Wufei Wu,Ryo Kurachi,Gang Zeng,Yutaka Matsubara,Hiroaki Takada,Renfa Li,Keqin Li

DOI: https://doi.org/10.1109/access.2018.2870695

IF: 3.9

2018-01-01

IEEE Access

Abstract:Cybersecurity is increasingly important for the safety and reliability of autonomous vehicles. The controller area network (CAN) is the most widely used in-vehicle network for automotive safety-critical applications. Enhancing the cybersecurity ability of CAN while considering the real-time, schedulability, and cost constraints becomes an urgent issue. To address this problem, a real-time, and schedulability analysis-guaranteed security mechanism [identification hopping CAN (IDH-CAN)] is proposed in this paper, which aims to improve the security performance of CAN under the constraints of automotive real-time applications. In order to support the operation of the IDH-CAN mechanism, an IDH-CAN controller is also designed and implemented on a field-programmable gate array, which can work as a hardware firewall in the data link layer of CAN to isolate cyberattacks from the physical layer. Meanwhile, to maximize the information entropy of the CAN message ID on the physical layer, the ID hopping table generation and optimization algorithms for IDH-CAN are also proposed. Then, information security evaluation experiments based on information entropy comparison are deployed. The simulation and practical evaluations demonstrate the effectiveness of the proposed mechanism in defending reverse engineering, targeted denial of service, and replay attacks without violating real-time and schedulability constraints.

Xiaoyu Ji,Jiliang Wang,Mingyan Liu,Yubo Yan,Panlong Yang,Yunhao Liu

DOI: https://doi.org/10.1109/INFOCOM.2014.6848196

2014-01-01

Abstract:Recently, carrying control signals on passing data packets has emerged as a promising direction for efficient control information transmission. With control messages carried on data payload, the extra air time needed for control packets like RTS/CTS is eliminated and thus channel utilization is improved. However, carrying control signals on the data payload of a packet requires the data packet to have a sufficiently large SNR, otherwise both the data packet and the control messages are lost. In this paper, we propose Hitchhike, a technique that utilizes the preamble field to carry control messages. Hitchhike completely decouples the control messages from the payload and therefore the superposition of (multiple) control messages has little adverse effect on the operation of the payload decoding. We implement and evaluate Hitchhike in the USRP2 platform with 5 nodes. Evaluation results demonstrate the feasibility and effectiveness of Hitchhike. Compared with the state-of-the-art, e.g., Side-channel in 802.15.4, Hitchhike improves the detection accuracy of control messages by 40% and reduces the data loss caused by control messages by 15%.

Xiaoyu Ji,Jiliang Wang,Mingyan Liu,Yubo Yan,Panlong Yang,Yunhao Liu

DOI: https://doi.org/10.1109/twc.2015.2487961

IF: 10.4

2015-01-01

IEEE Transactions on Wireless Communications

Abstract:Recently, carrying control signals on passing data packets has emerged as a promising direction for efficient control information transmission. With control messages carried on data payload, the extra air time needed for control packets like RTS/CTS is eliminated and thus channel utilization is improved. However, carrying control signals on the data payload of a packet requires the data packet to have a sufficiently large SNR, otherwise both the data packet and the control messages are lost. In this paper, we propose Hitchhike, a technique that utilizes the preamble field to carry control messages. Hitchhike completely decouples the control messages from the payload and therefore the superposition of (multiple) control messages has little adverse effect on the operation of the payload decoding. We implement and evaluate Hitchhike in the USRP2 platform with five nodes. Evaluation results demonstrate the feasibility and effectiveness of Hitchhike. Compared with the state-of-the-art, e.g., side-channel in 802.15.4, Hitchhike improves the detection accuracy of control messages by 40% and reduces the data loss caused by control messages by 15%.

Boyang Zhou,Gaoning Pan,Chunming Wu,Kai Zhu,Wei Ruan

DOI: https://doi.org/10.1007/s11432-019-9921-7

2020-01-01

Science China Information Sciences

Abstract:Dear editor, Recently, crossfire attack has been witnessed as a new distributed denial-of-service (DDoS) weapon that can effectively cut off the data connections between the chosen target area (wd) of servers and the end hosts (H).The attack is launched by a network of bot (botnet) to drain bandwidth of persistent routes (PRs) in the indirect and lowrate data flooding towards the decoys that are located in upstream to the target, where the PRs are probed by the adversary who sends Internet control message protocol (ICMP) packets with different time-to-live (TTL) values, e.g., using traceroute [1].Such flooding is hard to be detected by firewalls or IDSes.

Huiping Qian,Hao Han,Xiaojun Zhu,Fengyuan Xu

DOI: https://doi.org/10.1109/msn60784.2023.00059

2023-01-01

Abstract:Controller Area Networks (CANs), the most widely used protocols for in-vehicle networks, are vulnerable to various attacks due to the lack of security countermeasures by design. CAN messages are broadcast without source/destination labeling and lack built-in encryption or authentication mechanisms, thus suffering many attacks. To address this problem, we propose a lightweight CAN message obfuscation technique called ShuffleCAN. Motivated by the idea of moving target defense (MTD), ShuffleCAN is designed with a combined shuffling scheme based on the hash chain and combinatorial coding techniques to achieve both ID anonymization and payload shuffling. With ShuffleCAN, selected or all transmitter and receiver pairs can communicate in a private dialect over the standard CAN protocol, so the eavesdropper cannot understand the meaning of each message or inject a valid fake message. We implemented a prototype and evaluated ShuffleCAN on Toyota’s testbed PASTA. The experimental results show that ShuffleCAN outperforms state-of-the-art CAN protection schemes.

Sunandan Adhikary,Ipsita Koley,Arkaprava Sain,Soumyadeep das,Shuvam Saha,Soumyajit Dey

2023-06-15

Abstract:This work focuses on eliminating timing-side channels in real-time safety-critical cyber-physical network protocols like Controller Area Networks (CAN). Automotive Electronic Control Units (ECUs) implement predictable scheduling decisions based on task level response time estimation. Such levels of determinism exposes timing information about task executions and therefore corresponding message transmissions via the network buses (that connect the ECUs and actuators). With proper analysis, such timing side channels can be utilized to launch several schedule-based attacks that can lead to eventual denial-of-service or man-in-the-middle-type attacks. To eliminate this determinism, we propose a novel schedule obfuscation strategy by skipping certain control task executions and related data transmissions along with random shifting of the victim task instance. While doing this, our strategy contemplates the performance of the control task as well by bounding the number of control execution skips. We analytically demonstrate how the attack success probability (ASP) is reduced under this proposed attack-aware skipping and randomization. We also demonstrate the efficacy and real-time applicability of our attack-aware schedule obfuscation strategy Hide-n-Seek by applying it to synthesized automotive task sets in a real-time Hardware-in-loop (HIL) setup.

Cryptography and Security,Systems and Control

Guoqi Xie,Laurence T. Yang,Wei Wu,Keyu Zeng,Xiangzhen Xiao,Renfa Li

DOI: https://doi.org/10.1109/tits.2020.3000783

IF: 8.5

2021-08-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:Controller Area Network with Flexible Data-rate (CAN FD) is beneficial for the in-vehicle communication of Internet of Connected Vehicles (IoCVs) because of its high bandwidth and data field length. However, CAN FD lacks a security authentication mechanism, making it extremely vulnerable to masquerade attacks. This study proposes the security enhancement for a real-time parallel in-vehicle application adopting a two-stage method. The first stage obtains the lower bound of an in-vehicle application by quickly abandoning most of sequences, while the second stage enhances security by adding Message Authentication Codes (MACs) to messages taking advantage of the laxity interval from the lower bound to the deadline. Experiments with an example and the adaptive cruise control in-vehicle application show the advantage of the proposed two-stage method in increasing the total byte size of MACs.

engineering, electrical & electronic,transportation science & technology, civil

Qiang Dong,Zenglu Song,Haoshu Shao

DOI: https://doi.org/10.1049/ell2.13112

2024-01-30

Electronics Letters

Abstract:This research presents a novel method for detecting and defending against intrusions in the Controller Area Network (CAN) bus used in automotive systems. By analysing frequency anomalies in message transmission and utilizing the arbitration mechanism of the CAN bus, this approach effectively identifies and disrupts illegal messages in real‐time, ensuring the security of the network. As automobile intelligence continues to develop, the electronic control units connected to the Controller Area Network (CAN) bus within vehicles face an increasing number of threats from potential attacks originating from the internet. To address this issue, an intrusion detection and defence method is proposed that is capable of detecting illegal messages through the use of frequency anomaly detection, and subsequently disrupting them through utilization of the CAN bus arbitration mechanism. This proposed method offers a simple implementation compared to traditional approaches, while being able to identify suspicious units and neutralize threats in real‐time. Experimental results demonstrate the effectiveness of this approach.

engineering, electrical & electronic

Guoqi Xie,Laurence T. Yang,Yao Liu,Haibo Luo,Xin Peng,Renfa Li

DOI: https://doi.org/10.1109/tvt.2021.3061746

IF: 6.8

2021-06-01

IEEE Transactions on Vehicular Technology

Abstract:The rise of autonomous driving technology and the prosperity of mobile vehicular applications have brought tremendous pressure and put forward high bandwidth and low latency requirements for vehicular networks. Controller Area Network with Flexible Data-rate (CAN-FD) is a feasible choice to meet the high bandwidth and low latency requirements of in-vehicle communication of mobile vehicles. However, CAN-FD is vulnerable to masquerade attacks because it lacks necessary security authentication mechanisms and protection measures. This study presents a security enhancement technique called forward-backward exploration for independent in-vehicle CAN-FD messages while still guaranteeing each message is real-time. In the forward-backward exploration solution, a novel dual-pointer (including the forward pointer and the backward pointer) solution is proposed; the Message Authentication Code (MAC) size of each message is then dynamically adjusted by presenting the dual-pointer movement rules until the total payload no longer increases. Experimental results with real-life CAN-FD message set provided by an automaker demonstrate the effectiveness of our solution.

telecommunications,engineering, electrical & electronic,transportation science & technology

Ruiqi Lu,Guoqi Xie,Renfa Li,Yan Liu,Xinzhong Liu,Wei Xu,Jianmei Lei,Kenli Li

DOI: https://doi.org/10.1109/tcad.2024.3368971

IF: 2.9

2024-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:As promising industrial embedded networks, Controller Area Networks with Flexible Data-rate (CAN-FD) are widely used in time-sensitive domains, such as automotive networks. However, the absence of built-in security mechanisms in CAN-FD necessitates the development of security protection mechanisms. The existing Lightweight Authentication for Secure Automotive Networks (LASAN) framework focuses on enhancing the security of CAN/CAN-FD communication but neglects the conflict between security and delay. In this study, we conduct a thorough analysis of the causal mechanism related to the security and delay of LASAN and propose a static message scheduling method called Cooperative Swapping Approach (CSA) to achieve secure and low-delay CAN-FD communication. CSA is to minimize the end-to-end delay of precedence-constrained CAN-FD applications by swapping message positions in a valid message sequence. Nevertheless, exchanging message positions may impact the precedence dependencies between messages; therefore, we propose a novel Cooperative Transform Approach (CTA) within the CSA to efficiently preserve these precedence constraints. Valid message sequences with minimal end-to-end delays of a motivation example and an Adaptive Cruise Control (ACC) application are obtained in LASAN by CSA. These sequences are implemented on the embedded microcontroller platform of STM32H743IITs for evaluation. Experimental results show that our proposed CSA can effectively reduce the end-to-end delay of LASAN and outperform the state-of-the-art static message scheduling method in terms of low delay.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Li Yue,Zheming Li,Tingting Yin,Chao Zhang

DOI: https://doi.org/10.14722/autosec.2021.23024

2021-01-01

Abstract:Modern vehicles have many electronic control units (ECUs) connected to the Controller Area Network (CAN) bus, which have few security features in design and are vulnerable to cyber attacks.Researchers have proposed solutions like intrusion detection systems (IDS) to mitigate such threats.We presented a novel attack, CANCloak, which can deceive two ECUs with one CAN data frame, and therefore can bypass IDS detection or cause vehicle malfunction.In this attack, assuming a malicious transmitter is controlled by the adversary, one crafted CAN data frame can be transmitted to a target receiver, while other ECUs shall not receive that frame nor raise any error.We have setup a physical test environment and evaluated the effectiveness of this attack.Evaluation results showed that success rate of CANCloak reaches up to 99.7%, while the performance depends on the attack payload and sample point settings of victim receivers, independent from bus bit rate.

Alvise de Faveri Tron,Stefano Longari,Michele Carminati,Mario Polino,Stefano Zanero

DOI: https://doi.org/10.1145/3548606.3560618

2022-09-20

Abstract:Current research in the automotive domain has proven the limitations of the CAN protocol from a security standpoint. Application-layer attacks, which involve the creation of malicious packets, are deemed feasible from remote but can be easily detected by modern IDS. On the other hand, more recent link-layer attacks are stealthier and possibly more disruptive but require physical access to the bus. In this paper, we present CANflict, a software-only approach that allows reliable manipulation of the CAN bus at the data link layer from an unmodified microcontroller, overcoming the limitations of state-of-the-art works. We demonstrate that it is possible to deploy stealthy CAN link-layer attacks from a remotely compromised ECU, targeting another ECU on the same CAN network. To do this, we exploit the presence of pin conflicts between microcontroller peripherals to craft polyglot frames, which allows an attacker to control the CAN traffic at the bit level and bypass the protocol's rules. We experimentally demonstrate the effectiveness of our approach on high-, mid-, and low-end microcontrollers, and we provide the ground for future research by releasing an extensible tool that can be used to implement our approach on different platforms and to build CAN countermeasures at the data link layer.

Cryptography and Security

Xuhang Ying,Giuseppe Bernieri,Mauro Conti,Radha Poovendran

DOI: https://doi.org/10.48550/arXiv.1903.05231

2019-03-12

Cryptography and Security

Abstract:Nowadays, the interconnection of automotive systems with modern digital devices offers advanced user experiences to drivers. Electronic Control Units (ECUs) carry out a multitude of operations using the insecure Controller Area Network (CAN) bus in automotive Cyber-Physical Systems (CPSs). Therefore, dangerous attacks, such as disabling brakes, are possible and the safety of passengers is at risk. In this paper, we present TACAN (Transmitter Authentication in CAN), which provides secure authentication of ECUs by exploiting the covert channels without introducing CAN protocol modifications or traffic overheads (i.e., no extra bits or messages are used). TACAN turns upside-down the originally malicious concept of covert channels and exploits it to build an effective defensive technique that facilitates transmitter authentication via a trusted Monitor Node. TACAN consists of three different covert channels for ECU authentication: 1) Inter-Arrival Time (IAT)-based, leveraging the IATs of CAN messages; 2) offset-based, exploiting the clock offsets of CAN messages; 3) Least Significant Bit (LSB)-based, concealing authentication messages into the LSBs of normal CAN data. We implement the covert channels on the University of Washington (UW) EcoCAR testbed and evaluate their performance through extensive experiments. We demonstrate the feasibility of TACAN, highlighting no traffic overheads and attesting the regular functionality of ECUs. In particular, the bit error ratios are within 0.1% and 0.42% for the IAT-based and offset-based covert channels, respectively. Furthermore, the bit error ratio of the LSB-based covert channel is equal to that of a normal CAN bus, which is 3.1x10^-7%.

Jun-Chao Zhang,Rong-Xiang Zhao,Jun-Jie Chen

DOI: https://doi.org/10.1007/978-3-642-21697-8_46

2011-01-01

Abstract: Hierarchical multicast can effectively achieve multicast communication of heterogeneous network. RED algorithm and HTH algorithm were analyzed and discussed. RED can keep low delay while pursuit larger throughput, but it has shortcoming of sensitive to parameters. HTH algorithm can rapidly respond to congestion and effectively improve throughput as well as utilization of link, but it occupies too much router resources in case of many streams. On the basis, a kind of hop-to-hop controlled hierarchical multicast congestion control mechanism combining RED and HTH was presented. With this mechanism, each router determines its congestion status based on current network state. If congestion occurs, it discards with certain probability and report congestion status to upstream router. After router received congestion state from other routers, it will take appropriate measures to increase or decrease transmission rate to some downstream router. At the same time, packet discard number of each link was considered in congestion control to ensure fairness. Simulation result based on NS-2 shows that the proposed algorithm is superior to RED in aspects of throughput and packet loss rate.

Xuhang Ying,Giuseppe Bernieri,Mauro Conti,Linda Bushnell,Radha Poovendran

DOI: https://doi.org/10.1109/tdsc.2021.3068213

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In recent years, the security of automotive Cyber-Physical Systems (CPSs) is facing urgent threats due to the widespread use of legacy in-vehicle communication systems. As a representative legacy bus system, the Controller Area Network (CAN) hosts Electronic Control Units (ECUs) that are crucial for the vehicles functioning. In this scenario, malicious actors can exploit the CAN vulnerabilities, such as the lack of built-in authentication and encryption schemes, to launch CAN bus attacks (e.g., suspension, injection, and masquerade attacks) with life-threatening consequences (e.g., disabling brakes). In this article, we present TACAN (Transmitter Authentication in CAN), which provides secure authentication of ECUs on the legacy CAN bus by exploiting the covert channels, without introducing CAN protocol modifications or traffic overheads (no extra bits or CAN messages are used). TACAN turns upside-down the originally malicious concept of covert channels and exploits it to build an effective defensive technique that facilitates transmitter authentication via a centralized, trusted Monitor Node. TACAN consists of three different covert channels for ECU authentication: 1) the Inter-Arrival Time (IAT)-based, leveraging the IATs of CAN messages; 2) the Least Significant Bit (LSB)-based, concealing authentication messages into the LSBs of normal CAN data; and 3) a hybrid covert channel, exploiting the combination of the first two. In order to validate TACAN, we implement the covert channels on the University of Washington (UW) EcoCAR (Chevrolet Camaro 2016) testbed. We further evaluate the bit error, throughput, and detection performance of TACAN through extensive experiments using the EcoCAR testbed and a publicly available dataset collected from Toyota Camry 2010. We demonstrate the feasibility of TACAN and the effectiveness of detecting CAN bus attacks, highlighting no traffic overheads and attesting the regular functionality of-ECUs.

computer science, information systems, software engineering, hardware & architecture

Haichun Zhang,Xu Meng,Xiong Zhang,Zhenglin Liu

DOI: https://doi.org/10.3390/s20174900

IF: 3.9

2020-08-30

Sensors

Abstract:The Internet of Things (IoT) is an industry-recognized next intelligent life solution that increases the level of comfort, efficiency, and automation for citizens through numerous sensors, smart devices, and cloud stations connected physically. As an important application scenario of IoT, the Internet of Vehicles (IoV) plays an extremely critical role in the intelligent transportation field. In fact, the In-Vehicle Network of smart vehicles that are recognized as the core roles in intelligent transportation is currently the Controller Area Network (CAN). However, the In-Vehicle CAN bus protocol has several vulnerabilities without any encryption, authentication, or integrity checking, which severely threatens the safety of drivers and passengers. Once malicious attackers hack the vehicular gateway and obtain the access right of the CAN, they may control the vehicle based on the vulnerabilities of the CAN bus protocol. Given the severe security risk of CAN, we proposed the CANsec, a practical In-Vehicle CAN security evaluation tool that simulates malicious attacks according to major attack models to evaluate the security risk of the In-Vehicle CAN. We also show a usage case of the CANsec without knowing any information from the vehicle manufacturer.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Xinyu Yao,Hui Sun,Xiangdong Jin,Yifan Ding

DOI: https://doi.org/10.23919/ccc50068.2020.9189356

2020-01-01

Abstract:The electric vehicles nowadays are managed by networked controllers. Because of the advantages of fast, reliable, simple wiring, and light weight, CAN bus has become one of the most widely used field buses in the world. Most of the networks were designed with little concern about security which has recently motivated researchers to demonstrate various kinds of attacks against the system. This paper proposes an optimization method for encrypting CAN Messages. In addition, a single frame CAN message can only transmit 64-bit valid data, it is often necessary to complete the communication task by sending a multi-frame message with the same ID. The AES algorithm has become the first choice for encrypting multi-frame CAN messages with its extremely high reliability and fast encryption and decryption speed. In this paper, a method of encrypting multi-frame CAN messages based on the AES algorithm is proposed, and on the basis of which a hash value is optimized to ensure the security of data transmitted on the CAN bus.

Damilola Oladimeji,Amar Rasheed,Cihan Varol,Mohamed Baza,Hani Alshahrani,Abdullah Baz

DOI: https://doi.org/10.3390/s23198223

2023-10-02

Abstract:Current vehicles include electronic features that provide ease and convenience to drivers. These electronic features or nodes rely on in-vehicle communication protocols to ensure functionality. One of the most-widely adopted in-vehicle protocols on the market today is the Controller Area Network, popularly referred to as the CAN bus. The CAN bus is utilized in various modern, sophisticated vehicles. However, as the sophistication levels of vehicles continue to increase, we now see a high rise in attacks against them. These attacks range from simple to more-complex variants, which could have detrimental effects when carried out successfully. Therefore, there is a need to carry out an assessment of the security vulnerabilities that could be exploited within the CAN bus. In this research, we conducted a security vulnerability analysis on the CAN bus protocol by proposing an attack scenario on a CAN bus simulation that exploits the arbitration feature extensively. This feature determines which message is sent via the bus in the event that two or more nodes attempt to send a message at the same time. It achieves this by prioritizing messages with lower identifiers. Our analysis revealed that an attacker can spoof a message ID to gain high priority, continuously injecting messages with the spoofed ID. As a result, this prevents the transmission of legitimate messages, impacting the vehicle's operations. We identified significant risks in the CAN protocol, including spoofing, injection, and Denial of Service. Furthermore, we examined the latency of the CAN-enabled system under attack, finding that the compromised node (the attacker's device) consistently achieved the lowest latency due to message arbitration. This demonstrates the potential for an attacker to take control of the bus, injecting messages without contention, thereby disrupting the normal operations of the vehicle, which could potentially compromise safety.

Qian Wang,Zhaojun Lu,Gang Qu

DOI: https://doi.org/10.48550/arXiv.1808.04046

2018-08-13

Abstract:Dozens of Electronic Control Units (ECUs) can be found on modern vehicles for safety and driving assistance. These ECUs also introduce new security vulnerabilities as recent attacks have been reported by plugging the in-vehicle system or through wireless access. In this paper, we focus on the security of the Controller Area Network (CAN), which is a standard for communication among ECUs. CAN bus by design does not have sufficient security features to protect it from insider or outsider attacks. Intrusion detection system (IDS) is one of the most effective ways to enhance vehicle security on the insecure CAN bus protocol. We propose a new IDS based on the entropy of the identifier bits in CAN messages. The key observation is that all the known CAN message injection attacks need to alter the CAN ID bits and analyzing the entropy of such bits can be an effective way to detect those attacks. We collected real CAN messages from a vehicle (2016 Ford Fusion) and performed simulated message injection attacks. The experimental results showed that our entropy based IDS can successfully detect all the injection attacks without disrupting the communication on CAN.

Cryptography and Security

Wenhong Ma,Yan Liu,Guoqi Xie,Renfa Li,Laurence T. Yang

DOI: https://doi.org/10.1109/jiot.2021.3085422

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:Controller area network with flexible data-rate (CAN-FD) has received great attention in automotive cyber–physical systems (ACPSs) due to its high bandwidth and long payload. However, CAN-FD adopts a broadcast message transmission mechanism and lacks security protection, making it extremely vulnerable to cyberattacks. CAN-FD message packing (packing signals into messages) with low bandwidth occupancy (utilization) under security constraints is the prerequisite for running intelligent applications in ACPS. In this work, we implement a two-stage CAN-FD message packing solution to reduce bandwidth utilization and improve signal acceptance rate under security constraints. The first stage solves the message packing problem of minimizing bus bandwidth utilization under security constraints. The second stage aims at improving the signal acceptance rate by repacking signals. Experimental results show that the first stage reduces average bus bandwidth utilization by 135% compared with the unpacking solution, and the second stage improves the average signal acceptance rate by 5% than existing advanced methods.

computer science, information systems,telecommunications,engineering, electrical & electronic