Using ID-Hopping to Defend Against Targeted DoS on CAN
Abdulmalik Humayed, Bo Luo
Proceedings of the 1st International Workshop on Safe Control of Connected and Autonomous Vehicles, 2017-04-18. DOI: 10.1145/3055378.3055382 (https://doi.org/10.1145/3055378.3055382)
Abstract: With the exponential growth of automotive security research, new security vulnerabilities and attacks have been revealed and new challenges have emerged. In recent years, attacks ranging from replay attacks, through false information injection, to Denial of Service (DoS) have shown how fragile automotive security is. As a result, a number of security solutions that rely on techniques such as encryption and firewalls have been proposed. However, most proposals require performance and computational overheads that would become an additional burden rather than a solution. In this paper, we propose a new automotive network algorithm, called ID-Hopping, that aims to prevent targeted DoS attacks, in which attackers target specific functions by injecting crafted frames that disrupt a car's normal operation. We aim to raise the bar for attackers by randomizing the expected patterns in the automotive network; such randomization hinders the attacker's ability to launch targeted DoS attacks. We built a testing platform and implemented the randomization mechanism to evaluate the algorithm's effectiveness. Based on the evaluation, the algorithm holds promise as a solution for targeted DoS, and even for reverse engineering, to which automotive networks are most vulnerable.
A Game-Theoretic Approach to Secure Control of Communication-Based Train Control Systems Under Jamming Attacks
Zhiheng Xu, Quanyan Zhu
Proceedings of the 1st International Workshop on Safe Control of Connected and Autonomous Vehicles, 2017-04-18. DOI: 10.1145/3055378.3055381 (https://doi.org/10.1145/3055378.3055381)
Abstract: To meet the growing demand for railway transportation, a new train control system, the communication-based train control (CBTC) system, aims to maximize the capacity of train lines by reducing the headway between trains. However, the wireless communications expose the CBTC system to new security threats. Due to the cyber-physical nature of the CBTC system, a jamming attack can damage the physical part of the train system by disrupting the communications. To address this issue, we develop a secure framework to mitigate the impact of the jamming attack based on a security criterion. At the cyber layer, we apply a multi-channel model to enhance the reliability of the communications and develop a zero-sum stochastic game to capture the interactions between the transmitter and the jammer. We present analytical results and apply dynamic programming to find the equilibrium of the stochastic game. Finally, experimental results are provided to evaluate the performance of the proposed secure mechanism.
Osiris: A Tool for Abstraction and Verification of Control Software with Lookup Tables
N. Aréchiga, Sumanth Dathathri, Shashank Vernekar, Nagesh Kathare, Sicun Gao, Shin'ichi Shiraishi
Proceedings of the 1st International Workshop on Safe Control of Connected and Autonomous Vehicles, 2017-04-18. DOI: 10.1145/3055378.3055384 (https://doi.org/10.1145/3055378.3055384)
Abstract: Some industrial systems are difficult to formally verify due to their large scale. In particular, the widespread use of lookup tables in embedded systems across diverse industries, such as aeronautics and automotive systems, creates a critical obstacle to the scalability of formal verification. This paper presents Osiris, a tool that automatically computes abstractions of lookup tables. Osiris uses these abstractions to verify a property in first-order logic. If the verification fails, Osiris uses a falsification heuristic to search for a violation of the specification. We validate our technique on a public benchmark of an adaptive cruise controller with lookup tables.
A Game-Theoretic Approach and Evaluation of Adversarial Vehicular Platooning
Imran Sajjad, Rajnikant Sharma, Ryan M. Gerdes
Proceedings of the 1st International Workshop on Safe Control of Connected and Autonomous Vehicles, 2017-04-18. DOI: 10.1145/3055378.3055383 (https://doi.org/10.1145/3055378.3055383)
Abstract: In this paper, we consider an attack on a string of automated vehicles, or platoon, from a game-theoretic standpoint. Game theory enables us to ask the question of optimality in an adversarial environment: what is the optimal strategy that an attacker can use to disrupt the operation of automated vehicles, given that the defenders are also optimally trying to maintain normal operation? We formulate a zero-sum game and find optimal controllers for different game parameters. A platoon is then simulated and its closed-loop stability is evaluated in the presence of an optimal attack. It is shown that, under the constraint of optimality, the attacker cannot significantly degrade the stability of a vehicle platoon in nominal cases. We argue that for the optimal solution to approach instability, the game has to be formulated almost unfairly in favor of the attacker.
Challenges in Autonomous Vehicle Validation: Keynote Presentation Abstract
P. Koopman
Proceedings of the 1st International Workshop on Safe Control of Connected and Autonomous Vehicles, 2017-04-18. DOI: 10.1145/3055378.3055379 (https://doi.org/10.1145/3055378.3055379)
Abstract: Developers of autonomous systems face distinct challenges in conforming to established methods of validating safety. It is well known that testing alone is insufficient to assure safety, because testing long enough to establish ultra-dependability is generally impractical. That is why software safety standards emphasize high-quality development processes. Testing then validates process execution rather than directly validating dependability. Two significant challenges arise in applying traditional safety processes to autonomous vehicles. First, simply gathering a complete set of system requirements is difficult because of the sheer number of combinations of possible scenarios and faults. Second, autonomy systems commonly use machine learning (ML) in a way that makes the requirements and design of the system opaque. After training, we usually know what an ML component will do for an input it has seen, but generally not what it will do for at least some other inputs until we try them. Both of these issues make it difficult to trace requirements and designs to testing, as is required for executing a safety validation process. In other words, we are building systems that cannot be validated due to incomplete or even unknown requirements and designs. Adaptation makes the problem even worse by making the system that must be validated a moving target. In the general case, it is impractical to validate all the possible adaptation states of an autonomy system using traditional safety design processes. An approach that can help with the requirements, design, and adaptation problems is to base a safety argument not on the correctness of the autonomy functionality itself, but rather on conformance to a set of safety envelopes. Each safety envelope describes a boundary within the operational state space of the autonomy system. A system operating within a "safe" envelope knows that it is safe and can operate with full autonomy. A system operating within an "unsafe" envelope knows that it is unsafe and must invoke a failsafe action. Multiple partial specifications can be used as an envelope set, with the intersection of safe envelopes permitting full autonomy and the union of unsafe envelopes provoking validated, and potentially complex, failsafe responses. Envelope mechanisms can be implemented using traditional software engineering techniques, reducing the problems with requirements, design, and adaptation that would otherwise impede safety validation. Rather than attempting to prove that autonomy will always work correctly (which is still a valuable goal for improving availability), the envelope approach measures the behavior of one or more autonomous components to determine whether the result is safe. While this is not necessarily an easy thing to do, there is reason to believe that checking autonomy behaviors for safety is easier than implementing perfect, optimized autonomy actions. This envelope approach might be used to detect faults during development and to trig
Vehicle Platooning Simulations with Functional Reactive Programming
B. Finkbeiner, F. Klein, R. Piskac, Mark Santolucito
Proceedings of the 1st International Workshop on Safe Control of Connected and Autonomous Vehicles, 2017-04-18. DOI: 10.1145/3055378.3055385 (https://doi.org/10.1145/3055378.3055385)
Abstract: Functional languages have provided major benefits to the verification community. Although features such as purity, a strong type system, and computational abstractions can help guide programmers away from costly errors, they can present challenges when used in a reactive system. Functional Reactive Programming (FRP) is a paradigm that gives users the benefits of functional languages together with an easy interface to a reactive environment. We present a tool for building autonomous vehicle controllers in FRP using Haskell.
Controlling for Unsafe Events in Dense Traffic through Autonomous Vehicles: Invited Talk Abstract
D. Work, Raphael E. Stern, Fangyu Wu, M. Churchill, Shumo Cui, H. Pohlmann, Benjamin Seibold, B. Piccoli, R. Bhadani, Matt Bunting, J. Sprinkle, M. D. Monache, Nathaniel P. Hamilton, R'mani Haulcy
Proceedings of the 1st International Workshop on Safe Control of Connected and Autonomous Vehicles, 2017-04-18. DOI: 10.1145/3055378.3055380 (https://doi.org/10.1145/3055378.3055380)
Abstract: This talk focuses on stop-and-go instabilities in dense traffic flows, and on how autonomous vehicles can be applied to control for these instabilities.
Proceedings of the 1st International Workshop on Safe Control of Connected and Autonomous Vehicles (front matter)
Listed authors: Scav, P. Koopman, Matt Bunting, J. Sprinkle, M. D. Monache, N. Aréchiga, Sumanth Dathathri, Shashank Vernekar, Nagesh Kathare, B. Finkbeiner, F. Klein
DOI: 10.1145/3055378 (https://doi.org/10.1145/3055378). No abstract.