
    From Attack to Defense: Toward Secure In-vehicle Networks

    New security breaches in vehicles are emerging due to software-driven Electronic Control Units (ECUs) and the wireless connectivity of modern vehicles. These trends have introduced more remote surfaces/endpoints that an adversary can exploit and, in the worst case, use to control the vehicle remotely. Researchers have demonstrated how vulnerabilities in remote endpoints can be exploited to compromise ECUs, access in-vehicle networks, and control vehicle maneuvers. To detect and prevent such vehicle cyber attacks, researchers have also developed and proposed numerous countermeasures (e.g., Intrusion Detection Systems and message authentication schemes). However, there still remain potentially critical attacks that existing defense schemes can neither detect/prevent nor even consider. Moreover, existing defense schemes lack certain functionalities (e.g., identifying the message transmitter), and thus do not provide strong protection for safety-critical ECUs against in-vehicle network attacks. With all such unexplored and unresolved security issues, vehicles and drivers/passengers will remain insecure. This dissertation aims to fill this gap by 1) unveiling a new, important and critical vulnerability applicable to several in-vehicle networks (including the Controller Area Network (CAN), the de-facto standard protocol), 2) proposing a new Intrusion Detection System (IDS) which can detect not only those attacks that have already been demonstrated or discussed in the literature, but also those that are more acute and cannot be detected by state-of-the-art IDSes, 3) designing an attacker identification scheme that provides a swift pathway for forensics, isolation, security patching, etc., and 4) investigating what an adversary can achieve while the vehicle's ignition is off. First, we unveil a new type of Denial-of-Service (DoS) attack called the bus-off attack that, ironically, exploits the error-handling scheme of in-vehicle networks. That is, their fault-confinement mechanism, which has been considered one of their major advantages in providing fault-tolerance and robustness, is used as an attack vector. Next, we propose a new anomaly-based IDS that detects intrusions based on the extracted fingerprints of ECUs. Such a capability overcomes the deficiency of existing IDSes and thus detects a wide range of in-vehicle network attacks, including those that existing schemes cannot. Then, we propose an attacker identification scheme that provides a swift pathway for forensics, isolation, and security patching. This is achieved by fingerprinting ECUs based on CAN voltage measurements. It takes advantage of the fact that the voltage outputs of each ECU are slightly different from each other due to their differences in supply voltage, ground voltage, resistance values, etc. Lastly, we propose two new attack methods called the Battery-Drain and the Denial-of-Body-control attacks, through which an adversary can disable parked vehicles with the ignition off. These attacks invalidate the conventional belief that vehicle cyber attacks are feasible, and thus their defenses are required, only when the vehicle's ignition is on.
    PhD, Computer Science & Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies. https://deepblue.lib.umich.edu/bitstream/2027.42/144125/1/ktcho_1.pd

    Modeling and verifying the FlexRay physical layer protocol with reachability checking of timed automata

    In this thesis, I report on the verification of the resilience of the FlexRay automotive bus protocol's physical layer protocol against glitches during message transmission and drifting clocks. This entailed modeling a significant part of this industrially used communication protocol and the underlying hardware, as well as the possible error scenarios, in fine detail. Verifying such a complex model with model checking led me to the development of data structures and algorithms able to handle the associated complexity using only reasonable resources. This thesis presents such data structures and algorithms for reachability checking of timed automata. It also presents modeling principles enabling the construction of timed automata models that can be efficiently checked, as well as the models arrived at. Finally, it reports on the verified resilience of FlexRay's physical layer protocol against specific patterns of glitches under varying assumptions about the underlying hardware, like clock drift.
    DFG: SFB/TRR 14 "AVACS - Automatische Verifikation und Analyse komplexer Systeme"

    Hardware Assisted Solutions for Automobile Security

    In the past couple of decades, many in-vehicle features have been invented and deployed in order to make modern vehicles not only safer and more reliable but also connected, smarter, and intelligent. Meanwhile, vehicular ad-hoc networks (VANETs) have been proposed to provide communications between vehicles and road-side stations as the foundation of the intelligent transportation system, providing efficient and safe transportation. To support these new functions, a large amount of electronic equipment has been integrated into the car system. Although these add-on functions offer great help in driving assistance, they inevitably introduce new security vulnerabilities that threaten the safety of on-board drivers, passengers and pedestrians. This has been demonstrated by many well-documented attacks, either on the in-vehicle bus system or on wireless vehicular network communications. In this dissertation, we design and implement several hardware-oriented solutions to the arising security issues on vehicles. More specifically, we focus on three important and representative problems: (1) how to secure the in-vehicle Controller Area Network (CAN), (2) how to secure the communication between the vehicle and the outside, and (3) how to establish trust on VANETs. Current approaches based on cryptographic algorithms to secure the CAN bus violate the strict timing and limited resource constraints of CAN communications. We therefore focus on the alternative solution of an intrusion detection system (IDS) in this dissertation. We explore monitoring the changes in CAN message content or the physical delay of its transmission to detect intrusions on the CAN bus. We first propose a new entropy-based IDS, following the observation that all the known CAN message injection attacks need to alter the CAN identifier bits. Thus, analyzing the entropy changes of such bits can be an effective way to detect those attacks. Next, we develop a delay-based IDS to protect the CAN network by identifying the location of the compromised Electronic Control Unit (ECU) from the difference in transmission delay to two terminals connected to the CAN bus. We demonstrate that both approaches can protect the integrity of the messages on the CAN bus, further improving the security and safety of autonomous vehicles. In the second part of this dissertation, we consider Plug-and-Secure, an industrial practice for key management in automotive CAN networks. It has been proven to be information-theoretically secure. However, we discover side-channel attacks based on the physical properties of the CAN bus that can leak almost all of the secret key bits. We analyze the fundamental characteristics that lead to such attacks and propose techniques to minimize information leakage at the hardware level. Next, we extend our study from secure in-vehicle CAN communication to the communication between the vehicle and the outside world. We take the example of the popular GPS spoofing attack and show how we can use the rich information from the CAN bus to build a cross-validation system to detect such attacks. Our approach is based on the belief that the local driving data from the in-vehicle network can be authenticated, and thus trusted, by secure CAN network mechanisms. Such data can be used to cross-validate the GPS signals from the satellite, which are vulnerable to spoofing attacks. We conduct driving tests on real roads to show that our proposed approach can defend against both GPS spoofing attacks and location-based attacks on VANETs. Finally, we propose a blockchain-based Anonymous Reputation System (BARS) to establish a privacy-preserving trust model for VANETs. Certificate and revocation transparency is implemented efficiently with proofs of presence and absence based on extended blockchain technology. To prevent the broadcast of forged messages, a reputation evaluation algorithm is presented that relies on both the direct historical interactions of a vehicle and indirect opinions from other vehicles. This dissertation features solutions to vehicle security problems based on hardware or physical characteristics, instead of cryptographic algorithms. We believe that, given the critical timing requirements of vehicular systems and their very limited resources (such as the bandwidth on the CAN bus), this will be a very promising direction to secure vehicles and vehicular network

    Securing CAN-Based Cyber-Physical Systems

    With the exponential growth of cyber-physical systems (CPSs), new security challenges have emerged. Various vulnerabilities, threats, attacks, and controls have been introduced for the new generation of CPS. However, a systematic review of the CPS security literature is lacking. In particular, the heterogeneity of CPS components and the diversity of CPS systems have made it difficult to study the problem with one generalized model. As the first component of this dissertation, existing research on CPS security is studied and systematized under a unified framework. Smart cars, as a CPS application, are further explored under the proposed framework, and new attacks are identified and addressed. The Controller Area Network (CAN bus) is a prevalent serial communication protocol adopted in industrial CPS, especially in small and large vehicles, ships, planes, and even in drones, radar systems, and submarines. Unfortunately, the CAN bus was designed without any security considerations. We then propose and demonstrate a stealthy targeted Denial of Service (DoS) attack against CAN. Experimentation shows that the attack is effective and superior to attacks of the same category due to its stealthiness and its ability to avoid detection by current countermeasures. Two controls are proposed to defend against various spoofing and DoS attacks on CAN. The first aims to minimize the attack using a mechanism called ID-Hopping, under which CAN arbitration IDs are randomized so that an attacker is not able to target them. ID-Hopping raises the bar for attackers by randomizing the expected patterns in a CAN network. Such randomization hinders an attacker's ability to launch targeted DoS attacks. Based on the evaluation on the testbed, the randomization mechanism, ID-Hopping, holds promise as a solution for targeted DoS, for reverse engineering of CAN IDs, and for identifying which CAN networks are most vulnerable. The second countermeasure is a novel CAN firewall that aims to prevent an attacker from launching a plethora of nontraditional attacks on CAN that existing solutions do not adequately address. The firewall is placed between a potential attacker's node and the rest of the CAN bus. Traffic is controlled bi-directionally between the main bus and the attacker's side so that only benign traffic can pass to the main bus. This ensures that an attacker cannot arbitrarily inject malicious traffic into the main bus. Demonstration and evaluation of the attack and firewall were conducted by a bit-level analysis, i.e., "bit banging", of CAN traffic. Results show that the firewall successfully prevents the stealthy targeted DoS attack, as well as other recent attacks. To evaluate the proposed attack and firewall, a testbed was built consisting of BeagleBone Black and STM32 Nucleo-144 microcontrollers to simulate real CAN traffic. Finally, a design for an Intrusion Detection System (IDS) was proposed to complement the firewall. It utilizes the proposed firewall to add situational awareness capabilities to the bus's security posture and to detect and react to attacks that might bypass the firewall based on certain rules

    EdgeTDC: On the Security of Time Difference of Arrival Measurements in CAN Bus Systems

    A Controller Area Network (CAN bus) is a message-based protocol for intra-vehicle communication designed mainly with robustness and safety in mind. In real-world deployments, the CAN bus does not offer common security features such as message authentication. Because automotive suppliers need to guarantee interoperability, most manufacturers rely on a decade-old standard (ISO 11898), and changing the format by introducing MACs is impractical. Research has therefore suggested addressing this lack of authentication with CAN bus Intrusion Detection Systems (IDSs) that augment the bus with separate modules. IDSs attribute messages to their respective sender by measuring physical-layer features of the transmitted frame. Those features are based on timings, voltage levels, transients and, as of recently, Time Difference of Arrival (TDoA) measurements. In this work, we show that the TDoA-based approaches presented in prior art are vulnerable to novel spoofing and poisoning attacks. We describe how those proposals can be fixed and present our own method, called EdgeTDC. Unlike existing methods, EdgeTDC does not rely on analog-to-digital converters (ADCs) with a high sampling rate and high dynamic range to capture the signals at sample-level granularity. Our method uses time-to-digital converters (TDCs) to detect the edges and measure their timings. Despite being inexpensive to implement, TDCs offer low latency, high location precision and the ability to measure every single edge (rising and falling) in a frame. Measuring each edge makes analog sampling redundant and allows the calculation of statistics that can even detect tampering with parts of a message. Through extensive experimentation, we show that EdgeTDC can successfully thwart masquerading attacks in the CAN system of modern vehicles

    Hybrid Vehicular Communications (Comunicações veiculares híbridas)

    Vehicular communications is a promising research field, with great potential for the development of new applications capable of improving road safety and traffic efficiency, as well as passenger comfort and infotainment. Vehicular communication technologies can be short-range, such as ETSI ITS-G5 or the 5G PC5 sidelink channel, or long-range, using the cellular network (LTE or 5G). However, none of these technologies alone can support the expected variety of applications for a large number of vehicles, nor all the temporal and spatial requirements of connected and autonomous vehicles. Thus, the collaborative or hybrid use of short-range communications, with lower latency, and of long-range technologies, potentially with higher latency but integrating aggregated data of wider geographic scope, is proposed. In this context, this work presents a hybrid vehicular communications model capable of providing connectivity through two Radio Access Technologies (RATs), namely ETSI ITS-G5 and LTE, to increase the probability of message delivery and, consequently, achieve a more robust, efficient and secure vehicular communication system. The short-range communication channels are implemented using Raw Packet Sockets, while the cellular connection is established using the Advanced Message Queuing Protocol (AMQP). The main contribution of this dissertation is the design, implementation and evaluation of a Hybrid Routing Sublayer, capable of isolating the messages that are formed/decoded from the transmission/reception processes. This layer is therefore capable of managing traffic coming from, or destined to, the application layer of intelligent transport systems (ITS), adapting and passing ITS messages between the highest layers of the protocol stack and the available radio access technologies. The Hybrid Routing Sublayer also reduces the financial costs due to the use of cellular communications and increases the efficiency of use of the available electromagnetic spectrum, by introducing a cellular link controller that uses a Beacon Detector to make informed decisions about the need to connect to a cellular network, according to different scenarios. The experimental results show that hybrid vehicular communications meet the requirements of cooperative intelligent transport systems by taking advantage of the benefits of both communication technologies. When evaluated independently, the ITS-G5 technology has obvious advantages in terms of latency over the LTE technology, while the LTE technology performs better than ITS-G5 in terms of throughput and reliability.
    Master's degree in Electronics and Telecommunications Engineering

    Proceedings of the Second NASA Formal Methods Symposium

    This publication contains the proceedings of the Second NASA Formal Methods Symposium, sponsored by the National Aeronautics and Space Administration and held in Washington D.C., April 13-15, 2010. Topics covered include: Decision Engines for Software Analysis using Satisfiability Modulo Theories Solvers; Verification and Validation of Flight-Critical Systems; Formal Methods at Intel -- An Overview; Automatic Review of Abstract State Machines by Meta Property Verification; Hardware-independent Proofs of Numerical Programs; Slice-based Formal Specification Measures -- Mapping Coupling and Cohesion Measures to Formal Z; How Formal Methods Impels Discovery: A Short History of an Air Traffic Management Project; A Machine-Checked Proof of A State-Space Construction Algorithm; Automated Assume-Guarantee Reasoning for Omega-Regular Systems and Specifications; Modeling Regular Replacement for String Constraint Solving; Using Integer Clocks to Verify the Timing-Sync Sensor Network Protocol; Can Regulatory Bodies Expect Efficient Help from Formal Methods?; Synthesis of Greedy Algorithms Using Dominance Relations; A New Method for Incremental Testing of Finite State Machines; Verification of Faulty Message Passing Systems with Continuous State Space in PVS; Phase Two Feasibility Study for Software Safety Requirements Analysis Using Model Checking; A Prototype Embedding of Bluespec System Verilog in the PVS Theorem Prover; SimCheck: An Expressive Type System for Simulink; Coverage Metrics for Requirements-Based Testing: Evaluation of Effectiveness; Software Model Checking of ARINC-653 Flight Code with MCP; Evaluation of a Guideline by Formal Modelling of Cruise Control System in Event-B; Formal Verification of Large Software Systems; Symbolic Computation of Strongly Connected Components Using Saturation; Towards the Formal Verification of a Distributed Real-Time Automotive System; Slicing AADL Specifications for Model Checking; Model Checking with Edge-valued Decision Diagrams; and Data-flow based Model Analysis

    A dynamically reconfigurable hard-real-time communication protocol for embedded systems

    Real-time communication is a basic requirement for many distributed embedded systems. However, for an emerging new class of applications, not only real-time behavior but also flexibility and adaptability will become necessary system attributes. In order to increase the flexibility of real-time communication systems, a new protocol called TrailCable was designed. It takes advantage of the properties of Earliest Deadline First (EDF) scheduling, which include optimal utilization bounds and the ability to cope with heterogeneous task sets. A communication network is built with full-duplex, point-to-point links, and nodes can route packets to allow multi-hop message delivery. This work introduces methods for automatically mapping real-time channels onto a given network directly from communication requirement specifications. The activation of real-time channels in the network is permitted only after a successful schedulability analysis, which can be executed automatically by a tool that checks XML-based network configuration models. At run-time, the characteristics of all incoming packets are checked against their specification by an admission control technique called the bandwidth guardian, which ensures that occasional faults will not impair the timeliness of other real-time channels. Time-critical functions of the communication protocol, such as scheduling, admission control, packet routing, and clock synchronization, are implemented by means of dedicated hardware. A fully operational FPGA-based prototype was built and used in different measurement experiments to validate the real-time behavior of the protocol under real conditions.
    Date of defense: 02.04.2012. Paderborn, Univ., Diss., 201

    Workshop - Systems Design Meets Equation-based Languages


    Performance Analysis of Multiprocessor Real-Time Systems with Shared Resources (Performanzanalyse von Multiprozessor-Echtzeitsystemen mit gemeinsamen Ressourcen)
