A Multiple Security Domain Model of a Drive-By-Wire System
Traditional security models partition the security universe into two distinct and completely separate worlds: us and them. This partition is absolute and complete. More complex situations are most commonly treated as sets of increasingly more secure domains. This view is too simplistic for cyber-physical systems. Absolute divisions are conceptually clean, but they do not reflect the real world. Security partitions often overlap, frequently provide for the high level to have complete access to the low level, and are more complex than an impervious wall. We present a model that handles situations where the security domains are complex or the threat space is ill defined. To demonstrate our method, we examine a 'drive by wire' system from both the traditional view and in light of the modern reality. This paper examines the system from the viewpoint of the driver with special emphasis on the driver's inability to determine who, or what, is actually in control of the automobile during critical situations.
G. W. Howser and B. M. McMillin, "A Multiple Security Domain Model of a Drive-By-Wire System," Proceedings of the 37th International Computer Software and Applications Conference (2013, Kyoto, Japan), pp. 369-374, IEEE Computer Society, Jul 2013.
The definitive version is available at https://doi.org/10.1109/COMPSAC.2013.62
IEEE 37th Annual Computer Software and Applications Conference, COMPSAC 2013 (2013: Jul. 22-26, Kyoto, Japan)
Keywords and Phrases
Cyber-physical systems; Drive-by-wire systems; Information flow security; Modal logic; Nondeducibility; Security models
International Standard Book Number (ISBN)
International Standard Serial Number (ISSN)
Article - Conference proceedings
© 2013 IEEE Computer Society, All rights reserved.