The Remote Exploitation of Unaltered Passenger Vehicles Revisited. 20th October 2016, Mark Pitchford, Technical Manager, EMEA

Today's hot topic
A few years ago, Lynx presentations at events such as this centred on why connected car security is important. And then:
http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
https://electrek.co/2016/09/27/tesla-releases-more-details-on-the-chinese-hack-and-the-subsequent-fix/

How was the Jeep hacked?
From Miller & Valasek's paper "Remote Exploitation of an Unaltered Passenger Vehicle":
"Remote Attack Surface: The following table is a list of the potential entry points for an attacker. While many people only think of these items in terms of technology, someone with an attacker's mindset considers every piece of technology that interacts with the outside world a potential entry point."
In order to access the security-critical systems, the hackers needed an entry point, and a vulnerability to get access from that entry point.

How was the Jeep hacked?
From Miller & Valasek's paper "Remote Exploitation of an Unaltered Passenger Vehicle":
"There are no CAN bus architectural restrictions, such as the steering being on a physically separate bus. If we can send messages from the head unit, we should be able to send them to every ECU on the CAN bus."

Why Separation?
Suppose we want a heart pacemaker to be able to report any irregularities back to a medical specialist. The primary aim here is to separate the safe and unsafe sides of the network, and to tightly control communication between them. Separation is key!

Separation through Hardware
Separation of these different domains can be achieved in several different ways. This Tesla example shows how separation is achieved through hardware in the Model S.

So how was the Tesla hacked?
https://electrek.co/2016/09/27/tesla-releases-more-details-on-the-chinese-hack-and-the-subsequent-fix/
This Keen Laboratories hack was the second publicised attack on a Tesla. The infotainment system was accessed via a vulnerability in the WebKit-based browser, and manipulated via a malicious Wi-Fi hotspot. Access to the instrument cluster via vulnerabilities in its Linux OS allowed activation of doors, windows and wipers, but provided no access to the safety-critical braking system. That required them to replace the gateway software with their own, perhaps using a privilege escalation vulnerability highlighted by Rogers and Mahaffey in the earlier attack?
https://iotsecurityfoundation.org/is-the-tesla-model-s-robust-against-hackers/
https://www.wired.com/2015/08/researchers-hacked-model-s-teslas-already/

Separation is no silver bullet!
As the Tesla example illustrates, separation alone is no guarantee of impenetrability. But it is a key component in the defence of Cyber-Physical Vehicle Systems against an ever-increasing number of threat vectors.

Industrial Internet Security Framework
Unlike our simplistic heart pacemaker example, the Industrial Internet Consortium's IISF highlights 15 endpoint vulnerabilities to be protected.
http://www.iiconsortium.org/iisf.htm

SAE J3061
SAE J3061 makes a similar, more industry-specific point.
https://nmi.org.uk/wp-content/uploads/2016/06/4_sae-j3061-and-friends-for-nmi-jun-16.pdf

Cost-effective separation
Hardware separation is an expensive solution. Hypervisors are widely held aloft as the cost-effective alternative, providing separation in software. But hypervisor functionality is not the key factor...

How safe is the separator?
...the separation mechanism is! Because this is a critical component, it is imperative that it be as secure as possible.

Protecting against Remote Exploitation
If a vehicle is to be optimally protected, the attack surface exposed to would-be aggressors needs to be minimised. For example:
Separate high-ASIL systems from those of lower criticality
Separate the TCP/IP stack away from the vulnerability of the gateway's OS
If they are to truly be separated rather than conjoined, we also need to minimise the resources, and hence the attack surface, shared between these entities.
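The architectural restriction the Jeep lacked (slide 4) and the tightly controlled channel between the safe and unsafe sides of the pacemaker network (slide 5) come down to the same thing at the boundary: a static, default-deny flow policy. The C program below is an added example, not code from the original presentation or from Lynx; the domain names, the CAN identifiers and the policy rows are hypothetical, since a real vehicle's CAN matrix is OEM-specific. It models a gateway between the infotainment domain and the chassis domain: only identifiers listed in the policy cross between the two, in the listed direction and at or below the listed payload size; everything else, and every malformed frame, is dropped. A compromised head unit therefore gains no path to steering or braking just by being able to transmit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Security domains separated by the gateway. Hypothetical names. */
typedef enum {
    DOM_INFOTAINMENT = 0,  /* head unit, Wi-Fi, cellular: the exposed side */
    DOM_CHASSIS      = 1,  /* steering, braking: the safety-critical side */
    DOM_COUNT
} domain_t;

/* Classic CAN frame: 11-bit identifier, up to 8 data bytes. */
typedef struct {
    uint32_t id;
    uint8_t  dlc;
    uint8_t  data[8];
} can_frame_t;

/* One row of the static flow policy: which domain may send which
 * identifier to which other domain, and the largest payload allowed. */
typedef struct {
    domain_t src;
    domain_t dst;
    uint32_t id;
    uint8_t  max_dlc;
} flow_rule_t;

/* Hypothetical identifiers; a real CAN matrix is OEM-specific. */
#define ID_VEHICLE_SPEED  0x1A0u  /* chassis -> infotainment, for the display */
#define ID_GEAR_POSITION  0x1B0u  /* chassis -> infotainment */
#define ID_STEERING_CMD   0x2F0u  /* must never enter the chassis domain from outside */
#define ID_DIAG_REQUEST   0x7DFu  /* diagnostic functional request; not allowed across */

/* The policy is a fixed table: nothing at runtime can add to it.
 * There is deliberately no row with src == DOM_INFOTAINMENT. */
static const flow_rule_t POLICY[] = {
    { DOM_CHASSIS, DOM_INFOTAINMENT, ID_VEHICLE_SPEED, 8 },
    { DOM_CHASSIS, DOM_INFOTAINMENT, ID_GEAR_POSITION, 2 },
};

typedef enum {
    GW_FORWARD,          /* matched a rule, pass it on */
    GW_DROP_POLICY,      /* well-formed, but no rule permits this flow */
    GW_DROP_MALFORMED    /* bad domain, bad identifier or bad length */
} gw_verdict_t;

/* Validate the frame first, then look the flow up; the default is deny. */
gw_verdict_t gateway_check(domain_t src, domain_t dst, const can_frame_t *f)
{
    if (f == NULL || src >= DOM_COUNT || dst >= DOM_COUNT || src == dst)
        return GW_DROP_MALFORMED;
    if (f->id > 0x7FFu || f->dlc > 8)
        return GW_DROP_MALFORMED;

    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++) {
        const flow_rule_t *r = &POLICY[i];
        if (r->src == src && r->dst == dst && r->id == f->id)
            return (f->dlc <= r->max_dlc) ? GW_FORWARD : GW_DROP_MALFORMED;
    }
    return GW_DROP_POLICY;
}

/* Convenience wrapper: build a frame with a zeroed payload and check it. */
gw_verdict_t gw_decide(domain_t src, domain_t dst, uint32_t id, uint8_t dlc)
{
    can_frame_t f = { .id = id, .dlc = dlc, .data = {0} };
    return gateway_check(src, dst, &f);
}

/* Replay a few constructed frames through the gateway and return how many
 * were forwarded. The head-unit frames model what a compromised head unit
 * would try; none of them should cross. */
int run_demo(void)
{
    static const struct { domain_t src, dst; uint32_t id; uint8_t dlc; const char *what; } frames[] = {
        { DOM_CHASSIS,      DOM_INFOTAINMENT, ID_VEHICLE_SPEED, 8, "speed for the display" },
        { DOM_CHASSIS,      DOM_INFOTAINMENT, ID_GEAR_POSITION, 2, "gear for the display" },
        { DOM_CHASSIS,      DOM_INFOTAINMENT, ID_GEAR_POSITION, 8, "gear, oversized payload" },
        { DOM_INFOTAINMENT, DOM_CHASSIS,      ID_STEERING_CMD,  8, "head unit tries steering" },
        { DOM_INFOTAINMENT, DOM_CHASSIS,      ID_DIAG_REQUEST,  8, "head unit tries diagnostics" },
        { DOM_INFOTAINMENT, DOM_CHASSIS,      ID_VEHICLE_SPEED, 8, "allowed ID, wrong direction" },
    };
    static const char *names[] = { "FORWARD", "DROP_POLICY", "DROP_MALFORMED" };
    int forwarded = 0;

    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++) {
        gw_verdict_t v = gw_decide(frames[i].src, frames[i].dst, frames[i].id, frames[i].dlc);
        printf("%-28s id=0x%03X dlc=%u -> %s\n", frames[i].what,
               (unsigned)frames[i].id, (unsigned)frames[i].dlc, names[v]);
        if (v == GW_FORWARD)
            forwarded++;
    }
    return forwarded;
}

int main(void)
{
    return run_demo() == 2 ? 0 : 1;
}
```

Two of the six constructed frames are forwarded; the oversized gear frame, the three head-unit frames and the right identifier sent in the wrong direction are all dropped. In the deck's terms this table is the kind of policy a separation kernel enforces between partitions, and slide 12's point applies to it directly: the check is only as good as the component that runs it, so it belongs in the minimal trusted computing base, not in the gateway's general-purpose OS next to the TCP/IP stack.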

Typical Hypervisor Architecture
[Diagram: Apps, Services and Guest OSs run on top of a monolithic kernel that contains the CPU scheduler, API, application access control, VM monitor, virtual I/O, policy, resource management, interrupt handler, I/O stack, exception handler and the device drivers (storage, network, graphics).]
Shared resources = large attack surface. Applying least-privilege principles addresses that.

Separation Kernel Architecture
[Diagram: Guest OSs, Services and Apps, together with the API, application access control, virtual I/O, policy, VM monitor, drivers and I/O stack, sit above the separation kernel, which contains only the CPU scheduler, resource management, exception handler and interrupt handler.]

Trusted Computing Base (TCB)
Still a separation kernel, NOT a cut-down RTOS!

Separation Kernel based Distributed Vehicle Secure Update
[Diagram, components: Secure Update Gateway, V2X Gateway and Entertainment Gateway; Firmware Server VM and App Server VMs; LSA.connect tunneled virtual networks; Network Gateway VM, AUTOSAR VM, LynxOS V2X VM and Linux VM, each with a V-NIC and V-Disk; LSA.store Disk Manager VM with encrypted disk partitions holding the VM images.]

Separation Kernel and Virtualization
Separation is a useful tool in the quest to design secure Cyber-Physical Vehicle Systems.
Separation in software is far more cost-effective than separation in hardware.
For that separation to be optimal, the separation mechanism needs to present a minimal attack surface to the would-be hacker.
The combination of a least-privilege separation kernel hypervisor and a modern multi-core processor represents state-of-the-art separation in software.

Thank You