Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS 795 Cyber-Physical Systems April 15, 2013

Published byAlijah Folsom Modified over 9 years ago

Similar presentations

Presentation on theme: "CS 795 Cyber-Physical Systems April 15, 2013"— Presentation transcript:

1 CS 795 Cyber-Physical Systems April 15, 2013
Security Threats to Automotive CAN Networks - Practical Examples and Selected Short-Term Countermeasures (safecomp 2008) Harshith Reddy Bandi CS 795 Cyber-Physical Systems April 15, 2013

2 Vocabulary Electronic Control Unit (ECU) is a generic term for any embedded system that controls one or more of the electrical systems or subsystems in a motor vehicle. Actuator is a mechanical device for moving or controlling a mechanism or system. It takes energy, usually transported by air, electric current, or liquid, and converts that into some kind of motion. Sensor is a device that measures a physical quantity and converts it into a signal which can be read by an observer or by an instrument . CAN bus (for controller area network) is a vehicle bus standard designed to allow microcontrollers and devices to communicate with each other within a vehicle without a host computer. Unfortunately, testing new components in a complex mobile cyber-physical system is excessively dif- cult due to the unpredictable and uncontrollable external factors. This paper lays the foundation for Pharos, intended to serve ultimately as a benchmark for the design and analysis of mobile cyber-physical systems.

3 Why security is needed? Amount of ECUs or controllers in cars and other vehicles is increasing. Communication from vehicles to other systems are increasing. Wireless access to cars is very probable in the future. More intelligent systems attract attackers more. Security violation results in dangerous situations and compromises the safety of humans and environment Even more important than in typical home PC. Increasing number of communication channels introduce new ways to break in to the system.

4 Security in cars today Encryption & digital signatures used, but not broadly. Keyless entry potential attack target. Memory chips also potential attack target. A reserved portion of memory contained in modern ECUs is reserved to store diagnostic trouble codes (DTC). Reactive Measures like Intrusion Detection Systems(IDS) or IT-forensic investigations are not fairly established. This paper presents three contributions related to Pharos: i) we introduce the Pharos testbed as a comprehensive mobile cyber-physical system testbed (Section 3); ii) we characterize the repeatability of Pharos experiments (Section 4); and iii) we quantify the divergence of Pharos experiments from simulations (Section 5). Using the Pharos testbed, we pinpoint cyber and physical variations across runs, empirically establishing relationships between physical properties and cyber properties. Finally, we correlate Pharos experiments with simulations, demonstrating that existing simulators fail to completely capture the complexity of even small-scale mobile cyber-physical system deployments.

5 Four exemplary automotive IT security threats
Four significant test setups (denoted as attack scenarios S1–S4) have been selected to perform a broader analysis of potential safety implications and to define and evaluate first countermeasures. A potential security incident that could have employed the described attacking technique is discussed by using the CERT taxonomy. The violation of security aspects in the four attack scenarios S1–S4 has been evaluated with a focus on the digital information communicated via the car’s internal bus networks shown in the table in next slide.

6 Security aspects mapped to information within automotive bus systems.

7 Example Security Threats
Electric window lift (S1) Indicator lights(S2) Airbag control system(S3) Analyses on the gateway ECU(S4)

8 Test setup The Proteus design focuses on componentization
and reuse of commercial-off-the-shelf (COTS) equipment to maximize both robustness and flexibility. Each node is inexpensive, easy to manufacture, and simple to work with. Mobility: an iRobot Create, a Segway RMP50, or a customized Traxxas Stampede. The CreateR is a low cost, low speed, differentially steered robot with a simple serial control interface. The RMP50 is based on SegwayR's popular self-balancing products and is controllable over a CAM bus or USB port. It is more expensive than the CreateR but offers higher speeds, higher payload capacity, and long-range outdoor use. The third mobility option is a customized Traxxas Stampede. The Stampede is a high-performance remote controlled car with Ackerman steering and 4-wheel-independent suspension. Each platform provides its own power to reduce dependencies on other components. Behavior: A low-power VIA EPIAR x86 Linux-based computer coupled with a FreescaleTM 9S12 micro-controller provides the platform for Proteus node behaviors. This dual architecture offloads many real-time tasks to the micro-controller while allowing the x86 system to focus on higher level aspects. The two-level approach also opens a wide range of I/O options for connecting sensors and other peripherals. Basic communications are provided by an onboard b/g wireless network interface controller with a 5.5 dBi antenna. Other network communication technologies (e.g., Bluetooth, MEMSICR Motes) can be easily added to any Proteus as required Interaction: The third functional area of the Proteus is sensing and actuating. We currently support various range-finding sensors, digital compass, global positioning system (GPS), and cameras, as well as ambient sensing devices including MEMSIC motes (wireless modules).

9 Scenario S1: analyses on the electric window lift

10 CERT classifications of S1-S4
Security implications: Authenticity of control commands is violated DoS attack: The windows do not respond correctly to authentic requests until the attack finishes. Non-repudiation is affected, since the authentic console cannot prove that the close-commands have not been sent by itself.

11 Scenario S2: analyses on the warning lights

12 Security Implications:
Authenticity and integrity of control commands is violated. Availability of the indicators is violated by the DoS attack since they do not respond correctly to any actuation command. Non-repudiation is affected, since the authentic ECU cannot prove that it did not generate the forged unset-commands. At a high-level, it consists of three components: a Pharos client residing on a laptop that wirelessly communicates with one or more Proteus nodes, Pharos and Player servers running on each Proteus's x86 computer, and sensor/actuator drivers that reside within Proteus's micro-controller. The Pharos client is written in JavaTM and serves as the experiment coordinator. It is responsible for assigning motion scripts to Proteus nodes and initiating the execution of the motion script. The Pharos Server is also written in JavaTM and consists of a Motion Script Follower and a Navigation component. The Motion Script Follower informs the Navigation component of the next waypoint and desired speed and waits for it to finish steering the node to the specified waypoint. The Navigation component requires compass and GPS data, using both to adjust the steering angle and speed at a frequency of 5Hz. The Navigation component obtains the sensor data and issues the movement commands through a Player Server that also runs on the x86. The Player Server is implemented in C/C++ and provides a popular middleware abstraction for obtaining GPS and compass data and issuing movement commands to control movement The micro-controller implements lowlevel drivers in a mix of C and assembly. It has a Compass; a Tachometer Driver; a Motor Driver, and a Steering Driver. It automatically sends compass and odometer data to the x86 upon receiving the heartbeats. This push-based data delivery model reduces communication overhead allowing the micro-controller to focus on time-critical tasks.

13 Scenario S3: analyses on the airbag control system

14 Security Implications:
The authenticity of the periodic status messages and of diagnostic reply is violated, since they are not generated by the airbag ECU but by a bogus device.  Integrity of the periodic status information and the diagnostic data is concerned, since they do not correspond to the true system state.   The availability of the entire airbag system is violated. At a high-level, it consists of three components: a Pharos client residing on a laptop that wirelessly communicates with one or more Proteus nodes, Pharos and Player servers running on each Proteus's x86 computer, and sensor/actuator drivers that reside within Proteus's micro-controller. The Pharos client is written in JavaTM and serves as the experiment coordinator. It is responsible for assigning motion scripts to Proteus nodes and initiating the execution of the motion script. The Pharos Server is also written in JavaTM and consists of a Motion Script Follower and a Navigation component. The Motion Script Follower informs the Navigation component of the next waypoint and desired speed and waits for it to finish steering the node to the specified waypoint. The Navigation component requires compass and GPS data, using both to adjust the steering angle and speed at a frequency of 5Hz. The Navigation component obtains the sensor data and issues the movement commands through a Player Server that also runs on the x86. The Player Server is implemented in C/C++ and provides a popular middleware abstraction for obtaining GPS and compass data and issuing movement commands to control movement The micro-controller implements lowlevel drivers in a mix of C and assembly. It has a Compass; a Tachometer Driver; a Motor Driver, and a Steering Driver. It automatically sends compass and odometer data to the x86 upon receiving the heartbeats. This push-based data delivery model reduces communication overhead allowing the micro-controller to focus on time-critical tasks.

15 Scenario S4: analyses on the gateway ECU

16 Security Implications:
Confidentiality of eavesdropped internal messages is violated.  Looking at the diagnostics request injected, also the authenticity of these requests is violated, since they are not sent by an authentic diagnostic tester but by a forged device.  In case of personal or person relatable information, also the privacy can be affected. At a high-level, it consists of three components: a Pharos client residing on a laptop that wirelessly communicates with one or more Proteus nodes, Pharos and Player servers running on each Proteus's x86 computer, and sensor/actuator drivers that reside within Proteus's micro-controller. The Pharos client is written in JavaTM and serves as the experiment coordinator. It is responsible for assigning motion scripts to Proteus nodes and initiating the execution of the motion script. The Pharos Server is also written in JavaTM and consists of a Motion Script Follower and a Navigation component. The Motion Script Follower informs the Navigation component of the next waypoint and desired speed and waits for it to finish steering the node to the specified waypoint. The Navigation component requires compass and GPS data, using both to adjust the steering angle and speed at a frequency of 5Hz. The Navigation component obtains the sensor data and issues the movement commands through a Player Server that also runs on the x86. The Player Server is implemented in C/C++ and provides a popular middleware abstraction for obtaining GPS and compass data and issuing movement commands to control movement The micro-controller implements lowlevel drivers in a mix of C and assembly. It has a Compass; a Tachometer Driver; a Motor Driver, and a Steering Driver. It automatically sends compass and odometer data to the x86 upon receiving the heartbeats. This push-based data delivery model reduces communication overhead allowing the micro-controller to focus on time-critical tasks.

17 Short-term Countermeasures
• Intrusion detection – Increased message frequency – Obvious misuse of message IDs – Low-level communication characteristics • Proactive forensics support

18 Restrictions of Patterns 1–3 and potential for future research
Effort and costs for development and implementation Patterns 1 and 2 have the advantage that the detection algorithms are very simple to develop and implement. The related effort and costs are the major downside of Pattern 3: the evaluation of respective signal properties can be expected to be complex in development. Effectiveness and performance Patterns 1 and 2 can obviously only be used to detect an incident, as long as the authentic sender is still present and fully functional. The main advantage of Pattern 3 is its potential to detect a broad spectrum of added or swapped devices.  Absolute Divergence: The node's movement error is always calculated in reference to the original ideal trajectory. At any moment, the node's ideal location is the point on the ideal trajectory that is shortest distance to the node's actual location, i.e., the point on the line perpendicular to the ideal trajectory from the current location. Absolute divergence denes how far o the node's actual trajectory is relative to the theoretical ideal of the motion script, which matches the expectations of the user of the testbed, i.e., that the nodes will move along perfectly linear lines from one waypoint to the next. Relative Divergence: While absolute divergence is useful, it is not “fair" in that it does not use the same definition of the ideal path as that used by the waypoint navigation algorithm implemented on the Proteus. The waypoint navigation algorithm does not consider the ideal path to be the straight line connecting the segment's start position to its destination position. Instead, it assumes that the ideal path is the linear line from the node's current location to the destination. To match the objective of the navigation algorithm, we introduce relative divergence as the shortest distance between the node's current location and the recalculated ideal path based on the node's previous location. Relative divergence is useful because it quantifies the minimum amount of node positioning error that accumulates during the inter-arrival time of GPS location measurements. Relative Speed Divergence: Relative divergence captures the semantics of the ideal path as dened by the Proteus's waypoint navigation algorithm but does not consider node speed. We introduce relative-speed divergence, shown in Figure 5(c). Relative-speed divergence is the distance between the node's current location and the the location it should be at if it had traveled at the same speed along the recalculated ideal path, whereas relative divergence is simply the shortest distance between the node's current location and any point along the recalculated ideal path. The gray circles along the recalculated ideal paths represent the ideal position of the node assuming it traveled at the same speed along the ideal path. Reflective Divergence: The last form of divergence is reflective and is distinguished in that it compares one execution of a motion script with another execution of the same motion script. Specifically, the motion script is segmented into percentages of completion. At every ten percent increment, the location of the node during one execution is compared with the position of the node in another execution of the same motion script. Any difference is the reflective divergence. Reflective divergence is important because it enables direct comparison of the repeatability across experimental runs.

19 Proactive forensics model phases
Strategic preparation. In this phase, all the proactive measures need to be put in place because they have the potential to substantially support or even enable a following forensic investigation. Operational preparation. All the options, tools and potential data sources have to be considered, as well as potential influences from some measures. Data gathering phase. All potential data sources containing potential evidence for an IT security related incident have to be collected. Figure 7(a) shows the absolute divergence of Lonestar over the seven runs. The error bars indicate 95% condence intervals. The average absolute divergence over all segment traversals was /- 0.08m.

20 Proactive forensics model phases
Data investigation phase. In which the collected data are transformed into data that can be interpreted by the human investigator. Data analysis phase. The interpreted data are correlated and reduced. The correlation combines evidence from different ECUs and puts them into a timeline and a causal context.  Final documentation phase, the findings of the investigation have to be distilled into a report. Depending on the target audience, the technical content inside this report may vary. Figure 8 shows the relative divergence for Lonestar over the same seven executions of the lollipop motion script. As expected, the divergence is much smaller since the ideal path is continuously recalculated. Averaged over all segments, the relative divergence is only 0.31 +/- 0.02m. This is approximately three times less than the absolute divergence, indicating that while the node may not be able to follow the ideal line from the segment's start location to the destination, it is able to remain relatively close to the adjusted ideal line. One interesting phenomena is the spike at the beginning of each segment traversal. This is caused by the non-zero turning radius of the node, which forces the node to significantly diverge from the ideal route as it orients itself towards the next waypoint. Because of this non-zero radius, the node inherently drifts away from the absolute ideal path at the very beginning of each segment, which is another reason why the relative divergence is so much lower than the absolute divergence.

21 Forensic data types Hardware data DT1. Hardware data are data in a system, which is not or only in a limited way influenced by the operating system and application. Raw data DT2. Raw data are a sequence of bits (or data streams) of components of the system not (yet) classified. Details about data DT3. Details about data constitute metadata added to user data. These can be stored within user data or externally. Configuration data DT4. Configuration data are data that can be changed by the operating system or applications, which modify the behaviour of the system but not its behaviour with regards to communication. The figure shows the average reflective divergence across every pairwise combination of the seven executions. One immediately apparent phenomenon is the node takes significantly different paths while going towards the first waypoint. This is a result of our control of experiment initiation; we neglected to start the node at the same location during each execution of the script. Another feature is that as the node traverses each segment, its divergence is initially high but drops throughout the segment. This is due to the node ending up with a different orientation at the end of the previous segment, which is due to cumulative but varying errors throughout the previous segment's traversal, resulting in the node needing to turn by different amounts as it begins to traverse the next segment. Overall, discounting the divergence going towards the first waypoint, the average reflective divergence was only /- 0.07m. This is relatively small compared to the size of the experiment, which covers a region over 40m wide and 100m long.

22 Forensic data types Communication protocol data DT5. Communication protocol data contain data, which modify the behaviour of the system with regards to communication. Process data DT6. Process data are data about a running process. That includes, for example, the status of the process, the owner of the process, its priority, memory usage or the related application.  Session data DT7. Session data constitute data collected by a system during a session, regardless of whether the session was initiated by a user, an application or the operating system. User data DT8. User data are contents edited or consumed by the user. Averaged over all segments of all executions, the relative divergence was 0.34 +/- 0.03m which is slightly higher than relative divergence as expected. An interesting feature is the spike about 80% of the way into traversing the third segment. That the spike is due to the node temporarily getting lost and running in a loop during one of the motion script executions. This spike only appears in the relative-speed divergence because it considers the speed of the node, which is actually negative when the node mistakenly makes a loop.

23 Centralized vs. distributed to proactive measures in support of IT-forensics
Centralized system, a dedicated supplemental unit would have to be installed into an existing automotive system and collect data, for instance, from the CAN bus network. Because of the problems caused by the missing authenticity checks in today’s bus systems, such a unit could ensure integrity and authenticity of the collected data only once it enters the unit. Distributed approach, each ECU’s functionality would have to be extended with proactive forensic support, which goes a lot further than today’s self-monitoring and diagnosis capabilities.  It would require a lot more storage space for the recorded data and a substantial increase in processing power . The big advantage would be that additional sensory input only available at the particular ECU could be collected and IT security related incidents inside the ECU could potentially be recognized. The figure clearly indicates that each node exhibits its own unique \mobility personality." For example, Shiner sometimes makes very wide right turns relative to the other two nodes. This could be indicative of differences in the alignment of the front wheels or calibration of the steering arms. Among the three nodes, Wynkoop seems to be the most accurate. These observations are supported by the differences in their absolute divergences. Specifically, the average absolute divergence and 95% confidence intervals of nodes Lonestar, Shiner, and Wynkoop across all seven executions are /- 0.08m, /- 0.18m, and 1.20 +/- 0.06m, respectively. Clearly, despite the fact that each node exhibits its own unique motion profile, which is sometimes inaccurate, the 95% confidence intervals in the absolute divergence remain relatively small. This characterizes the Pharos testbed's ability to provide motion repeatability across multiple nodes.

24 Proactive forensic measures—exemplary application to the attack scenarios S1–S4
S1 and S2 - The forensic data types that are of primary concern are raw data DT2 (i.e. the data stream that constitutes the affected bus datagrams) and the communication protocol data DT5 (i.e. the type of CAN bus messages). S3 - The forensic data types that are of primary concern in S3 are raw data DT2 (i.e. the data stream that constitutes the bus datagrams) and configuration data DT4 (i.e. a disabled passenger seat airbag) as well as communication protocol data DT5 (i.e. the type of CAN bus message) and session data DT7 (i.e. status messages transmitted).  S4 - The forensic data types that are of primary concern are raw data DT2 (i.e. the data stream that constitutes the bus datagrams) and the communication protocol data DT5 (i.e. the type of CAN bus message). 

25 Long-term solutions • Holistic security concepts needed – Price is the problem – Hardware and software-based attacks • Bus solutions need to be revised we measured connectivity by sending wireless beacons between the nodes in all of our experiments and recorded when any node saw another nodes' beacon. The beacons themselves were UDP packets sent to the subnet broadcast address by the Pharos middleware (at user-configurable intervals) containing a sequence number to allow us to track which beacons were lost. we use the OMNeT++ network simulator [28]. For the simulated radio within OMNeT++, we used the unit disk radio model which considers a nodes' wireless range to be a perfect circle Although this is a naive radio model, it is popular and often used for simulation. It is also straightforward to replace this radio model with a more sophisticated one in OMNeT++; we use it to get an initial quantification of differences between the Pharos testbed and simulation.

26 Acknowledgements Information and figures are from “Security threats to automotive CAN networks—Practical examples and selected short-term countermeasures” Tobias Hoppe n, Stefan Kiltz, Jana Dittmann

27 Thank you Questions??

Download ppt "CS 795 Cyber-Physical Systems April 15, 2013"

Similar presentations

Network Security Chapter 1 - Introduction.

Network Security Chapter 1 - Introduction.
Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Chapter Six Networking Hardware.

Chapter Six Networking Hardware.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
NIST Big Data Public Working Group Security and Privacy Subgroup Presentation September 30, 2013 Arnab Roy, Fujitsu Akhil Manchanda, GE Nancy Landreville,

NIST Big Data Public Working Group Security and Privacy Subgroup Presentation September 30, 2013 Arnab Roy, Fujitsu Akhil Manchanda, GE Nancy Landreville,
1/1/ / faculty of Electrical Engineering eindhoven university of technology Architectures of Digital Information Systems Part 1: Interrupts and DMA dr.ir.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Architectures of Digital Information Systems Part 1: Interrupts and DMA dr.ir.
FIU Chapter 7: Input/Output Jerome Crooks Panyawat Chiamprasert

FIU Chapter 7: Input/Output Jerome Crooks Panyawat Chiamprasert
Reporter:PCLee 2011.10.07. With a significant increase in the design complexity of cores and associated communication among them, post-silicon validation.

Reporter:PCLee With a significant increase in the design complexity of cores and associated communication among them, post-silicon validation.
Chapter 19: Network Management Business Data Communications, 4e.

Chapter 19: Network Management Business Data Communications, 4e.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Prepared By: Kopila Sharma 908-37-2749.  Enables communication between two or more system.  Uses standard network protocols for communication.  Do.

Prepared By: Kopila Sharma  Enables communication between two or more system.  Uses standard network protocols for communication.  Do.
A New Household Security Robot System Based on Wireless Sensor Network Reporter :Wei-Qin Du.

A New Household Security Robot System Based on Wireless Sensor Network Reporter :Wei-Qin Du.
REAL-TIME SOFTWARE SYSTEMS DEVELOPMENT Instructor: Dr. Hany H. Ammar Dept. of Computer Science and Electrical Engineering, WVU.

REAL-TIME SOFTWARE SYSTEMS DEVELOPMENT Instructor: Dr. Hany H. Ammar Dept. of Computer Science and Electrical Engineering, WVU.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.

Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.
Applied Cryptography for Network Security

Applied Cryptography for Network Security
Data Networking Fundamentals Unit 7 7/2/2015 1 Modified by: Brierley.

Data Networking Fundamentals Unit 7 7/2/ Modified by: Brierley.
Introduction (Pendahuluan)  Information Security.

Introduction (Pendahuluan)  Information Security.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
©Ian Sommerville 2006Critical Systems Slide 1 Critical Systems Engineering l Processes and techniques for developing critical systems.

©Ian Sommerville 2006Critical Systems Slide 1 Critical Systems Engineering l Processes and techniques for developing critical systems.

Similar presentations

Ads by Google