In recent decades, vehicles have been equipped with an increasing number of
electronic features and controllers. They have become a vital part of automotive
architecture. This architecture consists of an internal network of microcontrollers
and small computers, called Electronic Control Units (ECUs). Such
ECUs may be part of an entertainment system, which will interact with the
driver, or they complement technical and mechanical systems such as power
steering, brakes, or engine control. Every ECU is usually connected to one or
more networks as well as a number of sensors and actuators.
Vehicles have become multi-connected places: i) Entertainment systems allow
data to be retrieved directly from the internet, typically traffic conditions,
weather or navigational information, ii) Increasingly, consumer devices are being
connected by wired and wireless interfaces in order to control vehicle functions
or distribute multimedia content, iii) Assistance functions to augment traffic
safety and efficiency are currently being standardized, allowing vehicles and infrastructure units to communicate autonomously via dedicated radio channels.
All of these new communication interfaces should be properly secured, as failure
to do so could have severe consequences, such as loss of control over the vehicle
or private data being accessed by third party applications, which could, for
example, record conversations or track usage behavior. Recent security analyses
show that current vehicle architectures are vulnerable to the above described
threats. It has been shown that by exploiting implementation
can control the vehicle's behavior from a device inside the car or even remotely.
This dissertation focuses on securing in-vehicle networks. Historically, vehicle
buses such as the Controller Area Network (CAN) were considered isolated
embedded systems. However, an effective isolation of on-board networks is
difficult if not impossible to achieve with the rise of connectivity inside the
vehicle for internal functions and, at the same time, for third party devices and
internet services. Upcoming safety and assistance functions use Car-to-Car and
Car-to-Infrastructure communication (Car2X). These assistance functions rely
on remotely received data. It is imperative that these data are trustworthy. A
high level of trust can only be achieved by securing the on-board platform as
a whole, and by protecting both the integrity and the authenticity of network
communication as well as software execution.
The main contributions of this thesis are i) an approach to securing the communication
of in-vehicle networks, ii) an approach to applying dynamic data
flow analysis to the distributed embedded applications of on-board networks,
by using taint-tag tracking in order to detect and avoid malicious activities, iii)
working prototypes for different aspects of the overall security problem, showing
simulations and real-world results of the techniques developed in this thesis.
The approach that is presented combines multiple mechanisms at different layers
of the vehicular communication and execution platform. Cryptographic communication
protocols are designed and implemented in order to authenticate
data exchanged on the buses. Hardware Security Modules (HSMs) are used
to complement the actual microcontroller by providing a secure storage and by
acting as a local root of trust. We distribute usage-restricted symmetric key
material between HSMs. Their use is limited to certain functions, like generating
or verifying authentication codes. Thereby, they can be used asymmetrically
for group-communication patterns. This is a common communication paradigm
in automotive applications, in particular for distributing vehicle-wide signals. A
proof of concept system has been implemented as part of this thesis, showing
the feasibility of integrating security features on top of automotive buses and for
use with Car2X communication. We simulated the behavior of a CAN network
and compared our results for different network designs with data collected from
a real vehicle and with simulations based on a Simulink toolkit.
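The usage-restricted group keys described above, as an added illustration that is not code from the dissertation or its prototypes: a software stand-in for the HSM holds a shared symmetric key tagged as either generate-only or verify-only, so the one sending ECU can authenticate a CAN frame for many receivers while a compromised receiver, although it holds the same secret, cannot mint tags. The 4-byte truncated HMAC-SHA256 tag, the 64-bit freshness counter, the `Hsm`/`accept` names and the frame values are assumptions, not the thesis's protocol.

```python
import hashlib
import hmac

GENERATE, VERIFY = "generate", "verify"

def _mac(secret, can_id, counter, payload):
    # Authenticated fields: CAN identifier, 64-bit freshness counter, payload.
    msg = can_id.to_bytes(2, "big") + counter.to_bytes(8, "big") + payload
    return hmac.new(secret, msg, hashlib.sha256).digest()[:4]  # 4-byte tag (assumed)

class Hsm:
    """Toy HSM: keys never leave it; each key is tagged with its one allowed operation."""
    def __init__(self, **keys):
        self._keys = keys  # key_id -> (secret, allowed_usage)

    def _use(self, key_id, usage):
        secret, allowed = self._keys[key_id]
        if allowed != usage:
            raise PermissionError(f"key {key_id!r} is {allowed}-only on this ECU")
        return secret

    def generate(self, key_id, can_id, counter, payload):
        return _mac(self._use(key_id, GENERATE), can_id, counter, payload)

    def verify(self, key_id, can_id, counter, payload, tag):
        expected = _mac(self._use(key_id, VERIFY), can_id, counter, payload)
        return hmac.compare_digest(expected, tag)

def accept(hsm, key_id, last_counter, frame):
    """Receiver-side check: fresh counter and valid tag; returns (ok, last_counter)."""
    can_id, counter, payload, tag = frame
    if counter <= last_counter or not hsm.verify(key_id, can_id, counter, payload, tag):
        return False, last_counter  # replayed, tampered or forged
    return True, counter

def demo():
    secret = b"\x01" * 16  # constructed group key, provisioned out of band
    sender = Hsm(speed=(secret, GENERATE))  # the one ECU that signs the signal
    receiver = Hsm(speed=(secret, VERIFY))  # every other group member
    can_id, counter, payload = 0x1A0, 42, b"\x00\x5a"  # constructed speed-signal frame
    frame = (can_id, counter, payload, sender.generate("speed", can_id, counter, payload))
    ok, last = accept(receiver, "speed", 41, frame)
    replay_ok, _ = accept(receiver, "speed", last, frame)  # same counter again
    tampered_ok, _ = accept(receiver, "speed", 41, (can_id, 43, b"\x00\xff", frame[3]))
    try:  # a compromised verifier holds the same secret but cannot mint tags
        receiver.generate("speed", can_id, 43, payload)
        forged = True
    except PermissionError:
        forged = False
    return ok, replay_ok, tampered_ok, forged
```

`demo()` returns `(True, False, False, False)`: the genuine frame is accepted, the replay and the tampered frame are rejected, and the verify-only ECU cannot produce a tag.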
In order to account for untrusted program code, we use an approach based on distributed data flow tracking for securing code execution on the ECUs of the automotive network. This means that a high level of trust can be placed in applications even when mechanisms such as software review and application signatures fall short of the desired security levels, or cannot be applied at all.
If this approach is taken, then the use of applications of unknown origin alongside
those controlling critical functions becomes possible. In addition to plain
policy rules, we use a declarative approach to represent the kind of data used
on communication links. Binary instrumentation techniques are used to track
data flows throughout the execution and between control units.
For the Car2Car Communication Consortium Forum in November 2011, a part
of the prototype implementations was integrated into two research vehicles to
demonstrate an "Active Brake" safety scenario using secure in-vehicle and Car2X
communication. It demonstrated the effectiveness and applicability of our communication