We propose a holistic methodology for designing automotive systems that treats security as a central concern at every design stage. During concept design, we model the system architecture and define the security attributes of its components. We perform threat analysis on the system model to identify structural security issues. From that analysis, we derive attack trees, which define recipes describing the steps needed to successfully attack the system's assets, and propose threat prevention measures. The attack tree allows us to derive a verification and validation (V&V) plan that prioritizes the testing effort. In particular, we advocate learning-based testing approaches for the black-box components. This consists of inferring a finite state model of the black-box component from its execution traces. The model can then be used to generate new relevant tests, to model check the component against its requirements, and to compare two different implementations of the same protocol. We illustrate the methodology with an automotive infotainment system example. Using the advocated approach, we were also able to document unexpected and potentially critical behavior in our example systems.
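The learning-based testing step described above, as an added Python illustration that is not the paper's own code: a k-tails passive learner infers a finite state model from execution traces of a black-box component, and the learned model is model checked against a requirement. The traces, the input/output vocabulary (a hypothetical phone-pairing/media service) and the requirement "playback may only succeed after pairing" are constructed assumptions.

```python
from collections import deque

# Constructed example traces (not from the paper): (input, output) steps observed at a
# black-box infotainment component; TRACES_B comes from a second implementation.
TRACES_A = [
    [("connect", "ack"), ("pin", "paired"), ("play", "playing")],
    [("connect", "ack"), ("play", "denied"), ("pin", "paired"), ("play", "playing")],
]
TRACES_B = [
    [("connect", "ack"), ("pin", "paired"), ("play", "playing")],
    [("connect", "ack"), ("play", "playing")],
]

def learn_model(traces, k=2):
    """k-tails passive learning: build a prefix tree of the traces, then merge states whose
    observed step sequences of length <= k coincide. Returns model[state][(inp, out)] = successors."""
    tree = [{}]                                   # tree[s] = {(inp, out): successor}; 0 is initial
    for trace in traces:
        s = 0
        for step in trace:
            s = tree[s].setdefault(step, len(tree))   # fresh node if this step is new here
            if s == len(tree):
                tree.append({})
    def tails(s, depth):                          # observed step sequences of length <= depth
        out = set()
        if depth:
            for step, n in tree[s].items():
                out |= {(step,)} | {(step,) + t for t in tails(n, depth - 1)}
        return frozenset(out)
    rep = {}                                      # k-tail signature -> representative state
    cls = [rep.setdefault(tails(s, k), s) for s in range(len(tree))]
    model = {}                                    # merging may leave nondeterminism: sets
    for s, edges in enumerate(tree):
        for step, n in edges.items():
            model.setdefault(cls[s], {}).setdefault(step, set()).add(cls[n])
    return model

def pairing_violation(model):
    """Model check: 'play' may only be answered 'playing' after 'pin'/'paired'; returns a
    shortest violating path, or None when the learned model satisfies the requirement."""
    seen, queue = {(0, False)}, deque([(0, False, [])])
    while queue:
        s, paired, path = queue.popleft()
        for (inp, out), nexts in model.get(s, {}).items():
            if (inp, out) == ("play", "playing") and not paired:
                return path + [(inp, out)]
            now = paired or (inp, out) == ("pin", "paired")
            for n in nexts:
                if (n, now) not in seen:
                    seen.add((n, now))
                    queue.append((n, now, path + [(inp, out)]))
    return None
```

The violating path returned for the second implementation is exactly the kind of unexpected behavior the V&V plan would then turn into a concrete test case.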