We propose a holistic methodology for designing automotivesystems that consider security a central concern at every design stage.During the concept design, we model the system architecture and definethe security attributes of its components. We perform threat analysis onthe system model to identify structural security issues. From that analysis,we derive attack trees that define recipes describing steps to successfullyattack the system's assets and propose threat prevention measures.The attack tree allows us to derive a verification and validation (V&V)plan, which prioritizes the testing effort. In particular, we advocate usinglearning for testing approaches for the black-box components. It consistsof inferring a finite state model of the black-box component from its executiontraces. This model can then be used to generate new relevanttests, model check it against requirements, and compare two differentimplementations of the same protocol. We illustrate the methodologywith an automotive infotainment system example. Using the advocated approach, we could also document unexpected and potentially criticalbehavior in our example systems.

翻译：---- 我们提出了一种全面的方法来设计汽车系统，考虑到安全是每个设计阶段的核心问题。在概念设计阶段，我们建立系统架构模型，并定义了其组件的安全属性。我们对系统模型进行威胁分析，以识别结构性安全问题。从这个分析中，我们得出攻击树，定义了描述成功攻击系统资产的步骤，并提出了防范威胁的措施。攻击树使我们能够推导出验证和验证（V＆V）计划，该计划优先考虑测试的工作量。特别地，我们主张使用黑盒组件的学习测试方法。它由从其执行跟踪中推断出黑盒组件的有限状态模型组成。然后可以使用该模型来生成新的相关测试，针对要求进行模型检查，并比较同一协议的两个不同实现。我们用一个汽车信息娱乐系统示例说明了这种方法。使用这种方法，我们还可以记录我们示例系统中的意外和可能严重的行为。