Centre of Excellence on Cryptology
Indian Statistical Institute, Kolkata
Birla Institute of Technology, Mesra, Kolkata Campus
M/s. HP India Sales Pvt. Ltd.
Advanced System Lab, DRDO, Hyderabad
risk in practice: The CORAS approach to model-driven risk
Bjørnar Solhaug, PhD, Research scientist, SINTEF ICT,
P.O. Box 124 Blindern, N-0314 Oslo, Norway
Length: 3 hours
The term “risk” is known from many fields. On an almost daily
basis we face references to “contractual risk”, “economic risk”,
“operational risk”, “environmental risk”, “health risk”,
“political risk”, “legal risk”, “security risk”, and so forth.
In order to identify and assess risks we may conduct risk
analyses. The exact nature of an analysis, however, varies
considerably depending on the nature of the risks we address. We
may classify risk analysis approaches into two main categories:
offensive (balancing potential gain against risk of loss) and
defensive (protecting what is already there).
In order to defend something, it is important to know exactly
what we are defending. This motivates asset-driven risk
analysis, in other words risk analysis where the assets of the
target (the things of value) are identified as early as possible
and where the rest of the analysis is driven by these assets. In
order to analyse something, it is necessary to have a clear
picture of what this something is. Understanding the structure
and behaviour of the target of analysis is therefore important.
However, understanding and modelling the target is only one
aspect of the modelling in a risk analysis; modelling what can go
wrong is even more important. In fact, this is what risk
analysis is all about. We then talk about risk modelling and
model-driven risk analysis.
In this tutorial we present CORAS, which is an asset-driven,
defensive approach to risk analysis. For risk analysis in
practice, there is a need for well-defined methods, techniques
and practical guidelines for how to do this. This is exactly
what CORAS provides. The CORAS approach is a self-contained risk
analysis methodology and the first to be truly model-driven in
the sense that modelling is an integrated part in every part of
the process. This means that target models and threat and risk
models are applied in all phases of the risk analysis for
visualization, communication and documentation of risk
information, and are the main driver of the risk analysis
process. The methodology is described in detail in the book
Model-Driven Risk Analysis: The CORAS Approach, and has been
validated through application in a large number of full-scale
The CORAS approach consists of three main components: 1) The
CORAS language, which is a language tailor-made for modelling
risk in a precise and rigorous, yet intuitive and easily
understandable manner. 2) The CORAS method, which provides
detailed guidelines for how to conduct the various stages of a
risk analysis in practice. 3) The CORAS tool, which is a
modelling tool for editing models in the CORAS language. In
addition to presenting the basics of risk analysis and the CORAS
approach, we also give a presentation of more advanced use of
risk models expressed in the CORAS language.
• Give the audience an introduction to the basics of risk
• Introduce the audience to model-driven risk analysis.
• Provide the audience with an overview of the CORAS method.
• Provide the audience with an understanding of risk modelling
through basic and advanced use of the CORAS language.
The intended audience is anyone with an interest in software
engineering, security and risk management. The tutorial should
be suitable both for persons new to risk analysis, as well as
people familiar with risk analysis that are interested in the
model-driven approach. No prior knowledge is required, but a
general knowledge of software engineering and some interest in
information security are recommended.
Outline of tutorial:
• Introduction to risk analysis
Relation to risk management
The ISO 31000 risk
• Introduction to the CORAS approach
What is model-driven risk
The CORAS risk modelling
The use of modelling in
risk analysis in practice
• Example-driven walk-through of the CORAS method
Establishing the context
Risk identification using
Risk estimation using
Risk evaluation using risk
Risk treatment using
• Advanced use of risk models
evolving target of analysis
Modelling and analysing
changing and evolving risks
Short biography of presenter:
Bjørnar Solhaug is employed as a research scientist at SINTEF ICT.
He received his PhD in information science from the University
of Bergen in 2009. His research interests include methods and
languages for the modelling and analysis of systems with respect
to security, risk and trust. He is one of the designers of the
CORAS approach and has a strong background in risk analysis.
Gyrd Brændeland, Atle Refsdal, Ketil Stølen. Modular analysis
and modelling of risk scenarios with dependencies. Journal of
Systems and Software, 83: 1995-2013, Elsevier, 2010.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen. Evolution in
relation to risk and trust management. Computer,
43(5):49-55, IEEE Computer Society, May 2010.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen. Model-driven
risk analysis. The CORAS approach. Springer, 2011.
Atle Refsdal, Ketil Stølen.
Employing key indicators to provide a dynamic risk picture with
a notion of confidence. Trust Management III. Third IFIP WG
11.11 International Conference (IFIPTM 2009), pages 215-233,
Title: Security and
Privacy aspects of Smartphones and Tablets
Assistant Research Professor
School of Computing, Informatics and Decision Systems
Arizona State University
Tempe, AZ 85287-8809
The past few
years have seen an unprecedented market penetration of
smartphones and similar classes of mobile devices such as tablets
(pads) and portable media players. Their computing and
networking capabilities parallel those of traditional PCs only a
few years older. In addition, they are equipped with a suite of
sensors (such as GPS, light, acoustic, acceleration, proximity)
and carry a lot more private information about the user. While
some of these devices have Internet connectivity only in Wi-Fi
hotspots, the vast majority avail themselves of ubiquitous
connectivity through carrier-supported 3G/4G data services. As a
result, they are fast becoming the prime target for malware developers.
This tutorial is
intended for students, academics and industry professionals who
are either interested in research in mobile computing platform
security, aspiring to be mobile app developers, or simply worried
about the safety of integrating the latest mobile gadget into
their own personal lifestyle. The only prerequisite is knowledge of
the fundamentals of programming, operating systems and IP networks.
In the tutorial, we
will take a look at the nature of attacks on smartphones and the
range of malware identified by the research community. With a
focus on the Android platform and a comparative look at others,
we will try to understand the security architectures of this
class of mobile devices and explore how vulnerabilities are
abused. Finally we will discuss a range of solutions including
antivirus, app market control, carrier imposed enforcements,
application sandboxing, and cloudsourcing.
Amiya Bhattacharya is
an Assistant Research Professor in the School of Computing,
Informatics, and Decision Systems Engineering at Arizona State
University. Prior to joining ASU, he was an Assistant Professor
in the Department of Computer Science at New Mexico State
University. He received his Ph.D. from The University of Texas
at Arlington in 2002, where he was a recipient of the Texas
Telecommunication Engineering Consortium Fellowship and the 2002
Outstanding Doctoral Research Award. He received his B.Tech. and
M.Tech. from Indian Institute of Technology–Kharagpur in 1987
and 1989 respectively, and his M.S. from University of
California–San Diego in 1991, all in Computer Science and
Engineering. His research interests span several aspects of the
area of mobile and pervasive computing, including systems and
network security, wireless infrastructure and ad-hoc networks,
embedded networked sensing, and cyber-physical systems.
Methodology in Cryptography and Information Security
Sourav Sen Gupta
Researcher, Centre of Excellence in Cryptology
Indian Statistical Institute, Kolkata – 700 108, India
According to Wikipedia, “Research can be defined as the search
for knowledge, or as any systematic investigation, with an open
mind, to establish novel facts, usually using a scientific
method.” Research in cryptography and information security,
thriving over the last few decades in India and abroad, has not
been an exception either. With the increasing number of
conferences and workshops on cryptology and information security
held each year, and in view of the large volume of research
papers submitted and reviewed in the process, familiarity with
the scientific methodologies of research has become imperative
for anyone who wants to contribute towards these two fields.
This tutorial is targeted towards students, professionals,
teachers and researchers who are either already in an early
stage of their research career, or look forward to becoming active
members of the community in cryptography and information
In this tutorial, we will take a look at an aggregated opinion
about research and the associated scientific methodologies from
a number of active members in the community. The format of the
tutorial will be more biased towards a healthy debate and
discussion, where the speaker and the audience can freely
interact about various issues that a budding researcher faces in
cryptography and information security. The discussion will cover
topics like motivation, problem-finding, solving techniques,
scientific writing of a paper or a research article, submission
procedure and ethics, reviewing a paper, collaborative work, and
finally, presentation of a paper or a poster.
Sourav Sen Gupta is a Researcher at the Centre of Excellence in
Cryptology, ISI Kolkata, working towards his PhD with Prof.
Subhamoy Maitra. He received his M.Math. degree from Dept. of
Pure Mathematics, University of Waterloo, Canada in 2008, and
spent a year as a Doctoral Candidate at the Dept. of
Mathematics, University of Washington, Seattle, USA with Prof.
Neal Koblitz before joining Indian Statistical Institute,
Kolkata in 2009. He received his B.E.Tel.E. (Hons.) degree in
Electronics and Telecommunication Engineering from Jadavpur
University, Kolkata, India in 2006. As a PhD student at the
Cryptology Research Group of Indian Statistical Institute, he
has worked on a number of projects ranging from public-key
cryptanalysis and symmetric key analysis and construction to
hardware implementation of stream ciphers. In 2011, he spent
a summer at RWTH Aachen, learning high-level hardware synthesis
and applying it towards high performance cryptographic designs.
Sourav has received many fellowships and awards during his
academic career, has presented research papers at international
cryptology conferences like FSE, Indocrypt, Africacrypt and
IWSEC, and has delivered invited talks and tutorials at national
Title: Hardware Trojans: Challenges and Emerging
Dr. Rajat Subhra Chakraborty
Dept. of Computer Science and Engineering
Indian Institute of Technology Kharagpur
Kharagpur, India – 721302
Economic reasons dictate the widespread
participation of external agents in modern design and
manufacture of integrated circuits (ICs), which decreases the
control that the IC design houses used to traditionally have
over their own designs. In this scenario, malicious,
hard-to-detect circuit modifications made during the design or
manufacturing steps, commonly known as “Hardware Trojans”, have
emerged as a major security concern. This issue raises the
question of ensuring Trust in an integrated circuit, and whether
the entire design and manufacturing flow can be certified to be
secure. A satisfactory answer to this question is of paramount
importance in gaining trust about the result of the information
processing carried out by the systems of which the ICs are a
part. In this tutorial, we will explore this unique challenge
and solutions to it in the domain of hardware security. We
will study pertinent threats and their models, and will
explore solutions to them from different perspectives such as
circuit design, CAD, circuit testing, etc. This tutorial will
bring forward the imminent need to develop and deploy a “Design
for Security” methodology that considers security as a
fundamental metric for ICs, besides traditional metrics such as
power, area and performance.
(in alphabetical order) Design for security, hardware
obfuscation, hardware Trojans, logic testing, side-channel
analysis for Trojan detection.
This tutorial is targeted towards
participants from both industry and academia who are interested
in diverse aspects of hardware security. Participants working in
the Defense or related industry would find this tutorial
The pre-requisite for this tutorial is a general
interest in topics related to security in the domains of
Electronics and Computer Science. Familiarity with prevalent
practices of ASIC/FPGA design flow will be a bonus. Any
mathematical background required to understand some of the
topics would be developed during the lectures.
Detailed Tutorial Program
A design can be tampered with in an untrusted fabrication
facility by the insertion of malicious circuitry that triggers a
malfunction under very rare conditions. Such malicious
circuitry, referred to as a Hardware Trojan, can activate
in-field, post-deployment, and affect normal circuit operation,
potentially with catastrophic consequences in critical
application areas and public infrastructure. Such malicious
circuitry can also be inserted by CAD automation tools obtained
from untrusted third party vendors. Several unexplained military
mishaps around the world in recent years are suspected to be the
result of undetected hardware Trojans in the electronic systems.
In this tutorial, we will explore the operating modes and
models of hardware Trojans, and detection/prevention techniques
for them. The following are the main sub-topics:
• Threats from hardware Trojans:
motivations for studying them [1, 4, 5, 18, 22].
• Hardware Trojan models:
Hardware Trojan nomenclature based on
structure and operational modes [4, 6, 18, 22, 23].
• Trojan detection and prevention techniques:
Large variation in
the sizes and operating modes of hardware Trojans makes it
difficult to design a “golden bullet” technique that can be
useful in detecting all types of hardware Trojans. The two main
classes of detection techniques that have been proposed depend
either on side-channel testing or logic testing. As will be
shown, these two classes of test techniques are complementary to
each other. While the side-channel testing based techniques are
more suitable for detecting relatively larger Trojans of
arbitrary functional complexity, the logic testing based Trojan
detection techniques are more suitable for detecting ultra-small
Trojans of relatively simple functionality. Design techniques
based on obfuscation have also been proposed to make Trojan
insertion difficult or to make their detection easier. The main
idea is to use obfuscation to prevent an adversary from
detecting the true rare logic values at the internal nodes of
the circuit. If the adversary is unable to do so, it can be
shown that an inserted Trojan either becomes benign or becomes more
easily detectable. Other design techniques use special inserted
circuitry or special bus structures to resist inserted Trojans
[2-3, 7-8, 9-17, 19-21].
List of Tutorial Material (to be provided to attendees):
Handouts of presentations.
1. DARPA, “TRUST in Integrated Circuits (TIC) - Proposer
2. D. Du, S. Narasimhan, R. S. Chakraborty and S. Bhunia,
“Self-referencing: a scalable side-channel approach for hardware
Trojan detection,” Proceedings of the Workshop on Cryptographic
Hardware and Embedded Systems (CHES), 2010.
3. S. Narasimhan, R. S. Chakraborty, D. Du, S. Paul, F. Wolff,
C. Papachristou and S. Bhunia, “Multiple-parameter side-channel
analysis: a non-invasive hardware Trojan detection approach,”
Proceedings of the International Workshop on Hardware-oriented
Security and Trust (HOST), 2010.
4. R. S. Chakraborty, S. Narasimhan and S. Bhunia, “Hardware
Trojan: threats and emerging solutions (invited paper),”
Proceedings of the International High Level Design Validation
and Test Workshop (HLDVT), pp. 166–171, 2009.
5. S. Adee, “The hunt for the kill switch,” IEEE Spectrum, vol.
45, pp. 34–39, May 2008.
6. L. Lin, W. Burleson, and C. Parr, “MOLES: Malicious off-chip
leakage enabled by side-channels,” Proceedings of the
International Conference on CAD (ICCAD), pp. 117–122, 2009.
7. R. S. Chakraborty and S. Bhunia, “Security against hardware
Trojan through a novel application of design obfuscation,”
Proceedings of the International Conference on CAD (ICCAD), pp.
8. R. S. Chakraborty, F. Wolff, S. Paul, C. Papachristou and S.
Bhunia, “MERO: a statistical approach for hardware Trojan
detection using logic testing,” Proceedings of the Workshop on
Cryptographic Hardware and Embedded Systems (CHES), pp. 396–410,
9. Pomeranz and S. M. Reddy, “A measure of quality for
n-detection test sets,” IEEE Transactions on Computers, vol. 53,
no. 11, pp. 1497–1503, 2004.
10. R. S. Chakraborty, S. Paul and S. Bhunia, “On-demand
transparency for improving hardware Trojan detectability,”
Proceedings of the International Workshop on Hardware-oriented
Security and Trust (HOST), pp. 48–50, 2008.
11. F. Wolff, C. Papachristou, S. Bhunia, and R. S. Chakraborty,
“Towards Trojan-free trusted ICs: problem analysis and detection
scheme,” Proceedings of the Conference on Design, Automation and
Test in Europe (DATE), pp. 1362–1365, 2008.
12. D. Agrawal, S. Baktir, D. Karakoyunlu, P. Rohatgi, and B.
Sunar, “Trojan detection using IC fingerprinting,” Proceedings
of the Symposium on Security and Privacy (SP), pp. 296–310,
13. R. M. Rad, X. Wang, M. Tehranipoor, and J. Plusquellic,
“Power supply signal calibration techniques for improving
detection resolution to hardware Trojans,” Proceedings of the
International Conference on CAD (ICCAD), pp. 632–639, 2008.
14. M. Banga and M. S. Hsiao, “A region based approach for the
identification of hardware Trojans,” Proceedings of the
International Workshop on Hardware-oriented Security and Trust
(HOST), pp. 40–47, 2008.
15. Y. Jin and Y. Makris, “Hardware Trojan detection using path
delay fingerprint,” Proceedings of the International Workshop on
Hardware-oriented Security and Trust (HOST), pp. 51–57, 2008.
16. L.-W. Kim, J. D. Villasenor, and C. K. Koc, “A
Trojan-resistant system-on-chip bus architecture,” Proceedings
of Military Communications Conference (MILCOM), pp. 1-6, 2009.
17. S. Narasimhan, X. Wang, D. Du, R. S. Chakraborty and S.
Bhunia, “Hardware Trojan Detection Using Temporal
Self-Referencing”, International Symposium on Hardware-oriented
Security and Trust (HOST) 2011 (to appear).
18. M. Tehranipoor and F. Koushanfar, “A Survey of Hardware
Trojan Taxonomy and Detection”, IEEE Design and Test of
Computers, vol. 27, no. 1, pp. 10-25, Jan.-Feb. 2010.
19. J. Aarestad, D. Acharyya, R. Rad and J. Plusquellic,
“Detecting Trojans through leakage current analysis using
multiple supply pad IDDQs”, IEEE Transactions on Information
Forensics and Security, vol. 5, no. 4, pp. 893-904, Dec. 2010.
20. F. Koushanfar and A Mirhoseini, “A unified framework for
multimodal submodular integrated circuits Trojan detection”,
IEEE Transactions on Information Forensics and Security, vol. 6,
no. 1, pp. 162-174, Mar. 2011.
21. R. Rad, J. Plusquellic and M. Tehranipoor, “A sensitivity
analysis of power signal methods for detecting hardware Trojans
under real process and environmental conditions”, IEEE
Transactions on VLSI, vol. 18, no. 12, pp. 1735–1744, Dec. 2010.
22. R. Karri, J. Rajendran, K. Rosenfeld and M. Tehranipoor,
“Trustworthy hardware: identifying and classifying hardware
Trojans”, Computer, vol. 43, no. 10, pp. 39–46, Oct. 2010.
23. Sk. S. Ali, R. S. Chakraborty, D. Mukhopadhyay and S. Bhunia,
"Multi-level Attack: an Emerging Threat Model for Cryptographic
Hardware", Proceedings of DATE 2011, Grenoble, France.
Dr. Rajat Subhra Chakraborty is an Assistant Professor in
the Computer Science and Engineering Department of IIT Kharagpur.
He received his Ph.D. degree in Computer Engineering from Case
Western Reserve University (Cleveland, Ohio, USA) in 2010 and a
B.E. (Hons.) degree in Electronics and Telecommunication
Engineering from Jadavpur University in 2005. From 2005-2006, he
worked as a CAD Software Engineer at National Semiconductor in
Bangalore, and in Fall 2007, he was a co-op at Advanced Micro
Devices (AMD) in Sunnyvale, California. As a graduate student,
he has received multiple student awards from IEEE and ACM, and
an annual award for academic excellence from
Case Western Reserve University in 2009. Part of his Ph.D.
research work has been the subject of a U.S. patent filed by
Case Western Reserve University in 2009. His research interests
include hardware security, covering design methodology for
hardware IP/IC protection, hardware Trojan detection/prevention
through design and testing, attacks on hardware implementation
of cryptographic algorithms, and reversible watermarking for
digital content protection. He has close to 25 publications in
international journals and conferences of repute (including
IEEE TCAD, IEEE TCAS-I, ACM TETCS, IET CDT, ICCAD, DATE, CHES,
VTS, VLSID, ISQED, HOST etc.), and has presented his research
work at many of these conferences. He has delivered tutorials
on Hardware Security at the IEEE VLSI Design Conference (VLSID),
Chennai, India, 2011, and IEEE International Workshop on
Information Forensics and Security (WIFS), Foz do Iguacu,
Brazil, 2011 (forthcoming). He has acted as a reviewer for
multiple international conferences and journals. He is the
co-author of one book on hardware security (forthcoming).