Biblio

The massive proliferation of state of the art interfaces into the automotive sector has triggered a revolution in terms of the technological ecosystem that is found in today's modern car. Accordingly, on the one hand, we find dozens of Electronic Control Units (ECUs) running several hundred MB of code, and more and more sophisticated dashboards with integrated wireless communications. On the other hand, in the same vehicle we find the underlying communication infrastructure struggling to keep up with the pace of these radical changes. This paper presents MixCAN (MIXed data authentication for Control Area Networks), an approach for mixing different message signatures (i.e., authentication tags) in order to reduce the overhead of Controller Area Network (CAN) communications. MixCAN leverages the attributes of Bloom Filters in order to ensure that an ECU can sign messages with different CAN identifiers (i.e., mix different message signatures), and that other ECUs can verify the signature for a subset of monitored CAN identifiers. Extensive experimental results based on Vectors Informatik's CANoe/CANalyzer simulation environment and the data set provided by Hacking and Countermeasure Research Lab (HCRL) confirm the validity and applicability of the developed approach. Subsequent experiments including a test bed consisting of Raspberry Pi 3 Model B+ systems equipped with CAN communication modules demonstrate the practical integration of MixCAN in real automotive systems.

The continuous progress of electronic equipments has influenced car manufacturers, leading to the integration of the latest infotainment technologies and providing connection to external devices, such as mobile phones. Modern cars work with ECUs (Electronic Control Units) that handle user interactions and sensor data, by also sending information to actuators using simple, reliable and efficient networks with fast protocols, like CAN (Controller Area Network). This is the most used vehicular protocol, which allows interconnecting different ECUs, making them interact in a synergic manner. On the down side, there is a security risk related to the exposition of malicious ECU's frames-possibly generated by compromised devices-which can lead to the possibility to remote control all the car equipments (like brakes and others) by an attacker. We propose a solution to this problem, designing an authentication and encryption system above CAN, called AuthentiCAN. Our proposal is tailored for the evolution of CAN called CAN-FD, and avoids the possibility for an attacker to inject malicious frames that are not discarded by the destination ECUs. Also, we avoid the possibility for an attacker to learn the interactions that occur across ECUs, with the objective of maliciously replaying messages-which would lead the actuator's logic to be no longer compliant with the actual data sources. We also present a simulation study of our solution, where we provide an assessment of its overhead, e.g. in terms of reduction of the throughput of data-unit transfer over CAN-FD, caused by the added security features.

Cyber attacks against automobiles have increased over the last decade due to the expansion in attack surfaces. This is the result of modern automobiles having connections such as Bluetooth, WiFi, and other broadband services. While there has been numerous proposed solutions in the literature, none have been widely adopted as maintaining real-time message deliverability in the Controller Area Networks (CAN) outweighs proposed security solutions. Through iterative research, we have developed a solution which mitigates an attacker's impact on the CAN bus by using CAN's inherent features of arbitration, error detection and signaling, and fault confinement mechanism. The solution relies on an access controller and message priority thresholds added to the CAN data-link layer. The results provide no time delay for non-malicious traffic and mitigates bus impact of a subverted node attempting to fabricate messages at an unauthorized priority level.

MAC using a counter value in message authentication for in-vehicle network prevents replay attack. When synchronization deviation of the counter value occurs between the sender and receiver, a message cannot be authenticated correctly because the generated MACs are different. Thus, a counter synchronization method has been proposed. In addition, injection and replay attack of a synchronization message for the synchronization method have been performed. However, DoS attack on the synchronization method has not been conducted. This study performs DoS attack in order to evaluate security of the synchronization method. Experimental results reveal the vulnerability of the synchronization method against DoS attack.

Controller area networks (CANs) are vulnerable to spoofing attacks such as frame falsifying attacks, as electronic control units (ECUs) send and receive messages without any authentication and encryption. In this paper, we propose a physical authentication scheme that exploits the voltage features of the ECU signals on the CAN bus and applies reinforcement learning to choose the authentication mode such as the protection level and test threshold. This scheme enables a monitor node to optimize the authentication mode via trial-and-error without knowing the CAN bus signal model and spoofing model. Experimental results show that the proposed authentication scheme can significantly improve the authentication accuracy and response compared with a benchmark scheme.

The domain of securing in-vehicle networks has attracted both academic and industrial researchers due to high danger of attacks on drivers and passengers. While securing wired and wireless interfaces is important to defend against these threats, detecting attacks is still the critical phase to construct a robust secure system. There are only a few results on securing communication inside vehicles using anomaly-detection techniques despite their efficiencies in systems that need real-time detection. Therefore, we propose an intrusion detection system (IDS) based on Multi-Layer Perceptron (MLP) neural network for Controller Area Networks (CAN) bus. This IDS divides data according to the ID field of CAN packets using K-means clustering algorithm, then it extracts suitable features and uses them to train and construct the neural network. The proposed IDS works for each ID separately and finally it combines their individual decisions to construct the final score and generates alert in the presence of attack. The strength of our intrusion detection method is that it works simultaneously for two types of attacks which will eliminate the use of several separate IDS and thus reduce the complexity and cost of implementation.

Recent years have seen an increase in the data usage in cars, particularly as they become more autonomous and connected. With the rise in data use have come concerns about automotive cyber-security. An in-vehicle network shown to be particularly vulnerable is the Controller Area Network (CAN), which is the communication bus used by the car's safety critical and performance critical components. Cyber attacks on the CAN have been demonstrated, leading to research to develop attack detection and attack prevention systems. Such research requires representative attack demonstrations and data for testing. Obtaining this data is problematical due to the expense, danger and impracticality of using real cars on roads or tracks for example attacks. Whilst CAN simulators are available, these tend to be configured for testing conformance and functionality, rather than analysing security and cyber vulnerability. We therefore adapt a leading, industry-standard, CAN simulator to incorporate a core set of cyber attacks that are representative of those proposed by other researchers. Our adaptation allows the user to configure the attacks, and can be added easily to the free version of the simulator. Here we describe the simulator and, after reviewing the attacks that have been demonstrated and discussing their commonalities, we outline the attacks that we have incorporated into the simulator.

There is a need for new tools and techniques to aid automotive engineers performing cybersecurity testing on connected car systems. This is in order to support the principle of secure-by-design. Our research has produced a method to construct useful automotive security tooling and tests. It has been used to implement Controller Area Network (CAN) fuzz testing (a dynamic security test) via a prototype CAN fuzzer. The black-box fuzz testing of a laboratory vehicle's display ECU demonstrates the value of a fuzzer in the automotive field, revealing bugs in the ECU software, and weaknesses in the vehicle's systems design.

Nowadays, the growing need to connect modern vehicles through computer networks leads to increased risks of cyberattacks. The internal network, which governs the several electronic components of a vehicle, is becoming increasingly overexposed to external attacks. The Controller Area Network (CAN) protocol, used to interconnect those devices is the key point of the internal network of modern vehicles. Therefore, securing such protocol is crucial to ensure a safe driving experience. However, the CAN is a standard that has undergone little changes since it was introduced in 1983. More precisely, in an attempt to reduce latency, the transfer of information remains unencrypted, which today represents a weak point in the protocol. Hence, the need to protect communications, without introducing low-level alterations, while preserving the performance characteristics of the protocol. In this work, we investigate the possibility of using symmetric encryption algorithms for securing messages exchanged by CAN protocol. In particular, we evaluate the using of lightweight ciphers to secure CAN-level communication. Such ciphers represent a reliable solution on hardware-constrained devices, such as microcontrollers.

The presence of security vulnerabilities in automotive networks has already been shown by various publications in recent years. Due to the specification of the Controller Area Network (CAN) as a broadcast medium without security mechanisms, attackers are able to read transmitted messages without being noticed and to inject malicious messages. In order to detect potential attackers within a network or software system as early as possible, Intrusion Detection Systems (IDSs) are prevalent. Many approaches for vehicles are based on techniques which are able to detect deviations from specified CAN network behaviour regarding protocol or payload properties. However, it is challenging to detect attackers who secretly connect to CAN networks and do not actively participate in bus traffic. In this paper, we present an approach that is capable of successfully detecting unknown CAN devices and determining the distance (cable length) between the attacker device and our sensing unit based on Time Domain Reflectometry (TDR) technique. We evaluated our approach on a real vehicle network.

Controller Area Network is the most widely adopted communication standard in automobiles. The CAN protocol is robust and is designed to minimize overhead. The light-weight nature of this protocol implies that it can't efficiently process secure communication. With the exponential increase in automobile communications, there is an urgent need for efficient and effective security countermeasures. We propose a support vector machine based intrusion detection system that is able to detect anomalous behavior with high accuracy. We outline a process for parameter selection and feature vector selection. We identify strengths and weaknesses of our system and propose to extend our work for time-series based data.

Security is a critical issue for new car generation targeting intelligent transportation systems (ITS), involving autonomous and connected vehicles. In this work we designed a low cost CAN probe and defined analysis tools in order to build attack scenarios. We reuse some threats identified by a previous work. Future researches will address new security protocols.

With emerging smart automotive technologies, vehicle-to-vehicle communications, and software-dominated enhancements for enjoyable driving and advanced driver assistance systems, the complexity of providing guarantees in terms of security, trust, and privacy in a modern cyber-enabled automotive system is significantly elevated. New threat models emerge that require efficient system-level countermeasures. This article introduces synergies between on- and off-chip networking techniques to ensure secure execution environments for electronic control units. The proposed mechanisms consist of hardware firewalling and on-chip network physical isolation, whose mechanisms are combined with system-wide cryptographic techniques in automotive controller area network (CAN)-bus communications to provide authentication and confidentiality.

Fully connected autonomous vehicles are more vulnerable than ever to hacking and data theft. The controller area network (CAN) protocol is used for communication between in-vehicle control networks (IVN). The absence of basic security features of this protocol, like message authentication, makes it quite vulnerable to a wide range of attacks including spoofing attacks. As traditional cybersecurity methods impose limitations in ensuring confidentiality and integrity of transmitted messages via CAN, a new technique has emerged among others to approve its reliability in fully authenticating the CAN messages. At the physical layer of the communication system, the method of fingerprinting the messages is implemented to link the received signal to the transmitting electronic control unit (ECU). This paper introduces a new method to implement the security of modern electric vehicles. The lumped element model is used to characterize the channel-specific step response. ECU and channel imperfections lead to a unique transfer function for each transmitter. Due to the unique transfer function, the step response for each transmitter is unique. In this paper, we use control system parameters as a feature-set, afterward, a neural network is used transmitting node identification for message authentication. A dataset collected from a CAN network with eight-channel lengths and eight ECUs to evaluate the performance of the suggested method. Detection results show that the proposed method achieves an accuracy of 97.4% of transmitter detection.

While vehicle to everything (V2X) communication enables safety-critical automotive control systems to better support various connected services to improve safety and convenience of drivers, they also allow automotive attack surfaces to increase dynamically in modern vehicles. Many researchers as well as hackers have already demonstrated that they can take remote control of the targeted car by exploiting the vulnerabilities of in-vehicle networks such as Controller Area Networks (CANs). For assuring CAN security, we focus on how to authenticate electronic control units (ECUs) in real-time by addressing the security challenges of in-vehicle networks. In this paper, we propose a novel and lightweight authentication protocol with an attack-resilient tree algorithm, which is based on one-way hash chain. The protocol can be easily deployed in CAN by performing a firmware update of ECU. We have shown analytically that the protocol achieves a high level of security. In addition, the performance of the proposed protocol is validated on CANoe simulator for virtual ECUs and Freescale S12XF used in real vehicles. The results show that our protocol is more efficient than other authentication protocol in terms of authentication time, response time, and service delay.

Modern vehicles may contain a considerable number of ECUs (Electronic Control Units) which are connected through various means of communication, with the CAN (Controller Area Network) protocol being the most widely used. However, several vulnerabilities such as the lack of authentication and the lack of data encryption have been pointed out by several authors, which ultimately render vehicles unsafe to their users and surroundings. Moreover, the lack of security in modern automobiles has been studied and analyzed by other researchers as well as several reports about modern car hacking have (already) been published. The contribution of this work aimed to analyze and test the level of security and how resilient is the CAN protocol by taking a BMW E90 (3-series) instrument cluster as a sample for a proof of concept study. This investigation was carried out by building and developing a rogue device using cheap commercially available components while being connected to the same CAN-Bus as a man in the middle device in order to send spoofed messages to the instrument cluster.

The Controller Area Network (CAN) is a broadcast communications network invented by Robert Bosch GmbH in 1986. CAN is the standard communication network found in automobiles, industry equipment, and many space applications. To be used in these environments, CAN is designed for efficiency and reliability, rather than security. This research paper closely examines the security risks within the CAN protocol and proposes a feasible solution. In this research, we investigate the problems with implementing certain security features in the CAN protocol, such as message authentication and protections against replay and denial-of-service (DoS) attacks. We identify the restrictions of the CAN bus, and we demonstrate how our proposed implementation meets these restrictions. Many previously proposed solutions lack security, feasibility, and/or efficiency; however, a solution must not drastically hinder the real-time operation speed of the network. The solution proposed in this research is tested with a simulative CAN environment. This paper proposes an alteration to the standard CAN bus nodes and the CAN protocol to better protect automobiles and other CAN-related systems from attacks.

In IoT environments, the user may have many devices to connect each other and share the data. Also, the device will not have the powerful computation and storage ability. Many studies have focused on the lightweight authentication between the cloud server and the client in this environment. They can use the cloud server to help sensors or proxies to finish the authentication. But in the client side, how to create the group session key without the cloud capability is the most important issue in IoT environments. The most popular application network of IoT environments is the wireless body area network (WBAN). In WBAN, the proxy usually needs to control and monitor user's health data transmitted from the sensors. In this situation, the group authentication and group session key generation is needed. In this paper, in order to provide an efficient and robust group authentication and group session key generation in the client side of IoT environments, we propose a lightweight authentication scheme with dynamic group members in IoT environments. Our proposed scheme can satisfy the properties including the flexible generation of shared group keys, the dynamic participation, the active revocation, the low communication and computation cost, and no time synchronization problem. Also our scheme can achieve the security requirements including the mutual authentication, the group session key agreement, and prevent all various well-known attacks.

This study stems from the premise that we need to break away from the "reactive" cycle of developing defenses against new DDoS attacks (e.g., amplification) by proactively investigating the potential for new types of DDoS attacks. Our specific focus is on pulsating attacks, a particularly debilitating type that has been hypothesized in the literature. In a pulsating attack, bots coordinate to generate intermittent pulses at target links to significantly reduce the throughput of TCP connections traversing the target. With pulsating attacks, attackers can cause significantly greater damage to legitimate users than traditional link flooding attacks. To date, however, pulsating attacks have been either deemed ineffective or easily defendable for two reasons: (1) they require a central coordinator and can thus be tracked; and (2) they require tight synchronization of pulses, which is difficult even in normal non-congestion scenarios. This paper argues that, in fact, the perceived drawbacks of pulsating attacks are in fact not fundamental. We develop a practical pulsating attack called CICADAS using two key ideas: using both (1) congestion as an implicit signal for decentralized implementation, and (2) a Kalman-filter-based approach to achieve tight synchronization. We validate CICADAS using simulations and wide-area experiments. We also discuss possible countermeasures against this attack.

New viewpoints of covert channels are presented in this work. First, the origin of covert channels is traced back to acc ess control and a new class of covert channel, air-gap covert channels, is presented. Second, we study the design of covert channels and provide novel insights that differentiate the research area of undetectable communication from that of covert channels. Third, we argue that secure systems can be characterized as fixed-source systems or continuous-source systems, i.e., systems whose security is compromised if their design allows a covert channel to communicate a small, fixed amount of information or communicate information at a sufficiently high, continuous rate, respectively. Consequently, we challenge the traditional method for measuring covert channels, which is based on Shannon capacity, and propose that a new measure, steganographic capacity, be used to accurately assess the risk posed by covert channels, particularly those affecting fixed-source systems. Additionally, our comprehensive review of covert channels has led us to the conclusion that important properties of covert channels have not been captured in previous taxonomies. We, therefore, present novel extensions to existing taxonomies to more accurately characterize covert channels.

The National Science Foundation has made investments in Software Defined Networking (SDN) and Network Function Virtualization (NFV) for many years, in both the research and infrastructure areas. SDN and NFV enable systems to become more open to transformative research, with implications for revolutionary new applications and services. Additionally, the emerging concept of Software-Defined Exchanges will enable large-scale interconnection of Software Defined infrastructures, owned and operated by many different organizations, to provide logically isolated 'on demand' global scale infrastructure on an end-to-end basis, with enhanced flexibility and security for new applications. This talk will examine past NSF investments and successes in SDN/NFV, identify new research opportunities available to the community and present challenges that need to be overcome to make SDN/NFV a reality in operational cyberinfrastructure.

SDN has become the wide area network technology, which the academic and industry most concerned about.The limited table sizes of today’s SDN switches has turned to the most prominent short planks in the network design implementation. TCAM based flow table can provide an excellent matching performance while it really costs much. Even the flow table overflow cannot be prevented by a fixed-capacity flow table. In this paper, we design FTS(Flow Table Sharing) mechanism that can improve the performance disaster caused by overflow. We demonstrate that FTS reduces both control messages quantity and RTT time by two orders of magnitude compared to current state-of-the-art OpenFlow table-miss handler.

The surprising success of cryptocurrencies has led to a surge of interest in deploying large scale, highly robust, Byzantine fault tolerant (BFT) protocols for mission-critical applications, such as financial transactions. Although the conventional wisdom is to build atop a (weakly) synchronous protocol such as PBFT (or a variation thereof), such protocols rely critically on network timing assumptions, and only guarantee liveness when the network behaves as expected. We argue these protocols are ill-suited for this deployment scenario. We present an alternative, HoneyBadgerBFT, the first practical asynchronous BFT protocol, which guarantees liveness without making any timing assumptions. We base our solution on a novel atomic broadcast protocol that achieves optimal asymptotic efficiency. We present an implementation and experimental results to show our system can achieve throughput of tens of thousands of transactions per second, and scales to over a hundred nodes on a wide area network. We even conduct BFT experiments over Tor, without needing to tune any parameters. Unlike the alternatives, HoneyBadgerBFT simply does not care about the underlying network.

Defense-in-depth is an important security architecture principle that has significant application to industrial control systems (ICS), cloud services, storehouses of sensitive data, and many other areas. We claim that an ideal defense-in-depth posture is 'deep', containing many layers of security, and 'narrow', the number of node independent attack paths is minimized. Unfortunately, accurately calculating both depth and width is difficult using standard graph algorithms because of a lack of independence between multiple vulnerability instances (i.e., if an attacker can penetrate a particular vulnerability on one host then they can likely penetrate the same vulnerability on another host). To address this, we represent known weaknesses and vulnerabilities as a type of colored attack graph. We measure depth and width through solving the shortest color path and minimum color cut problems. We prove both of these to be NP-Hard and thus for our solution we provide a suite of greedy heuristics. We then empirically apply our approach to large randomly generated networks as well as to ICS networks generated from a published ICS attack template. Lastly, we discuss how to use these results to help guide improvements to defense-in-depth postures.

Contemporary vehicles are getting equipped with an increasing number of Electronic Control Units (ECUs) and wireless connectivities. Although these have enhanced vehicle safety and efficiency, they are accompanied with new vulnerabilities. In this paper, we unveil a new important vulnerability applicable to several in-vehicle networks including Control Area Network (CAN), the de facto standard in-vehicle network protocol. Specifically, we propose a new type of Denial-of-Service (DoS), called the bus-off attack, which exploits the error-handling scheme of in-vehicle networks to disconnect or shut down good/uncompromised ECUs. This is an important attack that must be thwarted, since the attack, once an ECU is compromised, is easy to be mounted on safety-critical ECUs while its prevention is very difficult. In addition to the discovery of this new vulnerability, we analyze its feasibility using actual in-vehicle network traffic, and demonstrate the attack on a CAN bus prototype as well as on two real vehicles. Based on our analysis and experimental results, we also propose and evaluate a mechanism to detect and prevent the bus-off attack.