Mitigating Unknown Cybersecurity Threats in Performance Constrained Electronic Control Units
Published April 3, 2018 by SAE International in United States
Externally connected Electronic Control Units (ECUs) contain millions of lines of code, which may contain security vulnerabilities. Hackers may exploit these vulnerabilities to gain code execution privileges, which affect public safety. Traditional cybersecurity solutions fall short in meeting automotive ECU constraints such as zero false positives, intermittent connectivity, and low performance impact. A desirable solution would be deterministic, require minimal resources, and protect against known and unknown security threats. We integrated Autonomous Security on a BeagleBone Black (BBB) system to evaluate the feasibility of mitigating cybersecurity risks against potential threats. We identified key metrics that should be measured, such as level of security, ease of integration, and system performance impact. In this paper, we describe the integration and evaluation process and present its results. We show that Autonomous Security can provide this protection with zero false positives while meeting automotive constraints.
Citation: Harel, A., Ben David, T., Kashani, A., Iyer, G. et al., "Mitigating Unknown Cybersecurity Threats in Performance Constrained Electronic Control Units," SAE Technical Paper 2018-01-0016, 2018, https://doi.org/10.4271/2018-01-0016.