Embedded Automotive Systems Security:

Similar documents
CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION. Görkem Batmaz, Systems Engineer Ildikó Pete, Systems Engineer 28 th March, 2018

Security Analysis of modern Automobile

Adversary Models. CPEN 442 Introduction to Computer Security. Konstantin Beznosov

Experimental Security Analysis of a Modern Automobile

Secure automotive on-board networks

Automotive Anomaly Monitors and Threat Analysis in the Cloud

PENETRATION TESTING OF AUTOMOTIVE DEVICES. Dr. Ákos Csilling Robert Bosch Kft., Budapest HUSTEF 15/11/2017

A Survey of Security Threats and Protection Mechanisms in Embedded Automotive Networks

Securing the future of mobility

Modern Automotive Vulnerabilities: Causes, Disclosure & Outcomes Stefan Savage UC San Diego

Computer Security and the Internet of Things

Adversary Models. EECE 571B Computer Security. Konstantin Beznosov

Automotive Cyber Security

Secure Ethernet Communication for Autonomous Driving. Jared Combs June 2016

Market Trends and Challenges in Vehicle Security

Cybersecurity Challenges for Connected and Automated Vehicles. Robert W. Heller, Ph.D. Program Director R&D, Southwest Research Institute

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Riccardo Mariani, Intel Fellow, IOTG SEG, Chief Functional Safety Technologist

MASP Chapter on Safety and Security

Some example UW security lab projects, related to emerging technologies. Tadayoshi Kohno CSE 484, University of Washington

Securing the Autonomous Automobile

CAN Bus Risk Analysis Revisit

Cyber security mechanisms for connected vehicles

Development of Intrusion Detection System for vehicle CAN bus cyber security

Automotive Intrusion Detection Based on Constant CAN Message Frequencies Across Vehicle Driving Modes

Cross-Domain Security Issues for Connected Autonomous Vehicles

Resilient Smart Grids

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update)

Internet of Things Toolkit for Small and Medium Businesses

Security Concerns in Automotive Systems. James Martin

How Security Mechanisms Can Protect Cars Against Hackers. Christoph Dietachmayr, CIS Solution Manager EB USA Techday, Dec.

Risk-based design for automotive networks. Eric Evenchik, Linklayer labs & Motivum.io Stefano Zanero, Politecnico di Milano & Motivum.

Security and Privacy in Car2Car Adhoc Networks

Context-aware Automotive Intrusion Detection

Security Challenges with ITS : A law enforcement view

ARM processors driving automotive innovation

IOT FLAGSHIP PROJECT. Dr. Mario Drobics, AIT

Automotive Cybersecurity: A steep learning curve

Security and Privacy challenges in Automobile Systems

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

Securing IoT devices with STM32 & STSAFE Products family. Fabrice Gendreau Secure MCUs Marketing & Application Managers EMEA Region

Field Classification, Modeling and Anomaly Detection in Unknown CAN Bus Networks

Automotive Cybersecurity: Why is it so Difficult? Steven W. Dellenback, Ph.D. Vice President R&D Intelligent Systems Division

Automotive Security: Challenges, Standards and Solutions. Alexander Much 12 October 2017

Secure Product Design Lifecycle for Connected Vehicles

Industry 4.0 & Transport for Digital Infrastructure

Internet of Things: Driving the Transformation

Security of Safety-Critical Devices

align security instill confidence

Cyber Security and Vehicle Diagnostics. Mark Zachos DG Technologies

Innovation policy for Industry 4.0

COOPERATIVE ITS SECURITY STANDARDIZATION AND ACTIVITIES ON EUROPEAN C ITS TRUST MODEL AND POLICY

Introduction to VANET

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Experimental Security Analysis of a Modern Automobile

The Car as an Internet-Enabled Device, or how to make Trusted Networked Cars

Vehicle Connectivity in Intelligent Transport Systems: Today and Future Prof. Dr. Ece Güran Schmidt - Middle East Technical University

Trusted Platform Modules Automotive applications and differentiation from HSM

Overview of Challenges in VANET

AUTOMATED SECURITY ASSESSMENT AND MANAGEMENT OF THE ELECTRIC POWER GRID

Automotive Gateway: A Key Component to Securing the Connected Car

DEx. Other initiatives, ongoing projects and applications within the strategic program Automotive Security and Privacy.

Information Security Controls Policy

Monitoring and Managing IIoT Security

Chalmers Publication Library

Prevention of Information Mis-translation by a Malicious Gateway in Connected Vehicles

CYBERSECURITY IN THE INDUSTRIAL INTERNET OF THINGS

Security Aspects of Trust Services Providers

It is advisable to refer to the publisher s version if you intend to cite from the work.

Autonomous Driving From Fail-Safe to Fail-Operational Systems

IC32E - Pre-Instructional Survey

13W-AutoSPIN Automotive Cybersecurity

SIMPLIFYING THE CAR. Helix chassis. Helix chassis. Helix chassis WIND RIVER HELIX CHASSIS WIND RIVER HELIX DRIVE WIND RIVER HELIX CARSYNC

QUARTERLY PROGRESS REPORT

Scalable and Flexible Software Platforms for High-Performance ECUs. Christoph Dietachmayr Sr. Engineering Manager, Elektrobit November 8, 2018

Uptane: Securely Updating Automobiles. Sam Weber NYU 14 June 2017

Software Architecture for Secure ECUs. Rudolf Grave EB TechDay-June 2015

Failure Diagnosis and Prognosis for Automotive Systems. Tom Fuhrman General Motors R&D IFIP Workshop June 25-27, 2010

University of Tartu. Research Seminar in Cryptography. Car Security. Supervisor: Dominique Unruh. Author: Tiina Turban

External Supplier Control Obligations. Cyber Security

Green Lights Forever: Analyzing the Security of Traffic Infrastructure

Vehicle Trust Management for Connected Vehicles

Security and Privacy Issues In Smart Grid

Countermeasures against Cyber-attacks

Conquering Complexity: Addressing Security Challenges of the Connected Vehicle

M2MD Communications Gateway: fast, secure, efficient

Cyber security of automated vehicles

Short-term Linkable Group Signatures with Categorized Batch Verification

Internet of Things Security standards

Internet of Things real life cases Alex Ahlberg

Delivering High-mix, High-volume Secure Manufacturing in the Distribution Channel

Vehicle Safe-Mode Limp-Mode in the Service of Cyber Security

Cyber Security Technologies

Security Issues in Controller Area Networks in Automobiles

SCALABLE VEHICULAR AD-HOC NETWORKS DISTRIBUTED SOFTWARE-DEFINED NETWORKING

CIS Controls Measures and Metrics for Version 7

Cooperative ITS Corridor Joint Deployment

Introduction and Statement of the Problem

Complying with RBI Guidelines for Wi-Fi Vulnerabilities

Transcription:

The 3 rd International Workshop on Safety and Security of Intelligent Vehicles (SSIV) June 26, 2017 Embedded Automotive Systems Security: A language-based Intrusion Detection Approach Mohamed Kaâniche Ivan Studnia, Éric Alata, Youssef Laarouchi, Vincent Nicomette Ivan Studnia, Intrusion Detection for Embedded Automotive Networks - A language-based Approach, Phd, Université de Toulouse, France, 2015 (in French) - https://tel.archives-ouvertes.fr/tel-01261568

Evolution toward more intelligent vehicles Limited electronics No automation Partial electronic control More complex functionalities Driver Assistance Systems X-by-wire architectures Increasing number of sensors Higher connectivity Increasing levels of automation 2

Connected vehicles? 3

Outline Review of security threats and some existing protection mechanisms Design of an intrusion detection system for automotive embedded networks 4

An embedded automotive network Gateway ECU Electronic Control Unit (ECU) inter-ecu Communications CAN: Controller Area Network de facto standard Various network architectures 5

CAN & Security Security Properties Integrity? Confidentiality? Availability? Authenticity/Non repudiation? CRC insuffisant for security Broadcast only Easy Denial of service No authentification/logging 6

Attack goals Attack Malicious action aimed at violating one or some security properties Challenge E-tuning Theft Sabotage Privacy breach Source: [Koscher et al., 2010] 7

Attack consequences Impacts on the Driver Safety Loss of the vehicle Theft of personal data Impacts on the Manufacturer Economic impact costly maintenance recalls damage to campany reputation IP theft 8

Local attacks Attacker has direct access to the bus: Through the OBD port, Possible Actions Read data Send crafted frames Interrupt traffic Impact Knowledge Acquisition Temporary Control Permanent Control 9

Remote attacks Indirect physical access multimedia player via usb, compromized diagnostic tools Short range wireless access a few meters: Bluetooth, remote keyless entry, RFID car keys, Long range wireless access mobile communication networks: GSM/3G, web, 10

Classification of attacks Hardware Interaction Software Network Physical Attacks Range Access Impact Short Long Direct Indirect Passive Short term control Long term control 11

Classification of attacks Adaptation of CERT taxonomy to Automotive environment [Hoppe & Dittman 07] 12

Classification of Attacks Vector Description Agents #1 Attacks on global V2I/I2I communication infrastructure X, L, E #2 Attacks on local V2V communication infrastructure X, L, E #3 Attacks on in-vehicle communication infrastructure L, P #4 Attacks on vehicle computing nodes software L,P #5 Attacks on road-side units software X, P, E #6 Attacks on sensors and control-sensitive data X, L, P, E #7 Attacks on authentication mechanisms X, L, P #8 Physical-level attacks P X: External (computers on the Internet, compromised RSU) L: Local (compromised computers inside car, connected media P: Physical (compromised computers on maintenance sockets, ) E: Environment (devices interfering with physical env. properties (jammers, fake RSU Toward Safe and Autonomous Cooperative Vehicle Ecosystems [Lima et al. 2016] 13

Protection: a major concern Defence in depth prevention, detection, containment Various techniques Trust management and access control In-car and car2x secure communications cryptographic protocols, Trusted hardware modules deployed in ECUs Key management Secure boot Embedded software protection Code signing Virtualisation and sandboxing Hardened execution platforms 14

Hardware Security Modules: EVITA Project https://www.evita-project.org Three classes of HSM, different costs, different security protection Full: high performance asymmetric/symmetric crypto, powerful internal processor & memory : for V2X communication unit, central gateway Medium: fast symmetric crypto HW, firmware asymmetric crypto: for in-vehicle security modules with strong cost & security requirements (engine control, front/rear module, ) Light: cost optimzed symmetric crypto HW with small internal memory: for less, but critical security-critical ECUs that provide/process security critical information (critical sensors/ actuators, 15

Oversee: Open Vehicular Secure Platform https://www.oversee-project.com 16

A major concern Preventive Solutions What happens if an intrusion is successful? 17

Outline Review of security threats and some existing protection mechanisms Design of an intrusion detection system for automotive embedded networks 18

Intrusion detection Signature-based Known attacks Need regular updates Anomaly/behavioural based Detects unknown attacks Requires a model of normal behaviour Specification-based/machine learning 19

Attack scenario Controls a node Knows the system Emits frames onto the network 20

Constraints Cost Carry over/cots Limited resources Network-based monitoring No alteration of the ECUs No change in the network architecture Diversity Many architectures Model specific attack scenarios Behaviour-based approach System modeling Anomaly detection Requires few or no updates Lifecycle 20 years Reactivity Fast detection required Passive system Detection only Open to evolutions Optimisation Master complexity 21

Location IDS IDS IDS IDS IDS 22

One source of data: the network Network traffic monitoring Goal : Check the consistency of a message with the previously observed behaviour ECU 1 Bus ECU2 23

Attack symptoms Frames that do not conform to the protocol specifications Set of formal checks Periodic, forged frames added into the traffic Monitoring of the frames frequency Periodic, forged frames replacing the legitimate traffic Event-related forged frames Correlation of contextual information 24

Context-sensitive anomaly detection approach ECUs network behavior modeling with Finite State Automata (FSA) Based on specifications or on network traffic monitoring Generate System Automaton from composition of ECUs FSA Represented by a langage L SYS Generate a langage of observable attack sequences L SYS = complement of L SYS Specs Specs ECU Specs specs Automate Automate Automate ECU ECU ECU ECU automata System automaton Attack sequences 25

Context-sensitive anomaly detection Specs Specs ECU Specs specs Automate Automate Automate ECU ECU ECU ECU automata System automaton Command Sensor Lights 26

Context-sensitive anomaly detection Specs Specs ECU Specs specs Automate Automate Automate ECU ECU ECU ECU automata System automaton Attack sequences L attacks = Suf ( Lsys. Σsys L sys sys ) Suf(L sys ) "The sequence ends with a forbidden transition AND is not a part of any legitimate sequence" 27

Complexity 1 automaton A attacks accepting L attacks = Suf ( L sys ). Σsys Lsys ) Suf(L sys L left L right ) Time complexity State complexity (worst case) O(1) O( 2 n ) sys. Σsys Lsys sys 2 automata A left and A right accepting resp. AND L Handling the suffixes 2 sets S left and S right containing the possible states of A left and A right at a given time Time complexity (worst case) 2 n + 1 State complexity L ( 1+ Σ )(2n + 1) sys 1 automaton A right and 1 set S right Time. complexity (worst case) State complexity n n( 1+ Σsys ) 28

Complexity (2) 29

Overview No No Yes Yes Yes 30

Experimental Protocol Design Architecture System implementation Logs Attack Logs Implemented in analyzed by Evaluation 31

Experimental Protocol Data Set 102 log files / 49 min total 3000 400 000 frames per file / 2s 3min Studied Systems Light control subsystem (LCS) Speed control subsystem (SCS) Composed system (LCS + SCS) Objectives Detection coverage Detection time 32

Experimental results Parameters 1 core 1,2GHz 310 440 frames 205 seconds 1514 frames/s 660µs/frame Durations measured over 100 runs Successful detection of all simulated attacks Frame checks Step Average Min Max Interpretation 32µs 8µs 517µs Control rules 33µs 5µs 110µs Large variation of the number of signals per frame ( 1 30 ) 33

Experimental results «Worst» case : composed system 108 states State Complexity A attacks A right states 366 108 Time Complexity A attacks Constant analysis time 12 µs A right Avg. auto Min auto Max auto 49µs 20µs 779µs Avg. frame Min frame Max frame 153µs 34µs 903µs 34

Conclusion Automotive systems security: a major challenge Increasing complexity many potential vulnerabilities Connectivity wider attack surface Documented attack examples Design of a context-sensitive automotive IDS Language theory to characterize attacks Compatibility with existing architectures First implementation for CAN networks Can be adapted to other protocols and contexts Extensions Full scale evaluation Distributed IDS 35

Other challenges From detection to reaction Alert the driver Trigger automatic recovery actions, consistent with safety rules Safety Security interactions Extensions to compensate possible imperfect coverage of existing safety mechanisms Intrusion tolerance Protection against low level attacks Leverage advances from hardware architecture technologies Privacy Holistic engineering approach to address inter-related safetysecurity-privacy requirements Standardisation : Extension of AUTOSAR ISO 26262 Legal issues 36

For further details Ivan Studnia, Intrusion Detection for Embedded Automotive Networks: A language-based Approach, Phd, Université de Toulouse, France, 2015 (in French) https://tel.archives-ouvertes.fr/tel-01261568 I. Studnia, E. Alata, V. Nicomette, M. Kaâniche, Y. Laarouchi, A language-based intrusion detection approach for automotive embedded networks, International Journal on Embedded Systems, Special Issue PRDC-2015, http://www.inderscience.com/info/ingeneral/forthcoming.php?jcode=ijes https://hal.archives-ouvertes.fr/hal-01419020/ Ivan Studnia, Vincent Nicomette, Eric Alata, Yves Deswarte, Mohamed Kaâniche, Youssef Laarouchi, Survey on security threats and protection mechanisms in embedded automotive networks. 2nd Workshop on Open Resilient human-aware Cyber-physical Systems (WORCS-2013), DSN-21013 Workshops, Budapest (Hungary), june 2013. Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H., Savage, S., Koscher, K., Czeskis, A., Roesner, F., Kohno, T., et al.: Comprehensive experimental analyses of automotive attack surfaces. 20th USENIX Security. San Francisco, CA (2011) Koscher, K., Czeskis, A., Roesner, F., Patel, S., Kohno, T., Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H.: Experimental security analysis of a modern automobile. IEEE Symp. Security and Privacy. pp. 447 462. Oakland, CA (2010). H. Schweppe, Security and Privacy in Automotive On-Board Networks, Phd Telecom ParisTech, 2012 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback