the SCE framework to account for them. We present the needed adaptations to a real-time operating system to enforce the requirements, and present a methodology for validating the theoretical WCRT through measurements on the resulting platform. The work reveals that the framework indeed creates a (pessimistic) bound on the WCRT. It also discloses that the maximum interference for memory accesses does not arise when all cores share the same memory bank.

  • 47.
    Almquist, Mathias
    et al.
    Linköping University, Department of Computer and Information Science. Linköping University, Faculty of Science & Engineering.
    Almquist, Viktor
    Linköping University, Department of Computer and Information Science. Linköping University, Faculty of Science & Engineering.
    Vergara Alonso, Ekhiotz Jon
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Communication Energy Overhead of Mobile Games2015In: MobiGames '15: Proceedings of the 2nd Workshop on Mobile Gaming, Association for Computing Machinery (ACM), 2015, p. 1-6Conference paper (Other academic)
    Abstract [en]

    Although a significant proportion of mobile apps are games, there has been little attention paid to their specific characteristics with respect to communication energy. In this paper we select 20 mobile games among the top 100 free Android games, and study their data patterns and communication energy use over a total of 25 hours of playing. The analysis of the energy for communication over 3G networks indicates that there is a wide variation among the games, the largest footprint being 8 times higher than the lowest one. The results also indicate both app-specific and category-specific relations between data pattern and energy use, as well as variations in CPU utilisation.

  • 48.
    Löfwenmark, Andreas
    et al.
    Saab Aeronautics, Sweden.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Experience Report: Memory Accesses for Avionic Applications and Operating Systems on a Multi-core Platform2015In: 2015 IEEE 26TH INTERNATIONAL SYMPOSIUM ON SOFTWARE RELIABILITY ENGINEERING (ISSRE), Institute of Electrical and Electronics Engineers (IEEE), 2015, p. 153-160Conference paper (Refereed)
    Abstract [en]

    The deployment of multi-core platforms in safety-critical avionic applications is hampered by the lack of means to ensure predictability when processes running on different cores can create interference effects, affecting worst-case execution time, due to shared memory accesses. One way to restrict these interferences is to allocate a budget for different processes prior to run-time and to monitor the adherence to this budget during run-time. While earlier works in adopting this approach seem promising, they focus on application level (user mode) accesses to shared memory and not the operating system accesses. In this paper we construct experiments for studying a multi-core platform running an ARINC 653 compliant operating system, and measure the impact of both application processes and operating system (supervisor mode) activities. In particular, as opposed to earlier works that considered networking applications, we select four avionic processes that exhibit different memory access patterns, namely, a navigation process, a matrix multiplication process, a math library process and an image processing one. The benchmarking on a set of avionic-relevant application processes shows that (a) the potential interference by the operating system cannot be neglected when allocating budgets that are to be monitored at run-time, and (b) the bounds for the allowed number of memory accesses should not always be based on the maximum measured count during profiling, which would lead to overly pessimistic budgets.

  • 49.
    Bernardo, Vitor
    et al.
    Department of Informatics Engineering, University of Coimbra, Coimbra, Portugal.
    Braun, Torsten
    University of Bern, Bern, Switzerland.
    Curado, Marilia
    Department of Informatics Engineering, University of Coimbra, Coimbra, Portugal.
    Fiedler, Markus
    Blekinge Institute of Technology, Karlskrona, Sweden.
    Hock, David
    University of Würzburg, Würzburg, Germany.
    Hossmann, Theus
    ETH Zurich, Zurich, Switzerland.
    Hummel, Karin Anna
    ETH Zurich, Zurich, Switzerland.
    Hurni, Philipp
    University of Bern, Bern, Switzerland.
    Ickin, Selim
    Blekinge Institute of Technology, Karlskrona, Sweden.
    Jamakovic-Kapic, Almerima
    University of Bern, Bern, Switzerland.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Trinh, Tuan Ahn
    Budapest University of Technology and Economics, Budapest, Hungary.
    Vergara, Ekhiotz
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Wamser, Florian
    University of Würzburg, Würzburg, Germany.
    Zinner, Thomas
    University of Würzburg, Würzburg, Germany.
    Green wireless-energy efficiency in wireless networks2015In: Large-scale distributed systems and energy efficiency: A holistic view, John Wiley & Sons, 2015Chapter in book (Refereed)
    Abstract [en]

    Wireless networks have become more and more popular because of ease of installation, ease of access, and support of smart terminals and gadgets on the move. In the overall life cycle of providing green wireless technology, from production to operation and, finally, removal, this chapter focuses on the operation phase and summarizes insights in energy consumption of major technologies. The chapter also focuses on the edge of the network, comprising network access points (APs) and mobile user devices. It discusses particularities of most important wireless networking technologies: wireless access networks including 3G/LTE and wireless mesh networks (WMNs); wireless sensor networks (WSNs); and ad-hoc and opportunistic networks. Concerning energy efficiency, the chapter discusses challenges in access, wireless sensor, and ad-hoc and opportunistic networks.

  • 50.
    Vasilevskaya, Maria
    et al.
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Nadjm-Tehrani, Simin
    Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.
    Quantifying Risks to Data Assets Using Formal Metrics in Embedded System Design2015In: Computer Safety, Reliability, and Security: 34th International Conference, SAFECOMP 2015, Delft, The Netherlands, September 23-25, 2015, Proceedings / [ed] Floor Koornneef; Coen van Gulijk, Springer, 2015, Vol. 9337, p. 347-361Conference paper (Refereed)
    Abstract [en]

    This paper addresses quantifying security risks associated with data assets within design models of embedded systems. Attack and system behaviours are modelled as time-dependent stochastic processes. The presence of the time dimension allows accounting for dynamic aspects of potential attacks and a system: the probability of a successful attack changes as time progresses; and a system possesses different data assets as its execution unfolds. These models are used to quantify two important attributes of security: confidentiality and integrity. In particular, likelihood/consequence-based measures of confidentiality and integrity losses are proposed to characterise security risks to data assets. In our method, we consider attack and system behaviours as two separate models that are later elegantly combined for security analysis. This promotes knowledge reuse and avoids adding extra complexity in the system design process. We demonstrate the effectiveness of the proposed method and metrics on smart metering devices.
