Modern cars are operated via an internal network of more than 50 Electronic
Control Units.
Recent incidents have shown such ECUs to be vulnerable to
various kinds of remote attacks, which threatens the safety of passengers
and other road users alike.
While recent standardization and research efforts address security, few security mechanisms
are implemented in current cars.
In this video we demonstrate VulCAN, a lightweight and efficient framework
for implementing industry standard-compliant and secure vehicular
communication, based on embedded trusted computing.
We use the open-source Sancus hardware-level security architecture
to establish trust in a simplified traction control system.
Our demo system consists of a number of ECUs, some of which represent
sensors or actuators at the wheels, while other ECUs perform centralized
processing tasks.
All ECUs are interconnected via a Controller Area
Network, the blue cable in our demo setup.
CAN is the most prevalent network in vehicles, and enables ECUs to jointly
operate the car's overall behavior and safety critical functionality.
To demonstrate real-world applicability, we connected two off-the-shelf
instrument clusters.
An important feature of VulCAN is software extensibility by multiple,
distrusting remote software providers.
We therefore organized our demo application as a distributed set of trusted
software components, which are compiled on a PC and subsequently deployed
over an untrusted network to the ECUs.
Untrusted support software on the participating ECUs loads and
schedules the trusted components, while their authenticity can be
established at runtime through a process known as remote attestation.
The black keypad abstracts genuine driver interaction via steering wheel
and brake pedals.
Inputs from this keypad are processed on a central ECU,
which reacts by sending control messages over the CAN bus.
CAN is a broadcast medium.
Anyone connected to the bus can see or even modify these messages.
We show this by recording all traffic on the PC.
ECUs at the wheels or within the instrument clusters react upon receiving
control messages.
Many attacks against automotive control networks rely on an attacker with
access to the CAN bus to inject arbitrary messages.
In our demo we even go one step further and assume a powerful attacker
that also executes software on the crucial central ECU.
These attacker interactions are triggered by
the red keypad.
Under attack, the left and the right side of the setup behave differently.
The right side shows how a car without our security solution would react.
As the attacker sends messages to activate the direction indicators and to
display a high engine speed, the right instrument cluster and ECUs accept
and display the spoofed values.
Our vulcanized components on the left side accept authenticated messages
only, and indeed reject the attacker's messages.
We demonstrate how unmodified legacy devices without Sancus can
be transparently shielded.
For this, we connect a second instrument cluster
to a VulCAN gateway, which forwards authenticated messages from the untrusted
blue CAN bus over the yellow private CAN bus.
The gateway ensures that attacker messages are
rejected.
The driver can even be notified of an ongoing attack by
triggering a warning indicator in the dashboard.
Our demo illustrates that vulcanized software components never react to
injected messages for which authenticity and freshness cannot be verified.
Even a powerful attacker with code execution abilities on ECUs will not be
able to extract the required cryptographic keys to construct such
authenticated messages due to the strong isolation guarantees provided by
the underlying Sancus architecture.
Yet, such an attacker may harm availability by monopolizing an ECU or by
performing denial-of-service attacks against the network, which are domains
of active ongoing research at DistriNet.
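To make the authenticity and freshness check concrete, here is an added Python sketch that is not VulCAN's or Sancus's own code: a generic MAC-plus-counter scheme over CAN frames in which the MAC travels in a separate frame whose ID is the data ID with bit 0x100 set (an assumed convention), a truncated HMAC-SHA256 stands in for the MAC, and the key is a constructed demo value. It shows a genuine message being accepted, a spoofed message from a sender without the key being rejected, and a replay of the recorded genuine frames being rejected as stale.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAC_LEN = 8           # truncated MAC fits one 8-byte CAN payload (example assumption)
AUTH_ID_FLAG = 0x100  # auth frame ID = data frame ID | 0x100 (example convention)

@dataclass
class Frame:
    can_id: int  # 11-bit CAN identifier
    data: bytes  # 0..8 payload bytes

def mac_over(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    # MAC binds the CAN ID, a per-ID send counter (freshness) and the payload.
    msg = can_id.to_bytes(2, "big") + counter.to_bytes(4, "big") + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

class Sender:
    # Trusted component: emits each data frame followed by its auth frame.
    def __init__(self, key: bytes):
        self.key, self.counters = key, {}
    def send(self, can_id: int, data: bytes) -> list:
        ctr = self.counters.get(can_id, 0)
        self.counters[can_id] = ctr + 1
        return [Frame(can_id, data),
                Frame(can_id | AUTH_ID_FLAG, mac_over(self.key, can_id, ctr, data))]

class Receiver:
    # Vulcanized component: acts only on data whose auth frame verifies.
    def __init__(self, key: bytes):
        self.key, self.counters, self.pending = key, {}, {}
    def receive(self, frame: Frame) -> str:
        if not frame.can_id & AUTH_ID_FLAG:
            self.pending[frame.can_id] = frame.data  # hold data until its MAC arrives
            return "pending"
        data_id = frame.can_id & ~AUTH_ID_FLAG
        data = self.pending.pop(data_id, None)
        ctr = self.counters.get(data_id, 0)  # counter the receiver expects next
        if data is None or not hmac.compare_digest(
                frame.data, mac_over(self.key, data_id, ctr, data)):
            return "rejected"  # wrong key (spoof) or stale counter (replay)
        self.counters[data_id] = ctr + 1
        return "accepted"

def demo() -> list:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
    central, wheel, attacker = Sender(key), Receiver(key), Sender(b"guess")
    legit = central.send(0x0A1, b"\x01")  # e.g. "left indicator on"
    return [[wheel.receive(f) for f in legit][-1],                          # genuine
            [wheel.receive(f) for f in attacker.send(0x0A1, b"\x01")][-1],  # spoof
            [wheel.receive(f) for f in legit][-1]]                          # replay
```

A data frame that never receives a matching auth frame stays pending and is never acted upon, which is the behaviour a receiver needs on a broadcast bus where anyone can inject frames.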
Since we value both research transparency and reproducibility, we
open-sourced all of our hardware designs, plus the complete software stack,
and a simulator.
For more info, and related research efforts, visit the
VulCAN and Sancus websites/GitHub pages linked below.