Academia.eduAcademia.edu

Outline

Title
Abstract
FAQs
Introduction
Related Work
Conclusions and Future Work
References
All Topics
Computer Science

CINNAMON: A Module for AUTOSAR Secure Onboard Communication

Profile image of Ilaria MatteucciIlaria Matteucci

2020, 2020 16th European Dependable Computing Conference (EDCC)

https://doi.org/10.1109/EDCC51268.2020.00026
visibility

description

8 pages

link

1 file

Abstract

This paper introduces CINNAMON, a software module that extends and seamlessly integrates with the AU-TOSAR "Secure Onboard Communication" (SecOC) module [3], [5] to also account for confidentiality of data in transit. It stands for Confidential, INtegral aNd Authentic on board coMunicatiON (CINNAMON). It takes a resource-efficient and practical approach to ensure, at the same time, confidentiality, integrity and authenticity of frames. The main new requirement that CINNAMON puts forward is the use of encryption and thus, as a result, CINNAMON exceeds SecOC against information gathering attacks. This paper sets forth the essential requirements and specification of the new module by detailing where and how to position it within AUTOSAR and by emphasizing the relevant upgrades with respect to SecOC. The presentation continues with the definition of a Security Profile and a summary of a prototype implementation of ours [8], [9]. While CINNAMON is easily extensible, for example through the definition of additional profiles, the current performances obtained on inexpensive boards support the claim that the approach is feasible.

FAQs

sparkles

AI

What are the key features of the CINNAMON module compared to SecOC?add

CINNAMON enhances SecOC by introducing symmetric-key encryption, ensuring confidentiality alongside integrity and authenticity. This novel approach effectively counters information gathering attacks on the CAN bus.

How does CINNAMON handle encryption without significant computational overhead?add

Using the Chaskey MAC function and SPECK 64/128 encryption, CINNAMON manages a negligible overhead of under 6µs on inexpensive hardware. This efficient design maintains communication speed while securing data.

What specific vulnerabilities does CINNAMON address in automotive security?add

CINNAMON addresses vulnerabilities associated with information gathering attacks that exploit the lack of confidentiality in CAN bus communications. Notably, it mitigates risks such as unauthorized interpretation of CAN frame payloads.

What is the impact of CINNAMON on existing CAN bus security protocols?add

CINNAMON integrates with AUTOSAR, enhancing existing security protocols by adding encryption capabilities that existing models lack. This compatibility ensures a seamless transition while improving overall vehicular communication security.

How does the threat model for CINNAMON inform its design?add

CINNAMON's threat model anticipates active attackers with limited control over ECUs, prompting the design to prioritize confidentiality and secure frame transmission. This consideration directly shapes its cryptographic strategies and security requirements.

Related papers

Using AUTOSAR High-Level Specifications for the Synthesis of Security Components in Automotive Systems
Gianluca Dini

Lecture Notes in Computer Science, 2016

The increasing complexity and autonomy of modern automotive systems, together with the safety-sensitive nature of many vehicle information flows require a careful analysis of the security requirements and adequate mechanisms for ensuring integrity and confidentiality of data. This is especially true for (semi-)autonomous vehicle systems, in which user intervention is limited or absent, and information must be trusted. This paper provides a proposal for the representation of high-level security properties in the specification of application components according to the AUTOSAR standard (AUTomotive Open System ARchitecture). An automatic generation of security components from security-annotated AUTOSAR specifications is also proposed. It provides for the automatic selection of the adequate security mechanisms based on a high-level specification, thus avoiding complex and error-prone manual encodings by the designer. These concepts and tools are applied to a paradigmatic example in order to show their simplicity and efficacy.

View PDFchevron_right
Secure, Network-Centric Operations of a Space-Based Asset: –an Abridged Report
Lloyd Wood

Earth-Sun System …, 2005

a Cisco Internet router (Cisco Systems, Inc., San Jose, CA) was launched into low Earth orbit onboard the UK-DMC, the disaster-monitoring satellite built by Surrey Satellite Technology Limited (SSTL, Guildford, UK). This router has since been successfully tested and demonstrated by an international government and private sector collaboration, showing how IP can be used to communicate with satellite payloads in space.

View PDFchevron_right
Secure Communication for E-Navigation and Remote Control of Unmanned Ships
Ørnulf Jan Rødseth

In proceedings of 14th Conference on Computer and IT Applications in the Maritime Industries - COMPIT'15.

Emerging ship control paradigms, including e-navigation and unmanned ships, rely more and more on digital communication between ships and between ship and shore. This paper gives an overview of communication needs for these emerging systems. Dependence on communication links may be abused by hostile or negligent parties through interference with communicated data or by jamming radio links. The paper also looks at these threats. Finally, the paper will discuss some of the remedies that are available to reduce threats, including new international standards for communication equipment and networks.

View PDFchevron_right
Design and Implementation of an Encryption Unit to Enhance Satellite Communication Security
Yasir ABBAS

Journal of Karary University for Engineering and Science

Satellite projects consume very high resources in all of their phases (research, design, manufacturing, testing and launching), they also extend for significant amount of time, and hence satellites must be protected against intrusion and data perception. Over the past years, satellite security has been overlooked except for military satellites because satellite intrusions were inconceivable as they far away from earth, but recently commercial satellite manufacturers realized the importance of satellite security because satellite intrusion became not an impossible task. In this paper, we present the design and implementation of encryption unit to secure satellite communication system by ciphering tele-commands using advanced encryption algorithm (AES) with random key generation, Diffie-Hellman key exchange algorithm and Hash-based message authentication code (HMAC) digital signature algorithm.

View PDFchevron_right
Security Enhancements of the Surveillance Data Exchange Protocol “ASTERIX”
Petr Jonáš

DEStech Transactions on Computer Science and Engineering

The surveillance information are key data for all air navigation service providers which are responsible for the safety of the air passengers and the efficiency of Air Traffic Management system. In this paper, we have focused on the analysis of a protocol used to carry the surveillance information from the sensor to the ATC centre as well as amongst variety of ATM applications inside the ATC centre. As the original ASTERIX protocol has been developed without any security mechanism, it constitutes a major vulnerability. This deficiency has been acknowledged by the AMG (ASTERIX management group) which is seeking a remedy. In this article we describe a proposal to implement the security features into the protocol.

View PDFchevron_right
Protecting Military Avionics Platforms from Attacks on MIL-STD-1553 Communication Bus
gaby shugol

ArXiv, 2017

MIL-STD-1553 is a military standard that defines the physical and logical layers, and a command/response time division multiplexing of a communication bus used in military and aerospace avionic platforms for more than 40 years. As a legacy platform, MIL-STD-1553 was designed for high level of fault tolerance while less attention was taken with regard to security. Recent studies already addressed the impact of successful cyber attacks on aerospace vehicles that are implementing MIL-STD-1553. In this study we present a security analysis of MIL-STD-1553. In addition, we present a method for anomaly detection in MIL-STD-1553 communication bus and its performance in the presence of several attack scenarios implemented in a testbed, as well as results on real system data. Moreover, we propose a general approach towards an intrusion detection system (IDS) for a MIL-STD-1553 communication bus.

View PDFchevron_right
High-Assurance Cyber Space Systems for Small Satellite Mission Integrity
Enrique Leon

2017

As the complexity of embedded computing platforms continues to grow, small satellites are increasingly deployed with operating systems having known cybersecurity vulnerabilities. Using common exploit techniques, potential intruders may compromise the capabilities and the integrity of the space mission. Moreover, the prominent use of commercial off-the-shelf (COTS) products in small satellites also increases the probability of attack via widely known vulnerabilities associated with commercially manufactured parts. System developers frequently assume that software and hardware components communicate through specified interfaces and primary data paths, but these assumptions cannot be fully guaranteed. By architecting secure space vehicle and ground control systems with functionally correct software components, mission critical vulnerabilities may be reduced.

View PDFchevron_right
SCR: A Practical Approach to Building a High Assurance COMSEC System
Constance Heitmeyer

1999

To date, the tabular based SCR (Software Cost Reduction) method has been applied mostly to the development of embedded control systems. The paper describes the successful application of the SCR method, including the SCR* toolset, to a different class of system, a COMSEC (Communications Security) device called CD that must correctly manage encrypted communications. The paper summarizes how the tools in SCR* were used to validate and to debug the SCR specification and to demonstrate that the specification satisfies a set of critical security properties. The development of the CD specification involved many tools in SCR*: a specification editor, a consistency checker, a simulator, the TAME interface to the theorem prover PVS, and various other analysis tools. Our experience provides evidence that use of the SCR* toolset to develop high quality requirements specifications of moderately complex COMSEC systems is both practical and low cost

View PDFchevron_right
Secure Communications in Embedded Systems
Andreas Steffen

CRC Industrial Information Technology …, 2004

View PDFchevron_right
Ensuring the Security of Space Systems from Eavesdropping Attacks
Caleb Richardson

International Conference on Cyber Warfare and Security, 2022

In a day and age where satellite communications are more important than ever to ensure global communication, establish international military power, and support our everyday way of life, satellite security must be at the forefront of innovation. However, eavesdropping attacks pose a serious threat to satellite communication systems that have not been adequately addressed. An eavesdropping attack threatens to put sensitive data in the wrong hands or even jeopardize critical missions. Research is needed to explore why defense against eavesdropping attacks is crucial, particularly for satellite systems. Three potential solutions to the problem are presented, addressing different challenges. Realistic solutions to the eavesdropping threat are needed urgently to defend the space domain from malicious threats.

View PDFchevron_right

References (35)

  1. Embedded Systems Academy. CANcrypt. https://www.cancrypt.eu/, 2018.
  2. ARM. Arm TrustZone Technology, 2020.
  3. AUTOSAR. Requirements on Secure Onboard Communication, 2019.
  4. AUTOSAR. Specification of Key Manager, 2019.
  5. AUTOSAR. Specification of Secure Onboard Communication AU- TOSAR CP R19-11, 2019.
  6. BBC. Hack attacks mounted on car control systems. https://www.bbc. com/news/10119492, 2010.
  7. Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, and Louis Wingers. The simon and speck families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404, 2013. https://eprint.iacr.org/2013/404.
  8. Giampaolo Bella, Pietro Biondi, Gianpiero Costantino, and Ilaria Mat- teucci. Are you secure in your car?: poster. In Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2019, Miami, Florida, USA, May 15-17, 2019, pages 308-309. ACM, 2019.
  9. Giampaolo Bella, Pietro Biondi, Gianpiero Costantino, and Ilaria Mat- teucci. TOUCAN: A protocol to secure controller area network. In Proceedings of the ACM Workshop on Automotive Cybersecurity, AutoSec@CODASPY 2019, Richardson, TX, USA, March 27, 2019, pages 3-8, 2019.
  10. Cinzia Bernardeschi, Marco Di Natale, Gianluca Dini, and Dario Varano. Modeling and generation of secure component communications in AUTOSAR. In Proceedings of the Symposium on Applied Computing, SAC '17, page 1473-1480, New York, NY, USA, 2017. Association for Computing Machinery.
  11. Mario Luca Bernardi, Marta Cimitile, Fabio Martinelli, and Francesco Mercaldo. Driver and Path Detection through Time-Series Classification. Journal of Advanced Transportation, 2018:1-20, 2018.
  12. Charlie Miller Chris Valasek. Adventures in Automotive Networks and Control Units, 2020.
  13. Lucian Constantin. Researchers hack Tesla Model S with remote attack. https://www.pcworld.com/article/3121999/ researchers-demonstrate-remote-attack-against-tesla-model-s.html, 2016.
  14. National Instruments Corporation. FlexRay Automotive Communication Bus Overview, 2020.
  15. Gianpiero Costantino and Ilaria Matteucci. CANDY CREAM -hacking infotainment android systems to command instrument cluster via can data frame. In Meikang Qiu, editor, 2019 IEEE International Conference on Computational Science and Engineering, CSE 2019, and IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2019, New York, NY, USA, August 1-3, 2019, pages 476-481. IEEE, 2019.
  16. Luca Dariz, Michele Selvatici, Massimiliano Ruggeri, Gianpiero Costantino, and Fabio Martinelli. Trade-off analysis of safety and security in CAN bus communication. In 5th IEEE International Conference on Models and Technologies for Intelligent Transportation Systems, MT-ITS 2017, Naples, Italy, June 26-28, 2017, pages 226-231. IEEE, 2017.
  17. European Data Protection Board. Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications. https://edpb.europa.eu/sites/edpb/files/consultation/edpb guidelines 202001 connectedvehicles.pdf, 2020.
  18. Bogdan Groza, Stefan Murvay, Anthony Van Herrewege, and Ingrid Verbauwhede. Libra-can: a lightweight broadcast authentication protocol for controller area networks. In International Conference on Cryptology and Network Security, pages 185-200, Cham, 2012. Springer.
  19. Ahmed Hazem and HA Fahmy. Lcap-a lightweight can authentication protocol for securing in-vehicle networks. In 10th escar Embedded Security in Cars Conference, Berlin, Germany, volume 6, 2012.
  20. International Organization for Standardization. ISO/IEC 11889-1:2015 -Trusted Platform Module library. https://www.iso.org/standard/66510. html, 2015.
  21. International Organization for Standardization. Road vehicles -Con- troller area network (CAN) -Part 1: Data link layer and physical signalling. https://www.iso.org/standard/63648.html, 2015.
  22. Jeff Crume. OwnStar: Yet another car hack. https://insideinternetsecurity.wordpress.com/2015/08/05/ ownstar-yet-another-car-hack/, 2015.
  23. Ryo Kurachi, Yutaka Matsubara, Hiroaki Takada, Naoki Adachi, Yuki- hiro Miyashita, and Satoshi Horihata. Cacan-centralized authentication system in can (controller area network). In 14th Int. Conf. on Embedded Security in Cars (ESCAR 2014), 2014.
  24. Miro Enev, Alex Takakuwa, Karl Koscher, and Tadayoshi Kohno. Automobile Driver Fingerprinting. https://petsymposium.org/2016/files/ papers/Automobile Driver Fingerprinting.pdf, 2016.
  25. Nicky Mouha, Bart Mennink, Anthony Van Herrewege, Dai Watanabe, Bart Preneel, and Ingrid Verbauwhede. Chaskey: An efficient mac algorithm for 32-bit microcontrollers. In Antoine Joux and Amr Youssef, editors, Selected Areas in Cryptography -SAC 2014, pages 306-323, Cham, 2014. Springer International Publishing.
  26. O.Hartkopp, C. Reuber, and R.Schilling. Macan message authenticated can. 2012.
  27. Andreea-Ina Radu and Flavio D. Garcia. Leia: A lightweight authen- tication protocol for can. In Ioannis Askoxylakis, Sotiris Ioannidis, Sokratis Katsikas, and Catherine Meadows, editors, Computer Security -ESORICS 2016, pages 283-300, Cham, 2016. Springer International Publishing.
  28. European Union. General Data Protection Regulation(EU Regulation 2016/679). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri= OJ:L:2016:119:FULL, 2016.
  29. Chris Valasek and Charlie Miller. Remote Exploitation of an Unaltered Passenger Vehicle. http://illmatics.com/Remote%20Car%20Hacking. pdf, 2015.
  30. Anthony Van Herrewege, Dave Singelee, and Ingrid Verbauwhede. Canauth-a simple, backward compatible broadcast authentication pro- tocol for can bus. In ECRYPT Workshop on Lightweight Cryptography. Vol. 2011., 2011.
  31. Serge Vaudenay. Security flaws induced by cbc padding -applications to ssl, ipsec, wtls... In Lars R. Knudsen, editor, Advances in Cryptol- ogy -EUROCRYPT 2002, pages 534-545, Berlin, Heidelberg, 2002. Springer Berlin Heidelberg.
  32. Vector. Solutions for Automotive Ethernet. https://www.vector.com/int/ en/know-how/technologies/networks/automotive-ethernet/, 2020.
  33. Xuhang Ying, Giuseppe Bernieri, Mauro Conti, and Radha Poovendran. TACAN: transmitter authentication through covert channels in controller area networks. CoRR, abs/1903.05231, 2019.
  34. Artem Yushev, Mohammed Barghash, Minh Phuong Nguyen, Andreas Walz, and Axel Sikora. Tls-over-can: An experimental study of internet- grade end-to-end communication security for can networks. IFAC- PapersOnLine, 51(6):96 -101, 2018. 15th IFAC Conference on Programmable Devices and Embedded Systems PDeS 2018.
  35. Tobias Ziermann, Stefan Wildermann, and Jürgen Teich. Can+: A new backward-compatible controller area network (can) protocol with up to 16x higher data rates. In Proceedings of the Conference on Design, Automation and Test in Europe, pages 1088-1093. European Design and Automation Association, 2009.

Related papers

Modeling and generation of secure component communications in AUTOSAR
cinzia bernardeschi

Proceedings of the Symposium on Applied Computing, 2017

The AUTOSAR standard acknowledges the need for improved security in automotive communications by providing a set of standard modules for encryption and authentication, to ensure confidentiality and integrity. However, these modules are not currently matched by corresponding models for security at the application level, and their use is somewhat in violation of the established AUTOSAR methodology that relies on code generation from high level specifications for all the communications and scheduling features. In this paper we present modeling extensions and code generation features, developed in the context of the EU project Sahire, that aim at bridging this gap.

View PDFchevron_right
A compact End Cryptographic Unit for tactical unmanned systems
hoa nguyen

Unmanned Systems Technology XXI, 2019

Under the Navy's Flexible Cyber-Secure Radio (FlexCSR) program, the Naval Information Warfare Center Pacific and the Massachusetts Institute of Technology's Lincoln Laboratory are jointly developing a unique cybersecurity solution for tactical unmanned systems (UxS): the FlexCSR Security/Cyber Module (SCM) End Cryptographic Unit (ECU). To deal with possible loss of unmanned systems that contain the device, the SCM ECU uses only publicly available Commercial National Security Algorithms and a Tactical Key Management system to generate and distribute onboard mission keys that are destroyed at mission completion or upon compromise. This also significantly reduces the logistic complexity traditionally involved with protection and loading of classified cryptographic keys. The SCM ECU is on track to be certified by the National Security Agency for protecting tactical data-in-transit up to Secret level. The FlexCSR SCM ECU is the first stand-alone cryptographic module that conforms to the United States Department of Defense (DoD) Joint Communications Architecture for Unmanned Systems, an initiative by the Office of the Secretary of Defense supporting the interoperability pillar of the DoD Unmanned Systems Integrated Roadmap. It is a credit cardsized enclosed unit that provides USB interfaces for plaintext and ciphertext, support for radio controls and management, and a software Application Programming Interface that together allow easy integration into tactical UxS communication systems. This paper gives an overview of the architecture, interfaces, usage, and development and approval schedule of the device.

View PDFchevron_right
On-board security services in small satellites
Martin Sweeting

MAPLD Proceedings, 2005

Security techniques for commercial satellites are insufficiently developed despite the explosive growth of security services in earthbound applications at present. Recently, the issue of satellite security has gained in importance in connection with attempts to intercept satellite data. ...

View PDFchevron_right
Extending AUTOSAR's Counter-Based Solution for Freshness of Authenticated Messages in Vehicles
Tomas Olovsson

2019 IEEE 24th Pacific Rim International Symposium on Dependable Computing (PRDC), 2019

Nowadays vehicles have an internal network consisting of more than 100 microcontrollers, so-called Electronic Control Units (ECUs), which control core functionalities, active safety, diagnostics, comfort and infotainment. The Controller Area Network (CAN) bus is one of the most widespread bus technologies in use, and thus is a primary target for attackers. AUTOSAR, an open system platform for vehicles, introduced in version 4.3 SecOC Profile 3, a counter-based solution to provide freshness in authenticated messages to protect the system against replay attacks. In this paper, we analyse and assess this method regarding safety constraints and usability, and discuss design considerations when implementing such a system. Furthermore, we propose a novel security profile addressing the identified deficiencies which allows faster resynchronisation when only truncated counter values are transmitted. Finally, we evaluate our solution in an experimental setup in regard to communication overhead and time to synchronise the freshness counter.

View PDFchevron_right
Attack Model Implementation for a Secure Onboard Communication from an Automotive ECU
Patrick Grumer

2019

Digital security is becoming increasingly more complex and thus important in the automotive industry. This research was part of a master's dissertation work to evaluate the security measures defined by the Automotive Open System Architecture (AUTOSAR) Security Concept for the implementation of the authenticity, reliability, and integrity of the transmitted and received data over communication buses. It begins with a brief introduction about the evolution of the automotive industry in recent decades, and follows-up with the AUTOSAR architecture and Security concept; then, it provides a short explanation about the product security life cycle using the V-model development process. Subsequently, it poses some automotive security concerns and it presents solutions to them, in an attempt to improve the future of the automotive security. In addition, an overview of the AUTOSAR module Secure Onboard Communication (SecOC) is provided to understand how a secure communication based on authenticity, and integrity is established nowadays. To identify security issues related with the communication bus of the in-vehicle network of the car, and to identify mechanisms which may mitigate these issues or discourage a potential threat, a pentesting framework was developed. Its aim is to evaluate the need of security measures in specific in-vehicle network protocols, and, if those security measures exist, audit their strength to detect poor implementation. With this approach, we concluded that the nonexistence of security measures in the Scalable service-Oriented MiddlewarE over IP Service Discovery (SOME/IP-SD) protocol could open up a vector of attack. This absence of security enables an attacker to search, provide, or subscribe to a service, and, in the worst-case scenario, it allows him to terminate services provided by other Electronics Control Units (ECUs) of the network. Furthermore, we concluded that although there are some cases where security measures do exist, the poor implementation still enables any attacker the ability of performing a replay attack. i Seccond, I would like to thank everyone of my family, especially my father, sister, and cousins (Rodrigo Duarte, Susana Duarte, and Pedro Duarte), who made this dissertation a reality. Third, I would like to thank to my girlfriend (Sofia Moreira), and all the close friends for all the support during this year. A special thank to João Salvado for the help in reviewing the dissertation. Finally, I would like to give a special thank to all those who made this dissertation possible, and it should be noted that all that was accomplished is just the beginning.

View PDFchevron_right

Related topics

  • Computer Science
  • Computer Security
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved