An official website of the United States government
Controller Area Network (CAN) is the de-facto standard in-vehicle network system. Despite its wide adoption by automobile manufacturers, the lack of security design makes it vulnerable to attacks. For instance, broadcasting packets without authentication allows the impersonation of electronic control units (ECUs). Prior mitigations, such as message authentication or intrusion detection systems, fail to address the compatibility requirement with legacy ECUs, stealthy and sporadic malicious messaging, or guaranteed attack detection. We propose a novel authentication system called ShadowAuth that overcomes the aforementioned challenges by offering backward-compatible packet authentication to ECUs without requiring ECU firmware source code. Specifically, our authentication scheme provides transparent CAN packet authentication without modifying existing CAN packet definitions (e.g., J1939) via automatic ECU firmware instrumentation technique to locate CAN packet transmission code, and instrument authentication code based on the CAN packet behavioral transmission patterns. ShadowAuth enables vehicles to detect state-of-the-art CAN attacks, such as bus-off and packet injection, responsively within 60ms without false positives. ShadowAuth provides a sound and deployable solution for real-world ECUs.
more »
« less
This content will become publicly available on June 27, 2026
Hardware-Assisted Runtime In-vehicle ECU Firmware Self-attestation and Self-repair
Modern vehicles are largely controlled by many embedded computers, known as Electronic Control Units (ECUs). The increased use of ECUs has brought many in-vehicle security concerns. Specifically, injection of malware into ECUs poses a significant risk to vehicle operation. Indeed, many ECU malware injection attacks have been performed, and much work has been introduced towards mitigating these vulnerabilities. A main defense is for ECUs to perform a self-attestation over their firmware state. However, most current self-attestation solutions do not enable runtime checking due to their high computational cost. Additionally, existing solutions mostly do not incorporate any ECU self-repairing in coordination with the attestation mechanisms. In this work, we have designed FSAVER, a highly efficient self-attestation and self-repair framework for in-vehicle ECUs. For the self-attestation, we adapt highly efficient spot-checking techniques, so that the firmware can be checked periodically at runtime. To perform these attestations, we rely on the TEE already equipped within each ECU. For self-repair, we take advantage of the isolated flash memory controller (FMC) in the storage device. Specifically, we coordinate it with the update mechanism and self-attestations to guarantee that the latest benign firmware version can always be restored. To realize this while malware is running, a special mechanism has been carefully developed to notify the FMC of the malicious presence.
more »
« less
- Award ID(s):
- 2225424
- PAR ID:
- 10629228
- Publisher / Repository:
- Springer Nature Switzerland
- Date Published:
- ISBN:
- 978-3-031-93353-0
- Page Range / eLocation ID:
- 187 to 210
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
With increasing development of connected and autonomous vehicles, the risk of cyber threats on them is also increasing. Compared to traditional computer systems, a CAV attack is more critical, as it does not only threaten confidential data or system access, but may endanger the lives of drivers and passengers. To control a vehicle, the attacker may inject malicious control messages into the vehicle’s controller area network. To make this attack persistent, the most reliable method is to inject malicious code into an electronic control unit’s firmware. This allows the attacker to inject CAN messages and exhibit significant control over the vehicle, posing a safety threat to anyone in proximity. In this work, we have designed a defensive framework which allows restoring compromised ECU firmware in real time. Our framework combines existing intrusion detection methods with a firmware recovery mechanism using trusted hardware components equipped in ECUs. Especially, the firmware restoration utilizes the existing FTL in the flash storage device. This process is highly efficient by minimizing the necessary restored information. Further, the recovery is managed via a trusted application running in TrustZone secure world. Both the FTL and TrustZone are secure when the ECU firmware is compromised. Steganography is used to hide communications during recovery. We have implemented and evaluated our prototype implementation in a testbed simulating the real-world in-vehicle scenario.more » « less
-
The Controller Area Network (CAN) protocol used in vehicles today was designed to be fast, reliable, and robust. However, it is inherently insecure due to its lack of any kind of message authentication. Despite this, CAN is still used extensively in the automotive industry for various electronic control units (ECUs) and sensors which perform critical functions such as engine control. This paper presents a novel methodology for in-vehicle security through fingerprinting of ECUs. The proposed research uses the fingerprints injected in the signal due to material imperfections and semiconductor impurities. By extracting features from the physical CAN signal and using them as inputs for a machine learning algorithm, it is possible to determine the sender ECU of a packet. A high classification accuracy of up to 100.0% is possible when every node on the bus has a sufficiently different channel length.more » « less
-
When a computing device, such as a server, workstation, laptop, tablet, etc. is shipped from one site to another (for example, from a vendor to a customer or from one branch location of an organization to another) it can potentially be subjected to unauthorized firmware modifications. The industry has sought to partially address this issue by focusing on securing the boot process. Secure boot provides attestation methods by a hardware root-of-trust to confirm the integrity of the device’s BIOS/UEFI firmware. However, once a device boots up, it is relatively easy for a malicious adversary to tamper with the firmware. In this paper, we address this problem by preventing a secure boot unless done by an authorized user. We extend a hardware root of trust (HRoT) processor’s ability to perform secure attestation by implementing a new functionality to securely lock and unlock the BIOS/UEFI or the BMC (Baseboard Management Controller) and implementing an authentication mechanism in the HRoT for determining authorized users. This ensures that the secure boot process won’t commence unless authorized appropriately and provides a robust mechanism for securing the device’s firmware during transit. The proposed PIT-Cerberus framework (PIT = Protection In Transit) leverages strong cryptographic techniques and has been implemented within a trusted microcontroller. We have contributed the PIT-Cerberus framework’s libraries to Project Cerberus, an open-source project that offers a security platform for server hardware.more » « less
-
Remote attestation (RA) is a means of malware detection, typically realized as an interaction between a trusted verifier and a potentially compromised remote device (prover). RA is especially relevant for low-end embedded devices that are incapable of protecting themselves against malware infection. Most current RA techniques require on-demand and uninterruptible (atomic) operation. The former fails to detect transient malware that enters and leaves between successive RA instances; the latter involves performing potentially time-consuming computation over prover's memory and/or storage, which can be harmful to the device's safety-critical functionality and general availability. However, relaxing either on-demand or atomic RA operation is tricky and prone to vulnerabilities. This paper identifies some issues that arise in reconciling requirements of safety-critical operation with those of secure remote attestation, including detection of transient and self-relocating malware. It also investigates mitigation techniques, including periodic self-measurements as well as interruptible attestation modality that involves shuffled memory traversals and various memory locking mechanisms.more » « less
