Zero-Day Attack Defenses and Test Framework for Connected Mobility ECUs
Technical Paper
2021-01-0141
ISSN: 2641-9637, e-ISSN: 2641-9645
This content contains downloadable datasets
Event: SAE WCX Digital Summit
Language: English
Abstract
Recent developments in the commercialization of mobility services have brought unprecedented connectivity to the automotive sector. While the adoption of connected features provides significant benefits to vehicle owners, adversaries may leverage zero-day attacks to target the expanded attack surface and gain unauthorized access to sensitive data. Protecting new generations of automotive controllers against malicious intrusions requires solutions that do not depend on conventional countermeasures, which often fall short when pitted against sophisticated exploitation attempts. In this paper, we describe some of the latent risks in current automotive systems along with a well-engineered multi-layer defense strategy. Further, we introduce a novel and comprehensive attack and performance test framework which considers state-of-the-art memory corruption attacks, countermeasures and evaluation methods. Finally, we demonstrate the ability to deter and prevent in-field zero-day attacks on connected vehicle ECUs.
Citation
Kashani, A., Iyer, G., Mora-Golding, C., Yamashita, H. et al., "Zero-Day Attack Defenses and Test Framework for Connected Mobility ECUs," SAE Int. J. Adv. & Curr. Prac. in Mobility 3(5):2501-2508, 2021, https://doi.org/10.4271/2021-01-0141.
Data Sets - Support Documents
Title | Description | Download |
---|---|---|
Unnamed Dataset 1 | | |
Unnamed Dataset 2 | | |
Also In
SAE International Journal of Advances and Current Practices in Mobility
Number: V130-99EJ; Published: 2021-10-20