[0037] In order to make the above objectives, features, and advantages of the present application more obvious and understandable, the following describes the embodiments of the present application in further detail with reference to the accompanying drawings and specific implementations.
[0038] In terms of AADL model conversion, in order to reduce the semantic difference before and after the model conversion and improve the accuracy of security analysis, it is very important to select the appropriate AADL subset and target model.
[0039] At present, such as Altarica, SAML, smartIflow, etc. can support FLM and FEM at the same time, can fully model the safety system failure situation, and obtain accurate safety analysis results.
[0040] smartIflow has: a moderate level of abstraction, can analyze security requirements through methods such as model checking, and the amount of calculation is not too large; supports two-way connection modeling, closer to reality (such as describing the interaction between software components and hardware components in AADL ); Can expand the design model, easier to combine with AADL; FLM/FEM hybrid, safety system fault description is more complete; its semantics are similar to AADL, easy to convert, its model checking tool can generate multiple counterexamples. Therefore, the present invention chooses smartIflow as the target model of AADL.
[0041] figure 2 Shows a flowchart of a security analysis method based on smartIflow's AADL model according to an embodiment of the present application. Such as figure 2 Said, the safety analysis method includes:
[0042] S1: According to system requirements and design documents, use AADL to establish the system architecture model, error model, and behavior model; where the AADL architecture model, error model, and behavior model are combined to obtain system component error information and AADL security model of behavioral information. Among them, the AADL security model is a hierarchical model.
[0043] S2: Combine the error model and the behavior model of the component in the system into the component model, which represents the change in the behavior of the component when the component fails.
[0044] image 3 A flowchart of an example of step S2 according to an embodiment of the present application is shown. Such as image 3 As shown, for each component, the method of combining the error model and behavior model of the component in the system into the component model includes:
[0045] S21: Combine the error state of the error model and the state of the behavior model.
[0046] In an example, the state indicating the normal behavior of the component in the error model is mapped with the state in the behavior model, where the state in the behavior model may include initial, complete, final and their combined states; The component error state in the error model is added to the behavior model.
[0047] S22: Associate the error event or incoming error of the error model with the state transition behavior condition in the behavior model.
[0048] In an example, if the error event or incoming error is related to the state transition trigger in the behavior model, the error event or incoming error is expressed as the state transition trigger in the behavior model, and the corresponding explicitly The behavior in the behavior model represents the transition condition from the normal state to the newly added error state in the behavior model.
[0049] If the error event or incoming error has nothing to do with the state transition trigger in the behavior model or the correlation is not obvious, the error event is used as the transition condition from the normal state to the newly added error state in the behavior model, and it is not displayed. The formula corresponds to the behavior in the behavior model.
[0050] S23: According to the error event and the incoming error, the state transition of the error model is triggered, the state transition of the error model represents the state transition in the behavior model, and the outgoing error in the error model It is expressed as the action during state transition in the behavior model.
[0051] In an example, for the error event in the error model and the state transition or error propagation of the error model triggered by the incoming error, the state transition of the error model is expressed as the normal state in the behavior model to the newly added error state The condition of the conversion is the behavior and error event representing the incoming error (step S22). For outgoing errors in the error model, the transition from the error state to the error outgoing port is expressed as an action associated with the error state in the behavior model.
[0052] S24: Reserve the error event attribute description of the error model in the component model.
[0053] S3: Convert the component model to a smartIflow model, and analyze the security of the system.
[0054] In an example, converting the component model into a smartIflow model may include:
[0055] Each component of the AADL security model can be converted into a class in smartIflow, the data sub-component of each component can be converted into a variable variable of the class in smartIflow, and other types of sub-components can be converted into Components in the smartIflow class. section. The ports of each system component of the AADL architecture model are represented as ports in the class in smartIflow.
[0056] The states and variables in the component model can be converted into the variables of the class in smartIflow, for example, the states and variables in the component model of the combined AADL security model can be converted into the variables in smartIflow. Among them, the state can be expressed as a variable, and the value can be each state in the AADL security model; the variable can be directly converted into a variable variable of the smartIflow class. If the AADL security model includes AADL mode conversion, the mode can be converted into a variable whose value is each mode in the AADL security model.
[0057] The connection relationship between each system component of the AADL architecture model can be converted into behavior in smartIflow; the error events of the error model can be converted into events in the smartIflow class; the component model can be converted The transitions between the normal states of the AADL are expressed as transitions in smartIflow; the transitions between the error states in the component model can be expressed as the event trigger condition EventHandler in smartIflow. If the AADL security model involves mode transitions, you can The mode conversion process is also converted to EventHandler, and its event is a mode conversion trigger.
[0058] S4: According to the system requirements and design documents, describe the security attributes that the system needs to meet, and input the smartIflow model and security attribute descriptions into the smartIflow security analysis platform, and the model detector provided by the platform can verify the The security attribute of the system obtains the security analysis result of the system.
[0059] The security analysis method of the AADL model based on smartIflow of the present disclosure uses AADL to establish a system architecture model, error model, and behavior model according to system requirements and design documents; the error model and behavior model of components in the combined system are component models, which represent The change of component behavior when the component fails; the component model is converted into a smartIflow model to analyze the security of the system component; the security attribute description of the system is calculated according to the system requirements and design documents, and the smartIflow model and security The attribute description is input to the smartIflow security analysis platform to verify the security attributes of the system and obtain the security analysis results of the system. It can describe the behavior of the components in the system more comprehensively and the safety analysis result of the system is more accurate, which is beneficial to improve the design of the system based on the safety analysis result of the system.
[0060] The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use this application. Various modifications to these embodiments will be obvious to those skilled in the art, and the general principles defined in this document can be implemented in other embodiments without departing from the spirit or scope of the application. Therefore, this application will not be limited to the embodiments shown in this text, but should conform to the widest scope consistent with the principles and novel features disclosed in this text.
