A Multiple Security Domain Model of a Drive-By-Wire System


Traditional security models partition the security universe into two distinct and completely separate worlds, us and them, and treat more complex situations as sets of increasingly secure domains. This view is too simplistic for cyber-physical systems. Absolute divisions are conceptually clean, but they do not reflect the real world: security partitions often overlap, frequently give the high level complete access to the low level, and are more complex than an impervious wall. We present a model that handles situations where the security domains are complex or the threat space is ill defined. To demonstrate the method, we examine a drive-by-wire system from both the traditional view and in light of the modern reality. The paper examines the system from the viewpoint of the driver, with special emphasis on the driver's inability to determine who, or what, is actually in control of the automobile during critical situations.
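The driver's inability to tell who is in control is, in information-flow terms, a nondeducibility property: the driver is the low-level observer, the identity of whatever commands the actuators is the high-level input, and the driver learns nothing when every observation is consistent with every possible commander. The following Python is an added illustration of that check and is not the paper's model or code. The trace set (a `commander` that is either the driver or a constructed steering-assist function, a road condition, a steering `feel`, and an optional `lamp`) is a constructed toy; the field names and the rule that the lamp lights only when assist is steering are assumptions made for the example.

```python
"""Nondeducibility check over a small drive-by-wire trace set (added example)."""
from itertools import product
from typing import Dict, List, Set, Tuple

Trace = Dict[str, str]
View = Tuple[str, ...]

HIGH_KEY = "commander"        # high-level input: who commands the steering actuator
LOW_KEYS = ("feel", "lamp")   # low-level view: what the driver can observe from the seat


def low_view(trace: Trace, low_keys: Tuple[str, ...] = LOW_KEYS) -> View:
    """Project a trace onto the fields the driver can observe."""
    return tuple(trace[k] for k in low_keys)


def nondeducibility_violations(traces: List[Trace], high_key: str = HIGH_KEY,
                               low_keys: Tuple[str, ...] = LOW_KEYS) -> List[Tuple[View, str]]:
    """Sutherland-style nondeducibility: every low view must be consistent with
    every high-level value. Returns the (view, high_value) pairs that no trace
    witnesses; an empty list means the low observer can deduce nothing about
    the high-level input from what it sees."""
    highs = {t[high_key] for t in traces}
    views = {low_view(t, low_keys) for t in traces}
    witnessed = {(low_view(t, low_keys), t[high_key]) for t in traces}
    return sorted((v, h) for v in views for h in highs if (v, h) not in witnessed)


def consistent_commanders(traces: List[Trace], view: View, high_key: str = HIGH_KEY,
                          low_keys: Tuple[str, ...] = LOW_KEYS) -> Set[str]:
    """Every commander the driver cannot rule out after observing `view`."""
    return {t[high_key] for t in traces if low_view(t, low_keys) == view}


def drive_by_wire_traces(lamp_wired: bool) -> List[Trace]:
    """Constructed toy model (an assumption for this example, not the paper's).

    Road is dry or icy. The actuator is commanded either by the driver or by a
    steering-assist function that may act on any road. Steering feel depends
    only on the road: 'normal' on dry tarmac, 'resist' on ice, whether the
    resistance comes from slipping tyres or from an assist counter-steer.
    If the indicator lamp is wired, it lights only while assist is steering.
    """
    traces = []
    for road, commander in product(("dry", "ice"), ("driver", "assist")):
        feel = "normal" if road == "dry" else "resist"
        lamp = "on" if (lamp_wired and commander == "assist") else "off"
        traces.append({"road": road, "commander": commander, "feel": feel, "lamp": lamp})
    return traces


def driver_can_tell_who_is_driving(lamp_wired: bool) -> bool:
    """True when at least one observation lets the driver exclude a commander."""
    return bool(nondeducibility_violations(drive_by_wire_traces(lamp_wired)))


if __name__ == "__main__":
    for wired in (False, True):
        traces = drive_by_wire_traces(wired)
        print(f"lamp wired={wired}: violations={nondeducibility_violations(traces)}")
        print("  after feeling resistance, commander could be:",
              consistent_commanders(traces, ("resist", "on" if wired else "off")))
```

Without the lamp the check returns no violations: the system is nondeducibility-secure from the driver's seat, which is exactly the undesirable situation the abstract describes, since the driver cannot distinguish slipping tyres from an assist intervention. Wiring the lamp breaks nondeducibility on purpose, and the returned violation pairs enumerate precisely which observations now reveal who is in control.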

Meeting Name

IEEE 37th Annual Computer Software and Applications Conference, COMPSAC 2013 (2013: Jul. 22-26, Kyoto, Japan)


Computer Science

Keywords and Phrases

Cyber-physical systems; Drive-by-wire systems; Information flow security; Modal logic; Nondeducibility; Security models

Document Type

Article - Conference proceedings

© 2013 IEEE Computer Society, All rights reserved.