Systematic Classification of Attackers via Bounded Model Checking
This work addresses security verification for systems with attackers, but it is incremental as it applies known heuristics to a specific domain.
The paper tackles the problem of verifying systems under attack by using bounded model checking to generate and classify attackers based on which security requirements they can break, and it demonstrates empirical results on hardware benchmarks with heuristics to address scalability issues.
In this work, we study the problem of verification of systems in the presence of attackers using bounded model checking. Given a system and a set of security requirements, we present a methodology to generate and classify attackers, mapping them to the set of requirements that they can break. A naive approach suffers from the same shortcomings of any large model checking problem, i.e., memory shortage and exponential time. To cope with these shortcomings, we describe two sound heuristics based on cone-of-influence reduction and on learning, which we demonstrate empirically by applying our methodology to a set of hardware benchmark systems.