Jiyang Chen, Tomasz Kloda, Rohan Tabish, Ayoosh Bansal, Chien-Ying Chen, Bo Liu, Sibin Mohan, Marco Caccamo, Lui Sha
Timing correctness is crucial in a multi-criticality real-time system, such as an autonomous driving system. It has been recently shown that these systems can be vulnerable to timing inference attacks, mainly due to their predictable behavioral patterns. Existing solutions like schedule randomization cannot protect against such attacks, often limited by the system’s real-time nature. This article presents “ SchedGuard++ ”: a temporal protection framework for Linux-based real-time systems that protects against posterior schedule-based attacks by preventing untrusted tasks from executing during specific time intervals. SchedGuard++ supports multi-core platforms and is implemented using Linux containers and a customized Linux kernel real-time scheduler. We provide schedulability analysis assuming the Logical Execution Time (LET) paradigm, which enforces I/O predictability. The proposed response time analysis takes into account the interference from trusted and untrusted tasks and the impact of the protection mechanism. We demonstrate the effectiveness of our system using a realistic radio-controlled rover platform. Not only is “ SchedGuard++ ” able to protect against the posterior schedule-based attacks, but it also ensures that the real-time tasks/containers meet their temporal requirements.
{"title":"SchedGuard++: Protecting against Schedule Leaks Using Linux Containers on Multi-Core Processors","authors":"Jiyang Chen, Tomasz Kloda, Rohan Tabish, Ayoosh Bansal, Chien-Ying Chen, Bo Liu, Sibin Mohan, Marco Caccamo, Lui Sha","doi":"10.1145/3565974","DOIUrl":"https://doi.org/10.1145/3565974","url":null,"abstract":"Timing correctness is crucial in a multi-criticality real-time system, such as an autonomous driving system. It has been recently shown that these systems can be vulnerable to timing inference attacks, mainly due to their predictable behavioral patterns. Existing solutions like schedule randomization cannot protect against such attacks, often limited by the system’s real-time nature. This article presents “ SchedGuard++ ”: a temporal protection framework for Linux-based real-time systems that protects against posterior schedule-based attacks by preventing untrusted tasks from executing during specific time intervals. SchedGuard++ supports multi-core platforms and is implemented using Linux containers and a customized Linux kernel real-time scheduler. We provide schedulability analysis assuming the Logical Execution Time (LET) paradigm, which enforces I/O predictability. The proposed response time analysis takes into account the interference from trusted and untrusted tasks and the impact of the protection mechanism. We demonstrate the effectiveness of our system using a realistic radio-controlled rover platform. Not only is “ SchedGuard++ ” able to protect against the posterior schedule-based attacks, but it also ensures that the real-time tasks/containers meet their temporal requirements.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":"107 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-01-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"135202259","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Jarul Mehta, Guillaume Richard, Loren Lugosch, Derek Yu, B. Meyer
The controller area network (CAN) protocol, used in many modern vehicles for real-time inter-device communications, is known to have cybersecurity vulnerabilities, putting passengers at risk for data exfiltration and control system sabotage. To address this issue, researchers have proposed to utilize security measures based on cryptography and message authentication; unfortunately, such approaches are often too computationally expensive to be deployed in real time on CAN devices. Additionally, they have developed machine learning (ML) techniques to detect anomalies in CAN traffic and thereby prevent attacks. The main disadvantage of existing ML-based techniques is that they either depend on additional computational hardware or they heuristically assume that all communication anomalies are malicious. In this article, we show that tree-based learning ensembles outperform anomaly-based techniques like AutoRegressive Integrated Moving Average (ARIMA) and Z-Score when used to detect attacks that result in increased bus utilization. We evaluated the detection capacity of three tree-based ensembles, Adaboost, gradient boosting, and random forests, and collectively refer to these as DT-DS. We conclude that the decision tree ensemble with Adaboost performs best with an area under curve (AUC) score of 0.999, closely followed by gradient boosting and random forests with 0.997 and 0.991 AUC scores, respectively, when trained using message profiles. We observe that with an increase in the observation window, the DT-DS models present an average AUC score of 0.999, and offer a nearly perfect detection of attacks, at the cost of increased latency in detection of attacked messages. We evaluate the performance of the IDS for Aeronautical Radio, Incorporated– (ARINC) encoded CAN communication traffic in avionic systems, generated using an aerospace testbench, ARINC-825TBv2. The IDS has been evaluated against the active attacks of a state-of-the-art predictive attacker model. Additionally, we observed that the performance of IDS approaches such as ARIMA and Z-Score degrade considerably with a decrease in the size of the observation time window. In contrast, the performance of DT-DS models is consistent, with only an average drop of 0.005 in the AUC score.
{"title":"DT-DS: CAN Intrusion Detection with Decision Tree Ensembles","authors":"Jarul Mehta, Guillaume Richard, Loren Lugosch, Derek Yu, B. Meyer","doi":"10.1145/3566132","DOIUrl":"https://doi.org/10.1145/3566132","url":null,"abstract":"The controller area network (CAN) protocol, used in many modern vehicles for real-time inter-device communications, is known to have cybersecurity vulnerabilities, putting passengers at risk for data exfiltration and control system sabotage. To address this issue, researchers have proposed to utilize security measures based on cryptography and message authentication; unfortunately, such approaches are often too computationally expensive to be deployed in real time on CAN devices. Additionally, they have developed machine learning (ML) techniques to detect anomalies in CAN traffic and thereby prevent attacks. The main disadvantage of existing ML-based techniques is that they either depend on additional computational hardware or they heuristically assume that all communication anomalies are malicious. In this article, we show that tree-based learning ensembles outperform anomaly-based techniques like AutoRegressive Integrated Moving Average (ARIMA) and Z-Score when used to detect attacks that result in increased bus utilization. We evaluated the detection capacity of three tree-based ensembles, Adaboost, gradient boosting, and random forests, and collectively refer to these as DT-DS. We conclude that the decision tree ensemble with Adaboost performs best with an area under curve (AUC) score of 0.999, closely followed by gradient boosting and random forests with 0.997 and 0.991 AUC scores, respectively, when trained using message profiles. We observe that with an increase in the observation window, the DT-DS models present an average AUC score of 0.999, and offer a nearly perfect detection of attacks, at the cost of increased latency in detection of attacked messages. We evaluate the performance of the IDS for Aeronautical Radio, Incorporated– (ARINC) encoded CAN communication traffic in avionic systems, generated using an aerospace testbench, ARINC-825TBv2. The IDS has been evaluated against the active attacks of a state-of-the-art predictive attacker model. Additionally, we observed that the performance of IDS approaches such as ARIMA and Z-Score degrade considerably with a decrease in the size of the observation time window. In contrast, the performance of DT-DS models is consistent, with only an average drop of 0.005 in the AUC score.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":"7 1","pages":"1 - 27"},"PeriodicalIF":2.3,"publicationDate":"2023-01-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"47361185","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Today's automotive cyber-physical systems for autonomous driving aim to enhance driving safety by replacing the uncertainties posed by human drivers with standard procedures of automated systems. However, the accuracy of in-vehicle perception systems may significantly vary under different operational conditions (e.g., fog density, light condition, etc.) and consequently degrade the reliability of autonomous driving. A perception system for autonomous driving must be carefully validated with an extremely large dataset collected under all possible operational conditions in order to ensure its robustness. The aforementioned dataset required for validation, however, is expensive or even impossible to acquire in practice, since most operational corners rarely occur in a real-world environment. In this paper, we propose to generate synthetic datasets at a variety of operational corners by using a parameterized cycle-consistent generative adversarial network (PCGAN). The proposed PCGAN is able to learn from an image dataset recorded at real-world operational conditions with only a few samples at corners and synthesize a large dataset at a given operational corner. By taking STOP sign detection as an example, our numerical experiments demonstrate that the proposed approach is able to generate high-quality synthetic datasets to facilitate accurate validation.
{"title":"Data-Driven Parameterized Corner Synthesis for Efficient Validation of Perception Systems for Autonomous Driving","authors":"Handi Yu, Xin Li","doi":"10.1145/3571286","DOIUrl":"https://doi.org/10.1145/3571286","url":null,"abstract":"Today's automotive cyber-physical systems for autonomous driving aim to enhance driving safety by replacing the uncertainties posed by human drivers with standard procedures of automated systems. However, the accuracy of in-vehicle perception systems may significantly vary under different operational conditions (e.g., fog density, light condition, etc.) and consequently degrade the reliability of autonomous driving. A perception system for autonomous driving must be carefully validated with an extremely large dataset collected under all possible operational conditions in order to ensure its robustness. The aforementioned dataset required for validation, however, is expensive or even impossible to acquire in practice, since most operational corners rarely occur in a real-world environment. In this paper, we propose to generate synthetic datasets at a variety of operational corners by using a parameterized cycle-consistent generative adversarial network (PCGAN). The proposed PCGAN is able to learn from an image dataset recorded at real-world operational conditions with only a few samples at corners and synthesize a large dataset at a given operational corner. By taking STOP sign detection as an example, our numerical experiments demonstrate that the proposed approach is able to generate high-quality synthetic datasets to facilitate accurate validation.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":"7 1","pages":"1 - 24"},"PeriodicalIF":2.3,"publicationDate":"2023-01-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"42881393","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Anas Alsoliman, Giulio Rigoni, Davide Callegaro, M. Levorato, C. Pinotti, M. Conti
Cheap commercial off-the-shelf (COTS) First-Person View (FPV) drones have become widely available for consumers in recent years. Unfortunately, they also provide low-cost attack opportunities to malicious users. Thus, effective methods to detect the presence of unknown and non-cooperating drones within a restricted area are highly demanded. Approaches based on detection of drones based on emitted video stream have been proposed, but were not yet shown to work against other similar benign traffic, such as that generated by wireless security cameras. Most importantly, these approaches were not studied in the context of detecting new unprofiled drone types. In this work, we propose a novel drone detection framework, which leverages specific patterns in video traffic transmitted by drones. The patterns consist of repetitive synchronization packets (we call pivots), which we use as features for a machine learning classifier. We show that our framework can achieve up to 99% in detection accuracy over an encrypted WiFi channel using only 170 packets originated from the drone within 820ms time period. Our framework is able to identify drone transmissions even among very similar WiFi transmissions (such as video streams originated from security cameras) as well as in noisy scenarios with background traffic. Furthermore, the design of our pivot features enables the classifier to detect unprofiled drones in which the classifier has never trained on and is refined using a novel feature selection strategy that selects the features that have the discriminative power of detecting new unprofiled drones.
{"title":"Intrusion Detection Framework for Invasive FPV Drones Using Video Streaming Characteristics","authors":"Anas Alsoliman, Giulio Rigoni, Davide Callegaro, M. Levorato, C. Pinotti, M. Conti","doi":"10.1145/3579999","DOIUrl":"https://doi.org/10.1145/3579999","url":null,"abstract":"Cheap commercial off-the-shelf (COTS) First-Person View (FPV) drones have become widely available for consumers in recent years. Unfortunately, they also provide low-cost attack opportunities to malicious users. Thus, effective methods to detect the presence of unknown and non-cooperating drones within a restricted area are highly demanded. Approaches based on detection of drones based on emitted video stream have been proposed, but were not yet shown to work against other similar benign traffic, such as that generated by wireless security cameras. Most importantly, these approaches were not studied in the context of detecting new unprofiled drone types. In this work, we propose a novel drone detection framework, which leverages specific patterns in video traffic transmitted by drones. The patterns consist of repetitive synchronization packets (we call pivots), which we use as features for a machine learning classifier. We show that our framework can achieve up to 99% in detection accuracy over an encrypted WiFi channel using only 170 packets originated from the drone within 820ms time period. Our framework is able to identify drone transmissions even among very similar WiFi transmissions (such as video streams originated from security cameras) as well as in noisy scenarios with background traffic. Furthermore, the design of our pivot features enables the classifier to detect unprofiled drones in which the classifier has never trained on and is refined using a novel feature selection strategy that selects the features that have the discriminative power of detecting new unprofiled drones.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":"7 1","pages":"1 - 29"},"PeriodicalIF":2.3,"publicationDate":"2023-01-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49235077","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Nitasha Sahani, Ruoxi Zhu, Jinny Cho, Chen-Ching Liu
Machine learning (ML)-based intrusion detection system (IDS) approaches have been significantly applied and advanced the state-of-the-art system security and defense mechanisms. In smart grid computing environments, security threats have been significantly increased as shared networks are commonly used, along with the associated vulnerabilities. However, compared to other network environments, ML-based IDS research in a smart grid is relatively unexplored, although the smart grid environment is facing serious security threats due to its unique environmental vulnerabilities. In this article, we conducted an extensive survey on ML-based IDS in smart grids based on the following key aspects: (1) The applications of the ML-based IDS in transmission and distribution side power components of a smart power grid by addressing its security vulnerabilities; (2) dataset generation process and its usage in applying ML-based IDSs in the smart grid; (3) a wide range of ML-based IDSs used by the surveyed papers in the smart grid environment; (4) metrics, complexity analysis, and evaluation testbeds of the IDSs applied in the smart grid; and (5) lessons learned, insights, and future research directions.
{"title":"Machine Learning-based Intrusion Detection for Smart Grid Computing: A Survey","authors":"Nitasha Sahani, Ruoxi Zhu, Jinny Cho, Chen-Ching Liu","doi":"10.1145/3578366","DOIUrl":"https://doi.org/10.1145/3578366","url":null,"abstract":"Machine learning (ML)-based intrusion detection system (IDS) approaches have been significantly applied and advanced the state-of-the-art system security and defense mechanisms. In smart grid computing environments, security threats have been significantly increased as shared networks are commonly used, along with the associated vulnerabilities. However, compared to other network environments, ML-based IDS research in a smart grid is relatively unexplored, although the smart grid environment is facing serious security threats due to its unique environmental vulnerabilities. In this article, we conducted an extensive survey on ML-based IDS in smart grids based on the following key aspects: (1) The applications of the ML-based IDS in transmission and distribution side power components of a smart power grid by addressing its security vulnerabilities; (2) dataset generation process and its usage in applying ML-based IDSs in the smart grid; (3) a wide range of ML-based IDSs used by the surveyed papers in the smart grid environment; (4) metrics, complexity analysis, and evaluation testbeds of the IDSs applied in the smart grid; and (5) lessons learned, insights, and future research directions.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":" ","pages":"1 - 31"},"PeriodicalIF":2.3,"publicationDate":"2023-01-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"46531489","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Automotive cyber-physical systems consist of multiple control subsystems working under resource limitations, and the trend is to run the corresponding control tasks on a shared platform. The resource requirements of the tasks are usually variable at runtime due to the uncertainties in the environment, necessitating some kinds of adaptation to deal with the resource limitations. Such adaptations may positively or negatively affect the control performance of several subsystems. Since there might be some thresholds on the control performances as quality constraints, this matter should be considered carefully to avoid any quality attribute constraint violation. This paper proposes a scalable control performance constraint verification method for such a system that works based on a feedback scheduler. The scalability is the result of a control-aware pruning method. In case of a constraint violation, the designer may change the system configuration and perform re-verification. Our evaluations show that the proposed method scales well while preserving the verification soundness.
{"title":"Control Performance Analysis of Automotive Cyber-Physical Systems: A Study on Efficient Formal Verification","authors":"V. Panahi, M. Kargahi, Fathiyeh Faghih","doi":"10.1145/3576046","DOIUrl":"https://doi.org/10.1145/3576046","url":null,"abstract":"Automotive cyber-physical systems consist of multiple control subsystems working under resource limitations, and the trend is to run the corresponding control tasks on a shared platform. The resource requirements of the tasks are usually variable at runtime due to the uncertainties in the environment, necessitating some kinds of adaptation to deal with the resource limitations. Such adaptations may positively or negatively affect the control performance of several subsystems. Since there might be some thresholds on the control performances as quality constraints, this matter should be considered carefully to avoid any quality attribute constraint violation. This paper proposes a scalable control performance constraint verification method for such a system that works based on a feedback scheduler. The scalability is the result of a control-aware pruning method. In case of a constraint violation, the designer may change the system configuration and perform re-verification. Our evaluations show that the proposed method scales well while preserving the verification soundness.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":"1 1","pages":""},"PeriodicalIF":2.3,"publicationDate":"2022-12-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"42137204","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Khaled Sarieddine, M. Sayed, Sadegh Torabi, Ribal Atallah, C. Assi
The adoption rate of EVs has witnessed a significant increase in recent years driven by multiple factors, chief among which is the increased flexibility and ease of access to charging infrastructure. To improve user experience and increase system flexibility, mobile applications have been incorporated into the EV charging ecosystem. EV charging mobile applications allow consumers to remotely trigger actions on charging stations and use functionalities such as start/stop charging sessions, pay for usage, and locate charging stations, to name a few. In this paper, we study the security posture of the EV charging ecosystem against a new type of remote which exploits vulnerabilities in the EV charging mobile applications as an attack surface. We leverage a combination of static and dynamic analysis techniques to analyze the security of widely used EV charging mobile applications. Our analysis was performed on 31 of the most widely used mobile applications including their interactions with various components such as the cloud management systems. The attack, scenarios that exploit these vulnerabilities were verified on a real-time co-simulation test bed. Our discoveries indicate the lack of user/vehicle verification and improper authorization for critical functions, which allow adversaries to remotely hijack charging sessions and launch attacks against the connected critical infrastructure. The attacks were demonstrated using the EVCS mobile applications showing the feasibility and the applicability of our attacks. Indeed, we discuss specific remote attack scenarios and their impact on EV users. More importantly, our analysis results demonstrate the feasibility of leveraging existing vulnerabilities across various EV charging mobile applications to perform wide-scale coordinated remote charging/discharging attacks against the connected critical infrastructure (e.g., power grid), with significant economical and operational implications. Finally, we propose countermeasures to secure the infrastructure and impede adversaries from performing reconnaissance and launching remote attacks using compromised accounts.
{"title":"Investigating the Security of EV Charging Mobile Applications As an Attack Surface","authors":"Khaled Sarieddine, M. Sayed, Sadegh Torabi, Ribal Atallah, C. Assi","doi":"10.1145/3609508","DOIUrl":"https://doi.org/10.1145/3609508","url":null,"abstract":"The adoption rate of EVs has witnessed a significant increase in recent years driven by multiple factors, chief among which is the increased flexibility and ease of access to charging infrastructure. To improve user experience and increase system flexibility, mobile applications have been incorporated into the EV charging ecosystem. EV charging mobile applications allow consumers to remotely trigger actions on charging stations and use functionalities such as start/stop charging sessions, pay for usage, and locate charging stations, to name a few. In this paper, we study the security posture of the EV charging ecosystem against a new type of remote which exploits vulnerabilities in the EV charging mobile applications as an attack surface. We leverage a combination of static and dynamic analysis techniques to analyze the security of widely used EV charging mobile applications. Our analysis was performed on 31 of the most widely used mobile applications including their interactions with various components such as the cloud management systems. The attack, scenarios that exploit these vulnerabilities were verified on a real-time co-simulation test bed. Our discoveries indicate the lack of user/vehicle verification and improper authorization for critical functions, which allow adversaries to remotely hijack charging sessions and launch attacks against the connected critical infrastructure. The attacks were demonstrated using the EVCS mobile applications showing the feasibility and the applicability of our attacks. Indeed, we discuss specific remote attack scenarios and their impact on EV users. More importantly, our analysis results demonstrate the feasibility of leveraging existing vulnerabilities across various EV charging mobile applications to perform wide-scale coordinated remote charging/discharging attacks against the connected critical infrastructure (e.g., power grid), with significant economical and operational implications. Finally, we propose countermeasures to secure the infrastructure and impede adversaries from performing reconnaissance and launching remote attacks using compromised accounts.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":" ","pages":""},"PeriodicalIF":2.3,"publicationDate":"2022-11-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"48935364","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Modern vehicles contain a multitude of electronic control units that implement software features controlling most of the operational, entertainment, connectivity, and safety aspects of the vehicle. However, with security requirements often being an afterthought in automotive software development, incorporation of such software features with intra- and inter-vehicular connectivity requirements often opens up new attack surfaces. Demonstrations of such security vulnerabilities in past reports and literature bring in the necessity to formally analyze how secure automotive control systems really are against adversarial attacks. Modern vehicles often incorporate onboard monitoring systems that test the sanctity of data samples communicated among controllers and detect possible attack/noise insertion scenarios. The performance of such monitors against security threats also needs to be verified. In this work, we outline a rigorous methodology for estimating the vulnerability of automotive CPSs. We provide a computer-aided design framework that considers the model-based representation of safety-critical automotive controllers and monitoring systems working in a closed loop with vehicle dynamics and verifies their safety and robustness w.r.t. false data injection attacks. Symbolically exploring all possible combinations of attack points of the input automotive CPS, the proposed framework tries to find out which sensor and/or actuation signal is vulnerable by generating stealthy and successful attacks using a formal method-based counter-example guided abstract refinement process. We also validate the efficacy of the proposed framework using a case study performed in an industry-scale simulator.
{"title":"CAD Support for Security and Robustness Analysis of Safety-critical Automotive Software","authors":"Ipsita Koley, Soumyajit Dey, Debdeep Mukhopadhyay, Sachin Kumar Singh, Lavanya Lokesh, Shantaram Vishwanath Ghotgalkar","doi":"10.1145/3571287","DOIUrl":"https://doi.org/10.1145/3571287","url":null,"abstract":"Modern vehicles contain a multitude of electronic control units that implement software features controlling most of the operational, entertainment, connectivity, and safety aspects of the vehicle. However, with security requirements often being an afterthought in automotive software development, incorporation of such software features with intra- and inter-vehicular connectivity requirements often opens up new attack surfaces. Demonstrations of such security vulnerabilities in past reports and literature bring in the necessity to formally analyze how secure automotive control systems really are against adversarial attacks. Modern vehicles often incorporate onboard monitoring systems that test the sanctity of data samples communicated among controllers and detect possible attack/noise insertion scenarios. The performance of such monitors against security threats also needs to be verified. In this work, we outline a rigorous methodology for estimating the vulnerability of automotive CPSs. We provide a computer-aided design framework that considers the model-based representation of safety-critical automotive controllers and monitoring systems working in a closed loop with vehicle dynamics and verifies their safety and robustness w.r.t. false data injection attacks. Symbolically exploring all possible combinations of attack points of the input automotive CPS, the proposed framework tries to find out which sensor and/or actuation signal is vulnerable by generating stealthy and successful attacks using a formal method-based counter-example guided abstract refinement process. We also validate the efficacy of the proposed framework using a case study performed in an industry-scale simulator.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":"7 1","pages":"1 - 26"},"PeriodicalIF":2.3,"publicationDate":"2022-11-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"44210288","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
With progress in cooperative and autonomous driving, there is an increasing interest in intelligent intersections to replace conventional traffic lights and, thereby, improve traffic efficiency. To avoid accidents in such safety-critical systems, a traffic protocol needs to be implemented. In this article, we are concerned with synchronous traffic protocols, i.e., those that synchronize the arrival time of vehicles at the intersection. In particular, such protocols are normally conceived for homogeneous vehicles of approximately the same size/length. However, these do not extend well to heterogeneous vehicles, i.e., they lead to unviable requirements on the road infrastructure. To overcome this limitation, based on the observation that large/overlength vehicles like buses and trams are less frequent than passenger vehicles, we propose an approach that treats them as exceptions (rather than the rule) leading to a much more efficient design. In contrast to approaches from the literature, we implement a two-speed policy—with a high speed for drive-through and a low speed for turn maneuvers—and analyze both single-vehicle as well as fairness-based platoon crossing. To conclude, we perform detailed comparisons illustrating the benefits by the proposed approach.
{"title":"A Two-Speed Synchronous Traffic Protocol for Intelligent Intersections: From Single-Vehicle to Platoon Crossing","authors":"Daniel Markert, Alejandro Masrur","doi":"10.1145/3571289","DOIUrl":"https://doi.org/10.1145/3571289","url":null,"abstract":"With progress in cooperative and autonomous driving, there is an increasing interest in intelligent intersections to replace conventional traffic lights and, thereby, improve traffic efficiency. To avoid accidents in such safety-critical systems, a traffic protocol needs to be implemented. In this article, we are concerned with synchronous traffic protocols, i.e., those that synchronize the arrival time of vehicles at the intersection. In particular, such protocols are normally conceived for homogeneous vehicles of approximately the same size/length. However, these do not extend well to heterogeneous vehicles, i.e., they lead to unviable requirements on the road infrastructure. To overcome this limitation, based on the observation that large/overlength vehicles like buses and trams are less frequent than passenger vehicles, we propose an approach that treats them as exceptions (rather than the rule) leading to a much more efficient design. In contrast to approaches from the literature, we implement a two-speed policy—with a high speed for drive-through and a low speed for turn maneuvers—and analyze both single-vehicle as well as fairness-based platoon crossing. To conclude, we perform detailed comparisons illustrating the benefits by the proposed approach.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":"7 1","pages":"1 - 21"},"PeriodicalIF":2.3,"publicationDate":"2022-11-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"42594375","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Mazen Mohamad, Rodi Jolak, Örjan Askerdal, Jan-Philipp Steghöfer, R. Scandariato
Security Assurance Cases (SAC) are structured arguments and evidence bodies used to reason about the security of a certain system. SACs are gaining focus in the automotive industry, as the needs for security assurance are growing in this domain. However, the state-of-the-arts lack a mature approach able to suit the needs of the automotive industry. In this article, we present CASCADE, an asset-driven approach for creating SAC, which is inspired by the upcoming security standard ISO/SAE-21434 as well as the internal needs of automotive Original Equipment Manufacturers (OEMs). CASCADE also differentiates itself from the state-of-the-art by incorporating a way to reason about the quality of the constructed security assurance case. We created the approach by conducting an iterative design science research study. We illustrate the results using the example case of the road vehicle’s headlamp provided in the ISO standard. We also illustrate how our approach aligns well with the structure and content of the ISO/SAE-21434 standard, hence demonstrating the practical applicability of CASCADE in an industrial context.
{"title":"CASCADE: An Asset-driven Approach to Build Security Assurance Cases for Automotive Systems","authors":"Mazen Mohamad, Rodi Jolak, Örjan Askerdal, Jan-Philipp Steghöfer, R. Scandariato","doi":"10.1145/3569459","DOIUrl":"https://doi.org/10.1145/3569459","url":null,"abstract":"Security Assurance Cases (SAC) are structured arguments and evidence bodies used to reason about the security of a certain system. SACs are gaining focus in the automotive industry, as the needs for security assurance are growing in this domain. However, the state-of-the-arts lack a mature approach able to suit the needs of the automotive industry. In this article, we present CASCADE, an asset-driven approach for creating SAC, which is inspired by the upcoming security standard ISO/SAE-21434 as well as the internal needs of automotive Original Equipment Manufacturers (OEMs). CASCADE also differentiates itself from the state-of-the-art by incorporating a way to reason about the quality of the constructed security assurance case. We created the approach by conducting an iterative design science research study. We illustrate the results using the example case of the road vehicle’s headlamp provided in the ISO standard. We also illustrate how our approach aligns well with the structure and content of the ISO/SAE-21434 standard, hence demonstrating the practical applicability of CASCADE in an industrial context.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":" ","pages":"1 - 26"},"PeriodicalIF":2.3,"publicationDate":"2022-11-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"45140128","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}