The 4th International Conference on Applied Automation and Industrial Diagnostics (ICAAID), 29-31 March 2022, Ha’il, KSA
Towards the Integration of Security and Safety
Patterns in the Design of Safety-Critical Embedded
2022 4th International Conference on Applied Automation and Industrial Diagnostics (ICAAID) | 978-1-7281-8939-0/22/$31.00 ©2022 IEEE | DOI: 10.1109/ICAAID51067.2022.9799513
Systems
Ashraf Armoush
Computer Engineering Department
An-Najah National University
Nablus, Palestine
[email protected]
Abstract—The design of safety-critical embedded systems is a
complex process that involves the reuse of proven solutions to
fulfill a set of requirements. While safety is considered as the
major requirement to be satisfied in safety-critical embedded
systems, the security attacks can affect the security as well as
the safety of these systems. Therefore, ensuring the security of
the safety-critical embedded systems is as important as ensuring
the safety requirements. The concept of design patterns, which
provides common solutions to widely recurring design problems,
have been extensively engaged in the design of the hardware and
software in many fields, including embedded systems. However,
there is an inadequacy of experience with security patterns in the
field of safety-critical embedded systems. To address this problem,
this paper proposes an approach to integrate security patterns
with safety patterns in the design of safety-critical embedded
systems. Moreover, it presents a customized representation for
security patterns to be more relevant to the common safety
patterns in the context of safety-critical embedded systems.
Index Terms—Security Pattern, Safety Pattern, Safety-Critical,
Embedded Systems
I. I NTRODUCTION
Over the last few years, embedded systems have been
widely used in many domains, including safety-critical domain
where failures could lead to serious consequences, such as
endangering human life, substantial economic loss, or exten-
sive environmental damage [11]. The complexity of safety-
critical embedded systems introduces the need for merging
well-known and proven design techniques and strategies to
fulfill the strict specifications for these systems.
The designers of safety-critical systems should address
the functional requirements which cover the functions to
be performed. Meanwhile, they have to consider the Non-
Functional Requirements (NFRs) in the design process. The
non-functional requirements, which include the quality factors
of a system as it conducts its job [20], are very important and
have become more and more difficult to achieve in the field of
safety-critical embedded systems. For long time, practitioners
in the safety-critical field have closely considered a list of
common non-functional requirements, such as adequate level
978-1-7281-8939-0/22/$31.00 ©2022 IEEE
Authorized licensed use limited to: BMS College of Engineering. Downloaded on February 17,2025 at 04:17:07 UTC from IEEE Xplore. Restrictions apply.
of safety, high reliability, availability, and low cost. However,
the security aspects of these systems are rarely addressed or
often misconstrued at the late phases of development [19].
With growing number of safety-critical applications, it has
become clear that the safety-critical embedded systems need to
access, store, and communicate sensitive information. While
the security attacks against general information systems repre-
sent a large and growing problem, the attacks against safety-
critical systems are much more severe and can have catas-
trophic effects. Therefore, ensuring the security of the safety-
critical embedded systems is as important as ensuring the
safety requirements, and both should be treated concurrently at
early phases of system development life-cycle. Unfortunately,
the designers and developers in the safety-critical domain are
lacking the experience of handling security concerns in the
design of these systems. They should be assisted by security
guidelines and a set of proven security solutions in order to
alleviate this lack of security expertise.
The concept of design patterns, which is a universal ap-
proach to describe common solutions to commonly recurring
design problems, has been widely used in many domains.
It aims to assist designers choose appropriate solution for
recurring design problems. Therefore, this concept might also
be applicable to address the growing concerns of the security
in safety-critical embedded systems.
In this paper, an approach has been proposed to integrate
the security patterns with the safety patterns in the design pro-
cess of safety-critical embedded systems. A modified pattern
representation has been introduced to facilitate the selection
of a suitable security pattern and the integration with safety
patterns. The rest of this paper is structured as follows: Section
II provides a review of the most important related work.
Section III presents the modified template representation for
security patterns. Section IV presents the proposed approach
and section V illustrates it with an example for safety and
security patterns. Finally, section VI concludes the proposed
approach and outlines possible issues for future work.
 II. R ELATED W ORK
Like all patterns, security patterns, which provide assured
security solutions to solve similar security problems, have been
widely examined on different levels and in many domains
during the last decade. E.g. a list of general security patterns
were presented in [7] to help application developers who
are not security experts to add security in their applications.
Moreover, different approaches and methodologies have been
proposed to integrate security patterns during all phases of
design process. Starting from user requirements, the security
requirements should be translated in system security require-
ment [8]. Consequently, the security patterns should be
integrated with all stages of the design life cycle. Bouaziz et
al. [4] proposed a security pattern integration approach from
the earliest phase until the generation of the software code.
The proposed solution used the UML component model as an
application domain of security patterns.
Motii et al. [15]–[17] combined the risk management and
security pattern-based system and system engineering together
to guide the picking of security patterns and to provide a
pattern classification. A model-based approach for integrating
security pattern was proposed to provide a proper solution for
component-based software architecture using UML. Similarly,
Ruiz et al. [21] presented an engineering process to integrate
security engineering into the regular UML-based system en-
gineering process for the development of security-sensitive
systems.
The growing number of existing security patterns con-
founded users in finding the most appropriate solution for
a given design security problem. Weiss et al. [24] presented
a selection method for security patterns in terms of global
requirement language. Prolog rules were used to reason about
the evaluation mechanism and show the effect of combining
different security patterns.
Occasionally, the designers feel necessity for a catalogue
or a repository of security patterns to simplify the selection
process. Hamid et la. [10] proposed a framework to associate
the model-driven paradigm and a model-based repository of
security and dependability patterns to assist the development
of trusted Resource Constrained Embedded System (RCES)
applications for different domains. On other hand, the avail-
ability of a development tool, which can be used to address
the complexity and ease the design of secure systems, is
productive [23].
Most of the aforementioned researches addressed the se-
curity issue separately from the other non-functions require-
ments, especial the safety requirement, in the design of em-
bedded systems. The state-of-the art provides some attempts,
either to modify the safety pattern to cover some security
consideration, or to integrate the selection of safety patterns
with the selection of security patterns in specific domain of
applications. Preschern et al. [18] extended existing architec-
tural safety patterns to address security aspects. A STRIDE
approach on the safety patterns to obtain relevant threats for
each pattern was proposed. The threats were structured in a
Authorized licensed use limited to: BMS College of Engineering. Downloaded on February 17,2025 at 04:17:07 UTC from IEEE Xplore. Restrictions apply.
Goal Structuring Notation diagram and a catalogue of security-
enhanced safety patterns was presented.
Amorim et al. [1], [14] concentrated on the selection and
combination of safety and security patterns in context of sys-
tem engineering. They proposed a pattern-based engineering
life cycle process that provided a systematic approach to
interlink safety and security related patterns in the automotive
domain. This research can be considered as the most related
work to our approach since it covers the safety and security
pattern in automotive domain which is a specific field of
safety-critical applications. In the same field, Cheng et al. [5]
discussed the security pattern concept in relation to automotive
systems and introduced a set of security design patterns
targeted for automotive security needs.
III. PATTERN T EMPLATE
Design Patterns, which give abstract solutions to commonly
recurring design problems, have been commonly used in the
software field after the success of the book by the Gang of Four
(GoF) [9]. Ever since, this concept has been adapted in several
domains to address many design requirements. In previous
work, we have addressed the concept of design pattern to
represent the safety requirements for safety-critical embed-
ded systems [2]. Moreover we have presented a modified
pattern representation by including fields for the side effects
and implications of the represented design pattern on safety,
reliability, modifiability, cost, and execution time [3]. Un-
fortunately, the security patterns and the possible integration
between safety and security patterns were not studied.
Recently, many security patterns have been proposed with
many pattern representations and templates [12], [13], [22],
[25]. Nevertheless, we need a modified representation for se-
curity patterns in the field of safety-critical embedded systems
to support the integration with available safety patterns.
While all pattern templates include three main parts (con-
text, problem and solution), they differ in many other parts.
In this paper, the proposed pattern template includes the
following parts:
• <Pattern Name>: A common name (Simple Phrase) to
describe and identify the pattern uniquely, and it will be
used to designate this pattern in the design process.
• <Other Names>: The other well-known names for the
given pattern, if exist.
• <Security Service>: The classification of the security
pattern based on the general security service provided by
this pattern to ensure adequate security of the system. We
follow the X.800 OSI Security Architecture which classi-
fies the security service into the following categories:
– Authentication
– Access Control
– Data Confidentiality
– Data Integrity
– Non-Repudiation
• <Abstract>: This field presents a brief description of the
pattern
 • <Context>: The common situation (domain assump-
tions) where the designer may use this pattern.
• <Problem:> This part gives a summary of the design
problem which is considered and solved by this pattern
(The security goal to be achieved)
• <Pattern Structure:> This is the main part of the
pattern, since it presents a solution to the problem under
consideration. It describes the main parts of the pattern,
the relation between these parts, and how they cooperate
to give a solution to the addressed problem.
• <Consequences and Side effects>: The implications that
can be achieved by this pattern, in addition to the side
effects, constraints, and drawbacks that crop up when the
pattern is applied.
• <Implementation>: The main points, advices, tech-
niques that should be considered during the implementa-
tion of the pattern.
• <Interface to Safety Pattern>: This part presents a well-
defined interface to disseminate the status of the security
Fig. 1. An overview of the integration process
pattern to the safety design pattern, which is responsible
for controlling the safety-critical embedded system.
• <Related Patterns>: The associated security patterns. template and then grouped according to the addressed security
And the potential to incorporate them with this one. service.
IV. I NTEGRATION OF S AFETY AND S ECURITY PATTERNS : After the completion of the three phases, two catalogues
of patterns will be constructed, one for safety patterns and
The idea behind the concept of design patterns is to support the other for security patterns. The classification of the safety
and guide designers in solving a common design problem and security patterns, as described previously, will assist the
which occurs over and over in many applications. Each pattern designer in selecting the most appropriate safety pattern that
covers a specific problem in a specific context and provides a fulfills the safety requirements, then in selecting the security
proven solution to this problem. Several safety design patterns pattern that best fit to the selected safety pattern. This process
have been collected as catalogues to improve designers ability could be conducted manually, or an automated tool will be
to select appropriate patterns for safety-critical systems. On the considered for future work.
other hand, several security patterns have been presented in the
literature to deal with security problems in general computing V. C ASE S TUDY
systems. In the proposed approach, we aim to integrate the
general security design patterns with safety patterns to provide In order to illustrate the proposed approach, the first two
a guidance in the selection of a suitable combination of safety phases are considered in the following example safety pattern.
and security patterns. The Monitor-Actuator Pattern [6] is a safety pattern that
Our approach consist of three phases as shown in Figure 1: is applicable for safety-critical systems with low-level of
In the first phase, the available safety patterns should be availability requirement and existing fail-safe state which, in
assessed in order to identify the threats and vulnerability of the case of failure, can be considered as being safe without
the patterns. This security assessment will clarify the possible risk. In many design methods, a safety procedure should be
security attacks and summarize the main security requirements conducted, in the case of failure, to reach predefined safe state.
for the available safety patterns. In the second phase, refined As shown in figure 2, the pattern consists of two channels,
versions of the safety patterns should be constructed based on main actuation and monitoring channel, that run independently
the outcome of the first phase. The modified safety patterns on heterogeneous platforms, including microcontrollers or
will include the necessary missed parts to deal with the identi- FPGAs. The main actuation channel collects the input data
fied security requirements of the original patterns. To facilitate from input sensors and provides a check on the measured
the future integration with the security patterns, the security values and the system itself to ensure the correct conducting
requirements for the safety patterns should be classified into of the required operations. The monitoring channel is used
five categories similar to the security service field presented in to track the safety of the system by performing a continuous
the proposed security pattern template. Moreover, the safety monitoring for the actuation channel. It collects the data from
patterns should also indicate the suitable safety action to be the set point source and the actuator sensors and compares
performed based on the possible disseminated outcome from it with the given set points to identify possible faults in the
the security patterns. In the last phase, all the security patterns main channel. In the case of incorrect operation, it imposes
should be represented using the proposed security pattern the main channel to enter the fail-safe state.

Authorized licensed use limited to: BMS College of Engineering. Downloaded on February 17,2025 at 04:17:07 UTC from IEEE Xplore. Restrictions apply.
 Fig. 2. The Monitor-Actuator Pattern
Based on the first phase of the proposed approach, a security
assessment and risk analysis, for the pattern under consider-
ation, were conducted. Only the security threats, that might
affect the safe operation of safety-critical embedded system,
will be covered during this phase. As it was mentioned earlier,
the patterns consists of two independent and heterogeneous
hardware channels that run in parallel to carry out the intended
functional requirements and to ensure the safe and reliable
operation of the embedded system. As a result of the security
and risk assessment for this pattern, the main threat comes
from the possible external attempts to modify the exchanged
messages between the two channels or to replay old messages,
which in turn affects the safe operation of the embedded
system. Accordingly, the main security threat in this pattern
can be classified as a weakness in the integrity as a security
service.
In the second phase of the proposed approach, the presented
pattern should be modified to introduce a refined version
to cope with the elaborated security threats from the first
phase. Therefore, figure 3 shows a refined version of the
previous pattern, where a new component is added to protect
the communicated messages between the two channels. The
new component should implement one or more safety patterns
to provide an integrity protection against the previously men-
tioned threats.
Consequently, the security patterns, which are classified as
integrity-protection patterns, are applicable to be integrated
with this safety pattern to deal with two specific problems:
message authentication and replaying problems.
To illustrate the third phase of the proposed approach, we
have selected the Data Origin Authentication Pattern, which is
one of the security patterns that can solve the aforementioned
security problem. The selected security pattern is represented
using the proposed template as follows:
• Pattern Name: Data Origin Authentication Pattern.
Authorized licensed use limited to: BMS College of Engineering. Downloaded on February 17,2025 at 04:17:07 UTC from IEEE Xplore. Restrictions apply.
• Other Names: Message Authentication Pattern.
• Security Service: Data Integrity Protection.
• Abstract: This pattern provides a solution to the data
integrity problem by using a message authentication code
which is a code that can be calculated only by the sender
or the intended recipient of the message.
• Context: Two entities exchange sensitive information
through messages using insecure communication chan-
nel (Insecure Network). In such network, attackers may
intercept messages and try to modify or replay them.
• Problem: How to establish a secure channel for the com-
municating entities so that they can exchange messages
in an authenticated manner. The messages’ data integrity
as well as their authenticity must be guaranteed in both
directions.
• Pattern Structure: The solution to the integrity problem
depends on the concept of message authentication code
(MAC), a code which is generated using a cryptographic
algorithm and a shared secret information (key) between
the sender and the recipient. The main parts of this
pattern is shown in the figure 4. The sender uses the
message to be protected and the shared key as input to the
algorithm to generate the authentication code. The MAC
is appended to the message and then sent to recipient
via insecure channel. The recipient performs a similar
computation on the received message and the secret key
to generate a MAC, then a check with received MAC
is conducted. The matching between the computed and
received codes provides an evidence that the message is
unaltered and comes from the corresponding sender.
• Consequences and Side effects: The pattern does not pro-
vide a protection against a recorded message with valid
MAC. Therefore, other technique should be integrated
with this pattern to protect against the replayed messages.
On other hand, the time overhead for computing the code
 Fig. 3. The Refined Monitor-Actuator Pattern

Fig. 4. Data Origin Authentication (Message Authentication) Pattern

for each message should be considered in choosing a fast
algorithm especially for strict real-time applications.
• Implementation:
– The main part for this pattern is the transfer algo-
rithm which can be implemented using two tech-
niques:
∗ Hash based Message Authentication Code
(HMAC): using a keyed hash function like SHA2
or SHA3.
∗ Cipher based Message Authentication Code
(CMAC): using a block cipher algorithm like
3DES or AES.
– A time stamp can be embedded into the message be-
fore computing the MAC to protect against recorded
old messages.
– Providing a shared secret key, between the sender
and the recipient, is considered as a problem in this
pattern. Therefore, many technique, for key agree-
ment and key transferring, have been presented in
the literature. Nevertheless, a pre-shared static key is
more suitable for embedded systems with hardware
implementation.
• Interface to Safety Pattern: The effect of this pattern on
the safety patterns depends on the result of comparison
between the received and the computed MAC, which can
be one of the following:
– Valid new MAC: This case indicates a normal
operation and no security violation.
– Invalid MAC: This case indicates an attempt to
attack the security of the communication channel,
which in turn affects the safety of the embedded
system. Thus, a safety action, which depends on the
safety pattern, should be conducted to force the main
actuation channel reaching its fail-safe state.
• Related Patterns: Digital Signature Pattern and IPSEC
VPN pattern.

Authorized licensed use limited to: BMS College of Engineering. Downloaded on February 17,2025 at 04:17:07 UTC from IEEE Xplore. Restrictions apply.
 VI. C ONCLUSION AND F UTURE W ORK :
In this paper, an approach has been presented to integrate
security patterns with safety patterns in the development of
safety-critical embedded systems to overcome the lack of
experience with security solutions for common problems in the
earlier stages of system design. Moreover, a security pattern
representation has been proposed to facilitate the selection
process of the suitable security pattern. The representation
provides a classification for the security design patterns ac-
cording to the security services, and a well-defined interface
to disseminate the status of the security pattern to the safety
design pattern. A sample security pattern was represented
using the proposed template to be integrated with a given
safety pattern in order to explain our proposed approach.
In the future, a catalogue of common and appropriate
security patterns will be constructed to be used with the
available catalogue of safety patterns. Furthermore, a tool
will be developed to facilitate the automated selection and
combination of consistent security and safety patterns to
maintain the security and safety requirements in context of
safety-critical embedded systems.
R EFERENCES
[1] T. Amorim, H. Martin, Z. Ma, C. Schmittner, D. Schneider, G. Macher,
B. Winkler, M. Krammer, and C. Kreiner. “Systematic pattern approach
for safety and security co-engineering in the automotive domain”. In
International Conference on Computer Safety, Reliability, and Security,
pp. 329–342. Springer, 2017.
[2] A. Armoush. Design patterns for safety-critical embedded systems. PhD
thesis, RWTH Aachen University, 2010.
[3] A. Armoush, F. Salewski, and S. Kowalewski. “Design pattern repre-
sentation for safety-critical embedded systems”. Journal of Software
Engineering and Applications, vol. 2, no. 1, p. 1, 2009.
[4] R. Bouaziz, S. Kallel, and B. Coulette. “An approach for security
patterns application in component based models”. In International Con-
ference on Computational Science and Its Applications, pp. 283–296.
Springer, 2014.
[5] B. H. Cheng, B. Doherty, N. Polanco, and M. Pasco. “Security patterns
for automotive systems.” In 2019 ACM/IEEE 22nd International Confer-
ence on Model Driven Engineering Languages and Systems Companion
(MODELS-C), pp. 54-63. IEEE, 2019.
[6] B. P. Douglass. Real-time design patterns: robust scalable architecture
for real-time systems. Addison-Wesley Professional, 2003.
[7] E. Fernandez-Buglioni. Security patterns in practice: designing secure
architectures using software patterns. John Wiley & Sons, 2013.
[8] A. Ferrante, I. Kaitovic, and J. Milosevic. “Modeling Requirements for
Security-enhanced Design of Embedded Systems.” In SECRYPT, pp.
315-320. 2014.
Authorized licensed use limited to: BMS College of Engineering. Downloaded on February 17,2025 at 04:17:07 UTC from IEEE Xplore. Restrictions apply.
[9] E. Gamma, R. Helm, R. Johnson, and J. Vlissides. Design patterns:
elements of reusable object-oriented software. Pearson Deutschland
GmbH, 1995.
[10] B. Hamid, J. Geisel, A. Ziani, J.-M. Bruel, and J. Perez. “Model-
driven engineering for trusted embedded systems based on security
and dependability patterns.” In International SDL Forum, pp. 72-90.
Springer, Berlin, Heidelberg, 2013.
[11] J. C. Knight. “Safety critical systems: challenges and directions.” In Pro-
ceedings of the 24th international conference on software engineering.,
pp. 547-550. IEEE, 2002.
[12] P. Mahendra and A. Ghazarian. “Patterns in the requirements engineer-
ing: A survey and analysis study”. WSEAS Transaction on Information
Science and Application, vol. 11, pp. 214-230, 2014.
[13] A. Maña, E. Damiani, S. Guergens, and G. Spanoudakis. “Extensions to
pattern formats for cyber physical systems.” In Proceedings of the 21st
Conference on Pattern Languages of Programs, pp. 1-8. 2014.
[14] H. Martin, Z. Ma, C. Schmittner, B.Winkler, M. Krammer, D. Schneider,
T. Amorim, G. Macher, and C. Kreiner. “Combined automotive safety
and security pattern engineering approach.” Reliability Engineering &
System Safety, vol. 198, p. 106773, 2020.
[15] A. Motii, B. Hamid, A. Lanusse, and J.-M. Bruel. “Guiding the selection
of security patterns based on security requirements and pattern classi-
fication.” In Proceedings of the 20th European Conference on Pattern
Languages of Programs, pp. 1-17. ACM, 2015.
[16] A. Motii, B. Hamid, A. Lanusse, and J.-M. Bruel. “Guiding the selection
of security patterns for real-time systems.” In 2016 21st International
Conference on Engineering of Complex Computer Systems (ICECCS),
pp. 155-164. IEEE, 2016.
[17] A. Motii, B. Hamid, A. Lanusse, and J.-M. Bruel. “Towards the
integration of security patterns in uml component-based applications.”
In PAME/VOLT@ MODELS, pp. 2-6. 2016.
[18] C. Preschern, N. Kajtazovic, and C. Kreiner. “Security analysis of safety
patterns.” In Proceedings of the 20th Conference on Pattern Languages
of Programs, pp. 1-38. 2013.
[19] S. Ravi, A. Raghunathan, P. Kocher, and S. Hattangady. “Security in em-
bedded systems: Design challenges.” ACM Transactions on Embedded
Computing Systems (TECS), vol. 3, no. 3, pp. 461-491. 2004.
[20] S. Robertson and J. Robertson. Mastering the requirements process:
Getting requirements right. Addison-wesley, 2012.
[21] J. F. Ruiz, A. Maña, and C. Rudolph. “An integrated security and systems
engineering process and modelling framework.” The Computer Journal,
vol. 58, no. 10, pp. 2328-2350. 2015.
[22] R. Slavin, J.-M. Lehker, J. Niu, and T. D. Breaux. “Managing security
requirements patterns using feature diagram hierarchies.” In 2014 IEEE
22nd International Requirements Engineering Conference (RE), pp. 193-
202. IEEE, 2014.
[23] M. Vasilevskaya, L. A. Gunawan, S. Nadjm-Tehrani, and P. Herrmann.
“Integrating security mechanisms into embedded systems by domain-
specific modelling.” Security and Communication Networks, vol. 7, no.
12, pp. 2815-2832. 2014.
[24] M. Weiss and H. Mouratidis. “Selecting security patterns that fulfill
security requirements.” In 2008 16th IEEE International Requirements
Engineering Conference, pp. 169-172. IEEE, 2008.
[25] N. Yoshioka, H. Washizaki, and K. Maruyama. “A survey on security
patterns.” Progress in informatics, vol. 5, no. 5, pp. 35-47. 2008.