10 research outputs found
Using A One-Class Compound Classifier To Detect In-Vehicle Network Attacks
The Controller Area Network (CAN) in vehicles provides serial communication between electronic control units that manage engine, transmission, steering and braking. Researchers have recently demonstrated the vulnerability of the network to cyber-attacks which can manipulate the operation of the vehicle and compromise its safety. Some proposals for CAN intrusion detection systems, that identify attacks by detecting packet anomalies, have drawn on one-class classification, whereby the system builds a decision surface based on a large number of normal instances. The one-class approach is discussed in this paper, together with initial results and observations from implementing a classifier new to this field. The Compound Classifier has been used in image processing and medical analysis, and holds advantages that could be relevant to CAN intrusion detection.
Security Evaluation of a Dedicated Short Range Communications (DSRC) Application
Applications using dedicated short-range communication (DSRC) are being developed to prevent automobile accidents. Many DSRC implementations, applications and network stacks are not mature. They have not been adequately tested and verified. This study illustrates security evaluation of a DSRC wireless application in vehicular environments (DSRC/WAVE) protocol implementation. We set up a simulation of a working road safety unit (RSU) on real DSRC devices. Our experiments work on the Cohda testbed with DSRC application wsm-channel. We extended the functionality of wsm-channel, an implementation of WAVE short message protocol (WSMP) for broadcasting GPS data in vehicular communications, to broadcast car information and RSU instructions. Next we performed Denial of Service attacks to determine how few packets need to be dropped to cause automobile crashes. Hidden Markov Models (HMM) are constructed using sniffed side channel information, since operational packets would be encrypted. The inferred HMM tracks the protocol status over time. Simulation experiments test the HMM predictions showing that we were able to drop necessary packets using side channels. The attack simulation following the timing side-channel worked best to drop necessary packets with a 2.5% false positive rate (FPR), while the attack following size worked with a 9.5% FPR.
JustSTART: How to Find an RSA Authentication Bypass on Xilinx UltraScale(+) with Fuzzing
Fuzzing is a well-established technique in the software domain to uncover bugs and vulnerabilities. Yet, applications of fuzzing for security vulnerabilities in hardware systems are scarce, as principal reasons are requirements for design information access (HDL source code). Moreover, observation of internal hardware state during runtime is typically an ineffective information source, as its documentation is often not publicly available. In addition, such observation during runtime is also inefficient due to bandwidth-limited analysis interfaces (JTAG, and minimal introspection of internal modules). In this work, we investigate fuzzing for 7-Series and UltraScale(+) FPGA configuration engines, the control plane governing the (secure) bitstream configuration within the FPGA. Our goal is to examine the effectiveness of fuzzing to analyze and document the opaque inner workings of FPGA configuration engines, with a primary emphasis on identifying security vulnerabilities. Using only the publicly available chip and dispersed documentation, we first design and implement ConFuzz, an advanced FPGA configuration engine fuzzing and rapid prototyping framework. Based on our detailed understanding of the bitstream file format, we then systematically define 3 novel key fuzzing strategies for Xilinx configuration engines. Moreover, our strategies are executed through mutational structure-aware fuzzers and incorporate various novel custom-tailored, FPGA-specific optimizations. Our evaluation reveals previously undocumented behavior within the configuration engine, including critical findings such as system crashes leading to unresponsive states of the FPGA. In addition, our investigations not only lead to the rediscovery of the starbleed attack but also uncover JustSTART (CVE-2023-20570), capable of circumventing RSA authentication for Xilinx UltraScale(+). Note that we also discuss countermeasures.
In-Vehicle Data Communication with CAN & Security Monitoring: A Review
Automobiles are now being created with more electronic components for efficient functioning, such as the Anti-lock Braking System, Adaptive Cruise Control, Traction Control System, airbags and power steering, managed by networked controllers that include hundreds of ECUs (electronic control units) that coordinate, control and monitor a large number of internal vehicle components. Each component, such as ABS, TCS (Traction Control System), the tire pressure monitoring system and the telematics system, may communicate with nearby components over the CAN (Controller Area Network) bus, establishing an in-vehicle communication network. These modern automobile networks, designed for safety with minimal consideration for security, have drawn the attention of researchers working on providing security for CAN. The paper reviews the behavior and vulnerabilities of CAN within an in-vehicle network, including the various attacks possible on CAN, along with the solutions proposed in the literature, with an extensive survey of a promising security approach known as IDS (Intrusion Detection System).
JustSTART: How to Find an RSA Authentication Bypass on Xilinx UltraScale(+) with Fuzzing
Fuzzing is a well-established technique in the software domain to uncover bugs and vulnerabilities. Yet, applications of fuzzing for security vulnerabilities in hardware systems are scarce, as principal reasons are requirements for design information access, i.e., HDL source code. Moreover, observation of internal hardware state during runtime is typically an ineffective information source, as its documentation is often not publicly available. In addition, such observation during runtime is also inefficient due to bandwidth-limited analysis interfaces, i.e., JTAG, and minimal introspection of hardware-internal modules.
In this work, we investigate fuzzing for Xilinx 7-Series and UltraScale(+) FPGA configuration engines, the control plane governing the (secure) bitstream configuration within the FPGA. Our goal is to examine the effectiveness of fuzzing to analyze and document the opaque inner workings of FPGA configuration engines, with a primary emphasis on identifying security vulnerabilities. Using only the publicly available hardware chip and dispersed documentation, we first design and implement ConFuzz, an advanced FPGA configuration engine fuzzing and rapid prototyping framework. Based on our detailed understanding of the bitstream file format, we then systematically define 3 novel key fuzzing strategies for Xilinx FPGA configuration engines. Moreover, our strategies are executed through mutational structure-aware fuzzers and incorporate various novel custom-tailored, FPGA-specific optimizations to reduce search space. Our evaluation reveals previously undocumented behavior within the configuration engine, including critical findings such as system crashes leading to unresponsive states of the whole FPGA. In addition, our investigations not only lead to the rediscovery of the recent starbleed attack but also uncover a novel unpatchable vulnerability, denoted as JustSTART (CVE-2023-20570), capable of circumventing RSA authentication for Xilinx UltraScale(+). Note that we also discuss effective countermeasures by secure FPGA settings to prevent the aforementioned attacks.
Application-Layer Anomaly Detection Leveraging Time-Series Physical Semantics in CAN-FD Vehicle Networks
Data Availability Statement: The data presented in this study are available on request from the corresponding author. The data are not publicly available due to the need for confidentiality of application layer protocols for car companies.
The Controller Area Network with Flexible Data-Rate (CAN-FD) bus is the predominant in-vehicle network protocol, responsible for transmitting crucial application semantic signals. Due to the absence of security measures, CAN-FD is vulnerable to numerous cyber threats, particularly those altering its authentic physical values. This paper introduces Physical Semantics-Enhanced Anomaly Detection (PSEAD) for CAN-FD networks. Our framework effectively extracts and standardizes the genuine physical meaning features present in the message data fields. The implementation involves a Long Short-Term Memory (LSTM) network augmented with a self-attention mechanism, thereby enabling the unsupervised capture of temporal information within high-dimensional data. Consequently, this approach fully exploits contextual information within the physical meaning features. In contrast to the non-physical semantics-aware whole frame combination detection method, our approach is more adept at harnessing the physical significance inherent in each segment of the message. This enhancement results in improved accuracy and interpretability of anomaly detection. Experimental results demonstrate that our method achieves a mere 0.64% misclassification rate for challenging-to-detect replay attacks and zero misclassifications for DoS, fuzzing, and spoofing attacks. The accuracy has been enhanced by over 4% in comparison to existing methods that rely on byte-level data field characterization at the data link layer.
Funding: National Natural Science Foundation of China under Grants 52202494 and 52202495
A Wavelet-Based Intrusion Detection System for Controller Area Network (CAN)
Samie, Mohammad - Associate Supervisor
Controller Area Network (CAN), designed in the early 1980s, is the most widely used in-vehicle communication protocol. The CAN protocol has various features to provide highly reliable communication between the nodes. Some of these features are the arbitration process to provide fixed priority scheduling, an error confinement mechanism to eliminate faulty nodes, and a message form check along with a cyclic redundancy checksum to identify transmission faults. It also has a differential voltage architecture on a twisted two-wire pair, eliminating electrical and magnetic noise. Although these features make CAN a perfect solution for the real-time cyber-physical structure of vehicles, the protocol lacks basic security measures like encryption and authentication; therefore, vehicles are vulnerable to cyber-attacks. Due to increased automation and connectivity, the attack surface grows over time. This research aims to detect CAN bus attacks by proposing WINDS, a wavelet-based intrusion detection system. WINDS analyses the network traffic behaviour by binary classification in the time-scale domain to identify anomalies that indicate potential attack instances. As there is no standard testing methodology, a part of this research constitutes a comprehensive testing framework and the generation of a benchmarking dataset. Finally, WINDS is tested according to the framework and its competitiveness with state-of-the-art solutions is presented.
PhD in Transport System
Cyber Security and Critical Infrastructures
This book contains the manuscripts that were accepted for publication in the MDPI Special Topic "Cyber Security and Critical Infrastructure" after a rigorous peer-review process. Authors from academia, government and industry contributed their innovative solutions, consistent with the interdisciplinary nature of cybersecurity. The book contains 16 articles: an editorial explaining current challenges, innovative solutions and real-world experiences including critical infrastructure; 15 original papers that present state-of-the-art innovative solutions to attacks on critical systems; and a review of the security and privacy issues of cloud, edge and fog computing.