Article code: 6884182
Journal code: 695584
Publication year: 2016
English article: 26-page PDF
Full-text version: Free download
English title of the ISI article
A formal model and risk assessment method for security-critical real-time embedded systems
Persian translation of the title
A formal model and risk assessment method for critical real-time embedded systems
Related topics
Engineering and Basic Sciences, Computer Engineering, Computer Networks and Communications
English abstract
Risk assessment at the early stage of software development can effectively reduce potential security flaws in the software, thus reducing the cost of testing and maintenance. However, there are very few standardized risk assessment methods for the design models of security-critical RTESs (real-time embedded systems). This paper defines a formal model called OMR (Object-Message-Role) using Z notation for security-critical RTESs. Compared with the existing models for RTESs, OMR is able to specify both the functional and security aspects of the system as an integrated model, which directly provides the input for risk assessment. A risk assessment method, RAMES (risk assessment method for embedded systems), based on OMR is then proposed. RAMES complies with the risk management process standardized by ISO 31000. To perform the risk analysis in RAMES, an algorithm, RAOMR, is designed based on the analysis of the message flows and security constraints in OMR. A case study shows that RAMES is able to evaluate the risk level of the system model and locate the high-risk objects and messages.
Publisher
Database: Elsevier - ScienceDirect
Journal: Computers & Security - Volume 58, May 2016, Pages 199-215
Authors
, , , ,