This content is not included in your SAE MOBILUS subscription, or you are not logged in.

Enhancement of Automotive Penetration Testing with Threat Analyses Results

Journal Article
11-01-02-0005
ISSN: 2572-1046, e-ISSN: 2572-1054
Published November 02, 2018 by SAE International in United States
Enhancement of Automotive Penetration Testing with Threat Analyses Results
Sector:
Citation: Dürrwang, J., Braun, J., Rumez, M., Kriesten, R. et al., "Enhancement of Automotive Penetration Testing with Threat Analyses Results," SAE Int. J. Transp. Cyber. & Privacy 1(2):91-112, 2018, https://doi.org/10.4271/11-01-02-0005.
Language: English

References

  1. Charette , R.N. This Car Runs on Code 2009 http://spectrum.ieee.org/transportation/systems/this-car-runs-on-code
  2. Miller , C. and Valasek , C. 2014
  3. Checkoway , S. , McCoy , D. , Kantor , B. , Anderson , D. et al. Comprehensive Experimental Analyses of Automotive Attack Surfaces USENIX Security Symposium San Francisco 2011
  4. Valasek , C. and Miller , C. CAN Message Injection: OG Dynamite Edition 2017 http://illmatics.com/can%20message%20injection.pdf
  5. Greenberg , A. Tesla Responds to Chinese Hack with a Major Security Upgrade 2017 https://www.wired.com/2016/09/tesla-responds-chinese-hack-major-security-upgrade/
  6. Thompson , H.H. Application Penetration Testing IEEE Security and Privacy Magazine 3 1 66 69 2005
  7. Felderer , M. , Büchler , M. , Johns , M. , Brucker , A.D. et al. Security Testing: A Survey Advances in Computers 101 1 51 2016
  8. ISECOM Open Source Security Testing Methodology Manual http://www.isecom.org/research/
  9. NIST Technical Guide to Information Security Testing and Assessment http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
  10. OISSG Information Systems Security Assessment Framework http://cuchillac.net/archivos/pre_seguridad_pymes/2_hakeo_etico/lects/metodologia_oissg.pdf
  11. Gontharet , F. ISSAF - Methodology Analysis and Critical Evaluation) 2015 https://wrong.name/other/REPORT_PenetrationTesting_Methodology.pdf
  12. PTES Penetration Testing Execution Standard http://www.pentest-standard.org
  13. OWASP Open Web Application Security Project - Testing Guide v4 https://www.owasp.org/images/1/19/OTGv4.pdf
  14. SAE Cybersecurity Guidebook for Cyber-Physical Vehicle Systems 2016 http://standards.sae.org/wip/j3061/
  15. Plósz , S. , Schmittner , C. , and Varga , P. Combining Safety and Security Analysis for Industrial Collaborative Automation Systems International Conference on Computer Safety, Reliability, and Security 2017 187 198
  16. Kadhirvelan , S.P. and Söderberg-Rivkin , A. Threat Modelling and Risk Assessment within Vehicular Systems 2014 http://publications.lib.chalmers.se/records/fulltext/202917/202917.pdf
  17. Ruddle , A. , Ward , D. , Weyl , B. , Idrees , S. et al. 2009
  18. The STRIDE Threat Model 2005 https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
  19. Shostack , A. Threat Modeling: Designing for Security John Wiley & Sons 2014
  20. Henniger , O. , Apvrille , L. , Fuchs , A. , Roudier , Y. et al. Security Requirements for Automotive On-Board Networks 2009 9th International Conference on Intelligent Transport Systems Telecommunications (ITST) 2009 641 646
  21. Nancy , M. , Forrest , S. , Krishnamurthy , V. , and Ole , V. A Hybrid Threat Modeling Method: TECHNICAL NOTE https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=516617
  22. Denning , T. , Friedman , B. , and Kohno , T. The Security Cards: A Security Threat Brainstorming Toolkit 2013 http://securitycards.cs.washington.edu http://securitycards.cs.washington.edu/index.html
  23. Macher , G. , Armengaud , E. , Brenner , E. , and Kreiner , C. Threat and Risk Assessment Methodologies in the Automotive Domain Procedia Computer Science 83 1288 1294 2016
  24. Macher , G. , Sporer , H. , Berlach , R. , Armengaud , E. et al. SAHARA: A Security-Aware Hazard and Risk Analysis Method 2015 Design, Automation & Test in Europe Conference & Exhibition (DATE) 2015 621 624
  25. Schmittner , C. , Ma , Z. , and Smith , P. FMVEA for Safety and Security Analysis of Intelligent and Cooperative Vehicles Computer Safety, Reliability, and Security Bondavalli , A. , Ceccarelli , A. , and Ortmeier , F. Heidelberg Springer 2014 8696 282 288
  26. Schmittner , C. , Ma , Z. , Schoitsch , E. , and Gruber , T. A Case Study of FMVEA and as Safety and Security Co-Analysis Method for Automotive Cyber-Physical Systems Proceedings of the 1st ACM Workshop on Cyber-Physical System Security 2015 69 80
  27. Fredriksen , R. , Kristiansen , M. , Gran , B.A. , Stølen , K. et al. The CORAS Framework for a Model-Based Risk Management Process International Conference on Computer Safety, Reliability, and Security 2002 94 105
  28. Kriaa , S. , Pietre-Cambacedes , L. , Bouissou , M. , and Halgand , Y. A Survey of Approaches Combining Safety and Security for Industrial Control Systems Reliability Engineering & System Safety 139 156 178 2015
  29. Young , W. and Leveson , N.G. An Integrated Approach to Safety and Security Based on Systems Theory Communications of the ACM 57 2 31 35 2014
  30. Friedberg , I. , McLaughlin , K. , Smith , P. , Laverty , D. et al. STPA-SafeSec: Safety and Security Analysis for Cyber-Physical Systems Journal of Information Security and Applications 34 183 196 2017
  31. Dürrwang , J. , Beckers , K. , and Kriesten , R. A Lightweight Threat Analysis Approach Intertwining Safety and Security for the Automotive Domain International Conference on Computer Safety, Reliability, and Security 2017 305 319 https://link.springer.com/chapter/10.1007/978-3-319-66266-4_20
  32. Winther , R. , Johnsen , O.-A. , and Gran , B.A. Security Assessments of Safety Critical Systems Using HAZOPs Computer Safety, Reliability and Security Springer 2001 14 24
  33. Winther , R. Probabilistic Safety Assessment and Management 2004 2345 2351
  34. Dürrwang , J. Evaluation Security Guideword Experiment 2017 http://www.home.hs-karlsruhe.de/~duju0001/Evaluation_SGM/
  35. GitHub Caringcaribou 2018 https://github.com/CaringCaribou/caringcaribou
  36. Ring , M. , Dürrwang , J. , Sommer , F. , and Kriesten , R. Survey on Vehicular Attacks-Building a Vulnerability Database 2015 IEEE International Conference on Vehicular Electronics and Safety (ICVES) 2015 208 212
  37. ISO 2012
  38. ISO 2009
  39. Ring , M. , Rensen , T. , and Kriesten , R. 2014
  40. Kerckhoffs , A. 1883
  41. CVE-2017-14937 2017 https://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2017-14937
  42. Rapid7 Metasploit Wrapup: Airbag Authentication 2017 https://blog.rapid7.com/2017/12/22/metasploit-wrapup-21/
  43. Rapid7 CVE-2017-14937 Check For and Prep the Pyrotechnic Devices (Airbags, Battery Clamps, etc.) 2017 https://www.rapid7.com/db/modules/post/hardware/automotive/pdt
  44. Miller , C. and Valasek , C. 2015
  45. Keen Security Lab Experimental Security Assessment of BMW Cars: A Summary Report 2018 https://keenlab.tencent.com/en/Experimental_Security_Assessment_of_BMW_Cars_by_KeenLab.pdf
  46. Kovelman , A. A Remote Attack on the Bosch Drivelog Connector Dongle - Argus Cyber Security 2017 https://argus-sec.com/remote-attack-bosch-drivelog-connector-dongle/
  47. ISO Road Vehicles - End-of-Life Activation of On-Board Pyrotechnic Devices: Part 4: Additional Communication Line with Bidirectional Communication 2009 https://www.iso.org/obp/ui/#iso:std:iso:26021:-4:ed-1:v1:en
  48. Dürrwang , J. , Rumez , M. , Braun , J. , and Kriesten , R. Security Hardening with Plausibility Checks for Automotive ECUs VEHICULAR 2017 2017 6 38 41 http://www.thinkmind.org/download.php? articleid=vehicular_2017_2_40_30053
  49. Paar , C. and Pelzl , J. Understanding Cryptography: A Textbook for Students and Practitioners Heidelberg/New York Springer 2010
  50. Lenstra , A.K. and Verheul , E.R. Selecting Cryptographic Key Sizes Journal of Cryptology 14 4 255 293 2001
  51. AUTOSAR Specification of Secure Onboard Communication: AUTOSAR CP Release 4.3.1 2017 https://www.autosar.org/fileadmin/user_upload/standards/classic/4-3/AUTOSAR_SWS_SecureOnboardCommunication.pdf
  52. Margraf, M. 2008
  53. Barker , E. , Barker , W. , Burr , W. , Polk , W. et al. Recommendation for Key Management Part 1: General Revision 3 800 57 1 147 2012
  54. Kim , D.-K. , Song , E. , and Yu , H. Introducing Attribute-Based Access Control to AUTOSAR SAE Technical Paper 2016-01-0069 2016 10.4271/2016-01-0069
  55. Berger , S. , Vensmer , A. , and Kiesel , S. An ABAC-Based Policy Framework for Dynamic Firewalling International Conference on Systems and Network Communications (ICSNC 2012), 2012 2012 118 123

Cited By