AutoSAR Typical Threat Analysis and SM

Thanks [Samuel WENG], Cybersecurity, RAMS investigator

Part 1: Only the portion of the typical AutoSAR architecture shown in the figure below is analysed.

In this part, 26 threats in total are listed.

Threat(s) Not Associated With an Interaction:

1. Nonstandard threat to describe user specific conditions
   State: Not Started | Priority: High | Category: User-defined
   Description:
   Justification: <no mitigation provided>

2. Nonstandard threat to describe user specific conditions
   State: Not Started | Priority: High | Category: User-defined
   Description:
   Justification: <no mitigation provided>

Interaction: Call

3. Spoofing of Source Data Store Application
   State: Not Started | Priority: High | Category: Spoofing
   Description: Application may be spoofed by an attacker and this may lead to incorrect data delivered to CAL. Consider using a standard authentication mechanism to identify the source data store.
   Justification: <no mitigation provided>

4. Potential Data Repudiation by CAL
   State: Not Started | Priority: High | Category: Repudiation
   Description: CAL claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.
   Justification: <no mitigation provided>

5. Weak Access Control for a Resource
   State: Not Started | Priority: High | Category: Information Disclosure
   Description: Improper data protection of Application can allow an attacker to read information not intended for disclosure. Review authorization settings.
   Justification: <no mitigation provided>

6. Potential Process Crash or Stop for CAL
   State: Not Started | Priority: High | Category: Denial Of Service
   Description: CAL crashes, halts, stops or runs slowly; in all cases violating an availability metric.
   Justification: <no mitigation provided>

7. Data Flow Call Is Potentially Interrupted
   State: Not Started | Priority: High | Category: Denial Of Service
   Description: An external agent interrupts data flowing across a trust boundary in either direction.
   Justification: <no mitigation provided>

8. Data Store Inaccessible
   State: Not Started | Priority: High | Category: Denial Of Service
   Description: An external agent prevents access to a data store on the other side of the trust boundary.
   Justification: <no mitigation provided>

9. CAL May be Subject to Elevation of Privilege Using Remote Code Execution
   State: Not Started | Priority: High | Category: Elevation Of Privilege
   Description: Application may be able to remotely execute code for CAL.
   Justification: <no mitigation provided>

10. Elevation by Changing the Execution Flow in CAL
    State: Not Started | Priority: High | Category: Elevation Of Privilege
    Description: An attacker may pass data into CAL in order to change the flow of program execution within CAL to the attacker's choosing.
    Justification: <no mitigation provided>

Interaction: Communication

11. Spoofing of Source Data Store CSM
    State: Not Started | Priority: High | Category: Spoofing
    Description: CSM may be spoofed by an attacker and this may lead to incorrect data delivered to SHE Driver. Consider using a standard authentication mechanism to identify the source data store.
    Justification: <no mitigation provided>

12. Spoofing of Destination Data Store SHE Driver
    State: Not Started | Priority: High | Category: Spoofing
    Description: SHE Driver may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of SHE Driver. Consider using a standard authentication mechanism to identify the destination data store.
    Justification: <no mitigation provided>

13. Data Store Denies SHE Driver Potentially Writing Data
    State: Not Started | Priority: High | Category: Repudiation
    Description: SHE Driver claims that it did not write data received from an entity on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.
    Justification: <no mitigation provided>

14. Data Flow Communication Is Potentially Interrupted
    State: Not Started | Priority: High | Category: Denial Of Service
    Description: An external agent interrupts data flowing across a trust boundary in either direction.
    Justification: <no mitigation provided>

15. Data Store Inaccessible
    State: Not Started | Priority: High | Category: Denial Of Service
    Description: An external agent prevents access to a data store on the other side of the trust boundary.
    Justification: <no mitigation provided>

Interaction: Interlink

16. Data Store Inaccessible
    State: Not Started | Priority: High | Category: Denial Of Service
    Description: An external agent prevents access to a data store on the other side of the trust boundary.
    Justification: <no mitigation provided>

17. Data Flow Interlink Is Potentially Interrupted
    State: Not Started | Priority: High | Category: Denial Of Service
    Description: An external agent interrupts data flowing across a trust boundary in either direction.
    Justification: <no mitigation provided>

18. Data Store Denies Application Potentially Writing Data
    State: Not Started | Priority: High | Category: Repudiation
    Description: Application claims that it did not write data received from an entity on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.
    Justification: <no mitigation provided>

19. Spoofing of Destination Data Store Application
    State: Not Started | Priority: High | Category: Spoofing
    Description: Application may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of Application. Consider using a standard authentication mechanism to identify the destination data store.
    Justification: <no mitigation provided>

20. Spoofing of Source Data Store CSM
    State: Not Started | Priority: High | Category: Spoofing
    Description: CSM may be spoofed by an attacker and this may lead to incorrect data delivered to Application. Consider using a standard authentication mechanism to identify the source data store.
    Justification: <no mitigation provided>

21. Nonstandard threat to describe user specific conditions
    State: Not Started | Priority: High | Category: User-defined
    Description:
    Justification: <no mitigation provided>

Interaction: Triggering signal

22. Spoofing of Source Data Store SHE Driver
    State: Not Started | Priority: High | Category: Spoofing
    Description: SHE Driver may be spoofed by an attacker and this may lead to incorrect data delivered to SHE. Consider using a standard authentication mechanism to identify the source data store.
    Justification: <no mitigation provided>

23. Spoofing of Destination Data Store SHE
    State: Not Started | Priority: High | Category: Spoofing
    Description: SHE may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of SHE. Consider using a standard authentication mechanism to identify the destination data store.
    Justification: <no mitigation provided>

24. Data Store Denies SHE Potentially Writing Data
    State: Not Started | Priority: High | Category: Repudiation
    Description: SHE claims that it did not write data received from an entity on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.
    Justification: <no mitigation provided>

25. Data Flow Triggering signal Is Potentially Interrupted
    State: Not Started | Priority: High | Category: Denial Of Service
    Description: An external agent interrupts data flowing across a trust boundary in either direction.
    Justification: <no mitigation provided>

26. Data Store Inaccessible
    State: Not Started | Priority: High | Category: Denial Of Service
    Description: An external agent prevents access to a data store on the other side of the trust boundary.
    Justification: <no mitigation provided>

Part 2: Cybersecurity requirements corresponding to the threats

Columns: Threat ID | Context | Cybersecurity requirement

001 Nonstandard threat to describe user specific conditions
    Asset: tbd
    Damage scenario: tbd
    Description: tbd
    Justification: tbd

002 Nonstandard threat to describe user specific conditions
    tbd

003 Spoofing of Source Data Store Application
    Asset: call from application to CAL
    Damage scenario: wrong call or wrong execution from application
    Justification: use a standard authentication mechanism to identify the source data store.
    Real practice: CAL basic cryptography can support this; hash plus MAC can be applied.

004 Potential Data Repudiation by CAL
    Asset: data received by CAL from application
    Damage scenario: CAL claims that it did not receive data from a source outside the trust boundary.
    Justification: consider using logging or auditing to record the source, time, and summary of the received data. Use SymEncryptService, or add a timer/counter value to the message.

005 Weak Access Control for a Resource
    Asset: application data
    Damage scenario: improper data protection of Application can allow an attacker to read information not intended for disclosure.
    Justification: review authorization settings.
    Best practice: access-right whitelist for applications

006 Potential Process Crash or Stop for CAL
    Asset: CAL availability
    Damage scenario: CAL crashes, halts, stops or runs slowly.
    Justification: AutoSAR shall send out a diagnostic trouble code and reset, and record abnormal-behaviour logs, if CAL suffers one of these damage scenarios.

007 Data Flow Call Is Potentially Interrupted
    Asset: accessibility of data stored in the trust boundary around CAL
    Damage scenario: unavailability of access to data near CAL

008 Data Store Inaccessible
    Asset: accessibility of data stored in the trust boundary around CAL
    Damage scenario: unavailability of access to data near CAL
    Justification: authorization mechanism based on asymmetric cryptography

009 CAL May be Subject to Elevation of Privilege Using Remote Code Execution
    Asset: code in CAL
    Damage scenario: unauthorized access rights to CAL data
    Justification: access-right authentication mechanism urgently needed

010 Elevation by Changing the Execution Flow in CAL
    Asset: code in CAL
    Damage scenario: unauthorized access rights to CAL data
    Justification: access-right authentication mechanism urgently needed

011 Spoofing of Source Data Store CSM
    Asset: data stored in CSM
    Damage scenario: erroneous data sent to SHE driver from CSM
    Justification: SecOC will be used to authenticate messages, or key + MAC will be used to secure the communication

012 Spoofing of Destination Data Store SHE Driver
    Not applicable

013 Data Store Denies SHE Driver Potentially Writing Data
    Not applicable

014 Data Flow Communication Is Potentially Interrupted
    Not applicable

015 Data Store Inaccessible
    Not applicable

016 Data Store Inaccessible
    Asset: data store in CSM
    Damage scenario: service halt; application cannot access CSM
    Justification: send a diagnostic trouble code and reset

017 Data Flow Interlink Is Potentially Interrupted
    Asset: data in interlink
    Damage scenario: erroneous links or messages between application and CSM
    Justification: key and MAC can be used to authenticate the message

018 Data Store Denies Application Potentially Writing Data
    Asset: data in application
    Damage scenario: Application denies writing data
    Justification: consider using logging or auditing to record the source, time, and summary of the received data.

019 Spoofing of Destination Data Store Application
    Asset: data written to destination application modules
    Damage scenario: undesired destination for data writing
    Justification: standard authentication mechanisms to identify the writing destination, based on the storing ID

020 Spoofing of Source Data Store CSM
    Asset: CSM
    Damage scenario: erroneous CSM data to application
    Justification: consider using a standard authentication mechanism to identify the source data store. MAC and symmetric key used.

021 Nonstandard threat to describe user specific conditions
    tbd

022 Spoofing of Source Data Store SHE Driver
    SHE driver: no such threat

023 Spoofing of Destination Data Store SHE
    SHE's authentication mechanism is sufficient for this threat

024 Data Store Denies SHE Potentially Writing Data
    Asset: SHE
    Damage scenario: SHE claims that it did not write data received from an entity on the other side of the trust boundary.
    Justification: consider using logging or auditing to record the source, time, and summary of the received data.

025 Data Flow Triggering signal Is Potentially Interrupted
    Asset: triggering signals
    Damage scenario: an external agent interrupts data flowing across a trust boundary in either direction.
    Justification: logging, DTC sent out, and then reset or stop operation for checking

026 Data Store Inaccessible
    Asset: SHE data
    Damage scenario: an external agent prevents access to a data store on the other side of the trust boundary in SHE
    Requirement: HSM or SHE needed

Thanks for reading!
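As an added illustration of the "key + MAC" and "counter/timer in the message" requirements above (003, 004, 011, 017, 020), not code from the post or from AUTOSAR: a simplified SecOC-style secured PDU with a freshness counter, a truncated HMAC-SHA256 tag standing in for the CMAC an HSM/SHE would compute, and a receiver that records source ID, freshness and outcome of every check (the logging asked for in 004/018/024). Key, data ID, PDU layout and all messages are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed demo key (not a real vehicle key). Secured PDU layout, SecOC-like
# but simplified: payload || 4-byte freshness counter || 8-byte truncated MAC.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
FRESHNESS_LEN, MAC_LEN = 4, 8
TRAILER_LEN = FRESHNESS_LEN + MAC_LEN

def compute_mac(key, data_id, payload, freshness):
    # The MAC binds data identifier, payload and freshness value together, so a
    # PDU cannot be re-used under another ID or with an old counter value.
    msg = struct.pack(">H", data_id) + payload + struct.pack(">I", freshness)
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

class Sender:
    def __init__(self, key, data_id):
        self.key, self.data_id, self.freshness = key, data_id, 0

    def secure(self, payload):
        self.freshness += 1  # monotonically increasing freshness value
        mac = compute_mac(self.key, self.data_id, payload, self.freshness)
        return payload + struct.pack(">I", self.freshness) + mac

class Receiver:
    def __init__(self, key, data_id):
        self.key, self.data_id, self.last_freshness = key, data_id, 0
        self.audit_log = []  # (data id, freshness, summary) per received PDU

    def verify(self, pdu):
        # Returns the payload if authentic and fresh, otherwise None and logs why.
        if len(pdu) < TRAILER_LEN:
            return None
        payload, mac = pdu[:-TRAILER_LEN], pdu[-MAC_LEN:]
        freshness = struct.unpack(">I", pdu[-TRAILER_LEN:-MAC_LEN])[0]
        expected = compute_mac(self.key, self.data_id, payload, freshness)
        if not hmac.compare_digest(mac, expected):  # spoofed or tampered source
            self.audit_log.append((self.data_id, freshness, "rejected: MAC mismatch"))
            return None
        if freshness <= self.last_freshness:  # replayed or out-of-order PDU
            self.audit_log.append((self.data_id, freshness, "rejected: replay"))
            return None
        self.last_freshness = freshness
        self.audit_log.append((self.data_id, freshness, "accepted %d bytes" % len(payload)))
        return payload

def demo():
    tx, rx = Sender(KEY, 0x0101), Receiver(KEY, 0x0101)
    pdu = tx.secure(b"\x01\x02\x03\x04")
    tampered = bytes([pdu[0] ^ 0xFF]) + pdu[1:]  # one payload byte flipped in transit
    return rx.verify(pdu), rx.verify(tampered), rx.verify(pdu)  # -> (payload, None, None)
```

The same construction covers both spoofing (MAC check fails) and repudiation/replay (freshness check fails), and the audit log gives the source, freshness and summary record the requirements call for.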
