Table of Links
Abstract and 1 Introduction
2. Current Security Testing Platforms
2.1. Recent progress
3. A New Testing Platform and 3.1. Testing platform roles
3.2. Web-based remote access
3.3. Testbed setup
4. Enabled Testing Methodologies
4.1. Secure Development Lifecycle (SDL) testing and 4.2. Penetration testing
4.3. Research testing
5. Conclusion & Outlook, and References
4.3. Research testing
We now discuss how our testing platform can enable a researcher to rapidly establish and experiment with numerous ECU networks to support their security research. A testing platform where the ECUs present on the bus can be easily configured to support the development of a research project is ideal for fine-tuning an attack or defense.
Enhancing test bed functionality. For research use cases, it is critical to have a programmable ECU on the network to launch attacks or implement defenses. Typically, simulation-based environments remove realworld characteristics, such as bus voltage, bit-level CAN bus arbitration, bus errors, etc. Likewise, advanced attacks beyond simple CAN bus injection often require microcontroller-level timing precision that cannot be achieved by the PC-USB interface. Thus, our platform includes an automotive-grade MCU to mimic having programming access to an ECU. For other testing purposes, a bench with MCUs from several vendors could enable a user to test with different vendor libraries and MCU features very quickly.
Exploring real research use cases. We identify a set of research projects that use a similar test setup and demonstrate how our testing platform could have made that research easier and more efficient. To demonstrate the usefulness of this new remote and configurable platform, we implement and test three different open-source research implementations using a single bench of ECUs. We remotely run the CANvas network mapper [10] to correctly identify unique ECUs on two CAN buses with different speeds and across several configurations network topologies. We also remotely demonstrate the CANnon bus disruption attack [11] using the automotive-grade microcontroller on our bench and observe numerous faults on the CAN bus, which were captured by the attached Saleae logic analyzer. Finally, we remotely deploy techniques from the CANdid authentication bypass attack [9] against three configurations of a single bench, where we isolate three powertrain ECUs from three different vehicle models using our relay-controlled power inputs and observe the same ability to control the randomness of the challenge. The CANnon and CANdid attack require launching attacks from an automotive-grade microcontroller and require an attached oscilloscope or logic analyzer to finetune certain parameters, which are all features offered by our testing platform.
Offering new services. A unique challenge with automotive security research is the lack of hands-on demonstrators for the community to experiment and test with. We envision the offering of new services that permit access to research examples of attacks, defenses, measurement techniques, etc. Instead of limiting the availability of research to published code and papers, the ability to remotely access a running sample in a real in-vehicle network environment would strengthen the research community. In cases where code or hardware descriptions do not want to be publicly disclosed, our testing platform could enable such access.
Authors:
(1) Sekar Kulandaivel, Robert Bosch LLC — Research and Technology Center;
(2) Wenjuan Lu, Block Harbor Cybersecurity;
(3) Brandon Barry, Block Harbor Cybersecurity;
(4) Jorge Guajardo, Robert Bosch LLC — Research and Technology Center.
