Security and Integrity
Computer Architecture, Embedded and Massively Parallel Systems
Final Report Abstract
The CCC Research Unit involves the coordination of a great number of stakeholders with the goal of allowing incremental change in vehicular platforms. Within this framework, security plays an important role, as it provides a stable base on which the other projects can build upon. Assumptions about any aspect of a vehicular system can be violated by the interference caused by an attacker. For example, traditional safety analysis looks at the probabilities of events occurring, but an attacker can change the odds, breaking those assumptions and thus making the safety analysis irrelevant. With this in mind, the key objective of the B4 Security and Integrity project is to ensure the security of software components and the security of the communications between components. Given the complexity of modern software, the existence of bugs should be considered a certainty. A sizable percentage of these bugs introduce security vulnerabilities that can be expected to be exploited by attackers. An important observation is that, irrespective of the outcome of an attack, the process used by the attacker influences the behavior of the targeted component. This off-nominal behavior may result in missed real-time deadlines, increased CPU load, or even a temperature increase in the CPU core, as more processing resources are consumed during or after an attack. Once a compromised component is detected, the attack must be prevented from spreading to the rest of the system. Thus, containment of any affected components is key to the survivability of complex systems, as in most cases mechanisms exist to disable components or sub-systems so that the system can continue to operate, even if in a degraded manner. We enforce containment at two levels: at the execution environment level, preventing an errant component from attacking other components operating within the same hardware platform (e.g. ECU), and at the network level, enforcing communications only between authorized components while employing data integrity mechanisms in the communication between components, even if they run on different ECUs. However, a heavy-handed system of a potential compromise before an actual security violation occurs. In this way, we can observe the suspect component as it operates within the Red Zone, and characterize the event. In the case of an actual attack we may use the gathered data for digital forensic analysis. This will enable us to adapt our security mechanisms to the particular attack and thus either detect it earlier, or deflect it altogether. Alternatively, if the off-nominal condition turns out not to be the result of an attack, we can allow the component to exit the Red Zone and return to its normal mode of operation. As in the case of an actual attack, the data gathered will allow us to adjust the system so that if the event recurs it will be handled without raising a (false) alarm. Once a software component is found to have violated its security boundaries, the system needs to take some remedial action. The type of response, e.g. taking the component off-line, restarting the component, initiating containment measures (e.g. restarting the entire ECU) and so on, is the responsibility of the Intrusion Response System (IRS). We used the Red-Zone principle as the basis for developing an IRS framework and to manage the interaction between security and safety (i.e. projects B4 and B3). Finally, a supplemental grant was used to develop coding techniques to allow recovery of damaged encrypted data frames.
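The abstract describes a Red-Zone monitor that watches a component's timing and load, moves it into an observation state on off-nominal behaviour, logs evidence for forensics, and then either releases it or hands it to the IRS for containment, with network-level policy refusing traffic from contained components. The following is an added illustration of that state machine and is not code from the report or the project; the thresholds, component names, trace values and action names are all constructed for the example.

```python
"""Illustrative Red-Zone monitor (constructed example, not project code).

A component is tracked per activation cycle. Sustained deadline misses or
excessive CPU load move it into the Red Zone, where it keeps running while
every sample is logged. After an observation window the monitor either
releases the component or escalates to the IRS, which contains it. A
communication policy then refuses messages from contained components.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    NORMAL = "normal"
    RED_ZONE = "red_zone"      # suspect: still running, observed and logged
    CONTAINED = "contained"    # IRS has isolated it from the rest of the system


@dataclass
class Sample:
    cycle: int
    exec_ms: float      # measured execution time of this activation
    cpu_load: float     # fraction of the core consumed by the component


@dataclass
class Component:
    name: str
    deadline_ms: float          # real-time deadline for one activation
    load_limit: float           # expected upper bound on CPU load
    state: State = State.NORMAL
    strikes: int = 0            # consecutive off-nominal samples while NORMAL
    rz_cycles: int = 0          # cycles spent in the current Red Zone stay
    rz_violations: int = 0      # off-nominal samples during that stay
    evidence: list = field(default_factory=list)   # forensic log


class RedZoneMonitor:
    def __init__(self, entry_strikes=2, observe_cycles=4, max_violations=2):
        self.entry_strikes = entry_strikes      # strikes before entering Red Zone
        self.observe_cycles = observe_cycles    # length of the observation window
        self.max_violations = max_violations    # violations that trigger the IRS

    @staticmethod
    def off_nominal(comp: Component, s: Sample) -> bool:
        return s.exec_ms > comp.deadline_ms or s.cpu_load > comp.load_limit

    def observe(self, comp: Component, s: Sample) -> str:
        """Feed one measurement and return the action taken this cycle."""
        if comp.state is State.CONTAINED:
            return "blocked"
        bad = self.off_nominal(comp, s)
        if comp.state is State.NORMAL:
            comp.strikes = comp.strikes + 1 if bad else 0
            if comp.strikes >= self.entry_strikes:
                comp.state = State.RED_ZONE
                comp.rz_cycles = comp.rz_violations = 0
                comp.evidence.append(("enter", s))
                return "enter_red_zone"
            return "ok"
        # RED_ZONE: keep the component running but record everything
        comp.evidence.append(("observe", s))
        comp.rz_cycles += 1
        if bad:
            comp.rz_violations += 1
        if comp.rz_cycles < self.observe_cycles:
            return "observe"
        comp.strikes = 0
        if comp.rz_violations >= self.max_violations:
            comp.state = State.CONTAINED      # hand over to the IRS
            return "irs_contain"
        comp.state = State.NORMAL             # false alarm: release
        return "exit_red_zone"


class CommPolicy:
    """Network-level containment: a message passes only if the (src, dst)
    pair is explicitly authorized and the sender has not been contained."""

    def __init__(self, allowed_pairs):
        self.allowed = set(allowed_pairs)

    def permit(self, src: Component, dst: Component) -> bool:
        return src.state is not State.CONTAINED and (src.name, dst.name) in self.allowed


def run_demo() -> dict:
    """Two constructed traces: a sustained overrun that ends in containment,
    and a transient glitch that is released from the Red Zone."""
    speed = Component("speed_sensor", deadline_ms=5.0, load_limit=0.4)
    ctrl = Component("cruise_ctrl", deadline_ms=10.0, load_limit=0.5)
    mon = RedZoneMonitor(entry_strikes=2, observe_cycles=4, max_violations=2)
    policy = CommPolicy({("speed_sensor", "cruise_ctrl")})
    speed_trace = [Sample(0, 3.1, 0.2), Sample(1, 3.3, 0.2), Sample(2, 6.0, 0.7),
                   Sample(3, 6.5, 0.8), Sample(4, 7.0, 0.8), Sample(5, 4.0, 0.3),
                   Sample(6, 6.9, 0.9), Sample(7, 7.2, 0.9), Sample(8, 3.0, 0.2)]
    ctrl_trace = [Sample(0, 11.0, 0.3), Sample(1, 11.5, 0.3), Sample(2, 9.0, 0.3),
                  Sample(3, 9.0, 0.3), Sample(4, 9.0, 0.3), Sample(5, 9.0, 0.3)]
    return {
        "speed_actions": [mon.observe(speed, s) for s in speed_trace],
        "ctrl_actions": [mon.observe(ctrl, s) for s in ctrl_trace],
        "speed_state": speed.state.value,
        "ctrl_state": ctrl.state.value,
        "speed_may_send": policy.permit(speed, ctrl),
        "speed_evidence": len(speed.evidence),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The observation window is what separates this from a plain threshold alarm: a component that overruns briefly (the `cruise_ctrl` trace) is logged and released, while one that keeps overrunning (the `speed_sensor` trace) is escalated, and the evidence list collected in both cases is what a later forensic or tuning step would consume.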
Publications
- V. Prevelakis and M. Hamad. A policy-based communications architecture for vehicles. In 2015 International Conference on Information Systems Security and Privacy (ICISSP) (pp. 155-162). IEEE, 2015.
- V. Prevelakis and M. Hamad. Extending the Operational Envelope of Applications. In 8th International Conference on Trust & Trustworthy Computing (TRUST 2015), 2015.
- M. Hamad and V. Prevelakis. Implementation and performance evaluation of embedded IPsec in microkernel OS. In 2015 World Symposium on Computer Networks and Information Security (WSCNIS) (pp. 1-7). IEEE, 2015.
- M. Hamad, J. Schlatow, V. Prevelakis, and R. Ernst. A communication framework for distributed access control in microkernel-based systems. In 12th Annual Workshop on Operating Systems Platforms for Embedded Real-Time Applications (OSPERT16), 2016.
- M. Hamad, M. Nolte, and V. Prevelakis. Towards comprehensive threat modeling for vehicles. In the 1st Workshop on Security and Dependability of Critical Embedded Real-Time Systems, 2016.
- M. Hamad, M. Nolte, and V. Prevelakis. A framework for policy based secure intra vehicle communication. In 2017 IEEE Vehicular Networking Conference (VNC) (pp. 1-8). IEEE, 2017.
- M. Hamad and V. Prevelakis. Secure APIs for Applications in Microkernel-based Systems. In 3rd International Conference on Information Systems Security and Privacy, 2017.
- M. Ayoob, W. Adi, and V. Prevelakis. Using ciphers for failure-recovery in ITS systems. In the 12th International Conference on Availability, Reliability and Security, ARES '17, 2017.
- M. Hamad, Z. A. Hammadeh, S. Saidi, V. Prevelakis, and R. Ernst. Prediction of abnormal temporal behavior in real-time systems. In Proceedings of the 33rd Annual ACM Symposium on Applied Computing (pp. 359-367). ACM, 2018.
- M. Hamad, M. R. Agha, and V. Prevelakis. ProSEV: Proxy-Based Secure and Efficient Vehicular Communication. In 2018 IEEE Vehicular Networking Conference (VNC) (pp. 1-8). IEEE, 2018.
- M. Tsantekidis and V. Prevelakis. Efficient Monitoring of Library Call Invocation. In the 2nd IEEE International Symposium on Future Cyber Security Technologies (FCST 2019), Spain, 2019.
- M. Hamad, M. Tsantekidis, and V. Prevelakis. Red-Zone: Towards an Intrusion Response Framework for Intra-Vehicle System. In the 5th International Conference on Vehicle Technology and Intelligent Transport Systems (VEHITS), Crete, Greece, 201