Title: Convoy: Physical Context Verification for Vehicle Platoon Admission
Truck platooning is emerging as a promising solution with many economic incentives. However, securely admitting a new vehicle into a platoon is an important yet difficult task: there is no adequate method today for verifying the physical arrangement of vehicles within a platoon formation. Specifically, we address the platoon ghost attack, in which an attacker spoofs presence within a platoon to gain admission and subsequently mounts attacks from inside it. To address such concerns, we present Convoy, a novel autonomous platoon admission scheme that binds the vehicles' digital certificates to their physical context (i.e., locality). Convoy exploits the observation that vehicles traveling together experience similar context and can use it to prove to each other over time that they are co-present: they experience similar road (e.g., bumps and cracks) and traffic (e.g., acceleration and steering) conditions. Our approach is based on the vehicles' ability to capture this context, generate fingerprints from it to establish shared keys, and later bind these symmetric keys to their public keys. We design and implement the Convoy protocol and evaluate it with real-world driving data. Our implementation demonstrates that vehicles traveling in adjacent lanes can be sufficiently distinguished by their context, and that this can be used to thwart platoon ghost attacks and similar misbehavior.
Award ID(s):
1645759
NSF-PAR ID:
10048436
Journal Name:
Proc. 18th Int'l Workshop on Mobile Computing Systems and Applications (HotMobile)
Page Range / eLocation ID:
73 - 78
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
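The Convoy abstract above names the pipeline (capture shared context, fingerprint it, derive a shared key, bind that key to the vehicles' public keys) but this page does not contain the protocol itself. The Python sketch below is an added illustration of that pipeline, not the authors' implementation, and every design choice in it is an assumption: one fingerprint bit per window of vertical-acceleration samples (sign of the window mean), traces assumed already time-aligned, key agreement by fuzzy commitment over a 3x repetition code standing in for a real error-correcting code, a 32-bit toy secret, SHA-256 for the session key and HMAC-SHA256 for the binding to public keys. The function names (fingerprint, commit, decommit, admission, make_road, observe) and the traces are constructed for the example; the adjacent-lane vehicle plays the ghost that claims co-presence without sharing the road context.

```python
import hashlib
import hmac
import random
import secrets

WINDOW = 8                 # accelerometer samples per fingerprint bit (assumed)
FP_BITS = 96               # fingerprint length in bits (assumed)
REP = 3                    # repetition-code factor; a placeholder for a real ECC
KEY_BITS = FP_BITS // REP  # 32-bit toy secret; a real deployment needs >= 128 bits


def fingerprint(trace):
    """One bit per window: 1 if the window's mean vertical acceleration is
    above zero (a bump), 0 otherwise (a dip). Assumes the two traces are
    already time-aligned; real sensors need lag estimation first."""
    bits = []
    for i in range(FP_BITS):
        window = trace[i * WINDOW:(i + 1) * WINDOW]
        bits.append(1 if sum(window) / WINDOW > 0 else 0)
    return bits


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def commit(secret_bits, fp):
    """Fuzzy commitment: helper = repetition_encode(secret) XOR fingerprint.
    The helper is sent in the clear; only a fingerprint close to fp decodes it."""
    code = [b for b in secret_bits for _ in range(REP)]
    return [c ^ f for c, f in zip(code, fp)]


def decommit(helper, fp):
    """XOR with own fingerprint, then majority-decode each REP-bit group.
    Correct iff no group holds more than REP // 2 fingerprint mismatches."""
    code = [h ^ f for h, f in zip(helper, fp)]
    return [1 if sum(code[i * REP:(i + 1) * REP]) > REP // 2 else 0
            for i in range(KEY_BITS)]


def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes(len(bits) // 8, "big")


def session_key(secret_bits, pk_verifier, pk_candidate):
    """Symmetric key bound to the context-derived secret and both public keys."""
    return hashlib.sha256(b"convoy-demo-session" + bits_to_bytes(secret_bits)
                          + pk_verifier + pk_candidate).digest()


def bind_tag(key, pk_verifier, pk_candidate):
    return hmac.new(key, pk_verifier + pk_candidate, hashlib.sha256).digest()


def admission(verifier_trace, candidate_trace, pk_v, pk_c, secret_bits):
    """Run the exchange. Returns (admitted, fingerprint Hamming distance);
    the distance is measured out-of-band for the reader, the verifier itself
    never sees the candidate's fingerprint."""
    fp_v = fingerprint(verifier_trace)
    fp_c = fingerprint(candidate_trace)
    helper = commit(secret_bits, fp_v)                    # verifier -> candidate
    recovered = decommit(helper, fp_c)                    # candidate side
    tag = bind_tag(session_key(recovered, pk_v, pk_c), pk_v, pk_c)   # candidate -> verifier
    expected = bind_tag(session_key(secret_bits, pk_v, pk_c), pk_v, pk_c)
    return hmac.compare_digest(tag, expected), hamming(fp_v, fp_c)


# --- constructed sample data, not real driving data ---
def make_road(seed):
    """Road profile: every window is a bump or dip of magnitude >= 0.2."""
    rng = random.Random(seed)
    trace = []
    for _ in range(FP_BITS):
        v = rng.choice([-1, 1]) * rng.uniform(0.2, 1.0)
        trace += [v + rng.uniform(-0.05, 0.05) for _ in range(WINDOW)]
    return trace


def observe(road, seed, flipped_windows=()):
    """One vehicle's view of the road: sensor noise of +/-0.1 (too small to
    flip a bit) plus deliberately inverted windows that model disagreements."""
    rng = random.Random(seed)
    return [(-1 if i // WINDOW in flipped_windows else 1) * s + rng.uniform(-0.1, 0.1)
            for i, s in enumerate(road)]


if __name__ == "__main__":
    road = make_road(1)
    leader = observe(road, 2)
    follower = observe(road, 3, flipped_windows=(0, 5, 40))   # same lane, 3 mismatching bits
    ghost = observe(make_road(4), 5)                           # adjacent lane, different road
    secret = [int(b) for b in format(int.from_bytes(secrets.token_bytes(4), "big"), "032b")]
    print("follower:", admission(leader, follower, b"pk-leader", b"pk-follower", secret))
    print("ghost:   ", admission(leader, ghost, b"pk-leader", b"pk-ghost", secret))
```

The check a practitioner would add before trusting a scheme like this is an entropy estimate of the fingerprint bits: sign-quantized samples from a single axis are correlated and low-entropy, so the repetition code, the 32-bit secret and the per-window bit are all placeholders that make the mechanics visible, not parameters to deploy.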
More Like this
  1. In this work, we establish a physical access control mechanism for vehicular platoons. The goal is to restrict vehicle-to-vehicle (V2V) communications to platooning members by tying the digital identity of a candidate vehicle requesting to join a platoon to its physical trajectory relative to the platoon. We propose the Wiggle protocol that employs a physical challenge-response exchange to prove that a candidate requesting to be admitted into a platoon actually follows it. The protocol name is inspired by the random longitudinal movements that the candidate is challenged to execute. Wiggle prevents any remote adversary from joining the platoon and injecting fake V2V messages. Compared to prior works, Wiggle is resistant to prerecording attacks and can verify that the candidate is traveling behind the verifier in the same lane. 
  2. A Connected Autonomous Vehicular (CAV) platoon is a group of vehicles that coordinate their movements and operate as a single unit. The vehicle at the head acts as the leader of the platoon and determines the course of the vehicles following it. The follower vehicles use Vehicle-to-Vehicle (V2V) communication and automated driving support systems to automatically maintain a small fixed distance between each other. Reliance on V2V communication exposes platoons to several possible malicious attacks that can compromise the safety, stability, and efficiency of the vehicles. We present a novel distributed resiliency architecture, RePLACe, for CAV platoon vehicles to defend against adversaries that corrupt the V2V messages reporting the preceding vehicle's position. RePLACe is unique in that it can provide real-time defense against a spectrum of communication attacks. RePLACe systematically augments a platoon controller architecture with real-time detection and mitigation functionality using machine learning. Unlike computationally intensive cryptographic solutions, RePLACe accounts for the limited computation capabilities of automotive platforms as well as the real-time requirements of the application. Furthermore, unlike control-theoretic approaches, the same framework works against the broad spectrum of attacks. We also develop a systematic approach for evaluating the resiliency of CAV applications against V2V attacks. We perform extensive experimental evaluation to demonstrate the efficacy of RePLACe.
  3. Side-channel attacks, such as Spectre and Meltdown, that leverage speculative execution pose a serious threat to computing systems. Worse yet, such attacks can be perpetrated by compromised operating system (OS) kernels to bypass defenses that protect applications from the OS kernel. This work evaluates the performance impact of three different defenses against in-kernel speculation side-channel attacks within the context of Virtual Ghost, a system that protects user data from compromised OS kernels: Intel MPX bounds checks, which require a memory fence; address bit-masking and testing, which creates a dependence between the bounds check and the load/store; and the use of separate virtual address spaces for applications, the OS kernel, and the Virtual Ghost virtual machine, forcing a speculation boundary. Our results indicate that an instrumentation-based bit-masking approach to protection incurs the least overhead by minimizing speculation boundaries. Our work also highlights possible improvements to Intel MPX that could help mitigate speculation side-channel attacks at a lower cost. 
  4. Advanced sensing technologies and communication capabilities of Connected and Autonomous Vehicles (CAVs) empower them to capture the dynamics of surrounding vehicles, including speeds and positions of those behind, enabling judicious responsive maneuvers. The acquired dynamics information of vehicles spurred the development of various cooperative platoon controls, particularly designed to enhance platoon stability with reduced spacing for reliable roadway capacity increase. These controls leverage abundant information transmitted through various communication topologies. Despite these advancements, the impact of different vehicle dynamics information on platoon safety remains underexplored, as current research predominantly focuses on stability analysis. This knowledge gap highlights the critical need for further investigation into how diverse vehicle dynamics information influences platoon safety. To address this gap, this research introduces a novel framework based on the concept of phase shift, aiming to scrutinize the tradeoffs between the safety and stability of CAV platoons formed upon bidirectional information flow topology. Our investigation focuses on platoon controls built upon bidirectional information flow topologies using diverse dynamics information of vehicles. Our research findings emphasize that the integration of various types of information into CAV platoon controls does not universally yield benefits. Specifically, incorporating spacing information can enhance both platoon safety and string stability. In contrast, velocity difference information can improve either safety or string stability, but not both simultaneously. These findings offer valuable insights into the formulation of CAV platoon control principles built upon diverse communication topologies. 
    This research contributes a nuanced understanding of the intricate interplay between safety and stability in CAV platoons, emphasizing the importance of information dynamics in shaping effective control strategies.
  5. Timing side channels have been used to extract cryptographic keys and sensitive documents even from trusted enclaves. Specifically, cache side channels created by reuse of shared code or data in the memory hierarchy have been exploited by several known attacks, e.g., evict+reload for recovering an RSA key and Spectre variants for leaking speculatively loaded data. In this paper, we present TimeCache, a cache design that incorporates knowledge of prior cache line access to eliminate cache side channels due to reuse of shared software (code and data). Our goal is to retain the benefits of a shared cache: allowing each process access to the entire cache, and cache occupancy by a single copy of shared software. We achieve our goal by implementing per-process cache line visibility so that processes do not benefit from cached data brought in by another process until they have incurred a corresponding miss penalty. Our design achieves low overhead by using a novel combination of timestamps and a hardware design that allows efficient parallel comparisons of the timestamps. The solution works at all cache levels without the need to limit the number of security domains, and defends against an attacker process running on the same core, on another hyperthread, or on another core. Our implementation in the gem5 simulator demonstrates that the system is able to defend against RSA key extraction. We evaluate performance using SPEC2006 and PARSEC and observe the overhead of TimeCache to be 1.13% on average. Delay due to first-access misses adds the majority of the overhead, with the security-context bookkeeping incurred at context-switch time contributing 0.02% of the 1.13%.
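The per-process visibility rule in abstract 5 (a process gets no timing benefit from a line another process filled until it has paid a miss penalty of its own) is easy to model, and the model shows why it closes evict+reload. The Python below is an added illustration, not the TimeCache hardware design: it replaces the paper's per-line timestamps and parallel comparators with a per-line set of process ids that have paid, which gives the same visibility semantics for a software model, and it charges a fixed constructed latency of 1 cycle for a hit and 100 for a miss or delayed first access. Class and function names (SharedCache, VisibilityCache, evict_reload, channel_leaks) and the process ids and address are constructed for the example.

```python
HIT_CYCLES = 1      # constructed latencies, not measured values
MISS_CYCLES = 100


class SharedCache:
    """Conventional shared cache: a line filled by any process hits for all."""
    def __init__(self):
        self.present = set()

    def access(self, pid, addr):
        if addr in self.present:
            return HIT_CYCLES
        self.present.add(addr)
        return MISS_CYCLES

    def flush(self, addr):
        self.present.discard(addr)


class VisibilityCache:
    """Simplified model of per-process line visibility (assumption: the real
    design uses timestamps; a set of paying pids per line is equivalent here).
    The line is stored once, but each process pays one miss-latency access
    before it becomes a hit for that process, so a fill by another process is
    never observable through timing."""
    def __init__(self):
        self.lines = {}   # addr -> set of pids that have already paid for it

    def access(self, pid, addr):
        payers = self.lines.get(addr)
        if payers is None:
            self.lines[addr] = {pid}
            return MISS_CYCLES          # genuine miss: fetched from memory
        if pid not in payers:
            payers.add(pid)
            return MISS_CYCLES          # present, but delayed for this pid
        return HIT_CYCLES               # this pid has paid: normal hit

    def flush(self, addr):
        self.lines.pop(addr, None)


def evict_reload(cache, victim_touches, attacker=1, victim=2, addr=0x4000):
    """Attacker's reload latency on a shared line after optionally letting the
    victim touch it. Returns the cycle count the attacker would observe."""
    cache.access(attacker, addr)      # shared code/data mapped by both processes
    cache.flush(addr)                 # evict step (e.g. a flush instruction)
    if victim_touches:
        cache.access(victim, addr)    # victim's secret-dependent access
    return cache.access(attacker, addr)   # reload and time it


def channel_leaks(cache_factory):
    """True if the attacker's timing distinguishes 'victim touched' from 'did not'."""
    return evict_reload(cache_factory(), True) != evict_reload(cache_factory(), False)


if __name__ == "__main__":
    print("shared cache leaks:    ", channel_leaks(SharedCache))       # True
    print("visibility cache leaks:", channel_leaks(VisibilityCache))   # False
```

The model also shows where the reported overhead comes from: in VisibilityCache every process pays one extra miss latency per shared line on first touch, which is the "first access misses" cost the abstract attributes most of the 1.13% to, while the victim's own repeated accesses still hit, so the shared copy is not duplicated.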