SaSeVAL: A Safety/Security-Aware Approach for Validation of Safety-Critical Systems

TL;DR

SaSeVAL is a systematic approach that combines threat identification and safety-security analysis to derive attack scenarios for validating the safety of autonomous vehicles under security threats.

Contribution

It introduces a comprehensive method for safety validation of autonomous vehicles by explicitly linking threats, attacks, and safety goals using threat and safety-security analysis.

Findings

Successfully applied to vehicle communication use case

Ensures safety goals are covered by security testing

Identifies high-impact attack scenarios in traffic situations

Abstract

Increasing communication and self-driving capabilities for road vehicles lead to threats imposed by attackers. Especially attacks leading to safety violations have to be identified to address them by appropriate measures. The impact of an attack depends on the threat exploited, potential countermeasures and the traffic situation. In order to identify such attacks and to use them for testing, we propose the systematic approach SaSeVAL for deriving attacks of autonomous vehicles. SaSeVAL is based on threats identification and safety-security analysis. The impact of automotive use cases to attacks is considered. The threat identification considers the attack interface of vehicles and classifies threat scenarios according to threat types, which are then mapped to attack types. The safety-security analysis identifies the necessary requirements which have to be tested based on the architecture of the system under test. lt determines which safety impact a security violation may have, and in which traffic situations the highest impact is expected. Finally, the results of threat identification and safety-security analysis are used to describe attacks. The goal of SaSeVAL is to achieve safety validation of the vehicle w.r.t. security concerns. lt traces safety goals to threats and to attacks explicitly. Hence, the coverage of safety concerns by security testing is assured. Two use cases of vehicle communication and autonomous driving are investigated to prove the applicability of the approach.