-
A Systematic Approach to Automotive Security
Authors:
Masoud Ebrahimi,
Stefan Marksteiner,
Dejan Ničković,
Roderick Bloem,
David Schögler,
Philipp Eisner,
Samuel Sprung,
Thomas Schober,
Sebastian Chlup,
Christoph Schmittner,
Sandra König
Abstract:
We propose a holistic methodology for designing automotive systems that considers security a central concern at every design stage. During the concept design, we model the system architecture and define the security attributes of its components. We perform threat analysis on the system model to identify structural security issues. From that analysis, we derive attack trees that define recipes describing steps to successfully attack the system's assets, and we propose threat prevention measures. The attack tree allows us to derive a verification and validation (V&V) plan, which prioritizes the testing effort. In particular, we advocate using learning-for-testing approaches for the black-box components. This consists of inferring a finite state model of the black-box component from its execution traces. This model can then be used to generate new relevant tests, to model check it against requirements, and to compare two different implementations of the same protocol. We illustrate the methodology with an automotive infotainment system example. Using the advocated approach, we could also document unexpected and potentially critical behavior in our example systems.
Submitted 17 April, 2023; v1 submitted 6 March, 2023;
originally announced March 2023.
-
Using Cyber Digital Twins for Automated Automotive Cybersecurity Testing
Authors:
Stefan Marksteiner,
Slava Bronfman,
Markus Wolf,
Eddie Lazebnik
Abstract:
Cybersecurity testing of automotive systems has become a practical necessity with the wide adoption of advanced driving assistance functions and vehicular communications. These functionalities require the integration of information and communication technologies that not only allow for a plethora of on-the-fly configuration abilities, but also provide a huge surface for attacks. These circumstances have also been recognized by standardization and regulation bodies, making not only proper cybersecurity engineering but also proof of the effectiveness of security measures through verification and validation by testing a formal necessity. In order to keep pace with the rapidly growing demand for neutral-party security testing of vehicular systems, novel approaches are needed. This paper therefore presents a methodology to create and execute cybersecurity test cases on the fly in a black-box setting by using pattern-matching-based binary analysis, translation mechanisms to formal attack descriptions, and model-checking techniques. The approach is intended to generate meaningful attack vectors on a system with next-to-zero a priori knowledge.
Submitted 15 July, 2021;
originally announced July 2021.
-
A Model-Driven Methodology for Automotive Cybersecurity Test Case Generation
Authors:
Stefan Marksteiner,
Peter Priller
Abstract:
Through international regulations (most prominently the latest UNECE regulation) and standards, the already widely perceived higher need for cybersecurity in automotive systems has been recognized and will mandate higher efforts for cybersecurity engineering. The UNECE also demands that the effectiveness of this engineering be verified and validated through testing. This requires both a significantly higher rate and greater comprehensiveness of cybersecurity testing, which cannot be effectively achieved using current, predominantly manual, automotive cybersecurity testing techniques. To allow for comprehensive and efficient testing at all stages of the automotive life cycle, including supply chain parts not at hand, to facilitate efficient third-party testing, and to test under real-world conditions, methodologies for testing the cybersecurity of vehicular systems as a black box are also necessary. This paper therefore presents a model- and attack-tree-based approach to (semi-)automate automotive cybersecurity testing, as well as considerations for automatically deriving black-box models for use in attack modeling.
Submitted 13 July, 2021;
originally announced July 2021.
-
An Agnostic Domain Specific Language for Implementing Attacks in an Automotive Use Case
Authors:
Christian Wolschke,
Stefan Marksteiner,
Tobias Braun,
Markus Wolf
Abstract:
This paper presents a Domain Specific Language (DSL) for generically describing cyber attacks, agnostic to the specific system under test (SUT). The creation of the presented DSL is motivated by an automotive use case. The concepts of the DSL are generic such that attacks on arbitrary systems can be addressed. The ongoing trend to improve the user experience of vehicles with connected services implies enhanced connectivity as well as remotely accessible interfaces, which open potential attack vectors. This might also impact safety, and the proprietary nature of potential SUTs adds to the difficulty. Reusing tests of attack vectors to industrialize testing them on multiple SUTs mandates an abstraction mechanism to port an attack from one system to another. The DSL therefore generically describes attacks for use with a test case generator (and execution environment) that is also described in this paper. The latter uses this description and a database with SUT-specific information to generate attack implementations for a multitude of different (automotive) SUTs.
Submitted 19 August, 2021; v1 submitted 6 July, 2021;
originally announced July 2021.
-
Automatically Determining a Network Reconnaissance Scope Using Passive Scanning Techniques
Authors:
Stefan Marksteiner,
Bernhard Jandl-Scherf,
Harald Lernbeiß
Abstract:
The starting point of securing a network is having a concise overview of it. As networks are becoming more and more complex, both in general and with the introduction of IoT technology and its topological peculiarities in particular, this is increasingly difficult to achieve. Especially in cyber-physical environments, such as smart factories, gaining a reliable picture of the network can be a tedious task due to the intertwining of a vast number of devices and different protocols. Nevertheless, this work is necessary to conduct security audits, to compare documentation with actual conditions, or to find vulnerabilities using an attacker's view, for all of which a reliable topology overview is pivotal. For security auditors, however, there might not be much information, such as asset management access, available beforehand, which is why this paper treats the network to audit as a complete black box. The goal is therefore to enable security auditors to automatically gain a topology overview without having any a priori knowledge at all. This paper describes, in the context of a bigger system that uses active scanning to determine the network topology, an approach to automate the first steps of this procedure: passively scanning the network and determining the network's scope, as well as gaining a valid address to perform the active scanning. This allows for bootstrapping an automatic network discovery process without prior knowledge.
Submitted 28 June, 2021;
originally announced June 2021.
-
SaSeVAL: A Safety/Security-Aware Approach for Validation of Safety-Critical Systems
Authors:
Christian Wolschke,
Behrooz Sangchoolie,
Jacob Simon,
Stefan Marksteiner,
Tobias Braun,
Hayk Hamazaryan
Abstract:
Increasing communication and self-driving capabilities for road vehicles lead to threats imposed by attackers. Especially attacks leading to safety violations have to be identified in order to address them by appropriate measures. The impact of an attack depends on the threat exploited, potential countermeasures and the traffic situation. In order to identify such attacks and to use them for testing, we propose the systematic approach SaSeVAL for deriving attacks on autonomous vehicles. SaSeVAL is based on threat identification and safety-security analysis. The impact of automotive use cases on attacks is considered. The threat identification considers the attack interface of vehicles and classifies threat scenarios according to threat types, which are then mapped to attack types. The safety-security analysis identifies the necessary requirements which have to be tested based on the architecture of the system under test. It determines which safety impact a security violation may have, and in which traffic situations the highest impact is expected. Finally, the results of threat identification and safety-security analysis are used to describe attacks. The goal of SaSeVAL is to achieve safety validation of the vehicle with respect to security concerns. It traces safety goals to threats and to attacks explicitly. Hence, the coverage of safety concerns by security testing is assured. Two use cases, vehicle communication and autonomous driving, are investigated to prove the applicability of the approach.
Submitted 25 June, 2021;
originally announced June 2021.
-
A Process to Facilitate Automated Automotive Cybersecurity Testing
Authors:
Stefan Marksteiner,
Nadja Marko,
Andre Smulders,
Stelios Karagiannis,
Florian Stahl,
Hayk Hamazaryan,
Rupert Schlick,
Stefan Kraxberger,
Alexandr Vasenev
Abstract:
Modern vehicles are becoming increasingly digitalized with advanced information-technology-based solutions like advanced driving assistance systems and vehicle-to-x communications. These systems are complex and interconnected. Rising complexity and increasing outside exposure have created a steadily rising demand for more cyber-secure systems. Thus, standardization bodies and regulators have also issued standards and regulations to prescribe more secure development processes. This security, however, also has to be validated and verified. In order to keep pace with the need for more thorough, quicker and comparable testing, today's generally manual testing processes have to be structured and optimized. Based on existing and emerging standards for cybersecurity engineering, this paper therefore outlines a structured testing process for verifying and validating automotive cybersecurity, for which there is no standardized method so far. Despite presenting a commonly structured framework, the process is flexible in order to allow implementers to utilize their own, accustomed toolsets.
Submitted 25 June, 2021; v1 submitted 25 January, 2021;
originally announced January 2021.
-
Integrating Threat Modeling and Automated Test Case Generation into Industrialized Software Security Testing
Authors:
Stefan Marksteiner,
Rudolf Ramler,
Hannes Sochor
Abstract:
Industrial Internet of Things (IIoT) applications provide a whole new set of possibilities to drive the efficiency of industrial production forward. However, with the higher degree of integration among systems comes a plethora of new threats to the latter, as they are not yet designed to be broadly reachable and interoperable. To mitigate this vast amount of new threats, systematic and automated test methods are necessary. The necessary comprehensiveness can be achieved by thorough threat modeling. In order to automate security testing, we present an approach that automates the testing process from threat modeling onward, closing the gap between threat modeling and automated test case generation.
Submitted 15 November, 2019;
originally announced November 2019.
-
Approaching the Automation of Cyber Security Testing of Connected Vehicles
Authors:
Stefan Marksteiner,
Zhendong Ma
Abstract:
The advancing digitalization of vehicles and automotive systems bears many advantages for creating and enhancing comfort and safety-related systems, ranging from drive-by-wire and the inclusion of advanced displays and entertainment systems up to sophisticated driving assistance and autonomous driving. It, however, also contains the inherent risk of being used for purposes it is not intended for, ranging from small non-authorized customizations to the possibility of full-scale cyberattacks that affect several vehicles up to whole fleets, including vital systems such as steering and engine control. To prevent such conditions and to mitigate cybersecurity risks from affecting the safety of road traffic, cybersecurity testing must be adopted into automotive testing at a large scale. Currently, manual penetration testing processes cannot keep up with the increasing demand due to the time and cost of testing complex systems. We propose an approach for an architecture that (semi-)automates automotive cybersecurity testing, allowing for more economic testing and therefore keeping up with the rising demand induced by new vehicle functions as well as the development towards connected and autonomous vehicles.
Submitted 15 November, 2019;
originally announced November 2019.
-
Requirements and Recommendations for IoT/IIoT Models to automate Security Assurance through Threat Modelling, Security Analysis and Penetration Testing
Authors:
Ralph Ankele,
Stefan Marksteiner,
Kai Nahrgang,
Heribert Vallant
Abstract:
The factories of the future require efficient interconnection of their physical machines into cyber space to cope with the emerging need for increased uptime of machines, higher performance rates, an improved level of productivity and collective collaboration along the supply chain. With the rapid growth of the Internet of Things (IoT) and its application in industrial areas, the so-called Industrial Internet of Things (IIoT)/Industry 4.0 emerged. However, alongside the rapid growth of IoT/IIoT systems, cyber attacks are an emerging threat, and simple manual security testing can often not cope with the scale of large IoT/IIoT networks. In this paper, we suggest extracting metadata from commonly used diagrams and models in a typical software development process to automate the process of threat modelling, security analysis and penetration testing without detailed prior security knowledge. In that context, we present requirements and recommendations for metadata in IoT/IIoT models that are needed as input parameters for security assurance tools.
Submitted 25 June, 2019;
originally announced June 2019.
-
Smart Ticket Protection: An Architecture for Cyber-Protecting Physical Tickets Using Digitally Signed Random Pattern Markers
Authors:
Stefan Marksteiner
Abstract:
In order to counter forgeries of tickets for public transport or mass events, a method to validate them using printed unique random pattern markers was developed. These markers themselves are unforgeable due to their physically random distribution. To assure their authenticity, however, they have to be cryptographically protected and equipped with an environment for successful validation, combining physical and cyber security protection. This paper describes an architecture for cryptographically protecting these markers, which are stored in Aztec codes on physical tickets, in order to assure that only an authorized printer can generate a valid Aztec code of such a pattern, thus providing forgery protection in combination with the randomness and uniqueness of the pattern. Nevertheless, the choice of the signature algorithm is heavily constrained by the sizes of the pattern, ticket provider data, metadata and the signature, confronted with the data volume the code can hold. Therefore, this paper also defines an example signature layout for the proposed architecture. This allows for a lightweight ticket validation system that is both physically and cryptographically secured, forming a smart solution for mass access verification over both shorter and longer periods at relatively low cost.
Submitted 3 September, 2018;
originally announced September 2018.
-
Reasoning on Adopting OPC UA for an IoT-Enhanced Smart Energy System from a Security Perspective
Authors:
Stefan Marksteiner
Abstract:
Smart Services using Industrial Internet of Things (IIoT) applications are on the rise, but still, more often than not, traditional industrial protocols are used to interconnect the entities of the resulting systems. These protocols are mostly not intended for functioning in such a highly interconnected environment and, therefore, often lack even the most fundamental security measures. To address this issue, this paper reasons on the security of a communications protocol intended for machine-to-machine (M2M) communications, namely the Open Platform Communications Unified Architecture (OPC UA), and exemplifies, on a smart energy system, its capability to serve as a secure communications architecture either by itself or in conjunction with traditional protocols.
Submitted 24 September, 2018; v1 submitted 3 September, 2018;
originally announced September 2018.
-
An Overview of Wireless IoT Protocol Security in the Smart Home Domain
Authors:
Stefan Marksteiner,
Víctor Juan Expósito Jiménez,
Heribert Vallant,
Herwig Zeiner
Abstract:
While the application of IoT in smart technologies becomes more and more widespread, the pandemonium of its protocols becomes increasingly confusing. More seriously, severe security deficiencies of these protocols become evident, as time-to-market is a key factor whose satisfaction comes at the price of less thorough security design and testing. This applies especially to the smart home domain, where the consumer-driven market demands quick and cheap solutions. This paper presents an overview of IoT application domains and discusses the most important wireless IoT protocols for the smart home, which are KNX-RF, EnOcean, Zigbee, Z-Wave and Thread. Finally, it describes the security features of said protocols and compares them with each other, giving advice on which protocols are more suitable for a secure smart home.
Submitted 22 January, 2018;
originally announced January 2018.
-
On the Resilience of a QKD Key Synchronization Protocol for IPsec
Authors:
Stefan Marksteiner,
Benjamin Rainer,
Oliver Maurhart
Abstract:
This paper presents a practical solution to the problem of limited bandwidth in Quantum Key Distribution (QKD)-secured communication by using rapidly rekeyed Internet Protocol security (IPsec) links. QKD is a cutting-edge security technology that provides mathematically proven security by using quantum physical effects and information-theoretical axioms to generate a guaranteed non-disclosed stream of encryption keys. Although it has been a field of theoretical research for some time, it has only been producing market-ready solutions for a short period of time. The downside of this technology is that its key generation rate is only around 52,000 key bits per second over a distance of 50 km. As this rate limits the data throughput to the same rate, it is substandard for normal modern communications, especially for securely interconnecting networks. IPsec, on the other hand, is a well-known security protocol that uses classical encryption and is capable of creating precisely such site-to-site virtual private networks. This paper presents a solution that combines the performance advantages of IPsec with QKD. The combination sacrifices only a small portion of QKD security by using the generated keys a limited number of times instead of just once. As a part of this, the solution answers the question of how many data bits per key bit make sensible upper and lower boundaries to yield high performance while maintaining high security. While previous approaches complement the Internet Key Exchange protocol (IKE), this approach simplifies the implementation with a new key synchronization concept, proposing a lightweight protocol that uses relatively few, slim control messages and sparse acknowledgement. Furthermore, it provides a Linux-based module for the AIT QKD software using the Netlink XFRM Application Programmers Interface to feed the quantum key to the IP***ABSTRACT TRUNCATED TO 1920 CHARS***
Submitted 5 January, 2018;
originally announced January 2018.
-
Towards a Secure Smart Grid Storage Communications Gateway
Authors:
Stefan Marksteiner,
Heribert Vallant
Abstract:
This research-in-progress paper describes the role of cyber security measures undertaken in an ICT system for integrating electric storage technologies into the grid. To do so, it defines security requirements for a communications gateway, gives detailed information and hands-on configuration advice on node and communication line security, data storage and coping with backend M2M communications protocols, and examines privacy issues. The presented research paves the road for developing secure smart energy communications devices that allow enhancing energy efficiency. The described measures are implemented in an actual gateway device within the HORIZON 2020 project STORY, which aims at developing new ways to use storage and demonstrating these on six different demonstration sites.
Submitted 9 October, 2017;
originally announced October 2017.
-
An Iterative and Toolchain-Based Approach to Automate Scanning and Mapping Computer Networks
Authors:
Stefan Marksteiner,
Harald Lernbeiß,
Bernhard Jandl-Scherf
Abstract:
As today's organizational computer networks are ever evolving and becoming more and more complex, finding potential vulnerabilities and conducting security audits has become a crucial element in securing these networks. The first step in auditing a network is reconnaissance by mapping it to get a comprehensive overview of its structure. The growing complexity, however, makes this task increasingly effortful, even more so as mapping (instead of plain scanning) presently still involves a lot of manual work. Therefore, the concept proposed in this paper automates the scanning and mapping of unknown and non-cooperative computer networks in order to find security weaknesses or verify access controls. It further helps to conduct audits by allowing the comparison of documented with actual networks and finding unauthorized network devices, as well as evaluating access control methods by conducting delta scans. It uses a novel approach of augmenting data from iteratively chained existing scanning tools with context, using genuine analytics modules to allow assessing a network's topology instead of just generating a list of scanned devices. It further contains a visualization model that provides a clear, lucid topology map and a special graph for comparative analysis. The goal is to provide maximum insight with a minimum of a priori knowledge.
Submitted 3 October, 2017;
originally announced October 2017.