In recent years, significant developments have been introduced in the vehicular domain, turning the vehicle into a network of many embedded systems distributed throughout the car, known as Electronic Control Units (ECUs). Each ECU runs a number of software components that collaborate to perform the various vehicle functions. Modern vehicles are also equipped with wireless communication technologies such as WiFi and Bluetooth, giving them the ability to interact with other vehicles and with roadside infrastructure. While these improvements have increased the safety of the automotive system, they have vastly expanded the attack surface of the vehicle and opened the door to new security risks. The situation is made worse by the lack of security mechanisms in the vehicular system, which allows a compromise of one non-critical subsystem to escalate until it threatens the safety of the entire vehicle and its passengers.
This dissertation focuses on providing a comprehensive framework that ensures the security of the vehicular system during its whole life-cycle. This framework aims to prevent cyber-attacks against different components by ensuring secure communications among them. Furthermore, it aims to detect attacks that were not prevented successfully, and finally, to respond to these attacks properly to ensure a high degree of safety and stability of the system.
The thesis starts by developing a hybrid threat model that combines multiple existing threat modeling approaches into a more comprehensive one. This model defines (1) the various potential groups of attackers that may threaten the vehicular system, together with their capabilities, (2) the potential targets (i.e., assets) of these groups and the vulnerabilities they include, and (3) the security requirements for these targets that should be considered to prevent the attacker from compromising them.
Once the security requirements have been derived from the proposed threat model, the thesis addresses the challenge of developing the security policy that implements them. The thesis presents a methodology supporting the gradual definition of the security policy. Under our methodology, the designer of each software component is responsible for formulating the security policy of that component. As components get integrated into larger subsystems, the individual policies are merged into the subsystem policy. This continues up the integration hierarchy until the policy of the complete vehicle is obtained.
The thesis also shows how to enforce the developed security policy efficiently by using a lightweight distributed access-control framework implemented within each ECU. Enforcement takes place at the network level: only communications between authorized components are allowed, and data integrity mechanisms protect the communication between components even when they run on different ECUs. In this way, we provide a level of compartmentalization in the in-vehicle network. Under this scheme, a malicious application may still be able to send malicious packets to the remote peers it is authorized to talk to, but it is prevented from attacking components with which it is not authorized to communicate.
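The following toy model illustrates the two preceding ideas together: the bottom-up merging of component policies into subsystem and vehicle policies, and the per-ECU network-level enforcement that drops unauthorized flows and verifies an integrity tag on authorized ones. It is an added example, not code from the dissertation; the component names, channels, the rule that a flow is permitted only when both endpoints declare it, and the HMAC-based key derivation are all assumptions made for this illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed example: component names, channels, the key-derivation scheme
# and the "both endpoints must declare a flow" merge rule are assumptions.

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    channel: str

@dataclass(frozen=True)
class Policy:
    members: frozenset          # components covered by this policy
    permitted: frozenset        # flows authorised inside this scope
    pending_sends: frozenset    # flows whose destination is outside the scope
    pending_accepts: frozenset  # flows whose source is outside the scope

def component_policy(name, sends=(), accepts=()):
    """Policy written by the designer of one component: the (peer, channel)
    pairs it sends to and the (peer, channel) pairs it accepts from."""
    return Policy(frozenset({name}), frozenset(),
                  frozenset(Flow(name, d, c) for d, c in sends),
                  frozenset(Flow(s, name, c) for s, c in accepts))

def merge(*policies):
    """Merge policies one integration level up. A flow becomes permitted only
    when the sender's and the receiver's policies both declare it. A flow
    declared by one side only, while both sides are already in scope, is a
    conflict for the integrator to resolve rather than something silently allowed."""
    members = frozenset().union(*(p.members for p in policies))
    permitted = set().union(*(p.permitted for p in policies))
    sends = set().union(*(p.pending_sends for p in policies))
    accepts = set().union(*(p.pending_accepts for p in policies))
    matched = sends & accepts
    permitted |= matched
    conflicts = {f for f in (sends | accepts) - matched
                 if f.src in members and f.dst in members}
    merged = Policy(members, frozenset(permitted),
                    frozenset(sends - matched - conflicts),
                    frozenset(accepts - matched - conflicts))
    return merged, frozenset(conflicts)

def derive_flow_keys(policy, master_key):
    """One integrity key per permitted flow (assumed: derived from a master key
    provisioned to the ECUs; a real deployment would use its own key management)."""
    return {f: hmac.new(master_key, f"{f.src}|{f.dst}|{f.channel}".encode(),
                        hashlib.sha256).digest()
            for f in policy.permitted}

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

class Enforcer:
    """Network-level enforcement point inside each ECU: drops frames for flows
    outside the policy and adds/verifies an HMAC-SHA256 tag so that a frame
    for an authorised flow cannot be forged or modified in transit."""
    def __init__(self, policy, keys):
        self.permitted = policy.permitted
        self.keys = keys

    def send(self, flow, payload):
        if flow not in self.permitted:
            return None                     # dropped at the sending ECU
        tag = hmac.new(self.keys[flow], payload, hashlib.sha256).digest()
        return payload + tag

    def receive(self, flow, frame):
        if flow not in self.permitted or frame is None or len(frame) < TAG_LEN:
            return None                     # dropped at the receiving ECU
        payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.keys[flow], payload, hashlib.sha256).digest()
        return payload if hmac.compare_digest(tag, expected) else None

def build_vehicle_policy():
    """Two subsystems integrated into a vehicle policy (all names constructed)."""
    body, _ = merge(
        component_policy("infotainment", sends={("gateway", "nav"), ("brake_ctrl", "cmd")}),
        component_policy("gateway", sends={("brake_ctrl", "brake_req")},
                         accepts={("infotainment", "nav"), ("speed_sensor", "speed")}))
    chassis, _ = merge(
        component_policy("brake_ctrl", accepts={("gateway", "brake_req")}),
        component_policy("speed_sensor", sends={("gateway", "speed")}))
    return merge(body, chassis)             # (vehicle policy, conflicts)

def demo():
    vehicle, conflicts = build_vehicle_policy()
    enforcer = Enforcer(vehicle, derive_flow_keys(vehicle, b"constructed-master-key"))
    nav = Flow("infotainment", "gateway", "nav")
    cmd = Flow("infotainment", "brake_ctrl", "cmd")
    frame = enforcer.send(nav, b"route update")   # authorised flow: passes even if the sender is malicious
    tampered = bytes([frame[0] ^ 1]) + frame[1:]  # modified in transit
    return {
        "conflicts": conflicts,
        "authorised_delivered": enforcer.receive(nav, frame),
        "unauthorised_dropped": enforcer.send(cmd, b"brake!") is None,
        "tampered_dropped": enforcer.receive(nav, tampered) is None,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The demo shows the limit stated above: a compromised `infotainment` component can still deliver whatever it likes on the `nav` channel it is authorized for, but its attempt to reach `brake_ctrl` is dropped at its own ECU, and a frame altered on the wire is rejected by the receiving ECU.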
A heavy-handed security policy may adversely impact availability. Taken to the extreme, a secure system is a silent system that does not interact with its environment, and this is clearly not the intent of a security policy aimed at a vehicular platform. So we face a conundrum: a stricter system produces false positives that hurt availability and overall performance, while a more permissive system may fail to detect attacks (false negatives), leading to the demise of the platform. The thesis addresses this issue by using the Red-Zone principle, whereby a tighter inner security envelope alerts the security system to a potential compromise before an actual security violation occurs. In this way, we can observe the suspect component as it operates within the Red-Zone and characterize the event. We leverage the Red-Zone principle to develop a run-time mechanism that detects the onset of an attack and prevents the attacker from gaining a foothold. The thesis defines temporal specifications for each hard real-time software component within the vehicle, to be used as a baseline for its nominal behavior. Attacks such as code injection or denial of service (DoS) will usually breach this temporal specification and are thus detected.
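As an added illustration of the Red-Zone principle applied to a temporal specification (this is example code, not the dissertation's monitor), the monitor below checks each completed job of one hard real-time component against two envelopes: the hard limits (execution-time budget, deadline, minimum inter-arrival time) and a tighter inner envelope derived from them. Breaching the inner envelope yields a Red-Zone verdict that is only an alert to observe the component; breaching a hard limit is a violation to hand over to the intrusion response. The spec values, the fixed ratio used for the inner envelope and the trace (injected code inflating execution time, then a burst of activations resembling a DoS) are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed example: the spec values, the trace and the choice of a fixed
# ratio for the inner envelope are assumptions made for this illustration.

class Verdict(Enum):
    NOMINAL = 0
    RED_ZONE = 1      # inner envelope breached: alert and observe the component
    VIOLATION = 2     # hard envelope breached: hand over to the IRS

@dataclass(frozen=True)
class TemporalSpec:
    period_us: int            # activation period; the deadline is assumed equal to it
    wcet_us: int              # execution-time budget (worst-case execution time)
    min_interarrival_us: int  # fastest legitimate re-activation of the component
    red_zone_ratio: float     # inner envelope as a fraction of each hard limit

@dataclass(frozen=True)
class Job:
    release_us: int
    start_us: int
    end_us: int

class RedZoneMonitor:
    """Checks the completed jobs of one hard real-time component against its
    temporal specification using a hard envelope and a tighter Red-Zone one."""
    def __init__(self, spec):
        self.spec = spec
        self.last_release_us = None
        self.red_zone_streak = 0   # consecutive jobs observed inside the Red-Zone

    def _upper(self, name, value, limit):
        """Quantities that must stay below a limit (execution and response time)."""
        inner = self.spec.red_zone_ratio * limit
        if value > limit:
            return Verdict.VIOLATION, f"{name}={value}us exceeds limit {limit}us"
        if value > inner:
            return Verdict.RED_ZONE, f"{name}={value}us inside Red-Zone (>{inner:.0f}us)"
        return Verdict.NOMINAL, None

    def _lower(self, name, value, limit):
        """Quantities that must stay above a limit (inter-arrival time)."""
        inner = limit / self.spec.red_zone_ratio
        if value < limit:
            return Verdict.VIOLATION, f"{name}={value}us below minimum {limit}us"
        if value < inner:
            return Verdict.RED_ZONE, f"{name}={value}us inside Red-Zone (<{inner:.0f}us)"
        return Verdict.NOMINAL, None

    def check(self, job):
        """Return (verdict, reasons) for one job; the verdict is the most severe finding."""
        s = self.spec
        findings = [
            self._upper("exec_time", job.end_us - job.start_us, s.wcet_us),
            self._upper("response_time", job.end_us - job.release_us, s.period_us),
        ]
        if self.last_release_us is not None:
            findings.append(self._lower("interarrival",
                                        job.release_us - self.last_release_us,
                                        s.min_interarrival_us))
        self.last_release_us = job.release_us
        verdict = max((v for v, _ in findings), key=lambda v: v.value)
        self.red_zone_streak = self.red_zone_streak + 1 if verdict is Verdict.RED_ZONE else 0
        return verdict, [reason for _, reason in findings if reason]

def monitor_trace(spec, jobs):
    monitor = RedZoneMonitor(spec)
    return [monitor.check(job) for job in jobs]

def sample_spec():
    return TemporalSpec(period_us=10_000, wcet_us=2_000,
                        min_interarrival_us=7_000, red_zone_ratio=0.8)

def sample_trace():
    """Constructed trace: two nominal jobs; injected code inflating execution
    time (Red-Zone, then violation); a burst of activations like a DoS on the
    component (Red-Zone, then violation)."""
    return [
        Job(0, 100, 1_300),
        Job(10_000, 10_100, 11_350),
        Job(20_000, 20_100, 21_850),   # exec 1750us > 1600us inner envelope
        Job(30_000, 30_100, 32_300),   # exec 2200us > 2000us WCET budget
        Job(40_000, 40_100, 41_300),
        Job(48_500, 48_600, 49_800),   # gap 8500us < 8750us inner envelope
        Job(53_000, 53_100, 54_300),   # gap 4500us < 7000us minimum inter-arrival
    ]

if __name__ == "__main__":
    for job, (verdict, reasons) in zip(sample_trace(), monitor_trace(sample_spec(), sample_trace())):
        print(job.release_us, verdict.name, reasons)
```

The Red-Zone verdicts are where the observation window lies: the component has drifted outside its nominal profile but has not yet missed a deadline or exhausted its budget, so the security system can characterize the event (and, for instance, track `red_zone_streak`) before deciding whether a response is warranted.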
Once a software component is found to have violated its security boundaries, the system needs to take some remedial action. The choice of response, e.g., taking the component offline, restarting the component, initiating containment measures (e.g., resetting the entire ECU), and so on, is the responsibility of the Intrusion Response System (IRS). This thesis uses the Red-Zone principle as the basis for developing an IRS framework that manages the interaction between the security and the safety of the system.