Florian Sommer,Reiner Kriesten,Frank Kargl

DOI: https://doi.org/10.1109/access.2023.3282176

IF: 3.9

2023-06-09

IEEE Access

Abstract:Modern connected or autonomous vehicles (AVs) are highly complex cyber-physical systems. As a result of the high number of different technologies and connectivity features involved, testing these systems to identify security vulnerabilities is a big challenge. Security testing techniques, such as penetration testing, are often manual methods that are applied comparatively late in the vehicle development process. Thus, vulnerabilities are only detected late or after development, leading to higher costs and more patching effort. To reduce the amount of testing resources in general and enable early and automated testing, model-based testing methods have been established in several domains, such as information technology and the automotive domain. The transfer of model-based testing approaches to automotive security testing could help to detect vulnerabilities earlier than other, manual methods by automatically generating, executing, or simulating security tests. In this study, we review the literature on model-based test approaches in the automotive domain. First, we consider security-independent approaches to obtain an overview of applied models, formalisms, test selection criteria, and test generation techniques. In addition, we investigate, whether and how model-based approaches are applied for automotive security testing. Overall, we identified 63 publications related to model-based testing and 29 publications with regard to model-based security testing. The aim of this study is to provide an overview and direct comparison between these approaches. In this manner, the state of model-based security testing in the automotive domain, current challenges, and potential research areas are determined.

computer science, information systems,telecommunications,engineering, electrical & electronic

Feng Luo,Xuan Zhang,Zhenyu Yang,Yifan Jiang,Jiajia Wang,Mingzhi Wu,Wanqiang Feng

DOI: https://doi.org/10.3390/s22239211

2022-11-26

Abstract:Modern vehicles are more complex and interconnected than ever before, which also means that attack surfaces for vehicles have increased significantly. Malicious cyberattacks will not only exploit personal privacy and property, but also affect the functional safety of electrical/electronic (E/E) safety-critical systems by controlling the driving functionality, which is life-threatening. Therefore, it is necessary to conduct cybersecurity testing on vehicles to reveal and address relevant security threats and vulnerabilities. Cybersecurity standards and regulations issued in recent years, such as ISO/SAE 21434 and UNECE WP.29 regulations (R155 and R156), also emphasize the indispensability of cybersecurity verification and validation in the development lifecycle but lack specific technical details. Thus, this paper conducts a systematic and comprehensive review of the research and practice in the field of automotive cybersecurity testing, which can provide reference and advice for automotive security researchers and testers. We classify and discuss the security testing methods and testbeds in automotive engineering. Furthermore, we identify gaps and limitations in existing research and point out future challenges.

Masoud Ebrahimi,Stefan Marksteiner,Dejan Ničković,Roderick Bloem,David Schögler,Philipp Eisner,Samuel Sprung,Thomas Schober,Sebastian Chlup,Christoph Schmittner,Sandra König

DOI: https://doi.org/10.1007/978-3-031-27481-7_34

2023-04-17

Abstract:We propose a holistic methodology for designing automotivesystems that consider security a central concern at every design stage.During the concept design, we model the system architecture and definethe security attributes of its components. We perform threat analysis onthe system model to identify structural security issues. From that analysis,we derive attack trees that define recipes describing steps to successfullyattack the system's assets and propose threat prevention measures.The attack tree allows us to derive a verification and validation (V&V)plan, which prioritizes the testing effort. In particular, we advocate usinglearning for testing approaches for the black-box components. It consistsof inferring a finite state model of the black-box component from its executiontraces. This model can then be used to generate new relevanttests, model check it against requirements, and compare two differentimplementations of the same protocol. We illustrate the methodologywith an automotive infotainment system example. Using the advocated approach, we could also document unexpected and potentially criticalbehavior in our example systems.

Cryptography and Security

Stefan Marksteiner,Zhendong Ma

DOI: https://doi.org/10.48550/arXiv.1911.06589

2019-11-15

Cryptography and Security

Abstract:The advancing digitalization of vehicles and automotive systems bears many advantages for creating and enhancing comfort and safety-related systems ranging from drive-by-wire, inclusion of advanced displays, entertainment systems up to sophisticated driving assistance and autonomous driving. It, however, also contains the inherent risk of being used for purposes that are not intended for, raging from small non-authorized customizations to the possibility of full-scale cyberattacks that affect several vehicles to whole fleets and vital systems such as steering and engine control. To prevent such conditions and mitigate cybersecurity risks from affecting the safety of road traffic, testing cybersecurity must be adopted into automotive testing at a large scale. Currently, the manual penetration testing processes cannot uphold the increasing demand due to time and cost to test complex systems. We propose an approach for an architecture that (semi-)automates automotive cybersecurity test, allowing for more economic testing and therefore keeping up to the rising demand induced by new vehicle functions as well as the development towards connected and autonomous vehicles.

Claudiu Vasile Kifor,Aurelian Popescu

DOI: https://doi.org/10.3390/s24186139

2024-09-23

Abstract:Modern vehicles are increasingly interconnected through various communication channels, which requires secure access for authorized users, the protection of driver assistance and autonomous driving system data, and the assurance of data integrity against misuse or manipulation. While these advancements offer numerous benefits, recent years have exposed many intrusion incidents, revealing vulnerabilities and weaknesses in current systems. To sustain and enhance the performance, quality, and reliability of vehicle systems, software engineers face significant challenges, including in diverse communication channels, software integration, complex testing, compatibility, core reusability, safety and reliability assurance, data privacy, and software security. Addressing cybersecurity risks presents a substantial challenge in finding practical solutions to these issues. This study aims to analyze the current state of research regarding automotive cybersecurity, with a particular focus on four main themes: frameworks and technologies, standards and regulations, monitoring and vulnerability management, and testing and validation. This paper highlights key findings, identifies existing research gaps, and proposes directions for future research that will be useful for both researchers and practitioners.

Mohamed Abouelnaga,Christine Jakobs

2023-07-05

Abstract:Nowadays, systematic security risk analysis plays a vital role in the automotive domain. The demand for advanced driver assistance systems and connectivity of vehicles to the internet makes cyber-security a crucial requirement for vehicle manufacturers. This paper summarizes the risk analysis method stated in the recently released automotive security standard ISO/SAE 21434, which lays the high-level principles for threat analysis and risk assessment (TARA) methods. Following, we introduce a specific use case to compare different security analysis approaches which OEMs can benefit from to achieve compliance with the standard.

Cryptography and Security

Tobias Hoppe,Stefan Kiltz,Jana Dittmann

DOI: https://doi.org/10.1016/j.ress.2010.06.026

2011-01-01

Abstract:The IT security of automotive systems is an evolving area of research. To analyse the current situation and the potentially growing tendency of arising threats we performed several practical tests on recent automotive technology. With a focus on automotive systems based on CAN bus technology, this article summarises the results of four selected tests performed on the control systems for the window lift, warning light and airbag control system as well as the central gateway. These results are supplemented in this article by a classification of these four attack scenarios using the established CERT taxonomy and an analysis of underlying security vulnerabilities, and especially, potential safety implications.With respect to the results of these tests, in this article we further discuss two selected countermeasures to address basic weaknesses exploited in our tests. These are adaptations of intrusion detection (discussing three exemplary detection patterns) and IT-forensic measures (proposing proactive measures based on a forensic model). This article discusses both looking at the four attack scenarios introduced before, covering their capabilities and restrictions. While these reactive approaches are short-term measures, which could already be added to today’s automotive IT architecture, long-term concepts also are shortly introduced, which are mainly preventive but will require a major redesign. Beneath a short overview on respective research approaches, we discuss their individual requirements, potential and restrictions.

engineering, industrial,operations research & management science

Florian Sommer,Mona Gierl,Reiner Kriesten,Frank Kargl,Eric Sax

DOI: https://doi.org/10.1145/3644075

IF: 2.717

2024-02-05

ACM Transactions on Privacy and Security

Abstract:Modern vehicles increasingly rely on electronics, software, and communication technologies (cyber space) to perform their driving task. Over-The-Air (OTA) connectivity further extends the cyber space by creating remote access entry points. Accordingly, the vehicle is exposed to security attacks that are able to impact road safety. A profound understanding of security attacks, vulnerabilities, and mitigations is necessary to protect vehicles against cyber threats. While automotive threat descriptions, such as in UN R155, are still abstract, this creates a risk that potential vulnerabilities are overlooked and the vehicle is not secured against them. So far, there is no common understanding of the relationship of automotive attacks, the concrete vulnerabilities they exploit, and security mechanisms that would protect the system against these attacks. In this paper, we aim at closing this gap by creating a mapping between UN R155, Microsoft STRIDE classification, Common Attack Pattern Enumerations and Classifications (CAPECTM), and Common Weakness Enumeration (CWETM). In this way, already existing detailed knowledge of attacks, vulnerabilities, and mitigations is combined and linked to the automotive domain. In practice, this refines the list of UN R155 threats and therefore supports vehicle manufacturers, suppliers, and approval authorities to meet and assess the requirements for vehicle development in terms of cybersecurity. Overall, 204 mappings between UN threats, STRIDE, CAPEC attack patterns, and CWE weaknesses were created. We validated these mappings by applying our Automotive Attack Database (AAD) that consists of 361 real-world attacks on vehicles. Furthermore, 25 additional attack patterns were defined based on automotive-related attacks.

computer science, information systems

Jürgen Dobaj,Damjan Ekert,Jakub Stolfa,Svatopluk Stolfa,Georg Macher,Richard Messnarz

DOI: https://doi.org/10.3897/jucs.72367

2021-08-28

Abstract:Cybersecurity has become a crucial challenge in the automotive sector. At the current stage, the framework described by the ISO/SAE 21434 is insufficient to derive concrete methods for the design of secure automotive networked embedded systems on the supplier level. This article describes a case study with actionable steps for designing secure systems and systematically eliciting traceable cybersecurity requirements to address this gap. The case study is aligned with the ISO/SAE 21434 standard and can provide the basis for integrating cybersecurity engineering into company-specific processes and practice specifications.

Yuefeng Du,Zhiqiang Cai,Le Yu,Wenkai Zhang,Pengfei Jing,Yingjie Cao,Shi Wu,Sen Nie,Xiapu Luo,Chenxiong Qian

DOI: https://doi.org/10.1109/SP54263.2024.00080

2024-05-19

Abstract:As modern vehicles become increasingly complex in terms of both external attack surfaces and internal in-vehicle network (IVN) topology, ensuring their cybersecurity remains a challenge. Existing standards and regulations, such as WP29 R155e and ISO 21434, attempt to establish a baseline for automotive cybersecurity, but their sufficiency in addressing the evolving threats is unclear. To fill in this gap, we first carried out an in-depth interview study with 15 experts in automotive cybersecurity, uncovering the particular challenges encountered during security activities and the limitations of current regulations. We identified 20 key insights from the interview data, ranging from the challenges and gaps in the existing automotive security industry to the limitations and recommendations for current regulations. Notably, we discovered that the quality of threat cases provided by existing regulations is unsatisfactory, and the Threat Analysis and Risk Assessment (TARA) process is often highly inefficient due to the lack of automatic tools. In response to the above limitations, we first built an improved threat database for automotive systems using the collected interview data, which enhanced the existing database both quantitatively and qualitatively. Additionally, we present CarVal, a datalog-based approach designed to infer multi-stage attack paths in IVNs and calculate risk values, thereby making TARA more efficient for automotive systems. By applying CarVal to five real vehicles, we performed extensive security analysis based on the generated attack paths and successfully exploited the corresponding attack chains in the newly gateway-segmented IVN, uncovering new automotive attack surfaces that previous research failed to cover, including the in-vehicle browser, official mobile app, backend server, and in-vehicle malware.

Engineering,Computer Science

Eduardo dos Santos,Andrew Simpson,Dominik Schoop

DOI: https://doi.org/10.4204/EPTCS.271.7

2018-05-15

Abstract:Ensuring a car's internal systems are free from security vulnerabilities is of utmost importance, especially due to the relationship between security and other properties, such as safety and reliability. We provide the starting point for a model-based framework designed to support the security testing of modern cars. We use Communicating Sequential Processes (CSP) to create architectural models of the vehicle bus systems, as well as an initial set of attacks against these systems. While this contribution represents initial steps, we are mindful of the ultimate objective of generating test code to exercise the security of vehicle bus systems. We present the way forward from the models created and consider their potential integration with commercial engineering tools

Cryptography and Security,Software Engineering

Sergej Japs,Harald Anacker

DOI: https://doi.org/10.1017/pds.2021.517

2021-07-27

Proceedings of the Design Society

Abstract:Abstract Cyber-physical systems (CPS), like autonomous vehicles, are intelligent and networked. The development of such systems and its components requires interdisciplinary cooperation between different stakeholders. A lack of system understanding between stakeholders can lead to unidentified and unresolved security threats & safety hazards in early engineering phases, resulting in high costs in product development and potentially compromises compliance with the safety of CPS. Model-based systems engineering (MBSE) improves the system understanding between stakeholders by using models. However, MBSE approaches only partially address security threats & safety hazards. In particular, their integrative consideration is not taken into account. Established security & safety approaches are either only applicable to specific disciplines or only partially consider security threats & safety hazards. In the context of this paper we present a method for the resolution of safety relevant security threats in the system architecture design phase using design patterns. We illustrate our approach with the example of the automotive sector. Finally, we present an evaluation of the method, based on an 8 week project with 67 master students.

Stefan Marksteiner,Peter Priller

DOI: https://doi.org/10.1109/eurospw54576.2021.00021

2021-09-01

Abstract:Through international regulations (most prominently the latest UNECE regulation) and standards, the already widely perceived higher need for cybersecurity in automotive systems has been recognized and will mandate higher efforts for cybersecurity engineering. The UNECE also demands the effectiveness of these engineering to be verified and validated through testing. This requires both a significantly higher rate and more comprehensiveness of cybersecurity testing that is not effectively to cope with using current, predominantly manual, automotive cybersecurity testing techniques. To allow for comprehensive and efficient testing at all stages of the automotive life cycle, including supply chain parts not at hand, and to facilitate efficient third party testing, as well as to test under real-world conditions, also methodologies for testing the cybersecurity of vehicular systems as a black box are necessary. This paper therefore presents a model and attack tree-based approach to (semi-)automate automotive cybersecurity testing, as well as considerations for automatically black box-deriving models for the use in attack modeling.

Stefan Marksteiner,Slava Bronfman,Markus Wolf,Eddie Lazebnik

DOI: https://doi.org/10.1109/EuroSPW54576.2021.00020

2021-07-15

Abstract:Cybersecurity testing of automotive systems has become a practical necessity, with the wide adoption of advanced driving assistance functions and vehicular communications. These functionalities require the integration of information and communication technologies that not only allow for a plethora of on-the-fly configuration abilities, but also provide a huge surface for attacks. Theses circumstances have also been recognized by standardization and regulation bodies, making the need for not only proper cybersecurity engineering but also proving the effectiveness of security measures by verification and validation through testing also a formal necessity. In order to keep pace with the rapidly growing demand of neutral-party security testing of vehicular systems, novel approaches are needed. This paper therefore presents a methodology to create and execute cybersecurity test cases on the fly in a black box setting by using pattern matching-based binary analysis and translation mechanisms to formal attack descriptions as well as model-checking techniques. The approach is intended to generate meaningful attack vectors on a system with next-to-zero a priori knowledge.

Cryptography and Security

Sekar Kulandaivel,Wenjuan Lu,Brandon Barry,Jorge Guajardo

2024-04-03

Abstract:In the automotive security sector, the absence of a testing platform that is configurable, practical, and user-friendly presents considerable challenges. These difficulties are compounded by the intricate design of vehicle systems, the rapid evolution of attack vectors, and the absence of standardized testing methodologies. We propose a next-generation testing platform that addresses several challenges in vehicle cybersecurity testing and research domains. In this paper, we detail how the Vehicle Security Engineering Cloud (VSEC) Test platform enables easier access to test beds for efficient vehicle cybersecurity testing and advanced (e.g., penetration, fuzz) testing and how we extend such test beds to benefit automotive security research. We highlight methodology on how to use this platform for a variety of users and use cases with real implemented examples.

Cryptography and Security,Systems and Control

Árpád Török,Zsombor Pethő

DOI: https://doi.org/10.3311/pptr.15850

2020-08-07

Periodica Polytechnica Transportation Engineering

Abstract:Since modern vehicles are connected and their transport processes are strongly supported by different automated functions, malicious external interventions can impair safety integrity. Therefore, it seems to be reasonable in the future to introduce safety and security co-engineering approaches in the automotive industry. With regard to the performed evaluation, three main promising research orientations have been identified. Automotive safety and security related development of co-engineering methodology and validation framework are of key importance from the viewpoint of autonomous transportation. Accordingly, a scenario based, integrated evaluation of automotive safety and security would be closely fit to the concept of SOTIF and the SoS approach. Beyond this, the communication and network security of "vehicle to everything" channels have to also be in the focus of automotive researches. Additionally, the development of automotive anomaly detection systems, especially focusing on the complex SoS operation processes will be a highly important research orientation.

Alessia Knauss,Jan Schröder,Christian Berger,Henrik Eriksson

DOI: https://doi.org/10.48550/arXiv.1708.06988

2017-05-09

Abstract:The technology in the area of automated vehicles is gaining speed and promises many advantages. However, with the recent introduction of conditionally automated driving, we have also seen accidents. Test protocols for both, conditionally automated (e.g., on highways) and automated vehicles do not exist yet and leave researchers and practitioners with different challenges. For instance, current test procedures do not suffice for fully automated vehicles, which are supposed to be completely in charge for the driving task and have no driver as a back up. This paper presents current challenges of testing the functionality and safety of automated vehicles derived from conducting focus groups and interviews with 26 participants from five countries having a background related to testing automotive safety-related <a class="link-external link-http" href="http://topics.We" rel="external noopener nofollow">this http URL</a> provide an overview of the state-of-practice of testing active safety features as well as challenges that needs to be addressed in the future to ensure safety for automated vehicles. The major challenges identified through the interviews and focus groups, enriched by literature on this topic are related to 1) virtual testing and simulation, 2) safety, reliability, and quality, 3) sensors and sensor models, 4) required scenario complexity and amount of test cases, and 5) handover of responsibility between the driver and the vehicle.

Software Engineering,Artificial Intelligence,Robotics

Timm Lauser,Daniel Zelle,Christoph Krauß

DOI: https://doi.org/10.1145/3385958.3430482

2020-12-02

Abstract:The technology of modern vehicles is currently undergoing a major transformation with increased communication and the introduction of new protocols. It is essential that these protocols are secure and do not allow attacks on the vehicle. In this paper, we discuss how formal models can be used to verify the security of protocols used in modern vehicles and propose new group membership authentication properties for shared key scenarios used in some automotive protocols. Our focus is on tool-based analysis for which we provide an overview of suitable tools, analyze the current status of (automotive) protocol analysis and, as an example, analyze AUTOSAR’s Secure Onboard Communication (SecOC) with the Tamarin tool. Our results show that tool-based formal analysis is a relatively quick and easy way to assess the security of protocols and can help to increase the security of modern vehicles.

Christian Plappert,Florian Fenzl,Roland Rieke,Ilaria Matteucci,Gianpiero Costantino,Marco De Vincenzi

DOI: https://doi.org/10.1109/pdp55904.2022.00047

2022-03-01

Abstract:Automated driving requires increasing networking of vehicles, which in turn broadens their attack surface. In this paper, we describe several security design patterns that target critical steps in automotive attack chains and mitigate their con-sequences. These patterns enable the detection of anomalies in the firmware when booting, detect anomalies in the communication in the vehicle, prevent unauthorized control units from successfully transmitting messages, offer a way of transmitting security-related events within a vehicle network and reporting them to units external to the vehicle, and ensure that communication in the vehicle is secure. Using the example of a future high-level Electrical / Electronic (E / E) architecture, we also describe how these security design patterns can be used to become aware of the current attack situation and how to react to it.

Christian Wolschke,Behrooz Sangchoolie,Jacob Simon,Stefan Marksteiner,Tobias Braun,Hayk Hamazaryan

DOI: https://doi.org/10.1109/DSN-W52860.2021.00016

2021-06-25

Abstract:Increasing communication and self-driving capabilities for road vehicles lead to threats imposed by attackers. Especially attacks leading to safety violations have to be identified to address them by appropriate measures. The impact of an attack depends on the threat exploited, potential countermeasures and the traffic situation. In order to identify such attacks and to use them for testing, we propose the systematic approach SaSeVAL for deriving attacks of autonomous vehicles. SaSeVAL is based on threats identification and safety-security analysis. The impact of automotive use cases to attacks is considered. The threat identification considers the attack interface of vehicles and classifies threat scenarios according to threat types, which are then mapped to attack types. The safety-security analysis identifies the necessary requirements which have to be tested based on the architecture of the system under test. lt determines which safety impact a security violation may have, and in which traffic situations the highest impact is expected. Finally, the results of threat identification and safety-security analysis are used to describe attacks. The goal of SaSeVAL is to achieve safety validation of the vehicle w.r.t. security concerns. lt traces safety goals to threats and to attacks explicitly. Hence, the coverage of safety concerns by security testing is assured. Two use cases of vehicle communication and autonomous driving are investigated to prove the applicability of the approach.

Cryptography and Security